[SecurityRatty] tag: hotel

Death Toll of Hotel Bombing in Pakistan Continues to Rise

Wed, 24 Sep 2008 23:39:00 +0000

It was no coincidence that the bombing in Islamabad which killed more than 40 and injured more than 250 was a popular place for foreigners to meet.

U.S. military personnel were attending the Marriott when the bomb exploded. The horrific injuries were not limited to foreigners however, as many Muslims were breaking their Ramadan fast and eating there at the time.

Of course, the terrorists have shown us in the past that they are not opposed to killing other Muslims as was the case in the World Trade Center bombings in 2001
The Islamabad Marriott was said to have been well fortified. If it wasn't afterall, let us hope that Hotel chains like the Marriott review the security of their overseas locations.

One thing is for sure, any overseas location that is considered a gathering place for foreigners, especially Americans in places like Pakistan, India, etc., will continue to be Prime Targets. Serious surveys need to be conducted and overall security needs to be enhanced. Vehicular access needs to be closely monitored and controlled in the more hostile regions. Marriott and all the others need to focus on counter surveillance measures to ensure the safety of their guests.

Islamabad Bomb's Secret Ingredient

Mon, 22 Sep 2008 09:06:00 +0000

The terrorist attack on the Marriott Hotel in Islamabad, Pakistan caused massive destruction and loss of life. One of the reasons why: The bomb contained a lethal accelerant, found in some of the world's most powerful munitions.

SDL Press Tour Announcements

Tue, 16 Sep 2008 12:04:00 +0000

Steve Lipner here.

Last week I participated in a “press tour” talking to press and analysts about the evolution of the SDL. Most of our past discussions with press and analysts have centered on folks who follow security, but this time we also spoke with publications and analysts who write for software development organizations. I was struck by the extent to which the folks who focus on development have been grappling with many of the issues about developing secure software that we’ve focused on here at Microsoft.

Security beat reporters, whom we have been working with for years, have been exposed to a regular stream of news on the latest bugs, worms and viruses, and Microsoft’s ability to react quickly to customers affected by those attacks with patches has been the industry story for many years. Last week, I had an opportunity to get out and tell the other side of the story – what we are doing proactively as a major software vendor and platform provider to help eliminate vulnerabilities during the development process. Based on feedback from reporters and analysts who know this space, our work to take Microsoft’s SDL best practices and share them externally has clearly been a need in the industry for a long time.

The specific occasion that motivated me to spend a week in conference rooms, airplanes and hotel rooms was today’s announcement of new initiatives in sharing aspects of the SDL with the development community. These initiatives don’t make secure development a “cut and dried” process, but I believe they will take things one step further toward enabling developers to build more secure software. I’d encourage you to look at our announcements. I’m really excited that we’re taking these new steps to share more of our secure development practices and tools with developers who need them.

As always, we’d welcome your feedback about these new programs and what we should do next.

Sheraton Lounge with Free Wi-Fi in Central Park's Sheep Meadow

Tue, 16 Sep 2008 05:49:57 +0000

Sheraton builds lounge in Central Park with Wi-Fi: It's a publicity stunt, but the hotel chain wants to promote the fact that it's updated its hotel lounges or some nonsense, so they've taken over the famous Sheep Meadow, blanketing it in free Wi-Fi through September, and offering snacks and such next Monday. Central Park already has some Wi-Fi, including at Sheep Meadow.

A New Security Breach in Google Docs Revealed

Mon, 15 Sep 2008 07:59:03 +0000

I am a big fan of Google and, over time, I have started to enjoy the freedom from my desktop with Google Docs. For example, when I keep track of business expenses I have found it easier to update a Google Spreadsheet versus depending on Microsoft Excel on my laptop because I can update from anywhere in the world and share with my bookkeeper too. So, I’ve been using Google Docs more lately.

Today, however, I discovered a huge security breach in Google Docs. While I was in my account working on a spreadsheet I suddenly found my Google Doc account listing many documents that did not belong to me. I clicked on one of the documents and the results are in the image below, where my Google Doc session appears to have “crossed over” with another users.

I decided to do a bit more exploring and take a few more screenshots, because I don’t yet know how to reproduct this security breach. The image below show a Google document (fifth from the top) which is not owned by me, “owned by me”. However, when I click on this mysterious “owned by me” document, it is owned by another user. Here is another screenshot below; you can click on the image for the full-screen version.

Again, here is another example of the same security violation with two documents. As above, you can click on the image for a full-screen version.

I contacted the owner of the Google Docs account which I had suddenly and mysteriously “crossed sessions” with today. I asked him if he was in Thailand (since a few of the documents were in Thai) and he said yes, however he say he did not have any Thai language documents in his account. However, as you can see from the screenshot, the Google Docs menu shows this person as “the owner” of a Thai language document. He also mentioned that, today, he saw “wierd documents” in his account that did not belong to him (or “normally” shared with him).

Unfortunately, I was having problems with the Internet connection in my hotel room so I could not continue to investigate the breach. When I logged back in a few hours later, everything was back to normal. So far, all is “normal” and I have not been able to repeat this breach.

I suspect the Google Docs flaw comes from a JavaScript error in how Google manages user sessions. The bottom line is that the security breach is real and dangerous. Your Google Docs, and I suspect other Google applications that use the same session management code, are vulnerable. There may be an underlying XSS vulnerability as well.

Note: Reposted from my original post on the ISC2 blog.

Too Many Events, Too Little Time

Thu, 11 Sep 2008 11:00:42 +0000

ScienceLogicians will be scattering around the nation next week to cover 5 shows. Where we’ll be:

Interop NY

East Coast version of this major networking show. ScienceLogic is the official provider for network monitoring and help desk for InteropNet, the world’s largest temporary network. See us in action in the NOC. Stop by the booth, #1045, to chat, pick up your own deck of EM7 cards, or fill out a survey for a free t-shirt.
When: Conference runs from Mon 9/15 – Friday 9/19. Expo days are Wed 9/17 – Thurs 9/18.
Where: The Javits Center, NYC.

VMworld 2008

The largest virtualization show put on by VMware, the leader in the space. VMworld is only a couple of years old but growing like gangbusters. This year’s show should be an interesting one in light of all the turmoil surrounding VMware and Microsoft’s putsch, oops I meant push, into the space with Hyper-V.
When: Mon 9/15 is Partner Day. Conference runs from Tues 9/16 – Thurs 9/18
Where: The Venetian Hotel, Las Vegas.

Hosting Transformation Summit

Executive-level hosting/service provider show run by The 451 Group (and Tier 1). The analysts at The 451 Group and Tier 1 discuss state of the industry and trends.
When: Mon 9/15 – Wed 9/17
Where: The Mirage, Las Vegas

ICE Summit

Also run by The 451 Group, the ICE (Infrastructure Computing for the Enterprise) Summit will focus on “virtualization in context”. This overlaps the last day of VMworld (personally making my life a little harder).
When: Thurs 9/18
Where: The Mirage, Las Vegas

Inc 500 / Inc 5000 Conference & Awards Ceremony

Since we made it on the list (#350!), we thought we should show the flag at the Inc 500 conference, culminating in an awards gala on Saturday night.
When: Thurs 9/18 – Sat 9/20
Where: Gaylord National Resort & Convention Center at the National Harbor (DC)

Stay tuned for live blogging and video from the various events with always lively commentary from the ScienceLogicians.

Best Western Forced to Play Defense on Breach Disclosure

Mon, 01 Sep 2008 03:33:25 +0000

A dispute between Best Western and a Scottish newspaper over the scope of a data breach at the hotel chain highlighted the need from companies to get out in front on breach disclosures, rather than being forced into damage-control mode.

If there were gold medals for Data Leakage...

Wed, 27 Aug 2008 20:00:00 +0000

I've just returned from my summer vacation, somewhat foolishly deciding to spend it under canvas in the south-west of the UK and expecting to get good weather. If my tent had leaked as badly in the last couple of weeks as data seems to have been leaking in the UK during the same period, I'd be in need of an aqualung by now! If it were an Olympic sport, Britain would have beaten China for pole position in the medals table!

It all started with the loss of a memory stick by a UK Government contractor which contained somewhere around 120,000 records, including the details of 10,000 of our nation's most serious criminals. We then heard about a compromise at global hotel chain Best Western...

Every Time I See It, I Think About Logs

Wed, 27 Aug 2008 10:08:00 +0000

"Hotel chain now says data of just 10 guests was exposed; newspaper claims 8 million" (here)

Can't they look at logs and know for sure? Hmmm...

Do they have logs?

Do they know whether they have logs?

Do they know what are logs?

Ehmmmm...

Best Western Rebuts Claims of Massive Data Breach

Wed, 27 Aug 2008 09:45:00 +0000

Best Western International and the Sunday Herald newspaper of Scotland are duking it out over a story which reports that a hacker stole the records of 8 million customers from the hotel chain's global network in the "the greatest cyber-heist in world history." Best Western says 10 people were affected at one hotel.