So much is going on every month in the world of cybersecurity, online privacy, and data protection. It’s difficult to keep up!
Our monthly security digest will help you keep tabs on the most important security and privacy news every month. Here’s what happened in November.1. Marriott International Suffers 500m Record Data Breach
As ever, one of the biggest bits of security news hits at the end of the month.
November ended with the Marriott International hotel group revealing an enormous data breach. It is thought up to 500 million customer records are affected as the attacker had access to the Marriott International Starwood division network since 2014.
Marriott International acquired Starwood in 2016 to create the largest hotel chain in the world, with over 5,800 properties.
The leak means different things for different users. However, the information for each user contains a combination of:Name Address Phone number Email address Passport number Account information Date of birth Gender Arrival and departure information
Perhaps of most importance is Marriott’s revelation that some records included encrypted card information―but also could not rule out that the private keys had been stolen, too.
The long and the short of it is this: if you stayed at any Marriott Starwood hotel, including timeshare properties, before September 10, 2018, your information might have been compromised.
Marriott is taking measures to protect potentially affected user’s by offering a year’s free subscription to WebWatcher. US citizens will also receive a free fraud consultation and reimbursement coverage for free. At the current time, there are three enrollment sites:United States Canada United Kingdom
Analysis suggests the code targets libraries associated with the Copay bitcoin wallet for mobile and desktop. If the Copay wallet is present on a system, the malicious code attempts to steal the wallet contents. It then attempts to connect to a Malaysian IP address.
The malicious code was uploaded to the Event-Stream repository after the original developer, Dominic Tarr, handed control of the library to another developer, right9ctrl.
Right9ctrl uploaded a new version of the library almost as soon as control was handed over, the new version containing the malicious code targeting Copay wallets.
Just days before the biggest shopping day of the year (bar China’s Single’s Day, of course), Amazon suffered a data breach.“We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”
It is difficult to gauge the exact details of the breach because, well, Amazon isn’t telling. However, Amazon users in the U.K., U.S., South Korea, and the Netherlands all reported receiving an Amazon email regarding the breach, so it was a fairly global issue.
Users can take some consolation in that it was an Amazon technical issue leading to the data breach, rather than an attack on Amazon. The release of information doesn’t contain any banking information, either.
However, Amazon’s message that there is no need for affected users to change their password is plain wrong. If you have been affected by the Amazon data breach, change your account password.4. Self-Encrypting Samsung and CrucialSSD Vulnerabilities
Security researchers uncovered multiple critical vulnerabilities in Samsung and Crucial self-encrypting SSDs. The research team tested three Crucial SSDs and four Samsung SSDs, finding critical issues with each model tested.Carlo Meijer and Bernard van Gastel, security researchers at Radboud University in the Netherlands, identified vulnerabilities [PDF] in the drives’ implementation of ATA security and TCG Opal, which are two specifications for implementing encryption on SSDs that use hardware-based encryption.
There is a variety of issues:Lack of cryptographic binding between password and data encryption key means an attacker can unlock drives by modifying the password validation process. The Crucial MX300 has a master password set by the manufacturer―this password is an empty string, e.g., there isn’t one. Recovery of Samsung data encryption keys through the exploitation of SSD wear leveling.
Disconcertingly, the researchers stated that these vulnerabilities might very well apply to other models as well as different SSD manufacturers.Wondering about how to protect your drives? Here’s how you protect your data using the open-source encryption tool, VeraCrypt How to Encrypt and Protect Your Data and Files Using VeraCrypt How to Encrypt and Protect Your Data and Files Using VeraCrypt VeraCrypt is a free, open source encryption tool that you can use to encrypt and protect your valuable personal data in windows.