Marriott International Suffers 500m Record Data Breach

So much is going on every month in the world of cybersecurity, online privacy, and data protection. It’s difficult to keep up!

Our monthly security digest will help you keep tabs on the most important security and privacy news every month. Here’s what happened in November.

1. Marriott International Suffers 500m Record Data Breach

As ever, one of the biggest bits of security news hits at the end of the month.

November ended with the Marriott International hotel group revealing an enormous data breach. It is thought up to 500 million customer records are affected as the attacker had access to the Marriott International Starwood division network since 2014.

Marriott International acquired Starwood in 2016 to create the largest hotel chain in the world, with over 5,800 properties.

The leak means different things for different users. However, the information for each user contains a combination of:

• Name
• Address
• Phone number
• Email address
• Passport number
• Account information
• Date of birth
• Gender
• Arrival and departure information

Perhaps of most importance is Marriott’s revelation that some records included encrypted card information—but also could not rule out that the private keys had been stolen, too.

The long and the short of it is this: if you stayed at any Marriott Starwood hotel, including timeshare properties, before September 10, 2018, your information might have been compromised.

Marriott is taking measures to protect potentially affected user’s by offering a year’s free subscription to WebWatcher. US citizens will also receive a free fraud consultation and reimbursement coverage for free. At the current time, there are three enrollment sites:

• United States
• Canada
• United Kingdom

Otherwise, check out these three simple ways to protect your data after a major breach.

2. Event-Stream JavaScript Library Injected With Crypto-Stealing Malware

A JavaScript library that receives over 2 million downloads per week was injected with malicious code designed to steal cryptocurrencies.

The Event-Stream repository, a JavaScript package that simplifies working with Node.js streaming modules, was found to contain obfuscated code. When researchers deobfuscated the code, it became clear that its goal was bitcoin theft.

Analysis suggests the code targets libraries associated with the Copay bitcoin wallet for mobile and desktop. If the Copay wallet is present on a system, the malicious code attempts to steal the wallet contents. It then attempts to connect to a Malaysian IP address.

The malicious code was uploaded to the Event-Stream repository after the original developer, Dominic Tarr, handed control of the library to another developer, right9ctrl.

Right9ctrl uploaded a new version of the library almost as soon as control was handed over, the new version containing the malicious code targeting Copay wallets.

However, since that time, right9ctrl has uploaded another new version of the library—without any malicious code. The new upload also coincides with Copay updating their mobile and desktop wallet packages to remove the use of the JavaScript libraries targeted by the malicious code.

3. Amazon Suffers Data Breach Days Before Black Friday

Just days before the biggest shopping day of the year (bar China’s Single’s Day, of course), Amazon suffered a data breach.

“We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”

It is difficult to gauge the exact details of the breach because, well, Amazon isn’t telling. However, Amazon users in the U.K., U.S., South Korea, and the Netherlands all reported receiving an Amazon email regarding the breach, so it was a fairly global issue.

Users can take some consolation in that it was an Amazon technical issue leading to the data breach, rather than an attack on Amazon. The release of information doesn’t contain any banking information, either.

However, Amazon’s message that there is no need for affected users to change their password is plain wrong. If you have been affected by the Amazon data breach, change your account password.

4. Self-Encrypting Samsung and Crucial SSD Vulnerabilities

Security researchers uncovered multiple critical vulnerabilities in Samsung and Crucial self-encrypting SSDs. The research team tested three Crucial SSDs and four Samsung SSDs, finding critical issues with each model tested.

Carlo Meijer and Bernard van Gastel, security researchers at Radboud University in the Netherlands, identified vulnerabilities [PDF] in the drives’ implementation of ATA security and TCG Opal, which are two specifications for implementing encryption on SSDs that use hardware-based encryption.

There is a variety of issues:

• Lack of cryptographic binding between password and data encryption key means an attacker can unlock drives by modifying the password validation process.
• The Crucial MX300 has a master password set by the manufacturer—this password is an empty string, e.g., there isn’t one.
• Recovery of Samsung data encryption keys through the exploitation of SSD wear leveling.

Disconcertingly, the researchers stated that these vulnerabilities might very well apply to other models as well as different SSD manufacturers.

Wondering about how to protect your drives? Here’s how you protect your data using the open-source encryption tool, VeraCrypt.

5. Apple Pay Malvertising Campaign Targets iPhone Users

iPhone users are the target of an ongoing malvertising campaign involving Apple Pay.

The campaign attempts to redirect and scam users of their Apple Pay credentials using two phishing pop-ups, with the attack originating through a series of premium newspapers and magazines when accessed via iOS.

The malware, known as PayLeak, delivers unsuspecting iPhone users who click the malicious ad to a Chinese-registered domain.

When the user arrives at the domain, the malware checks a series of credentials, including device motion, the device type (Android or iPhone), and whether the device browser is Linux x86_64, Win32, or MacIntel.

Furthermore, the malware checks the device for any antivirus or antimalware apps.

If the correct conditions are met, Android users are redirected to a phishing site that claims the user has won an Amazon gift card.

However, iPhone users receive two pop-ups. The first is an alert that the iPhone needs updating, while the second informs the user that their Apple Pay app needs updating, too. The second alert shares the Apple Pay credit card information with a remote command and control server.

6. One Million Children’s Tracker Watches Vulnerable

At least one million GPS-enabled children’s tracker watches are sold to parents packed with vulnerabilities.

Pen Test Partners’ research detailed a litany of security issues with the extremely popular MiSafe children’s security watch. The GPS-enabled watches are designed to allow a parent to track the location of their child at all times.

However, the security researchers found that device ID numbers—and therefore, the user account—could be accessed.

Accessing the account enabled the security team to locate the child, view a photo of the child, listen to conversations between the child and their parent, or remote call or message the child themselves.

“Our research was carried out on watches branded ‘Misafes kids watcher’ and appears to affect up to 30,000 watches. However, we discovered at least 53 other kids tracker watch brands that are affected by identical or near-identical security issues.”

Vulnerabilities in smart devices aimed at children are not a new issue. It does, however, remain a worrying one.

“So how do you purchase safe smart toys for your kids? You don’t,” says Aaron Zander, IT engineer at Hacker One. “But if you must, don’t go for the cheapest options and try to minimize capabilities like video, Wi-Fi and Bluetooth. Also, if you do have a device and it does have a security flaw, reach out to your government representatives, write your regulating bodies, make a stink about it, it’s the only way it gets better.”

November Security News Roundup

Those are six of the top security stories from November 2018. But a lot more happened; we just don’t have space to list it all in detail. Here are five more interesting security stories that popped up last month:

• The Japanese deputy-chief of cybersecurity strategy revealed he has never used a computer.
• Nation-state malware Stuxnet attacks facilities and organizations in Iran (again).
• Hackers find zero-day exploits in iPhone X, Samsung Galaxy S9, and Xiaomi Mi6 devices.
• Microsoft patches a Windows zero-day exploit used in multiple attacks by various hacking groups.
• The Pegasus advanced spyware is used to target investigative journalists in Mexico.

Another whirlwind of cybersecurity news. The world of cybersecurity is constantly changing, and keeping abreast of the latest breaches, malware, and privacy issues is a struggle.

That’s why we round up the most important and most interesting bits of news for you every month.

Check back at the beginning of next month—the start of a new year, no less—for your December 2018 security roundup. Next month will also see the MakeUseOf 2018 year in security roundup, too. In the meantime, check out these five tips and tricks to securing your smart devices.

Image Credit: Karlis Dambrans/Flickr

Read the full article: Marriott International Suffers 500m Record Data Breach

Read Full Article