Massive Marriott Data Breach, Secure Holiday Shopping Tips, Phishing Sites Using HTTPS – WB45

This is your Shared Security Weekly Blaze for December 3rd 2018 with your host, Tom Eston. In this week’s episode: the massive Marriott data breach, secure holiday shopping tips, and phishing sites using HTTPS.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

In late breaking news last Friday Marriott, the world’s largest hotel chain, disclosed a massive data breach that was identified on September 8th of this year affecting up to 500 million guests. That will make this data breach one of the largest in history. Apparently, the Starwood guest reservation database had been accessed by an “unauthorized party” since 2014, yes that’s correct someone had access to this database for 4 years. Private information stolen was categorized by Marriott in two groups of guests. First, approximately 327 million guests had some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences accessed. Some of these guests also had their credit card information accessed, even though Marriott states it was encrypted. However, Marriot disclosed that two components used to encrypt the cards (aka: the encryption keys) were potentially stolen as well. For the remaining 173 million guests only name and sometimes other data such as mailing address, email address, or other information was accessed.

In our show notes we’ve linked to a web page that Marriot has set up where you can find additional details as well as to sign up for your “complimentary” monitoring service if you’re one of the victims. If you happen to be a victim, like with other data breaches you should change your password for any Starwood Hotels or Marriott rewards program. And while you’re at it, ensure you’re not saving your credit card details for future use. In general, it’s always advisable to never store your credit card with the sites and services you use. While an inconvenience, the majority of the time, even when credit card data is encrypted, is usually compromised in a data breach when the encryption keys are also found. Per the other usual advice we give, enable two-factor authentication and of course, closely monitor your credit card statements for unusual activity. As this story will likely evolve throughout the week, we’ll keep you updated on our Twitter and Facebook with information about this data breach as we receive it.

Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.

Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:

  • Visibility into workload communication pathways;
  • Security policies built on the cryptographic fingerprint of the software;
  • The ability to apply policies and segment your networks in one click; and
  • A way to continuously monitor and assess risk.

Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

The holiday shopping season is upon us which means we all need to be more aware of fraud and scams that may targeting us while we shop online. According to an article from CBS News, Dave Kennedy from cybersecurity firm TrustedSec, says that they are seeing “a 317 percent increase in these attacks, compared to the average month”. Why might this be the case? Besides the fact that all of us are spending more money compared to other months, the holidays tend to add a lot of additional stress and pressure that can cause us to be more susceptible to scams and fraud. Scams to look out for this holiday season are ones that may lure you with online coupons, discounts, fake ads and threats like ones that state “you must act now because supplies are limited”. The bottom line is to be more aware that scams around the holidays will attempt to get an emotional response from you that will result in some type of action that you might take, such as: clicking on a malicious link or entering in personal information and credit card details.  Often times, scams will be disguised as charity requests targeting the poor or even animal rescues. There is nothing worse than seeing some poor puppy or kitten in need, especially around the holidays. See what I did there? Some of these scams will even try to use passwords from previous data breaches targeting you in email phishing attempts. For example, there have been recent phishing scams that, within the email, will include a password that you may have used in the past and say that the they know your password and will attempt to extort you for money. These passwords are found in publicly available databases of past data breaches. Now, if you happened to use the same password for every site and service that you use this scam would probably cause you a rather urgent emotional response, which is exactly what the scammer is going for.

So what are the top three tips to protect yourself from online scams and fraud this holiday season? First, be cautious of any email, web or social media advertisement attempting to generate an emotional response from you. Think before you click but if it looks to be a legitimate offer or you’re not sure, you’re better off visiting the site or service by manually typing in the web address in your browser.  Second, do a little research on the company and the site that may selling a product before you make a purchase. You can do this through some simple Google searches for the company or by checking reviews through Amazon and other marketplaces. A lot of times during the holidays, scam sites will show up that might look exactly like popular sites you may have done business with in the past, so be sure to carefully review the URL (aka: the domain information in the address bar of your browser) to make sure you’re not visiting a phishing site. You should also be careful with sellers on Amazon and similar large online retailers. There have been cases of legitimate merchants having their Amazon seller accounts hacked and some scammers can put up fake marketplaces which offer popular toys and other hot items at deep discounts which end up stealing your money or sending you a broken version of the item you were attempting to buy. Lastly, as we mentioned in episode 43 of the podcast when we discussed how to prevent credit card fraud, never use a debit card for your purchases. Instead, use a credit card. Even if your bank says that you have zero liability for debit card transactions, you still lose that money out of your checking account instantly and it can take weeks for your bank to reimburse you that money. And that’s definitely something you don’t want to happen right around the holidays.

A recently released study by PhishLabs has shown that almost half of all phishing sites now use HTTPS encryption to trick you into thinking that a phishing site is legitimate. According to Brian Krebs from Krebsosecurity.com, the report found that “49 percent of phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar. That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018.”

This trend is concerning since in the past security professionals and awareness campaigns have said to “look for the lock” to ensure that a site is “secure” and safe to submit your sensitive data. The “look for the lock” education was always not the best advice because the lock only means that the information you submit through a website is secured through the use of HTTPS, or also known as, SSL encryption.  It does not mean that the site may be fake or have other vulnerabilities which could lead to your data being compromised.

So how does something good, like HTTPS encryption, also be leveraged by attackers? First, it’s easier than ever to obtain a legitimate and free SSL certificate though projects like Let’s Encrypt. This is actually a good thing as HTTPS encryption helps secure your information in transit which prevents surveillance by an attacker that might be trying access your data while its being transmitted. With the push by tech companies and other privacy advocates, it’s more important than ever to ensure websites are all using HTTPS. However, on the other hand, the barrier for entry to obtain a legitimate SSL certificate is now very low. You don’t have to provide an ID or even other documentation that you own a site or are using the SSL certificate for a valid and legal purpose. I think it goes back to re-educating all of us on the real purpose of HTTPS encryption, which is that it can only provide protection for the information you send and receive from a site, and should not be used as a way to ensure a site is secure and safe to put your information in to. Of course, you should ensure that a site is using HTTPS encryption before putting in sensitive information but specifically, to detect phishing attacks, awareness starts with the email that you receive and the clues which indicate that the email may be a phishing attempt.

That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.



*** This is a Security Bloggers Network syndicated blog from Shared Security authored by Tom Eston. Read the original post at: https://sharedsecurity.net/2018/12/03/massive-marriott-data-breach-secure-holiday-shopping-tips-phishing-sites-using-https-wb45/