Hackers' hotel 'master key' could be big risk for business travelers →

April 25, 2018 Jonathan Greig

Cybersecurity researchers have worked on cracking the code to hotel room keys since 2003.

Two intrepid cybersecurity researchers have figured out a way to crack the security systems of hotel rooms around the world, exploiting lapses in the electronic lock systems made by Swedish lock manufacturer Assa Abloy, according to a Wednesday press release.

Assay Abloy, which created VingCard's "Vision" system, has deployed it at 42,000 properties in 166 countries, including everything from hotel rooms to garages and secure spaces, as noted by our sister site ZDNet.

Tomi Tuominen and Timo Hirvonen, researchers from F-Secure, discovered a way to breach the system after nearly a decade of research following a strange occurrence at a Berlin security conference in 2003. A friend of theirs had a laptop stolen from his hotel room with no signs of forced entry, leading the two men on a decade-long journey to prove their theory that someone had figured out how to manipulate the RFID card reader.

The specific RFID card reader they were looking into was a typical kind sold by VingCard and created by Assay Abloy for mass use at hotels across the world, as noted by Wired. What Tuominen and Hirvonen have discovered, and will exhibit at a conference in Miami this week, is a program that can not only create cards for certain rooms but a master key for every room, giving potential thieves access to any part of any hotel they choose, the release said.

The main instruments needed are a $300 Proxmark RFID card reading and writing tool and any card, either old or new, from a hotel, according to Wired. From there, Tuominen and Hirvonen only need one minute to steal data from the used card and create a master card that can open any door on the same system.

Both men have tried to downplay any fears hotels and customers may have about the loophole and have actively worked with Assay Abloy to fix their system. Although it took them more than a decade, they said if someone worked full time, they could create a similar system in far less time.

"We don't know of anyone else performing this particular attack in the wild right now," they told ZDNet in an email.

They later added: "Developing [the] attack took considerable amount of time and effort. We built a RFID demo environment in 2015 and were able to create our first master key for a real hotel in March 2017. If somebody was to do this full time, it would probably take considerably less time."

Assay Abloy has since created a new line of locks and released a patch update earlier this year to address the issue, the release said. But the patch has to be installed manually by each hotel in each lock, leading both men to wonder whether the updates had actually been implemented.

There was also a discrepancy in the number of hotel rooms that are vulnerable. According to Wired, Assay Abloy told Tuominen and Hirvonen privately that "the problem affects millions of locks in total," while publicly they have said the problem would only affect close to 500,000 rooms locks.

A spokeswoman for Assay Abloy told the BBC that any electronic device is vulnerable to hacking and that a breach of this kind would require large teams and copious amounts of time.

"Vision Software is a 20-year-old product, which has been compromised after 12 years and thousands of hours of intensive work by two employees at F-Secure," the spokeswoman told the BBC. "These old locks represent only a small fraction [of the those in use] and are being rapidly replaced with new technology."

Tuominen and Hirvonen have said they will not release information on how their device works and will only give a broad overview of their method at the conference in Miami this week, the release noted.

A similar situation six years ago led to a US-wide robbery spree of hotel rooms following the release of a list of possible lock system vulnerabilities by a security researcher. Wired noted in their article that a number of government intelligence agencies, including those in the US and Israel, claim to already have ways to hack into hotel room key systems.

The ACLU noted as far back as 2012 that some security companies were even marketing themselves by advertising their ability to teach people how to crack VingCard locks.

Many major international hotels, including the Intercontinental, Hyatt, Radisson and Sheraton, use VingCard's system and are in the process of updating the locks now that the system's vulnerabilities have been made public.

Being that a stolen laptop was the impetus for this research, it goes without saying that business travelers should use extra caution when traveling and staying at a hotel. Check with management to see if the locks have been updated and, if worried, be sure to bring your valuables with you when you leave the room.

*This article was featured on the Tech Republic website on April 25, 2018: https://www.techrepublic.com/article/hackers-hotel-master-key-could-be-big-risk-for-business-travelers/

Hackers hit Saks Fifth Avenue and Lord & Taylor, stealing credit card data of millions →

April 2, 2018 Jonathan Greig

Russian-speaking hackers compromised systems at the luxury retail outlets in May 2017, and are now offering the data of millions on the dark web.

Hackers have put the credit card data of 125,000 people up for sale on the dark web and have the information of another 5 million people after infiltrating the systems of high-end retailers Saks Fifth Avenue and Lord & Taylor.

Both stores are owned by Canada-based Hudson's Bay Company, which only confirmed the hack after cybersecurity firm Gemini Advisory released information on the breach in coordination with a number of affected financial institutions. The Gemini Advisory report estimates that the breach first occurred in May 2017, but was only detected after the hackers announced details of their attack in March 2018.

On Wednesday, March 28, infamous hacking syndicate JokerStash, also known as Fin7, announced that it had information from 5 million credit and debit cards, which it was offering for sale on the dark web.

According to Gemini Advisory, the financial institutions involved have confirmed that the credit and debit card numbers are real and say most were stolen from stores in New York and New Jersey. The data was stolen through malware that was installed on cash registers and was still funneling card numbers to the hacking group until last month, the report said.

In a statement, Saks Fifth Avenue said they "took steps to contain" the hack and "believe it no longer poses a risk to customers shopping at our stores."

"Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring," Saks Fifth Avenue wrote in the statement, adding that their e-commerce sites had not been affected by the hack.

But Gemini said the hackers are openly offering about 35,000 card numbers for sale from Saks Fifth Avenue and about 90,000 from Lord & Taylor, with almost 5 million more they can continue to sell for years.

"The theft of five million payment cards is undoubtedly among the most significant credit card heists in modern history, and will negatively affect a large number of consumers in North America," Gemini Advisory wrote.

"Cardholders who frequently shop at luxury retail chains like Saks Fifth Avenue are more likely to purchase high-ticket items regularly; therefore, it will be extremely difficult to distinguish fraudulent transactions from those of a legitimate nature, allowing criminals to abuse stolen payment cards and remain undetected for a longer period of time," Gemini Advisory continued.

JokerStash is well known for its hacks of many stores and outlets, including Whole Foods, Chipotle, Omni Hotels & Resorts, and Trump Hotels, the report said.

The hack comes on the heels of other major security breaches at companies across the country in the last five years. Just last year, credit reporting company Equifax admitted that data—including social security numbers, addresses, tax ID numbers, and driver's license information—from 145.5 million Americans had been stolen. Additionally, 56 million card numbers were stolen from Home Depot in 2014 and 40 million from Target in 2013.

Sportswear company Under Armour admitted on Friday that hackers had broken into their system and stolen data from the MyFitnessPal fitness-tracking app, exposing information from 150 million users.

Gemini urged all brick-and-mortar stores to switch from magnetic stripe card machines to Europay Mastercard and Visa, or EMV, terminals, which are able to verify purchases through a microchip in the physical card itself.

*This story was featured on Tech Republic’s website on April 2, 2018: https://www.techrepublic.com/article/hackers-hit-saks-fifth-avenue-and-lord-taylor-stealing-card-data-of-millions/

Baltimore emergency 911 dispatch hacked, taken offline for 17 hours →

March 28, 2018 Jonathan Greig

The cyberattack slowed emergency response times as dispatchers had to resort to manual methods.

Government officials in Baltimore recently confirmed that their emergency dispatch system was infiltrated by unknown hackers around 8 am on Sunday, forcing the city to shut the entire system down and handle emergency calls manually for nearly 17 hours.

The office of Baltimore Mayor Catherine Pugh confirmed the hack yesterday and the city's CIO, Frank Johnson, told the Baltimore Sun that instead of emergency calls being "being relayed to dispatchers electronically, they were relayed by call center support staff manually."

Hackers breached the city's CAD system, which manages 911 and 311 calls, and city officials quickly took the affected server offline, Johnson told the Baltimore Sun. City officials didn't comment in detail on the situation, although they confirmed that the police department and the FBI became involved almost immediately. The system was eventually restored at 2 am on Monday.

The story of what happened in Baltimore gained prominence this week as Atlanta also struggled with a similar but even more widespread hacking event, as reported by our sister site ZDNet.

Since Thursday, all of Atlanta's government computers were shut down during a ransomware attack by notorious hacking group SamSam. Just last year, the group hacked into the Dallas emergency system and set off tornado sirens, according to the New York Times.

In Atlanta this weekend, the group demanded a $51,000 payment in Bitcoin in exchange for releasing all of the government's files and threatened to destroy them if they weren't paid. Details on the resolution are murky due to the ongoing government investigation, but Atlanta city officials were able to use their computers again on Tuesday, the Times reported. At a press conference, Atlanta Mayor Keisha Lance Bottoms called the multi-day hack a "hostage situation."

Law enforcement officials across the country have been raising the alarm about possible cyberattacks to government entities, highlighting the fact that hackers have been upping the ante against hospitals and emergency services, believing them to be the parts of government that can least afford to be down for long periods of time.

CIOs in a number of states said in a 2016 ICMA survey that local governments needed to prioritize cybersecurity like any other service, due to the rapidly rising number of attacks.

"The survey...found that about one-quarter of local governments reported that they were experiencing attacks of one kind or another, successful or not, at least as often as once an hour," the New York Times wrote. But they added that only about a third of local governments had a detailed plan to handle hacking situations.

"A smart local government will have fire, police and cybersecurity at the same level," David Jordan, CISO for Arlington County, VA, told the New York Times.

*this article was featured on the Tech Republic website on March 28, 2018: https://www.techrepublic.com/article/baltimore-emergency-911-dispatch-hacked-taken-offline-for-17-hours/