Full Report
Booking.com got hacked five years ago, and didn't tell its customers... but now we know who might have been behind it. Bossware rears its ugly head again in the workplace, spying on employees. And did you receive a warning email from the FBI? All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Brian Klaas of the "Power Corrupts" podcast.
Analysis Summary
# Main Topic
Discussion of key cybersecurity topics covered in the Smashing Security Podcast episode #252, focusing on a historical Booking.com data breach potentially linked to a US intelligence agency, the rise of "Bossware" monitoring employees, and a recent FBI email hoax.
## Key Points
- **Booking.com Hack Revelation:** Reports surfaced suggesting that a US intelligence agency may have hacked Booking.com approximately five years prior to the discussion, but the company allegedly never disclosed the incident to its customers.
- **Rise of Bossware:** The recurrent issue of "Bossware" (software used by employers to spy on and monitor employees, often while working remotely) was highlighted.
- **FBI Email Hoax:** A recent incident involving hoax emails that appeared to be from the FBI, exploiting poor coding in an FBI website to distribute malicious content, was reviewed.
## Threat Actors
- **US Intelligence Agency (Alleged):** Implicated in the alleged hacking of Booking.com five years prior.
- **Employers (Unspecified):** Responsible for deploying "Bossware" to monitor their workforce.
- **Unspecified Actors:** Responsible for sending the hoax emails by abusing the FBI website infrastructure.
## TTPs
- **Data Exfiltration/Espionage:** Implied in the Booking.com hacking.
- **Workplace Surveillance:** Deployment of software ("Bossware") to secretly monitor remote employees.
- **Email Spoofing/Phishing:** The FBI hoax involved abusing website coding vulnerabilities to send mass, deceptive emails.
## Affected Systems
- **Booking.com:** The platform targeted in the alleged 2016 breach.
- **Employees/Workplace Devices:** Systems targeted by "Bossware" surveillance.
- **FBI Website Infrastructure:** Exploited to facilitate the distribution of hoax emails (affecting the integrity of official communications).
## Mitigations
- **For Data Breach Disclosure:** Calls for better transparency from companies regarding past security incidents (specifically Booking.com's alleged failure to notify customers).
- **For Employee Monitoring:** Implied need for clear policies regarding remote worker surveillance and employee awareness of monitoring solutions.
- **For FBI Hoax:** Users are cautioned about spam and emails purporting to be from the FBI. Because the hoax messages were sent through the FBI's own website, a legitimate-looking sender alone does not establish authenticity; recipients should verify such messages through official channels before acting on them.
## Conclusion
The latest Smashing Security podcast covered serious ongoing privacy concerns, ranging from alleged state-sponsored activity against commercial entities to increasing employee monitoring, and immediate threats such as hoax emails sent through abused official infrastructure. Communications that appear to be official (like the emails allegedly from the FBI) must be treated with suspicion and verified, and corporate transparency about past breaches (as in the Booking.com case) remains key to consumer trust.