San Diego Hotel Group Suffers Payment Card Breach

By William Knowles @c4i
Senior Editor
InfoSec News
September 5, 2014

San Diego-based Bartell Hotels has released a statement detailing a data security incident that occurred between February 16, 2014 and May 13, 2014 and that may involve certain credit card data, including credit card numbers, and other personally identifiable information.

The payment card systems at the following five locations were compromised by a third-party attacker.

Best Western Plus Island Palms Hotel & Marina
Humphreys Half Moon Inn & Suites
The Dana on Mission Bay
Days Hotel–Hotel Circle
Pacific Terrace Hotel

Law enforcement and the credit card brands have been notified of this incident.

Bartell Hotels encourages its guests to remain vigilant by reviewing their account statements and monitoring their credit reports for suspicious activity, and to notify the banks that issued their card(s) of any suspicious activity.

Bartell Hotels intends to provide affected individuals with credit monitoring and identity protection services through AllClear ID.

Consumers affected by the breach who have any questions should call the hotel group's privacy counsel, Kathryn Mellinger, Esquire, at 215-977-4070.

Photo by Justin Brown via Compfight

HealthCare.gov Server Compromised by Hackers

By William Knowles @c4i
Senior Editor
InfoSec News
September 5, 2014

Unknown hackers breached and planted malware on a test server on a Health and Human Services (HHS) site that supports the Obamacare insurance website HealthCare.gov.

The commonplace malware was designed to launch “denial of service” attacks against other websites, HHS said, and there is no evidence any consumers’ personal information was sent to any external IP address. The attack did not appear to directly target HealthCare.gov, and the server that was targeted did not contain any consumers’ personal information.

The Wall Street Journal reports that, according to officials, the server was connected to more sensitive parts of the website that had better security protections. That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information, an official at the Department of Health and Human Services said. There is no indication that happened, and investigators suspect the hacker didn’t intend to target a HealthCare.gov server.

Washington officials said they are concerned an intruder gained access to the HealthCare.gov network through a basic security flaw. The server had low security settings because it was never meant to be connected to the Internet, the HHS official said. When the hacker broke in, it was only guarded by a default password, which often is easy to crack.

It should be noted that, in the 2014 Annual Report to Congress on the Federal Information Security Management Act [PDF], the Department of Health and Human Services scored only 43% in 2014, down from 50% in 2013.

Sekurity is hard – technicaleducation.cisco.com vulnerable to XSS

By William Knowles @c4i
Senior Editor
InfoSec News
August 22, 2014

On 21 August 2014 the security researcher E1337 reported to XSSposed (XSS exposed) that technicaleducation.cisco.com has an XSS (Cross-Site Scripting) vulnerability. The site currently has 2 vulnerabilities in total reported by security researchers.

Cross-Site Scripting (XSS) inserts specially crafted data into existing applications through Web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a modification to a browser script, to a different end user. XSS attacks often lead to bypass of access controls, unauthorized access, and disclosure of privileged or confidential information. Cross-site scripting attacks are listed as the number three vulnerability on the OWASP Top 10 list for 2013. XSS attacks are becoming more and more sophisticated these days and are being paired with spear phishing, social engineering and drive-by attacks.

The vulnerability is still unpatched, putting technicaleducation.cisco.com users, visitors and administrators at risk of being compromised by malicious hackers. Theft of cookies, personal data, authentication credentials and browser history are probably the less dangerous consequences of XSS attacks.

You can request to check if the vulnerability was patched or not by clicking here.

Photo by Disney.com

Black Hat, BSides Las Vegas and Def Con 2014 Coverage

By William Knowles @c4i
Senior Editor
InfoSec News
August 6, 2014

For those of you not in Las Vegas for Black Hat, BSides or Defcon, the InfoSec News mailing list still works. I’ll be doing my best to cover Black Hat, BSides, and Defcon, posting infrequently and maybe taking a little break from things at least ’til next Tuesday.

Chinese Collegiate Hacking Team Hacks The Tesla Model S, Well Sort Of…

By William Knowles @c4i
Senior Editor
InfoSec News
July 18, 2014

A team of Chinese collegiate hackers attending the Symposium on Security for Asia Network conference in Beijing has succeeded in breaking into the software used in electric cars made by Elon Musk’s Palo Alto, California-based Tesla Motors.

The South China Morning Post is reporting that a team from Zhejiang University was awarded 10,600 yuan [approximately $1707.34 USD] by the SyScan 360 Conference, held July 16th and 17th, 2014 at the Beijing Marriott Hotel Northeast in Beijing, China, where attendees were invited to hack into a Tesla Model S.

SyScan 360 organisers said on Friday: “Tesla Software Hack Challenge ended with team “yo”, from ZheJiang University, coming in first overall and winning 10,600 Yuan in prize money. No team succeeded in the mission of hacking Tesla’s door and engine within the timeframe of the challenge. Therefore, no one received the grand prize of $10,000 USD.”

Tesla had said it welcomed news of any vulnerabilities discovered as a result of the hacking competition. “We support the idea of providing an environment in which responsible security researchers can help identify potential vulnerabilities,” the company said on Wednesday.

“We hope that the security researchers will act responsibly and in good faith.”

The “yo” team hackers exploited a “flow design flaw” to gain access to the Tesla car’s system, SyScan360 announced on Weibo. The loophole enabled attackers to remotely unlock the vehicle, sound the horn and flash the lights, and open the sunroof while the car was in motion.

SyScan 360 organisers say they have reported the vulnerability to Tesla. Tesla shares (TSLA) closed at $215.40 a share, down .81% from Thursday’s close.

Creative Commons License Steve Jurvetson via Compfight