Month: January 2019
Originally seen on Zdnet.com by Charlie Osborne
The company has turned to external help to prevent data breaches from ever affecting its properties again
Hyatt Hotels has launched a bug bounty program in light of recent card-skimming attacks against the hospitality chain.
On Wednesday, the company said the new initiative will be hosted on bug bounty program HackerOne and is designed to allow Hyatt to “tap into the vast expertise of the security research community to accelerate identifying and fixing potential vulnerabilities.”
Ethical hackers can use the platform — as well as rival services such as Bugcrowd — to report vulnerabilities, security flaws, leaky servers and more before less well-intentioned individuals stumble across them, potentially leading to cyberattacks or data theft.
The bug bounty program is public and includes the main hyatt.com domain, m.hyatt.com, world.hyatt.com, and both the iOS and Android Hyatt mobile apps.
Novel origin IP address discovery, authentication bypass, back-end system access via front-end services, container escapes, SQL injections, cross-site request forgery, WAF bypass, and cross-site scripting (XSS) bugs will all be considered for rewards, among other issues.
Hyatt has chosen to use the Common Vulnerability Scoring Standard (CVSS) standard to evaluate the severity of security flaws found.
Researchers who report valid, high-severity flaws can expect rewards of up to $4,000; important bugs will earn them $1,200 and less severe vulnerabilities are worth between $300 and $600.
“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” said Hyatt Chief Information Security Officer Benjamin Vaughn. “As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information.”
In a Q&A with HackerOne, Vaughn said an invitation-only program was launched first, which may account for the $5,650 in bug bounty rewards which have already been issued at the time of writing.
It is unfortunately quite common for hotel chains and others in the hospitality space to become the focus of cyberattacks due to the vast amount of valuable data these businesses process and store.
Hard Rock Hotels & Casinos, Loews Hotels, Radisson Hotel Group, the Trump Hotel Collection, Marriott, and Hyatt Hotels itself is on the list of organizations which have experienced successful cyberattacks in recent years.
In 2015, 250 properties managed by Hyatt across countries including the US, UK, China, Germany, Japan, Italy, France, Russia, and Canada were subject to a cyberattack. Information-stealing malware was implanted on systems, leading to the exposure of customer financial data including cardholder names, card numbers, expiration dates, and internal verification codes.
A second data breach occurred in 2017, in which 41 locations were affected and unauthorized access to payment card information was detected.
Chicago-based Hyatt Hotels manages over 750 properties in 55 countries.
Other organizations that use HackerOne to tap into a vast pool of security researchers include Google, Twitter, the US Department of Defense, GitHub, and Qualcomm.
Big hacks and data leaks are nothing new, but this year has seen a surge in reported breaches. The reason for this might be simple: After the EU general update to data protection regulation (GDPR) came into place in May, firms are more likely to report attacks.
But it also demonstrates that the huge amounts of data collected by companies is not immune to hacking. And many firms aren’t doing enough to ensure they are secure. Let’s take a look back at five massive hacks of this year and examine what they mean for cybersecurity in 2019.
Facebook has suffered several breaches this year, with the worst seeing at least 50 billion users compromised. The biggest breach, in late September enabled hackers to exploit a weakness in Facebook’s code to access the ‘View As’ privacy tool that allows users to see how their profile looks to other people.
Three major security incidents affected user data in 2018, says Lewis Henderson, VP threat intelligence at Glasswall Solutions – and these are just the ones we know about. “Having been caught playing fast and loose with their users’ data, further major security incidents demonstrate Facebook’s infrastructure was probably never designed to cope with this many subscribers. It simply doesn’t have security built in, nor has Facebook taken those companies who exploit subscriber data through a robust third-party security process.”
Facebook has a large security budget and a team that’s known throughout the industry as top-notch, says Joan Pepin, CISO at Auth0. “They should know what they’re doing – but they have a complicated product. The latest hack combined several features in concert, which QA never thought to test. It was a failure of imagination and an outcome of the incredible complexity of their product.”
At the end of November, hotel group Marriott admitted it had suffered a massive data breach affecting the records of up to 500 million customers. The firm revealed its Starwood division’s guest reservation database had been compromised by an unauthorized party. Information accessed included payment information, names, mailing addresses, phone numbers, email addresses and passport numbers.
“Regardless of who the finger is being pointed at, it’s clear this stealthy attack meant the perpetrator had unrestricted access, across multiple IT systems for a very long time,” says Glasswall’s Henderson. “Presumably with many elevated privileged accounts compromised, the attackers were clear to traverse customer data held in different locations and likely cleared their tracks as they went.”
And when people trust firms with their data, even cybersecurity experts aren’t immune. “I am a Marriott Platinum for Life customer: My data was hacked alongside that of millions,” says José Hernandez author of Broken Business.
He points out that good crisis management requires full, timely, and complete disclosure – alongside an independent investigation. “Beyond trust and good governance, with Europe’s GDPR, waiting two months to report a significant hack is likely to be met with significant fines and penalties.”
It’s not the data breach that will be most impactful to the company; it’s the regulatory and class actions that follow, says Ian Thornton Trump, head of cyber security at Amtrust International. “But the big question is, why was this data not encrypted while at rest? Why are passport numbers and details not required by law to be encrypted at rest? The Marriott breach was not just about failing to protect the data they have; it’s a failure of governments to insist identity documents are treated with the same requirements as credit card data.”
In December, Quora suffered a massive breach of user data. The intrusion, discovered on November 30, included up to 100 million users’ names, email addresses, IP addresses, user IDs, encrypted passwords, user account settings, personalization data, public actions and content such as questions, answers, comments, blog posts and upvotes.
“The breadth and potential value of the data compromised, like encrypted passwords and social media data, was notable,” says Andrew Tsonchev, director of technology, Darktrace Industrial.
Edward Whittingham, a former law enforcement officer who is MD of The Defence Works, agrees. “Quora’s data breach was pretty punchy, mainly because it exposed the names, email address and encrypted passwords, as well as data from social networks like Facebook and Twitter, to which people had connected their accounts,” he says.
“Perhaps most interesting, is how the cybercriminals might then go on to use the data, such as questions and answers posed on the platform. I’d expect to see this information sold on the dark web and if there are any contentious questions or answers in there, the fraudsters will be sure to make use of this information and possibly look to hold some users to ransom.”
On 6 September, British Airways informed its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates and cvv codes. It took the firm just one day to announce it had been hit by a cyber-attack between 21 August and 5 September.
Soon afterwards, it was discovered the details were taken via a script designed to steal financial information by ‘skimming’ the payment page before it was submitted. Security researchers now think the perpetrator is the same group that breached Ticketmaster, Magecart.
The impact to affected customers was still being felt in November when it was discovered the Russian hacker group behind Magecart was selling the details in the dark web for around $10 a card.
“In the immediate aftermath, many banks and credit card companies issued replacements or warnings to their customers who may have been affected, netting the Russian group a possible $12m from the hack,” says Martin Jartelius, CSO at Outpost24.
“Aside from BA’s parent company’s shares taking a hit in the immediate aftermath, it’s likely that the company will be penalized under the GDPR legislation, with some experts stating the impact could be in the region £500m or 4% of its turnover, or – if IAG is held accountable – an even larger sum: reportedly around £800m.”
Without Inbenta’s knowledge, Ticketmaster used this code on its payments page, where it was discovered by hackers and modified to extract payment information. The scale isn’t as massive as some other breaches – but the impact was huge. Some customers reported their money had been stolen and others claimed their details had turned up for sale on the dark web. The culprit was apparently credit-card skimming criminals Magecart.
“Just one month after GDPR came into full effect, Ticketmaster announced 40,000 customers’ data was accessed due to a malicious hack on a third party solution,” says Guy Bunker, SVP of Products, Clearswift.
He points out that many security incidents occur as a result of the actions of customers, suppliers and partners. “It’s important to ensure that security measures are up to date across the entire network of companies. Ticketmaster was only as secure as its weakest link.”
Cyber security in 2019
After hitting Ticketmaster and BA, experts predict that Magecart will target more than credit card data in 2019. “In 2018, credit-card skimming criminals grouped under the Magecart label have been carrying out a full-scale assault on e-commerce. They show zero signs of stopping as we head into 2019, with the attacks only getting more traction as various groups learn how to become more effective,” says RiskIQ’s Klijnsma.
He predicts: “As web skimming can skim all sorts of information entered into a website, Magecart groups will surely expand to skimming more than just payment data, such as login credentials and other sensitive information.”
As nation state actors ramp up their campaigns, critical infrastructure will also likely be a target. These attacks are already on the rise, says Andrew Tsonchev, director of technology, Darktrace Industrial. “This year, the ports of San Diego and Barcelona were attacked with ransomware: compromising industrial devices can now allow criminals to ransom access to operational systems as well as data.”
Jake Moore, cyber security expert at ESET, predicts 2019 will see a new form of attack: GDPR bounty hunting. “GDPR bounties work effectively when the attacker extorts an organization by providing them with a copy of their data to prove that it has been breached.
“They then give the victim two options: pay the possibly eye watering ICO fine of up to €20m or 4% of their annual global turnover – or pay the hackers’ chosen fee, which could be anything less than the maximum from the ICO. Hackers take advantage of the fact that some organizations will be tempted to choose the second option so they can avoid any reputational damage caused by a data breach.”
The end of the year is a notoriously busy time for most organizations. Now that we are within the new year, take the time to focus on your security. Please keep these reminders handy to help protect yourself against Cybercrime.
Most malicious attacks an organization will face, will be initiated via email, and can easily spread through an organization without the proper protection. Even a company with a dedicated IT department can still have these attacks slip through.
- Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies. Or they pretend to be a friend or family member.
- Phishing scammers make it seem like they need your information or someone else’s, quickly – or something bad will happen. They might say your account will be frozen, you’ll fail to get a tax refund, your boss will get mad, even that a family member will be hurt or you could be arrested. They lie with the intent of obtaining you or your organizations confidential and financial information.
- Never let your guard down.
- Never assume anything you receive via email is legit. If you are not 100% certain call the sender to verify.
- Do not allow yourself or your organization to complete financial transactions solely via email. There have been widespread bank wire fraud attacks. Please be extremely careful.
- The best practice here, is to come up with a strict set of actions that are required for financial transactions, and stick to them. A phone call or face to face hand off should be at least one of the steps.
- Even the most careful users, are susceptible to this kind of fraud. This is why at ITG we urge our clients to take the necessary proactive measures. ITG has new products and recommendations that will further protect you from these types of security scams. We strongly recommend sending all of your users our Be Aware and Be Alert checklist from above.
- ITG services and our customized plans include full security coverage:
- Prevention – reduce the number of phishing and spam emails that make it through to the users.
- Training – user awareness is a critical part of the defense.
- Compliance – many organizations are now subject to either Federal or State security compliance rules. We are here to help you navigate these and build a security platform that will ensure you can meet and maintain compliance.
If you have any questions or would like to request additional information feel free to contact us today.