#security (2018-11)

Archive: https://archive.sweetops.com/security/

2018-11-30

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Marriott hack hits 500 million guests attachment image

The hotel chain says details of up to 500 million guests may have been accessed in a database breach.

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Basically if you’ve stayed at Starwood’s hotel brands that include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton - your information is pwned

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

name address phone number email address passport number account information date of birth gender arrival and departure information

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

how they have so many people?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Starwood is one of the largest international hotel chains

tamsky avatar
tamsky

read: all guest stay details since ~2014

tamsky avatar
tamsky

luckily I can change my passport number quite easily – thanks to my newfangled e-ink passport

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Whatttt??

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Is that for real? E ink passport?

tamsky avatar
tamsky

lol

tamsky avatar
tamsky

trolled

tamsky avatar
tamsky

just imagine: single use passport numbers

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

tamsky avatar
tamsky

I think this should just teach folks everywhere to rarely share accurate details that are never used with folks that don’t need the details. Typically there are no consequences for providing a wrong birthdate / address / phone / passport#

1
joshmyers avatar
joshmyers

Oh dear.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

1Password should implement an identity generator

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

So I can have a unique identity for every property

tamsky avatar
tamsky

I like that idea

tamsky avatar
tamsky

can it also make up unique answers to “security” questions too ?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

But let 1p keep track of it so I am not stuck in identity verification hell

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yea

joshmyers avatar
joshmyers

@tamsky an e-ink passport?

1
joshmyers avatar
joshmyers

Ah, as someone that has worked at the UK passport office that sounded interesting :D

maarten avatar
maarten

So the sad part is, they store everything, but when you checkin at the hotel you still wait 10 minutes for the clerk to type everything over again and again

1
maarten avatar
maarten

Next hack will be Hertz & Enterprise

tamsky avatar
tamsky

https://www.gemalto.com/govt/travel/security-printing – apparently counterfeiting is still a thing

Security Printing: a 2018 Guide to Passport Papers and Design attachment image

Security Printing solutions for national passport integrity : an expert guide on how best Gemalto use paper elements to protect any principles of passport design.

maarten avatar
maarten

Stuff like this makes GDPR is a very needed initiative.. Policy.

tamsky avatar
tamsky

I dunno, I feel like fines, or the threat of fines, won’t prevent these events

tamsky avatar
tamsky

fines don’t get anyone’s data back

maarten avatar
maarten

Fines will make companies do more to prevent things like this to happen. Personal data must be spread out, and for warehousing it must be anonimized for example. Also the retention of data is a topic.

:100:1
maarten avatar
maarten

I was a customer of Mariott in 2015.. why is my data still there ?

tamsky avatar
tamsky

agree with all that

joshmyers avatar
joshmyers

Aye, I know UK PCI mandates data can only be stored for a year, not sure about PII

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
11:33:42 PM

@Erik Osterman (Cloud Posse) set the channel topic:

2018-11-27

joshmyers avatar
joshmyers
I don't know what to say. · Issue #116 · dominictarr/event-stream

EDIT 26/11/2018: Am I affected?: If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It on…

joshmyers avatar
joshmyers

Aye, people giving maintainer quite a lashing

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, it’s given me pause

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

we also maintain cloudposse/packages which basically bundles other repos binaries

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
07:19:28 PM
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

need something like that for npm

loren avatar
loren

blockchain for packages lol

tamsky avatar
tamsky

I don’t feel like a web of trust helps prevent the attack; and only marginally affects the ability to cast blame. Malicious code/package changes could happen, but a developer may be only guilty of having their signing key compromised.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

security is always just about layers

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

a developer can also be held at gun point

joshmyers avatar
joshmyers

^^ Sounds like suggesting a key signing party. Weird places

mrwacky avatar
mrwacky

I’m still waiting for the first malicious Ubuntu PPA

2018-11-26

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
Announcing the First AWS Security Conference: AWS re:Inforce 2019 | Amazon Web Services attachment image

On the eve of re:Invent 2018, I’m pleased to announce that AWS is launching our first conference dedicated to cloud security: AWS re:Inforce. The event will offer a deep dive into the latest approaches to security best practices and risk management utilizing AWS services, features, and tools. Security is the top priority at AWS, and […]

:--1:2

2018-11-22

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Uh oh, think solar winds properties were hacked

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
02:24:18 AM
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Wow they are planning a 500m IPO

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
SolarWinds Plans $500M IPO Three Years After Exiting Public Market attachment image

The provider of IT management solutions, currently owned by two private equity giants, has expanded its cloud capabilities this year through two major acquisitions

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
    keyboard_arrow_up