Thousands of Guests’ Data May Have Been Hacked at Starwood, Marriott and Hyatt Hotels


A data breach at 20 U.S. hotels operated by HEI Hotels & Resorts for Starwood, Marriott, Hyatt and Intercontinental may have divulged payment card data from tens of thousands of food, drink and other transactions, HEI said on Sunday.

The breach follows similar attacks at Hyatt Hotels and Starwood Hotels & Resorts in recent months. Norwalk, Connecticut-based HEI, which is privately held, said malware designed to collect card data was found on HEI’s systems.

The malware was discovered in early to mid-June on payment systems used at restaurants, bars, spas, lobby shops and other facilities at the properties, Chris Daly, a spokesman for HEI, said in emails and phone calls.

The number of customers affected is difficult to calculate because they might have used their cards multiple times, Daly said. About 8,000 transactions occurred during the affected period at the Hyatt Centric Santa Barbara hotel in California, and about 12,800 at the IHG Intercontinental in Tampa, Florida, Daly said.

The malware affected 12 Starwood hotels, six Marriott International properties, one Hyatt hotel and one InterContinental hotel. It was active from March 1, 2015 to June 21, 2016, with 14 of the hotels affected after Dec. 2, 2015, HEI said on its website.

Marriott and IHG declined to comment. Representatives from the other hotel groups did not respond to requests for comment.

HEI said outside experts investigated the breach and determined that hackers might have stolen customer names, account numbers, payment card expiration dates and verification codes. The hackers did not appear to have gained PIN codes, since those are not collected by its system, it added.

The company has informed federal authorities and has installed a new payment processing system that is separate from other parts of its computer network.

Among the properties affected were Starwood’s Westin hotels in Minneapolis; Pasadena, California; Philadelphia; Snowmass, Colorado; Washington, D.C.; and Fort Lauderdale, Florida. Also affected were Starwood properties in Arlington, Virginia; Manchester Village, Vermont; San Francisco; Miami; and Nashville, Tennessee.


Source: NBC

Millions of VW Cars at Risk: Wireless Hack Lets Crooks Clone Volkswagen Keys

If you own a Volkswagen with keyless entry, it’s likely to be vulnerable to a remote-cloning attack, according to new research.

After reverse-engineering the keyless entry systems of multiple VW models from the early 2000s to 2016, a team of researchers believe that the vast majority of the 100 million vehicles from VW Group sold in that time are vulnerable to a key-cloning attack that leaves the ignition and keyless entry system exposed to tampering.

The attack can be carried out using cheap, battery-powered, commercially available radios, which are capable of eavesdropping and recording the rolling codes used by keyless entry systems and then emulating a key. One of the tools they developed for the attack, an Arduino-based RF transceiver, cost just $40 to make.

Researchers from the University of Birmingham in the UK, and German embedded-security consultancy Kasper & Oswald will present their research this week at the Usenix security conference in Austin, Texas.

They note in the paper that Volkswagen Group had relied on only a few cryptographic global master keys for the remote keyless entry (RKE) systems in vehicles sold during the past two decades.

“With the knowledge of these keys, an adversary only has to eavesdrop a single signal from a target remote control. Afterwards, he can decrypt this signal, obtain the current UID and counter value, and create a clone of the original remote control to lock or unlock any door of the target vehicle an arbitrary number of times,” they write.

The researchers discovered master keys by reverse-engineering the firmware of Electronic Control Units (ECUs) onboard vehicles in the study. The attack exploits weaknesses in the key distribution method.

There isn’t much car owners or Volkswagen can immediately do to reverse the vulnerability because patching or replacing ECUs and the key fobs would be a gargantuan undertaking.

What it does mean for car owners is that checking a system for tampering by listening for sound or watching for blinking indicators isn’t valid anymore, since a new valid code can be generated any time after the initial signal is eavesdropped, which can be done from up to 100m away.

Since car owners can’t practically block an attacker eavesdropping RF signals, “the only remaining (yet impractical) countermeasure is to fully deactivate or at least not use the [remote keyless entry] functionality and resort to the mechanical lock of the vehicle.”

A second attack the researchers explored relates to the ageing Hitag2 rolling code scheme, which is used by Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford.

The researchers found that the Hitag2 keyless entry system uses a cryptographically weak cipher. As noted by Wired, however, NXP, the semiconductor maker behind the Hitag2 scheme, has been advising manufacturers to upgrade to a modern scheme.

The researchers said they advised VW Group of the vulnerabilities and came to an agreement with the company not to disclose the cryptographic keys, part numbers of vulnerable ECUs, and how they reverse-engineered the processes.

The researchers argue that, given their findings, insurance companies may need to accept that cases that look like insurance fraud, such as a laptop stolen from a locked car without any physical traces of a break-in, can plausibly be an actual theft.

A VW Group spokesman later told ZDNet that the security of its systems is up to scratch and that the researchers’ work went beyond flaws that are easy to exploit.

Here’s the full quote from VW Group spokesman, Peter Weisheit:

“The bar for theft prevention is constantly being raised, but ultimately there is no 100% guarantee for security. On one hand, criminals are equipped with sophisticated tools, and on the other hand, theft protection is impacted by the fact that we have to provide access to the OBD interface (On-Board Diagnosis) as well as the processes and documents in connection to these systems. With highly specialized technical knowledge, individual electronic components of the vehicles can be manipulated through this open interface.

Volkswagen’s electronic and mechanical security measures are state-of-the-art technology. Volkswagen also offers innovative technologies in this field that are continuously developed further.

Researchers from the University of Birmingham set themselves the task of analyzing security technologies such as the immobilizer and remote control to identify systematic weaknesses, regardless of practical applicability. Their academic work that has now been published showed that the security systems of the vehicles that were up to 15 years old do not have the same security level as, for example, our present vehicles based on the MQB Modular Transverse Matrix (e.g. the current Golf, Tiguan, Touran, Passat, etc.). These current vehicle generations are not affected by the problem described.

The responsible department at Volkswagen Group is in contact with the academics mentioned and a constructive exchange is taking place. We agreed that the authors would publish their mathematical-scientific findings, but without the sensitive content that could be used by accomplished criminals to break into vehicles. The findings obtained will serve to further improve the security technology.

The spokesperson said that the company won’t be commenting on further details yet.


Source: ZDNet

Fake QR Code App Gets Hacker into Luxury Airport Lounges for Free

Free airline Fast Track for all! Free lunch and booze at luxury airport lounges for all! Duty-free shopping for all!

That’s what a fake QR code generating app can get you, according to Przemek Jaroszewski, head of Poland’s Computer Emergency Response Team (CERT).

At the Defcon security conference in Las Vegas on Sunday, Jaroszewski presented the simple program that he’s now used dozens of times to get into airline lounges all over Europe.

The Android app generates the QR codes in order to spoof a boarding pass for any name, flight number, destination and class.

He hasn’t tried it in the US yet, but as far as Europe goes, he says none of the airline lounges he’s tested the app in have checked the details of that fake QR code against their own ticketing databases. All the airlines check is that the QR codes actually exist.

That means that he – or other hackers who figure out how to replicate the 500 lines of JavaScript he said he used to create the app – can get access to exclusive, luxury airport lounges or buy things at duty-free shops that should require proof of an international ticket.

If this sounds familiar, it should. Jaroszewski is far from the first one to get himself past feeble airport security checks.

His Defcon presentation paper lists previous airplane hijinks, including:

  • In 2003, Bruce Schneier described how to fly on someone else’s airplane ticket by screwing around with e-tickets. He said he wasn’t the first to get this idea, by far.
  • In 2005, Andy Bowers described how online check-in meant that you can get on a flight without ever proving you were the person who bought the ticket.
  • In 2007, Christopher Soghoian created a fake boarding pass generator website, allowing anyone to create a fake Northwest Airlines boarding pass: any name, airport, date, or flight, thereby demonstrating a known and obvious vulnerability in airport security involving boarding passes and IDs. That resulted in a visit from the FBI, the glass on his front door smashed in, a ransacked home, a search warrant taped to his kitchen table, and all of his computers removed from his house.
  • In 2008, Jeffrey Goldberg demonstrated the ineffectiveness of airport security check-in by carrying in an astonishing assortment of verboten items on a variety of flights: an OSAMA BIN LADEN, HERO OF ISLAM T-shirt, a stack of homemade boarding passes courtesy of Schneier, a Hezbollah flag featuring the image of an upraised fist clutching an AK-47 automatic rifle, and a beer belly concealing two cans’ worth of Budweiser, for example.

Jaroszewski told Wired that his Defcon talk was intended to point out that years after those exploits, the boarding pass insecurity not only persists, but it’s gotten easier to exploit because of airports’ reliance on automated QR code readers.

Wired quotes him:

Literally, it takes 10 seconds to create a boarding pass [on a mobile phone]. And it doesn’t even have to look legit because you’re not in contact with any humans.

Here’s a video of Jaroszewski using the fake QR code to get into Turkish Airlines’ Istanbul airport lounge (one of his favorites, he told Wired: it’s replete with a cinema, putting green, Turkish bakery and free massages).

Before you dismiss him as a cheap-o fraudster who doesn’t want to pay for a first class or business ticket, rest assured that, according to Wired, he flies 50 to 80 times a year and is solidly in gold status. He says he created the app last year, when that gold status was mistakenly rejected, to make sure he didn’t get locked out again.

What’s more, Jaroszewski has refrained from exploiting the fake QR codes to get into places he doesn’t have the right to access. Nor has he bought duty-free goods when he wasn’t traveling internationally. Both actions would probably be illegal.

This isn’t a security concern, according to the US’s Transportation Security Administration (TSA) and the International Air Transport Association (IATA), and they have no plans to fix it. As it is, it’s up to the airlines if they don’t want lounge-crashers to rip off their amenities.

Both organizations told Wired that a forged bar-coded boarding pass (BCBP) wouldn’t get you on a flight. Other security measures would likely reveal that the bearer of a fake QR code didn’t have a legitimate boarding pass.

Still, the fake QR code app underscores Jaroszewski’s point: even 13 years after Schneier’s fake boarding pass demonstration, airport security is hardly what you’d call airtight.


Source: Naked Security

This PC Monitor Hack Can Manipulate Pixels for Malicious Effect

Don’t believe everything you see. It turns out even your computer monitor can be hacked. On Friday, researchers at DEF CON presented a way to manipulate the tiny pixels found on a computer display.

Ang Cui and Jatin Kataria of Red Balloon Security were curious how Dell monitors worked and ended up reverse-engineering one. They picked apart a Dell U2410 monitor and found that the display controller inside can be used to change and log the pixels across the screen.

During their DEF CON presentation, they showed how the hacked monitor could seemingly alter the details on a web page. In one example, they changed a PayPal account balance from $0 to $1 million, when in reality the pixels on the monitor had simply been reconfigured.

It wasn’t exactly an easy hack to pull off. To discover the vulnerability, both Cui and Kataria spent their spare time over two years, conducting research and understanding the technology inside the Dell monitor.

However, they also looked at monitors from other brands, including Samsung, Acer and Hewlett Packard, and noticed that it was theoretically possible to hack them in the same manner as well.

The key problem lies in the monitors’ firmware, or the software embedded inside. “There’s no security in the way they update their firmware, and it’s very open,” said Cui, who is also CEO of Red Balloon.

The exploit requires gaining access to the monitor itself, through the HDMI or USB port. Once done, the hack could potentially open the door for other malicious attacks, including ransomware.

For instance, cyber criminals could emblazon a permanent message on the display, and ask for payment to remove it, Kataria said. Or they could even spy on users’ monitors, by logging the pixels generated.

However, the two researchers said they made their presentation to raise awareness about computer monitor security. They’ve posted the code to their research online.

“Is monitor security important? I think it is,” Cui said.


Source: CSO Online

Irish National Police Service Shuts Down IT Systems to Mitigate Cyber Attack

Garda Síochána (Irish for “the Guardian of the Peace”), Ireland’s national police service, has said it was on the receiving end of a cyber-attack, following which it had to shut down several IT systems to prevent attackers from gaining access to sensitive information.

The attack took place last Thursday, on August 4, but it was only disclosed to the public on Sunday, after authorities dealt with the intrusion.

According to local news media, police officials explained the attack was carried out with a new strain of malware that the police IT security team had never seen before.

Garda officials claimed the attackers did not manage to steal anything from their servers. This was possible because the IT staff managed to shut down the targeted computer systems in time, before data was exfiltrated.

The Irish National Police servers, just like the ones belonging to any other law enforcement organization, hold information on ongoing investigations, staff members, and the general public.

Authorities did not indicate whom they suspected for the attack. A Garda spokesperson gave the Irish Independent the following statement:

“(After the threat was recognized) heightened security procedures were implemented and standard protocols were enforced across all Garda ICT environments to limit any effect on our systems. Working with security experts the threat was identified and an appropriate solution was implemented across all Garda Siochana ICT systems.”

By Catalin Cimpanu

Source: Softpedia

Android Bug Fear in 900 Million Phones

Serious security flaws that could give attackers complete access to a phone’s data have been found in software used on tens of millions of Android devices.

The bugs were uncovered by Checkpoint researchers looking at software running on chipsets made by US firm Qualcomm. Qualcomm processors are found in about 900 million Android phones, the company said. However, there is no evidence of the vulnerabilities currently being used in attacks by cyberthieves. “I’m pretty sure you will see these vulnerabilities being used in the next three to four months,” said Michael Shaulov, head of mobility product management at Checkpoint.

“It’s always a race as to who finds the bug first, whether it’s the good guys or the bad.”

Affected devices included:

  • BlackBerry Priv and Dtek50
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6 and Nexus 6P
  • HTC One, HTC M9 and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2 and OnePlus 3
  • US versions of the Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

Mr Shaulov said six months of work to reverse engineer Qualcomm’s code revealed the problems. The flaws were found in software that handles graphics and in code that controls communication between different processes running inside a phone. Exploiting the bugs would allow an attacker to gradually take more control over a device and gain access to its data.

Checkpoint handed information about the bugs and proof of concept code to Qualcomm earlier this year.

In response, Qualcomm is believed to have created patches for the bugs and started to use the fixed versions in its factories.

It has also distributed the patches to phone makers and operators. However, it is not clear how many of those companies have issued updates to customers’ phones.

Checkpoint has created a free app called QuadRooter Scanner that can be used to check if a phone is vulnerable to any of the bugs, by looking to see if the patches for them have been downloaded and installed.

In addition, Mr Shaulov said Android owners should only download apps from the official Google Play store to avoid falling victim to malicious programs.

“People should call whoever sold them their phone, their operator or the manufacturer, and beg them for the patches,” said Mr Shaulov.

In a statement, Qualcomm said: “We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July.

“We continue to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities.”

By Mark Ward

Source: BBC

Three Times as Bad as Malware: Google Shines Light on Pay-Per-Install

At some point you have probably downloaded a “free” piece of software only to find it has come with a whole host of other unwanted friends that go on to redirect your browser search bar or inject ads where there weren’t any before.

This is the world of pay-per-install (PPI) and Google, along with New York University and the International Computer Science Institute, spent a year digging into the little-understood market, publishing their results in a paper [PDF] this week.

What they found over the course of 12 months makes for sobering reading: the issue of PPI is three times greater than malware: no less than 60 million download attempts every week. That’s something that the authors say represents “a major security threat”. They estimate as many as five per cent of all browsers have been affected.

Why is it such a big problem? Two reasons: first, it is not illegal. Companies that want their software on millions of people’s systems pay publishers to bundle it with legitimate software that the user then actively chooses to download and install.

That pushes the law right to its very boundaries, but the fact that a number of big-name companies, including Skype and Opera, are using this method to distribute their software is testament to the fact that it is not a crime.

The second big reason that PPI is so widespread is, of course, money. The authors note that one of the four large PPI outlets that they looked at took in $460m in revenue in 2014. With money like that, you can expect interest and sophistication. The paper notes that the download bundles come with a good degree of technical know-how. Variations in software to account for different operating systems and browsers are installed automatically. PPI publishers store between five and 50 different offers/bundles and provide whichever is most effective for your particular machine.

Some software builds in a 20-day delay before waking up so users don’t immediately associate it with the free download they just installed. Some check the computer’s registry for antivirus software and to make sure they aren’t already installed.

The team found a total of 15 PPI affiliate networks dotted around the globe providing a total of 160 software families. And it dug into pricing: the price you pay to have your software installed comes as a per-install cost and varies according to region and network. For one network, the cheapest cost was $0.06 or six cents for Vietnam, up to $1.50 per install for North America. The United States was persistently the most expensive market, followed next by the UK.

Despite efforts to block the installations, PPI networks have a wide variety of ways to bypass them. The paper’s authors found that affiliates jump between domain names every seven hours in order to stay constantly ahead of blocking efforts. They incorporate technology to get past filters and virus scans.

Despite the team noting that 59 per cent of the software they discovered was flagged by anti-virus as “unwanted”, that still means more than 40 per cent of it was getting past – and that’s for systems with antivirus on.


As for where you can pick these delightful pieces of software up from: the greatest percentage of bundles came through freeware and shareware websites (11.8 per cent) but there were a wide range of other outlets: websites offering video games, file sharing, online video, operating systems, hacked and cracked software, and so on.

In short, if you are trying to download something for free that you know you should really be buying, chances are it will come with some unwanted extras that your system will not notice.

“PPI networks operated with impunity towards the interests of users, relying on a user consent dialogue to justify their actions,” the report notes. “We hope that by documenting these behaviors the security community will recognize unwanted software as a major threat.”

In a related blog post, Google noted that it was constantly improving and updating its “safe browsing” notices in order to flag up sites that include this sort of software, and its Cleanup Tool that helps prevent their installation. It is also a part of the Clean Software Alliance, which is building an industry-wide approach to blocking these sorts of downloads.

By Kieren McCarthy


Samsung Pay Vulnerability Enables Hackers to Steal Credit Cards Wirelessly

A vulnerability has been discovered in Samsung Pay which can be exploited by a hacker to wirelessly steal credit cards.

The way Samsung Pay secures transactions involves translating credit card data into tokens so that card numbers can’t be stolen from the device. However, security researcher Salvador Mendoza discovered that those tokens aren’t as secure as one might believe them to be. He presented more details about this vulnerability at a Black Hat talk in Las Vegas earlier this week.

He discovered that the tokenization process is limited and that the sequencing of the tokens can be predicted. He explains that the tokenization process becomes weaker after the Samsung Pay app generates the first token for a specific card, which means there is a greater chance that future tokens could be predicted. A hacker who knows how to do this can steal the tokens and use them in another device to make unauthorized transactions.

Mendoza said that he proved his theory by sending a token to one of his friends in Mexico who was able to use it with magnetic spoofing hardware to make a purchase using Samsung Pay despite the fact that Samsung’s mobile payment service has not been launched in Mexico yet.

Mendoza explains more about his discovery in the video posted below. Samsung hasn’t confirmed yet whether it has taken care of this vulnerability, but did say that “If at any time there is a potential vulnerability, we will act promptly to investigate and resolve the issue.” It also wants to remind all users that “Samsung Pay is built with the most advanced security features, assuring all payment credentials are encrypted and kept safe, coupled with the Samsung Knox security platform.”



Critical Flaws Found in Cisco Small Business Routers

Researchers have uncovered several critical and high severity vulnerabilities in Cisco’s small business RV series routers. The networking giant has released patches for some of the security holes.

According to advisories published by Cisco on Wednesday, RV110W, RV130W and RV215W routers include a default account that can be leveraged by an attacker to gain root access to the device (CVE-2015-6397). The default account should normally be read-only and not have root privileges.

Cisco also informed customers about a critical vulnerability in RV180 and RV180W VPN routers. The flaw affects the web interface and it allows remote, authenticated attackers to execute arbitrary code with root privileges (CVE-2016-1430).

The same RV router models are also affected by a high severity flaw that can be exploited remotely to perform a directory traversal and access arbitrary files on the system (CVE-2016-1429).

RV110W, RV130W and RV215W routers are also plagued by a medium severity command shell injection vulnerability that allows a local attacker to inject arbitrary shell commands and have them executed by the device.

Cisco has released firmware updates to address the flaws affecting RV110W, RV130W and RV215W routers, but the company will not issue fixes for the RV180 and RV180W models since these are no longer sold.

The vulnerabilities were reported to Cisco by Adam Zielinski and Harri Kuosmanen. The firm says it’s not aware of any attacks involving these weaknesses.

In mid-June, Cisco informed customers of four security holes affecting its RV series routers, including one rated critical. Patches for those flaws were released by the company a few days after the initial disclosure.

By Eduard Kovacs


High-Profile Vulnerabilities Affect HTTP/2

Black Hat USA 2016 – Imperva today revealed details on four high-profile attack vectors affecting HTTP/2, the new version of the HTTP protocol.

The company’s latest Hacker Intelligence Initiative (HII) Report provides an in-depth analysis of the four vulnerabilities in HTTP/2, a next-generation protocol expected to address many of the shortcomings of HTTP/1.x. HTTP/2 brings along new mechanisms that increase the attack surface of web infrastructure, rendering it vulnerable to new types of attacks.

After analyzing the HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2, Imperva was able to find exploitable vulnerabilities in all major HTTP/2 mechanisms, two of which were similar to well-known and widely exploited flaws in HTTP/1.x. Furthermore, the security company notes that other implementations of the HTTP/2 protocol might also be vulnerable.

Dubbed Slow Read (CVE-2016-1546), the first of the four high-profile issues is identical to the well-known Slowloris DDoS attack that major credit card processors experienced in 2010: it calls on a malicious client to read responses very slowly. To test the flaw, researchers requested a large resource from the server but set a very small window size, so the server could send only a tiny amount of data at a time. By requesting enough streams, the server would eventually stop offering service to other clients too.

The attack has been well-studied in the HTTP/1.x ecosystem, but remains effective in the application layer of HTTP/2 implementations, Imperva says. The company identified the vulnerability across popular web servers such as Apache, IIS, Jetty, NGINX and nghttp2 and explains that the behavior of servers in Slow Read attacks depends on the type and structure of the requests.

The second type of attack is HPACK Bomb (CVE-2016-1544, CVE-2016-2525), a compression-layer attack that resembles a zip bomb. The attacker creates small and innocent-looking messages that instead turn into gigabytes of data on the server, thus consuming all the server memory resources and making it unavailable for clients.

“The default size of the dynamic table is 4KB. The server allows one request to contain up to 16K of header references. By sending a single header of size 4KB and then sending a request with 16K references to this one header, the request is decompressed to 64MB on the server side. […] In our lab, 14 streams that consumed 896MB after decompression, were enough to crash the server,” Imperva researchers explain.
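The size accounting in the quoted figures is the rule a server has to enforce while it decodes, not after the list has been built. The following Python model is an added illustration, not Imperva's research code and not any server's real HPACK implementation: the op format is constructed (it is not RFC 7541 wire format) and the 8 KB cap is an assumed value. It shows a decoder that charges each emitted header against a per-request limit and rejects the request on the first reference that crosses it; in real HTTP/2 stacks that limit is the one advertised through SETTINGS_MAX_HEADER_LIST_SIZE.

```python
"""Toy model of HPACK indexed-header decoding with a cap on the decoded size.

Added illustration: not Imperva's code and not any server's real HPACK
implementation. The op format is constructed (not RFC 7541 wire format) and
the 8 KB cap is an assumed value; only the size-accounting rule that stops an
HPACK bomb is modelled.
"""

DEFAULT_MAX_HEADER_LIST_SIZE = 8 * 1024  # assumed server-side cap, in bytes


class HeaderListTooLarge(Exception):
    """Raised as soon as a request's decoded header list exceeds the cap."""

    def __init__(self, total, cap, headers):
        super().__init__(
            f"decoded header list reached {total} bytes, cap is {cap}, "
            f"after {len(headers)} headers")
        self.headers = headers  # headers emitted before the request was rejected


class ToyHpackDecoder:
    """Decodes ops of the form ('literal', name, value) or ('indexed', i).

    A literal emits the header and inserts it at index 0 of the connection's
    dynamic table; an indexed op re-emits table entry i. The table persists
    across requests on a connection, which is what lets a later request
    reference a large entry sent earlier.
    """

    ENTRY_OVERHEAD = 32  # RFC 7541 section 4.1 charges 32 bytes per entry

    def __init__(self, max_header_list_size=DEFAULT_MAX_HEADER_LIST_SIZE):
        self.dynamic_table = []
        self.max_header_list_size = max_header_list_size  # None disables the cap

    @classmethod
    def entry_size(cls, name, value):
        return len(name) + len(value) + cls.ENTRY_OVERHEAD

    def decode(self, ops):
        headers, total = [], 0
        for op in ops:
            if op[0] == "literal":
                _, name, value = op
                self.dynamic_table.insert(0, (name, value))
            elif op[0] == "indexed":
                name, value = self.dynamic_table[op[1]]
            else:
                raise ValueError(f"unknown op {op[0]!r}")
            # Charge the decoded size before emitting, so a bomb is refused on
            # the first reference that crosses the cap rather than after the
            # whole list has been materialised.
            total += self.entry_size(name, value)
            if self.max_header_list_size is not None and total > self.max_header_list_size:
                raise HeaderListTooLarge(total, self.max_header_list_size, headers)
            headers.append((name, value))
        return headers


def decoded_bytes(headers):
    """Name + value bytes an uncapped decoder would have to materialise."""
    return sum(len(n) + len(v) for n, v in headers)


def run_bomb(cap=DEFAULT_MAX_HEADER_LIST_SIZE, references=16 * 1024, value_len=4 * 1024 - 1):
    """Replays the quoted scenario on one connection: request 1 carries a single
    ~4 KB header, request 2 carries 16K indexed references to it.

    Returns (accepted, headers_emitted, decoded_bytes) for request 2.
    """
    dec = ToyHpackDecoder(cap)
    dec.decode([("literal", "x", "A" * value_len)])  # lands in the dynamic table
    try:
        headers = dec.decode([("indexed", 0)] * references)
        return True, len(headers), decoded_bytes(headers)
    except HeaderListTooLarge as exc:
        return False, len(exc.headers), decoded_bytes(exc.headers)


if __name__ == "__main__":
    print("uncapped:", run_bomb(cap=None))  # (True, 16384, 67108864): the 64 MB from the quote
    print("capped:  ", run_bomb())          # (False, 1, 4096): rejected at the second reference
```

The point of the check is its placement: the running total is compared against the cap on every header, so the second request costs the server one 4 KB entry before it is refused, whereas the uncapped path (cap=None) has to hold the full 64 MB that the quoted passage describes.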

Attackers can also abuse the manner in which servers implement Stream Multiplexing to crash the servers and cause denial of service (DoS). The function was designed to tunnel multiple sessions through a single HTTP/2 connection but, because the partition of the connection is purely logical, an attacker can use it to manipulate the server or to send frames out of context (CVE-2016-0150).

Dubbed Dependency Cycle Attack, the fourth vulnerability analyzed by Imperva leverages the flow control mechanisms that HTTP/2 uses for network optimization, through specially crafted requests that induce a dependency cycle and thus force the server into an infinite loop. The flaw, fixed in nghttp2 1.7.0 (CVE-2015-8659), could allow an attacker to cause DoS or even run arbitrary code on a vulnerable system.

All of these vulnerabilities have already been patched in the affected servers, Imperva says. All five servers the company tested these attacks against were found to contain at least one vulnerability. All implementations that rely on external HTTP/2 libraries such as nghttp2 are believed to be vulnerable to these attacks, the security researchers say.

“This research is pointing out once again that new technology brings new risks. When releasing new code into the wild, it is only a matter of time until new vulnerabilities are found and exploited. As with any new technology, HTTP/2 suffers from creating new extended attack surfaces for attackers to target. Hence, server administrators need to understand they cannot simply turn on HTTP/2 and expect it to work without additional layers of security,” Imperva notes.

By SecurityWeek