Marriott-Starwood data breach: 500 million guests may be affected, hackers active since 2014





I don’t think this can even be described as a colossal fuck up. This is something else entirely. I need a German word for this STAT.


Why does a hotel chain collect and retain passport numbers?




I don’t know the German word, but the English one is omnishambles


What’s 4% of their global turnover? A few bureaucrats in Brussels are licking their lips right now. Massive breach, hidden for years, this is an open and shut case.


Glad I haven’t stayed in a Marriott anytime remotely recently. Though I keep getting scam calls claiming I was a recent customer. I wonder if I’ll get more or less of those calls now…


I am an old, retired IT security guy. I worked for 35 years in IT. During the last 15, I did IT Security. During that time, I saw a consistent decrease in the overall security of IT. Security has gotten worse industry wide.

Now, IT security is working harder than ever before. But, we are more insecure than ever before. We are not keeping up with the increased hostility of the Internet.

For example, every year, we submit to Pentests, carefully analyze the result, and apply correction. Every year, the Pentests find more issues. It has gotten to the point where only incompetent Pentests fail to completely compromise an organization.

We need to get better, faster. We need to look at what security is doing, and become more effective.

Currently Pentests are primarily used to deflect institutional blame. We need better Pentests that will actually reduce the likelihood of attack.

The most effective way to make Pentests more useful requires government intervention. Overall Internet security will probably continue to degrade until Government forces a change in our Risk/Reward calculations.

  • Government must increase the penalties for failing to stop attack. This means imposing significant penalties for creating public hazards, and violating the public interest.
  • Government must impose liability on software.

Everything else is stop-gap. But, maybe temporary measures can help us survive until we get effective government action.

The major problem with Pentests is that Pentest results are interpreted via “Risk Analysis” of the defender. They are evaluated with respect to the potential Risk or Loss to the organization. This seems acceptable when the view of risk is limited. However, it fails to confront reality.

The reality is, attack is always driven by THE ATTACKER’S risk analysis. Attackers are not constrained by a defender’s risk analysis. Attackers are always free to develop and target attacks that maximize the attack’s benefits. Failing to confront this reality means that institutions’ reactions to Pentests never increase security or reduce attack. We defend one thing. They attack something else.

The ever-increasing gap between defender self interest and attacker benefit has helped to create the widespread, systemic failure of IT security.

The other big problem with Pentests is that their complexity makes them vulnerable to misinterpretation, manipulation and “Spin”.

Security is complex. Pentests have to be complex, because they reflect the nature of security. But, this complexity opposes understanding. Without understanding, Pentests become irrelevant.

This same issue plagued the area of web security. SSLLabs cut through the complexity with a simple, repeatable, reporting scale. Their “A” thru “F” rankings caused great improvements in web security.

Perhaps, by following SSLLabs’ example, the Pentest industry could increase their value. For example:

  • F: The organization is vulnerable to the automated attacks currently present on the Internet. This requires that Pentest groups know the current state of automated attack. Either by close communication with peers or by tracking current attack levels. Note: The signature mindset of an “F” organization is: “Well, yes, it is easy to compromise those systems, but we don’t really care about them.” This may be OK for the organization, but it creates systemic problems for everybody else. Organizations that think this way are public hazards. They are an Internet “Typhoid Mary”.
  • D: The organization’s IT fails to detect and quickly resolve when current malware appears anywhere on its systems. This requires that Pentest groups know and have access to representative (declawed) samples of currently deployed malware. Either by close communication with peers or by tracking current malware. Almost every current attacker gets intermittent access to “0-day” attacks. This, coupled with inevitable mistakes, means that compromise and malware may appear almost anywhere and anytime. So, swiftly detecting and mitigating malware is critical to surviving compromise. An organization that can’t quickly detect and mitigate current malware has widespread compromise. If not now, they will in a few days.
  • C: The organization’s IT counters and mitigates remote targeted attack. Reflects the organization’s response to remote, motivated attackers. The current aggressive Internet attacks by the US, China and Russia have legitimized Internet attack for all the remaining governments. EVERYBODY who has anything valuable now gets a chance to receive targeted, remote attack by several governments, PLUS targeted attack by the many organized crime groups. If an organization can’t resist remote targeted attack, then they are now, or soon will be, compromised.
  • B: The organization’s IT counters and mitigates local targeted attack. Reflects the organization’s response to “insider” threats and local motivated attackers. Many organizations may be eligible for a “B” grade if they resist remote attacks, but fail to resist Denial of Service attacks.
  • A: The organization not only counters and mitigates local threats, they apprehend the Pentest team. They also have resilient infrastructure that resists major DoS attack. An “A” organization tracks current threats and creates effective defenses before they are needed.

Currently, most Pentests focus their activities on a mix of “B” and “C” level activities. This creates multiple problems:

  • All Pen-Test results are viewed as similarly significant or insignificant.
  • Organizations appear to exist at a “B” level, when they actually fail at the “F” and “D” levels.
  • Organizations who have never experienced a “B” level Insider threat or a local attacker tend to discount the “B” level findings. Then, they also discount all the other findings.

In addition to a clear, standardized ranking, for each “Finding”, the Pentest team should:

  • Evaluate if the finding creates a reasonable opportunity of attack by the organization’s likely attackers.
  • State what changes the organization could make to reduce the value of attack via this finding, to unacceptable levels. This evaluation should be based on the current, likely attackers of the organization.
  • Note: This requires that a Pentest team be aware of the value of the organization’s resources to its likely attackers, and the expected capabilities of those likely attackers.


It’s a good thing that my Marriott account isn’t tied to my United Airlines account too. Oh wait…


You think you feel that way.

This was the first story that came up on my newsfeed this morning, while I was lying in bed.

Reading the news on my phone…

…In my hotel room.


It is a legal requirement for hotels to collect passport numbers in many countries. In theory, this is to confirm your identity as well as potentially crosscheck with law enforcement for outstanding warrants or immigration violations, etc. In some countries hotel staff scans passports and sends the scan directly to the police, as well.

