STE WILLIAMS

Triton/Trisis Attacks Another Victim

FireEye Mandiant incident responders reveal a new attack by the hacking group that previously targeted a petrochemical plant in Saudi Arabia in 2017.

KASPERSKY SECURITY ANALYST SUMMIT – Singapore – Yet another critical infrastructure organization was found infiltrated with the Triton/Trisis malware that in 2017 shut down the safety instrumentation system at a petrochemical plant in Saudi Arabia. 

FireEye Mandiant here this week revealed that it recently discovered the Triton/Trisis attack code installed at a second industrial organization and that it is currently working on an ongoing incident response investigation into the attack. Nathan Brubaker, senior manager of FireEye’s cyber-physical intelligence team, said this represents the first publicly revealed attack by the Triton/Trisis group since the original incident two years ago.

FireEye analysts found a set of custom Triton/Trisis tools tied to the second victim organization while conducting research, and found the attackers inside the victim’s corporate IT network, Brubaker said. “Based on the tool overlap [with Triton/Trisis], we have very high confidence it’s the same actor,” he said.

Brubaker said that, unlike the attack attempts previously spotted by FireEye and other ICS security firms, this was a full-blown attack. He declined to discuss any details about the victim organization’s identity or location, or whether this new victim had also suffered an infection of its safety instrumentation system as the first victim did.

Triton/Trisis specifically targets Schneider Electric’s SIS, the Triconex Emergency Shut Down (ESD) system. SISes provide emergency shutdown for plant processes to prevent physical threats when a plant process reaches an unsafe level. These systems are not typically under the domain of security teams but, rather, engineering teams; Triton/Trisis was the first known incident to affect the OT engineering department.

In the latest Triton/Trisis incident, the attackers had a foothold in the corporate network and were conducting reconnaissance and advancing deeper into the network in order to reach the industrial operations technology (OT) network, according to FireEye.

Brubaker said the group appears to have been operational since 2014, based on intel gathered from an analysis of the custom attack tools used on the victim, and that there may well be more as-yet unidentified victims and attacks.

“For quite a while we’ve been looking at this possibility” of more victims, FireEye’s Brubaker said.

Just how widespread the Triton/Trisis attack campaign truly is has remained a mystery. Earlier this year, an incident responder involved in the Saudi Arabia case revealed that the first known attack was more extensive than had been reported publicly. That August 2017 attack wasn’t the first incident at the plant: in June of 2017, an emergency plant-process shutdown system was knocked offline by the attackers but was misconstrued as a mechanical issue rather than a cyberattack, according to Julian Gutmanis, who was working out of a major oil and gas organization in Saudi Arabia at the time of the attacks.

Meanwhile, the Triton/Trisis attackers were able to remain in the plant’s network undetected until the Schneider Triconex SIS went down after the attackers inadvertently powered it down.

Rob Lee, founder and CEO of ICS security firm Dragos – who earlier this year confirmed the attacker had been inside the first victim’s network since 2014 – said FireEye’s new report echoes his firm’s tracking of Triton activity at other industrial facilities. Dragos has seen around 12 companies whose networks have been hit by the attack group, which it calls XENOTIME, in early stages of the attack.

Dragos said the attackers have been active in various industries aside from oil and gas, including targeting ICS OEMs and manufacturers. “All available evidence at this time indicates that XENOTIME has not deployed either Triton/Trisis or any new ICS-disruptive malware in any environment,” which jibes with FireEye’s findings, said Dragos adversary hunter Joe Slowik.

Meanwhile, Schneider Electric said in a statement that it was “encouraged” that FireEye had not reported finding Triton/Trisis malware in the victim’s industrial network.

“First, it is worth noting that FireEye does not claim to have found the Triton malware in the facility. Rather, they discovered the ‘Triton actor’ and some use of the ‘Triton framework,’” the company said in a statement. “Additionally, by releasing the details behind the Triton attack framework, the OT cybersecurity industry now better understands the Triton actor’s tradecraft. This will help all of us improve our tools and strategies to detect Triton-like attacks much earlier.”

Tools

The Triton/Trisis attackers employed both their custom attack tools as well as open source and other attack tools, including Mimikatz and SecHack to steal credentials. Many of their custom tools mimicked the features of legitimate tools to evade detection.

“They would generally use public tools when they were not as concerned about getting caught and trying to poke around. If they were doing something really important – like about trying to get to an engineering workstation – they would switch to custom tools,” Brubaker said. FireEye published a detailed technical report on Triton’s attack tools and tactics.

While a complete picture of the Triton attackers’ endgame remains unknown, their manipulating safety systems in the industrial plant demonstrates their potential ability and intent to disrupt plant processes, ICS experts say. Gutmanis, who recently joined Dragos, said the first Triton/Trisis victim “got lucky” that no catastrophic physical damage occurred.

“While threat intel and incident response teams from FireEye are investigating the second Triton/Trisis incident, what we know for a fact is that the attackers selected the most safety-critical component of the ICS to achieve their goals: the safety instrumented system,” said Eddie Habibi, CEO of PAS Global. “A bad actor can shut down a process by manipulating the configuration of a safety system. In fact, a plant is lucky if this is the approach an attacker takes: While the shutdown and loss of production is painful in such a situation, if the safety system is designed properly, there should be no safety impact or damage to equipment.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/triton-trisis-attacks-another-victim/d/d-id/1334388?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Lazarus Group rises again from the digital grave with Hoplight malware for all

The Lazarus Group hacking operation, thought to be controlled by the North Korean government, has a new malware toy to pitch at potential targets and the US is getting worried about it.

This is according to a report from US-CERT, which says that the group (also known as “Hidden Cobra”) has a new piece of spyware capable of securely connecting to a control server and uploading pilfered files from an infected machine.

Known as “Hoplight,” the malware is a collection of nine files, though most of those are designed to work as obfuscation layers to keep admins and security software from spotting the attack.

“Seven of these files are proxy applications that mask traffic between the malware and the remote operators,” US-Cert said in its write-up of the new Nork nasty.

“The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors.”

Below those seven proxy layers, Hoplight uses its valid SSL certificate to create the secure connection, then a final, ninth file looks to create an outbound connection to the control server in order to transmit pilfered information. The certificate looks to be a public SSL cert from Naver, a Korean search engine and service provider.


Within the bundle of files, US-Cert says, the malware package is able to perform a number of remote control and spyware activities. This includes the ability to read and write local files, create, terminate, or modify running processes and registry settings, and connect to a remote host to upload and download files.

The Lazarus Group is something of an oddity in the world of government-backed hacking groups. Unlike other state-sponsored operations, the primary focus of the group has not been espionage or intellectual property theft, but rather financial crime aimed at helping the isolated nation get cash into its coffers.

Lazarus/Hidden Cobra was also famously credited with pulling off the high-profile 2014 attack on Sony Pictures.

The group has typically used spear-phishing techniques to get its malware onto foreign targets, and US-CERT recommends admins and users take basic security measures (such as patching systems regularly and maintaining up-to-date malware protections) in order to safeguard against attacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/10/lazarus_group_malware/

Taj Mahal and SneakyPastes: Kaspersky reveals pair of attacks menacing Asia, Middle East

Kaspersky Lab has revealed a pair of attacks targeting governments and political groups in Asia and the Middle East.

The Russian security house has issued reports outlining how the operations have been stealthily avoiding detection until now.

Taj Mahal breaks its silence after five years

An unspecified diplomatic facility in central Asia was named as the home to Taj Mahal, a highly complex operation running two different pieces of malware that together load around 80 modules.

According to Kaspersky’s research, nothing has been found tying the malware to any known cybercrime or espionage group, but whoever crafted the malware did an excellent job of keeping it quiet as the infection is believed to have been running undetected at the facility since 2013 or 2014.

The Taj Mahal infection operates as two separate pieces: a primary infection called Tokyo that sets up a backdoor via PowerShell and calls up the command and control server.

The second component of the attack, called Yokohama, is launched after Tokyo (but can still run alongside it) and carries the vast majority of the 80 attack modules. Those modules allow for specific espionage attacks, like pulling data from print queues, taking screenshots, or stealing cryptography keys.

Kaspersky Lab lead malware analyst Alexey Shulmin said that it is likely there are other groups infected by Taj Mahal, given the complexity and wide range of capabilities. Simply put, this thing is too big and complex to be a one-off attack.

“The distribution and infection vectors for the threat also remain unknown. Somehow, it has stayed under the radar for over five years,” noted Shulmin.

“Whether this is due to relative inactivity or something else is another intriguing question. There are no attribution clues nor any links we can find to known threat groups.”

SneakyPastes sticks around the Middle East

The second attack unearthed by the Russian security house was far less steeped in mystery. A group dubbed Gaza Cybergang was said to be behind a series of politically-motivated attacks in the Middle East and North Africa, with its primary focus being in the Palestinian Territories (hence the name).

The group’s new operation, dubbed “SneakyPastes,” is believed to be the work of a relatively unsophisticated bunch (two other tiers of the group run the more technically advanced operations) and borrows heavily from scripts and code snippets lifted from sites like GitHub and Pastebin before finally installing a spyware app on the target’s PC.

The campaign targets government agencies, media outlets, and political groups, and uses phishing emails designed to look like political messages.

“Based on the analyzed metrics, the victims were spread across 39 countries and reached 240+ unique victims. The Palestinian Territories host the majority of the victims, followed by Jordan, Israel, then Lebanon, as noted in the below table,” Kaspersky says in its summary of the attack.


“The most targeted entities are embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, healthcare and banking.”

In addition to being a cheap and easy way to carry out the attack, Kaspersky researchers believe that the use of various scripts and methods of infecting victims, as well as using disposable email addresses, also helps the group hide its underlying infrastructure.

“All the stages’ executables are created as chains to avoid detection and protect the C2 server,” Kaspersky notes.

“They consist mainly of persistence mechanisms and simple instructions despite their different forms (VBS scripts, PowerShell scripts, known software with open source code that can be backdoored, and in-house built dotnet apps).”

Those worried about attack should keep an eye out for the spear-phishing techniques used by the group to infiltrate companies. The report notes that the group focuses largely on political operations, so unsolicited or suspicious attachments that play on politics and global affairs should be handled with caution (or not at all). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/10/kaspersky_malware_duo/

Android Phones Now Double as Physical Security Keys

Google debuted a series of security updates at Next 2019, giving users the option to use their phone as a second authentication factor.

Android smartphones running version 7.0 (Nougat) or later now work as physical security keys for two-factor authentication when logging into personal Google accounts and G Suite, Google Cloud Platform, and other Google apps used in and out of the office, Google announced today.

This means security-savvy Android phone users don’t have to purchase a physical key to strengthen their account protection. Google already offers the Titan Security Key, a FIDO-standard device typically used for high-value users or content, which works as a second factor for Google logins. A secure hardware chip is designed to protect against firmware attacks.

Of course, Google already offers several methods of two-factor authentication: SMS verification codes, the Google Authenticator app, and Google Prompts. But two-factor verification options vary in their security, and each has its holes. For example, an attacker could target a specific user and intercept a code sent via text message, granting them access to someone’s account.

Hardware keys are considered the strongest option of two-factor authentication, with protocols based on standard public key cryptography to block account takeover attempts. Most everyday users don’t go out of their way to buy them. However, if the key is built into a device they already have, it could stand a chance at overcoming the convenience hurdle impeding growth.

The Android-based security key, which also uses the FIDO protocol, requires a user to sign in on a Bluetooth-enabled Chrome OS, macOS X, or Windows 10 device with a Chrome browser.

How to set it up: Once you have an updated Android phone and a Bluetooth-enabled computer with an updated Chrome browser and OS, add the key to your Google account. Turn on 2-Step Verification and add a method like Google Prompts (if you don’t use it already). Go to myaccount.google.com/security. Under “Signing in to Google,” select “2-Step Verification.” Scroll to choose a second step, click “Add Security Key,” choose “Your Android phone,” then select “Turn on.”

Once that’s complete, make sure your computer has Bluetooth turned on and go to sign into your Google Account. Your phone should alert you with a notification to confirm it’s you.

The hardware security key is currently in beta mode and only works for Google applications.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/android-phones-now-double-as-physical-security-keys/d/d-id/1334389?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Merging Companies, Merging Clouds

Integrating cloud environments is anything but easy. Evaluating the security risks in doing so must be a starting component of an overall M&A strategy.

Mergers and acquisitions are an essential part of the enterprise business landscape. These deals foster innovation and create some of the biggest and most successful companies in the world.

But one of the largest potential pitfalls in any M&A transaction is mishandling IT integration and creating or failing to mitigate security risk. In the era of cloud computing, the cost of inheriting poor security can be massive and quickly destroy any value the transaction poses.

In addition, a common misconception is that if the two companies merging both operate in the cloud, integration will be easier. The reality is it’s actually harder due to the added complexity — no two cloud environments are identical, and the rate of change is so much faster compared with traditional IT. Post-acquisition IT integration used to take five to ten years, but these days, given the nonstop pace of innovation, organizations don’t have that luxury.

Today, evaluating cloud and container security risks must be a starting component of the overall M&A strategy. IT integrations must happen almost immediately, and the acquiring company needs to be ready to implement best practices and mitigate high-priority risks on day one. Failing to do so can have substantial financial repercussions in the form of breaches, loss of business and market value, fines, lawsuits, etc.

Following are three cloud considerations for organizations considering M&A activity.

Due Diligence Before It’s Due
M&A deals can move quickly, and companies often procrastinate on technical due diligence. This can prove catastrophic when the acquirer realizes only after the deal has closed that significant security gaps exist in its new network caused by differing architectural choices, configurations, standards, etc., without a plan in place for immediate remediation.

That’s why companies must begin evaluating cloud security and compliance risks from the very beginning of the M&A process. Agentless, read-only tools can enable organizations to address concerns around access while still allowing risk assessment to form a remediation strategy. Leveraging automation can enable continuous discovery to map infrastructure resources across all clouds, analyze operations, identify risks, and take action (in the form of alerts, mitigation, or remediation). This approach will help ensure major security issues can be fixed immediately after the deal closes.

Establish a Unified View of Infrastructure
One critical post-M&A activity is applying the acquiring company’s governance standards across the new entity. Doing so on a global scale is typically expensive, complex, time-consuming, and fraught with error for several reasons:

  • Lack of capacity to accomplish enormous change
  • Poor documentation and inconsistencies in tagging, classifying, and mapping assets
  • Acquired staff turnover resulting in a loss of “tribal” knowledge
  • Political and cultural disruption within the acquired entity.

Automated tools are essential. It is impossible to achieve the unified view of all infrastructure needed to apply and enforce governance standards manually. Companies must ensure they are classifying and storing data consistently during the IT integration process; otherwise, they risk failing compliance audits and paying resulting penalties. Similar to security risk identification and remediation, the application and enforcement of governance standards cannot be a one-time event. The constantly evolving nature of cloud environments means automated assessment must be continuous and pervasive.

Create Efficiency at Scale
As little as five years ago, it was common for IT teams to be solely responsible for managing and securing all of their organizations’ infrastructures. This simplified IT integrations during M&A because communication was really only needed between two clearly defined groups of people.

This is far from reality in the cloud. Access is so highly distributed that a company can have hundreds or thousands of individual, digitally savvy employees managing different assets and applying changes hourly. Recognizing and planning around this new landscape is critical in an M&A deal. Mapping responsibilities and “ownership” of various assets matters just as much as mapping the resources themselves. This is the only way governance standards and security remediations can be implemented efficiently and at scale. While this may seem daunting, it’s faster and less risky to task the original owners — who have the contextual understanding and historical knowledge of the assets — with applying needed changes.

To this end, establishing automated feedback loops ensures the right people are assigned the right tasks, and it creates a track record of accountability. The change management process should also include automated prioritizing of tasks based on risk level, ensuring intolerable risks are addressed immediately.

Time to Adapt
Failure to recognize the added complexities and greater potential security risks of merging two or more cloud environments during an M&A can have serious consequences. Companies that are still relying on traditional IT may use the M&A to play catch up by acquiring more innovative companies that have already embraced the cloud. This strategy is reasonable enough, but it means companies with no prior experience in managing risk in the cloud are forced to quickly take an accurate inventory of all assets in this complex environment and ensure compliance and security standards are met.

The whole point of an M&A is to find synergies between two or more companies and emphasize those synergies for financial gain. But if not done right, integrating cloud environments and mitigating security risks can be an incredibly costly undertaking. And if vulnerabilities go undetected and unremediated — well, where there are clouds there could be rain.


Scott Totman brings more than two decades of experience in enterprise application development to DivvyCloud. As VP of engineering, he is responsible for the ongoing development and delivery of DivvyCloud’s software. Prior to joining DivvyCloud, Totman was the vice …

Article source: https://www.darkreading.com/cloud/merging-companies-merging-clouds/a/d-id/1334314?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Android Malware Adds Persistence, Targets Australian Banking Customers

Malware campaign, which finds and exfiltrates a user’s contact list and banking credentials, could potentially grow to global proportions.

A new malware campaign that targets Android-using Australian banking customers has been discovered and, while the approach is not particularly sophisticated, elements of the malware have put security professionals around the world on guard.

The campaign, built around Gustuff malware, was discovered by Cisco Talos researchers and disclosed in a blog post authored by Vitor Ventura. The malware was offered as a botnet-for-rent on Exploit.in and has been shown to have the potential to hit banks and financial institutions around the world.

Talos researchers found the code to be obfuscated and packed, a combination that makes it very difficult to analyze with standard debuggers. They discovered that the code has multiple layers of protection against being run in a sandbox or on a device with antimalware in place. Once the code decides it’s safe to execute, though, it becomes very active, very quickly.

The malware finds and exfiltrates a user’s contact list and banking credentials, using one for spreading itself and the other for setting up criminal financial activity. So far, the malware is using SMS to spread rather slowly — slowly enough, in fact, for it to remain under the radar of many protective systems. Thus, while it’s not spreading quickly at this point, it has a target list that would allow extensive replication and spread.

“Usually we would see this sort of malware spreading by email. The SMS is slower but sidesteps some standard defense,” says Craig Williams, director, outreach, at Cisco Talos.

There are three other factors of special note with this campaign. First, it requires user intervention; the victim receives an SMS message containing a link that must be clicked on to begin the infection chain. The second is that the malware, once active, can intercept and respond to the SMS messages used in many two-factor authentication schemes.

The third special factor is fascinating to other security professionals. “One thing they did call out was the ability of this malware to re-establish its communications via text message,” says John Todd, executive director of Quad9. “If it gets disconnected, an inbound text message will allow it to reconnect. It’s an out-of-band control mechanism to re-establish broken command-and-control communications.”

While this campaign is aimed at Australian institutions and customers, Williams says there’s no barrier to its use against institutions around the world. The list of mobile financial apps monitored includes those from every major bank and many major financial institutions in the US and Europe. 

Given the nature of the malware’s activities, there are few unbeatable technology solutions. “Because it spreads via SMS, it will come down to user education,” Williams says. “Unfortunately, you can’t patch the user, so it’s always going to be a struggle.”

Todd offers some specific instructions. “If you get an SMS from me with a URL in it, don’t click on it. Don’t click on a link in a text message unless you’ve gotten a phone call telling you to expect it,” he says. “Don’t click on a link with an IP address in it. You’ll always want some DNS in the process, something with a recognizable name in it.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/new-android-malware-adds-persistence-targets-australian-banking-customers/d/d-id/1334394?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

25% of Phishing Emails Sneak into Office 365: Report

Researchers analyzed 55.5 million emails and found one out of every 99 messages contains a phishing attack.

One in every 99 emails is a phishing attack, and a new study shows 25% of those phishing attacks bypass default security measures built into Office 365, researchers reported today.

The data comes from Avanan’s Global Phish Report, which analyzed 55.5 million emails sent to Microsoft Office 365 and Google G Suite accounts. They found roughly 1% of all messages are phishing threats that use malicious attachments or links as the attack vector. Of those, 25% were marked safe by Exchange Online Protection (EOP) built into Office 365 and delivered to users.

Cloud-based email has rung in a new era of phishing, explains Yoav Nathaniel, Avanan lead security analyst and report author. “The connected nature of cloud email allows an attacker to get access to a bigger bounty from a single successful phishing attack since the credentials give them access to other connected accounts such as cloud file sharing or cloud HR,” he says.

Of 55.5 million total emails analyzed, 561,947 were phishing attacks. Researchers broke the malicious messages into four categories: over half (50.7%) had malware, 40.9% were harvesting credentials, 8% were extortion emails, and 0.4% were spearphishing attempts.

Researchers scanned about 52.4 million emails directed to Office 365, of which 546,427 (1.04%) were phishing emails. They only analyzed 3.12 million emails for G Suite, of which 15,700 (0.5%) were phishing emails. In the report, researchers note how the messages were scanned after they had gone through default security but before they were delivered to users’ inboxes.

They then took a closer look at how phishing emails were classified by Office 365 EOP, Microsoft’s cloud-based filtering service. In EOP, emails are first sent through connection filtering, which verifies the sender’s reputation and scans for malware. Most spam is deleted here, Microsoft says. Messages continue on through policy filtering, where they’re evaluated against custom rules admins can create and enforce. They’re also passed through content filtering, where they’re checked for words and properties associated with spam. Based on settings, spam can be redirected to the Junk folder or quarantined.

After going through these layers, messages deemed benign are delivered to the inbox.

Avanan reports that, of the phishing emails that made it through EOP, 20.7% were marked as phishing emails and about half (49%) were marked spam. About 5% were whitelisted by admin configurations, and 25% were marked clean and successfully sent to the target user.

Bypassing Filters

How do some emails sneak through? Nathaniel says part of the reason is obfuscation, which relies on emails being displayed to end users differently from how they appear to the machine-based security layer. Obfuscation comes in different forms: rare but legitimate email formats, which aren’t properly analyzed by security but are delivered to inboxes; malformed emails and attachments that parse HTML to confuse the security layer but appear safe to the email client; and hidden characters in the email body, which are intended to trick the security filter.
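Two of the points above lend themselves to a concrete check: the hidden characters in a message body that split a word for the filter but not for the reader, and (from Todd’s advice in the Gustuff article earlier on this page) links whose host is a raw IP address rather than a DNS name. The Python below is an added example written for this page; it is not code from Avanan’s report or from any of the quoted sources. The URL regex, the phrase list, the `screen_message` function and the sample message body are all constructed assumptions for the demonstration.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Regex for http(s) URLs in plain text (constructed for this example; not a
# full RFC 3986 parser, just enough to pull links out of a message body).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Dotted-quad host: the link points at a bare IPv4 address, not a DNS name.
IPV4_HOST_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Phrases a naive keyword filter might look for (hypothetical list).
SUSPICIOUS_PHRASES = ("suspended", "verify", "payment")


def find_hidden_characters(text):
    """Return (index, unicode_name) for every Unicode 'format' character
    (category Cf) in text. Zero-width spaces and joiners, soft hyphens and
    the BOM all fall in this category: a mail client renders them as
    nothing, but they split words for a filter matching on raw text."""
    return [
        (i, unicodedata.name(ch, "UNNAMED FORMAT CHARACTER"))
        for i, ch in enumerate(text)
        if unicodedata.category(ch) == "Cf"
    ]


def strip_hidden(text):
    """Approximate what the recipient actually sees by dropping Cf characters."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def phrase_hits(text, phrases=SUSPICIOUS_PHRASES):
    """Case-insensitive substring match, the way a naive keyword filter works."""
    low = text.lower()
    return [p for p in phrases if p in low]


def links_with_ip_host(text):
    """URLs whose host is a bare IPv4 address (the pattern Todd warns about)."""
    hits = []
    for m in URL_RE.finditer(text):
        host = urlparse(m.group(0)).hostname or ""
        if IPV4_HOST_RE.match(host):
            hits.append(m.group(0))
    return hits


def screen_message(text):
    """Run the checks on one message body and return a summary. The message
    is flagged when hidden characters or raw-IP links are present, or when
    stripping the hidden characters reveals keywords the raw text lacked
    (i.e. the filter and the reader would have seen different words)."""
    hidden = find_hidden_characters(text)
    rendered = strip_hidden(text)
    raw_hits = phrase_hits(text)
    rendered_hits = phrase_hits(rendered)
    ip_links = links_with_ip_host(rendered)
    revealed = set(rendered_hits) - set(raw_hits)
    return {
        "hidden_characters": hidden,
        "rendered_text": rendered,
        "phrases_raw": raw_hits,
        "phrases_rendered": rendered_hits,
        "ip_host_links": ip_links,
        "suspicious": bool(hidden or ip_links or revealed),
    }


# Constructed sample body: a zero-width space splits "suspended", a soft
# hyphen splits "Payment", and the login link uses a raw IP address
# (203.0.113.0/24 is the RFC 5737 documentation range, not a real host).
SAMPLE_BODY = (
    "Your account has been sus\u200bpended. Verify at "
    "http://203.0.113.5/secure-login within 24 hours. "
    "Pay\u00adment details: https://example.com/invoice"
)

if __name__ == "__main__":
    result = screen_message(SAMPLE_BODY)
    for key, value in result.items():
        print(f"{key}: {value!r}")
```

Running the block on the sample shows the gap the article describes: the raw text matches only “verify”, while the text the reader sees matches “suspended” and “payment” as well, so any filter that keys on words should normalise format characters out before matching. A real deployment would extend the same idea to homoglyph and HTML-level tricks, which this example does not cover.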

Obfuscation makes up “quite a small number of attacks,” says Nathaniel. “We see them targeting extremely high-profile individuals … they save it for special occasions.” This may include targeting a CEO or C-suite executives of Fortune 500 companies, using attacks they don’t want to land in a Junk folder.

Analysts also pulled data on different characteristics of phishing emails, which yielded some interesting data. For example, 35% of messages containing links to WordPress websites are phishing attacks. “Just the fact that it sent you a link to a WordPress site already makes the email suspicious,” Nathaniel points out. And Bitcoin wallet links are almost a sure red flag: 98% of messages with cryptocurrency wallet links turn out to be malicious, researchers learned.

“It’s important to note there’s rarely a legitimate reason to send a cryptowallet address via email,” he continues. This is typically done via text, or money is sent using an app.

Finally, the report notes that out of every 25 branded emails, at least one is likely to be a phishing attempt. Microsoft is the most frequently impersonated brand (43%) for most of the year, followed by Amazon (38%), which takes the lead during the holiday shopping season.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/25--of-phishing-emails-sneak-into-office-365-report/d/d-id/1334397?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Senate Bill Would Ban Social Networks’ Social Engineering Tricks

Bill takes aim at tactics used to convince people to give up their personal data, designing games that addict kids, and more.

A new Senate bill seeks to end those barrages of misleading prompts that say “turn on notifications” when they mean “give us all your everything.”

The Deceptive Experiences To Online Users Reduction (DETOUR) Act was introduced Tuesday by senators Deb Fischer (R-NE) and Mark R. Warner (D-VA). It could be included in a national data privacy bill being drafted by the Senate Commerce Committee, according to Sen. Warner in a CNBC interview (via Reuters).

The bill takes aim at some of the sneakier tactics social media companies use to coerce people into handing over their personal information. It would also prohibit the companies from choosing groups of people for behavioral experiments without first obtaining informed consent. Online platforms that have over 100 million active users per month would also be prohibited from designing addictive games for children under the age of 13.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/senate-bill-would-ban-social-networks-social-engineering-tricks/d/d-id/1334395?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Majority of Hotel Websites Leak Guest Booking Info

Third parties such as ad, search engine, and analytics firms often have access to guest name, address, phone numbers, credit cards and other data, Symantec says.

Information that people submit when making an online hotel reservation is often available in its entirety to a lot more parties than just the hotel itself.

New research from Symantec shows that a majority of hotels, from small independent properties to large five-star resorts and chains, routinely leak detailed guest booking data to third-party advertisers, social media websites, data aggregators, and other partners.

Guest information available to such parties includes full name, address, mobile phone number, passport number, and the last four digits of credit card numbers.

Candid Wueest, a threat researcher at Symantec, tested more than 1,500 hotels in 54 countries to understand the scope of the problem. He discovered that more than two-thirds of them (67%) were inadvertently leaking booking reference codes to third-party sites. “The information shared could allow these third-party services to log into a reservation, view personal details, and even cancel the booking altogether,” he said in a report Wednesday.

Nearly six in 10 (57%) of the sites tested sent a confirmation email to guests after a booking was completed. The emails contained a link that allowed the guest to open their reservation details directly, without having to log in.

Because the emails use a static link, the booking reference code and the guest’s email address are carried in the URL itself. What makes this an issue is that many hotels load additional content, such as advertisements, on the same booking overview page, and the browser sends that page’s full URL, query string included, in the Referer header of its requests for those third-party resources.

Wueest’s research showed that some hotels in fact share the booking reference code with as many as 30 different third parties, including social networks, search engines, analytics and advertisement services.

Wueest says his tests show that such third parties generate an average of 176 requests per booking. A “request” by these third parties can be a resource such as an image, a JavaScript file, or an iframe, he says. While not all of these requests contain booking details, they do give an indication of how widely hotels share guest data directly and indirectly.

In many cases, guest booking information remained available on the hotel website and accessible via the email link even after a customer canceled the reservation.

Emails with direct links are not the only problem. Some hotel websites in Wueest’s study leaked guest information with online partners during the booking process itself, while others leaked it when customers logged in to their reservation page.

In addition, nearly 30% of the sites sent the reservation link in the email over plain HTTP rather than HTTPS. An attacker on the same network, for example a public hotspot at an airport or a hotel, could therefore intercept the link and use it to view or modify the booking.
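The leak mechanism described above, as an added example that is not part of Symantec’s research or any hotel’s code: a Python model of the Referer header a browser attaches when the booking overview page loads third-party resources, evaluated under the browser default referrer policy of the time (no-referrer-when-downgrade) and under a stricter policy, plus the checks a reviewer would run on a confirmation link and the shape of the fix Wueest recommends. The hostnames, the confirmation link, the page HTML and the parameter names are constructed for this example.

```python
import re
import secrets
from urllib.parse import parse_qs, urljoin, urlsplit, urlunsplit

# Constructed sample: a confirmation link of the kind the article describes,
# carrying the booking reference and guest e-mail as query parameters over HTTP.
SAMPLE_LINK = "http://hotel.example/booking/overview?ref=ABC12345&email=guest%40example.com"

# Constructed sample: the overview page that link opens, which also loads
# third-party advertising, analytics and social-media resources.
SAMPLE_PAGE = """<html><body>
<h1>Your reservation</h1>
<img src="https://pixel.ads.example/track.gif">
<script src="https://cdn.analytics.example/a.js"></script>
<iframe src="http://social.example/like"></iframe>
<img src="/static/logo.png">
</body></html>"""

RESOURCE_RE = re.compile(r'\b(?:src|href)="([^"]+)"')


def referer_for(page_url, resource_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser sends when page_url loads resource_url.

    Models three Referrer-Policy values. "no-referrer-when-downgrade" was the
    browser default when this research was done: the full page URL, query
    string included, goes to every resource unless the page is HTTPS and the
    resource is plain HTTP."""
    page = urlsplit(page_url)
    res = urlsplit(urljoin(page_url, resource_url))
    origin = urlunsplit((page.scheme, page.netloc, "", "", ""))
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    downgrade = page.scheme == "https" and res.scheme == "http"
    same_origin = (res.scheme, res.netloc) == (page.scheme, page.netloc)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else (full if same_origin else origin)
    raise ValueError(f"unsupported policy {policy!r}")


def leaked_parameters(page_url, html_body, policy="no-referrer-when-downgrade"):
    """Map each third-party host to the query parameter names it receives via Referer."""
    page = urlsplit(page_url)
    leaks = {}
    for raw in RESOURCE_RE.findall(html_body):
        res = urlsplit(urljoin(page_url, raw))
        if res.netloc == page.netloc:
            continue  # first-party resources are not the concern here
        ref = referer_for(page_url, raw, policy)
        params = list(parse_qs(urlsplit(ref).query)) if ref else []
        if params:
            leaks[res.netloc] = params
    return leaks


def link_findings(link):
    """Findings a reviewer would raise about an e-mailed reservation link."""
    u = urlsplit(link)
    q = parse_qs(u.query)
    findings = []
    if u.scheme != "https":
        findings.append("link is not HTTPS; it can be read or altered on a shared network")
    if any(k in q for k in ("ref", "booking", "reservation")):
        findings.append("booking reference is a URL parameter")
    if "email" in q:
        findings.append("guest e-mail is a URL parameter")
    return findings


def harden_link(link):
    """The fix the article recommends, modelled as the response the server sends
    after redeeming the e-mailed link: redirect to an HTTPS overview URL with no
    secrets in it, and identify the booking through an opaque cookie instead.
    The server keeps the token -> booking mapping; nothing in the overview URL
    can reach a third party via Referer."""
    u = urlsplit(link)
    clean = urlunsplit(("https", u.netloc, u.path, "", ""))
    token = secrets.token_urlsafe(32)  # stored server-side against the booking
    cookie = f"booking={token}; Secure; HttpOnly; SameSite=Lax; Path={u.path}"
    return clean, cookie


if __name__ == "__main__":
    print("findings:", link_findings(SAMPLE_LINK))
    print("default policy leaks:", leaked_parameters(SAMPLE_LINK, SAMPLE_PAGE))
    print("strict policy leaks:", leaked_parameters(SAMPLE_LINK, SAMPLE_PAGE,
                                                    "strict-origin-when-cross-origin"))
    print("hardened:", harden_link(SAMPLE_LINK))
```

Under the default policy all three third-party hosts receive both `ref` and `email`; a `Referrer-Policy: strict-origin-when-cross-origin` header cuts the Referer down to the origin, but it is a mitigation, not the fix: the booking reference is still in a URL that sits in the guest’s mailbox, browser history and proxy logs, which is why moving it out of the URL, as `harden_link` does, is the recommended change. (Browsers moved their default to strict-origin-when-cross-origin in 2020, after this research.)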

Privacy and Compliance Risks

For consumers, the key takeaway is that personal information including their full name, home address, email address, credit card details, and passport number might not be kept private when booking hotels, Wueest says.

“The main takeaway here for hotel sites and operators is the fact that this issue exists, despite the [EU General Data Protection Regulation] coming into effect in Europe almost one year ago,” he says.

GDPR and other privacy statutes such as the California Consumer Privacy Act prohibit such information sharing without clear, explicit disclosure and consumer consent. Hotels need to take the time to assess their processes and data protections to ensure they are compliant, Wueest notes.

Technically at least, hotel websites and operators can detect whether any of their trusted partners are using their access to actually view guest reservation information. A hotel could, for instance, check its web server access log for many different bookings being opened from a single IP address, Wueest says. “But it’s doubtful that there are alerts in place to automatically detect this in all hotels,” he says.
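One way to implement the access-log check Wueest describes, as an added example rather than Symantec’s or any hotel’s tooling: parse Combined Log Format lines, pull the booking reference out of each reservation request, and flag any client IP that opened at least a threshold number of distinct bookings. The log lines, the `/booking/overview` path and the `ref` parameter name are constructed assumptions; adapt the regex and the path prefix to the real log format and routes.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log in Combined Log Format. 203.0.113.7 and
# 203.0.113.9 each open their own booking; 198.51.100.20 walks through
# several different bookings from one address with a scripted client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2019:10:01:02 +0000] "GET /booking/overview?ref=AAA11111&email=a%40example.com HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2019:10:01:03 +0000] "GET /static/logo.png HTTP/1.1" 200 810 "http://hotel.example/booking/overview?ref=AAA11111&email=a%40example.com" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2019:10:02:11 +0000] "GET /booking/overview?ref=AAA11111&email=a%40example.com HTTP/1.1" 200 5120 "-" "python-requests/2.21"
198.51.100.20 - - [10/Apr/2019:10:02:12 +0000] "GET /booking/overview?ref=BBB22222&email=b%40example.com HTTP/1.1" 200 5120 "-" "python-requests/2.21"
203.0.113.9 - - [10/Apr/2019:10:03:40 +0000] "GET /booking/overview?ref=BBB22222&email=b%40example.com HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2019:10:02:13 +0000] "GET /booking/overview?ref=CCC33333&email=c%40example.com HTTP/1.1" 200 5120 "-" "python-requests/2.21"
198.51.100.20 - - [10/Apr/2019:10:02:14 +0000] "GET /booking/overview?ref=DDD44444&email=d%40example.com HTTP/1.1" 404 220 "-" "python-requests/2.21"
"""

# Combined Log Format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Yield one dict per line that matches the log format; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def booking_ref(path):
    """Booking reference from a reservation request path, or None for other requests."""
    u = urlsplit(path)
    if not u.path.startswith("/booking/"):  # assumed route prefix
        return None
    return parse_qs(u.query).get("ref", [None])[0]  # assumed parameter name


def bookings_per_client(text, only_success=True):
    """Map client IP -> set of distinct booking references it viewed.

    Only successful responses count by default: a 404 for a guessed reference
    is a different signal (enumeration) and is worth its own alert."""
    seen = defaultdict(set)
    for rec in parse_log(text):
        if only_success and rec["status"] != "200":
            continue
        ref = booking_ref(rec["path"])
        if ref:
            seen[rec["ip"]].add(ref)
    return seen


def flag_clients(text, threshold=3):
    """Clients that viewed at least `threshold` distinct bookings, busiest first."""
    per = bookings_per_client(text)
    flagged = [(ip, len(refs)) for ip, refs in per.items() if len(refs) >= threshold]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, count in flag_clients(SAMPLE_LOG):
        print(f"{ip} opened {count} distinct bookings")
```

A real deployment would add a time window (distinct bookings per IP per hour) and whitelist the operator’s own monitoring, but the core of the alert is just this: one source address should not be opening other guests’ reservations. Note that the hotel’s own log also shows the problem from the first line of the sample: the Referer on the `/static/logo.png` request carries the booking reference and e-mail, which is exactly what every third-party resource on the page receives too.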

Hotel operators are not the only ones guilty of such inadvertent data leaks. A report by Wandera earlier this year showed many airline companies are putting passenger data at risk by sending them similarly unencrypted links to check-in for flights. The links give attackers a way to view and change passenger details and to print the boarding passes, Wandera found.

Hotels and booking services need to review their online reservation processes and ensure they are compliant with applicable laws, Wueest says. “Sites should use encrypted links and ensure that no credentials are leaked as URL arguments, for example by using cookies,” as permitted by privacy laws, he says. “This is notably a developer issue.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/majority-of-hotel-websites-leak-guest-booking-info/d/d-id/1334396?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Two robocallers fined $3m for Google listings scam

Two robocall scammers have been fined over $3 million in a US court for defrauding small businesses. The pair pretended to represent Google and falsely took unwitting business owners’ money in return for the promise of better search results.

Judge Cecilia Altonaga fined Dustin Pillonato and Justin Ramsey, owners of Pointbreak Media, LLC and Modern Source Media LLC, $3,367,666.30 for their robocalling campaign.

According to a court affidavit filed last May, they used their robocall system to phone small businesses offering Google listing ‘claiming and verification’ services. They said that they were affiliated with Google and warned them that their businesses would be removed from Google search results unless they paid up. It was, in short, a shakedown. As in, ‘nice search ranking you’ve got there. It’d be a shame if something happened to it.’

They went further, though, trying to upsell the victims with extra services like higher rankings on certain keywords. When victims paid up, they got nothing.

To add insult to injury, this pair even called people on the FTC’s National Do Not Call Registry, which is the system that it set up to protect consumers from nuisance calls.

According to the affidavit, Pointbreak Media had already drawn attention from Bank of America Merchant Services, which closed the company’s account in October 2017 over predatory services, scare tactics, and high chargeback rates. The affidavit added:

Point Break then wrote itself hundreds of checks, without authorization, using prior or existing customer checking account data.

The pair used a portfolio of shell companies to try and divert attention from their scammy practices. These included Modern Spotlight LLC, Modern Spotlight Group LLC, Perfect Image Online LLC, National Business Listings LLC, and DCP Marketing LLC. They tried to use the structure of the companies they owned to deny liability, but the judge threw out that claim, along with another that denied personal liability for the scams. She said:

Pillonato and Ramsey are personally liable for the Modern Spotlight Defendants’ deceptive sales because they directly participated in the deceptive sales practices.

Well, good – but it may all be for nothing. A Wall Street Journal investigation last month found that even though the Federal Communications Commission (FCC) has ordered illegal robocallers to pay $208m in total, it has collected just $6,790. With big bucks to be made, this means that spammy sleazebags have little to lose by cranking up their robocaller software and having at it.

Ramsey seems to be a good example of this. He already had form, having been collared for robocalling before. A standing FTC court order barred him from placing outbound robocalls unless he could prove he was calling only businesses, and required him to disclose the caller’s name on all outbound sales calls. He was also forbidden from calling numbers on the Do Not Call Registry, court documents showed, adding:

At the time that Ramsey agreed to these provisions, he already was violating them through Point Break.

In many cases, scam robocalls come from other countries, making it even less likely that you’ll nobble them. There are a variety of smartphone apps that aim to catch and block these calls, which may work for you if you’re plagued by robocalls.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UM5HMahensc/