Krebs - The Marriott/Starwood breach and what to do going forward. - (Another Scott)
A four-year breach? - (a6l6e6x)
That's incredible.
Alex

"There is a cult of ignorance in the United States, and there has always been. The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'"

-- Isaac Asimov
"If it ain't broke, don't fix it??" - (Another Scott)
Yeah.

:-/

I've gotten blasé about things like this, even if I were a customer. My CC number changes about every 6-9 months now, so someone having the number from 2014 means it's several generations old.

Still, it's senseless for them not to have known about this long ago. I would think that about the first thing done in an acquisition these days would be to scrub the IT system to make sure that it's clean...

Cheers,
Scott.
Who and why someone makes a data request needs to be logged and analyzed at more idle times. - (a6l6e6x)
Also the data needs to be broken up by categories of use and made available only on a "need to know" basis, i.e. with proper authorization. Popping up screens with everything known about a client is just bad practice. Yes, it makes things inefficient.

Of course I have no idea how Marriott did things.
Alex
Time to turn the burden around? - (scoenye)
As these operators are seemingly unable to keep their noses clean and the only thing they care about is money, I think the time has come to set up a nationwide insurance pool. Any operator who insists on hanging on to information which can be used for ID or other theft gets to tithe in based on the number of accounts and the type of information they keep. And then those who do get taken to the cleaners because of one of these breaches* can call on it to repair the damage.

Any operator who gets caught out storing sensitive information without paying in gets to foot the bill themselves.

* Primary breaches only. Password recyclers are SOL if the loss is due to a derived breach.
Re: Time to turn the burden around? - (lincoln)

> Any operator who gets caught out storing sensitive information without paying in gets to foot the bill themselves.

That's the status quo today. It hasn't prevented any company from storing our information safely for the past 25 years.

Satan (impatiently) to Newcomer: The trouble with you Chicago people is, that you think you are the best people down here; whereas you are merely the most numerous.
- - - Mark Twain, "Pudd'nhead Wilson's New Calendar" 1897
That's because we're not actually billing them - (drook)
Whenever there is a fine for fraud or negligence, the fine should be after they've forfeited the entire profit made from the activity. A billion-dollar fine sounds like a lot, until you consider the 14 billion they made because of the fraud.
--
Drew
Not quite - (scoenye)
With "pay for the damage", I mean restitution of the damage others have suffered. To date, that still falls entirely on the victims.
Looks like it's the Chinese again... - (a6l6e6x)
In part to watch their citizens. But potentially all kinds of nefarious stuff.

NY Times: Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing
The cyberattack on the Marriott hotel chain that collected personal details of roughly 500 million guests was part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, according to two people briefed on the investigation.

The hackers, they said, are suspected of working on behalf of the Ministry of State Security, the country’s Communist-controlled civilian spy agency. The discovery comes as the Trump administration is planning actions targeting China’s trade, cyber and economic policies, perhaps within days.

Those moves include indictments against Chinese hackers working for the intelligence services and the military, according to four government officials who spoke on the condition of anonymity. The Trump administration also plans to declassify intelligence reports to reveal Chinese efforts dating to at least 2014 to build a database containing names of executives and American government officials with security clearances.
Alex