Category: hackers

White Lodging, the company behind a number of of the hotels in the US chains Hilton, Marriott, Sheraton and Westin, has been leaking thousands of guests’ credit and debit card information throughout much of 2013.

safety journalist Brian Krebs reports hearing from banking business sources in January regarding a pattern of fraud on cards used at the hotels from about 23 March 2013 up until the end of 2013.

The fraud popped up in exact hotels located in the US cities of Austin, in Texas; Chicago, in Illinois; Denver, in Colorado; Los Angeles, in California; Louisville, in Kentucky; and Tampa, in Florida.

The common denominator, it turns out, is that all of the affected hotels in those locations contain businesses run by White Lodging Services Corporation, which owns, develops and/or manages premium hotel brands.

Krebs’s sources said that it was mostly the restaurants, gift shops and other businesses that White Lodging runs within some of the hotels that were targeted, as opposed to the front desk computers that verify guests in and out.

That means that the only Marriott guests who should be affected are those who used their cards at gift shops and restaurants, Krebs notes.

Marriott issued a statement saying that “one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.”

Sophos’s Chester Wisniewski and Numaan Huq have been tracking malware behind rigged PoS systems for more than three years and are on the brink of presenting their research at this year’s RSA Conference.

Marriott mentioned fraud “at a number of hotels across a range of brands”, which makes it sound similar to we still might well hear of other hotel brands serviced by White Lodging having been targeted.

So if you’ve been in a hotel, paid for something in a hotel restaurant or gift shop, bought crafting supplies, or fundamentally touched any sliver of plastic in your wallet or purse at all whatsoever to buy so much as a gumball, keep an eye out for funky charges on your report.

The US’ National safety Agency (NSA) and its UK counterpart, GCHQ, have been honing their data-slurping technologies to suck up anything they can get from leaky smartphones, the protector reported on Tuesday.

Beyond device details, data shared over the internet by iOS and Android apps can include personal information such as age, gender, and location, while some apps share even more responsive user information, such as sexual first choice or whether a given user might be a swinger.

The Guardian, relying on top-secret documents handed over by whistleblower Edward Snowden, says that the spy guys are increasing capabilities to milk this private information from apps as innocuous as the insanely popular Angry Birds game.

Reporting in partnership with the New York Times and Pro Publica, they revealed that the NSA and GCHQ have “common tools” ready to throw against iPhone, Android and other phone platforms.

The agencies also apparently think of Google Maps as a gold mine. The Guardian reports that one project involved intercepting Google Maps queries from smartphones to collect large volumes of location data.

The documents suggest that, depending on how much information a user has provided in his or her profile on a given app, the organization could collect “almost every key detail of a user’s life”, the protector reports: home country, current location (through geolocation), age, gender, zip code, marital status – options included “single”, “married”, “divorced”, “swinger” and more – income, ethnicity, sexual orientation, education level, and amount of children.

Given how popular Angry Birds is, and given that the secret documents use it as a case study, some articles have hung Angry Birds in their headlinery – that’s like finery, but with headlines instead of undies.

But Angry Birds shouldn’t be singled out as being in any way subverted or corrupted by the NSA or GCHQ.

Angry Birds is, after all, just one of thousands of mobile apps, none of which has been indicted as complicit with, or data-raked by, the NSA or GCHQ – rather, the spying agencies are, as news reports say, simply tapping data as it flies across the network.

It’s easy to see why: it’s a heck of a lot more fun to have apps spill your beans, since in switch over we get linked to communities or get shiny doo-dads. All we have to do is fill out profiles with stuff they actually don’t, really, need – birthdates, marital status, etc.

We can take back a large chunk of our privacy simply by refusing to hand over data, whether it’s given in a profile or beamed out when we have WiFi and/or geolocation turned on.

Cinching our data waistbands can be done with three simple steps, outlined by Naked safety in the Privacy Plan Diet.

If you can live without “discover My iPad” or other such geolocation-dependent goodies, you can keep a lot of your data out of the hands of spies, marketers or other data busybodies.

But beyond information knowingly handed over in profiles, phone apps have a nasty habit of distribution more data than users may realize.

Sometimes the holes come from software bugs, but then again, sometimes data leakage is an unintended effect of users’ own, deliberate actions, such as:

Twitter users having geolocation turned on, using the word “home” in their tweets and, Presto! thereby potentially handing a nosy small function their home address.

Soldiers snapping photos that smartphones then mechanically geotag, giving the enemy their coordinates.

Beyond bugs and deliberate leakage from probably-inattentive users is yet another category: apps that silently gulp data in the environment while they’re doing innocent-seeming things in the foreground, such as being a flashlight or a mobile phone app for kids.

US China India Romania flagsLaw enforcement in four countries have managed to work together to take down a number of hackers-for-hire, all accused of operating websites present to break into email financial statement for a fee.

Arrests were made over the last week in the US, China, India and Romania, with customers of hacking services also picked up in the US, making a total of eleven arrests all told.

The target of the corresponding leap was a cluster of websites offering bespoke hacking services, mainly breaking into email and social networking sites for a variable fee. It’s not clear whether there was any connection between the sites or their operators, other than their public business model.

In the US, the FBI filed charges against five people, the main targets being two men from Arkansas idea to be behind the needapassword.com site.

The site is thought to have been involved in breaching over 6,000 email accounts. The men could face up to five-years jail time if found blameworthy.

The additional three defendants are accused of being customers of hacking sites. Two paid just over $1,000, while the third, from California, is alleged to have handed over more than $20,000 to a Chinese hacking site.

The Feds did not disclose whether this was the same site operated by Ying “Brent” Liu, who was picked up by Beijing police in link with another email hacking website, hiretohack.net, linked to around 300 account compromises. Local reports claim Liu “confessed all through examination”.

In the intervening time in India another man was under arrest, described by local law enforcement reports as only “a Pune based private person” but named by the FBI as Amit Tiwari and linked to two websites connected to over 900 email account breaches.

Lastly, Romanian police have picked up and charged four people regarding six unlike websites which may have been behind around 1,600 further account break-ins.

All in all it seems like a pretty successful operation, made all the more impressive by the complexities of international cybercrime law and the difficulties involved in coordinating action connecting several law enforcement agencies, all operating under different legal codes.

Cybercrime and law blogger Gary Warner called the cooperative effort “unparalleled” and a “great sign” of tough times to come for cybercrooks.

As well as given that details and screenshots of many of the sites involved, Warner also speculates that the Romanian haul may include the notorious celebrity-hacker known as Guccifer, before now thought to have been picked up last week.

Cybercrime is a worldwide problem and requires worldwide measures to combat it. As we’ve seen several times recently, the cyber cops of the world seem to be doing an ever superior job of working together, pooling information and assets and coordinating cases across borders to good result.

Hand and computer. Image courtesy of ShutterstockWe’re also seeing ever more action on the legal side of things, with countries from Pakistan to Nigeria effective on or finishing new laws to deal with cybercrime.

If President Goodluck Jonathan gets his way, the Nigerian proposal may even include the death sentence for cases involving dangerous transportation or loss of life, according to local information.

It’s significant for those drafting and favorable these laws to take into account the global nature of cybercrime, and make sure their local laws enable teamwork and collaboration with legal systems and enforcement agencies around the world.

So, it might be best to steer clear of punishments some might think a little great.

On a brighter note, if the trends demonstrated in the hackers-for-hire case continue, we could one day end up with a properly organized set of laws covering digital crimes all over the world, and a set of enforcement agencies to back them up, all working in unity.