Original URL: http://www.theregister.co.uk/2008/08/29/best_western_follow_up/

Fog of attack clouds Best Western hack

Are you local? Really?

By John Leyden

Posted in Security, 29th August 2008 10:39 GMT

Analysis Conflicting claims by Best Western and Glasgow's Sunday Herald over the scope of a recent security breach have been put under the microscope by security watchers. The paper claims that eight million records were potentially exposed, while the hotel insists only ten records were accessed.

Register readers familiar with Best Western systems said that the issue turns on whether the compromised PC was able to access the hotel chain's worldwide reservation system or only local data. The issue of whether archived data on guest records was accessible from the infected PC also comes into play.

According to the Herald, an Indian hacker sold information on how to access addresses, telephone numbers and credit card details from the hotel's online booking system after breaking into the system. Tips on how to repeat the hack were offered for sale on a Russian underground hacking forum.

The paper claimed anyone who stayed at any of 1,312 European Best Western hotels since last year - eight million people in all - could have been hit by the attack. All wrong, retorted Best Western: it maintains the breach affected only one hotel in Germany and just ten customer records. The hotel chain said it had traced the breach to the infection of a PC in a single Berlin hotel with Trojan horse malware.

In a statement, Best Western explained: "The compromised log-in ID permitted access to reservations data for that property only. The log-in ID was immediately terminated, and the computer in question has been removed from use."

Herald technology editor Iain Bruce brought the breach to Best Western's attention in the first place. He waited until the hotel had had a chance to close the hole before publishing a story containing a quote from Best Western.

Since then the two have fallen out big style, with Best Western claiming the Herald's numbers (based on how many people stayed at the hotel over the course of a year) are a load of dingo's kidneys. The hotel angrily denounced the Herald's story, suggesting its reporter had failed to check his facts.

However, Bruce told ITWire that he put the figures to the hotel prior to publication. He said he derived the figure of eight million from the fact that the hacker offered Best Western's entire European reservation database system for sale, not just a few snippets from a Berlin hotel.

Bruce shared screenshots of the database interface with ITWire reporter Davey Winder. The interface covered the whole of Europe and had a date range running from 14 August 2007 until 21 August 2008. It included guest names and payment details.

The screenshot shows just a handful of transactions. Best Western said that data on its guests is purged from its systems a week after they leave the hotel.

If that's the case, Winder considers, why does the transaction log go back a year? Respondents to the story may have an answer for that: the system allows guests to reserve rooms for up to a year. That still leaves the big question of whether the hack allowed Europe-wide access to the hotel's reservation system or just access to the local database, as Best Western claims.

Opinion from Reg readers knowledgeable about Best Western's system is split. One of our readers anonymously suggests that the hacker did not gain access to the central database, but only to an individual hotel's computer application.

"As a former IT employee for Best Western (who left recently on good terms) I can confirm that everything Best Western is saying about this incident is true. I still have friends "on the inside", so-to-speak, who confirmed (off-the-record, of course) that a hotel front desk clerk's login ID and password for the 'MemberWeb' system were stolen by a password stealing Trojan (this "MemberWeb" system is what allows front desk staff to check on incoming reservations and adjust rates and availability - among many other things)," he wrote.

"The account that was compromised had *very* limited access to the MemberWeb system, so at most, the hacker was able to glean a handful of records from the 'Transaction Log' feature (looking into the account's access history is what showed that it was only 10 records that were actually accessed by the attacker)."

However, another correspondent said that reception desk PCs have access to bookings made at Best Western hotels in other countries, casting doubt that the compromise was limited.

"I have watched as a hotel in Leicester canceled a guest's stay at a hotel in Linz and rebooked him in a hotel in Vienna. At no point was the hotel in Linz informed of this other than via MemberWeb. This was done with a standard MemberWeb login and no reservation numbers - a simple search for the guest's name sufficed. This would seem to contradict BW's statement that 'The compromised user ID permitted access only to the reservations at a single hotel'."

Our man also questioned claims that Best Western purges customer records a week after guests leave its hotels, and explained that the system gives access to complete payment details.

"Credit card data is not obscured or obfuscated in any way. The full credit card number, cardholder name, expiry date and CVC/CVV number - necessary for cardholder not present transactions (eg a no-show guest)," he added. "Customer data is not 'purged' in any way, shape or form as far as I could tell. It is archived - mainly to reduce the load on the live database I think. The archived data is accessible from a normal MemberWeb login.

"I don't believe that one query per second from a single member hotel would be noticed (it would in retrospect), so there's the potential that 100,000+ people may have had 'live' booking details lifted," he concluded.

All parties agree that a compromise took place and how it happened (a compromised MemberWeb log-in ID lifted after a hacker planted a Trojan on a reception desk PC in a Berlin hotel). The issue turns on whether this compromised PC permitted access to Best Western's worldwide reservation system, as was the case with the hotel in Leicester, or just local data. It's possible - though unlikely - that the Berlin hotel's systems were set up differently, with access only to local data and no access to archived information.
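The three questions the article leaves open (how many records the stolen login touched, whether any belonged to another property, whether archived data was reached) and the reader's point about query rate are exactly what an access-log review answers. The following is an added example, not Best Western's or MemberWeb's code; the log format, the field names, the property codes and the sample lines are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log (not a real MemberWeb format). Fields: timestamp, login ID,
# the login's home property, the property owning the record, record status, record ID.
SAMPLE_LOG = """\
2008-08-21T02:10:00 frontdesk17 BER-01 BER-01 live R10001
2008-08-21T02:10:01 frontdesk17 BER-01 BER-01 live R10002
2008-08-21T02:10:02 frontdesk17 BER-01 LNZ-04 live R55010
2008-08-21T02:10:03 frontdesk17 BER-01 VIE-02 live R61207
2008-08-21T02:10:04 frontdesk17 BER-01 BER-01 archived R09877
2008-08-21T02:10:05 frontdesk17 BER-01 BER-01 live R10001
2008-08-21T09:30:00 frontdesk02 LEI-01 LEI-01 live R30555
2008-08-21T11:05:00 frontdesk02 LEI-01 LEI-01 live R30556
"""

def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, login, home, prop, status, rec = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "login": login, "home": home,
                       "property": prop, "status": status, "record": rec})
    return events

def scope_login(events, login, window=timedelta(seconds=10), rate_threshold=5):
    """Summarise what one login ID touched: distinct records, records owned by another
    property, archived records, and the peak number of lookups inside any sliding
    window (the 'one query per second' pattern a human clerk would not produce)."""
    mine = sorted((e for e in events if e["login"] == login), key=lambda e: e["ts"])
    records = {e["record"] for e in mine}
    foreign = {e["record"] for e in mine if e["property"] != e["home"]}
    archived = {e["record"] for e in mine if e["status"] == "archived"}
    peak, start = 0, 0
    for end, e in enumerate(mine):
        while mine[start]["ts"] < e["ts"] - window:  # slide window start forward
            start += 1
        peak = max(peak, end - start + 1)
    return {"records": len(records), "foreign_records": sorted(foreign),
            "archived_records": sorted(archived), "peak_per_window": peak,
            "burst": peak >= rate_threshold}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for login in sorted({e["login"] for e in evs}):
        print(login, scope_login(evs, login))
```

In the constructed data the Berlin login reaches Linz and Vienna records and an archived one in a six-second burst, which is the evidence that would settle the local-versus-Europe-wide dispute one way or the other.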

The claims of what was on offer contained in posts to an underground cybercrime forum provide no proof either way.

Slavik Markovich, chief technology officer of database security firm Sentrigo, said that computer forensics techniques need to be applied to get to the bottom of what happened at Best Western.

"Often, the 'fog of war' surrounds a suspected breach and it is difficult to understand what happened exactly," Markovich said. "In this case (based on the few tidbits of information we know) it’s possible that eight million records represents the potential set of data that could have been affected, but due to Best Western having defensive measures in place, the actual breach had been limited to 13 records of individuals.

"It is also possible that these preliminary findings do not tell the whole picture, and that additional forensics will be required to examine additional systems that may have been affected.

"Security is all about 'defense-in-depth'. If the initial breach was somehow undetected by monitoring the network and the logs, placing a Trojan should have been detected by an anti-virus program and the traffic the Trojan sent should have been detected by a network IDS/IPS. Currently, it is not clear if the guest databases were accessed or if the breach had only a local effect of capturing data in transit."

Best Western has taken the highly unusual step of writing to those who have made a recent booking in a bid to try to calm possible fears.

You may be aware that on Sunday 24th August the Scottish Herald printed a story claiming a hacker had gained access to Best Western guest information. This story is grossly unsubstantiated!

After a detailed investigation we can confirm that on 21st August a single hotel in Germany was compromised by a virus. The compromise permitted access to reservations data for that property only. This has affected only ten customers, whom we are currently contacting to offer our assistance; none of these were GB customers. There is no evidence of any unauthorized access to any other customer data. Most importantly Best Western purges all reservations data within seven days of guest departure.

We are working with the FBI and other international authorities to investigate further.

At Best Western we take the confidentiality of our customers' personal information very seriously, complying with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.

Yours sincerely,

David Clarke CEO

Best Western Hotels GB

Best Western makes much of its compliance with the PCI DSS standard for credit card security, but PCI DSS compliance doesn't mean organisations are secure. Even by its own account, Best Western systems were compromised by a Trojan. A malware attack was also blamed for a breach that exposed an estimated 4.2 million credit card records at US grocery chain Hannaford, another firm that was PCI DSS compliant.

One of 12 requirements for PCI DSS compliance is to "use and regularly update anti-virus software". All well and good, but as these two companies can testify, that's no guarantee against infection. Another requirement of the PCI DSS guidelines is for firms to “protect stored cardholder data” - something both firms have conspicuously failed to do.

Best Western may honestly think that the compromised PC only allowed access to reservations in the same hotel, but experience from our reader in a Leicester hotel at least suggests that other systems are set up differently. It could be the German systems are more secure - if not, then this particular rabbit hole goes far deeper than the hotel chain would like to admit. ®