Marriott's Breach Response Is So Bad, Security Experts Are Filling In the Gaps (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Last Friday, Marriott sent out millions of emails warning of a massive data breach -- some 500 million guest reservations had been stolen from its Starwood database. One problem: the email sender's domain didn't look like it came from Marriott at all. Marriott sent its notification email from "email-marriott.com," which is registered to a third-party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate -- the domain doesn't load or have an identifying HTTPS certificate. In fact, there's no easy way to check that the domain is real, except a buried note on Marriott's data breach notification site that confirms the domain as legitimate. But what makes matters worse is that the email is easily spoofable.
Many others have sounded the alarm on Marriott's lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant's use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords. Williams isn't the only one who's resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named "email-mariott.com" on the day of the Marriott breach. "Please watch where you click," he wrote on the site. "Hopefully this is one less site used to confuse victims." Had Marriott just sent the email from its own domain, it wouldn't be an issue.
Internal messaging system is the key (Score:5, Insightful)
What I've seen banks, even the local power company, do is have an internal messaging system. This way, any e-mails at most will alert you to log in (also warning you to manually type in the URL and not click on a link) and check your messages, with a warning that anything else is likely a phishing attempt.
Plus, because everything is handled via the internal system, there is more control, which is a help when it comes to GDPR/PCI-DSS/HIPAA/FERPA/whatever compliance, as messages never leave the site.
Re: (Score:3)
The whole concept that ANY email from ANY domain is in any way secure
The idea is not for an email to be secure. It's for its content to be trustworthy and not easily mistaken for something else. The question is not where the email comes "From:". It's about where it sends users and what it instructs them to do. Going to any domain other than www.marriott.com is an instant red flag which users should be trained to identify as a phishing attempt at this point.
Re:Blaming the User (Score:5, Informative)
No IT system will ever be strong enough to defend against a user clicking on a link to go to a webpage and voluntarily entering their credit card info.
Re: (Score:2)
Two-factor hardware authentication would solve this, frankly.
Re: (Score:2)
How do you keep users from using an app and having the phone be all the factors?
It works for people who understand security; are you sure it would help the others and not be just another thing they didn't learn the security details of?
Re: (Score:2)
One issue with LARTs... sometimes users really enjoy it when you bring it out, so it might just encourage the behavior that you want to discourage.
Re: (Score:2)
The IT system's spam filter might be strong enough to block bulk emails coming from a dodgy looking domain with no SPF record though.
Maybe that was the plan: make sure most of the emails end up getting blocked but technically fulfil the legal obligation to disclose. But more likely incompetence.
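The SPF check the comment above relies on, as an added example rather than anything from this thread or from any real mail filter: a small evaluator for `v=spf1` records covering the ip4, ip6, include and all mechanisms with their qualifiers, fed from a dictionary of constructed TXT records that stands in for DNS. All domain names and addresses in it are assumptions for the example; the a, mx, exists and redirect terms are not modelled and fall through to permerror.

```python
import ipaddress

# Constructed TXT data standing in for live DNS lookups.  The domain names
# and addresses are assumptions for this example, not real records.
FAKE_DNS_TXT = {
    "bank.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all"],
    "_spf.mailer.test": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "email-bank.test": ["some unrelated TXT record"],   # exists, publishes no SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's single SPF record, or None when it has none
    (or, per RFC 7208, more than one, which counts as no usable record)."""
    records = [r for r in FAKE_DNS_TXT.get(domain.lower(), [])
               if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate sender_ip against domain's SPF policy.

    Handles the ip4, ip6, include and all mechanisms with their qualifiers.
    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    if depth > 10:                       # RFC 7208 caps DNS-based terms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(sender_ip, arg, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"       # including a domain without SPF is fatal
        else:
            return "permerror"           # a, mx, exists, redirect=... not modelled here
    return "neutral"                     # record ran out without a match


def filter_action(sender_ip, domain):
    """Map the SPF result to what a bulk-mail filter would do with the message.
    This mapping is one policy choice for the example, not a standard."""
    result = check_spf(sender_ip, domain)
    if result == "pass":
        return "deliver"
    if result == "fail":
        return "reject"
    return "quarantine"                  # none, softfail, neutral, permerror: unproven sender
```

`none` is the case the comment describes: the sending domain publishes nothing, so the receiver cannot distinguish the real sender from a spoof and can only fall back on reputation or quarantine.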
Re: (Score:1)
Agreed, but I will say that I don't know why email clients haven't at least made clicking links more difficult. Meaning, at minimum, when clicking a link in an email, display some dire warning. Don't allow "hidden links", i.e., only allow a bare URL to be clickable; if it's an HTML email with anchor text different than the actual URL, don't let that be clickable at all. Make only valid SSL links clickable. Any number of different possibilities that certainly won't entirely solve the problem but at least
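The anchor-text rule from the comment above, as an added example that is not part of the thread or of any mail client: a parser that pulls every link out of an HTML email body and reports why a strict client would refuse to make it clickable (plain HTTP, a host outside the sender's own domain, or visible text that reads as one host while the href goes to another). The sample body and the `bank.test` hosts are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect every <a href="..."> together with its visible anchor text."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, visible_text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:     # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL or URL-looking text, lowercased, without a leading
    'www.'; '' when nothing parses as a host."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    host = (urlparse(url_or_text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def audit_links(html, trusted_hosts):
    """Return [(href, text, reasons)] for each link in the email body.

    reasons is empty when the link would be allowed; otherwise it lists the
    rules it breaks: not HTTPS, a host outside the trusted set, or anchor
    text that reads as one host while the href points at another.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        target = host_of(href)
        if not href.lower().startswith("https://"):
            reasons.append("not https")
        if target not in trusted_hosts and not any(
                target.endswith("." + t) for t in trusted_hosts):
            reasons.append("off-brand host " + (target or "<none>"))
        looks_like_url = "." in text and " " not in text   # e.g. www.bank.test/reset
        if looks_like_url and host_of(text) != target:
            reasons.append("anchor text says %s but href goes to %s"
                           % (host_of(text), target))
        findings.append((href, text, reasons))
    return findings


def clickable_links(html, trusted_hosts):
    """The hrefs a strict client would leave clickable."""
    return [href for href, _, reasons in audit_links(html, trusted_hosts)
            if not reasons]


# Constructed sample body; the hosts are assumptions for the example.
SAMPLE_EMAIL = """
<p>Please <a href="https://www.bank.test/security">review your account</a>.</p>
<p>Or reset here: <a href="http://bank-login.test/reset">www.bank.test/reset</a></p>
<p>Notice: <a href="https://email-bank.test/notice">email-bank.test</a></p>
"""
```

The third link is the Marriott shape: HTTPS, text and href agree, and the only thing wrong with it is that the host is not the brand's own domain, which is exactly the signal a client cannot judge without a trusted-host list.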
Re: (Score:1)
No IT system will ever be strong enough to defend against a user clicking on a link to go to a webpage and voluntarily entering their credit card info.
Yes, but companies shouldn't encourage the practice by using dodgy looking domains for their normal operations.
For example, the website for a phone company I do business with is www.companyA.com.
If I go to that website and for some functionality I get redirected to mycompanyAaccount.com.
A typical user can't tell if mycompanyAaccount.com is a phishing site or
The dodgy domain was very clever (Score:2)
Admitting to a security breach is rather embarrassing.
Most users will disregard an email from email-mariot.com as spam. And so the Mariot can fulfil their legal responsibility to inform users without actually informing users.
Very clever. (More likely very stupid, but a fortuitous idiocy.)
And there is no way for users to validate a domain name and know where to enter a credit card number. How can you tell that sIashdot.com is not slashdot.com?! The padlock is meaningless. Sending passwords over the net
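The sIashdot.com question in the comment above is exactly what lookalike-domain detection answers, and the email-mariott.com domain from the summary is the other shape of the same problem. The following is an added example, not something from this thread or from any particular tool: it collapses a hostname to a visual skeleton (a small confusables table, punycode decoded, two-glyph pairs such as rn/m folded), then classifies a candidate against known brand domains as a homoglyph, a one-edit typosquat, a brand name buried in a subdomain, or a brand name as one token of the label. The brand list and the confusables subset are assumptions for the example.

```python
import unicodedata

# Characters attackers swap in for the ASCII letters a reader perceives.
# Constructed subset for the example; Unicode TR39 carries the full table.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",                       # the sIashdot.com trick
    "0": "o", "\u043e": "o", "\u03bf": "o",              # zero, Cyrillic and Greek o
    "\u0430": "a", "\u03b1": "a",                        # Cyrillic and Greek a
    "\u0435": "e", "\u0440": "p", "\u0441": "c",         # Cyrillic е р с
    "\u0455": "s", "\u0456": "i", "\u0443": "y", "\u04bb": "h",
}
PAIRS = {"rn": "m", "vv": "w"}                           # two glyphs read as one


def skeleton(host):
    """Collapse a hostname to what a reader sees, so confusables compare equal."""
    host = host.strip().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")      # xn-- labels back to Unicode
    except UnicodeError:
        pass                                            # already Unicode, or bad punycode
    host = unicodedata.normalize("NFKC", host)
    out = "".join(CONFUSABLES.get(ch, ch) for ch in host).lower()
    for pair, single in PAIRS.items():
        out = out.replace(pair, single)
    return out


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def classify(host, brands):
    """Return (brand, verdict) for a hostname against known brand domains.

    verdict: legitimate, homoglyph, typosquat, brand-in-subdomain,
    brand-in-label, or unrelated.  'brand-in-label' is the email-marriott.com
    shape: nothing in the name itself tells you whether it is the brand's.
    """
    plain = host.strip().rstrip(".").lower()
    sk = skeleton(host)
    labels = sk.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]   # registrable label
    for brand in brands:
        b = brand.lower()
        bsk = skeleton(brand)
        blabel = bsk.split(".")[-2] if "." in bsk else bsk
        if plain == b or plain.endswith("." + b):
            return brand, "legitimate"
        if sk == bsk or sk.endswith("." + bsk):
            return brand, "homoglyph"
        if edit_distance(label, blabel) <= 1:
            return brand, "typosquat"
        if blabel in labels[:-2]:
            return brand, "brand-in-subdomain"
        if any(edit_distance(tok, blabel) <= 1 for tok in label.split("-")):
            return brand, "brand-in-label"
    return None, "unrelated"
```

The `brand-in-label` verdict is the honest answer for names like email-marriott.com: the string alone cannot tell you whether the brand registered it, which is the whole complaint in the article.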
Re: (Score:2)
meh, there's a lot we can do.
My workplace does a pretty good job of protecting people, sometimes too good a job. It checks URLs, validates links sent via emails... It's not perfect, but it works pretty darn well.
There is little reason the major ISPs, browsers, and/or email systems shouldn't have similar kinds of protections. Yes, you should be able to call them to turn it off if you like to browse unsafely.
Similarly, the entire online payment industry could use some work. It's actually been a long time sin
Re: (Score:1)
Because some people are at a hotel, and don't want others to know why they are there. For example, I know people who didn't want others to know they were at the Midwest Fur Fest, for obvious reasons. That info being public could be at best humiliating, at worst cause loss of a job or a career.
Re: (Score:3)
If they don't have the customer's contact details, then their personal details weren't stolen and they don't need to notify them.
Re: (Score:2)
Defense in depth. Yes, IT can have something in place to mitigate damage if a user clicks/downloads/runs stuff, be it AppLocker, FSRM, backups that store documents in real time, and so on. However, having users not click on things in the first place adds a "layer 8" protection in place.
Even with protective measures, having them not as needed is a wise thing.
So which one is it (Score:2)
1. The folks handling the Marriott/Starwood breach don't know what they are doing
2. Management is overruling the folks handling the breach
3. Both
Chances are that whoever is making the decisions now got Marriott/Starwood into the problem in the first place.
Re: (Score:1)
I can tell you that if Marriott is run like Carlson then the environment is as follows:
a) The business analysts rule the company
b) They pay bottom dollar for software and internet infrastructure services
c) They don't understand computer security at all.
Those few smart people who are unfortunate enough to get stuck in such a company cannot override the tidal wave of stupidity that emanates from the BAs.
I was fortunate enough to get out - fast.
Operational considerations (Score:1)
Thanks to spammers and anti-spammers, it has become very difficult to send large volumes of legitimate emails. It is practically mandatory to leave this to professionals. If you send "from" the main domain, you have to handle the return traffic on that domain, and the mail system that handles the individual mail on that domain is most likely not suited to deal with that, and if you outsourced that to the mass emailer, you would have to give them a lot of control over your main domain. To a mass email servic
Re: (Score:2)
Yes they do. You can piss people off until they're swearing at you, but they'll be back when you have the thing they want at the best price or offer it in a more convenient way than the competition. Your comment is just an example of the typical irrational way customers think. They put fantasies of how things should be before the way things actually are.
Re: (Score:2)
I once threatened to put a lien on a customer's webserver.
Most annoyed customer I ever had.
He finally paid, though! I was shocked.
Typically though, they're annoyed because I told them they're wrong, and they suspect it is true. I tell them to take their time, think it over, get a second opinion. If they really do that, they'll come back even more annoyed; because they have to admit I was right if they want my price, and now they heard the other guy's price. :)
The best computer salesperson I ever knew once ex
Re: (Score:2)
In the Olden Days, you had to hire an expert because sendmail required a PhD to understand the configuration.
Then IBM released postfix, and you still needed to hire an expert, because spam was a thing.
That was before the Earth 1.0 ended during Y2K, or whatever. Ancient Times. Before The Day.
That said, the only reasonable explanation for their mistake is really lame. Really lame. Basically, it comes down to this: Marriott has an idiot BOFH whose neckbeard is so long, he put their email on a weird domain to a
Re: (Score:2)
It means if you try to feed port 80 to your cat(1) the poor thing is going to starve, or die of old age.
They must have enabled quantum email domains. Or something.
mission accomplished (Score:5, Insightful)
everybody is talking about how bad the email was instead of the breach itself.
Re:mission accomplished (Score:5, Insightful)
everybody is talking about how bad the email was instead of the breach itself.
Breaches don't matter anymore. I was a victim of the Home Depot, Target, and Equifax breaches. So all my information is already "out there". Most other people are in the same situation. Yet another breach doesn't make any difference. Who cares?
Re: (Score:2)
everybody is talking about how bad the email was instead of the breach itself.
Not even remotely. Just because we're talking about one thing doesn't mean we aren't talking about something else. This is only one article on one site. Even a cursory search of news will show that people are very much talking about the breach itself, its effects on people and what the company is doing about it.
Hell, the most recent story on the news isn't even about the email. It's about Marriott's responses to fraud; here's one from only a couple of hours ago, significantly newer than TFA: https://www.washi [washingtonpost.com]
Pass (Score:1)
Well at least you don't normally give your passport to staff upon check-in... oh wait....
Yea, but then they couldn't get away with (Score:1)
SPAMMING
Yet another MASSIVE government fail. (Score:1, Funny)
Once again we see how GOVERNMENT is to blame for a huge privacy and security failure and yet libtards will now demand the heads of amazing private industry people who TRIED to stop the incompetent and corrupt fat cat union controlled government from hurting the precious consumers. And next up they want massive useless government to run our health care system! The insane left demands more big government intervention in everything and THIS is what will happen.
Wrong tool for the job (Score:4, Insightful)
posted a long tweet thread...
Huh. It's almost like twitter is one of the worst ways to communicate complicated things. Too bad there aren't any places on the internet where one can post long-form information and have a discussion about it. Guess we'll just have to break everything into 30 different tweets.
CSC registered it is a STRONG clue (Score:4, Informative)
Just because an advanced user has difficulty vetting the domain doesn't mean there's something wrong with it.
There's no "official", universally accepted criterion for authenticating that a domain belongs to the company whose name is claimed on the domain, and even the use of a basic TLS certificate is not foolproof. However, CSC, being a corporate-only registrar that is used by most of the largest internet brands in the US, has a very HIGH PRICE to engage their services, let alone register a domain. Unless a state actor is involved or there's an additional major breach of CSC itself, the probability of a phishing domain getting registered through CSC AND also with DNS hosted by CSC seems extremely remote, particularly when you look at the second positive indicator.
Registration is mature: the domain email-marriott.com has been registered for 4 years, created in August 2014. That would mean it's been dormant or used for purposes not detected as phishing for an extremely long term. Generally, when a domain name is used for phishing, abuse takedown procedures get initiated immediately, and most often the domain is shut down by its registrar within days.
COULD the breach notification be faked? Yes, in theory. So just be cautious if you receive an e-mail: don't provide personal information after clicking on a link in the message. Close the browser window and visit the company's website. Open a ticket with support if the breach notice implies you need to do something and you can't find a way to do it on their website; ultimately a company's call-in support should be able to confirm whether the message is real or not and assist.
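The two WHOIS signals the comment above leans on, registration age and registrar identity, as an added example of how a triage script would pull them out; this is not code from the thread or from any WHOIS client. It parses the common `Key: value` layout, accepts both the ISO 8601 and the older dd-mon-yyyy date styles, and reports the observations an analyst would note. The WHOIS text, the registrar names and the corporate-registrar set are all constructed for the example.

```python
from datetime import datetime, timezone

# Registrars that only sell to vetted corporate customers.  Constructed
# set for the example; the real list is a policy decision for your team.
CORPORATE_REGISTRARS = {"example corporate registrar, inc."}

DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into a dict (keys lowercased, first value wins)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")     # time colons stay in the value
        key = key.strip().lower()
        if sep and value.strip() and key not in record:
            record[key] = value.strip()
    return record


def parse_date(value):
    """Parse the date styles registries commonly emit; None if none match."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def vet_domain(whois_text, now, young_days=90):
    """Summarise registration age and registrar for a domain.

    Returns {'domain', 'registrar', 'age_days', 'signals'}; signals are the
    human-readable observations a triage analyst would record.
    """
    rec = parse_whois(whois_text)
    created = parse_date(rec.get("creation date", rec.get("created", "")))
    registrar = rec.get("registrar", "")
    signals = []
    age_days = None
    if created is None:
        signals.append("no parseable creation date")
    else:
        age_days = (now - created).days
        if age_days < young_days:
            signals.append("registered %d days ago: too new to have earned any trust" % age_days)
        else:
            signals.append("registered %d days ago: mature registration" % age_days)
    if registrar.lower() in CORPORATE_REGISTRARS:
        signals.append("corporate-only registrar: " + registrar)
    elif registrar:
        signals.append("retail registrar: " + registrar)
    else:
        signals.append("registrar not disclosed")
    return {"domain": rec.get("domain name", "").lower(), "registrar": registrar,
            "age_days": age_days, "signals": signals}


# Constructed WHOIS output; every name in it is an assumption for the example.
MATURE_WHOIS = """\
Domain Name: EMAIL-BANK.TEST
Registrar: Example Corporate Registrar, Inc.
Creation Date: 2014-08-21T17:30:12Z
Updated Date: 2018-07-02T09:11:43Z
Name Server: NS1.EXAMPLE-CORPORATE-REGISTRAR.TEST
"""

FRESH_WHOIS = """\
Domain Name: EMAIL-BANKK.TEST
Registrar: Cheap Domains Ltd
Creation Date: 30-nov-2018
"""

NOW = datetime(2018, 11, 30, 18, 0, tzinfo=timezone.utc)   # fixed clock for the example
```

Treat the output as context, not a verdict: as the replies in this thread point out, a long-registered domain held by a large company is not evidence that the company is using it for this particular message.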
Re: (Score:2)
It is a major corporation that already existed long before 2014, so that means nothing.
Your comments are simply dangerous bullshit of the same quality as what Marriott did.
My goodness that is just daft beyond words. It is almost as if you never heard of phishing attacks until today! And yet, you're the Font of Knowledge.
Yes, if an "advanced user" can't vet the domain, and the message is important, that proves there is something wrong with the domain. This isn't the 1990s, there are technologies in place f
Re: (Score:2)
It is a major corporation that already existed long before 2014, so that means nothing.
Actually... it means EVERYTHING, because, you see, the date and the registrar's identity are the only pieces of information in DNS and WHOIS that cannot be easily falsified; everything else can have bogus info in order to make the domain survive vetting, but the "advanced user" has in fact been tricked or taken for a ride (they're not actually vetting if they look at that stuff; it's actually an illusion). A