Slashdot Mirror


Marriott's Breach Response Is So Bad, Security Experts Are Filling In the Gaps (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Last Friday, Marriott sent out millions of emails warning of a massive data breach -- some 500 million guest reservations had been stolen from its Starwood database. One problem: the email sender's domain didn't look like it came from Marriott at all. Marriott sent its notification email from "email-marriott.com," which is registered to a third party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate -- the domain doesn't load or have an identifying HTTPS certificate. In fact, there's no easy way to check that the domain is real, except a buried note on Marriott's data breach notification site that confirms the domain as legitimate. But what makes matters worse is that the email is easily spoofable.

Many others have sounded the alarm on Marriott's lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant's use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords. Williams isn't the only one who's resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named "email-mariott.com" on the day of the Marriott breach. "Please watch where you click," he wrote on the site. "Hopefully this is one less site used to confuse victims." Had Marriott just sent the email from its own domain, it wouldn't be an issue.

78 comments

  1. Yes, that is... by Anonymous Coward · · Score: 0

    ...disheartening to see this sort of thing happen. Average people don't know how any of that works.

    1. Re:Yes, that is... by gtvr · · Score: 1

      Exactly. The whole concept that ANY email from ANY domain is in any way secure (unless you're using digital signatures, or even looking at headers and seeing what domains the email traversed) is useless. I mean, I could send an email with the "from" as marriott.com and phish people. The "from" is one of the last things you would look at, from a security perspective. You should look at where any links go - the actual domain, or something else? Or even better, just type in the domain directly in your browser.

    2. Re: Yes, that is... by Anonymous Coward · · Score: 0

      It's the dumbass who thinks hidden links exist

    3. Re:Yes, that is... by Anonymous Coward · · Score: 0

      I'm not arguing your point that email is not secured communications, but I think you missed a couple important details here about how email works.

      I mean, I could send an email with the "from" as marriott.com and phish people.

      As a whole that statement is not true.
      Of course you could *send* that email, but since 99% of the worlds email servers would *reject receiving* it, it is doubtful that could even be called a phishing attempt let alone phish anyone.

      Since you wouldn't be sending it from the IPs listed in that domains SPF records, other email servers know with certainty it is invalid and spoofed. While the exact action to take is up to the mail servers administrator, any well run mail server with actual users on it is nearly certain to be configured to block such fake emails.

      That said, you COULD send an email from "email-mariott.com" and it would not be rejected at all.
      This domain has no SPF records in place, which in effect says to all the worlds mail servers that any/every IP address is allowed to send emails from "email-mariott.com"

      For that domain yes you can spoof it in the from address and easily phish people.
      That was the point of the complaint that these notification emails are easily spoofable yet their primary and well known domain name is not easily spoofable.
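The SPF behaviour this comment describes, as an added example that is not code from the post: a minimal SPF evaluator over a constructed in-memory DNS table. The domain names, records and IPs (`corp.example` with a `-all` record, `notify-corp.example` with no record, `FAKE_DNS_TXT`) are placeholders standing in for the thread's marriott.com and email-mariott.com cases, and the evaluator only handles the `ip4`, `include` and `all` mechanisms.

```python
"""Simplified SPF (RFC 7208) evaluation against a constructed DNS table.

Shows why a receiver can reject mail forged 'from' a domain with a '-all'
SPF record, while a domain with no SPF record at all yields 'none', which
gives the receiver no grounds to reject a spoofed sender.
"""
import ipaddress

# Constructed DNS TXT table (offline stand-in for real lookups; placeholders).
FAKE_DNS_TXT = {
    "corp.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "notify-corp.example": [],  # no SPF record, as the thread says of email-mariott.com
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's single SPF TXT record, or None if there is not exactly one."""
    records = [r for r in FAKE_DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's SPF policy.

    Returns 'none', 'pass', 'fail', 'softfail', 'neutral' or 'permerror'
    (a subset of the RFC 7208 result codes). Mechanisms other than ip4,
    include and all are ignored in this simplified evaluator.
    """
    if depth > 10:                       # RFC limit on include recursion
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"                    # no policy: any IP may claim this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            if check_spf(term[8:], sender_ip, depth + 1) == "pass":
                return result
    return "neutral"                     # no mechanism matched and no 'all' term


def receiver_decision(domain, sender_ip):
    """What a receiving server configured to enforce SPF would do with the message."""
    result = check_spf(domain, sender_ip)
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-flag"
    if result == "pass":
        return "accept"
    return "accept-unverified"           # none/neutral/permerror: SPF gives no assurance


if __name__ == "__main__":
    cases = [("corp.example", "203.0.113.7"),      # legitimate sender
             ("corp.example", "192.0.2.5"),        # forged From: on a domain with -all
             ("notify-corp.example", "192.0.2.5")]  # forged From: on a domain without SPF
    for dom, ip in cases:
        print(f"{ip} claiming {dom}: SPF {check_spf(dom, ip)} -> {receiver_decision(dom, ip)}")
```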

    4. Re: Yes, that is... by Anonymous Coward · · Score: 0

      Or even better, just type in the domain directly in your browser.

      Seriously?

    5. Re: Yes, that is... by Doke · · Score: 3, Funny

      Typing a dodgy domain name into your browser is probably safe, if your browser is Lynx...

    6. Re:Yes, that is... by thegarbz · · Score: 2

      The whole concept that ANY email from ANY domain is in any way secure

      The idea is not for an email to be secure. It's for its content to be trustworthy and not easily mistaken for something else. The question is not where does the email come "From:". It's about where it sends users and what it instructs them to do. Going to any domain other than www.marriott.com is an instant red flag which users should be trained to identify as phishing attempts at this point.

  2. Blaming the User by Anonymous Coward · · Score: 0

    Telling users not to click on something with a hugging web browser is a really bad cop-out.

    An IT system should be strong enough to allow a user to click on anything.

    1. Re:Blaming the User by Calydor · · Score: 4, Informative

      No IT system will ever be strong enough to defend against a user clicking on a link to go to a webpage and voluntarily entering their credit card info.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:Blaming the User by mermeid007 · · Score: 1

      Yes. I also wonder how exactly they would know who their customers are? Some customers are rewards members and signed up in one way or another. I suppose by checking in with a credit card you might have become a rewards member by default. Others are just people who may have paid cash for a room on vacation and aren't rewards members at all. Those people would not have been affected no matter how often they stayed at a Marriott. Why scare those people?

    3. Re:Blaming the User by mermeid007 · · Score: 1

      That is the most intelligent comment I have ever heard.

    4. Re:Blaming the User by Anonymous Coward · · Score: 0

      A remote LART combined with frequent unannounced drills could do the trick.

    5. Re:Blaming the User by AmiMoJo · · Score: 1

      The IT system's spam filter might be strong enough to block bulk emails coming from a dodgy looking domain with no SPF record though.

      Maybe that was the plan, make sure most of the emails end up getting blocked but technically fulfil the legal obligation to disclose. But more likely incompetence.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Blaming the User by Anonymous Coward · · Score: 1

      Agreed but I will say that I don't know why email clients haven't at least made clicking links more difficult. Meaning, at minimum, when clicking a link in an email, display some dire warning. Don't allow "hidden links", i.e., only allow a bare URL to be clickable, if it's an HTML email with anchor text different than the actual URL, don't let that be clickable at all. Make only valid SSL links clickable. Any number of different possibilities that certainly won't entirely solve the problem but at least reduce it some.

      Honestly myself, I think even the trade off of just don't make links clickable at all ever would be worth it.

    7. Re:Blaming the User by Anonymous Coward · · Score: 0

      That is the most intelligent comment I have ever heard.

      Using text-to-speech to listen to this thread?

    8. Re:Blaming the User by Anonymous Coward · · Score: 1

      No IT system will ever be strong enough to defend against a user clicking on a link to go to a webpage and voluntarily entering their credit card info.

      Yes, but companies shouldn't encourage the practice by using dodgy looking domains for their normal operations.

      For example, the website for a phone company I do business with is www.companyA.com.

      If I go to that website and for some functionality I get redirected to mycompanyAaccount.com.

      A typical user can't tell if mycompanyAaccount.com is a phishing site or a real site. It looks real...

      The company should have used myaccount.companyA.com or account.companyA.com.

      Sometimes they will redirect to www.companyAmobility.com. Is this the real site for their mobile phone service or a phishing website?

    9. Re:Blaming the User by ctilsie242 · · Score: 1

      Defense in depth. Yes, IT can have something in place to mitigate damage if a user clicks/downloads/runs stuff, be it AppLocker, FSRM, backups that store documents in real time, and so on. However, having users not click on things in the first place adds a "layer 8" protection in place.

      Even with protective measures, having them not as needed is a wise thing.

    10. Re:Blaming the User by ctilsie242 · · Score: 1

      One issue with LARTs... sometimes users really enjoy it when you bring it out, so it might just encourage the behavior that you want to discourage.

    11. Re:Blaming the User by Anonymous Coward · · Score: 1

      Because some people are at a hotel, and don't want others to know why they are there. For example, I know people who didn't want others to know they were at the Midwest Fur Fest, for obvious reasons. That info being public could be at best humiliating, at worst cause loss of a job or a career.

    12. Re:Blaming the User by scamper_22 · · Score: 1

      meh, there's a lot we can do.

      My workplace does a pretty good job of protecting people, sometimes too good a job. It checks URLs, validates links sent via emails... It's not perfect, but it works pretty darn well.

      There is little reason the major ISPs, browsers, and/or email systems shouldn't have similar kinds of protections. Yes, you should be able to call them to turn it off if you like to browse unsafely.

      Similarly, the entire online payment industry could use some work. It's actually been a long time since I just typed in my credit card info into a random website. Most things are available on Amazon and I go there. I also tend to use PayPal. Is PayPal super secure? I don't know, probably not. But it's better than typing all my info into some random website. Some kind of digital ID/payment systems would go a long way.

      Basically, I'm not saying anything here is perfect, but there's a crap load that we could do to make things better. Yes, the internet is open and 'free', but at least in Canada, most people are with a handful of big ISPs and most people use a handful of browsers and email servers. Most people use a handful of banks. We could definitely lock that down real quick so most people are not impacted most of the time even with their 'user stupidity'.

      Go outside the nice playpen and you could get dangerous real quick.

    13. Re:Blaming the User by Mr.+Droopy+Drawers · · Score: 1

      2 factor hardware authentication would solve this, frankly.

      --

      To Copy from One is Plagiarism; To Copy from Many is Research.

    14. Re:Blaming the User by PhunkySchtuff · · Score: 2

      If they don't have the customer's contact details, then their personal details weren't stolen and they don't need to notify them.

    15. Re:Blaming the User by Aighearach · · Score: 1

      How do you keep users from using an app and having the phone be all the factors?

      It works for people who understand security, are you sure it would help the others and not be just another thing they didn't learn the security details of?

  3. So which one is it by Monoman · · Score: 1

    1. The folks handling the Marriott/Starwood breach don't know what they are doing
    2. Management is overruling the folks handling the breach
    3. Both

    Chances are that whoever is making the decisions now got Marriott/Starwood into the problem in the first place.

    --
    Keep the Classic Slashdot.
    1. Re:So which one is it by mermeid007 · · Score: 1

      Well, it may not matter in the long run, other than to incur unnecessary costs from mishandling. There are Marriotts that are not Starwoods and vice versa. A savvy traveller could piece together their own rewards program by clipping coupons. I doubt the hotel chains like that sort of thing, but they are choosing that by being obtuse.

    2. Re:So which one is it by Anonymous Coward · · Score: 1

      I can tell you that if Marriott is run like Carlson then the environment is as follows:

      a) The business analysts rule the company
      b) They pay bottom dollar for software and internet infrastructure services
      c) They don't understand computer security at all.

      Those few smart people who are unfortunate enough to get stuck in such a company cannot override the tidal wave of stupidity that emanates from the BAs.

      I was fortunate enough to get out - fast.

  4. Operational considerations by Anonymous Coward · · Score: 1

    Thanks to spammers and anti-spammers, it has become very difficult to send large volumes of legitimate emails. It is practically mandatory to leave this to professionals. If you send "from" the main domain, you have to handle the return traffic on that domain, and the mail system that handles the individual mail on that domain is most likely not suited to deal with that, and if you outsourced that to the mass emailer, you would have to give them a lot of control over your main domain. To a mass email service. I don't think so.

    Sending mass email from a separate domain is quite customary and in itself not a problem. There is also no point in running a web server on that domain: A scammer could and certainly would do that to "legitimize" the domain, but actually it does not help with verifying the authenticity of the mail at all. The main domain is where all domains associated with the enterprise need to be listed in a prominent position. If there is a "contact us" page, that would be a good place for a list of these domains, which are "also us, just not the main domain".

    Also, nobody should click on any links in any emails. If you treat these as notifications only, there is no problem. Even if a scammer sent you email about this breach, as long as you only see it as a notification and use your bookmarks to go to the site, the scammer has actually done you a service. Don't click on links in emails.

    1. Re:Operational considerations by Anonymous Coward · · Score: 0

      No shit Sherlock. What do you think customers want? Email on the main domain. They are well aware of how scam emails operate, not just to get you to click links but to react to the email in a certain way so future emails can build on the scam.

    2. Re:Operational considerations by Anonymous Coward · · Score: 0

      Customers are irrational and whiny. "The customer is always right" does not mean "listen to the customer and do as they say". That would be stupid. It means find out what the customer will pay for and do that.

    3. Re: Operational considerations by Anonymous Coward · · Score: 0

      Annoyed customers pay nothing at all

    4. Re: Operational considerations by Anonymous Coward · · Score: 2

      Yes they do. You can piss people off until they're swearing at you, but they'll be back when you have the thing they want at the best price or offer it in a more convenient way than the competition. Your comment is just an example of the typical irrational way customers think. They put fantasies of how things should be before the way things actually are.

    5. Re:Operational considerations by Aighearach · · Score: 1

      In the Olden Days, you had to hire an expert because sendmail required a PhD to understand the configuration.

      Then IBM released postfix, and you still needed to hire an expert, because spam was a thing.

      That was before the Earth 1.0 ended during Y2K, or whatever. Ancient Times. Before The Day.

      That said, the only reasonable explanation for their mistake is really lame. Really lame. Basically, it comes down to this: Marriott has an idiot BOFH whose neckbeard is so long, he put their email on a weird domain to avoid having to manage the DNS setting for the email provider. That's it. That's the whole story. Some cheesehead who works 4 hours a week babysitting servers from a fancy office doesn't want to take on a responsibility that means he has to check his email every morning. And won't delegate it, because it would jeopardize their whole shindig. And he never learned that fancy anti-spam thing you have to put into the DNS. And the first tutorial he followed was for the wrong version of the technology. So he gave up, and blamed systemd.

    6. Re: Operational considerations by Aighearach · · Score: 1

      I once threatened to put a lien on a customers webserver.

      Most annoyed customer I ever had.

      He finally paid, though! I was shocked.

      Typically though, they're annoyed because I told them they're wrong, and they suspect it is true. I tell them to take their time, think it over, get a second opinion. If they really do that, they'll come back even more annoyed; because they have to admit I was right if they want my price, and now they heard the other guy's price. :)

      The best computer salesperson I ever knew once explained her technique to me: "I get them so mad they have to buy everything just to get off the phone quicker." Only works on corporate purchasing drones, of course.

    7. Re:Operational considerations by Anonymous Coward · · Score: 0

      What you think is enough only works for relatively small scale operations. If you want to send actual mass email and have most of it arrive unfiltered, then you basically need some form of control over the *other* end of the connection too (by forming agreements) or at least know quite well how each of the recipients' mail providers handle mail. That means you probably need multiple accounts with typical configurations at most of the mail providers that your customers use (if possible). You need to constantly monitor countless blocking lists and know how to remove your servers from them. Your legitimate mail will be reported as spam by recipients who opted in of their own free will and with verification. There will be huge amounts of automatic responses. Around the clock. If you think this is a job for one lonely admin holed up in a server room, you're delusional.

  5. Doesn't "load"? by Anonymous Coward · · Score: 0

    What the fuck does that mean? "the domain doesn't load"? How is a "domain" supposed to "load", and why is it more legitimate then?

    Oh, Slashdot.

    1. Re:Doesn't "load"? by Anonymous Coward · · Score: 0

      Well, a domain that loads, meaning shows up in your browser, tells you quite a few things about the legitimacy of the domain. For example, if you are running a hotel website and a customer went to any one of your various domains, you would want that domain to load, along with whatever info you want to provide about the hotel. A domain that does not load implies a number of things, such as:

      1. It is not associated with the hotel.
      2. It is associated with the hotel and the IT staff suck.
      3. It is associated with the hotel and for some reason the hotel doesn't want you as a customer, or at least doesn't care enough to load the web page.
      4. It is associated with the hotel and, for whatever reason, the hotel management has no idea how customers behave in the real world.

      There could be other explanations. Usually hotels make their web pages work and nobody thinks about why it might not.

    2. Re:Doesn't "load"? by Aighearach · · Score: 1

      It means if you try to feed port 80 to your cat(1) the poor thing is going to starve, or die of old age.

      They must have enabled quantum email domains. Or something.

  6. mission accomplished by sad_ · · Score: 4, Insightful

    everybody is talking about how bad the email was instead of the breach itself.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
    1. Re:mission accomplished by Anonymous Coward · · Score: 0

      I received one of those emails and told my wife who was in another room that the fraudsters were already at it.
      I went into deleted email and yep it was sent by them.
      I bet almost everyone who looked it over did the same.

    2. Re:mission accomplished by ShanghaiBill · · Score: 4, Insightful

      everybody is talking about how bad the email was instead of the breach itself.

      Breaches don't matter anymore. I was a victim of the Home Depot, Target, and Equifax breaches. So all my information is already "out there". Most other people are in the same situation. Yet another breach doesn't make any difference. Who cares?

    3. Re:mission accomplished by Anonymous Coward · · Score: 0

      Like https://www.equifaxsecurity2017.com looked like a valid Domain Name back then (NOT). Why don't Admins learn from the mistakes of others?

    4. Re:mission accomplished by Anonymous Coward · · Score: 0

      So true! After Equifax let out info on basically everyone worth spoofing, what else can happen to me that isn't already possible?

    5. Re:mission accomplished by thegarbz · · Score: 1

      everybody is talking about how bad the email was instead of the breach itself.

      Not even remotely. Just because we're talking about one thing doesn't mean we aren't talking about something else. This is only one article on one site. Even a cursory search of news will show that people are very much talking about the breach itself, its effects on people and what the company is doing about it.

      Hell, the most recent story on the news isn't even about the email. It's about Marriott's responses to fraud, here's one from only a couple of hours ago, significantly newer than TFA: https://www.washingtonpost.com...

      It may surprise you that people can talk about more than one thing at a time.

  7. Don't do the time if you can't do the crime by Anonymous Coward · · Score: 0

    Don't do it! Ever! If you can't do the crime, don't do the time!

  8. Lazy companies and users by Anonymous Coward · · Score: 0

    Both companies and users are at fault. Don't store your information on someone's server for convenience, and don't count on companies who spend more on PR convincing you how secure they are rather than spending it on internal security.

    1. Re: Lazy companies and users by Anonymous Coward · · Score: 0

      I guess they are SOL

    2. Re: Lazy companies and users by Anonymous Coward · · Score: 0

      They must have violated the KISS principle by now

  9. FQDN correction by Anonymous Coward · · Score: 0

    The notice I received was from Marriott@marriott-email.com, not email-marriott.com

  10. Pass by Anonymous Coward · · Score: 1

    Well at least you don't normally give your passport to staff upon check-in... oh wait....

  11. Yea, but then they couldn't get away with by Narcocide · · Score: 1

    SPAMMING

  12. Gmail client does exactly this (Re: Blaming the Us by Anonymous Coward · · Score: 0

    Gmail creates tracking links for all email links clicked. Why I run the less easy to use Outlook. (If there's a way to turn that off, lemme know.)

  13. bad security is everywhere. by Anonymous Coward · · Score: 0

    The real issue every citizen needs to demand is the end to this endless data collection. The amount of data collected and STORED and kept for so long is unacceptable. How do people justify giving away so much for so little in return?

    Companies should only be allowed to collect the bare minimum they require and destroy it once it's been used.

  14. Yet another MASSIVE government fail. by Anonymous Coward · · Score: 1, Funny

    Once again we see how GOVERNMENT is to blame for a huge privacy and security failure and yet libtards will now demand the heads of amazing private industry people who TRIED to stop the incompetent and corrupt fat cat union controlled government from hurting the precious consumers. And next up they want massive useless government to run our health care system! The insane left demands more big government intervention in everything and THIS is what will happen.

    1. Re:Yet another MASSIVE government fail. by bugs2squash · · Score: 1

      you should put that on a bumper sticker - if there's any space for it on your car.

      --
      Nullius in verba
    2. Re:Yet another MASSIVE government fail. by Anonymous Coward · · Score: 0

      Once again we see how GOVERNMENT is to blame for a huge privacy and security failure

      If the government (or the courts) allowed me to sue and recover damages (actual cash damages, not coupons for services from the company), then this problem will solve itself. Companies with terrible IT security will be sued into oblivion.

    3. Re:Yet another MASSIVE government fail. by Anonymous Coward · · Score: 0

      Ironic that many in power who want less regulation also want tort reform. This is where I figured out that most who call themselves libertarian are just using that label to hide the fact that they’re really crony capitalists feeding on the energy of idealistic libertarians.

    4. Re:Yet another MASSIVE government fail. by Anonymous Coward · · Score: 0

      Found the libtard.

  15. notification on a different domain by Doke · · Score: 2

    Their data breach notification site is also on a different domain, answers.kroll.com. I know Kroll, but many people would simply see that it's a different domain name, and assume it was a scam.

  16. attack vector by bugs2squash · · Score: 1

    Any predictable mailing like this is an attack vector. People are likely to be expecting an email from Marriott, possibly even one that links to a "credit protection service" ready to accept your personal details for registration. I'm surprised an attacker did not beat them to the punch. Any large organization should have plans for this set out in advance.

    --
    Nullius in verba
  17. Internal messaging system is the key by ctilsie242 · · Score: 4, Insightful

    What I've seen banks, even the local power company, do is have an internal messaging system. This way, any E-mails at most will alert you to log in (also warning to manually type in the URL, and not click on a link) and check your messages, with a warning that anything else is likely a phishing attempt.

    Plus, because everything is handled via the internal system, there is more control, which is a help when it comes for GDPR/PCI-DSS/HIPAA/FERPA/whatever compliance, as messages never leave the site.

    1. Re:Internal messaging system is the key by Anonymous Coward · · Score: 0

      Yo dawg, I heard you like email.

  18. Wrong tool for the job by apoc.famine · · Score: 3, Insightful

    posted a long tweet thread...

    Huh. It's almost like twitter is one of the worst ways to communicate complicated things. Too bad there aren't any places on the internet where one can post long-form information and have a discussion about it. Guess we'll just have to break everything into 30 different tweets.

    --
    Velociraptor = Distiraptor / Timeraptor
    1. Re:Wrong tool for the job by nwaack · · Score: 3, Insightful

      Twitter is one of the worst ways to communicate, period. It should be destroyed in fire.

    2. Re:Wrong tool for the job by Anonymous Coward · · Score: 0

      Really, Troy could've just used his blog instead, but nooo, instead he uses shitter, which makes me question his intelligence even further.

      Not to mention, the whole haveibeenpwned site is now being used to find out if accounts are compromised and then a mad dash ensues to find the leaked info and hijack the account. Thanks, Troy, you've put more users at risk.

  19. Marriott not the only clueless outsourcer by Anonymous Coward · · Score: 0

    and not just for breach notifications. Consider PayPal's third-party marketing firm which uses the "paypal-communications.com" domain for emails (and banner ads) which not only look, feel, and smell like phishing, but sometimes are completely orthogonal to reality.

  20. Most Marriott IT jobs not in US by Anonymous Coward · · Score: 0

    Go to the list of open IT jobs for Marriott. If you scroll through a few pages in the list of the jobs, you'll see that most of the jobs are not based in the US.

  21. CSC registered it is a STRONG clue by mysidia · · Score: 3, Informative

    Just because an advanced user has difficulty vetting the domain doesn't mean there's something wrong with it.

    There's no "official" universally accepted criteria for authenticating that a domain belongs to the company whose name is claimed on the domain, and even the use of a basic TLS certificate is not foolproof. However, CSC, being a corporate-only registrar that is used by most of the largest internet brands in the US, has a very HIGH PRICE to engage their services, let alone register a domain. Unless a state actor is involved, or there is an additional major breach of CSC themselves, the probability of a phishing domain getting registered through CSC AND also with DNS hosted by CSC seems extremely remote, particularly when you look at the second positive indicator.

    Registration is mature: the domain email-marriott.com has been registered for 4 years, created in August 2014. That would mean it's been dormant or used for purposes not detected as phishing for an extremely long term. Generally, when a domain name is used for phishing, abuse takedown procedures get initiated immediately, and most often the domain is shut down by its registrar within days.

    COULD the breach notification be faked? Yes, in theory. So just be cautious if you receive an e-mail: do not provide personal information after clicking on a link in the message. Close the browser window and visit the company's website. Open a ticket with support if the breach notice implies you need to do something and you can't find a way to do it on their website. Ultimately a company's call-in support should be able to confirm whether the message is real or not and assist.

    1. Re:CSC registered it is a STRONG clue by Aighearach · · Score: 1

      It is a major corporation that already existed long before 2014, so that means nothing.

      Your comments are simply dangerous bullshit of the same quality as what Marriott did.

      My goodness that is just daft beyond words. It is almost as if you never heard of phishing attacks until today! And yet, you're the Font of Knowledge.

      Yes, if an "advanced user" can't vet the domain, and the message is important, that proves there is something wrong with the domain. This isn't the 1990s, there are technologies in place for verifying emails. And those technologies are attached to the DNS system. A user is absolutely supposed to be able to vet that.

    2. Re:CSC registered it is a STRONG clue by mysidia · · Score: 1

      It is a major corporation that already existed long before 2014, so that means nothing.

      Actually... it means EVERYTHING, because you see the Date and the Registrar's identity are the only pieces of information in DNS and WHOIS that cannot be easily falsified. Everything else can have bogus info in order to make the domain survive vetting, but the "Advanced user" has in fact been tricked or taken for a ride (they're not actually vetting if they look at that stuff; it's actually an illusion). And if the WHOIS data is false, then so is the result of anything you "think" you can authenticate via DNS. The domain surviving for 4 years, on the other hand, is very strong evidence that the domain was not registered by a phishing entity for the purpose of running a false website for phishing.
      It's certainly standard practice for companies to register separate e-mail domains for mass mailing campaigns as well, or for disseminating information on emergencies such as breaches.

      Also, it's a very important fact here that the registrar CSC is unlike other registrars and does not provide service to just anybody...
      In fact, it means that EVERY domain registered by CSC is going to be a legitimate registration created by a large business entity representing that it has legal ownership of that mark and managed by CSC's brand protection services, because that's essentially what CSC's business is, AND CSC is already in a high position of trust with billions of $$ at stake.

      So much so that seeing "CSC" on the registrar field can be a MORE trustworthy indicator that a domain name is a legitimate company's sanctioned domain name than the indication provided by the server holding an Organization-Validated TLS Certificate or EV Certificate from a major CA ----- the fact is, Certificate Authorities have automated the process of obtaining certificates, the vetting of CAs is expedited and the processes of TLS CAs have been exploited in the past due to bugs or fraud/social engineering, etc; Mis-issued certificates in the hands of malicious actors have occurred frequently over multiple CAs --- there are hundreds of CAs the world over, and just one rogue or compromised EV CA can issue an SSL cert for any domain.

      Yes, if an "advanced user" can't vet the domain, and the message is important, that proves there is something wrong with the domain.

      Nope.... because in reality the fact is an "advanced user" can't truly vet ANY domain by looking at its WHOIS.
      Because you see EVERY entry in WHOIS is falsifiable.

      Especially nowadays, with the GDPR in place.... The WHOIS contact is not even a person that can legally pull the domain.

      If I knew someone's info I could stick a domain with certain registrars and put their name, company name, address, e-mail, etc as the registrant or contacts, and in WHOIS it would appear "Legitimate", but the listed registrant and contacts would have absolutely no control and no way to get control of the registrar account or domain settings, because many registrars allow you to administer Account Control and Whois listings independently, and there's no real verification of data before it can be placed in WHOIS.

    3. Re: CSC registered it is a STRONG clue by Anonymous Coward · · Score: 0

      ... except for the fact that CSC doesn't even exist anymore. They laid off 50% of their workforce about 2 years ago (more by some accounts) and merged with HPE's services arm to form DXC. These guys are not the CSC from the 90's and 00's that could do it all.
      The only evidence the domain registration gives us is the fact that back in 2014, CSC was at least consulting for Marriott. It confers zero evidence they're still contractually engaged today.
      If they're the Incident Response team working this for Marriott, expect to see plenty more Keystone Cops moments. Oy.

  22. Isn't He? by Anonymous Coward · · Score: 0

    BIll probably likes watching his wife get raped by n-iggers.

    I mean, she's already been raped by so many long dicked n-iggers relentlessly ripping her cunt, who cares?

  23. The dodgy domain was very clever by aberglas · · Score: 1

    Admitting to a security breach is rather embarrassing.

    Most users will disregard an email from email-mariot.com as spam. And so Marriott can fulfil their legal responsibility to inform users without actually informing users.

    Very clever. (More likely very stupid, but a fortuitous idiocy.)

    And there is no way for users to validate a domain name and know where to enter a credit card number. How can you tell that sIashdot.com is not slashdot.com?! The padlock is meaningless. Sending passwords over the net is the real idiocy. There is a solution, Secure Remote Passwords, but nobody uses it. So don't blame users for our stupidity.

  24. Nice. Expert information walled in a video blog by Anonymous Coward · · Score: 0

    Nice to see the security expert walling his information on the breach in a YouTube video blog.
    Didn't watch the video. Written content is overwhelmingly more information dense than 2 bullet points in a 5 minute video entry.

  25. Email-from checking. by Anonymous Coward · · Score: 0

    Encouraging people to check the FROM in an email should be discouraged. Email From fields can be spoofed so easily that they carry no authentication power.

    To check that this email is genuine, please verify that the from address is "noreply@email-mariott.com".
    To check that this email is genuine, please verify that the from address is "noreply@marriott-email.com".
    To check that this email is genuine, please verify that the from address is "noreply@email-marriott.org".
    To check that this email is genuine, please verify that the from address is "noreply@email-rnarriott.com".
    To check that this email is genuine, please verify that the from address is "noreply@email-marriot.com".
    To check that this email is genuine, please verify that the from address is "noreply@email-marriott.net".
    To check that this email is genuine, please verify that the from address is "noreply@email-matriot.com".

    Can you spot the right one? (answer: none of the above is the real one).
    Did I use all permutations? No!
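A defender-side check for the kind of list above, as an added example that is not part of the comment: it compares candidate sender domains against one known-good reference domain and flags near misses (the confusable-character pairs and the edit-distance threshold are assumptions, not anything from the page).

```python
"""Flag sender domains that are visual or spelling near-misses of a reference.

Added example, not from the original post. The reference domain used in the
test, email-marriott.com, is the one Marriott's notification site confirms;
the confusable pairs and distance threshold below are assumed, not authoritative.
"""

# Character sequences that look alike in common fonts (assumed, illustrative set).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("|", "l")]


def normalize(label: str) -> str:
    """Fold confusable sequences so 'rnarriott' compares as 'marriott'."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable name, TLD) for a simple two-label domain."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def classify(candidate: str, reference: str, max_dist: int = 2) -> str:
    """Return 'exact', 'lookalike' or 'unrelated' relative to the reference."""
    if candidate.lower() == reference.lower():
        return "exact"
    cname, _ = split_domain(candidate)
    rname, _ = split_domain(reference)
    if normalize(cname) == normalize(rname):      # same name, other TLD or homoglyph
        return "lookalike"
    if sorted(normalize(cname).split("-")) == sorted(normalize(rname).split("-")):
        return "lookalike"                          # hyphenated parts reordered
    if levenshtein(normalize(cname), normalize(rname)) <= max_dist:
        return "lookalike"                          # one or two typos away
    return "unrelated"
```

Run against the seven addresses in the comment, every one classifies as a lookalike of email-marriott.com, which is the result a mail filter or user-facing warning should act on.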