Hilton investigates hack claims; FTC's Google antitrust investigation; Researchers break AWS RSA keys


By Andrew Collins
Thursday, 01 October, 2015



Hackers seem to have compromised point-of-sale registers in gift shops and restaurants at hotels owned by Hilton Hotel in the United States, according to anonymous sources cited by technology reporter Brian Krebs.

According to Krebs’ report on the story, in August this year financial services corporation Visa sent confidential alerts to multiple financial institutions warning of a breach at a brick-and-mortar entity that occurred from 21 April to 27 July.

These alerts from Visa did not name the brick-and-mortar entity that had been breached but did include card numbers that were suspected of being compromised, the report said.

“However, sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: They were all used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts,” Krebs wrote.

His sources said the fraud seems to stem from compromised point-of-sale devices located at restaurants, coffee bars and gift shops within the properties in question.

Krebs cited unnamed financial industry sources as saying the incident may in fact go back to November 2014, and may be ongoing.

SC Magazine quoted a statement from Hilton Worldwide as saying: “Hilton Worldwide is strongly committed to protecting our customers’ credit card information.”

“We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter,” the statement said.

Researchers nick RSA keys from AWS EC2

Security researchers reckon they have found a way to recover RSA decryption keys from Amazon Web Services (AWS) Elastic Compute Cloud (EC2) virtual machines, according to ITnews.

The researchers, who hail from the Worcester Polytechnic Institute in the States, apparently used a last-level cache (LLC) attack to grab a complete 2048-bit RSA key from an EC2 virtual machine.

More details on the attack — which reportedly targeted a Libgcrypt RSA implementation — are available at ITnews.

Ars Technica quoted an Amazon spokesperson as saying: “[T]his research shows Amazon EC2 continues to strengthen its built-in, base-level security measures, even when researchers perform complex attacks with extremely rare, unlikely pre-existing conditions and outdated third-party software.”

The spokesperson continued: “AWS customers using current software and following security best practices are not impacted by this situation. Further, a patched version of the open source software targeted by this research (Libgcrypt) is publicly available for Amazon EC2 customers via their operating systems’ standard software update mechanisms or direct download from the Libgcrypt project page at www.gnu.org/software/libgcrypt/. AWS encourages the reporting of any AWS security concerns to AWS Security via aws-security@amazon.com.”

FTC targets Android in antitrust investigation

The US Federal Trade Commission (FTC) is investigating whether Google is violating antitrust laws by hampering competitors’ access to Android, according to a Bloomberg report.

According to the report, there’s no guarantee the FTC will actually bring a case against Google. But if a case does eventuate, Bloomberg reckons a ruling against Google could impact the search giant’s advertising revenue.

A Reuters report provided some details on the investigation. According to that story, the probe is in its very early stages and focuses on Google’s requirements that its search, maps and other products are given a prominent place on handsets.

Both the FTC and Google are reportedly remaining tight-lipped on the topic of an investigation.

Image courtesy Josbert Lonnee under CC
