Home / Blogs

Thoughts on the Best Western Compromise

The Sunday Herald reported on Sunday that Best Western was struck by a trojan attack that lead to the possible compromise of about 8 million victims. There is some debate as to the extent of the breach and not a small amount of rumor going around. I’m not entirely disposed to trust corporate press releases for the facts, nor am I going to blindly accept claims of security researchers whose first call is to the PR team when discovering a problem.

That said, here is what seems to be the agreed upon facts:

  • A trojan was installed on one of the machines in Best Western’s booking systems which lead to a compromise of credentials for the hotel’s staff. These credentials were attempted to (and probably successfully) sold to organizations with links to the Russian mafia.
  • Best Western is and was Payment Card Industry Data Security Standard (PCI DSS) compliant.

Of course, PCI really only helps one piece of the security equation and compliance is not the same as security. In fact, it is usually (at best) a poor substitute and more often an excuse to stop thinking about security (“We’re Compliant!” followed by self-congratulatory back slapping). The same is true with relying on encryption. Encryption can be “defeated” and the ways to do it are well-known. (For instance, here is a paper I wrote almost 4 years ago on how to do it). If you can own the endpoint of a communication, encryption is irrelevant.

As another example, remember the backup tape heists a few years ago? Attackers know it takes an excessive amount of time to crack encryption, so they target ways to avoid it. Someone had the great idea of stealing backup tapes at which point few people would have even thought to have protected those. Now it is due diligence.

That said, here are 5 areas that are likely targets in the near future (or are targets now) that you may be overlooking:

  • Centralized patching systems (i.e. WSUS). If you can hijack an update server and have it distribute a malicious patch, you own every desktop in an environment. The RedHat compromise should be a wake-up call in this regard.
  • Centralized configuration and management systems (i.e. Configuresoft or the like). Same as above… the machine that controls all your desktops becomes the single point of pwnership.
  • Payroll. Your payroll system has salary information and identification information. In short, it has everything you need to commit tax fraud. In the US, in particular, it also has your national identification number (what is falsely called a “Social Security Number”) which allows an attacker to basically jack your entire identity as well.
  • Web 2.0. There have been some attempts to spread malware or spear phish using Web 2.0 technology. In as far as your organization uses Web 2.0, the more “legitimate” a message looks, the more likely a user is to click it. Web 2.0 provides a great vector to compromise an organization, especially if many of your employees use it. (Think social engineering).
  • Malicious insiders. Ok, this last one is not new, but still a solid majority of attacks have at least some component of an insider attack. In some cases, simply installing a keylogger and “selling” the result is simple enough for a disgruntled employee with even a token level of access to an environment.

Will put up more info on Best Western as the situation warrants. Thoughts to the top 5 lists? What would you add or take off?

By John Bambenek, Information Security Practitioner and Journalist

Filed Under


John, I agree with your assessment of Dave Shackleford  –  Aug 27, 2008 10:11 PM

John, I agree with your assessment of likely new attack targets. At Configuresoft, we urge all of our customers to treat ECM systems as critical assets that require the highest levels of protection for this exact reason. Although it’s tough to completely prevent a privileged insider from doing damage if he/she wants to, locking down the configuration management server(s) using well-known and accepted hardening guidelines, using strong passwords for accessing the system, etc. are all things people should be doing for *any* sensitive data storage or control systems. I think it’s important to note, though, that simply hijacking an operating system does not automatically guarantee the execution of malicious commands or actions within a configuration, network, or patch management product, which usually require the input of additional credentials to access the actual application.  It’s certainly a step along the way, obviously.

Director, Configuresoft’s Center for Policy and Compliance

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign