So much is going on every month in the world of cybersecurity, online privacy, and data protection. It’s difficult to keep up!
Our monthly security digest will help you keep tabs on the most important security and privacy news every month. Here’s what happened in November.
1. Marriott International Suffers 500m Record Data BreachAs ever, one of the biggest bits of security news hits at the end of the month.
November ended with the Marriott International hotel group revealing an enormous data breach. It is thought up to 500 million customer records are affected as the attacker had access to the Marriott International Starwood division network since 2014.
Marriott International acquired Starwood in 2016 to create the largest hotel chain in the world, with over 5,800 properties.
The leak means different things for different users. However, the information for each user contains a combination of:
Name Address Phone number Email address Passport number Account information Date of birth Gender Arrival and departure informationPerhaps of most importance is Marriott’s revelation that some records included encrypted card information―but also could not rule out that the private keys had been stolen, too.
The long and the short of it is this: if you stayed at any Marriott Starwood hotel, including timeshare properties, before September 10, 2018, your information might have been compromised.
Marriott is taking measures to protect potentially affected user’s by offering a year’s free subscription to WebWatcher. US citizens will also receive a free fraud consultation and reimbursement coverage for free. At the current time, there are three enrollment sites:
United States Canada United KingdomOtherwise, check out these three simple ways to protect your data How to Counter Data Breaches: 3 Simple Ways to Protect Your Data How to Counter Data Breaches: 3 Simple Ways to Protect Your Data Data breaches don't only hit share prices and government department budgets. What should you do when news of a breach strikes? Read More after a major breach.
2. Event-Stream javascript Library Injected With Crypto-Stealing MalwareA JavaScript library that receives over 2 million downloads per week was injected with malicious code designed to steal cryptocurrencies.
The Event-Stream repository, a JavaScript package that simplifies working with Node.js streaming modules, was found to contain obfuscated code. When researchers deobfuscated the code, it became clear that its goal was bitcoin theft.
Analysis suggests the code targets libraries associated with the Copay bitcoin wallet for mobile and desktop. If the Copay wallet is present on a system, the malicious code attempts to steal the wallet contents. It then attempts to connect to a Malaysian IP address.
The malicious code was uploaded to the Event-Stream repository after the original developer, Dominic Tarr, handed control of the library to another developer, right9ctrl.
Right9ctrl uploaded a new version of the library almost as soon as control was handed over, the new version containing the malicious code targeting Copay wallets.
However, since that time, right9ctrl has uploaded another new version of the library―without any malicious code. The new upload also coincides with Copay updating their mobile and desktop wallet packages to remove the use of the JavaScript libraries targeted by the malicious code.
3. Amazon Suffers Data Breach Days Before Black FridayJust days before the biggest shopping day of the year (bar China’s Single’s Day, of course), Amazon suffered a data breach.
“We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”It is difficult to gauge the exact details of the breach because, well, Amazon isn’t telling. However, Amazon users in the U.K., U.S., South Korea, and the Netherlands all reported receiving an Amazon email regarding the breach, so it was a fairly global issue.
Users can take some consolation in that it was an Amazon technical issue leading to the data breach, rather than an attack on Amazon. The release of information doesn’t contain any banking information, either.
However, Amazon’s message that there is no need for affected users to change their password is plain wrong. If you have been affected by the Amazon data breach, change your account password.
4. Self-Encrypting Samsung and CrucialSSD VulnerabilitiesSecurity researchers uncovered multiple critical vulnerabilities in Samsung and Crucial self-encrypting SSDs. The research team tested three Crucial SSDs and four Samsung SSDs, finding critical issues with each model tested.
Carlo Meijer and Bernard van Gastel, security researchers at Radboud University in the Netherlands, identified vulnerabilities [PDF] in the drives’ implementation of ATA security and TCG Opal, which are two specifications for implementing encryption on SSDs that use hardware-based encryption.
There is a variety of issues:
Lack of cryptographic binding between password and data encryption key means an attacker can unlock drives by modifying the password validation process. The Crucial MX300 has a master password set by the manufacturer―this password is an empty string, e.g., there isn’t one. Recovery of Samsung data encryption keys through the exploitation of SSD wear leveling.Disconcertingly, the researchers stated that these vulnerabilities might very well apply to other models as well as different SSD manufacturers.
Wondering about how to protect your drives? Here’s how you protect your data using the open-source encryption tool, VeraCrypt How to Encrypt and Protect Your Data and Files Using VeraCrypt How to Encrypt and Protect Your Data and Files Using VeraCrypt VeraCrypt is a free, open source encryption tool that you can use to encrypt and protect your valuable personal data in windows.
