Archive for RB

Marriott Data Breach One Of Biggest Ever

Updated July 17, 2019 – The Brits slapped Marriott with a £99m ($124m) fine for “infringements of the GDPR.” The Information Commissioner’s Office said that Marriott failed to undertake sufficient due diligence when it bought Starwood, and should also have done more to secure its systems prior to the data breach.

___

The internet is a dangerous place for data. Hotel chain Marriott (MAR) proved that once again. Marriott revealed that hackers stole personal information from 500 million Starwood Preferred Guest program participants. The data stolen in the data breach included sensitive personally identifiable information (PII).


Marriott said it got an alert on September 8, 2018, about an attempt to access the Starwood database and enlisted security experts to assess the situation. During the investigation, Marriott claims to have discovered that the unauthorized access to the Starwood network started in 2014.

Investigators found that an unauthorized party had copied and encrypted information from the database and had taken steps toward removing it. The company was able to decrypt the information on November 19, 2018, and found that the contents were from the Starwood guest reservation database. The hotel chain then waited until November 30, 2018, to tell its customers of the data theft.

What was lost in the data breach

For about 327 million Marriott customers, the compromised information includes some combination of name, address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Marriott added that the data breach included payment card information. About 170 million affected Marriott customers only had their names and basic information, such as address or email address, stolen.

Marriott says that about 20.3 million encrypted passport numbers and approximately 8.6 million encrypted payment cards were compromised in the breach.

Several sources report that state-sponsored Chinese hackers working for the intelligence services and the military were behind the attack. The stolen data would be an espionage bonanza for government hackers. Sources point out that the Starwood attacks began in 2014, shortly after the attack on the U.S. government’s Office of Personnel Management (OPM) compromised sensitive data on tens of millions of employees, including application forms for security clearances.

Sadly, the 500 million-record Marriott hack only ranks as the third-largest known data breach to date. This list of fails illustrates that, no matter what you’re doing online, every time you put your information on the internet you risk it being stolen.

Rank  Company                    Accounts Hacked  Date of Hack
1     Yahoo                      3 Billion        August 2013
2     River City Media           1.3 Billion      May 2017
3     Aadhaar                    1.1 Billion      January 2018
4     Marriott                   500 Million      2014 - 2018
5     Yahoo                      500 Million      Late 2014
6     Adult Friend Finder        412 Million      October 2016
7     MySpace                    360 Million      May 2016
8     Exactis                    340 Million      June 2018
9     Twitter                    330 Million      May 2018
10    Experian                   200 Million      March 2012
11    Deep Root Analytics        198 Million      June 2017
12    Adobe                      152 Million      October 2013
13    Under Armor                150 Million      February 2018
14    Equifax                    145.5 Million    July 2017
15    Ebay                       145 Million      May 2014
16    Heartland Payment Systems  134 Million      May 2008
17    Alteryx                    123 Million      December 2017
18    Nametests                  120 Million      June 2018
19    LinkedIn                   117 Million      June 2012
20    Target                     110 Million      November 2013
21    Quora                      100 Million      November 2018
22    VK                         100 Million      December 2018
23    Firebase                   100 Million      June 2018

rb-

There is something else fishy here. Reports claim that the data was encrypted using AES-128, but not all of the stolen data was. Attackers were able to steal nearly 20 million passport numbers and 8.6 million encrypted payment cards.

Marriott says that the attackers were able to gain access to 5.25 million unencrypted passport numbers and 2,000 unencrypted payment card numbers.

I’m sure that regulators (GDPR) and lawyers will ask why unencrypted sensitive info like passports and credit card numbers was lying around waiting to be stolen.

 


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Happy New Year 2019

 


Doomba

A fitting way to close out 2018 is to celebrate the 25th anniversary of the classic first-person shooter game “Doom.” Doom tells the story of a base operated by the Union Aerospace Corporation on the Martian moon Phobos. The base is overrun by demons from Hell after its top-secret teleportation experiments go awry. A detachment of space marines is sent to investigate, and all but one are slaughtered. It’s up to the player to fight through the horde of demons on Phobos and, eventually, Hell itself to prevent a massive invasion of Earth.

Like the last space marine, Doom is a survivor. As Motherboard explained, Doom is compatible with many devices because id Software wanted it to be. id Software released Doom’s source code to the public in 1997 for reuse. Doom has been modified to run in ASCII and on a number of platforms, including ATMs and printers.

The latest hack of Doom comes from developer Rich Whitehouse. He exploited the fact that Roomba self-driving vacuum robots create maps of your house as they sweep up. iRobot CEO Colin Angle swears he will totally never sell maps of your home to advertisers. Despite the CEO’s assurances, Mr. Whitehouse demonstrates that these maps can be exported. He uses the Roomba maps to create Doomba, a tool that converts Roomba maps for use in Doom. Mr. Whitehouse told Digital Trends:

There’s a lot going on under the hood, though. The Roomba is broadcasting a position and angle across the network in roughly one-second intervals, as well as a bunch of other data. I write the relevant data out to a .noeroomba file as it comes in. When you go to load that .noeroomba file [into my own tool] Noesis, that’s when the magic happens.


Stories From A Christmas Story

The 1983 classic holiday movie A Christmas Story has been with us for 35 years. If you have lived under a rock for the last 35 years, the movie is based on the Jean Shepherd story In God We Trust: All Others Pay Cash, which chronicles Ralphie’s quest for a Daisy Red Ryder BB gun. Here are some little-known facts about the holiday classic movie.

The 24-hour marathon began as a stunt. Thanks to Ted Turner, holiday revelers can see Ralphie, a.k.a. Peter Billingsley, as many times as they want on TBS. The 24-hour Christmas Day marathon of A Christmas Story is probably dreaded by as many people as enjoy it. TNT rolled out the first marathon in 1988 as a stunt, and it became a recurring holiday tradition in 1997.

Ralphie really wants a Red Ryder BB Gun. Ralphie says he wants a Red Ryder BB Gun 28 times over the course of the movie. Mental Floss calculates that’s about once every three minutes and 20 seconds.

You can still buy a Red Ryder BB Gun. The real Red Ryder BB Gun was first made in 1938 and was named after a popular newspaper comic strip. You can still buy a Red Ryder BB Gun for the low price of $29.98. The original wasn’t quite the same as the one in the movie. The “official Red Ryder carbine-action, 200-shot, range model air rifle with a compass in the stock and this thing that tells time” did not have Ralphie’s compass in the stock, or “this thing which tells time,” that both the Jean Shepherd story and the movie call for.

Daisy introduced the Red Ryder BB gun, named after the comic strip cowboy Red Ryder, and it sold for $2.95. It did not have a compass or a sundial. That was the Buck Jones model, named for a popular Western movie star of the 1920s, ’30s, and ’40s. Special versions of the “official Red Ryder carbine-action, 200-shot, range model air rifle with a compass in the stock and this thing that tells time” had to be made just for A Christmas Story.

The Daisy BB gun started in Michigan. The Plymouth Windmill Company of Plymouth, Michigan began giving away BB guns as a gift for buying a windmill. Declining sales of windmills forced the business to convert to making only BB guns. In 1895 the company changed its name to Daisy Manufacturing Company, Inc. When World War II began, Daisy stopped making the air guns for several years. Production resumed in 1946, and a few years later the company was selling more than 1 million BB guns annually. Daisy relocated from Michigan to Arkansas in 1958.

Flick’s tongue wasn’t actually frozen to that flagpole. If you triple dog dare your best friend to stick his tongue on a piece of cold metal, it will stick. Mythbusters proved it was possible to get your tongue truly stuck on a piece of cold metal. But Flick’s tongue wasn’t actually stuck on the icy pole. The producers used a hidden suction tube to safely create the illusion.

Frageelee—it must be Italian. The author of the book saw an advertisement for Nehi orange soda featuring a woman’s leg and used it as the inspiration for the “major award.” The producers had three leg lamps created for the movie. All three copies of the leg lamp that the Old Man loves so much were broken during filming.

Just a kid. The boy in the goggles who’s waiting next to Ralphie to see Santa is not an actor. He was a real kid in the department store, and director Bob Clark decided to put him in the scene because he looked odd.

Santa’s Revenge. Author Shepherd loathed A Christmas Story’s generic, apple-pie title. He told the NY Post:

“I fought it all the way down the line … It was based on a story called ‘Red Ryder Nails the Cleveland Street Kid’ and I could accept that was too long for a marquee. My original title was ‘Santa’s Revenge.’”

rb-

Happy Viewing and Merry Christmas

 


The 10 Worst Passwords of 2018

It is the end of 2018, and we have learned nothing from the massive Facebook and Marriott data leaks and numerous other hacks. California-based password-management company SplashData released its 2018 list of the 100 worst passwords, based on 5 million passwords leaked on the internet.

Few people have switched things up. People continue to use the same hacked passwords time and time again. Topping the list of terrible passwords were “123456789” at No. 3, “password” at No. 2, and “123456” at No. 1. 2018 marked the fifth straight year that “123456” and “password” kept their top two spots on the SplashData list.

1. 123456
2. password
3. 123456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. sunshine
9. qwerty
10. iloveyou

There are only 2 new entries in the 10 worst passwords: the highly insecure “111111” at number 6 and “sunshine” at number 8.

SplashData estimates 10% of people have used at least one of the 25 worst passwords on this year’s list, with roughly 3% of internet users relying on the worst password, “123456.”

Don’t congratulate yourself yet if your passwords didn’t make SplashData’s top 10 most used and least secure passwords of 2018. Check out the rest of SplashData’s list of 100 worst passwords. If your password made the 100 worst passwords list this year, you should change it.

rb-

Password advice has changed about as quickly as people’s passwords – NOT MUCH – but it is worth repeating:

  • Use passphrases of twelve characters or more with mixed types of characters.
  • Use a different passphrase for each account. If a hacker gets access to one of your passwords, they will not be able to use it on other sites, and you only have to change that one password instead of 50 of them.
  • Use a password manager to generate and store your passwords and automatically log into websites.
  • Set up two-factor authentication. Especially when the code is generated on a phone app like Google Authenticator or on a small hardware device like a Yubikey, it adds an extra layer of security.

Imperva points out that 5% of all successful attacks use brute force to guess a user or administrator password. Brute force attacks do this with repeated login attempts, trying every possible letter, number, and character combination to guess a password.

Because most individuals have many accounts and many passwords, people tend to reuse a few simple passwords. This leaves them exposed to brute force attacks. Email accounts protected by weak passwords are particularly valuable to hackers: they may be connected to additional accounts, and they can also be used to reset the passwords of those accounts.

Attackers use specialized hardware to guess user passwords efficiently. Cryptocurrency mining rigs with graphics processing units (GPUs) and application-specific integrated circuits (ASICs) can be very effective at quick, repetitive tasks like password guessing.

Imperva recommends a number of steps that an administrator can take to protect users from brute force password cracking:

  • Lockout policy—you can lock accounts after several failed login attempts and then unlock them as the administrator.
  • Progressive delays—you can lock out accounts for a limited amount of time after failed login attempts. Each further attempt makes the delay longer.
  • Captcha—tools like reCAPTCHA require users to complete simple tasks to log into a system. Users can easily complete these tasks, while brute force tools cannot.
  • Requiring strong passwords—you can force users to define long and complex passwords.
  • Two-factor authentication—you can use multiple factors to authenticate identity and grant access to accounts.
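As an added example (not code from this post or from Imperva), here is how the lockout and progressive-delay steps above fit together on a login endpoint. The thresholds, the account names and the injected `check_password` callback are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed thresholds, not Imperva's numbers: lock after 5 consecutive
# failures; before that, double the wait after every failed attempt.
MAX_FAILURES = 5
BASE_DELAY = 2.0          # seconds of delay after the first failure
LOCKOUT_SECONDS = 900     # 15-minute lockout; an administrator can clear it early


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time another attempt is accepted
    locked_until: float = 0.0   # account locked while now < locked_until


class LoginThrottle:
    def __init__(self, check_password: Callable[[str, str], bool]):
        self.check_password = check_password   # real verifier, e.g. a bcrypt compare
        self.state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'failed', 'delayed' or 'locked'. 'now' is injected so
        the policy is testable without sleeping."""
        s = self.state.setdefault(user, AccountState())
        if now < s.locked_until:
            return "locked"               # lockout policy in force
        if now < s.next_allowed:
            return "delayed"              # progressive delay: guess not even checked
        if self.check_password(user, password):
            self.state[user] = AccountState()   # success resets the counters
            return "ok"
        s.failures += 1
        if s.failures >= MAX_FAILURES:
            s.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        # Delay grows 2s, 4s, 8s, 16s ... so a guessing tool slows to a crawl
        s.next_allowed = now + BASE_DELAY * 2 ** (s.failures - 1)
        return "failed"

    def admin_unlock(self, user: str) -> None:
        """The manual unlock an administrator performs under a lockout policy."""
        self.state.pop(user, None)
```

The delayed and locked responses are returned before the password is checked, so a tool hammering the endpoint learns nothing about the guess during that window.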