Avishai Ziv’s Post

"For more than five years, Marriott has defended a massive 2018 data breach by arguing that its encryption level (AES-128) was so strong that the case against it should be dismissed. But attorneys for the hotel chain admitted in an April 10 hearing that it had never used AES-128 during the time of the breach. In fact, it hadn’t been using any encryption at all at the time but rather had been using secure hash algorithm 1 (SHA-1), which is a hashing mechanism and not encryption. During the hearing of the US District Court for the District of Maryland Southern Division, Judge John Preston Bailey ordered Marriott “to correct any information on its website within seven days.” Marriott did not issue a news release, nor did it flag the change on its homepage. Instead, it added two sentences to a page on its website from Jan. 4, 2019. The only way for consumers, shareholders, reporters or anyone else to see it is if they happened to click on the five-year-old page. The two-sentence update reads: “Following an investigation with several leading data security experts, Marriott initially determined that the payment card numbers and certain passport numbers in the database tables involved in the Starwood database security incident that Marriott reported on November 30, 2018, were protected using Advanced Encryption Standard 128 encryption (AES-128). Marriott has now determined that the payment card numbers and some of the passport numbers in those tables were instead protected with a different cryptographic method known as Secure Hash Algorithm 1 (SHA-1).”" https://lnkd.in/eSUGXU4m

Great article, Evan Schuman! Unsurprisingly, Marriott's initial claim of AES-128 encryption turned out to be inaccurate. The article states they were using SHA-1 hashing, not true encryption. It's interesting that Accenture, Verizon, and CrowdStrike all validated AES-128. This could be due to the control validation method. For instance, CrowdStrike's MDR service might not have deeply scrutinized the control if it focused on threat actor behavior then relied on the Mariott internal teams to validate encryption. It may have been a shortcoming of all three vendors. To their credit, Marriott hired external firms for validation. It seems they genuinely intended to comply despite the errors. Perhaps internal politics played a role. Someone might have given a confident but incorrect answer, assuming AES-128 encryption was in place due to the confusion between database and OS encryption. Ultimately, we can't pinpoint the exact reason for Marriott's initial misstatement. https://lnkd.in/eYFBvNYS

FCC Requires Telcos To Disclose When Your Personal Info Is Stolen: Starting today, telcos in American will need to disclose system break-ins within seven days. "[T]he same deadline now exists to report any data leaks to the FBI and US Secret Service as well," adds The Register. From the report: After releasing a proposed rule in early January and giving the industry 30 days to respond, the FCC's final rule was published today. It solidifies what the agency proposed a little more than a month ago, and what was teased in early 2022 when FCC chairwoman Jessica Rosenworcel drafted initial changes to the commission's 16-year old security "breach" reporting duties. Along with requiring that attacks are reported to the FCC within seven days of a telco discovering them, the same deadline now exists to report any data leaks to the FBI and US Secret Service as well. As the FCC planned, the new rule also eliminates the mandatory seven-day waiting period for reporting break-ins to consumers. The FCC now "requires carriers to notify customers of breaches of covered data without unreasonable delay ... and in no case more than 30 days following reasonable determination of a breach." "Reasonable determination" of a data blurt is further defined as "when the carrier has information indicating that it is more likely than not that there was a breach" and "does not mean reaching a conclusion regarding every fact surrounding a data security incident that may constitute a breach." In other words, if customers are affected then they had better be notified post-haste. The FCC has additionally extended the scope of data exposure types that telecom customers must be notified of. Prior to the passage of the new rule customers only had to be told if Customer proprietary network information (CPNI) was exposed to the world. Read more of this story at Slashdot.

There are three types of encryption: Hash function, symmetric encryption and Assymetric encryption. Hash is a one way function which means the hashed value(ciphertext) of a plaintext cannot be decrypted(deciphered). it's good for confirming data integrity(to ensure data hasn't been changed) but not for data obscurity. Also, some of the encryption algorithms have known vulnerabilities that they are no longer in use for a serious application.. SHA-1 is suceptible to Collission. https://lnkd.in/eQpz-_Zz

While we wait on the decision for Section 1071, are you up to date with the new FTC Safeguard Rule? Check out our article and the latest on Safeguard and how to maintain data security. #equipmentfinance #elfa #NEFA https://lnkd.in/gCY242fY

FCC Requires Telcos To Disclose When Your Personal Info Is Stolen: Starting today, telcos in American will need to disclose system break-ins within seven days. "[T]he same deadline now exists to report any data leaks to the FBI and US Secret Service as well," adds The Register. From the report: After releasing a proposed rule in early January and giving the industry 30 days to respond, the FCC's final rule was published today. It solidifies what the agency proposed a little more than a month ago, and what was teased in early 2022 when FCC chairwoman Jessica Rosenworcel drafted initial changes to the commission's 16-year old security "breach" reporting duties. Along with requiring that attacks are reported to the FCC within seven days of a telco discovering them, the same deadline now exists to report any data leaks to the FBI and US Secret Service as well. As the FCC planned, the new rule also eliminates the mandatory seven-day waiting period for reporting break-ins to consumers. The FCC now "requires carriers to notify customers of breaches of covered data without unreasonable delay ... and in no case more than 30 days following reasonable determination of a breach." "Reasonable determination" of a data blurt is further defined as "when the carrier has information indicating that it is more likely than not that there was a breach" and "does not mean reaching a conclusion regarding every fact surrounding a data security incident that may constitute a breach." In other words, if customers are affected then they had better be notified post-haste. The FCC has additionally extended the scope of data exposure types that telecom customers must be notified of. Prior to the passage of the new rule customers only had to be told if Customer proprietary network information (CPNI) was exposed to the world. Read more of this story at Slashdot.

FCC Requires Telcos To Disclose When Your Personal Info Is Stolen: Starting today, telcos in American will need to disclose system break-ins within seven days. "[T]he same deadline now exists to report any data leaks to the FBI and US Secret Service as well," adds The Register. From the report: After releasing a proposed rule in early January and giving the industry 30 days to respond, the FCC's final rule was published today. It solidifies what the agency proposed a little more than a month ago, and what was teased in early 2022 when FCC chairwoman Jessica Rosenworcel drafted initial changes to the commission's 16-year old security "breach" reporting duties. Along with requiring that attacks are reported to the FCC within seven days of a telco discovering them, the same deadline now exists to report any data leaks to the FBI and US Secret Service as well. As the FCC planned, the new rule also eliminates the mandatory seven-day waiting period for reporting break-ins to consumers. The FCC now "requires carriers to notify customers of breaches of covered data without unreasonable delay ... and in no case more than 30 days following reasonable determination of a breach." "Reasonable determination" of a data blurt is further defined as "when the carrier has information indicating that it is more likely than not that there was a breach" and "does not mean reaching a conclusion regarding every fact surrounding a data security incident that may constitute a breach." In other words, if customers are affected then they had better be notified post-haste. The FCC has additionally extended the scope of data exposure types that telecom customers must be notified of. Prior to the passage of the new rule customers only had to be told if Customer proprietary network information (CPNI) was exposed to the world. Read more of this story at Slashdot.

Ever had that "uh-oh" moment when you realize your personal data might be in the wrong hands? Well, AT&T is having one of those moments right now, investigating a possible data breach affecting millions of current and former customers. If you're feeling a little wary about your data security, SHI has got your back! We help businesses secure their data and manage technology solutions effectively. Read more about it in this article and let's keep those "uh-oh" moments to a minimum! #SolveWithSHI #WeAreSHI

3 Things... ONLY 3 SMALL AND FREE THINGS! I have been saying this for a minute now, to protect against #ransomware : 1) Encrypt properly 2) Backup properly 3) Test both 1 and 2 regularly Let's break it down, shall we? Number 1 COMPLETELY removes the ability to share YOUR information on the web - clear, deep or dark. Go ahead, prove me wrong, I double-dog dare you! Number 2 ALLOWS you to restore WITHOUT PAYING! If you have PROPER backups - you CAN bring your own systems back on line. Number 3 is crucial, this is to verify your ability while gaining confidence in your encryption and that you CAN bring back your systems. To that, that both 1 and 2 were done correctly. Nothing to buy, no BD, account manager, sales or someone with a "spectacular" profile headline to talk to. It comes FREE with just about every interactive device (phones, computers, servers...and the backups for those same). Brandy V. shared the article below, yesterday. This is not an "oops I forgot" moment, this is negligence and willful deception for 5 years at LEAST! The worst part, is that ALL their data, that they have spent decades building - no longer belongs to Marriott Hotels - it now belongs to anyone who wants to buy it for a negotiated amount, or free if you know where to look. In the 1980's, an evolutionary biologist, formally educated at Harvard University, named Dr. Popp - created the first "strain" of ransomware. For 35 years my three items are not "new" - and I am sure have been repeated by others for DECADES. Encrypt your orgs data as if the data held nudie pics of you and your loved ones! Backup as if your career depended on it... to provide food for that table. Test it...well, because of reason number 1 and reason number 2.

Discover the 2023 edition of Verizon Payment Security Report and learn best practices for simplifying and securing your payment data with new insights from our experienced PCI assessment experts—we’ll help you take charge of your compliance program performance. #paymentsecurity #iamvz #forwardtogether #pci