Netizen Cybersecurity Bulletin 5 December 2018

In This Issue:

In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

  • Massive Starwood Hotels breach affects 500 million guests
  • Zoom Flaw Open to Conference Hijacking
  • Q: What Happened to Quora? A: Data Breach Affecting 100 million users
  • 1-800-Flowers Victim of Latest Payment Breach
  • Phish Tale of the Week
  • How can Netizen help?

Massive Starwood Hotels breach affects 500 million guests

Starwood Hotels (a Marriott subsidiary) has revealed that guests have had their personal information exposed in a breach started in 2014 until this past September. According to their statement:

For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.  For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).  There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.  For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.

What remains unknown is the identity of the perpetrators and if any guests’ records have been sold or used by any other malicious actors.

The larger problem is that the amount of information available for many guests gives the potential to use to great harm elsewhere, like with creating new lines of credit, or gives insight into the traveling habits of global or business leaders.

RECOMMENDATIONS:

Monitor your credit report and look for any suspicious activity. Credit card industry experts recommend freezing your credit so that, if your info was stolen, criminals are unable to open new lines of credit in your name. If you do decide to freeze your credit, you must contact the three major credit bureaus individually. Marriott has sent emails to those affected and has provided guests free enrollment in WebWatcher for a year, they have set up a website for affected guests here: https://answers.kroll.com/.

Zoom Flaw Open to Conference Hijacking

The popular desktop conferencing software, Zoom, contains a serious vulnerability that could allow a remoter attacker to hijack screen controls and perform actions like kicking attendees out of meetings. In this fashion Zoom could be exploited in three scenarios: More unlikely a current Zoom attendee could cause the exploit, an attacker could take advantage of the vulnerability if on the Local Area Network (LAN), or an attacker, in theory, could remotely attack over Wide Area Network (WAN) could hijack an ongoing Zoom meeting.

The vulnerability itself derives from a flaw within Zoom’s internal messaging pump, a feature that Zoom uses to wait for and send messages in the program. The pump dispatches both client User Datagram Protocol (UDP) and server Transmission Control Protocol (TCP) messages to the same message handler. Given that this process operates in this way, an attacker can potentially create and send a UDP message which would then be interpreted as a known and trusted TCP message used by authorized Zoom servers. Malicious actions caused by the attacker can include hijacking screen controls when a desktop is shared, spoof chat messages impersonating attendees, or kicking and locking out attendees from the conference call.

RECOMMENDATIONS:

Impacted Systems:

  • Zoom 4.1.33259.0925 for macOS and Windows 10
  • Zoom 2.4.129780.0915 for Ubuntu

This also affects both one-on-one (P2P) meetings as well as group meetings streamed through Zoom servers.

Zoom has since patched this issue with Windows and MacOS. However, the problem persists with Ubuntu systems and Zoom is currently working on an update. If for some reason patches cannot be applied, we recommend using other avenues of web conferencing like that of WebEx or Skype.

Q: What Happened to Quora?
A: Data Breach That Affected 100 million users

The question and answer website Quora announced on Monday that as many as 100 million of its users had their data breached by a malicious third party.

CEO Adam D’Angelo reported the breach in a company blog posting, noting that data that was mainly exposed consists of data that users have publicly shared.  Such data includes email address, questions, answers, comments, up-votes, and down-votes.

Of some concern is that users encrypted password hashes were breached.  Encrypted password hashes are the result of unique algorithmic calculations performed on the password you enter, resulting in a string, or hash. Complex hashes are safe from decoding but can be replicated when the input values are the same; this is how your password is used to gain access to Quora.

RECOMMENDATIONS:

  • While it is highly unlikely any users’ password hashes can be cracked, using different passwords for different sites is your best defense against breaches such as this one.
  • Quora users should change their login password to strengthen their security.

1-800-Flowers Victim of Latest Payment Breach

Canadian online flower shop, 1-800-Flowers, has been a recent victim of a payment breach from what researches say dates back over four years.

The site’s operating company recently filed a notice with the attorney general’s office in California in compliance with the state’s data breach notification requirements. This comes after the security team found suspicious behavior back in October, and found there had been unauthorized access to payment card data used to make purchases on the Canadian website. This information includes First and last name, payment card number, expiration date, and card security codes.

The company believes that the data exposure had lasted from middle August 2014 until mid-September of this year. There is little information in regards to how the information was being leaked, but researches think that it was a card-skimming malware installed on a misconfigured website which would account for the long window of the breach.

There is also little notice on how many were impacted from this breach, but based on the filings in California which requires notification if over 500 or more are affected, there is a significant amount found to have been breached. A Canadian newspaper has reported that over 75,000 Canadian orders have been involved in the breach. A spokesman for the company has said the issue has affected “a small number of orders.” as the US website was not affected.

Phish Tale of the Week


Netizen captures many phishes each month, which we feature here. This week one of our users has received several emails suggesting that an audio message was left in the user’s voicemail, prompting the recipient to click on a file download titled “VoiceMessage.wav”. This email was spammed to the user numerous times. Given the repeated emails as well as the unprofessional appearance, the fact that it is unsolicited, while also containing a top-level domain from Japan (.jp) leads us to believe without a doubt that this is a phishing attempt. It can also be seen that the .wav file is actually a link to a website.

RECOMMENDATIONS:

A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

  • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender is actually from the company sending the message.
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
  • Do not give out personal or company information.
  • Review both signature and salutation.
  • Do not click on attachments.
  • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
  • Be wary of poor spelling, grammar, and formatting. As can be seen with the with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


Netizen is an ISO 27001:2013 (Information Security Management) certified company.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s