Slashdot Mirror


Marriott's Breach Response Is So Bad, Security Experts Are Filling In the Gaps (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Last Friday, Marriott sent out millions of emails warning of a massive data breach -- some 500 million guest reservations had been stolen from its Starwood database. One problem: the email sender's domain didn't look like it came from Marriott at all. Marriott sent its notification email from "email-marriott.com," which is registered to a third-party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate -- the domain doesn't load or have an identifying HTTPS certificate. In fact, there's no easy way to check that the domain is real, except a buried note on Marriott's data breach notification site that confirms the domain as legitimate. But what makes matters worse is that the email is easily spoofable.

Many others have sounded the alarm on Marriott's lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant's use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords. Williams isn't the only one who's resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named "email-mariott.com" on the day of the Marriott breach. "Please watch where you click," he wrote on the site. "Hopefully this is one less site used to confuse victims." Had Marriott just sent the email from its own domain, it wouldn't be an issue.

40 of 78 comments

  1. Re:Blaming the User by Calydor · · Score: 4, Informative

    No IT system will ever be strong enough to defend against a user clicking on a link to go to a webpage and voluntarily entering their credit card info.

    --
    -=This sig has nothing to do with my comment. Move along now=-
  2. Re:Blaming the User by mermeid007 · · Score: 1

    Yes. I also wonder how exactly they would know who their customers are? Some customers are rewards members and signed up in one way or another. I suppose by checking in with a credit card you might have become a rewards member by default. Others are just people who may have paid cash for a room on vacation and aren't rewards members at all. Those people would not have been affected no matter how often they stayed at a Marriott. Why scare those people?

  3. So which one is it by Monoman · · Score: 1

    1. The folks handling the Marriott/Starwood breach don't know what they are doing
    2. Management is overruling the folks handling the breach
    3. Both

    Chances are that whoever is making the decisions now got Marriott/Starwood into the problem in the first place.

    --
    Keep the Classic Slashdot.
    1. Re:So which one is it by mermeid007 · · Score: 1

      Well, it may not matter in the long run, other than to incur unnecessary costs from mishandling. There are Marriotts that are not Starwoods and vice versa. A savvy traveller could piece together their own rewards program by clipping coupons. I doubt the hotel chains like that sort of thing, but they are choosing that by being obtuse.

    2. Re:So which one is it by Anonymous Coward · · Score: 1

      I can tell you that if Marriott is run like Carlson then the environment is as follows:

      a) The business analysts rule the company
      b) They pay bottom dollar for software and internet infrastructure services
      c) They don't understand computer security at all.

      Those few smart people who are unfortunate enough to get stuck in such a company cannot override the tidal wave of stupidity that emanates from the BAs.

      I was fortunate enough to get out - fast.

  4. Operational considerations by Anonymous Coward · · Score: 1

    Thanks to spammers and anti-spammers, it has become very difficult to send large volumes of legitimate emails. It is practically mandatory to leave this to professionals. If you send "from" the main domain, you have to handle the return traffic on that domain, and the mail system that handles the individual mail on that domain is most likely not suited to deal with that, and if you outsourced that to the mass emailer, you would have to give them a lot of control over your main domain. To a mass email service. I don't think so.

    Sending mass email from a separate domain is quite customary and in itself not a problem. There is also no point in running a web server on that domain: A scammer could and certainly would do that to "legitimize" the domain, but actually it does not help with verifying the authenticity of the mail at all. The main domain is where all domains associated with the enterprise need to be listed in a prominent position. If there is a "contact us" page, that would be a good place for a list of these domains, which are "also us, just not the main domain".

    Also, nobody should click on any links in any emails. If you treat these as notifications only, there is no problem. Even if a scammer sent you email about this breach, as long as you only see it as a notification and use your bookmarks to go to the site, the scammer has actually done you a service. Don't click on links in emails.

    1. Re: Operational considerations by Anonymous Coward · · Score: 2

      Yes they do. You can piss people off until they're swearing at you, but they'll be back when you have the thing they want at the best price or offer it in a more convenient way than the competition. Your comment is just an example of the typical irrational way customers think. They put fantasies of how things should be before the way things actually are.

    2. Re:Operational considerations by Aighearach · · Score: 1

      In the Olden Days, you had to hire an expert because sendmail required a PhD to understand the configuration.

      Then IBM released postfix, and you still needed to hire an expert, because spam was a thing.

      That was before the Earth 1.0 ended during Y2K, or whatever. Ancient Times. Before The Day.

      That said, the only reasonable explanation for their mistake is really lame. Really lame. Basically, it comes down to this: Marriott has an idiot BOFH whose neckbeard is so long, he put their email on a weird domain to avoid having to manage the DNS setting for the email provider. That's it. That's the whole story. Some cheesehead who works 4 hours a week babysitting servers from a fancy office doesn't want to take on a responsibility that means he has to check his email every morning. And won't delegate it, because it would jeopardize their whole shindig. And he never learned that fancy anti-spam thing you have to put into the DNS. And the first tutorial he followed was for the wrong version of the technology. So he gave up, and blamed systemd.

    3. Re: Operational considerations by Aighearach · · Score: 1

      I once threatened to put a lien on a customer's webserver.

      Most annoyed customer I ever had.

      He finally paid, though! I was shocked.

      Typically though, they're annoyed because I told them they're wrong, and they suspect it is true. I tell them to take their time, think it over, get a second opinion. If they really do that, they'll come back even more annoyed; because they have to admit I was right if they want my price, and now they heard the other guy's price. :)

      The best computer salesperson I ever knew once explained her technique to me: "I get them so mad they have to buy everything just to get off the phone quicker." Only works on corporate purchasing drones, of course.

  5. mission accomplished by sad_ · · Score: 4, Insightful

    everybody is talking about how bad the email was instead of the breach itself.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
    1. Re:mission accomplished by ShanghaiBill · · Score: 4, Insightful

      everybody is talking about how bad the email was instead of the breach itself.

      Breaches don't matter anymore. I was a victim of the Home Depot, Target, and Equifax breaches. So all my information is already "out there". Most other people are in the same situation. Yet another breach doesn't make any difference. Who cares?

    2. Re:mission accomplished by thegarbz · · Score: 1

      everybody is talking about how bad the email was instead of the breach itself.

      Not even remotely. Just because we're talking about one thing doesn't mean we aren't talking about something else. This is only one article on one site. Even a cursory search of news will show that people are very much talking about the breach itself, its effects on people and what the company is doing about it.

      Hell, the most recent story on the news isn't even about the email. It's about Marriott's responses to fraud, here's one from only a couple of hours ago, significantly newer than TFA: https://www.washingtonpost.com...

      It may surprise you that people can talk about more than one thing at a time.

  6. Re:Blaming the User by mermeid007 · · Score: 1

    That is the most intelligent comment I have ever heard.

  7. Re:Blaming the User by AmiMoJo · · Score: 1

    The IT system's spam filter might be strong enough to block bulk emails coming from a dodgy looking domain with no SPF record though.

    Maybe that was the plan, make sure most of the emails end up getting blocked but technically fulfil the legal obligation to disclose. But more likely incompetence.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Pass by Anonymous Coward · · Score: 1

    Well at least you don't normally give your passport to staff upon check-in... oh wait....

  9. Yea, but then they couldn't get away with by Narcocide · · Score: 1

    SPAMMING

  10. Re:Blaming the User by Anonymous Coward · · Score: 1

    Agreed but I will say that I don't know why email clients haven't at least made clicking links more difficult. Meaning, at minimum, when clicking a link in an email, display some dire warning. Don't allow "hidden links", i.e., only allow a bare URL to be clickable, if it's an HTML email with anchor text different than the actual URL, don't let that be clickable at all. Make only valid SSL links clickable. Any number of different possibilities that certainly won't entirely solve the problem but at least reduce it some.

    Honestly myself, I think even the trade off of just don't make links clickable at all ever would be worth it.
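One way to implement the link rules proposed in this comment, as an added example that is not from the comment or from any mail client: a gateway-style pass over an HTML body that keeps an anchor clickable only when its visible text is the same URL as its target and the target is HTTPS, and reports every other anchor with the reason. The sample message body is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_url(text, href):
    """True when the visible text is literally the target URL (scheme optional)."""
    t = text.strip().lower().rstrip("/")
    h = href.strip().lower().rstrip("/")
    return t == h or t == h.split("://", 1)[-1]


def classify_links(html_body):
    """Apply the comment's rules to every anchor in the body.

    Returns a list of (href, verdict, reason); only a bare HTTPS URL shown
    verbatim as its own link text is left 'clickable'."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    results = []
    for href, text in parser.anchors:
        if urlsplit(href).scheme != "https":
            results.append((href, "blocked", "not https"))
        elif not _same_url(text, href):
            results.append((href, "blocked",
                            f"hidden link: text {text!r} differs from target"))
        else:
            results.append((href, "clickable", "bare https url shown verbatim"))
    return results


# Constructed sample body for the example; not a real Marriott message.
SAMPLE_EMAIL = """
<p>Notice of a data security incident</p>
<p>Details: <a href="https://www.marriott.com/">https://www.marriott.com/</a></p>
<p><a href="https://email-marriott.com/notice">Click here to read the notice</a></p>
<p>Enrol: <a href="http://answers.kroll.com/">http://answers.kroll.com/</a></p>
"""

if __name__ == "__main__":
    for href, verdict, reason in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:9} {href}  ({reason})")
```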

  11. Re:Yes, that is... by gtvr · · Score: 1

    Exactly. The whole concept that ANY email from ANY domain is in any way secure (unless you're using digital signatures, or even looking at headers and seeing what domains the email traversed) is useless. I mean, I could send an email with the "from" as marriott.com and phish people. The "from" is one of the last things you would look at, from a security perspective. You should look at where any links go - the actual domain, or something else? Or even better, just type in the domain directly in your browser.

  12. Yet another MASSIVE government fail. by Anonymous Coward · · Score: 1, Funny

    Once again we see how GOVERNMENT is to blame for a huge privacy and security failure and yet libtards will now demand the heads of amazing private industry people who TRIED to stop the incompetent and corrupt fat cat union controlled government from hurting the precious consumers. And next up they want massive useless government to run our health care system! The insane left demands more big government intervention in everything and THIS is what will happen.

    1. Re:Yet another MASSIVE government fail. by bugs2squash · · Score: 1

      you should put that on a bumper sticker - if there's any space for it on your car.

      --
      Nullius in verba
  13. Re: Yes, that is... by Doke · · Score: 3, Funny

    Typing a dodgy domain name into your browser is probably safe, if your browser is Lynx...

  14. notification on a different domain by Doke · · Score: 2

    Their data breach notification site is also on a different domain, answers.kroll.com. I know Kroll, but many people would simply see that it's a different domain name, and assume it was a scam.

  15. Re:Blaming the User by Anonymous Coward · · Score: 1

    No IT system will ever be strong enough to defend against a user clicking on a link to go to a webpage and voluntarily entering their credit card info.

    Yes, but companies shouldn't encourage the practice by using dodgy looking domains for their normal operations.

    For example, the website for a phone company I do business with is www.companyA.com.

    If I go to that website and for some functionality I get redirected to mycompanyAaccount.com.

    A typical user can't tell if mycompanyAaccount.com is a phishing site or a real site. It looks real...

    The company should have used myaccount.companyA.com or account.companyA.com.

    Sometimes they will redirect to www.companyAmobility.com. Is this the real site for their mobile phone service or a phishing website?

  16. attack vector by bugs2squash · · Score: 1

    Any predictable mailing like this is an attack vector. People are likely to be expecting an email from Marriott, possibly even one that links to a "credit protection service" ready to accept your personal details for registration. I'm surprised an attacker did not beat them to the punch. Any large organization should have plans for this set out in advance.

    --
    Nullius in verba
  17. Internal messaging system is the key by ctilsie242 · · Score: 4, Insightful

    What I've seen banks, even the local power company, do is have an internal messaging system. This way, any E-mails at most will alert you to log in (also warning to manually type in the URL, and not click on a link) and check your messages, with a warning that anything else is likely a phishing attempt.

    Plus, because everything is handled via the internal system, there is more control, which is a help when it comes to GDPR/PCI-DSS/HIPAA/FERPA/whatever compliance, as messages never leave the site.

  18. Re:Blaming the User by ctilsie242 · · Score: 1

    Defense in depth. Yes, IT can have something in place to mitigate damage if a user clicks/downloads/runs stuff, be it AppLocker, FSRM, backups that store documents in real time, and so on. However, having users not click on things in the first place adds a "layer 8" protection in place.

    Even with protective measures, having them not as needed is a wise thing.

  19. Re:Blaming the User by ctilsie242 · · Score: 1

    One issue with LARTs... sometimes users really enjoy it when you bring it out, so it might just encourage the behavior that you want to discourage.

  20. Re:Blaming the User by Anonymous Coward · · Score: 1

    Because some people are at a hotel, and don't want others to know why they are there. For example, I know people who didn't want others to know they were at the Midwest Fur Fest, for obvious reasons. That info being public could be at best humiliating, at worst cause loss of a job or a career.

  21. Wrong tool for the job by apoc.famine · · Score: 3, Insightful

    posted a long tweet thread...

    Huh. It's almost like twitter is one of the worst ways to communicate complicated things. Too bad there aren't any places on the internet where one can post long-form information and have a discussion about it. Guess we'll just have to break everything into 30 different tweets.

    --
    Velociraptor = Distiraptor / Timeraptor
    1. Re:Wrong tool for the job by nwaack · · Score: 3, Insightful

      Twitter is one of the worst ways to communicate, period. It should be destroyed in fire.

  22. Re:Blaming the User by scamper_22 · · Score: 1

    meh, there's a lot we can do.

    My workplace does a pretty good job of protecting people, sometimes too good a job. It checks URLs, validates links sent via emails... It's not perfect, but it works pretty darn well.

    There is little reason the major ISPs, browsers, and/or email systems shouldn't have similar kinds of protections. Yes, you should be able to call them to turn it off if you like to browse unsafely.

    Similarly, the entire online payment industry could use some work. It's actually been a long time since I just typed in my credit card info into a random website. Most things are available on Amazon and I go there. I also tend to use paypal. Is paypal super secure? I don't know, probably not. But it's better than typing all my info into some random website. Some kind of digital ID/payment systems would go a long way.

    Basically, I'm not saying anything here is perfect, but there's a crap load that we could do to make things better. Yes, the internet is open and 'free', but at least in Canada, most people are with a handful of big ISPs and most people use a handful of browsers and email servers. Most people use a handful of banks. We could definitely lock that down real quick so most people are not impacted most of the time even with their 'user stupidity'.

    Go outside the nice playpen and you could get dangerous real quick.

  23. CSC registered it is a STRONG clue by mysidia · · Score: 3, Informative

    Just because an advanced user has difficulty vetting the domain doesn't mean there's something wrong with it.

    There's no "official" universally accepted criteria for authenticating a domain belongs to the company whose name is claimed on the domain, and even the use of a basic TLS certificate is not foolproof; however, CSC being a corporate-only registrar that is used by most of the largest internet brands in the US has a very HIGH PRICE to engage their services, let alone register a domain ----- unless a state actor is involved or an additional major breach of CSC itself; the probability of a phishing domain getting registered through CSC AND also with DNS hosted by CSC seems extremely remote --- particularly when you look at the second positive indicator.

    Registration is mature --- the domain email-marriott.com has been registered for 4 years, created in August 2014. That would mean it's been dormant or used for purposes not detected as phishing for an extremely long term: generally when a domain name is used for phishing, abuse takedown procedures get initiated immediately, and most often the domain is shut down by its registrar within days.

    COULD the breach notification be faked? Yes, in theory. So just be cautious if you receive an e-mail to not provide personal information after clicking on a link in the message. Close the browser window and visit the company's website. Open a ticket with support if the breach notice implies you need to do something, and you can't find a way to do it on their website --- ultimately a company's call-in support should be able to confirm the message is real or not and assist.

    1. Re:CSC registered it is a STRONG clue by Aighearach · · Score: 1

      It is a major corporation that already existed long before 2014, so that means nothing.

      Your comments are simply dangerous bullshit of the same quality as what Marriott did.

      My goodness that is just daft beyond words. It is almost as if you never heard of phishing attacks until today! And yet, you're the Font of Knowledge.

      Yes, if an "advanced user" can't vet the domain, and the message is important, that proves there is something wrong with the domain. This isn't the 1990s, there are technologies in place for verifying emails. And those technologies are attached to the DNS system. A user is absolutely supposed to be able to vet that.

    2. Re:CSC registered it is a STRONG clue by mysidia · · Score: 1

      It is a major corporation that already existed long before 2014, so that means nothing.

      Actually... it means EVERYTHING, because you see the date and the Registrar's identity are the only pieces of information in DNS and WHOIS that cannot be easily falsified ---- everything else can have bogus info in order to make the domain survive vetting, but the "Advanced user" has in fact been tricked or taken for a ride (They're not actually vetting if they look at that stuff --- it's actually an illusion). And if the WHOIS data is false, then so is the result of anything you "think" you can authenticate via DNS. The domain surviving for 4 years on the other hand is very strong evidence that the domain was not registered by a phishing entity for the purpose of running a false website on for phishing.
      It's certainly standard practice for companies to register separate e-mail domains for mass mailing campaigns as well, or for disseminating information on emergencies such as breaches.

      Also, it's a very important fact here that the registrar CSC is unlike other registrars and does not provide service to just anybody...
      In fact, it means that EVERY domain registered by CSC is going to be a legitimate registration created by a large business entity representing that it has legal ownership of that mark and managed by CSC's brand protection services, because that's essentially what CSC's business is, AND CSC is already in a high position of trust with billions of $$ at stake.

      So much so that seeing "CSC" on the registrar field can be a MORE trustworthy indicator that a domain name is a legitimate company's sanctioned domain name than the indication provided by the server holding an Organization-Validated TLS Certificate or EV Certificate from a major CA ----- the fact is, Certificate Authorities have automated the process of obtaining certificates, the vetting of CAs is expedited and the processes of TLS CAs have been exploited in the past due to bugs or fraud/social engineering, etc; Mis-issued certificates in the hands of malicious actors have occurred frequently over multiple CAs --- there are hundreds of CAs the world over, and just one rogue or compromised EV CA can issue an SSL cert for any domain.

      Yes, if an "advanced user" can't vet the domain, and the message is important, that proves there is something wrong with the domain.

      Nope.... because in reality the fact is an "advanced user" can't truly vet ANY domain by looking at its WHOIS.
      Because you see EVERY entry in WHOIS is falsifiable.

      Especially, nowadays with the GDPR in place.... The WHOIS contact is not even a person that can legally pull the domain.

      If I knew someone's info I could stick a domain with certain registrars and put their name, company name, address, e-mail, etc as the registrant or contacts, and in WHOIS it would appear "Legitimate", but the listed registrant and contacts would have absolutely no control and no way to get control of the registrar account or domain settings, because many registrars allow you to administer Account Control and Whois listings independently, and there's no real verification of data before it can be placed in WHOIS.

  24. Re:Blaming the User by Mr.+Droopy+Drawers · · Score: 1

    2-factor hardware authentication would solve this, frankly.

    --
    To Copy from One is Plagiarism; To Copy from Many is Research.

  25. Re:Blaming the User by PhunkySchtuff · · Score: 2

    If they don't have the customer's contact details, then their personal details weren't stolen and they don't need to notify them.

  26. Re:Blaming the User by Aighearach · · Score: 1

    How do you keep users from using an app and having the phone be all the factors?

    It works for people who understand security, are you sure it would help the others and not be just another thing they didn't learn the security details of?

  27. Re:Yes, that is... by thegarbz · · Score: 2

    The whole concept that ANY email from ANY domain is in any way secure

    The idea is not for an email to be secure. It's for its content to be trustworthy and not easily mistaken for something else. The question is not where does the email come "From:". It's about where it sends users and what it instructs them to do. Going to any domain other than www.marriott.com is an instant red flag which users should be trained to identify as phishing attempts at this point.

  28. Re:Doesn't "load"? by Aighearach · · Score: 1

    It means if you try to feed port 80 to your cat(1) the poor thing is going to starve, or die of old age.

    They must have enabled quantum email domains. Or something.

  29. The dodgy domain was very clever by aberglas · · Score: 1

    Admitting to a security breach is rather embarrassing.

    Most users will disregard an email from email-marriott.com as spam. And so Marriott can fulfil their legal responsibility to inform users without actually informing users.

    Very clever. (More likely very stupid, but a fortuitous idiocy.)

    And there is no way for users to validate a domain name and know where to enter a credit card number. How can you tell that sIashdot.com is not slashdot.com?! The padlock is meaningless. Sending passwords over the net is the real idiocy. There is a solution, Secure Remote Passwords, but nobody uses it. So don't blame users for our stupidity.
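The sIashdot/slashdot trick above, and the email-mariott.com lookalike mentioned in the story summary, are the kind of thing a mail gateway or brand-monitoring job can score against a list of the organisation's own domains. The following is an added example (not from the comment or from any vendor) that folds common look-alike glyphs and measures edit distance; the brand list and hosts are constructed, and the registrable-label extraction assumes one-label public suffixes such as .com.

```python
import unicodedata

# Glyphs that pass for others in common fonts, folded before lowercasing
# (capital I, digit 1 and pipe read as l; 0 reads as o): the sIashdot case.
_GLYPH_TABLE = str.maketrans("I1|0", "lllo")
# Two-character sequences that read as one letter at a glance.
_PAIRS = (("rn", "m"), ("vv", "w"))


def fold(label):
    """Canonical look-alike form of a domain label as a reader would see it."""
    s = label.translate(_GLYPH_TABLE).lower()
    s = unicodedata.normalize("NFKD", s)
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    for pair, single in _PAIRS:
        s = s.replace(pair, single)
    return s


def edit_distance(a, b):
    """Levenshtein distance; one insert/delete/substitute counts as a typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host):
    """Label directly under the public suffix; assumes one-label suffixes (.com)."""
    labels = host.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def assess_host(host, brand_domains):
    """Classify one host against the organisation's own domains.

    Returns (verdict, brand): 'trusted' for a brand domain or its subdomains,
    'brand-embedded' when the brand label appears verbatim inside a foreign
    domain (the email-marriott.com pattern), 'homoglyph' or 'typo' for
    look-alikes, else ('unrelated', None)."""
    h = host.lower().rstrip(".")
    for brand in brand_domains:
        b = brand.lower()
        if h == b or h.endswith("." + b):
            return ("trusted", brand)
    raw = registrable_label(host)  # keep the visible case: sIashdot vs slashdot
    tokens = [raw] + (raw.split("-") if "-" in raw else [])
    for brand in brand_domains:
        bl = registrable_label(brand.lower())
        for tok in tokens:
            if tok.lower() == bl:
                return ("brand-embedded", brand)
            if fold(tok) == fold(bl):
                return ("homoglyph", brand)
            if edit_distance(tok.lower(), bl) <= 1:
                return ("typo", brand)
    return ("unrelated", None)


# Constructed brand list and hosts for the example.
BRANDS = ["marriott.com", "slashdot.org"]
SAMPLE_HOSTS = ["www.marriott.com", "email-marriott.com", "email-mariott.com",
                "sIashdot.com", "answers.kroll.com"]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:22} -> {assess_host(host, BRANDS)}")
```

The edit-distance threshold of 1 suits long brand labels; very short labels would need a stricter rule to avoid false positives.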