Nelly might regret staying at the Holiday Inn, and you might too. This week, InterContinental Hotels Group (IHG), owners of Holiday Inn and Crowne Plaza, have notified the public of malware found on payment card systems at 1,174 franchise hotels in the United States.
This is the second breach IHG has disclosed so far this year, the first in February. The latest malware incident was discovered between September 29th and December 29th of 2016, but customers were just recently notified. According to the company, there’s no evidence payment card data was accessed after that point but can’t confirm the malware was eradicated until two or three months later, when they began its investigation around the breach. Comforting. Among the ‘potential’ information obtained by the malware is credit card data, such as cardholders’ names, credit card numbers, expiration dates and internal verification codes. This most likely happened because the variant on their system siphoned track data from the magnetic strip of cards as they were routed through affected hotel servers.
InterContinental Hotels Group had begun implementing a point-to-point encryption payment solution last fall. This type of technology can reportedly prevent malware from scouring systems for payment card data. It seems the affected hotels were those who had not yet implemented the encryption technology. Similarly, IHG subsidiary, boutique hotel chain Kimpton is fighting a class action court case that alleges the company failed to take adequate measures to protect guests payment card data. IHG is just the latest hotel chain to report a potential customer data breach in past few years, following Hyatt, Hilton, Mandarin Oriental, and Starwood, who also acknowledged finding malware in their payment systems.
Many IHG-branded locations are independently owned and operated franchises and certain of these franchisee operated locations in the Americas were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately used at their locations -IHG website
Malware is continuously getting harder to detect. Read ‘How to Identify Malware Attacks’ for useful detection tips.
It’s a topic we’ll never get away from. And while you probably put your headphones on to escape the noises of the world, you’ll want to reconsider if those headphones are Bose. A recent lawsuit alleges that Bose uses an app to collect the listening habits of its customers and provide that information to third parties, without the knowledge and permission of the users.
The $5 million lawsuit accuses Bose, maker of headphones that sell up to around $350, of violating the WireTap Act and a variety of state privacy laws. According to the plaintiff Kyle Zak, a person’s musical selection can “provide an incredible amount of insight into his or her personality, behavior, political views, and personal identity.” By downloading the Bose Connect app, users are also prompted to input their name, phone number and email address, in order to ‘get the most out of their headphones.’ Zak believes Bose created detailed profiles of customers’ listening histories and habits, and shared it with marketing companies, including a firm called Segment.
Zak is seeking to represent other headphone owners over allegations of illegal data mining. Bose has yet to respond for comment, but if the allegations are true, it will be just the latest IoT case to gain media attention. Recent cases include IoT toy CloudPets, and just this month, the settlement from a company called We Vibe. The ‘smart sex toy’ maker agreed to pay $3.75 million to settle claims its app had illegally collected information about how its customers used the product. TMI.
Companies need to be transparent about the data they take and what they are doing with it, and get consent from their customers before monetizing their personal information – Jay Edelson, the privacy lawyer who filed the Bose lawsuit
Many companies operate under the sole business model of mining user data and developing better algorithms for analysis and sell this information for profit. Read ‘Your Web Browsing Habits are Building a Billion Dollar Industry’ to go more in-depth.
What would you say if you were promised to make exponential amounts of money from an initial investment of less than $200? It’s not the stock market, or from gambling. This method is a new ransomware as a service (RaaS) called Karmen, which costs $175, that has been discovered by security researchers at Recorded Future.
Ransomware as a service (RaaS) is a variant of ransomware designed to be so user-friendly that anyone with little or no technical knowledge can easily deploy them to make money. Karmen lets buyers set ransom prices, determine how long to give victims to pay and offers multiple ways to communicate with targets. It works by encrypting files on the infected PC using the strong AES-256 encryption protocol. One especially interesting feature of this ransomware is that it automatically deletes its decryptor if a sandbox environment or analysis software is detected on the victim’s computer to make security researchers away from investigating the threat. The user console acts as a dashboard which subscribers to keep tabs on the number of clients they have and how much money they have earned.
Recorded Future believes there have only been 20 versions of Karmen sold by the specific reseller identified as DevBitox, with five remaining copies for sale. At this time, Karmen’s infection chain is currently unknown, although it has been linked to the open-source ransomware sample called Hidden Tear, which was released in August 2015 for education purposes. If your first thought is to rush and purchase Karmen, hold up. It can be removed with a free tool at NoMoreRansom.org.
Karmen Ransomware is sold as a standalone malware variant, only requiring a one-time upfront payment, allowing a buyer to retain 100 percent of payments from infected victims -RecordedFuture
For how to defend against ransomware and learn best practices, read ‘Ransomware Protection.’
Rhode Island has hired its first cybersecurity officer in former utility executive Mike Steinmetz.
A working knowledge of the Domain Name System (DNS) is essential to a system administrator’s career. Not only is core DNS operations and support imperative to have mastered, but securing the platform has become equally as critical.
We need DNS’ because although domain names are simple to remember, computers access websites based on IP addresses. DNS holds the key to your existence on the Internet, which is why you want to control DNS for your domain.
The Strategic DNS Operations and Security Micro Certification will cover the operations, support and security for DNS on both the Windows and BIND platforms. Knowing how queries work, and the difference between authoritative and caching name servers, are crucial to understanding DNS best practices.
This code expires 04/23/17 at midnight EST.
Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.