Marriott's incident page [1] links to a Q&A page [2]. Apparently the forthcoming sorry-we-lost-your-data notifications will come from "starwoodhotels@email-marriott.com".
"Let's immediately set up a separate domain name that looks like ours" remains one of the weirdest antipatterns in incident response.
Is this to purposefully increase likelihood of getting caught in a spam/phishing filter? So they claim they've reached out while also (probably correctly) claiming it's not their fault if customers didn't get it.
Interesting theory. My theory was that there's incident management contractors get this sort of business and don't want to bother integrating with any existing company's infrastructure, so they just set up something entirely different.
Close to my theory! Basically, they need to send out millions of email fast. This email, with a bunch of legal text will probably have a high 'mark as spam' rate. This will destroy the domain's marketing ability. SO! The marketing guy won the argument in the meeting: don't use the root domain.
I think the stated reason is usually "a single place users can go to directly", the least nefarious reason is that they don't want to associate the breach with their main site, so only affected or inquisitive customers will know about it.
Anti-pattern does seem like a strong enough word sometimes. These domains are available:
emai1-marriott.com
email-marriot.com
e-mail-marriott.com
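The three domains above are exactly the variants a typosquat generator produces, and the same generator shows why a notification sender like "email-marriott.com" is hard to tell from a phishing domain: it is itself a one-edit variant of marriott.com. Added example, not from this thread; the homoglyph table and the list of service-word prefixes are assumptions chosen for the example.

```python
# Added example: enumerate look-alike variants of a domain and classify a
# notification sender against the domains a company actually owns.
# HOMOGLYPHS and COMMON_PREFIXES are assumptions for this example.
HOMOGLYPHS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "m": ["rn"], "w": ["vv"]}
COMMON_PREFIXES = ["email", "mail", "info", "secure", "notice"]


def lookalikes(domain):
    """Return typosquat and homoglyph variants of a registrable domain."""
    label, tld = domain.lower().rsplit(".", 1)
    out = set()
    # single-character omission: email-marriot.com
    for i in range(len(label)):
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    # homoglyph substitution: emai1-marriott.com
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")
    # hyphen insertion and removal: e-mail-marriott.com, emailmarriott.com
    for i in range(1, len(label)):
        if label[i - 1] != "-" and label[i] != "-":
            out.add(f"{label[:i]}-{label[i:]}.{tld}")
    out.add(f"{label.replace('-', '')}.{tld}")
    # service-word prefixes: email-marriott.com is itself a variant of marriott.com
    for prefix in COMMON_PREFIXES:
        out.add(f"{prefix}-{label}.{tld}")
        out.add(f"{prefix}{label}.{tld}")
    out.discard(domain.lower())
    return sorted(out)


def classify_sender(address, official_domains):
    """'official' if the sender domain is owned, 'lookalike' if it is a
    generated variant of an owned domain, otherwise 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].lower()
    official = {d.lower() for d in official_domains}
    if domain in official:
        return "official"
    if any(domain in lookalikes(owned) for owned in official):
        return "lookalike"
    return "unrelated"
```

Run `classify_sender("starwoodhotels@email-marriott.com", {"marriott.com"})` and the company's own notification address comes back as "lookalike", which is the antipattern in one line: customers have no way to distinguish it from the domains a phisher would register.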
I wonder whether it might be better if governments took over the notification side of things. Something like "notice@databreach.gov". Companies could pick from a few standard templates and get charged $1.00 per email.
> Is it time for us to simply accept that it's inevitable that, at some point, everything will be hacked, and hacked often?
I disagree. I’d take the Economist's route, which is looking for the incentives that drive motivation. If companies were held to a higher standard of accountability, imagine how many would beef up their security. For decades, security researchers have been poking fun at how ridiculous some of these sites are at handling security, and nothing ever happens.
Now, imagine if there was severe economic accountability to a company that was hacked. Perhaps payouts to each person affected (in this case, to all 150m). I imagine you’d see security become a top priority very quickly at most companies.
As a developer, do you really want to live in a world where "security is a top priority" at every company? Does such a world even make economic sense after accounting for the opportunity cost of the time most that developers would otherwise spend actually building new products and features?
While companies could probably do better than they are right now, hacks like this are probably never going to be eliminated. There are too many companies and too many developers for nobody to make mistakes, even when they're being mindful not to. Investing in solutions that assume hacks will happen seems reasonable to me.
That's wrong for many reasons. Others have covered the simple fact that you couldn't start any app with lots of users and zero capital. The downside is huge. Barriers to entry become more impossible than they already are.
But that's not the worst of it. The Economist here is doing a static analysis, oddly enough. They're making the simple observation that if things cost more or have more risk, they get more attention.
That's if they have more risk today. Once you collect data, it doesn't go anywhere. Every bit that sits on your servers can easily be copied to another server, today, tomorrow, ten years from now. Do you know what all the bits are on your computers?
This isn't copyrighted DRM or porn. You could have a blob of hashes and userids. If I put that on your computer, would you know? Could you be expected to find it? Know what it was?
As Facebook and the other platforms are demonstrating, this data continues to have value many years after it was collected. And once somebody gives some data to you, it's effectively both invisible and trackless. Over long periods of time, your cost becomes infinity to maintain this risk. Meanwhile, attack vectors get better and people come and go out of your offices all the time. Could you manage that risk? Forever?
I can't think of _any_ sensitive data on the web that's stayed safe. Why would attaching any amount of value change that?
So far the market has decided that the economics for protecting users and protecting data just isn't there and that's why we see what we see.
That's why GDPR happened. "Ok, if you're not going to do anything about it, we'll make you do something about it."
So you're not taking the economists point of view at least from the perspective of the free market rather you're thinking about which economic levers you could pull to effect change from a regulators point of view.
Either your information is known to an attacker, or it isn't. Great security "at most companies" in a hypothetical future doesn't help. You need security better than the best attacker, at every company, all the time.
That's a pipe dream. Instead we should take advantage of public-key cryptography, so that authenticating to one company does not leave behind infinitely reusable credentials for others.
Everyone who knows about security already accepts that everything either already is hacked or will be hacked eventually and no one can stop it. There's a famous quote and I'm not sure if it's originally from former FBI Director Robert Mueller [1] or former Cisco CEO John Chambers [2]:
"There are two types of companies: those that have been hacked, and those who don't know they have been hacked."
Seems like it. Bank vaults are difficult to get into, sure. But they're especially difficult to get into without being detected. Go ahead and force your way in if you want to. You most likely won't have long to enjoy it since you've been witnessed in person, by security cameras, and are now carrying marked bills.
Perhaps in the digital world as well, intrusion detection is more valuable than intrusion prevention?
I don't know what your background is, but IPS is a huge deal already. Tens of billions of cumulative market cap in the space. Your physical "bank vault" analogy doesn't model the threat very well for many reasons. If you happen to know how to solve this, though, you will be incredibly wealthy.
The digital world does not require my physical presence which means that even if you detect me, odds are you can't even identify, much less apprehend me. Bank robbers have no such luxury.
The most valuable data is just necessary to do their business though. Our financial and identity information are the things we hold most dear, but that's also exactly what we need to exchange in order to engage in commerce.
I really want to know why identity verification can't incorporate better technology, since driver's licenses and passports and such have been upgraded but are still non-interactive (from the user's perspective) and can't prove identity remotely.
i.e., instead of the traditional "what are the [last 4 of] your SSN, and/or we'll tell you three things that may or may not be in your credit history and you have to fill in the blank on each of them"...
...why not just use 2FA?
You give everyone a TOTP code on a separate card but tied by the government to your SSN, passport number, and state ID. You provide a government mobile app that they can use if they don't want to use a 3rd party one. When some third party wants to verify your identity, there would be a heavily secured, simple, audited government server that you'd use the app to auth to (ssn + TOTP), returning a temporary auth code/passphrase, stored for 1 day and associated with your SSN. You give that temporary code to the third party, which then verifies that temporary auth code or passphrase with that same government server. You could have an additional voice phone channel to get the temp codes, for people without smartphones.
If your TOTP code card and device are both lost or stolen, you visit in person to get a new one just like normal. Anyone who sees the card can impersonate you, but you shouldn't be carrying it around or waving it around, and even if stolen in individual cases, the scheme eliminates mass identity theft.
U2F could be an option, for anyone with a u2f-capable hardware security key or smartphone, but I'm not sure about mandating u2f because compatible hardware has a non-trivial marginal cost.
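The exchange proposed above, as an added worked example that is not from the comment's author: an RFC 6238 TOTP over the standard library, a simulated government server that turns SSN + TOTP into a temporary code valid for one day, and the third party's verification call against the same server. The clock is passed in so the run is reproducible; the one-step skew window, the SSN format and the random temporary-code format are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30              # TOTP time step in seconds (RFC 6238 default)
TEMP_CODE_TTL = 86400  # temporary code lifetime from the proposal: one day


def totp(secret, now, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1. RFC test vector:
    totp(b'12345678901234567890', 59, 8) == '94287082'."""
    counter = struct.pack(">Q", now // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IdentityServer:
    """Simulated government verification server (assumed design for the example).
    Card secrets are enrolled in person and never leave the server."""

    def __init__(self):
        self._totp_secrets = {}  # ssn -> secret printed on the citizen's TOTP card
        self._temp_codes = {}    # temporary code -> (ssn, expiry time)

    def enroll(self, ssn, secret):
        self._totp_secrets[ssn] = secret

    def authenticate(self, ssn, code, now):
        """Citizen side: SSN + current TOTP -> temporary code, or None on failure."""
        secret = self._totp_secrets.get(ssn)
        if secret is None:
            return None
        # accept the current step and the previous one to tolerate clock skew
        for skew in (0, -STEP):
            if hmac.compare_digest(totp(secret, now + skew), code):
                temp = secrets.token_urlsafe(16)
                self._temp_codes[temp] = (ssn, now + TEMP_CODE_TTL)
                return temp
        return None

    def verify(self, ssn, temp_code, now):
        """Third-party side: is this temporary code bound to this SSN and unexpired?"""
        entry = self._temp_codes.get(temp_code)
        if entry is None:
            return False
        bound_ssn, expires = entry
        return hmac.compare_digest(bound_ssn, ssn) and now < expires


def demo(now=1_700_000_000):
    """Full exchange: enrol, authenticate with the card's code, verify as a third party."""
    card_secret = b"12345678901234567890"        # constructed card secret
    server = IdentityServer()
    server.enroll("123-45-6789", card_secret)
    temp = server.authenticate("123-45-6789", totp(card_secret, now), now)
    return server.verify("123-45-6789", temp, now + 60)
```

The third party never sees the TOTP secret or the code from the card; it only learns that the government server vouches for the SSN it was given, which is the property that stops a leaked database of SSNs from being reusable on its own.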
Because the cost of "verifying identity" is a feature! The easier it is, the more frivolous uses of it there will be - imagine basic forum websites deciding the easiest way to cut spam is to demand real world IDs. Google's new practice of requiring of a phone number to make an account would look tame in comparison.
This very case is already an example of overreach. The only reason a hotel needs someone's identity is in case they trash the room and skip out. There is absolutely no reason that it should have been kept after checkout, except that we've been groomed to expect this surveillance based on payment cards being similarly broken.
I can see the possibility for reasonable progress in the EU, where a government ID could carry rules that it couldn't be involuntarily used for business purposes (and assuming that would actually last). But in the US, the government will mandate some base system and then let companies abuse it ad infinitum - even social security numbers are already way too much.
Because people who should know better are happy to support legal liability around the protection of shared secrets. Companies almost always prefer to protect legacy systems with lawsuits/regulations than to actually harden them.
You could say the same thing about corporate lawbreaking. It's likely given enough time and employees, but that doesn't absolve the company of its responsibility and liability.
We need tough, enforced penalties for data breaches, plain and simple. It's a negative externality, just like pollution, and so can only be controlled by regulation.
> It's a negative externality, just like pollution
No.
Your leaked data does not hurt me. So it is NOT like pollution.
If you do not like your data on the internet - do not give it to companies you do not trust.
> can only be controlled by regulation
Your claim is wrong.
Companies' behavior is controlled by customers' demands. The balance between security and convenience is not an exception here: customers' demands define where that balance is. There is no need for the government to intervene in this case.
Past time. There are way too many people comfortable with giving companies date of birth, passport and social security numbers, as forms of ID. And therefore the sane and aware people who don't want to give up that information, are left as non-participants because they are the minority. And therefore I think there needs to be law making it illegal for certain personal information to be stored. Marriott can sufficiently confirm my identity by getting my name, address, phone number, and a credit card number. The latter can be used to verify the former via a 3rd party, the issuer of the credit card. And this verification doesn't require storing the credit card number.
Anyway, these companies are bad at their job as evidenced by the breach happening. And I definitely think we're past the time where it should be illegal for companies to even ask for passport numbers, DOB and social security. A phone company, a hotel, need none of that. They just want it. Big difference.
You're only thinking of transactions. Physical location history (which hotels they frequent, and when) is damaging enough to HNWIs. Name + location + timestamp is sufficient to prove physically dangerous when leaked.
What we need are more options to transact anonymously. This "show ID for everything" culture needs to stop.
I see two possible readings of your comment, which are almost opposites. One is that we should all learn to deal with this much data about ourselves being exposed. The other is that the root cause here was how much data they collected about us in the first place.
I really don't understand why so many companies think they need so much information about me. Or even if they do need it, why such disparate data as passport numbers, credit card numbers, email address, gender, and home address would be stored in the same database.
Is there a law that requires hotels to collect all this data? I've stayed at some cheap motels where they glanced at my driver's license and accepted a couple of $20 bills, and I got a key, and that was the entire transaction.
I'm starting to wonder if it would be a good thing if the data from one of these broad hacks was widely distributed, forcing companies to come up with a better way to verify "identity".
If companies knew that there was a database that everyone has access to with all the data you need to signup for new sources of credit for 50% of US residents, there would be a very strong financial incentive to actually fix the problem.
Maybe, but there's a legitimate fear that this thinking will eventually lead to everyone being required to be implanted with a microchip to participate in the economy
> “Usually when stolen data doesn’t appear, it’s a state actor collecting it for intelligence purposes,” said James A. Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington.
Not to downplay it but my email shows 3 breaches in haveibeenpwned.com, and I haven't had any problem till now, apart from probably more emails in spam folder.
Not entirely on topic, but Marriott seems to be dealing with some internal phone abuse issues as well - calls going directly to hotel rooms (bypassing the front desk) and asking for card details to fix broken incidentals records. I got a call like this yesterday and found out that it's enough of an issue that they've printed out signs in the lobby warning guests to not hand out information.
That's interesting. I've had a couple of calls like this in the past and have always insisted on going to reception instead of giving details over the phone. Thankfully mine turned out to be genuine.
Note: This has affected Marriott's "Starwood" division.
Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.
According to the article the systems were merged 3 months ago.
"The company resolved one major issue involving elite-night credits earned from credit card spending just last week, more than three months after the integration. That problem left many members in limbo, unsure of how close they were to hitting elite-level thresholds before year’s end."
The intrusion was detected on Starwood's system in September according to the BBC article.
"On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database."
This sounds more like Marriott having better monitoring and once the DBs got merged they figured out somebody had been in the Starwood network for four years.
Assuming poor security practices is the new assumption of monetary debt from a merger. One wonders what it will take to get companies to take auditing potential acquisitions' security practices in greater depth.
As a first rough approximation, this figure includes everyone on HN.
It appears to include everyone who's ever stayed in a room at a Marriott, St. Regis, Ritz-Carlton, Bulgari, W Hotel, JW Marriott, The Luxury Collection, Le Meridien, Renaissance, Westin, Tribute Portfolio, Sheraton, Autograph Collection, Design Hotel, Marriott Executive Apartments, Delta Hotels & Resorts, AC Hotels, Element, Gaylord, SpringHill Suites, Courtyard, Residence Inn, Fairfield Inn & Suites, Moxy Hotels, Protea Hotels, TownePlace Suites, Aloft, Four Points by Sheraton, or Marriott Vacation Club property.
For reference, there are under 130M households in the US and around 200M households in the entire EU.
"The hotel chain said the guest reservation database of its Starwood division had been compromised by an unauthorised party."
"Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network."
edit: the Marriott website itself confirms as much that this is limited to Starwood properties.
" guest information relating to reservations at Starwood properties* on or before September 10, 2018.'"
"* Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included."
> * Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.
"It said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been stolen."
Can anyone recommend solutions (for those that don't know) on how to have an encrypted database for sensitive information, i.e. first name, last name, IP, geo data, etc., and have the encryption keys not be available to hackers when they have essentially gained root?
Segmentation can help. For example, you can use envelope encryption[1] that keeps your keys on an isolated, dedicated key management server that prevents even the admin from exporting the master keys. Therefore, decryption of the data keys must be performed on the key management server.
It’s still not perfect because an attacker can potentially send requests to the key management server, but they shouldn’t be able to walk away with the keys to perform decryption outside of the system.
You then set up monitoring to watch how many decryption operations are being performed per minute or hour and alert admins when it steps outside of normal usage patterns.
It’s not perfect but can help you to 1) catch an attacker early and 2) have some type of estimate of the size of the breach when discovered. A very patient attacker may not trigger an alarm of decryption operations but in that case he’s got to work much slower, which limits the scope of the attack while they hopefully trigger something else that exposes them.
Have a server responsible solely for decryption and audit access to it. The server doesn’t issue keys, it literally does the decryption. AWS KMS can do this for you.
The gist is you create an encryption key for your row, encrypt it using your encryption service, and store it next to your actual payload. To decrypt, ask the service to decrypt the key which you use to decrypt the payload. If your database gets popped, your decryption server hopefully didn't because you hardened it specifically.
Well, it's still tough. The question is always "gained root to what", cause at some point somebody needs a key.
Envelope encryption is a good scheme. Under envelope encryption you have a master key and per-row or per-unit keys. You store the per-unit keys encrypted with the master key, and the master key is stored offsite.
For example on an AWS environment, you would use AWS KMS with IAM authentication to handle the master key crypt for the individual keys, and the encrypted versions of the individual keys are stored in a database that you own.
You encrypt your data with the individual keys (eg, one key per user, or one key per DB row, or one key per namespace, whatever), but the individual keys are decryptable only by KMS.
Under this scheme an attacker must both be able to get ahold of the encrypted individual keys, and be able to decrypt them with the master key.
Of course this leaves you very vulnerable if the master key is acquired, but KMS does not allow you to read the master key at all, you have to use the AWS API to make encryption/decryption requests. So the vulnerability is less about how secure the key is and more about how secure your IAM setup and instances are.
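The envelope scheme described in the last few comments, as an added example (not code from any commenter or from AWS): a per-row data key wrapped by a key service that never exports its master key, an allowlist of principals standing in for IAM, and the decrypt-rate alarm from the first answer. The cipher is an HMAC-SHA256 keystream plus HMAC tag so that the block runs on the standard library alone; it is a stand-in for AES-GCM and the envelope structure around it is unchanged. The 100-per-minute threshold is an assumed baseline.

```python
import hashlib
import hmac
import secrets
import struct
from collections import deque


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def aead_encrypt(key, plaintext, aad=b""):
    """Stand-in authenticated encryption (HMAC keystream + HMAC tag), stdlib only.
    Use AES-GCM or ChaCha20-Poly1305 in production; the envelope layout stays the same."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key, blob, aad=b""):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Kms:
    """Simulated key-management service. The master key lives only inside this object;
    callers get wrap/unwrap operations, never the key itself. The principal allowlist
    stands in for IAM; WINDOW and DECRYPT_LIMIT are an assumed baseline."""
    WINDOW = 60
    DECRYPT_LIMIT = 100

    def __init__(self, allowed_principals):
        self.__master = secrets.token_bytes(32)  # never returned by any method
        self._allowed = set(allowed_principals)
        self._decrypt_times = deque()
        self.alerts = []

    def generate_data_key(self, principal):
        self._authorize(principal)
        data_key = secrets.token_bytes(32)
        return data_key, aead_encrypt(self.__master, data_key, aad=b"data-key")

    def decrypt_data_key(self, principal, wrapped, now):
        self._authorize(principal)
        self._record_decrypt(principal, now)
        return aead_decrypt(self.__master, wrapped, aad=b"data-key")

    def _authorize(self, principal):
        if principal not in self._allowed:
            raise PermissionError(f"{principal} is not allowed to call KMS")

    def _record_decrypt(self, principal, now):
        # sliding window over Decrypt calls; a dump-everything attacker trips it fast
        self._decrypt_times.append(now)
        while now - self._decrypt_times[0] >= self.WINDOW:
            self._decrypt_times.popleft()
        if len(self._decrypt_times) > self.DECRYPT_LIMIT:
            self.alerts.append((now, principal, len(self._decrypt_times)))


def encrypt_record(kms, principal, record):
    """One data key per row, wrapped by KMS and stored beside the ciphertext."""
    data_key, wrapped = kms.generate_data_key(principal)
    return {"wrapped_key": wrapped, "ciphertext": aead_encrypt(data_key, record)}


def decrypt_record(kms, principal, row, now):
    data_key = kms.decrypt_data_key(principal, row["wrapped_key"], now)
    return aead_decrypt(data_key, row["ciphertext"])
```

A copy of the database alone yields wrapped keys that fail authentication under any key but the master; an attacker who can reach the KMS from an allowed host can still decrypt, but only one row per call, and the rate alarm puts a ceiling on how quietly that can be done.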
If you don't need to decrypt the data on the same system, you could always use asymmetric encryption, so encrypt with the "public" key and then keep the private key elsewhere.
If you require to be able to decrypt on the system in question then you need a key somewhere, so secure storage of the key is very important.
One option, often deployed in banks, is to store the key in a hardware security module (HSM) and then ensure that it's not available outside of that.
There's a load of tradeoffs to using HSMs but they can be useful where symmetric encryption is needed.
This was solved by banks a long time ago with hardware security modules (https://en.m.wikipedia.org/wiki/Hardware_security_module). HSMs make it impossible to extract encryption keys from the device and turn a digital security problem into a physical security problem which banks knew how to manage. Are your encryption keys secure? Yes they are right there.
It's been several years since I dealt with PCI, but the app I was on the team for handled $1B+ annually. Here's just a few points that I remember.
Physically separate the key storage from the data storage. Different servers, different user auth mechanism. Make them compromise both systems.
Unique keys per client.
Use key-encrypting keys, periodically replace them.
PCI environment must be totally self contained and not mixed with standard working environment. If an employee is phished, their credentials for email/etc should not gain access to the env.
Don't allow developers to deploy or even read from prod db. Have a separate deployment team, all access to prod database audited via production tickets.
I’m not sure there is a one-size-fits-all right solution here - but having a system where decryption keys should not be extractable by software alone (e.g. an HSM, a service such as AWS KMS or the equivalents in other clouds) sounds like it would have been an improvement in this case (though with no post-mortem it’s hard to know exactly what went wrong).
Assuming a layered system, something like Vault transit encryption (perhaps with the master key in an HSM) should keep decryption keys away from front-end machines, though as ever, once you have root and can access the memory of a machine where the encryption keys are stored, most bets are off.
The general idea is to insert some kind of bogus information into a system, with no links to other systems, and then trigger a notification if someone accesses it.
One tool is to only get access to this data from the Web FE via an API. This API is then monitored for spikes in usage, so if a given FE is suddenly requesting a lot more than normal it gets flagged. It doesn't stop targeted attacks, but does show the big ones - another reason why security needs to be multi layered.
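The two detection ideas in the comments above, as an added example that is not from either commenter: canary guest records that no real system references, and a per-frontend spike check on reads going through the API. The log lines are constructed for the example and the format (`ts fe=... guest_id=... op=...`), the canary IDs and the spike threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed access-log sample: one line per guest record read via the internal API.
SAMPLE_LOG = []
for minute in range(4):          # web-01: a steady 3 reads a minute
    for i in range(3):
        SAMPLE_LOG.append(f"2018-09-08T10:1{minute}:{i:02d}Z fe=web-01 "
                          f"guest_id=G{100 + 3 * minute + i:05d} op=read_reservation")
for minute in range(3):          # web-07: a steady 2 reads a minute ...
    for i in range(2):
        SAMPLE_LOG.append(f"2018-09-08T10:1{minute}:{i:02d}Z fe=web-07 "
                          f"guest_id=G{200 + 2 * minute + i:05d} op=read_reservation")
for i in range(40):              # ... then a sequential sweep that touches a canary
    guest = "G99901" if i == 17 else f"G{10000 + i:05d}"
    SAMPLE_LOG.append(f"2018-09-08T10:13:{i:02d}Z fe=web-07 guest_id={guest} op=read_reservation")

LOG_RE = re.compile(r"^(?P<ts>\S+) fe=(?P<fe>\S+) guest_id=(?P<guest>\S+) op=(?P<op>\S+)$")
CANARY_GUESTS = {"G99901", "G99902"}   # bogus guests, referenced by no real system


def parse(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def canary_hits(events):
    """Any read of a canary record is an incident on its own: nothing legitimate needs it."""
    return [(e["ts"], e["fe"], e["guest"]) for e in events if e["guest"] in CANARY_GUESTS]


def spiking_frontends(events, factor=5, min_requests=20):
    """Flag a frontend whose busiest minute exceeds `factor` times the median of its
    other minutes (and at least `min_requests`, so quiet hosts do not trip on noise)."""
    per_fe = defaultdict(Counter)
    for e in events:
        per_fe[e["fe"]][e["ts"][:16]] += 1       # bucket by YYYY-MM-DDTHH:MM
    flagged = {}
    for fe, minutes in per_fe.items():
        peak_minute, peak = minutes.most_common(1)[0]
        others = [c for m, c in minutes.items() if m != peak_minute]
        baseline = median(others) if others else 0
        if peak >= min_requests and peak > factor * baseline:
            flagged[fe] = {"minute": peak_minute, "peak": peak, "baseline": baseline}
    return flagged
```

On the sample, web-07 is flagged for its 40-read minute against a baseline of 2, and the same sweep produces a canary hit; a slow attacker would avoid the first check but cannot know which records to skip for the second.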
Keep in mind they've been compromised for 4 years. For that time duration it's not just about protecting data at rest, it's also about protecting data as it is processed inside your systems.
You are already fucked at this point. I would focus my attention on prevent hackers from 1) gaining any unauthorized access. 2) from doing any sort of privilege escalation from a restricted account/service.
Maybe keep the keys only in memory in each application? Pull them from some very well monitored service once at startup? Anyone who gained access to the server would have to check the program's memory to get them.
How is that the "Oh dear."? Do you work for a bank?
That seems like the least interesting bit of information here for individuals.
It's really bizarre to me that people here seem to consider their credit card numbers more sensitive than their travel history or even contact information.
Why is it bizarre? Most people wouldn't consider their comings-and-goings to be worthy of any privacy protections, though some people have non-criminal reasons to want to protect that privacy. Contact information likewise is generally public information, some people may have non-publicized means of contacting them though that they want to keep private.
Generally people's level of care will correlate to what nefarious purposes the data can be used for. There aren't that many such purposes with the data exposed here until you consider the passport number (probably something more secure than a SSN for most Americans?), payment info, or login info. The purposes I can think of for the other data are reliant on the metadata that so-and-so was at that location at that time, when I might have believed something else.
well possibly not. If the attackers got the keys to decrypt payment details that means that victims, in addition to the identity theft risks, may also face fraudulent transactions on those cards as a risk.
and according to the article: "It said an internal investigation found an attacker had been able to access the Starwood network since 2014."
4 years of access, surely the attacker didn't manage to get hold of these keys
Curious if it matters much that the keys were stolen too. How long to brute force a 16 digit number? With a known subset of 4 digit leaders, and being able to cull the list first for ones with good luhn checksums.
Edit: Ugh. Yes. My mind was apparently elsewhere. Keyspace would drive the time needed.
Though it is a relatively short list of known plaintext. especially if you focus on the bin ranges for say the three most popular banks in the US.
But, only interesting if Marriott was using some encryption with a small keyspace.
I don’t follow. Why is it the size or structure of what’s being encrypted that matters for brute force time rather than the key space of the encryption algorithm.
Password hashing is different because there is no key space.
Card information has no value because it is very easy to reissue a card. Things like name or phone number, or address, cannot be changed so easily and have much higher value.
Card information is literally cash money. It's volatile and subject to being rendered defunct, but it still has a lot of value if you can buy a bunch of prepaid gift cards with them before it's deactivated.
Imagine you could make payments with a salted and hashed credit card number.
Except that doesn't really make anything better, because now an attacker could simply use that salted and hashed credit card number elsewhere to make payments too!
The real solution is to use something like OAuth for payments. You authorize a merchant to take ongoing payments from you, and the card issuer gives the merchant a token which is only useful for making payments from you to them, and can't be used to make payments to anyone else.
Whilst you can't hash it like a password as you need to be able to transfer it onwards, modern systems make tokenisation possible, where you immediately pass the details to the card processor, don't store them at all, and get back a token that can be used for that transaction.
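The two designs contrasted above, as an added example that is not from any commenter: the salted-hash idea, where the hash turns out to be just another bearer credential, beside a merchant-bound token of the kind the last two comments describe. The issuer's vault layout and the merchant shared secrets are assumptions for the example.

```python
import hashlib
import hmac
import secrets


def salted_hash(pan, salt):
    return hashlib.sha256(salt + pan.encode()).hexdigest()


class HashedCardStrawman:
    """The scheme the comment rejects: the issuer recognises a salted hash of the card
    number. Whoever lifts the hash from one merchant's database can present it anywhere,
    because possession of the hash is all that is checked."""

    def __init__(self):
        self._known = set()

    def register(self, pan, salt):
        self._known.add(salted_hash(pan, salt))

    def charge(self, presented_hash, merchant_id, amount):
        return "approved" if presented_hash in self._known else "declined"


class TokenIssuer:
    """Merchant-bound tokens: the cardholder authorises one merchant, the issuer keeps
    token -> (card, merchant) in its own vault, and a charge is honoured only when the
    authenticated merchant is the one the token was issued to."""

    def __init__(self, merchant_secrets):
        self._merchants = dict(merchant_secrets)   # merchant_id -> shared secret (assumed)
        self._vault = {}                           # token -> {"pan": ..., "merchant": ...}

    def authorize(self, pan, merchant_id):
        """Called in the cardholder's session; the merchant only ever stores the token."""
        if merchant_id not in self._merchants:
            raise ValueError("unknown merchant")
        token = secrets.token_urlsafe(24)
        self._vault[token] = {"pan": pan, "merchant": merchant_id}
        return token

    def charge(self, token, merchant_id, merchant_secret, amount):
        expected = self._merchants.get(merchant_id)
        if expected is None or not hmac.compare_digest(expected, merchant_secret):
            return ("declined", "merchant authentication failed")
        record = self._vault.get(token)
        if record is None:
            return ("declined", "unknown token")
        if record["merchant"] != merchant_id:
            return ("declined", "token is bound to a different merchant")
        return ("approved", f"{amount} charged to card ending {record['pan'][-4:]}")
```

A dump of the merchant's database under the second scheme gives an attacker tokens that work only as that merchant, for charges that show up on that merchant's account, which is both visible and reversible; under the first scheme it gives them something as good as the card numbers.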
[1] http://news.marriott.com/2018/11/marriott-announces-starwood...
[2] https://info.starwoodhotels.com/
Should we be focusing our efforts more on how to make "identity theft" (i.e. fraud) more difficult, even when someone knows all your data?
Something more tied to your physical self, whether 2FA or something else?
Right now, there are few penalties, outside of a brief reputational hit, for large firms that lose control of customer data.
[1] https://archives.fbi.gov/archives/news/speeches/combating-th...
[2] https://www.networkworld.com/article/2952184/cisco-subnet/jo...
You’re right. These companies should absolutely have to weigh the cost of keeping data because they overestimate their ability to keep it safe.
i.e., instead of the traditional "what are the [last 4 of] your SSN, and/or we'll tell you three things that may or may not be in your credit history and you have to fill in the blank on each of them"...
...why not just use 2FA?
You give everyone a TOTP code on a separate card but tied by the government to your SSN, passport number, and state ID. You provide a government mobile app that they can use if they don't want to use a 3rd party one. When some third party wants to verify your identity, there would be a heavily secured, simple, autited government server that you'd use the app to auth to (ssn + TOTP), returning a temporary auth code/passphrase, stored for 1 day and associated with your SSN. You give that temporary code to the third party, which then verifies that temporary auth code or passphrase with that same government server. You could have an additional voice phone channel to get the temp codes, for people without smartphones.
If your TOTP code card and device are both lost or stolen, you visit in person to get a new one just like normal. Anyone who sees the card can impersonate you, but you shouldn't be carrying it around or waving it around, and even if stolen in individual cases, the scheme eliminates mass identity theft.
U2F could be an option, for anyone with a u2f-capable hardware security key or smartphone, but I'm not sure about mandating u2f because compatible hardware has a non-trivial marginal cost.
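To make the flow in the comment above concrete, here is an added example (mine, not the commenter's, and not any real government system): a self-contained Go program with both sides of the exchange. The citizen's app computes an RFC 6238 TOTP from the card secret and sends SSN + code to the server (step 1); the server hands back a random temporary code stored with the SSN and an expiry; the relying party then sends the SSN it was given plus that code and gets only yes or no (step 2). The IDServer type, the SSN values and the 24-hour TTL are assumptions for illustration; the TOTP secret is the RFC 6238 test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"time"
)

const totpStep = 30 // seconds per time step, the RFC 6238 default

// hotp is RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, six digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// totp is RFC 6238: hotp over the current 30-second step.
func totp(secret []byte, at time.Time) string {
	return hotp(secret, uint64(at.Unix())/totpStep)
}

type grant struct {
	ssn     string
	expires time.Time
}

// IDServer plays the government verification service from the comment above.
// Assumption: each card's TOTP secret was enrolled in person when the card was issued.
type IDServer struct {
	secrets map[string][]byte // SSN -> card secret
	lastUse map[string]uint64 // SSN -> last accepted time step (replay guard)
	grants  map[string]grant  // temporary code -> owner and expiry
	ttl     time.Duration
}

func NewIDServer(ttl time.Duration, enrolled map[string][]byte) *IDServer {
	return &IDServer{secrets: enrolled, lastUse: map[string]uint64{}, grants: map[string]grant{}, ttl: ttl}
}

// Authenticate is step 1: the citizen's app sends SSN + current TOTP and receives a
// random temporary code valid for ttl (one day in the comment).
func (s *IDServer) Authenticate(ssn, code string, now time.Time) (string, error) {
	secret, ok := s.secrets[ssn]
	if !ok {
		return "", fmt.Errorf("unknown identity")
	}
	step := uint64(now.Unix()) / totpStep
	// Tolerate one step of clock skew either way, but never a step at or below the
	// last one accepted for this SSN, so a sniffed code cannot be replayed.
	for _, c := range []uint64{step - 1, step, step + 1} {
		if last, used := s.lastUse[ssn]; used && c <= last {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(secret, c)), []byte(code)) != 1 {
			continue
		}
		s.lastUse[ssn] = c
		raw := make([]byte, 10)
		if _, err := rand.Read(raw); err != nil {
			return "", err
		}
		temp := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw)
		s.grants[temp] = grant{ssn: ssn, expires: now.Add(s.ttl)}
		return temp, nil
	}
	return "", fmt.Errorf("TOTP code rejected")
}

// Verify is step 2: the relying party submits the SSN the customer gave it plus the
// temporary code and gets only yes or no; the server never maps a code back to an SSN.
// Added assumption: the code is consumed on first presentation, matched or not.
func (s *IDServer) Verify(ssn, temp string, now time.Time) bool {
	g, ok := s.grants[temp]
	if !ok || now.After(g.expires) {
		return false
	}
	delete(s.grants, temp)
	return subtle.ConstantTimeCompare([]byte(g.ssn), []byte(ssn)) == 1
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, standing in for the card
	srv := NewIDServer(24*time.Hour, map[string][]byte{"123-45-6789": secret})
	temp, err := srv.Authenticate("123-45-6789", totp(secret, time.Now()), time.Now()) // the app
	fmt.Println("temporary code:", temp, err)
	fmt.Println("hotel verifies:", srv.Verify("123-45-6789", temp, time.Now())) // the relying party
}
```

Three details carry most of the security value: the server remembers the last accepted time step per SSN, so a code captured over the phone channel is dead once used; the temporary code is consumed on first presentation even when the SSN does not match, so a stolen code cannot be used as an oracle to confirm SSN guesses; and Verify answers only yes or no, so the relying party must already hold the SSN and learns nothing else from the server.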
This very case is already an example of overreach. The only reason a hotel needs someone's identity is in case they trash the room and skip out. There is absolutely no reason that it should have been kept after checkout, except that we've been groomed to expect this surveillance based on payment cards being similarly broken.
I can see the possibility for reasonable progress in the EU, where a government ID could carry rules that it couldn't be involuntarily used for business purposes (and assuming that would actually last). But in the US, the government will mandate some base system and then let companies abuse it ad infinitum - even social security numbers are already way too much.
Went into force a few months ago.
We need tough, enforced penalties for data breaches, plain and simple. It's a negative externality, just like pollution, and so can only be controlled by regulation.
No.
Your leaked data does not hurt me. So it is NOT like pollution.
If you do not like your data on the internet - do not give it to companies you do not trust.
> can only be controlled by regulation
Your claim is wrong.
Companies' behavior is controlled by customers' demands. The balance between security and convenience is not an exception here: customers' demands define where that balance is. There is no need for the government to intervene in this case.
Anyway, these companies are bad at their job as evidenced by the breach happening. And I definitely think we're past the time where it should be illegal for companies to even ask for passport numbers, DOB and social security. A phone company, a hotel, need none of that. They just want it. Big difference.
What we need are more options to transact anonymously. This "show ID for everything" culture needs to stop.
I really don't understand why so many companies think they need so much information about me. Or even if they do need it, why such disparate data as passport numbers, credit card numbers, email address, gender, and home address would be stored in the same database.
Is there a law that requires hotels to collect all this data? I've stayed at some cheap motels where they glanced at my driver's license and accepted a couple of $20 bills, and I got a key, and that was the entire transaction.
If companies knew that there was a database that everyone has access to with all the data you need to signup for new sources of credit for 50% of US residents, there would be a very strong financial incentive to actually fix the problem.
https://phys.org/news/2013-09-lexisnexis-breach-earlier-year...
I'm preeetty sure they source DL data from some state DMVs.
I give it 24 hours.
> “Usually when stolen data doesn’t appear, it’s a state actor collecting it for intelligence purposes,” said James A. Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington.
Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.
https://www.wsj.com/articles/inside-the-marriott-starwood-lo...
According to the article the systems were merged 3 months ago.
"The company resolved one major issue involving elite-night credits earned from credit card spending just last week, more than three months after the integration. That problem left many members in limbo, unsure of how close they were to hitting elite-level thresholds before year’s end."
The intrusion was detected on Starwood's system in September according to the BBC article.
"On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database."
It appears to include everyone who's ever stayed in a room at a Marriott, St. Regis, Ritz-Carlton, Bulgari, W Hotel, JW Marriott, The Luxury Collection, Le Meridien, Renaissance, Westin, Tribute Portfolio, Sheraton, Autograph Collection, Design Hotel, Marriott Executive Apartments, Delta Hotels & Resorts, AC Hotels, Element, Gaylord, SpringHill Suites, Courtyard, Residence Inn, Fairfield Inn & Suites, Moxy Hotels, Protea Hotels, TownePlace Suites, Aloft, Four Points by Sheraton, or Marriott Vacation Club property.
For reference, there are under 130M households in the US and around 200M households in the entire EU.
"The hotel chain said the guest reservation database of its Starwood division had been compromised by an unauthorised party."
"Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network."
edit: the Marriott website itself confirms as much that this is limited to Starwood properties.
http://news.marriott.com/2018/11/marriott-announces-starwood...
" guest information relating to reservations at Starwood properties* on or before September 10, 2018.'"
"* Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included."
Do you have other information?
Other marketing activities.
Resale to third parties.
You at any point requested to be added to their mailing list and that's linked to purchase history.
Web analytics linked to purchase history.
Corporate policy is not to delete data.
Laziness.
So there are seven reasons of various legitimacy off the top of my head.
Oh dear.
It’s still not perfect because an attacker can potentially send requests to the key management server, but they shouldn’t be able to walk away with the keys to perform decryption outside of the system.
You then set up monitoring to watch how many decryption operations are being performed per minute or hour and alert admins when it steps outside of normal usage patterns.
It’s not perfect but can help you to 1) catch an attacker early and 2) have some type of estimate of the size of the breach when discovered. A very patient attacker may not trigger an alarm of decryption operations but in that case he’s got to work much slower, which limits the scope of the attack while they hopefully trigger something else that exposes them.
1: https://devender.me/2016/07/13/envelope-encryption/
The gist is you create an encryption key for your row, encrypt it using your encryption service, and store it next to your actual payload. To decrypt, ask the service to decrypt the key which you use to decrypt the payload. If your database gets popped, your decryption server hopefully didn't because you hardened it specifically.
Envelope encryption is a good scheme. Under envelope encryption you have a master key and per-row or per-unit keys. You store the per-unit keys encrypted with the master key, and the master key is stored offsite.
For example on an AWS environment, you would use AWS KMS with IAM authentication to handle the master key crypt for the individual keys, and the encrypted versions of the individual keys are stored in a database that you own.
You encrypt your data with the individual keys (eg, one key per user, or one key per DB row, or one key per namespace, whatever), but the individual keys are decryptable only by KMS.
Under this scheme an attacker must both be able to get ahold of the encrypted individual keys, and be able to decrypt them with the master key.
Of course this leaves you very vulnerable if the master key is acquired, but KMS does not allow you to read the master key at all, you have to use the AWS API to make encryption/decryption requests. So the vulnerability is less about how secure the key is and more about how secure your IAM setup and instances are.
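An added worked example of the scheme in the last few comments: per-row data keys wrapped by a master key that only the key service can use, plus the decryption-rate alarm from the comment beginning "It's still not perfect". This is my illustration in Go, not code from Marriott, AWS or HashiCorp; KeyService is a hypothetical in-process stand-in for KMS or Vault transit, the record ID and payload are made up, and standard-library AES-GCM plays both the master cipher and the per-record cipher.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// newAEAD builds AES-GCM over key; a wrong key length is a configuration bug, so panic.
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal returns nonce||ciphertext; aad is authenticated but not encrypted.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// KeyService is an in-process stand-in for AWS KMS or Vault transit (hypothetical API).
// It holds the master key and offers only wrap/unwrap of data keys; the key never leaves it.
type KeyService struct {
	master cipher.AEAD
	window time.Duration // sliding window for the unwrap-rate alarm
	limit  int           // unwraps per window that count as normal usage
	seen   []time.Time   // timestamps of recent unwraps, oldest first
	Alerts []string      // alarms raised, as the on-call admin would see them
}

// WrapDataKey binds the record ID as associated data: a wrapped key moved to another row will not unwrap.
func (ks *KeyService) WrapDataKey(dataKey []byte, recordID string) ([]byte, error) {
	return seal(ks.master, dataKey, []byte(recordID))
}

// UnwrapDataKey is the only path back to a data key. Each call is counted in the sliding
// window; exceeding the limit raises an alert but does not block, so a false positive pages someone.
func (ks *KeyService) UnwrapDataKey(wrapped []byte, recordID string, now time.Time) ([]byte, error) {
	ks.seen = append(ks.seen, now)
	for len(ks.seen) > 0 && !ks.seen[0].After(now.Add(-ks.window)) {
		ks.seen = ks.seen[1:] // age out entries older than the window
	}
	if len(ks.seen) > ks.limit {
		ks.Alerts = append(ks.Alerts, fmt.Sprintf("%d unwraps within %s at %s", len(ks.seen), ks.window, now.Format(time.RFC3339)))
	}
	return open(ks.master, wrapped, []byte(recordID))
}

// Record is the database row: the wrapped per-record key sits next to the payload it protects.
type Record struct {
	ID         string
	WrappedKey []byte
	Ciphertext []byte
}

func EncryptRecord(ks *KeyService, id string, plaintext []byte) (Record, error) {
	dataKey := make([]byte, 32) // fresh AES-256 key for this record only
	if _, err := rand.Read(dataKey); err != nil {
		return Record{}, err
	}
	ct, err1 := seal(newAEAD(dataKey), plaintext, []byte(id))
	wrapped, err2 := ks.WrapDataKey(dataKey, id)
	if err1 != nil || err2 != nil {
		return Record{}, errors.Join(err1, err2)
	}
	return Record{ID: id, WrappedKey: wrapped, Ciphertext: ct}, nil
}

func DecryptRecord(ks *KeyService, r Record, now time.Time) ([]byte, error) {
	dataKey, err := ks.UnwrapDataKey(r.WrappedKey, r.ID, now)
	if err != nil {
		return nil, err
	}
	return open(newAEAD(dataKey), r.Ciphertext, []byte(r.ID))
}

func main() {
	ks := &KeyService{master: newAEAD(bytes.Repeat([]byte{7}, 32)), window: time.Minute, limit: 100} // demo key only
	rec, _ := EncryptRecord(ks, "guest-42", []byte("passport=X1234567"))
	pt, err := DecryptRecord(ks, rec, time.Now())
	fmt.Println(string(pt), err)
}
```

A dump of the table gives the attacker ciphertexts and wrapped keys, neither of which is usable without the key service; the record ID as associated data stops a wrapped key being grafted onto another row; and because every unwrap, successful or not, is counted, an attacker who has to call the service per row shows up in the rate alarm, which is exactly the early-warning and breach-sizing benefit the comment describes.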
If you don't need to decrypt the data on the same system, you could always use asymmetric encryption, so encrypt with the "public" key and then keep the private key elsewhere.
If you require to be able to decrypt on the system in question then you need a key somewhere, so secure storage of the key is very important.
One option, often deployed in banks, is to store the key in a hardware security module (HSM) and then ensure that it's not available outside of that.
There's a load of tradeoffs to using HSMs but they can be useful where symmetric encryption is needed.
Amazon and Azure offer these in the cloud.
Physically separate the key storage from the data storage. Different servers, different user auth mechanism. Make them compromise both systems.
Unique keys per client.
Use key-encrypting keys, periodically replace them.
PCI environment must be totally self contained and not mixed with standard working environment. If an employee is phished, their credentials for email/etc should not gain access to the env.
Don't allow developers to deploy or even read from prod db. Have a separate deployment team, all access to prod database audited via production tickets.
Assuming a layered system, something like Vault transit encryption (perhaps with the master key in an HSM) should keep decryption keys away from front-end machines, though as ever, once you have root and can access the memory of a machine where the encryption keys are stored, most bets are off.
The general idea is to insert some kind of bogus information into a system, with no links to other systems, and then trigger a notification if someone accesses it.
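An added example of that honeytoken idea (mine, not from the thread or any vendor): two fabricated guest rows and a scanner over a constructed database audit log. The log format, the `guests` table name and the canary values are assumptions for illustration; the point the code makes is that a canary must be watched both by its identifiers and by unfiltered reads of its table, since a bulk dump never names the row it is taking.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// A canary is a fabricated guest seeded into the reservation database. The values
// below are constructed for this example; the requirement is that no real person,
// mailing list, partner feed or report ever references them, so that any read of
// the row is an intrusion signal rather than business as usual.
type Canary struct {
	Label  string
	Values []string // every identifier by which the row can be looked up
}

var Canaries = []Canary{
	{"guest-canary-1", []string{"h.quentin.marlowe@example.net", "SPG-0000981234", "+1-555-0199"}},
	{"guest-canary-2", []string{"ines.vallaro@example.org", "SPG-0000772210", "+1-555-0188"}},
}

// Hit is one audit-log line that touched a canary.
type Hit struct {
	Line   int
	Actor  string
	Canary string
	Reason string
}

var (
	actorRe   = regexp.MustCompile(`\buser=(\S+)`)
	stmtRe    = regexp.MustCompile(`stmt="([^"]*)"`)
	literalRe = regexp.MustCompile(`'([^']*)'`)
	bulkRe    = regexp.MustCompile(`(?i)\bFROM\s+guests\b`)
	whereRe   = regexp.MustCompile(`(?i)\bWHERE\b`)
)

// ScanAuditLog reports (a) statements whose string literals name a canary value and
// (b) reads of the guests table with no WHERE clause, which return every row
// including the canaries and so deserve the same alarm even though no canary
// value appears in the statement text.
func ScanAuditLog(log string) []Hit {
	var hits []Hit
	for i, line := range strings.Split(strings.TrimSpace(log), "\n") {
		actor := "?"
		if m := actorRe.FindStringSubmatch(line); m != nil {
			actor = m[1]
		}
		m := stmtRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a statement line
		}
		stmt := m[1]
		for _, lit := range literalRe.FindAllStringSubmatch(stmt, -1) {
			v := strings.ToLower(strings.TrimSpace(lit[1]))
			for _, c := range Canaries {
				for _, cv := range c.Values {
					if v == strings.ToLower(cv) {
						hits = append(hits, Hit{i + 1, actor, c.Label, "lookup by " + cv})
					}
				}
			}
		}
		if bulkRe.MatchString(stmt) && !whereRe.MatchString(stmt) {
			for _, c := range Canaries {
				hits = append(hits, Hit{i + 1, actor, c.Label, "unfiltered read of guests"})
			}
		}
	}
	return hits
}

// SampleLog is a constructed audit-log excerpt in the format the scanner expects.
const SampleLog = `
2018-09-08T10:12:44Z user=app_web stmt="SELECT name,email FROM guests WHERE email='jane.doe@example.com'"
2018-09-08T10:13:02Z user=app_web stmt="SELECT * FROM guests WHERE spg_number='SPG-0000981234'"
2018-09-08T10:15:51Z user=svc_reporting stmt="SELECT name,email,passport FROM guests"
2018-09-08T10:16:10Z user=app_web stmt="UPDATE guests SET phone='+1-555-0100' WHERE id=42"
`

func main() {
	for _, h := range ScanAuditLog(SampleLog) {
		fmt.Printf("ALERT line %d actor=%s canary=%s (%s)\n", h.Line, h.Actor, h.Canary, h.Reason)
	}
}
```

On the sample log the second line trips the canary by its loyalty number and the third trips every canary at once because a reporting account read the whole table; the first and fourth lines, ordinary lookups of real-looking rows, stay quiet. The actor field is what makes the alert actionable: a canary hit from the web application's own service account points at an application bug or an attacker riding its credentials, while one from a reporting or ad-hoc account points at a person.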
You are already fucked at this point. I would focus my attention on preventing hackers from 1) gaining any unauthorized access and 2) doing any sort of privilege escalation from a restricted account/service.
That seems like the least interesting bit of information here for individuals.
It's really bizarre to me that people here seem to consider their credit card numbers more sensitive than their travel history or even contact information.
Generally people's level of care will correlate to what nefarious purposes the data can be used for. There aren't that many such purposes with the data exposed here until you consider the passport number (probably something more secure than a SSN for most Americans?), payment info, or login info. The purposes I can think of for the other data are reliant on the metadata that so-and-so was at that location at that time, when I might have believed something else.
Edit: Ugh. Yes. My mind was apparently elsewhere. Keyspace would drive the time needed.
Though it is a relatively short list of known plaintext, especially if you focus on the BIN ranges for, say, the three most popular banks in the US.
But, only interesting if Marriott was using some encryption with a small keyspace.
If yes, how much would you expect the bruteforcer to earn per successful attempt?
At the very least you'll need cardholder name and expiry to match up, and hopefully you'll need CVV/CVC as well.
Of course I really hope the Marriott weren't storing CVV in a reversibly encrypted format.
Password hashing is different because there is no key space.
Except that doesn't really make anything better, because now an attacker could simply use that salted and hashed credit card number elsewhere to make payments too!
The real solution is to use something like OAuth for payments. You authorize a merchant to take ongoing payments from you, and the card issuer gives the merchant a token which is only useful for making payments from you to them, and can't be used to make payments to anyone else.
https://squareup.com/gb/townsquare/what-does-tokenization-ac...