The number of recent breaches from Marriott International, the United States Postal Service, Dell EMC and Dunkin’ Donuts have potentially exposed well over a half-billion customer records ranging from passport data, bankcard information to reward program specifics. Why the sudden influx on what has already been a busy year of breaches?
To answer that question, Threatpost turned to Chris Vickery, a data breach hunter with UpGaurd, who has digitally unearthed terabytes of private, personal and financial data online. Threatpost caught up with Vickery as news was breaking regarding the theft of Marriott International’s 500 million Starwood Hotel guest reservations.
Threatpost: From your perspective, what happened in the Marriott breach?
Vickery: To be clear, there isn’t much information about the Marriott breach to come to any conclusive understanding. There are some interesting things that Marriott is not saying, which we can make some assumptions about. But again, nothing conclusive.
Threatpost: What are you not hearing, that interests you?
Vickery: If you read very carefully what Marriott said in their own press release and what they’ve said to various outlets, you realize people are reading into this and trying to draw a lot of conclusions that aren’t supported.
If you look at Marriott’s statement they don’t use the word “hack” at all. Marriott has said there was some unauthorized access to the data. But the the allegations of hacking are coming from outside sources. At this point we just need to – kind of – calm our nerves and stay rational. There’s a lot of possibilities in terms of what happened.
Threatpost: So, what’s your take?
Vickery: The Occam’s razor analysis of this is; the system was accessed by an unauthorized party repeatedly as far back as 2014. They aren’t saying data was taken in 2014, rather that there ‘had been unauthorized access to the Starwood network since 2014.’
People have been speculating that there has been some type of black hat type of hack. But the only malicious part of what Marriott has said is the data was being encrypted. I’m not sure I know what to make of that. They found supposed copies / duplicates of the data that this supposed bad guy intruder encrypted.
That to me says someone had access to their network and had access to the data, and may have been trying to extort them once they got it all the data encrypted and locked down.
Threatpost: Does this breach follow a familiar pattern?
Vickery: Usually when there is a breach like this, the data is encrypted, ransomed or (the victim is) extorted. The breach is typically an automated process via a script. That’s what we saw with WannaCry and Merck. With those companies it was an automated exploit that finds the weakness, goes in and encrypts and then ransoms the data. There are a lot defenses that detect that kind of thing now. Keep in mind, Marriott doesn’t call this a hack. It’s careful to say an ‘unauthorized party’ and ‘copied and encrypted information, and took steps towards removing it.’
Threatpost: So, when you read between the lines, what are you hearing? Is Marriott walking a tightrope when it comes to disclosure in that their hand is being forced because of new GDPR rules?
Vickery: Good point. Usually a company would jump at the occasion to claim they were hacked, because in the US, it’s classically been harder for regulators to go after these companies. On the other hand, if it was unauthorized access by a contractor or an ex-employee or somebody like that, it’s a lot easier to go after them.
Again, we just don’t have all the information here to make a determination. But, given there are 500 million people wrapped up in this, it’s going to be an international thing and we are probably going to be dealing with GDPR issues.
Threatpost: Taking a look at the big picture, in the past couple weeks we have seen a dizzying number of breaches from the United States Postal Service, Dell EMC, Dunkin Donuts and now Marriott. What’s going on?
Vickery: With specificity to the recent rash of big name breaches, what is happening in the past weeks is the word has gotten out (in the hacker community) that many Elasticsearch instances are insecure.
There is an extremely large number of these instances [that are] insecure on the internet and people are running through them. It’s just human nature that what we are hearing about is the larger, low hanging fruit available on the public internet. And people are just picking them off.
Insecure ElasticDB are behind a large degree of what is being reported. But again, I can’t tell you that was the problem behind Marriott.
Threatpost: With Elasticsearch, please help me better understand how these breaches are similar or different to problems we have seen with leaky MongoDB, Redis and AWS S3 storage buckets?
Vickery: There is nothing fundamentally different about an ElasticDB or MongoDB. What we are seeing is the front-end of the ElasticDB, called Elasticsearch, is not being sufficiently secured. ElasticDB isn’t exactly like a true database. It was designed, instead, as a holder of data that can quickly be queried and pull data sets. Data is pulled via a true REST API and a URL, which make it easier for data extraction.
Elasticsearch is very simple and easy to use. But the problem is when things are simple like that, people tend to forget about passwords and authentication. It comes down [to that fact that] people don’t know or don’t care that Elasticsearch was never meant to be used open on the internet. There are a number of ways people can secure the data, but I guess a lot of people are just running and gunning these days.
Threatpost: So this is “deja vu all over again“, with respect to insecure databases on the internet?
Vickery: ElasticDB and Elasticsearch are really popular. And you have the exact same ingredients. These databases have the ability to be configured with no authentication and lots of users. That’s the right mix for a storm of data breaches.
I want to be very clear. I don’t know what is behind Marriott. But Elasticsearch is behind a lot of large ones we have heard of recently.
Threatpost: When the public reads all these headlines of hundreds-of-millions of breach victims, are these public breaches the tip of the iceberg or is it the iceberg?
Vickery: What you hear is just the tip of the iceberg. We’re finding data breaches all day, every day. And we do have a platform that helps clients and notifies them whenever we come across something. It’s all taken care of according to regulations and laws. But we just don’t have enough time to deal with all the insecure data we find.
(Image courtesy of UpGuard)