Monday, September 2, 2019

Choice Hotel Data Breach Affects up To 700,000 Customers

Recently, an independent researcher named Bob Diachenko worked collaboratively with Comparitech. They discovered an unsecured database containing nearly 700,000 hotel records belonging to Choice Hotels.  Unfortunately, although Diachenko reported his finding to the company, hackers had beaten him to the punch and had already downloaded the file. They are now demanding a ransom for its return.

An investigation into the matter is ongoing. A spokesman for Choice Hotels reported that the bulk of the file consisted of test information, including dummy payment card numbers, passwords and populated reservation fields.  They did confirm, however, the presence of some 700,000 genuine guest records, which included names, addresses and phone numbers.

The hackers left a ransom note in the database, demanding 0.4 Bitcoin for the safe return of the data.  Based on recent prices, that amounts to about $4,000. Assuming the company decides to pay and assuming the hackers keep their word, that is a small price to pay given the number of compromised records.

Choice Hotels reported that the database was exposed when a third-party vendor accessed it as part of a proposal to provide a tool.  Due to the lapse in security, Choice Hotels has decided not to work with that vendor again.

Their announcement about the incident reads, in part, as follows:

"We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature... We are also establishing a Responsible Disclosure Program and we welcome Mr. Diachenko's assistance in helping us identify any gaps."

This lukewarm response to the incident has done little to ease the concerns of Choice Hotels' customers. To this point, no notifications have been sent out to customers whose data has been compromised.  If you stay at Choice Hotels when you travel, be mindful that you may be receiving targeted phishing emails and that your payment card information may have been compromised.

Don't wait for a data breach to happen before you realize the importance of information security. Call SpartanTec, Inc. in Wilmington for a thorough review of your network. Our team will help identify potential vulnerabilities and help set in place security measures to protect your network and your client's information. 


SpartanTec, Inc.
Wilmington, NC 28412
(910) 218-9255

Tuesday, August 27, 2019

BlueKeep Virus Continues To Be An Issue For Microsoft

Wormable bugs are an ongoing concern for Microsoft.  Recently, the company released a set of patches for two newly discovered "BlueKeep-like" vulnerabilities that impact a wide range of Windows operating systems.

These bugs plague the company's remote desktop services and permit malware to spread rapidly from one device to another.

Remote Desktop Services is an older technology that's been an integral part of the Microsoft Windows environment for decades.  It's a good idea and a widely used technology that allows Windows users to remotely access another computer over a network.  Unfortunately, flaws in the system allow malicious third parties to gain control over the system and spread malware via remote code execution.

The two most recently discovered bugs are being tracked as CVE-2019-1181 and CVE-2019-1182.  They were discovered by Microsoft during one of the company's routine security checks. Patches were released for both as part of the company's August Patch Tuesday.

As the company explained in a recent blog post related to the issues:

"These two vulnerabilities are also 'wormable,' meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction."

The operating systems vulnerable to the newly discovered bugs are:
  • Windows 7, Service Pack 1
  • Windows Server 2008 R2, Service Pack 1
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 10, including server versions

At present, Microsoft has no statistics about how many machines in the Windows ecosystem are vulnerable to the two new bugs. The company has detected no third-party exploitation of the vulnerabilities to this point, but it recommends immediately applying the relevant patches in order to mitigate risk.

Unfortunately, recent reports have revealed that many businesses have been slow to respond to the threat that BlueKeep vulnerabilities represent.  If your company is among them, the time to act is now.

Call SpartanTec, Inc. if you want to make sure that your operating systems are secured from the most common online threats today. Let our team help you in keeping your network and business safe and secure from various types of risks and vulnerabilities.


Monday, August 19, 2019

Update Your iPhone To Avoid Latest iMessage Security Vulnerability

If you own an iPhone, be aware that a new iMessage vulnerability has been recently found and patched by Apple. This was part of the iOS 12.4 update.

The flaw allowed hackers to access and read the contents of files stored on iOS devices remotely. They could access files the same way as the device owner with no sandbox, and with no user interaction needed.

The issue was discovered by Natalie Silvanovich, who is a security researcher with Google's Project Zero.  As a proof of concept, she created a demo that only works on devices running iOS 12 or later. She describes it as "a simple example to demonstrate the reach-ability of the class in Springboard. The actual consequences of the bug are likely more serious."

In describing the issue itself, Silvanovich had this to say:

"First, it could potentially allow undesired access to local files if the code deserializing the buffer ever shares it (this is more likely to cause problems in components that use serialized objects to communicate locally than in iMessage).  Second, it allows an NSData object to be created with a length that is different than the length of its byte array.  This violates a very basic property that should always be true of NSData objects.  This can allow out of bounds reads, and could also potentially lead to out-of-bounds writes, as it is now possible to create NSData objects with very large sizes that would not be possible if the buffer was backed."
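The invariant described in the quote above (an object's stated length must never exceed the bytes that back it) can be shown with a small decoder. This is an added example, not Apple's code or the NSData implementation; the wire format, `blob_t` and both decoder functions are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical wire format, constructed for this example:
 * a 4-byte big-endian declared length followed by the payload bytes. */
typedef struct {
    const uint8_t *bytes; /* points into the caller's input buffer */
    size_t length;        /* number of bytes the object claims to hold */
} blob_t;

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed decoder: copies the declared length without comparing it to the
 * bytes actually received, so length can exceed the backing store. */
int blob_decode_unchecked(const uint8_t *in, size_t in_len, blob_t *out) {
    if (in_len < 4) return -1;
    out->bytes = in + 4;
    out->length = read_be32(in);
    return 0;
}

/* Hardened decoder: rejects input whose declared length is not fully backed,
 * which keeps length equal to the number of readable bytes. */
int blob_decode_checked(const uint8_t *in, size_t in_len, blob_t *out) {
    if (in_len < 4) return -1;
    uint32_t declared = read_be32(in);
    if (declared > in_len - 4) return -1;
    out->bytes = in + 4;
    out->length = declared;
    return 0;
}

int main(void) {
    /* Constructed input: claims 0x7fffffff bytes but carries only three. */
    const uint8_t bad[] = {0x7f, 0xff, 0xff, 0xff, 'a', 'b', 'c'};
    blob_t b;
    int rc = blob_decode_unchecked(bad, sizeof bad, &b);
    printf("unchecked: rc=%d length=%zu backed=%zu\n", rc, b.length, sizeof bad - 4);
    rc = blob_decode_checked(bad, sizeof bad, &b);
    printf("checked:   rc=%d\n", rc);
    return 0;
}
```

Any later code that reads `length` bytes from the object produced by the unchecked decoder would run past the three bytes that are really there; the checked decoder refuses the input before such an object exists.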

As mentioned, this bug has already been patched, along with two other iMessage vulnerabilities that Silvanovich recently discovered. All of them were addressed in Apple's most recent (12.4) update. If you're not in the habit of installing security updates automatically, then you'll need to grab this one and install it manually at your earliest convenience.

Smart gadgets and devices are everywhere. Regardless of the brand, a prudent owner will find ways to make sure that all their smartphones, computers, laptops, and networks in general are safe against potential vulnerabilities that could put their pertinent information at risk. Call SpartanTec, Inc. in Wilmington NC to make sure that efficient security measures are in place to protect your personal information, business, and clients from the many different online threats today.



Thursday, August 15, 2019

Security Issue Found In Multiple Devices Is Called ‘Urgent 11’

Let's take a little time to talk about the vast numbers of smart devices in use around the world. You probably have several in your home or office. Smart devices need operating systems, just like your phone and your PC. Of course, mobile device operating systems must be much smaller and more compact. After all, they don't really need to do a lot of computing, and they don't need a GUI, so the code tends to be on the lean side.

The odds are excellent that you've never even heard of most of the IoT's operating systems, nor the companies that make them. Take VxWorks by a company called Wind River, for example.  It's the most popular Real Time Operating System (RTOS), used in a wide range of smart devices today.  They don't get a lot of attention or oversight because almost nobody has heard of them.

That's beginning to change, however.  Recently, security researchers disclosed the details of the "Urgent 11", which are 11 vulnerabilities found in VxWorks that can be used by hackers to take control of a variety of devices. These devices range from medical systems to printers, industrial equipment, routers, and more.

The company has been in existence for 32 years. Yet, in that time, only 13 security flaws with a MITRE-assigned CVE have been found in the VxWorks RTOS, because again, nobody's paying attention.

The good news is that when someone finally started paying attention, Wind River responded quickly and resolved all eleven of the security flaws, issuing a patch to correct them.  There's just one rather significant catch, however.

The company is claiming that the vulnerabilities are not unique to Wind River software and that the IPnet stack (where the vulnerabilities were found) was acquired by the company back in 2006.  Prior to Wind River's acquisition of it, it was deployed in a wide range of other RTOSes.

All that to say, while Wind River is acting responsibly, there are an unknown number of other RTOSes out there that are vulnerable. The companies behind them may be doing little or nothing about it.  In many ways, the OS ecosystem of the IoT is still very much a black box, and that's troublesome.

As a company, are you doing your part in securing your smart devices and your network? Or are you left in the dark about their vulnerabilities? Let SpartanTec, Inc. Wilmington help you find out if your business is at risk. Call now and learn more about their complimentary, one-time scan with Dark Web ID™ Credential Monitoring.


Monday, August 12, 2019

Facebook Is Making Changes To Privacy Following Huge Fine


We're talking about the result of a massive five billion dollar fine over violations surrounding the Cambridge Analytica scandal. While the staggering size of the fine made all the headlines, there's more to the company's agreement than just several billion dollars.

In addition to the fine itself, the company has also accepted an agreement.

It forces Facebook to implement a new privacy framework, and to be monitored and held accountable for decisions it makes about its users' privacy and information it collects on them.

The FTC Press release reads, in part, as follows:

"The order requires Facebook to restructure its approach to privacy from the corporate board-level down and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy and that those decisions are subject to meaningful oversight (for a period of not less than twenty years)."

Facebook also published a statement about their acceptance of the fine, but it offered little in the way of new information.  Digging a bit deeper, however, some of the details of the changes coming to Facebook include the following:
  • The formation of an independent privacy committee - The committee will be appointed by an independent nominating committee and be comprised of Facebook's board of directors. The FTC says this will help limit CEO Mark Zuckerberg's formerly unfettered control over decisions affecting user privacy.
  • The appointment of Compliance Officers - These people will report to the new privacy committee and will be tasked with monitoring the entire company's privacy program. The Compliance Officers are not appointed by Facebook's CEO or any Facebook employee, and no Facebook employee (including the CEO) can remove those officers.  One of the responsibilities of the new Compliance Team will be to submit reports to the FTC.
  • More and better external oversight of Facebook - The FTC's ruling strengthens the role of independent third-party assessors who will conduct independent reviews of Facebook's privacy program at two-year intervals.

Will these steps be enough?  Only time will tell, but it's certainly a great start.  Kudos to the FTC for holding Facebook accountable and trying to be a force for change.

Businesses of all sizes are being held responsible for the safekeeping of their customers' data. SpartanTec, Inc. in Wilmington NC is here to help your business implement a privacy policy, install firewalls to protect your data and train your employees on safe practices. Call us today for an in-depth consultation.

SpartanTec, Inc.
Wilmington, NC 28412
(910) 218-9255
https://spartantecwilmington.business.site




Monday, July 29, 2019

Unsecured Database May Have Exposed Some Big Companies

An UpGuard research team recently discovered several unsecured Amazon S3 buckets belonging to the Israeli IT Services firm Attunity.

The company left the buckets unsecured, exposing more than a terabyte of sensitive information belonging to a number of prominent companies including Ford, TD Bank and Netflix.

To provide a sense of scale, Attunity has more than 2,000 clients worldwide, including many on the Fortune 100 list.

Three different Amazon S3 buckets were left open.  These were:
  • Attunity-it
  • Attunity-patch
  • Attunity-support

Upon discovery, the UpGuard research team contacted Attunity and by the next day, all three buckets had been secured.  At this time, it's not known with complete certainty whether an unauthorized third party was able to download their contents. Early indications say they weren't, but if they were, they're now in possession of a treasure trove of information.

An UpGuard analysis of the three buckets revealed that they contained:
  • A massive 750GB trove of email backups
  • A variety of Microsoft OneDrive account details
  • System passwords for a variety of network assets
  • Sales, marketing and contact information
  • Project specifications
  • Other similar data

Qlik is a larger company in the process of buying Attunity, and they released a statement that reads, in part, as follows:

"We are still in the process of conducting a thorough investigation into the issue and have engaged outside security firms to conduct independent security evaluations.  We take this matter seriously and are committed to concluding this investigation as soon as possible.  At this point in the investigation, indications are that the only external access to data was by the security firm that contacted us."

The UpGuard research team added the following:

"The risks to Attunity posed by exposed credentials, information and communications, then are risks to the security of the data they process.  While many of the files are years old, the bucket was still in use at the time detected and reported by UpGuard, with the most recent files having been modified within days of discovery."

Kudos to UpGuard for finding the issue and alerting Attunity, and to Qlik for their timely response.  Here's hoping the early indications hold, and hackers somehow missed the exposed buckets.



Monday, July 22, 2019

Large Percentage Of Mobile Apps Have Security Flaws

How many apps do you have on your phone? If you're like most people, you've likely got dozens or more. Considering how much storage is available on mobile devices these days, people tend to install apps and when they no longer want them, they don't bother to uninstall them. Whatever your number is, the statistics recently published by Positive Technologies in their report "Vulnerabilities and Threats in Mobile Applications 2019" will alarm you.

Here are a few of the key findings:
  • 35 percent of all mobile apps tested had vulnerabilities relating to the insecure transmission of sensitive data.
  • 35 percent had issues with the incorrect implementation of session expiration.
  • 20 percent had problems relating to sensitive data being stored in the app source code and insufficient protection against cyber attacks using brute-force techniques.
  • 29 percent of tested apps contained vulnerabilities relating to insecure inter-process communications, which are classed as high risk.

Overall, high-risk vulnerabilities were found in 38 percent of tested iOS apps, and 43 percent of Android apps.  Even worse, 89 percent of the vulnerabilities that were discovered could be exploited via malware.  The hacker targeting the device would never even need to take physical control of the device.

Leigh-Anne Galloway (one of the people responsible for the report) said:

"Developers pay painstaking attention to software design in order to give us a smooth and convenient experience and people gladly install mobile apps and provide personal information.  However, an alarming number of apps are critically insecure, and far less developer attention is spent on solving that issue. We recommend that users take a close look when applications request access to phone functions or data.  If you doubt that an application needs access to perform its job correctly, decline the request."

Wise words, and very good advice.  So back to the initial question, and with the statistics above in mind, how many apps do you have on your phone?

SpartanTec, Inc. of Wilmington is here to protect your company's data against cyber attacks regardless of the source. Call us today for a free analysis of your vulnerability.


