The State of Enterprise IT Security Podcast - S1 EP. 15: Hotel Check-In Kiosk Exposes Room Access Codes, Microsoft Introduces Red Team Augmentation, AT&T Breach


Explore the latest State of Enterprise IT Security Edition with Brad Bussie as he covers a hotel security breach, Microsoft's AI-driven cybersecurity augmentation, and the AT&T data leak affecting 70 million users.

Overview:

In the latest episode of the State of Enterprise IT Security Edition, Brad Bussie, the Chief Information Security Officer at e360, discusses critical vulnerabilities and innovations within the IT security landscape. The episode covers a range of topics from a security breach at a budget hotel chain, Microsoft's AI-driven red team augmentation, to the massive AT&T breach impacting 70 million users. Bussie emphasizes the importance of secure coding practices, the potential of AI in cybersecurity, and actionable steps for individuals and organizations to protect against breaches.


Key Topics Covered:

  1. Hotel Self Check-In Kiosk Vulnerability:

    • A security flaw in a budget hotel's self check-in kiosks exposed room access codes, affecting potentially 600 hotels in 20 countries.
    • The vulnerability underscores the critical need for rigorous secure code practices and thorough application architecture understanding.
  2. Microsoft’s Red Team Augmentation via AI:

    • Partnership with OpenAI to introduce the Python Risk Identification Toolkit (PyRIT), aimed at exposing vulnerabilities through AI.
    • This development highlights the evolving role of AI in cybersecurity, moving towards augmenting human capabilities rather than replacing them.
  3. AT&T Breach Impacting 70 Million Users:

    • Sensitive information, including social security numbers and passcodes, was compromised and found on the dark web.
    • The breach illustrates the ongoing risks of data theft and the importance of protective measures such as credit freezes and vigilant password management.
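The kiosk flaw in topic 1 (a series of dashes entered instead of a booking ID returned the whole booking list, each entry with its room number and door code) is a classic "empty filter matches everything" bug. The following added example is not code from the podcast or from any hotel or kiosk vendor; it is a hypothetical booking lookup that reproduces that failure mode beside a hardened version that validates the ID format, requires an exact match and releases a door code only for one verified booking. The booking records and the ID format are constructed.

```python
"""
Added illustration of the kiosk lookup failure: a lookup whose filler-stripping
turns a run of dashes into an empty needle that matches every booking, next to
a hardened lookup. All bookings, rooms and codes below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Booking:
    booking_id: str
    guest: str
    room: str
    keypad_code: str  # door code; stays fixed for the length of the stay


# Constructed sample data (hypothetical guests, rooms and codes).
BOOKINGS: List[Booking] = [
    Booking("AB12345", "Guest One", "101", "4821"),
    Booking("CD67890", "Guest Two", "205", "9137"),
    Booking("EF24680", "Guest Three", "310", "5564"),
]


def lookup_vulnerable(booking_id: str) -> List[Booking]:
    """Buggy lookup (assumed shape of the flaw): dashes are treated as filler and
    stripped, so "-----" becomes an empty needle. An empty substring is contained
    in every ID, so the whole booking list, codes included, is returned."""
    needle = booking_id.strip("-").strip()
    return [b for b in BOOKINGS if needle in b.booking_id]


# Assumed booking-ID format: two upper-case letters followed by five digits.
BOOKING_ID_RE = re.compile(r"[A-Z]{2}[0-9]{5}")


def lookup_hardened(booking_id: str) -> Optional[Booking]:
    """Reject anything that is not a well-formed ID, require an exact match,
    and never return more than one record."""
    if not BOOKING_ID_RE.fullmatch(booking_id):
        return None
    matches = [b for b in BOOKINGS if b.booking_id == booking_id]
    return matches[0] if len(matches) == 1 else None


def door_code_for(booking_id: str, guest_name: str) -> Optional[str]:
    """Release the door code only for a verified booking; the guest-name check is
    an assumed second factor, not something the podcast describes."""
    b = lookup_hardened(booking_id)
    if b is None or b.guest != guest_name:
        return None
    return b.keypad_code


if __name__ == "__main__":
    print("vulnerable, dashes ->", [b.room for b in lookup_vulnerable("-----")])
    print("hardened, dashes   ->", lookup_hardened("-----"))
    print("hardened, valid ID ->", door_code_for("AB12345", "Guest One"))
```

The point of the hardened version is that there is no code path in which a malformed or partial input widens the result set: the format check and the exact-match requirement together guarantee at most one record, and the code itself is only returned for a booking the caller could name. The same "does a bad input ever select more than it should" question is worth asking of every lookup in a self-service flow during the quality assurance pass the episode recommends.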


Timestamps:

[00:01:00] Hotel self check-in kiosk exposes room access codes

[00:06:30] Microsoft introduces Red Team Augmentation via AI

[00:14:00] The AT&T breach impacting 70 million users

Read the Transcript:

[00:00:00] I've said a couple of times that AI today is not artificial intelligence. It is augmented intelligence. It's not particularly good at creating original content. It's good at summarizing and stitching things together. [00:00:30]

All right. Hey everybody. I'm Brad Bussie, chief information security officer here at e360. Thank you for joining me for the State of Enterprise IT Security Edition. This is the show that makes IT security approachable and actionable for technology leaders. I am happy to bring you three topics this week.

The first one, a hotel self check-in kiosk exposes room access codes. [00:01:00] The second, Microsoft introduces Red Team Augmentation via AI. And the third is the AT&T breach. 70 million users have been impacted. So with that, let's get started. Now, the hotel self check-in kiosks that exposed room access codes. This was a, we'll call it a budget hotel brand [00:01:30] in Germany.

They're also in some other European countries. And what it looks like is they were impacted by a vulnerability that exposed keypad codes, which could then be used to enter rooms. Not your room, somebody else's room. And there was a Swiss IT security assessment firm that went through and kind of looked at this and [00:02:00] what they found is there's about 600 hotels, probably across 20 countries.

And the vulnerability is across their whole self check-in system. Basically, the flaw, while it impacted those hotels, what they're thinking is that it actually impacted far more, because those kiosks are actually used by more brands. So I think this could end [00:02:30] up getting quite a bit bigger as we find more that have this vulnerability.

So what happened is the impacted kiosks, they allowed a customer to check into their room with no staff present. That's kind of the reason to do this, or if it's like a big line, it's super busy, you just go and check into your room. And then it gives you a code based [00:03:00] on the booking ID. It matches all the things like it's supposed to, gives you a room number.

And in this instance, it is a door keypad code. So instead of giving you an actual, uh, token or a card, you get a code. So what they found is that if you were to enter, I think it was a series of dashes, instead of a booking ID, the terminal spit [00:03:30] out the list of current bookings. And then if you tapped on any of the bookings,

it showed the room number and the keypad access code, which, the interesting thing is, remains unchanged during a customer's stay at the hotel. But if they were to check out, it does then change. So this could allow an attacker to enter any of the rooms that were [00:04:00] displayed, which in that case was all. And what this comes back to is, this is a vulnerability, but to me, it sounds more like a bug in the code, or maybe it was like a test function that the vendor forgot to take out and deactivate.

And you see this a lot happen with what we call backdoors in code or in applications, where a developer, while they're creating the [00:04:30] application, while they're doing testing, maybe there's a master code, maybe there's a way to get in, only they know. And then next thing that happens is that doesn't get disabled.

And attackers find it and then they exploit it. So what is still unclear is how pervasive this is beyond the budget hotel brand. And [00:05:00] the thing about this that makes it not as bad is that in order to exploit the vulnerability, an attacker has to be there in person. They have to know about this. Thanks.

And they have to be on a targeted terminal leveraging it. So, I think that's a little more exposure than most attackers want, because they're on video going into the hotel. They would be on video in the hallways. Like, there's a lot of things that if you're [00:05:30] thinking like an attacker or thinking like a hacker, you're probably not going to leverage this kind of thing at scale.

The reason that I wanted to bring this up is just to talk about the importance of making sure that it's not just about secure code practices. It's also about understanding the application architecture. So if you have and create your own applications, just spend a little extra time going [00:06:00] through that application code and doing the standard quality assurance testing, because I guarantee in 8 out of 10 applications, you're going to find something very similar to this.

Second topic for today is Microsoft introduces red team augmentation via AI. This is exciting for me because I've said a couple of [00:06:30] times that AI today is not artificial intelligence. It is augmented intelligence. It's not particularly good at creating original content. It's good at summarizing and stitching things together.

And in a lot of cases it looks new, but I think as we're starting to see, if you're paying attention to the news and the headlines, [00:07:00] there's been a lot of examination of things that our AIs are creating. Our Gen AIs are creating new songs, new pictures, new things. And I'm going to say new, I'll do this again.

It's not new. They're saying, hey, that melody is actually from a song, top 10 hit, whatever. And actually that whole drum beat was from a different song. And what we're starting to see is all of those stitching things [00:07:30] together that our Gen AIs are doing right now, because it's all about how the model is trained.

What is it trained with? So, we can actually take this and use it to our advantage with augmenting things. So, back in February, I think it was February, Microsoft partnered with OpenAI and they introduced a new, what they're calling, open automation framework, and that's just to assist [00:08:00] security professionals in managing their risk overall, and they're calling it the Python Risk Identification Toolkit, or PyRIT. And it provides AI for red teaming, and what it does is it leverages Gen AI capabilities of the technology with the sole intent of exposing vulnerabilities. So you're able to do it [00:08:30] faster. You're able to take things from a lot of different places and again, pull them together into something that looks new.

And this is pretty useful when it comes to finding vulnerabilities at scale. So there's been a couple of advisors that are talking about this, and they agree that the tools are pretty helpful, really in filling the gaps for organizations [00:09:00] that just need assistance with cyber security, doing more with less.

3 years, that's what we were talking about. When it comes to AI, not that it's going to take your job, it's going to help you do your job better. And I think this is a really good example of that that is happening. And the thought process is now Gen AI can help when it comes to finding someone or [00:09:30] now something that has some skills based on attacking a webpage.

Maybe doing some social engineering, uh, or just straight up hacking. And we've said this when it comes to social engineering. Why is it getting harder to detect that it is social engineering? It's because attackers are using Gen AI. The language is getting better. The emails are getting better, and it's getting harder and harder to detect that.

It was [00:10:00] not written by a, we'll say a non-native speaking person, which tends to be an indicator of attack in a lot of emails. Now, when it comes to Microsoft, they're saying that this system provides really a more probabilistic result than what we would consider traditional red team. And there's a lot of different [00:10:30] technologies out there that have been doing something similar for a while, and they've been looked at as breach attack simulators or an automated pen tester.

But really what the Microsoft solution partnered with OpenAI is talking about is leveraging some of the Gen AI capabilities that are out there today, uh, and not a different model that's built on, you know, different machine learning algorithms. So, [00:11:00] if I'm looking at this, I'm thinking, we're going to be able to execute the same attack, but we're going to be able to do it multiple times.

Than something that is traditional. And I think Gen AI systems, they've got multiple layers and it's basically focused on like what I call non-determinism. [00:11:30] That is, the same input can provide different outputs. It's just on how they're implemented. So imagine being able to do that across the system a thousand times where a normal pen tester, maybe they're able to do 1, 2, 3, 4, 5, uh, you can start to see the augmentation and the scale.

So if you look at it, most successful companies these days, they come up [00:12:00] with a product and it is intended to solve once for everyone instead of everyone solving something independently. That's just how it works. And that's really exactly what this Gen AI experience is starting to do. So instead of expecting every company to have to build their own platform, their own framework, their own solution, [00:12:30] and testing that, Microsoft and the OpenAI team, they're giving us a tool.

And any company can use it. So we, in a previous episode, talked a little bit about creating GPTs. Think of this very similarly: there is now something specifically written for the red teamers out there. Something [00:13:00] interesting that I think we should definitely take a look at. And I'll leave you on this topic with one thing in particular.

AI is still a support tool. It's not good at original content, again. It's good at summarizing a complex problem. And I would say that a lot of these Gen AI capabilities, [00:13:30] they've not been trained to focus specifically on cybersecurity, but now we have something that is used specifically for cyber security.

And to me, as a practitioner, that's pretty exciting. So keep an eye on it. Let's see what this evolves into over the next, I mean, I would say year, but as I think we've seen, the scale and speed of growth when it comes [00:14:00] to technology is absolutely exponential. Third topic for today. The AT&T breach. We're looking at somewhere in the realm of 70 million users that have been impacted by this.

So, if I'm going to outline what happened, there was a theft of sensitive information belonging to, I think I just said it, millions of AT&T's [00:14:30] current and former customers. And it was discovered online. It was discovered on the dark web. And it contains things like social security numbers, passcodes, and that's for right around, I think it was 8 million, 7.6 million current account holders. And then like 65.4 million former account holders. Thankfully I'm a former [00:15:00] account holder. And I'm now using a different passcode than I used to use, but think of it this way: if you are a current or previous AT&T subscriber, and you're using the same passcode to get support or log into the site or do the things as you leverage for your banking.

Think about how that could potentially impact you, because this is what happens. It shows up on the [00:15:30] dark web and it is the attacker's job to figure out where else can they use this information? Because AT&T is going to do what most organizations would do. They're going to go through, they're going to change all of the passcodes that exist.

They're going to force you into a reset situation, verify you are who you are in a different manner. And from there, you're going to do passcode. Okay. But that's the attacker's job is to say, all right, well, we're not going [00:16:00] after AT&T, but now we're going to go after all of these other places that this person could potentially be using a pin or a passcode or things like that.

So that's really the intent behind it. So I would say, what do you really need to know about this? What was compromised? Obviously the social security numbers, not a lot you can do about that. That seems to happen daily. I'm sure all of us have, uh, letters. I actually have a [00:16:30] letter right here. I'm not going to pull it up because I don't want you to see it, but I got one saying that my information was a part of a breach, and I get one of those monthly.

I'm sure a lot of you do as well. The other information that was leaked, full names, email addresses, mailing address, phone number, date of birth, and that passcode that we were talking about. So, the impacted data, it looks like it's from [00:17:00] 2019 and earlier. If there is some more current information in there, they're not saying yet.

Best way to know if you've been affected is look out for that letter, because it's going to be coming, or you're going to get an email, and the email notices started going out, I think, last Saturday. And it's going to take them a while to get through and mail everything. Now, I said a little bit what AT&T has [00:17:30] done about this.

They've already gone out and reset the passcodes of current users. And they're doing what any other company, uh, thinks makes us happy. Uh, they are going to pay for credit monitoring services where applicable. Now, if you're like me, one thing that I would recommend: freeze your credit. Uh, if you haven't looked into freezing your credit, it's not that big of a deal.

It's not super painful unless you're trying to get credit. And [00:18:00] then it's kind of a pain, because you will forget that you froze your credit. But it's actually a good default state. You can go register for an account. I recommend using a password manager or a passkey for the three bureaus so that it's easy for you to log in after a year or two when you've forgotten what all of that information is, and you log in and you can unfreeze the credit, and it doesn't take very long.

It takes, I think they said, an [00:18:30] hour for it to show back, and then the bureau can go through and do that. In this day and age with all of these different breaches, it is honestly the best form of protection that you can have. And for organizations, kind of the counterpoint to this is like wire transfers, being tricked into doing a wire transfer to someone else.

Uh, based on information that's gathered on the dark web. In a different episode, we'll talk a little bit more about that. But one [00:19:00] thing you could take away from it is I recommend that if there is the possibility of wire transferring something, you and your board come up with a passcode of your own that changes every quarter and only that team knows it.

And it's not written down. It's not stored, any of that. And that passcode needs to be reciprocated between the board in order to authorize something like a wire transfer [00:19:30] or, uh, something highly sensitive being sent somewhere else. So just a little tip for you there. So back to AT&T, uh, really they're not talking about how exactly this happened yet, especially since the data is a little bit older.

So I would say what I'm focused on right now is like how you can protect yourself going forward. So [00:20:00] I think I gave you some good actionable points, you know, freezing of the credit, changing any passcodes you have, um, going through and just as a good rule of thumb, there's no reason you can't go out and change all of your passwords right now.

There's absolutely nothing stopping you from doing that. So I would say consider that, uh, as part of this. It's just good hygiene overall. Now, what's interesting here is the Federal Trade Commission. [00:20:30] They're involved. And they're involved from the credit bureau perspective: Equifax, Experian, TransUnion.

And it's interesting because they're saying something very similar to what I just said. They're offering free credit freezes and fraud alerts that consumers can set up to help protect themselves from identity theft and other malicious activity. So you've got a couple of sources telling you that that is a good option. [00:21:00]

And I think it's something to consider. So thank you for joining me, and I look forward to the next time on the State of Enterprise IT Security.

Written By: Brad Bussie