Thanks to our friends at GreatHorn for sponsoring this week’s podcast. In this episode of the podcast, #123, Troy Hunt, the founder of HaveIBeenPwned.com, joins us to talk about Marriott International’s big mess: a breach of Starwood Hotels’ reservation system that exposed information on half a billion (with a “B”) guests. And: you’ve heard of Business Email Compromise attacks, but what about Business Service Impersonation scams? In our second segment we speak with Kevin O’Brien, the CEO and co-founder of GreatHorn, about using machine learning to defend against asymmetric messaging threats.
Part 1: Marriott’s Big Mess
Marriott International acquired more than a chain of hotels when it bought Starwood three years ago: it acquired a whopper of a security compromise. This week, almost four years after the intrusion began, we found out how big a breach it was. Marriott disclosed that information on some 500 million Starwood guests had been stolen from the Starwood guest reservation database. This follows a 2014 breach of Starwood’s point of sale systems that affected scores of hotels.
For more than 300 million of those guests, the stolen data included names, email addresses, mailing addresses, Starwood Preferred Guest account numbers and even passport numbers: a treasure trove of sensitive data with value to everyone from run-of-the-mill cyber criminals to sophisticated nation-state attackers.
To talk about what all this means, we invited security researcher Troy Hunt, who runs the website HaveIBeenPwned, into the Security Ledger studios to discuss what happened at Marriott and what kinds of crimes might follow the theft of so much personal data, even if that data is never leaked on the dark web.
Hunt’s site has become a first stop for victims of data breaches. It now holds records on more than 5.6 billion breached accounts from more than 328 web breaches and other incidents, and it gets upwards of 250,000 visits a day from people checking whether their information has fallen into the hands of hackers. Top of the list of threats that Marriott breach victims need to worry about: credential stuffing attacks, in which attackers take credentials stolen from Starwood and replay them against other online services, betting that users reused the same login details elsewhere.
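To make the credential stuffing pattern concrete, here is an added example written for this page (it is not code from the podcast, from HaveIBeenPwned or from any of the companies discussed). It runs a simple detector over a constructed authentication log: a stuffing source tries many distinct usernames in a short window and fails on most of them, because each stolen (username, password) pair is tried once and only the reused ones work. The log line format, the thresholds and the sample addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log for this example (not from Marriott, Starwood or any
# real system). Assumed line format:
#   <ISO-8601 UTC timestamp> ip=<source address> user=<login> result=ok|fail
SAMPLE_LOG = """\
2018-12-03T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2018-12-03T10:00:02Z ip=203.0.113.5 user=bob@example.com result=fail
2018-12-03T10:00:02Z ip=203.0.113.5 user=carol@example.com result=fail
2018-12-03T10:00:03Z ip=203.0.113.5 user=dave@example.com result=ok
2018-12-03T10:00:04Z ip=203.0.113.5 user=erin@example.com result=fail
2018-12-03T10:00:05Z ip=203.0.113.5 user=frank@example.com result=fail
2018-12-03T10:01:00Z ip=198.51.100.7 user=grace@example.com result=fail
2018-12-03T10:01:09Z ip=198.51.100.7 user=grace@example.com result=fail
2018-12-03T10:01:20Z ip=198.51.100.7 user=grace@example.com result=ok
2018-12-03T10:05:00Z ip=192.0.2.9 user=heidi@example.com result=fail
2018-12-03T10:25:00Z ip=192.0.2.9 user=ivan@example.com result=fail
2018-12-03T10:45:00Z ip=192.0.2.9 user=judy@example.com result=fail
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "ip": m.group("ip"),
        "user": m.group("user").lower(),
        "result": m.group("result"),
    }


def find_stuffing_sources(log_text, window_seconds=300, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, inside any window of `window_seconds`, tried at least
    `min_users` distinct usernames with a failure ratio of at least `min_fail_ratio`.

    Returns ip -> stats for the worst window seen. "hits" lists the accounts that
    succeeded from that source: those are the reused passwords, and the accounts
    that need a forced reset.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(events):
            # Events from `start` forward that fall inside the window.
            in_window = [e for e in events[i:]
                         if (e["ts"] - start["ts"]).total_seconds() <= window_seconds]
            users = {e["user"] for e in in_window}
            failures = sum(1 for e in in_window if e["result"] == "fail")
            if len(users) < min_users or failures / len(in_window) < min_fail_ratio:
                continue
            stats = {
                "window_start": start["ts"].isoformat(),
                "distinct_users": len(users),
                "attempts": len(in_window),
                "failures": failures,
                "hits": sorted(e["user"] for e in in_window if e["result"] == "ok"),
            }
            if best is None or stats["distinct_users"] > best["distinct_users"]:
                best = stats
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

On the sample, only 203.0.113.5 is flagged: six usernames in five seconds, five failures and one success, so dave@example.com is the account whose reused password worked. The legitimate user at 198.51.100.7 who mistypes a password twice is not flagged, because the distinct-username count stays at one. The caveat a practitioner would add: real stuffing campaigns spread attempts across thousands of proxies so that no single source crosses a per-IP threshold, so this should be paired with per-account and fleet-wide signals (failure rate across all logins, shared user agents or ASNs) and with screening new passwords against known-breached sets.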
Part 2: Email’s Asymmetric Threat
What do ransomware attacks, executive impersonation scams and remote access trojans have in common? They all tend to arrive by email. Nearly half a century old, email is still a vital conduit for personal and business communications and still the single largest avenue of attack against your organization, for everyone from petty cyber criminals to nation-state attackers.
That’s because email threats are asymmetric: simple, inexpensive, highly effective and easy to carry out both at massive scale and in very targeted ways that are hard to detect. Kevin O’Brien, the CEO of GreatHorn, says business service impersonation attacks are a prime example: they exploit the widespread use of cloud platforms like Microsoft’s Office 365 and Google’s services, posing as those services to trick users into handing over their credentials or installing malicious software that gives attackers a foothold on your network.
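To show what a business service impersonation message looks like and how the impersonation can be caught, here is an added example written for this page. It is not GreatHorn’s product, uses no machine learning, and is not code from the podcast: it is a rule-based checker run over two constructed messages, one posing as an Office 365 notice and one genuine-looking provider notice. The brand domain allow-list, the brand token lists and the two-label “registrable domain” shortcut are simplifying assumptions for the example, not authoritative data about either provider.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Illustrative allow-lists and brand tokens (assumptions for this example, not an
# authoritative list of the domains these providers send from).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "outlook.com", "microsoftonline.com"},
    "google": {"google.com", "gmail.com"},
}
BRAND_TOKENS = {
    "microsoft": ("microsoft", "office 365", "office365", "o365", "outlook", "onedrive", "sharepoint"),
    "google": ("google", "gmail", "g suite", "gsuite"),
}
URL_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)


def registrable_domain(host):
    """Naive registrable domain: the last two labels. Real code should consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def brands_mentioned(text):
    """Return the set of brands whose tokens appear in `text` (case-insensitive)."""
    t = text.lower()
    return {b for b, toks in BRAND_TOKENS.items() if any(tok in t for tok in toks)}


def body_text(msg):
    """Concatenate the decoded text/* parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess_message(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    # Decode RFC 2047 encoded words so an encoded display name cannot hide the brand.
    name, addr = parseaddr(str(make_header(decode_header(msg.get("From", "")))))
    from_domain = addr.rpartition("@")[2].lower()
    from_reg = registrable_domain(from_domain) if from_domain else ""

    # 1. Display name claims a brand the sending domain does not belong to.
    for brand in sorted(brands_mentioned(name)):
        if from_reg not in BRAND_DOMAINS[brand]:
            findings.append(f"display name '{name}' claims {brand} but sender domain is {from_domain}")

    # 2. The sending domain is a lookalike: it carries a brand token but is not allow-listed.
    for brand in sorted(brands_mentioned(from_domain.replace("-", " ").replace(".", " "))):
        if from_reg not in BRAND_DOMAINS[brand]:
            findings.append(f"sender domain {from_domain} looks like {brand} but is not a known {brand} domain")

    # 3. Replies are routed to a different domain than the one the mail claims to come from.
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower()
        if rt_domain and registrable_domain(rt_domain) != from_reg:
            findings.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")

    # 4. The body talks about a brand but its links lead outside that brand's domains.
    body = body_text(msg)
    hosts = URL_HOST_RE.findall(body)
    for brand in sorted(brands_mentioned(body)):
        off_brand = sorted({h for h in hosts if registrable_domain(h.split(":")[0]) not in BRAND_DOMAINS[brand]})
        if off_brand:
            findings.append(f"body mentions {brand} but links to {', '.join(off_brand)}")
    return findings


def is_suspicious(raw):
    return bool(assess_message(raw))


# Constructed sample messages for this example (not real mail).
PHISH_SAMPLE = """\
From: "Microsoft Office 365 Team" <noreply@office365-login.net>
Reply-To: collect@mailbox-verify.example
To: victim@example.com
Subject: Action required: your mailbox is full
Content-Type: text/plain; charset=utf-8

Your Office 365 mailbox has exceeded its quota. Sign in at
https://login.office365-login.net/verify within 24 hours to keep receiving mail.
"""

LEGIT_SAMPLE = """\
From: "Microsoft account team" <account-security-noreply@accountprotection.microsoft.com>
To: victim@example.com
Subject: Unusual sign-in activity
Content-Type: text/plain; charset=utf-8

We detected a sign-in from a new device. Review it at
https://account.microsoft.com/security if this was not you.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, assess_message(sample) or "no findings")
```

The impersonation sample trips all four rules: a brand in the display name from a domain the brand does not own, a sender domain built from a brand token, a Reply-To that diverts replies elsewhere, and a brand-themed body whose link leads off-brand. The genuine-looking sample trips none, because its sender and link hosts both resolve to an allow-listed registrable domain. The point a practitioner should take from it is also its limitation: rules like these need an accurate, maintained list of the domains each service really sends from, and they say nothing about a message sent from a compromised but legitimate account, which is where the SPF, DKIM and DMARC results on the received message and behavioural signals have to take over.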
In this conversation we talk about the new scourge of business service impersonation attacks and how adoption of cloud-based SaaS platforms like Office 365 hasn’t eliminated email-based risk so much as moved it around. You can check out our full conversation in our latest Security Ledger podcast at Blubrry. As always, you can also listen on iTunes and check us out on SoundCloud.