** Correction about CLEAR as noted in this episode of the podcast. CLEAR does not use Facial Recognition technology, only iris or fingerprint biometric scans **
This is your Shared Security Weekly Blaze for March 18th 2019 with your host, Tom Eston. In this week’s episode: Equifax and Marriott data breach updates, facial recognition coming to 20 US airports, and the Citrix password spraying attack.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
In data breach news, Equifax CEO Mark Begor and Marriott CEO Arne Sorenson appeared before a US Senate subcommittee to testify regarding the data breaches that both companies have suffered. While no new information was made about the Equifax breach (just the committee grilling Equifax’s CEO on the security controls and investments in security that they’ve put in place) several more technical details about the Marriott breach were revealed. In September of last year, Accenture, who managed the Starwood Guest Reservation Database, contacted Marriott’s IT team about a strange query from a legitimate administrator account. Marriot discovered that these credentials were stolen and began an investigation. Investigators first found a remote access trojan being used as well as a tool to reveal usernames and passwords in memory called MimiKatz. Investigators finally found two encrypted files that were deleted and then recovered. These two files were removed from the Starwood network on November 13th of last year. Shortly after, investigators were able to decrypt these files to show what type of data was stolen. Even though 383 million guest records were accessed, the good news was that 9.1 million credit card numbers in the stolen data was encrypted and there has been no evidence to indicate that the master encryption keys to decrypt the card data was accessed. Marriott also said that they have not received any claims of loss from fraud from the incident. This is quite surprising, given that attackers had breached the Starwood network for at least 4 years since 2014 well before Marriott acquired the hotel chain.
In other Equifax news, famed reporter Brian Krebs reports that even if you already froze your credit files through Equifax after their data breach and were issued a PIN code, it still may be possible for an attacker to bypass your PIN and lift an existing credit freeze with just your name, social security number and birthday. Check out the link in our show notes to read the full article on this rather disturbing development.
US Customs and Border Protection (or CBP) is beginning to implement facial-recognition technology at 20 airports across the US. These new systems will be used to verify the identities of passengers entering and exiting the country. The plan is to have this system in place across all US airports by 2020. The technology will measure what’s called facial landmarks, which is the distance between the eyes or from the forehead to the chin, and match that data to passport photos stored in a database. You might be surprised to hear this but similar commercial facial-recognition systems are already in use at many airports already. For example, Delta has a “curb-to-gate” facial recognition system for international travelers at Atlanta International Airport and other airlines like JetBlue, British Airways, and Lufthansa are running similar pilot programs of their own. You may have also seen a third-party service called “Clear” at over 27 US airports which are kiosks that use iris or fingerprint biometric scans. Clear allows you to basically jump to the front of the security screening line, and includes a bunch of other airline specific perks, which can significantly decrease the time it takes through airport security. The issue with Clear, is that it comes at a cost of about $15 a month.
Facial-recognition technology seems to be implemented faster than we can understand the privacy ramifications. In a lot of ways, we’re starting to see the beginnings of a government funded massive surveillance network, now tied into the passport system, which has the potential to expand even outside of the airport. It’s also important to note that there are no laws that govern the use of facial recognition. Yet, the government is happy to roll this technology out, all in the name of your security. Third-parties like Clear, now make millions of dollars in this new business model of paying money in order to trade our privacy for extra convenience. Just so we don’t have to wait in line like everyone else. I hate to say this but it’s not going to stop anytime soon. So what do you think? Are you OK with facial-recognition technology being used at airports? Does it really improve security? And are you willing to trade your privacy for convenience?
A recent attack on Citrix, a large virtualization and software provider used by 98% of the Fortune 500, shows that weak and guessable passwords are still a huge problem for organizations. On March 6th, Citrix posted a notice that they had their internal network hacked by international cyber criminals. In a blog post about the intrusion Citrix said that the attackers may have accessed and downloaded business documents and that they are cooperating with the FBI in the ongoing activation. Apparently, the attack vector used was a technique called “Password Spraying” which is where an attacker puts together a list of usernames, usually collected through harvesting employee names from LinkedIn or other publicly available sources, and tries to login to exposed applications using a single common weak password like, “Winter2019” or “Password1”. Each login uses a username from the list and that single password. This technique is similar to another type of attack called a “brute force” attack were multiple logins and multiple common passwords are used. This type of attack is much noisier and easier to detect which is why many attacker prefer to use password spraying. Once an attacker finds a valid set of credentials, it doesn’t take long for the attacker to gain a foothold into the company’s internal network. Typically, this is done through lateral movement by exploiting vulnerabilities found with the access of that one single account. This attack, of course, take advantage of poor password policies as well as the lack of other controls like multi-factor authentication. Check out our show notes for our recent episode on multi-factor authentication to find out why just having a password alone, is not enough to protect user accounts.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.