Cyber data breach: Marriott vs Quora

There are lessons to be learned here.... have a read and tell me what you think:

Marriott:
https://www.sans.org/security-awareness-training/blog/what-communicate-about-marriott-hack

Quora:
https://mobile.abc.net.au/news/2018-12-04/quora-hack-sees-100-million-users-data-stolen/10582126

Find more posts tagged with

Comments

Meggo

I'm interested in everyone's thoughts on this as well.

Have you been following the comments on Krebs? Really interesting stuff: https://krebsonsecurity.com/2018/12/what-the-marriott-breach-says-about-security/

LonerVamp

I'd learn more lessons if we knew more details. But that's the norm for these things if they don't see a court room. I'm always yearning for enough information to actually improve my own systems or customers. Quora doesn't interest me nearly as much as the Starwood attack. Having unauthorized access to a network for 4 years is a huge deal. That's enough time to get bored with the access and sell it to others. And as a defender in that org, that's a long time to compromise many different things. The rebuild isn't going to be fun.

Then there's conversation about why Starwood had so much CC data. Well, that's a fun topic. The travel and hospitality industry has always had issues with things like PCI, especially when customers are expecting to easily upgrade rooms or add new services or day-trips or activities onto a particular stay. Or room damages! This would be solved if customers didn't expect that convenience.

At the end of the day, security never "wins," especially as data and information on people remains valuable. It's not like these breaches are ever fully going to go away. I personally just wish sites and companies were more transparent when they use my data to make their money. Certainly that's what Quora, in essence, does. Sure, they had ads, but that doesn't seem like it's enough to cover what I imagine their costs have been.

paul78

I personally think that breach news fatigue had dulled most people. I was looking at Marriot's stock price and it didn't really take much of a hit.

Dwell-times are still pretty high. And that's likely true in Quora's case as well. And like many breaches, the actual attack vector is not necessarily known. In Marriot's case, we may never know since I bet any logs may have been rotated by now.

UnixGuy

Some govermnets mandate that if you get breached you need to disclose it to your customers, this puts a lot of pressure on companies specially in early stage when it's not very clearly what has been breached

paul78

UnixGuy said:

Some govermnets mandate that if you get breached you need to disclose it to your customers, this puts a lot of pressure on companies specially in early stage when it's not very clearly what has been breached

In the US - the laws tend to be very sectorial and state specific. In general, breach disclosure laws do require a good faith effort to disclose to the relevant agency or regulator on what dataset may have been breached.

Disclosure mandates in the US have largely had a positive impact on consumer protection in that it somewhat does force companies to report certain types of breaches.

There are a few states that have enacted actual data protection laws - the most recent notable one in New York state but that law is aimed only at entities regulated by NY Department of financial services. And North Carolina has a law that passed this year that mandated certain data protection for insurance industry.

@UnixGuy - I recall that you are in Australia. I'm curious about what infosec people think about your new Notifiable Data Breaches law which went into effect this year. This amendment is tied to privacy whereas in the US, disclosure laws are typically tied to data which may result in consumer financial impact - except for the ones in states like California.

UnixGuy

paul78 said:

@UnixGuy - I recall that you are in Australia. I'm curious about what infosec people think about your new Notifiable Data Breaches law which went into effect this year. This amendment is tied to privacy whereas in the US, disclosure laws are typically tied to data which may result in consumer financial impact - except for the ones in states like California.

Well it's been alarming. Companies here are all recruiting and trying to build "Cyber" or "Security" Capabilities...everyone wants to be ready to disclose for any breaches. Even international companies with Australian presence have to disclose in case of any breach. PageUp coped it this year, everyone company that used PageUp at some people had to send an email notice, it was chaotic.

jcundiff

marriott (starwood)was a sql inject according to darkweb chatter going back to 2014, and was wide open in 2014 with ato and loyalty fraud, I am guessing they implemented fraud protections and failed to realize it was a symptom of, not the breach.

marriott is going to try to play "the it happened before we bought them' card but it went on for 2 years after they bought them. Sounds to me like Marriott didnt do proper due diligence during their M&A and are going to pay for it now.

Senators are rumbling about tougher laws, so this maybe the one that does it, but I doubt it

LonerVamp

It's been very rare that any company is materially impacted significantly from breaches like this. Consumers end up not caring all that much, which could be justified: If CompanyA was breached last month, they probably are spending money now to be better. I think the ones most impacted are a) security firms themselves, or b) where internal business emails/dealing are disclosed. I don't think anyone has gone out of business or been terribly impacted after losing customer data.

That said, image is a funny thing when it comes to stock prices and impact. You can move numbers and fudge things around like mad to pad and smooth over bumps. Same thing with my statement above about getting better. No one really knows if that happens, especially if you start just looking at paying fines and cyber-insurance and moving on business as usual rather than the cost of security.

LonerVamp

On a separate note, to be fair about M&A, that sort of stuff is kept ridiculously close to the chest of upper management. I don't know how large firms like this handle it, but I wouldn't be surprised if almost 0 systems compatibility or security assessment was done. Not just because it would involve more people in the know, but....what would it impact and how would you measure that in a timely manner (I know, I may have just blown shade on the whole audit industry)?

Sure, the Yahoo breaches impacted that acquisition, but I think tech companies that people expect some privacy for and easily move to something else (gmail) probably actually have valuation fluctuation for it. But only if it becomes publicly known. /devilsadvocate

paul78

jcundiff said:

marriott (starwood)was a sql inject according to darkweb chatter going back to 2014, and was wide open in 2014 with ato and loyalty fraud, I am guessing they implemented fraud protections and failed to realize it was a symptom of, not the breach.

marriott is going to try to play "the it happened before we bought them' card but it went on for 2 years after they bought them. Sounds to me like Marriott didnt do proper due diligence during their M&A and are going to pay for it now.

Senators are rumbling about tougher laws, so this maybe the one that does it, but I doubt it

As I recall, you work in threat intel. Do you remember if that chatter about sql was specific to Starwood or Marriot. We see the loyalty fraud stuff for Marriot and Starwood all the time - and credit card templates for Starwood included with cc ****. The assumption is that these are localized or third-party breaches.

I'm actually going to be interested to know if the Marriot/Starwood breach was the result of a third-party weakness. That seems to be a common trend these days.

I would agree with you - I don't recall anything substantial as far as federal law other than the usual political posturing. Not much came after the Equifax breach so I don't expect to see much on a federal level. But on the state level - it would be interesting to watch.

UnixGuy said:

Well it's been alarming. Companies here are all recruiting and trying to build "Cyber" or "Security" Capabilities...everyone wants to be ready to disclose for any breaches. Even international companies with Australian presence have to disclose in case of any breach. PageUp coped it this year, everyone company that used PageUp at some people had to send an email notice, it was chaotic.

LOL - in the US, there's usually some period of time after a law is passed before it takes effect so that companies have time to get their ducks in a row. But it reminds me a data protection law that the Commonwealth of Massachusetts passed nearly 10 years ago and all the FIs scrambled and started to send out contract addendum to their third-parties or letters asking for attestations of compliance to that state regulation.

jcundiff

@paul78 starwood, the only reason marriott is involved is due to being the new owner of the starwood brands (and networks

)

I know we do a very stringent security assessment of all M&A targets, but that may just be us

And as far as 3rd party, my assessment from what I have seen is no, just a failure of basic security hygiene

cyberguypr

just a failure of basic security hygiene jcundiff said:

..., just a failure of basic security hygiene

One of the reasons why I am numb to these breaches. Very little is going on here from a technical perspective, if anything. Many times I read a good post-mortem it all comes down to some stupid basic thing someone did like not patching well-known vulns, exposing AWS buckets, publicly exposing ports/services, using default credentials, failing at OWASP top 10 stuff, etc.

Rant over.

paul78

jcundiff said:

And as far as 3rd party, my assessment from what I have seen is no, just a failure of basic security hygiene

It'll be interesting to see how this plays out with Starwood. Your comment about darkweb chatter interested me so I just looked. Doesn't look good for Starwood. I'm gonna grab my popcorn and see how that plays out once some of that stuff starts to show up in the media.

Not sure if anyone read the Reuter's exclusive yesterday that cited anonymous sources about the ongoing investigation - but this struck me as sadly amusing - "Identifying the culprit is further complicated by the fact that investigators suspect multiple hacking groups may have simultaneously been inside Starwood’s computer networks since 2014, said one of the sources."

jcundiff

cyberguypr said:

just a failure of basic security hygiene jcundiff said:

..., just a failure of basic security hygiene

One of the reasons why I am numb to these breaches. Very little is going on here from a technical perspective, if anything. Many times I read a good post-mortem it all comes down to some stupid basic thing someone did like not patching well-known vulns, exposing AWS buckets, publicly exposing ports/services, using default credentials, failing at OWASP top 10 stuff, etc.

Rant over.

Most definitely! Look at news on how many boxes/companies are STILL vulnerable to Eternal Blue/WannaCry/SMBv1 exploits, (There was a recent article on this topic)

paul78 said:

jcundiff said:

And as far as 3rd party, my assessment from what I have seen is no, just a failure of basic security hygiene

It'll be interesting to see how this plays out with Starwood. Your comment about darkweb chatter interested me so I just looked. Doesn't look good for Starwood. I'm gonna grab my popcorn and see how that plays out once some of that stuff starts to show up in the media.

Not sure if anyone read the Reuter's exclusive yesterday that cited anonymous sources about the ongoing investigation - but this struck me as sadly amusing - "Identifying the culprit is further complicated by the fact that investigators suspect multiple hacking groups may have simultaneously been inside Starwood’s computer networks since 2014, said one of the sources."

yeah, thats what the dark web chatter from the time period reflected, openly traded and commented, my guess is some very advanced actor used all this to burrow their selves deep into the starwood network and began slowly siphoning data off... there are a couple of OSINT sources pointing fingers at China... think Dark Hotel ops from a couple of years ago