Travel Giant Sabre Confirms Its Reservation System Was Hacked

Just two months ago, the Sabre Corporation announced that it had hired security firm Mandiant to investigate a possible hacking incident. Now the company has publicly announced the results of that investigation. An unauthorized third party breached Sabre systems and was able to access customer payment data.

That’s not great news, considering the Texas-based company processes reservations for around 100,000 hotels and more than 70 airlines worldwide to the tune of $120 billion. If there is a silver lining, it’s that Sabre says only data in the Sabre Hospitality System — which handles bookings for hotels from both consumers and travel agents — was compromised. A company spokesperson also confirmed to me that “less than 15 percent of the average daily bookings on the SHS reservation system were viewed” while the attackers had access.


It’s still a very significant breach, especially since both payment card information and reservation details were accessed. In some cases, that included the customer’s name, email address, phone number, and address.

Like most industries, the travel sector has had to deal with a steady rise in cyber attacks in recent years. In 2016, InterContinental Hotels Group reported that more than 1,000 of its properties had been hit with “malicious software designed to siphon customer debit and credit card data,” according to security expert Brian Krebs. Earlier in the year, HEI Hotels & Resorts reported a similar incident at some of its Hyatt, Marriott, Sheraton, and Westin locations.

On June 6, once Mandiant had concluded its investigation, Sabre began notifying payment card providers, partners, and customers. The company says that it “has enhanced the security around its access credentials and the monitoring of system activity to further detect and prevent unauthorized access.” Sabre has also set up a call center to handle inquiries about the breach.

 

Network Safety: Experts Weigh In

If you missed our Cybersecurity Session “Cybersecurity for CEO’s- The Game Has Changed” at The NAA Education Conference, no worries. Our friends at Multi-Housing News have published a great article for you. Special thanks to Sanyu Kyeyune for attending our session and writing the article.

At NAA’s recent conference in Atlanta, panelists shared best practices for keeping vital network information safe from attack.

The panel included Chad Hunt, supervisory special agent with the FBI; Dave McKenna, CEO of ResMan; Frank Santini, cybersecurity attorney of Trenam Law; Jeremy Rasmussen, cybersecurity director of Abacode; and Michael Reese, Chief Information Officer of USA Properties Fund, who moderated the session.

Reese opened the talk by underscoring the commercial real estate industry’s vulnerability to cyber-attacks: “Real estate sits on a goldmine of information, including intellectual property, personally identifiable information—things hackers want to go after.”

Understand Data Value

Stolen information for a single customer can fetch $10-20 on the dark net, but the liability to an organization is $158 or more. This greater figure reflects the cost to recover data, the value of this information to competitors and regulatory fines incurred. Multiply this number by 50,000 customers and the cost amounts to $7.9 million—enough to put some property management firms out of business.

C-suite leaders that understand the total costs of cybersecurity are in better shape to manage a firm’s cyber health. “As a leader, you can’t be afraid to raise the red flag. It’s your responsibility to defend your company and your partners.”

Crafting a risk-based approach helps companies decide on what to defend and how much to spend. This plan should include a guide for CEOs interacting with the media and attorneys working with incident response companies. “There is always a tradeoff between usability and security. That’s why you need to engage with a firm that can bake security into a product from chip to the enterprise level,” Rasmussen warned. “Don’t try to bolt it on at the end.”

Improve Network Visibility

Once the value of data has been quantified, the next step to addressing a company’s cyber health is to ask how secure networks currently are, because on average, noted Rasmussen, by the time a threat has been identified, it has been active for up to 270 days.

“A majority of clients lack visibility into their own networks,” Rasmussen explained. “In today’s world, it’s not a matter of if, it’s when. And not only that, but, are they already in?”

One of the most common software attacks uses ransomware, which encrypts files—effectively eliminating access to important data—and threatens to delete or publish them unless the victim pays an agreed-upon sum. However, an organization that already has solid system backups in place can combat ransomware by reverting to previously stored versions. Along with ransomware, phishing attempts, social engineering, attacks on crucial infrastructure, financial fraud and “zero-day” vulnerabilities (holes in security unknown to the vendor, typically identified and exploited by hackers over a short time frame) have emerged as some of the most damaging cybersecurity threats.

For some organizations, the expenses associated with downtime and productivity could be crippling. Therefore, advised McKenna, it is crucial to be proactive ahead of time, rather than after a threat has surfaced, to mitigate the cost of recovering from a cyber-attack. “It still comes down to your people not being victims,” he said. “The technology won’t do it all for you.”

According to Hunt, email is the most common point of entry for a cyber-attacker. Because emailing and phone calls already poke holes into a security system, organizations must be vigilant in managing these activities to avoid a breach. One way to do this is by focusing security training on individuals with elevated privileges, such as system administrators and C-suite users, who are hot targets for hackers.

Know Who to Call

“An order of operations might be to call your IT people to stop and contain the threat, contact your attorney to find out what the legal implications are around reporting, call your public relations firm to control the event in the media and then to contact law enforcement,” Rasmussen offered.

Company leadership should also rally IT teams to mandate routine password changes for all users and to require people to upgrade software instead of patching outdated platforms. It is also crucial to keep a list of key personnel to contact when an infiltration occurs. “Locally, the FBI is a good place to start, but you can also call the Secret Service in your area,” Hunt advised. “In either case, develop this personal relationship ahead of time, as local law enforcement has little authority at a corporate level.”

He also suggested that if a particular individual within an organization becomes the victim of a cyber-attack, then this person should file a police report to avoid being implicated as a perpetrator. When interacting with local authorities, Hunt added, it is most effective to do so in a controlled, documented manner.

“Thirteen years ago, there was much less information-sharing with law enforcement, but now it’s more of a two-way street,” Hunt explained. “The FBI can gather information without necessarily having to open a federal investigation.”

Santini encouraged leadership to secure a forensic investigator that will supervise the handling of evidence and assist in documentation—actions that can be helpful in the event of legal repercussions—and to ensure that attorney-client privilege keeps these interactions private.

Rally Vendors

Another important question that C-suite leaders need to ask themselves is, “What are your partners and their partners doing to ensure cyber safety?”

McKenna emphasized that having a conversation with vendors and suppliers will help reinforce the company priorities, identify the degree of protection already in place and define a plan for handling an intrusion in the future. “You need to know if your vendor will indemnify you for the cost of a breach, if there is a mutual indemnification clause and what level of insurance the vendor requires of its partners,” Santini encouraged. “Make sure you have written agreements with your cloud provider and other suppliers, and negotiate these terms with the help of a lawyer.”

Ultimately, it is up to C-level employees to develop vendor relationships, rather than making cybersecurity a grassroots effort led by an IT department. “There needs to be a separation of duties, just like how a company might hire one accounting team for auditing and another for taxes,” said Rasmussen. “Cybersecurity should be handled the same way.”

Prioritize Efforts

The panel discussion concluded with a punch list of items to help C-level leaders put a cybersecurity plan into action. Here are some key features:

  • Detection using 24/7 monitoring and incident response to gain immediate feedback on the effect of a network security initiative
  • Implementation of organizational policy/procedures, which requires a cultural shift and buy-in from all members of an organization
  • Add-in of other annual assessments, such as penetration testing, phishing, etc., to improve visibility into a network
  • Engagement of IT teams to support continuous improvement and governance
  • Understanding of “zero-day” threats
  • Encouraging collaboration across all stakeholders

Latest Ransomware Hackers Didn’t Make WannaCry’s Mistakes: PETYA

PETYA RANSOMWARE

The latest sweeping ransomware assault bears some similarity to the WannaCry crisis that struck seven weeks ago. Both spread quickly, and both hit high-profile targets like large multinational companies and critical infrastructure providers. But while WannaCry’s many design flaws caused it to flame out after a few days, this latest ransomware threat doesn’t make the same mistakes.

Originally identified as Petya, a ransomware that first started circulating in 2016, the current attack now appears to be a Petya offshoot, with added refinements such as stronger encryption. Some researchers call this new iteration “NotPetya” or “GoldenEye,” while others still refer to it as Petya. Regardless of the name, it has already hit 2,000 targets, seizing the systems of high-profile victims like Danish shipping giant Maersk, US pharmaceutical company Merck, and multiple private and public institutions in Ukraine.

And while it owes its rapid spread in part to EternalBlue, the same stolen NSA exploit WannaCry leveraged, it lacks several of the traits that made WannaCry—which turned out to be an unfinished North Korean project gone awry—easier to stop.

WannaBreak

“The quality of the code improves from iteration to iteration—this GoldenEye ransomware is pretty solid,” says Bogdan Botezatu, a researcher at the security firm Bitdefender. “We don’t get to catch a break.”

The most important WannaCry pitfall that this current round sidesteps? A kill switch that allowed researchers to neuter the ransomware around the world and drastically reduce the spread. The mechanism was a low-quality, possibly unfinished feature meant to help the ransomware avoid analysis. It backfired spectacularly. So far, GoldenEye shows no signs of containing such a glaring error.

Additionally, WannaCry spread between networks across the internet like a worm, relying almost entirely on EternalBlue to get in and hitting systems that hadn’t yet downloaded Microsoft’s patch for that vulnerability. This new ransomware also targets devices that somehow still aren’t secured against EternalBlue, but can deploy other infection options as well. For example, the attackers seem to be spreading the ransomware through the software update feature of a Ukrainian program called MeDoc, and possibly through Microsoft Word documents laced with malicious macros.

Along with exploiting EternalBlue to gain access when possible, the ransomware can also leverage an additional Shadow Brokers-leaked NSA exploit known as EternalRomance (patched by Microsoft in March) for remote access. And some researchers have also found unconfirmed evidence that the ransomware may take advantage of yet another tool published by the Shadow Brokers, known as EsteemAudit, that specifically targets computers running Windows XP and Windows Server 2003. Microsoft patched that vulnerability two weeks ago as part of its unprecedented effort to secure its old, unsupported operating systems against leaked NSA exploits.

Once inside the network, the ransomware steals administrative credentials, giving it control over powerful system management tools like Windows PsExec and Windows Management Instrumentation.

“If a system with enough administrative privileges is compromised, it will simply instruct all other PCs it has access to run the malware as well,” says Fabian Wosar, a security researcher at the defense firm Emsisoft, which specializes in malware and ransomware. “That is why a lot of system administrators are freaking out right now.”

Smarts, Not Scale

Because GoldenEye appears to take a more targeted approach to infection, rather than barreling around the internet, it has so far resulted in fewer infections: it has affected 2,000 targets versus the hundreds of thousands that WannaCry hit. But don’t read that as a weakness necessarily. WannaCry’s ability to spread over the internet led to out-of-control infections, and its creators were ill-equipped to handle that volume of potential payments.

In fact, WannaCry hackers proved incapable of tracking payments whatsoever. Attackers had victims send ransoms to one of four set bitcoin addresses, instead of assigning each target a unique address. This made incoming payments difficult to track, and left it to the criminals to figure out which victims (among hundreds of thousands) had paid and should be sent a decryption key.

Payment happens to be GoldenEye’s current weakness as well, though not due to WannaCry-level incompetence. It relies on manual payment validation, meaning that when victims pay the ransom they must email proof of payment to an email address, after which hackers send a decryption key. Not only does a manual system make it harder for attackers to get paid, it can reduce victim faith that paying the ransom will result in decryption.

Also? The hackers’ email provider, Posteo, pulled the plug on their account, making payment confirmation pretty much impossible.

No Easy Fix

This latest round of ransomware appears to be here to stay. The diversity of delivery options means that no single patch can necessarily provide complete protection against it. Still, administrators can take some steps to protect their systems. Analysts agree that while patches don’t solve everything in this situation, they are still crucially important and do offer real defense. “Very, very important to patch,” says MalwareHunter, a researcher with the MalwareHunterTeam analysis group.

Researchers also note that the ransomware runs on boot, meaning that if you can disrupt a system before Windows boots, or if you encounter a “Check Disk” message, you can avoid having your files encrypted by quickly powering down.

Additionally, for the current variant of ransomware, administrators can stop the spread within a network from the Windows Management Instrumentation by blocking the file C:\Windows\perfc.dat from running.
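The perfc.dat check above can also be turned into a detection, shown here as an added example (not from the article or from any vendor tool): a Python scan over constructed process-creation records that flags any command line referencing C:\Windows\perfc.dat and labels whether it was launched through WMI or PsExec, judged by the parent process name. The record fields, host names and sample command lines are assumptions made up for the illustration.

```python
import json
import ntpath
import re

# The only value taken from the article is the file path; the rest is assumed.
BLOCKED_IMAGE = r"c:\windows\perfc.dat"
# Parent images that indicate remote execution: WMI provider host, PsExec service.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe": "WMI", "psexesvc.exe": "PsExec"}
# The path must end at whitespace, a comma or end of line, so that
# "perfc.dat.txt" is not treated as the blocked file.
_PATTERN = re.compile(re.escape(BLOCKED_IMAGE) + r"(?=$|[\s,])")

# Constructed sample records (JSON lines, hypothetical field names).
SAMPLE_EVENTS = r'''
{"host": "ws-014", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "cmdline": "rundll32.exe C:\\Windows\\perfc.dat"}
{"host": "ws-022", "parent": "C:\\Windows\\PSEXESVC.exe", "cmdline": "\"C:\\Windows\\System32\\rundll32.exe\" \"c:/windows/PERFC.DAT\""}
{"host": "ws-031", "parent": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe C:\\Windows\\perfc.dat.txt"}
{"host": "ws-040", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "cmdline": "powershell.exe Get-Service"}
{"host": "ws-050", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "rundll32.exe %WINDIR%\\perfc.dat"}
'''


def references_blocked_file(cmdline):
    """True if the command line names the blocked file, ignoring case,
    quoting, slash direction and the %WINDIR% / %SystemRoot% variables."""
    norm = cmdline.lower().replace("/", "\\").replace('"', "")
    for var in ("%windir%", "%systemroot%"):
        norm = norm.replace(var, r"c:\windows")
    return _PATTERN.search(norm) is not None


def classify(event):
    """Return 'WMI', 'PsExec' or 'local' for a hit, None for a clean event."""
    if not references_blocked_file(event.get("cmdline", "")):
        return None
    parent = ntpath.basename(event.get("parent", "")).lower()
    return REMOTE_EXEC_PARENTS.get(parent, "local")


def scan(lines):
    """Scan JSON-lines text and return (host, vector) for every hit."""
    findings = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        vector = classify(event)
        if vector:
            findings.append((event.get("host", "?"), vector))
    return findings


if __name__ == "__main__":
    for host, vector in scan(SAMPLE_EVENTS):
        print(f"{host}: perfc.dat referenced, launch vector = {vector}")
```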

“The problem is, patching is only one method of defense,” says David Kennedy, CEO of threat detection firm Binary Defense. “Credential harvesting and using that for lateral movement was the big impact in this situation.”

All of which provides cold comfort for those already impacted. And based on how many companies ignored the EternalBlue patch, even after the WannaCry threat, it may not end up slowing down the current outbreak at all.

First place to start: make sure your systems have the latest patches and updates!

CoPilot settles with New York AG for delaying breach notification for over one year

This is only the beginning of what will happen in the future.

It took over a year to notify 220,000 individuals of a breach to its website. HHS is determining if it’s a HIPAA-covered business associate.

CoPilot Provider Services has settled with New York for $130,000 in penalties for waiting more than a year to notify its customers of a breach to the company’s website, NY Attorney General Eric Schneiderman announced Thursday.

The attorney general determined the healthcare administrative services and IT provider violated general business law in its delayed breach notification to its 221,178 customers. CoPilot agreed to the monetary settlement and to reform its notification and legal compliance program.

The breach occurred in October 2015, when an unauthorized individual accessed confidential patient reimbursement data through the administration site. The hacker downloaded data that included names, birthdates, addresses, phone numbers and medical insurance card details.

However, CoPilot waited until January 2017 to begin formally notifying its customers of the breach.

The FBI began investigating the incident in February at CoPilot’s request, focusing on a former employee they believed was responsible.

CoPilot blamed the breach notification delay on the FBI investigation, but law enforcement didn’t say that customer notification would hinder the ongoing investigation and didn’t instruct CoPilot to delay. General business law instructs that companies must provide timely breach notification.

The Department of Health and Human Services is still looking into whether CoPilot is considered a covered business associate under HIPAA.

Thursday’s agreement also states that CoPilot will comply with New York’s consumer protection and data security laws.

“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” said Schneiderman in a statement. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

Data security – should you care?

Daily there are new articles that talk about data breaches, cyber attacks, ransomware, etc. We all panic when our networks are down for routine maintenance – “I don’t have anything to do!” Imagine a world where everything is driven by data and machines.

Today a data breach can be uncomfortable – personal information is shared with the wrong people. However, in years to come a data breach can mean the difference between life and death. Imagine cruising down the freeway in your autonomous driving car and the system is hacked and your car stops abruptly, but other cars do not. Imagine being on the operating table and having a robot operating on you, the system is breached and instead of taking out your appendix the bad guys make it remove your spleen or worse – kill you.

In the years to come we all need to get a lot more educated about data security and how to avoid breaches. This applies in both our personal and professional lives. We need to ask questions of organizations we provide data to and consume data from – how well are they performing and how vested are they in keeping us safe.

Data security needs to move into mainstream conversations and be an integral part of any security initiative.

Cybersecurity for CEOs: The Game Has Changed

I’m honored and humbled that my colleagues have asked me to join them to speak on a panel, Cybersecurity for CEO’s “The Game Has Changed,” at the Atlanta Georgia World Conference Center, June 21-24, for the National Apartment Association.

https://www.naahq.org/education-conference/education

Chipotle says hackers hit most restaurants in data breach

Hackers used malware to steal customer payment data from most of Chipotle Mexican Grill Inc’s (CMG.N) restaurants over a span of three weeks, the company said on Friday, adding to woes at the chain whose sales had just started recovering from a string of food safety lapses in 2015.

Chipotle said it did not know how many payment cards or customers were affected by the breach that struck most of its roughly 2,250 restaurants for varying amounts of time between March 24 and April 18, spokesman Chris Arnold said via email.

A handful of Canadian restaurants were also hit in the breach, which the company first disclosed on April 25.

Stolen data included account numbers and internal verification codes. The malware has since been removed.

The information could be used to drain debit card-linked bank accounts, make “clone” credit cards, or to buy items on certain less-secure online sites, said Paul Stephens, director of policy and advocacy at the non-profit Privacy Rights Clearinghouse.

The breach could once again threaten sales at its restaurants, which only recently recovered after falling sharply in late 2015 after Chipotle was linked to outbreaks of E. coli, salmonella and norovirus that sickened hundreds of people.

An investigation into the breach found the malware searched for data from the magnetic stripe of payment cards.

Arnold said Chipotle could not alert customers directly as it did not collect their names and mailing addresses at the time of purchase.

The company posted notifications on the Chipotle and Pizzeria Locale websites and issued a news release to make customers aware of the incident.

Linn Freedman, an attorney at Robinson & Cole LLP specializing in data breach response, said Chipotle was putting the burden on the consumer to discover possible fraudulent transactions by notifying them through the websites.

“I don’t think you will get to all of the customers who might have been affected,” she said.

Security analysts said Chipotle would likely face a fine based on the size of the breach and the number of records compromised.

“If your data was stolen through a data breach that means you were somewhere out of compliance” with payment industry data security standards, said Julie Conroy, research director at Aite Group, a research and advisory firm.

“In this case, the card companies will fine Chipotle and also hold them liable for any fraud that results directly from their breach,” said Avivah Litan, a vice president at Gartner Inc (IT.N) specializing in security and privacy.

Chipotle did not immediately comment on the prospect of a fine.

Retailer Target Corp (TGT.N) in 2017 agreed to pay $18.5 million to settle claims stemming from a massive data breach in late 2013.

Hotels and restaurants have also been hit. They include Trump Hotels, InterContinental Hotels Group (IHG.L) as well as Wendy’s (WEN.O), Arby’s and Landry’s restaurants.

Shares in Chipotle Mexican Grill ended marginally lower at $480.15 on Friday following the announcement.