Perpetual IT

The personal data of 10,683,188 MGM hotel guests that leaked sometime in or before 2017 was posted for sale on the Dark Web this week, ZDNet reports.

It doesn’t matter that the data isn’t freshly baked: it’s still edible. ZDNet called hotel guests whose details were included in the data dump and found that, while some of the phone numbers had been disconnected, many were still valid, as “the right person answered the phone.”

The data was first spotted by an Israeli security researcher calling themselves Under the Breach who claims to have “deep relations” with various threat actors that gives them “pre-breach information on many publicly traded companies.”

Under the Breach says they spotted some Vegas-big names among the leaked guest records, including Twitter CEO Jack Dorsey, pop star Justin Bieber, and government officials from the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA).

Under the Breach came across the leaked files on an online forum commonly used by hackers, they told Business Insider. The researcher said that they’d cross-referenced the information with publicly available data and emails that had been exposed in previous breaches.

A spokesperson for MGM Resorts confirmed the security breach, saying that the data is old. The dump included full names, addresses, phone numbers, emails and birthdays, but MGM says that no payment information was compromised. The hotel chain hasn’t confirmed the identity of any of the affected guests; nor has Twitter commented on whether or not Dorsey’s information was involved.

ZDNet confirmed the authenticity of the data on Wednesday. None of the hotel guests whom the news outlet contacted had stayed at the hotel more recently than 2017. But regardless of how long ago the initial breach happened, the personally identifiable information (PII) is still valuable for use in spearphishing campaigns or in SIM-swap attacks, as Under the Breach told ZDNet.

An MGM spokesperson told ZDNet that the data came out of a security breach that happened last year:

Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter.

The hotel chain said that it had promptly notified all affected hotel guests in accordance with applicable state laws. ZDNet wasn’t able to find any of those notifications, but it did find posts dating to August 2019 on the Vegas Message Board from people who said that they’d been alerted to the July breach.

The sale of the records has been linked to the threat actor known as GnosticPlayers, which has claimed responsibility for multiple big breaches, including the September 2019 hack of online social game maker Zynga, the massive hack of 26 million records stolen from another six online companies in March 2019, and plenty more.

The tally of records put up for sale on the Dark Web by GnosticPlayers spirals ever upward: in 2019, the entity dumped more than a billion user records, ZDNet reports.

Latest Naked Security podcast

After fixing a fat pile of critical security flaws as part of last week’s Patch Tuesday update, Adobe has come back with two more that need urgent attention.

This is what’s called an out of band update, which means that a vulnerability is too risky or likely to be exploited to leave to the next scheduled update.

The first is in the Windows and macOS versions of the After Effects graphics software and affects anyone running version 16.1.2 and earlier.

Identified as CVE-2020-3765 after being reported to Adobe only days ago, the company offers little detail on the vulnerability itself beyond stating that the update:

Resolves a critical out-of-bounds write vulnerability that could lead to arbitrary code execution in the context of the current user.

All that tells us is that exploiting the flaw would require access to the user’s machine which shouldn’t detract from the need to patch the issue.

The second is also an out-of-bounds write weakness, this time in Adobe Media Encoder, affecting Windows and macOS versions 14.02. Identified as CVE-2020-3764, this requires similar current user access.

There is no evidence that either of these flaws is being exploited in the wild, but you never know, hence the need to patch now.

The update

The fix for After Effects (APSB20-09) is to upgrade to version 17.0.3. For Media Encoder (APSB20-10) it’s version 14.0.2.

It’s unusual for Adobe to issue out of band updates. Excluding the later than usual patching of a slew of flaws last October, the last was three emergency fixes for ColdFusion the month before that.

Despite the inconvenience, this is to be applauded. The sooner a critical is patched, the sooner everybody stops worrying about it.

Latest Naked Security podcast

The American Civil Liberties Union (ACLU) dubbed 2019 the year that proved that ubiquitous facial recognition surveillance isn’t inevitable. The latest (tentative) win for legislative restrictions on the increasingly pervasive technology: the state of Washington.

On Wednesday, the state senate passed a bill – Senate Bill 6280 – that would prohibit state and local government agencies from using facial recognition in most instances, including…

Ongoing surveillance – meaning tracking people as they move through public places over time, be it in real-time or through use of a service that relies on historical records.

And…

Persistent tracking – which refers to the use of facial recognition to persistently track someone without first having identified them or verified their identity.

If passed, the law will require law enforcement to first get a search warrant before using those types of faceprint-reliant tracking and surveillance, or else would be limited to emergency situations in which people’s lives are at risk.

From here, the bill goes to the state House for consideration.

The latest version of the bill specifies that at least 90 days before government agencies adopt a new facial recognition technology, they must inform the public about the technology in question – in detail.

Accountability reports would have to include the name of the technology, the vendor, what kind of data it collects and from where, how that data is processed, why and how it’s going to be used, data or research that demonstrates its supposed benefits, whether it’s going to be used by other agencies and how, data retention policy, how data will be securely stored and accessed, and how it’s going to affect civil rights and liberties… to name a few.

It would be an understatement to say that this type of transparency would be a marked change from the secretive (and sometimes slapdash) way in which agencies have been adopting the technology to surveil people, often without the need for warrants.

SB 6280 would also require that decisions with legal implications that are based on facial-recognition programs be reviewed by an agency worker with training on the technology – someone with authority to reverse the decision, according to analysis (PDF) from the Washington senate committee on Environment, Energy and Technology.

Examples of such decisions include whether or not somebody gets a loan, housing, insurance, health care, and educational or job opportunities. If a given program does have such an impact, it would have to be tested before being deployed. The bill would also set training standards for government employees handling personal data gleaned from facial recognition.

According to the Seattle Times, SB 6280 is likely going to face resistance in the House, where a competing bill – House Bill 2856 (PDF) – would go further still, by imposing a moratorium on local and state facial recognition programs until 1 July, 2023.

The Seattle Times quoted the House bill’s sponsor, Rep. Debra Entenman, who is herself one of the people whom facial recognition most frequently fails to correctly identify: a black woman.

[This debate is about] having a technology that is not ready to be used in the public sphere.

As an African American woman, I am of course concerned about the fact that law enforcement and others believe that this technology will make people safer.

The Seattle Times also quoted the Senate bill’s sponsor, Sen. Joe Nguyen:

Right now, facial-recognition technology is being used unchecked and with little recourse. And tech companies generally don’t care about the moral values of the products they are creating.

Running tally of pushback

In October, the state of California outlawed facial recognition in police bodycams. Some of its biggest cities have gone further still in restricting the controversial technology, including San Francisco, Berkeley, and Oakland.

Outside of California, government use of facial recognition has also been banned in three Massachusetts municipalities: Somerville, Northampton and Brookline. New York City tenants also successfully stopped their landlord’s efforts to install facial recognition technology to open the front door to their buildings.

Latest Naked Security podcast

Global facilities company ISS World, headquartered in Denmark, has shuttered most of its computer systems worldwide after suffering what it describes as a “security incident impacting parts of the IT environment.”

The company’s website currently shows a holding page, with no clickable links on it:

On 17 February 2020, ISS was the target of a malware attack. As a precautionary measure and as part of our standard operating procedure, we immediately disabled access to shared IT services across our sites and countries, which ensured the isolation of the incident.

The root cause has been identified and we are working with forensic experts, our hosting provider and a special external task force to gradually restore our IT systems. Certain systems have already been restored. There is no indication that any customer data has been compromised.

Some media outlets – for example, the BBC – have mentioned ransomware prominently in their coverage of the issue, perhaps because of the suddenness of the story, but at the moment we simply don’t know what sort of malware was involved.

As you can imagine, facilities companies that provide services such as cleaning and catering rely heavily on IT systems for managing their operations.

But one silver lining for ISS World is that many, perhaps most, of its staff don’t rely on computers to carry out their hour-by-hour work, and most staff work on customer sites:

The nature of our business is to deliver services on customer sites mainly through our people and as such we continue our service delivery to customers while implementing our business continuity plans. Our priority is to ensure limited or no disruption while we fully restore all systems.

Nevertheless, a report in the UK claims that 43,000 staff worldwide, including 4000 in the UK, don’t have access to email, a serious operational blow to any modern business.

ISS World has promised, via its one-page, static website, that it is “currently estimating when IT systems will be fully restored and are assessing any potential financial impact”, and that it will “provide a further update when we have significant, additional information.”

Two things right

As bad as it sounds, it seems that the company has done at least two things right: it has issued a clear statement of what it’s willing to say right now, and it has stated that it will tell us all more when it is sure of its facts.

It’s easy to jump down the throat of a business that suffers a cyberattack, to demand answers right away, and to assume that “something is suspicious” if the company demands time to investigate for some time before making a full statement.

In this case, we’d urge ISS World customers to be as patient as possible, and to give the company time to find out as much as it can, with as much forensic precision as possible, before expecting it to reveal what it knows.

Incidents of this size in a business this large are definitely a matter for the regulators and for law enforcement – so if there’s any chance of finding out who was reponsible with the sort of evidence that would stand up in court…

…let’s hope ISS World can come up with it.

What to do?

Here’s our advice on how to keep crooks out of your network – not just for ransomware in particular, but for malware in general.

• Pick strong passwords. And don’t re-use passwords, ever.
• Make regular backups. They could be your last line of defence against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
• Patch early, patch often. Attacks such as WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
• Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted malware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
• Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.