Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security

Marriott's Breach Response Is So Bad, Security Experts Are Filling In the Gaps (techcrunch.com) 78

An anonymous reader quotes a report from TechCrunch: Last Friday, Marriott sent out millions of emails warning of a massive data breach -- some 500 million guest reservations had been stolen from its Starwood database. One problem: the email sender's domain didn't look like it came from Marriott at all. Marriott sent its notification email from "email-marriott.com," which is registered to a third party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate -- the domain doesn't load or have an identifying HTTPS certificate. In fact, there's no easy way to check that the domain is real, except a buried note on Marriott's data breach notification site that confirms the domain as legitimate. But what makes matters worse is that the email is easily spoofable.

Many others have sounded the alarm on Marriott's lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant's use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords. Williams isn't the only one who's resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named "email-mariott.com" on the day of the Marriott breach. "Please watch where you click," he wrote on the site. "Hopefully this is one less site used to confuse victims." Had Marriott just sent the email from its own domain, it wouldn't be an issue.

This discussion has been archived. No new comments can be posted.

Marriott's Breach Response Is So Bad, Security Experts Are Filling In the Gaps

Comments Filter:
  • 1. The folks handling the Marriott/Starwood breach don't know what they are doing
    2. Management is overruling the folks handling the breach
    3. Both

    Chances are that whoever is making the decisions now got Marriott/Starwood into the problem in the first place.

    • Well, it may not matter in the long run, other than to incur unnecessary costs from mishandling. There are Marriotts that are not Starwoods and vice versa. A savvy traveller could piece together their own rewards program by clipping coupons. I doubt the hotel chains like that sort of thing, but they are choosing that by being obtuse.
    • by Anonymous Coward

      I can tell you that if Marriott is run like Carlson then the environment is as follows:

      a) The business analysts rule the company
      b) They pay bottom dollar for software and internet infrastructure services
      c) They don't understand computer security at all.

      Those few smart people who are unfortunate enough to get stuck in such a company cannot override the tidal wave of stupidity that emanates from the BAs.

      I was fortunate enough to get out - fast.

  • by Anonymous Coward

    Thanks to spammers and anti-spammers, it has become very difficult to send large volumes of legitimate emails. It is practically mandatory to leave this to professionals. If you send "from" the main domain, you have to handle the return traffic on that domain, and the mail system that handles the individual mail on that domain is most likely not suited to deal with that, and if you outsourced that to the mass emailer, you would have to give them a lot of control over your main domain. To a mass email servic

    • In the Olden Days, you had to hire an expert because sendmail required a PhD to understand the configuration.

      Then IBM released postfix, and you still needed to hire an expert, because spam was a thing.

      That was before the Earth 1.0 ended during Y2K, or whatever. Ancient Times. Before The Day.

      That said, the only reasonable explanation for their mistake is really lame. Really lame. Basically, it comes down to this: Marriott has an idiot BOFH whose neckbeard is so long, he put their email on a weird domain to a

  • by sad_ ( 7868 ) on Tuesday December 04, 2018 @06:47AM (#57746276) Homepage

    everybody is talking about how bad the email was instead of the breach itself.

    • by ShanghaiBill ( 739463 ) on Tuesday December 04, 2018 @08:50AM (#57746668)

      everybody is talking about how bad the email was instead of the breach itself.

      Breaches don't matter anymore. I was a victim of the Home Depot, Target, and Equifax breaches. So all my information is already "out there". Most other people are in the same situation. Yet another breach doesn't make any difference. Who cares?

    • everybody is talking about how bad the email was instead of the breach itself.

      Not even remotely. Just because we're talking about one thing doesn't mean we aren't talking about something else. This is only one article on one site. Even a cursory search of news will show that people are very much talking about the breach itself, it's affects on people and what the company is doing about it.

      Hell the most recent story on the news isn't even about the email. It's about Marriotts responses to fraud, here's one from only a couple of hours ago, signficantly newer than TFA: https://www.washi [washingtonpost.com]

  • by Anonymous Coward

    Well at least you don't normally give your passport to staff upon check-in... oh wait....

  • by Anonymous Coward

    Once again we see how GOVERMENT is to blame for a huge privacy and security failure and yet libtards will now demand the heads of amazing private industry people who TRIED to stop the incomptent and corrupt fat cat union controled goverment from hurting the precious consumers. And next up they want massive useless goverment to run our health care system! The insane left demands more big goverment intervention in everything and THIS is what will happen.

  • by Doke ( 23992 ) on Tuesday December 04, 2018 @09:02AM (#57746732) Homepage
    Their data breach notification site is also on a different domain, answers.kroll.com. I know Kroll, but many people would simply see that it's a different domain name, and assume it was a scam.
  • Any predictable mailing like this is an attack vector. People are likely to be expecting an email from Marriott, possibly even one that links to a "credit protection service" ready to accept your personal details for registration. I'm surprised an attacker did not beat them to the punch. Any large organization should have plans for this set out in advance.
  • by apoc.famine ( 621563 ) <apoc.famine@gm[ ].com ['ail' in gap]> on Tuesday December 04, 2018 @10:39AM (#57747306) Journal

    posted a long tweet thread...

    Huh. It's almost like twitter is one of the worst ways to communicate complicated things. Too bad there aren't any places on the internet where one can post long-form information and have a discussion about it. Guess we'll just have to break everything into 30 different tweets.

  • by mysidia ( 191772 ) on Tuesday December 04, 2018 @01:35PM (#57748490)

    Just because an advanced user has difficulty vetting the domain doesn't mean there's something wrong with it.

    There's no "official" universally accepted criteria for authenticating a domain belongs to the company whose name is claimed on the domain, and even the use of a basic TLS certificate is not foolproof; However, CSC Being a corporate-only registrar that is used by most of the largest internet brands in the US has a very HIGH PRICE to engage their services, let alone register a domain ----- unless a state actor is involved or an additional major breach of CSC themself; the probability of a phishing domain getting registered through CSC AND also with DNS hosted by CSC seems extremely remote --- particularly when you look at the second positive indicator.


    Registration is mature --- the domain email-marriott.com has been registered for 4 years created in August 2014. That would mean its been dormant or used for purposes not detected as phishing for an extremely long term: generally when a domain name is used for phishing abuse takedown procedures get initiated immediately, and most often the domain is shutdown by its registrar within days.

    COULD the breach notification be faked? Yes, In theory. So just be cautious if you receive an e-mail to not provide personal information after clicking on a link in the message. Close the browser window and visit the company's website. Open a ticket with support if the breach notice implies you need to do something, and you can't find a way to do it on their website --- ultimately a company's call-in support should be able to confirm the message is real or not and assist.

    • It is a major corporation that already existed long before 2014, so that means nothing.

      Your comments are simply dangerous bullshit of the same quality as what Marriott did.

      My goodness that is just daft beyond words. It is almost as if you never heard of phishing attacks until today! And yet, you're the Font of Knowledge.

      Yes, if an "advanced user" can't vet the domain, and the message is important, that proves there is something wrong with the domain. This isn't the 1990s, there are technologies in place f

      • by mysidia ( 191772 )

        It is a major corporation that already existed long before 2014, so that means nothing.

        Actually... it means EVERYTHING, because you see the Date and the Registrar's identity are the only pieces of information in DNS and WHOIS that cannot be easily falsified ---- everything else can have bogus info in order to make the domain survive vetting, but the "Advanced user" has in fact been tricked or taken for a ride (They're not actually vetting if they look at that stuff --- its actually an illusion). A

No spitting on the Bus! Thank you, The Mgt.

Working...