Blog

Heads up if you’ve stayed or made reservations at a Marriott or Starwood property over the last decade. A major security issue was just announced and the scope of the problem is actually quite astonishing. Here’s what you need to know about the Marriott International data breach.

What is the Marriott Data Breach?

On November 30th, Marriott International announced that the private information of up to 500 million guests became compromised. The breach is one of the largest in history and brings up a variety of concerns regarding consumer privacy safety.

They noted that an internal tool recognized a data breach in September, but wasn’t able to confirm the issue was part of the Starwood database until November. Further investigation revealed that the problem has happened since as far back as 2014 and that the exact breadth of the issue isn’t yet known.

Who is Affected by the Marriott Data Breach?

To be blunt, 500 million people is a lot. If you’ve traveled on business in the past or regularly stay at the hotel chain’s properties, your personal data is likely compromised. Additionally, those who merely made reservations but never actually stayed the night are also included in the breach.

According to NBC News, Marriott also reported that for 327 million of those people, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Encrypted credit card information is also likely stolen, but the company isn’t yet sure if the thieves were able to reveal account numbers.

An additional report also suggested that employee information might have even been compromised, especially in situations where workers took advantage of employee discounts to stay at hotels around the globe.

What is Marriott Doing After the Data Breach?

While the initial statement from the company was vague, they have taken steps to improve the situation by hiring the public relations firm Kroll. Those concerned about being part of the Marriott data breach may check for more information at a website provided by the hotel chain.

Maryland Attorney General Brian Frosh is opening an investigation into the incident, citing the company headquarters in his state as the reasoning for his inquisition. Additionally, New York planned to look into the incident and other states where the company has properties are likely to follow. There is no word yet on how the breach is being reviewed internationally.

Furthermore, within hours of the news, a class action lawsuit for 12 billion dollars was filed by Ben Meiselas of Geragos & Geragos. The suit is on behalf of two plaintiffs who feel duped by the company not immediately admitting there was a security issue. In other cases in the past are any indication, there’s likely to be a settlement out of court soon.

What Can Other Companies Learn from Marriott’s Data Breach?

At this time, it is hard to tell what other companies can learn from Marriott International’s data breach since news of the incident is still relatively recent. Other companies have faced similar issues in the past, such as Yahoo’s admission earlier this year that the three billion accounts had information hacked and Under Armour’s data breach of 150 million MyFitnessPal user accounts. Those companies were able to provide customers with free credit monitoring to try to earn back trust, but time will still tell on how it affects each firm’s reputation overall. Both have made attempts to increase application cybersecurity.

In short, if you have made a reservation or stayed at a Marriott Hotel or Starwood property in the last few years, it is wise to invest in some version of identity theft monitoring. Also, consider additional discussion and concerns with your lawyer general and by making a claim on Marriott’s data breach website.

SamSam Ransomware is becoming a massive problem for multiple industries across the United States. In fact, the problem is so big that The Department of Homeland Security, (DHS), National Cybersecurity and Communications Integration Center, (NCCIC), and the Federal Bureau of Investigation, (FBI), have all recently issued a US-CERT alert due to the SamSam ransomware. Like other types of ransomware, files and networks are infected. In exchange for uninfected the system, hackers want a ransom, that typically costs thousands upon thousands of dollars. Every company that runs a network needs to be aware of SamSam ransomware. Here is what you need to know about this topic.

What is SamSam Ransomware?

SamSam ransomware is a type of ransomware that is designed to exploit Windows servers to gain access to your network. Once it is in the network, it uses the JexBoss Exploit Kit to access your JBoss applications. This type of ransomware is also able to use Remote Desktop Protocol to access your network. The virus is difficult to detect, due to the path it takes to access your system. Once the virus has made its way inside, hackers are able to get administrators rights, putting their malware on your server and basically hijacking your network. They do not release their hold on their network until you pay them the ransom they are asking.

What Can You Do to Decrease Your Chances of Getting SamSam Ransomware?

It is extremely important that you take the correct precautions to decrease your chances of getting infected with SamSam ransomware.

One of the steps you can take is to enable strong passwords and an account lockout policy. If you have strong passwords and a good lockout policy in place, it makes it much harder for the software to hack into your system and infect it. Enabling multi-factor authentication can also help. Before any new software can be installed, before software can be wiped or before changes can be made to your network, authentication is needed. The more authentication levels you have, the harder it will be for any ransomware to infect your system.

Unfortunately, while you can decrease your chances of getting infected with SamSam ransomware, there is no way to prevent infection altogether. As such, it is essential that you regularly install system and software updates and maintain a great backup system for all of your data and systems. This way, if you do get infected, you have a recent back-up for all of your system and data. You can wipe your current, infected system and start fresh from your backup point, without losing much at all.

How Can You Learn More About SamSam Ransomware?

If you are looking to learn more about SamSam ransomware, including the technical details surrounding it. It is highly recommended that you read through the SamSam Malware Analysis Reports that have been released by the US-CERT. A list of the reports, including links, are included here:

• MAR-10219351.r1.v2 – SamSam1
• MAR-10166283.r1.v1 – SamSam2
• MAR-10158513.r1.v1 – SamSam3
• MAR-10164494.r1.v1 – SamSam4

SamSam Ransomware is infecting computer systems and networks in multiple industries all across America. It is important that you learn what this ransomware is and how to protect yourself against it. Taking the right action can help to minimize the chances of your network being held ransom by SamSam ransomware.

The Department of Homeland Security and the Federal Bureau of Investigation issued a critical alert Dec. 3, warning users about SamSam ransomware and providing details on what system vulnerabilities permit the pernicious product to be deployed.

According to the alert, which came from the DHS’s National Cybersecurity and Communications Integration Center (NCCIC) along with the FBI, the SamSam actors targeted multiple industries—some within critical infrastructure—with the ransomware, which also is known as MSIL/Samas. The attacks mostly affected victims within the United States, but there was also an international impact.

As pointed out in the alert, organizations are more at risk to be attacked by network-wide infections than individuals because they are typically in a position where they have no option but making ransom payments.

“Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms,” the alert states.

That does not mean individual systems cannot or are not attacked, but they are targeted significantly less by this particular type of malware.

How do SamSam actors operate?

Through FBI analysis of victims’ access logs and victim-reporting over the past couple of years, the agencies have discovered that the SamSam actors exploit Windows servers and vulnerable JBoss applications. Hackers use Remote Desktop Protocol (RDP) to gain access to their victims’ networks through an approved access point and infect reachable hosts. From there, the cyber actors “escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization,” the report states.

RDP ransomware campaigns are typically accomplished through stolen login credentials—sometimes purchased from darknet marketplaces—or brute force attacks. Since they do not rely on victims completing a specific action, detecting RDP intrusions is challenging, according to the alert.

Ransom notes instructing victims to establish contact through a Tor hidden service are left on encrypted computers by the SamSam attackers. Victims are assured that once they pay the ransom in Bitcoin, they will receive links to download cryptographic keys and tools for decrypting their network.

Where did SamSam originate?

The Department of Justice recently indicted two Iranian men who allegedly were behind the creation of SamSam and deployed the ransomware, causing approximately $30 million of damage and collecting about $6 million in ransom payments from victims. The crippling ransomware affected about 200 municipalities, hospital, universities and other targets during the past three years, according to an article from Wired.

Keith Jarvis, a senior security researcher at SecureWorks, reiterated the sophistication of the SamSam ransomware and how it gains access to systems through weak authentication or vulnerabilities in web applications, methods that don’t require the victim to engage in a particular action. Hackers also go out of their way to target specific victims whose critical operations rely on getting systems up and running as quickly as possible, making them more likely to simply pay up.

What technical details about SamSam are important?

In the joint DHS and FBI report, the federal agencies provided a list, though not exhaustive, of SamSam Malware Analysis Reports that outline four variants of the ransomware. Organizations or their IT services administrators can review the following reports:

MAR-10219351.r1.v2 – SamSam1

MAR-10166283.r1.v1 – SamSam2

MAR-10158513.r1.v1 – SamSam3

MAR-10164494.r1.v1 – SamSam4

What mitigation and prevents practices are best?

In general, organizations are encouraged to not pay ransoms, since there is no guarantee they will receive decryption keys from the criminals. However, relying on a contingency plan or waiting out an attack, as advised by the FBI, is difficult when an entire operation has been compromised.

The best course of action is for organizations to strengthen their security posture in a way that prevents or at least mitigates the worst impacts of ransomware attacks. The FBI and DHS provided several best practices for system owners, users and administrators to consider to protect their systems.

For instance, network administrators are encouraged to review their systems to detect those that use RDP remote communication and place any system with an open RDP port behind a firewall. Users can be required to use a virtual private network (VPN) to access the system. Other best practices, according to the report, include:

• Applying two-factor authentication
• Disabling file and printer sharing services when possible, or using Active Directory authentication or strong passwords for required services
• Regularly applying software and system updates
• Reviewing logs regularly to detect intrusion attempts.
• Ensuring third parties follow internal policies on remote access
• Disabling RDP on critical devices where possible
• Regulating and limiting external-to-internal RDP connections
• Restricting the ability of users to install and run the unwanted software application

This just scratches the surface of actions that administrators and users can take to protect their networks against SamSam or other cyber-attacks. The National Institute of Standards and Technology (NIST) provides more thorough recommendations in its Guide to Malware Incident Prevention and Handling for Desktops and Laptops, or Special Publication 800-83.

Information technology specialists can also provide insight and advice for how organizations can detect gaps or vulnerabilities in their cyber-security that leave them susceptible to SamSam or other malware infections.

Even though the word App is relatively new, it has become popular in everyday terminology as its uses have changed lives in the modern world. Almost all mobile phones are now smartphones, so even those individuals who were apprehensive about using new technology now use apps on a daily basis. That is why we now celebrate National App Day every year on December 11.

What is an App?

The word “App” was listed as the word of the year by the American Dialect Society in just 2010, showing just how quickly apps have become a regular part of society. But people already use the word so much they don’t really think of where it comes from. While the term “app” is short for “application,” common usage has changed the meaning.

An app is actually a kind of computer software or a program, and now usually refers to a very small one used on mobile devices like smartphones and tablets. Initially, the term could have meant any mobile or desktop application, but the term has quickly evolved to conform to the way people use it. Now there are thousands of apps, and some individuals and businesses design and run their own apps to make specific tasks easier.

Kinds of Apps and Main Uses

There are three basic kinds of apps, but Web Application Apps are used through a browser and Hybrid Apps have characteristics of both Web Application Apps and Native Apps. Native Apps are the ones used on mobile devices, and they only work on certain devices and have a special source code.

Of course, once someone understands how apps work they can create a new one to perform specific functions. Apps are available on Google Play for Android users, Apple’s App Store, the Windows Phone Store and BlackBerry App World. There are currently millions of apps, and prices range as widely as uses. Some apps are entirely free, while others have a recurring rate.

• Apps can be used for communication, including encrypted phone calls or video phone.
• Apps can be used for entertainment, providing movies, books and music.
• Travel apps provide needed information and tools, helping with everything from transportation to finding the closest restaurant.
• Many people use apps for games, playing simple games like solitaire or complicated games with players around the world.
• Many apps provide important tools, helping people organize their homes or perform essential functions at work.

There is no reason to think the proliferation of apps will slow down any time soon, if ever. It only remains to be seen how many people will adopt these handy tools to perform more and more specific jobs. Hopefully, people will be thinking of the endless possibilities as they celebrate National App Day on December 11.