Vulnerabilities in travel booking systems
Security researchers presented findings at a recent cyber security conference highlighting a range of vulnerabilities in travel bookings systems known as Global Distribution Systems (GDS). GDS are databases used by a range of companies, including travel agencies, airlines, hotels and car hire companies, to hold the travel information collectively known as the Passenger Name Record (PNR).
Researchers noted that GDS can be accessed in many cases with only a surname and a correct six-letter booking code. Due to weak rules for these codes, and a lack of limits on incorrect login attempts, they are particularly vulnerable to brute force guessing attacks. The code is printed on luggage tags and embedded in QR codes on tickets, so attackers may not even need to guess codes. Further vulnerabilities arise from the wide range of access points into GDS (including third party websites), as well as the existence of weak master passwords.
Researchers suggest that access to booking data could enable an attacker to cancel or rebook a flight, or use detailed travel itineraries to craft highly tailored phishing emails to passengers. They also claim that theft of passengers’ reward miles through access to GDS is already occurring, though do not provide specific examples.
The ability to access and/or manipulate PNR data, which can include emails and payment information, may be attractive to a wide range of actors, including criminals and states. The researchers recommend requiring strong passwords to access GDS as one mitigation, though note that this would require industry-wide agreement. They also highlight the importance of logging in GDS databases to gauge the scale of unauthorised accesses.
Security failings ‘contributed to $81m bank heist’
New details have emerged of security failings that allegedly contributed to the $81 million cyber heist at Bangladesh Bank in February 2016. The head of the police investigation into the theft has stated the bank’s IT technicians may have connected its SWIFT international payments system to the Internet while setting up a connection to the bank’s domestic payments system. The technicians reportedly also left a hardware token inserted in the server for months at a time, though it should have been removed and stored securely after business hours each day. Earlier findings from a Bangladesh government inquiry indicated further failings such as technicians disabling antivirus software and staff keeping a “secret notebook” of login IDs and passwords on the system.
The hackers injected six types of malware which captured keystrokes and screenshots. They were able to delay the detection of the fraudulent transactions, which required both token and password authentication. The investigators suspect that an insider at the bank provided the hackers with technical details about its computer network, as the malware was customised for the bank’s systems. The reported findings highlight the need for well-secured management terminals, and for staff managing sensitive systems to follow established security protocols and avoid taking risky shortcuts.
Ransomware infects smart TV
The downloading of an app advertising free movies over Christmas left a family’s smart TV unable to display anything other than a ransom note. The ransom message purported to come from the FBI’s cyber crime unit and demanded $500 to restore the use of the TV.
The TV appears to have been infected by a variant of ransomware called “Cyber Police” also known as “FLocker” and “Frantic Locker”. This incident, like the Mirai malware that has been exploiting remote cameras and other connected devices to carry out DDoS activity, shows that cyber criminals are increasingly targeting IoT devices.
As more devices are produced to be internet-enabled, manufacturers need to ensure that they are developed with appropriate security measures.
This particular incident did have a happy ending as the TV manufacturer provided instructions on how to carry out a factory reset to restore the TV.
US indicts suspects in ‘outsider trading’ case
US Federal authorities have indicted three Chinese men for stock market trading using inside information obtained by hacking attacks on New York City law firms. Prosecutors allege that the men, from Macau and mainland China, employed malware for about 18 months to access emails from lawyers working on corporate mergers and acquisitions. They used stolen confidential information to make over $4 million trading on firms that were about to undergo mergers.
The case has raised the profile of so-called “outsider trading”, where criminals obtain inside information through hacking to make money through financial trades. It is not the first incident of its kind. In 2015, US authorities indicted dozens of people based in the US, Russia, Ukraine, Malta, France and Cyprus. Ukraine-based hackers had reportedly used malware, spear phishing, brute force attacks and other methods to access the systems of business press release distribution services and obtain market-sensitive press releases before publication. They sold the information to corrupt traders in exchange for fees and a percentage of over $100 million in trading profits amassed over five years.
The 2015 case may have inspired similar hacking attacks against law firms. According to the business risk intelligence firm Flashpoint, they have been seen as soft targets because of poor cyber security regimes. New York State has recently issued new regulations – the first in the US – requiring banks, insurers and third-party vendors, such as law firms, to improve their cyber security with effect from March 2017.