Are you more vulnerable to credit card theft if you stay in a hotel?
No need to get paranoid, but it is a valid question, since online security firm Trustwave Spiderlabs consider hotels hackers’ No. 1 target. It’s also a timely question since Wyndham Hotels just yesterday announced that hackers stole customer credit card information by breaching its networks. It’s Wyndham’s third breach in 12 months.
- TWITTER: Follow Hotel Check-In’s feed
- FAVE PERK: Free room upgrade, wi-fi or breakfast?
- CELL PHONE: Use it to open your hotel door
To understand the problem better, I recently talked with online security expert Nicholas Percoco, who works as a security auditor and data breach investigator for the security firm Trustwave SpiderLabs. The firm investigates breaches for companies and figures out how they happen.
“This is a new trend. Prior to late 2008, we did not really see any investigations around hotels – maybe a handful,” Percoco told me during our conversation. “But it was not something significant enough to call it a trend.”
In the firm’s recent study of 218 breach investigations across 24 countries last year, Trustwave found that hotels accounted for about 70 of them – making them hackers’ favorite hackers, even over the financial services companies.
His theory is that sometime in late 2008, a fairly sophisticated group hacked into a single hotel and they identified it as an easy system to extract information, Percoco told me.
Archive
Tag: Cybersecurity
Intel has revealed in a Securities and Exchange Commission filing that it too was the target of a sophisticated hacking attack in January, around the same time Google complained to China about such cyberassaults.
Intel made a concisely worded disclosure in filing its Form 10-k annual report; publicly-traded companies are requred to disclose any material events that could be reasonably expected to affect stock prices and investors’ decisions.
Data thieves running the so-called “Operation Aurora” attack campaign hacked into Google and some 30 other large corporations last December and January.
So was Intel trying to signal that it, too, was one of Operation Aurora’s targets? The chip maker has declined to supply details.
Security experts point out that there is a mountain of circumstantial evidence suggesting there may not be any connection at all between the attacks on Intel vs. Google. “It is absolutely possible Intel could have been breached by someone else, given the sheer volume and variety of attacks seen every day,” says Eric Olson, vice president of solutions assurance at security firm Cyveillance.
The massive data theft from the tax authority’s computer system has raised concerns about cybersecurity in the Baltic country.
It has also embarrassed politicians and other public officials whose income and wealth – often many times the national average – are being exposed to the public at a time when Latvia is undergoing painful budget cutbacks to rebound from a severe recession.
News of the electronic security breach surfaced last week, when an organization calling itself the People’s Army of the Fourth Awakening told Latvian TV it had downloaded millions of classified documents over several months from the revenue service’s Web site.
One of the group’s members, who uses the name “Neo” – apparently in reference to the hero of the popular “Matrix” films – has been making some of the documents available on the Internet.
On Wednesday “Neo” published salaries of members of Latvia’s police force and, in comments on a Twitter account, said “I call on the police union to analyze the data and determine whether the salary reform is fair and to continue the fight against crime.”
Full Story ~ The Washington Post
But for anyone with a Webcam (and Webcams are now built in to many laptops and desktops), the question is whether you are vulnerable to having your Webcam remotely turned on. The answer is yes, though the newest version of the software used by the district to monitor its computers can no longer be used to activate Webcams or even track stolen computers.
According to Harriton High School student Phil Hayes, officials at the Lower Merion School District used a program called LANRev to manage and track the Macintosh laptops issued to students. The product was published by Pole Position Software, which was acquired last year by Vancouver, B.C.-based Absolute Software. An Absolute Software spokesman verified that it is also his understanding that the school used LANRev software.
Even if a school doesn’t do anything wrong or ever use their software to connect to the laptop webcams, spyware certainly could do so. Let’s take this a step further. Say that a spyware programmer knows of a school that is giving laptops to their students. The students could be specifically targeted in addition to accidentally (or ignorantly) being infected with spyware. This puts the students at risk to outsiders even if the school is responsible.
Are these computers thoroughly protected from spyware? Even if the answer is yes, it is not absolute protection and children are still at risk to predators using spyware to activate their webcam. The only acceptable answer to this webcam concern is for there to not be webcams in the school-provided laptops. As for laptop theft recovery, there are other methods and softwares that do not require webcams.
Additionally, I agree with the cnet writer about the microphone. That is also a potential weakness and would require a physical on/off switch on the laptop to disable (“muting” can be undone via spyware code). It wasn’t that long ago, it seems, that the concern was the government listening to us via our cellphones since the microphone could be turned on remotely. I’m sure that concern will show up again in the future.
The attack was just one of what the world’s largest chipmakers said were regular attempts on its computer systems, Intel said in a filing under a heading about potential theft or misuse of the company’s intellectual property.
“The only connection is timing,” Intel spokesman Chuck Mulloy said, declining to elaborate. The company first publicized the attack and pointed out the similarity in timing to the move on Google in an annual filing with the U.S. Securities and Exchange Commission.
Now that Google has publicly admitted to being successfully attacked without much damage to their reputation, analysts said other companies are rethinking their typically tight-lipped approach to security breaches.
Recent changes to disclosure laws and increased awareness of cyber-security may also have prompted Intel to come clean, analysts say.
But Intel did not say who was behind the attacks, from where in the world they originated, or what information, if any, had been taken.
It would seem to be prudent for the giants of industry to talk to each other or perhaps to a government agency when attacked in a sophisticated way.
Comparing the digital age to the dawn of automobiles, analysts said more government regulations may be the only way to force the public and private sectors to adequately counter cyber threats. They compared the need for new oversight to regulations for seat belts and safety equipment that made the highways safer.
At stake is the need to secure the financial and power systems vital to national security and daily life without choking off business innovation and competition. President Barack Obama declared cybersecurity a major priority early last year, but his administration struggled to make progress, not naming a new cyber coordinator until December.
“Cyber has become so important to the lives of our citizens and the functioning of our economy that gone are the days when Silicon Valley could say hands off to a government role,” Michael McConnell, former director of national intelligence, told the Senate Commerce, Science and Transportation Committee.
The panel has been trying for the past year to draft legislation that would map out a way the government and private industry could work together to protect critical computer networks, set industry standards and promote more high-tech education and public awareness.
Full Story ~ The Washington Post
Using a doctored passport at a self-serve passport machine, the hacker was cleared for travel after just a few seconds and a picture of the King himself appeared on the monitor’s display.
Adam Laurie and Jeroen Van Beek, who call themselves “ethical hackers,” say the exercise exposed how easy it is to fool a passport scanner with a fraudulent biometric chip.
The Presley test was carried out at Amsterdam’s Schiphol airport in September 2008 — by Laurie and Van Beek — to highlight potential security shortcomings.
Passports, and the ability to fake them, are back in the spotlight after the apparent use of false documents during the gang assassination of a Hamas militant in Dubai in January.
Van Beek said: “What we did for that chip is create passport content for Elvis Presley and put it on a chip and sign it with our own key for a non-existent country. And a device that was used to read chips didn’t check the country’s signatures.”
Chinese military and education officials have dismissed reports linking them with a cyber attack on the Internet search engine Google. In an interview with China Daily, they said that a recent accusation printed in the New York Times was false.
In its report on Thursday, the New York Times linked two Chinese higher education institutions to cyber attacks on Google.
The world’s biggest search engine announced last month that it had been the target of a highly sophisticated attack in December. It said the hacking had come from a source within China.
The report claimed the two education facilities have close ties with the Chinese military and also Google’s competitor in China, Baidu.
Pan Zheng, an expert from the National Defense University, told China Daily that the attacks on Google had nothing to do with the Chinese government, nor the military. He went on to say that a hacking location inside China doesn’t necessarily mean the attacks were launched by the government or the military.
Major General Luo Yuan from the Academy of Military Science said that web hacking is against Chinese law. He stated that the Chinese military would not go against the rules. He claimed that it was irresponsible to blame the military when there was such a lack of evidence.
One of the accused schools is the Shandong-based Lanxiang Vocational School. School officials say they have been getting phone calls all day asking about the cyber attack. They say that the school provides lessons in I.T. and computing, and has no ties with the Chinese military.
A professor from Shanghai-based Jiaotong University, the other named Chinese institution, said he is not surprised by allegations that students hacked into websites. However he said that such acts were not malicious in motive, and that the students may simply have been testing out their Internet abilities. The professor added that the IP address of the university was often hijacked.
These articles take as evidence that hackers’ IP addresses could be traced back to two schools in China. However, it is common sense that hackers can attack by hijacking computers from anywhere in the world. This fact also explains why hackers are hard to be tracked down.
Computers in China are easy to be hijacked by hackers as internet security technology and services are still underdeveloped in China. The majority of Chinese internet users also lack security awareness and adequate protection measures.
The hackers’ IP addresses could by no means vindicate the newspapers’ allegations that the attacks were carried out by Chinese citizens or from within China.
Certain newspapers went even further by indicating that the Chinese government and the military might have supported those cyber attacks.
Woot Watcher
WOOT
Sharper Image TENS Back Pain Relief System
$39.99
I WANT ONESHIRT
A Forbidden Love
$10.00
I WANT ONESELLOUT
Bissell Steam Shot Hard Surface Cleaner
$22.99
I WANT ONE
