Tag Archives: eBay

Criminals use IRS website to steal data of 104,000 people

30 May 2015

On 10 June 2014 I wrote my first post on this blog about the eBay data breach, which was published on 21 May 2014. This Thursday, nearly a year later, the Internal Revenue Service (IRS) data breach was made public. Cyber attackers used personal information mined from other attacks, perhaps even from the eBay attack, to breach the “Get Transcript” accounts of more than 100,000 taxpayers.

Jose Pagliery wrote on CNN Money on May 26, 2015: “The IRS said criminals were able to use the Get Transcript service, because they plugged in personal data they had already stolen: Social Security numbers, birthdays, physical addresses and more. They even answered correctly those personal identity verification questions — the ones we all know as being too specific, annoying and difficult to answer ourselves.”

FIDO U2F Security Key

Well said, those identity verification questions are really annoying. And inherently unsafe, as we learned from a Google study published this week.

And yet the obvious solution would be to discard all those questions and to use Two Factor Authentication instead. For example, a FIDO U2F security key in combination with a one-time PIN or fingerprint would be a nearly unbreakable and cheap solution.

How many data breaches must still take place before organizations seriously start securing their customers’ personal data?

Have a good weekend!

Google confirms ‘five million’ customer data dump but denies breach

13 September 2014

Google confirms ‘five million’ customer data dump but denies breach – IT News from V3.co.uk.

The news about the Google hack this week was somewhat puzzling at first glance. Five million customers’ data stolen but no attack on internal systems? It took me some time to understand this.

In my opinion some hackers collected a large number of accounts from lots of companies, including some Google accounts. From my experience with phishing attacks, and the statements in several reports about the lousy data quality, this sounds quite plausible.

Some statements in the post ‘Cleaning up after password dumps’, published by Google’s Spam and Abuse Team on 10 September in its Online Security Blog, confirmed my impression:

It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.

For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.

How could we avoid such data theft in the future?

From a technical point of view, only Two or Multi Factor Authentication (MFA) could prevent such attacks. In the post ‘Google denies breach after hackers leak millions of user logins’, published on 11 September on Computerweekly.com, Yiannis Chrysanthou, security researcher in KPMG’s cyber security team, stated that MFA is the sole means to prevent misuse of stolen credentials.

The last statement in this post was very puzzling:

“Of course this extra security comes with increased investment – but the improved customer protection makes it viable and valuable,” said Chrysanthou.

What increased investment? For usage of Google 2 Step Verification? Or TFA in Apple’s iCloud Services or WordPress.com? There are no additional costs! The only drawback of MFA is loss of comfort for the users of these services. But the gains in security are invaluable. I would be very pleased if Amazon, eBay, and Microsoft added TFA to their services as soon as possible.

When it comes to implementing MFA inside companies, we are definitely talking about increased investment. Adding MFA to an Active Directory that serves tens of thousands of internal users or to a service for external customers will result in an additional investment and higher operating costs. But with TFA the eBay data breach earlier this year would have been prevented. Just like the Code Spaces collapse.

The big question is as always: What is the total loss of turnover created by a data breach compared to the total costs of implementing TFA?

Can Code Spaces tell us?
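Why a reused or phished password is not enough once a second factor is required, shown with a time-based one-time code (TOTP, RFC 6238). This is an added example, not code from any of the services named above; the `login` function, its parameters and the sample secret (the RFC's published test key) are assumptions for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, then RFC 4226 truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def login(password_ok: bool, submitted_code, secret: bytes, now: int,
          window: int = 1, step: int = 30) -> bool:
    """Hypothetical login check: both factors are required.

    A correct password without a current code fails, which is the case of
    credentials taken from another site's breach or from a phishing page.
    """
    if not password_ok or not submitted_code:
        return False
    for drift in range(-window, window + 1):     # tolerate small clock skew
        expected = totp(secret, now + drift * step, step)
        if hmac.compare_digest(expected.encode(), submitted_code.encode()):
            return True
    return False

if __name__ == "__main__":
    secret = b"12345678901234567890"             # RFC 6238 test key, not a real secret
    code = totp(secret, 59)
    print("password only:        ", login(True, None, secret, 59))
    print("password + code:      ", login(True, code, secret, 59))
    print("same code, 150 s late:", login(True, code, secret, 59 + 150))
```

A captured code stops working as soon as its time window has passed, so the attacker needs the user's device (or a live relay), not just a credential dump.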

E-book review: Staying Ahead in the Cyber Security Game

28 August 2014

Some weeks ago I attended the webinar ‘Staying Ahead in the Cyber Security Game: What matters Now’ sponsored by IBM and Sogeti.
The webinar is a good introduction to the free e-book with the same title. And the e-book is absolutely worth reading.

Chapter 10 is entitled ‘The data scientist will be your next security superhero’. Wow! ‘Superhero’ always reminds me of the Queen song ‘Flash Gordon’:

Flash a-ah
Savior of the universe

In the verse ‘Seemingly there is no reason for these extraordinary intergalactical upsets’ the work of a big data analyst is well described. My favourite verse is at the end of the song:

Flash Flash I love you
But we only have fourteen hours to save the Earth

I love this song, I would really love to be a superhero … ;-). Back to the e-book!

‘We may have effective detection tools to reduce the impact of the attacks. But the real revolution will be with big data: We will be able to more finely analyze what is normal and what is not normal.’

This statement gives me pause. How long does it take to find a hint where there seemingly is none? Do we really have fourteen hours in the case of an unknown attack to save the company? Would big data analytics have prevented the eBay or Code Spaces disaster? Should we rely only on the good brains of a big data analyst?

My answer is: Don’t just rely on a single technology! And don’t believe that everything is as easy as it sounds.

Big data technology can support us in boosting IT security but, of course, it will take some time before clear indications of data breaches can be generated.

First, you have to set up data sources like firewall or Windows event logs. In parallel, your analysts and your system must start learning what is normal to recognize what is abnormal, because abnormal events are a strong indicator of an advanced threat or breach. And finally, you should make an incident response plan to do the right things when your systems detect an incident.

Sounds like a plan, doesn’t it?
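The "learn what is normal, then flag what is not" step, reduced to a per-account logon baseline. This is an added example, not from the e-book; the event tuples, host names and the two-hour slack are constructed assumptions, standing in for fields parsed from Windows logon events.

```python
from collections import defaultdict

# Constructed sample data: (account, hour of day, source host). Not real logs.
BASELINE = [
    ("alice", 9, "WS-101"), ("alice", 10, "WS-101"), ("alice", 14, "WS-101"),
    ("alice", 16, "WS-101"), ("bob", 8, "WS-202"), ("bob", 11, "WS-202"),
    ("bob", 13, "WS-203"), ("bob", 17, "WS-202"),
]
NEW_EVENTS = [
    ("alice", 11, "WS-101"),    # usual host, usual hours
    ("alice", 3, "SRV-DB01"),   # valid credentials, but 03:00 from an unseen host
    ("bob", 12, "WS-203"),      # known host, usual hours
    ("carol", 10, "WS-300"),    # account the system has never learned
]

def learn(events):
    """Learning phase: record the hosts and hours seen for each account."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": []})
    for user, hour, host in events:
        profile[user]["hosts"].add(host)
        profile[user]["hours"].append(hour)
    return profile

def score(event, profile, slack=2):
    """Return the reasons an event deviates from the baseline (empty = normal)."""
    user, hour, host = event
    if user not in profile:
        return ["no baseline for account"]
    seen = profile[user]
    reasons = []
    if host not in seen["hosts"]:
        reasons.append("new source host")
    if not min(seen["hours"]) - slack <= hour <= max(seen["hours"]) + slack:
        reasons.append("outside usual hours")
    return reasons

def detect(events, profile):
    """Detection phase: keep only the events that have at least one reason."""
    return [(event, why) for event in events if (why := score(event, profile))]

if __name__ == "__main__":
    for event, why in detect(NEW_EVENTS, learn(BASELINE)):
        print(event, "->", ", ".join(why))
```

The 03:00 logon uses valid credentials, so only the comparison against learned behaviour marks it; an account without history can only be reported as unknown, which is why the learning period cannot be skipped.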

By the way: The first security superhero was David Levinson in ‘Independence Day’. In an ocean of electromagnetic signals he detected an alien signal and identified it as countdown, and all within a few minutes. A true superhero!

Bromium – The Dawn Of A New Era In Corporate Cyber Threats?

14 July 2014

The Dawn Of A New Era In Corporate Cyber Threats? | A Collection of Bromides on Infrastructure.

Although the picture reminds me of some scenes of Terminator II, Bill Gardner does not announce the imminent end of the world. In this blog post he just creates awareness of a new kind of attack which may have a dramatic impact on businesses.

Fortunately, today’s attackers focus on new market businesses. The impact of a data theft, e.g. loss of reputation or annoyed customers, is costly and exasperating for companies, but not life-threatening. Destruction of data and of backups, as in the case of Code Spaces, might lead in the worst case to loss of business and a disastrous effect on customers.

But the expansion of malicious activities to old market businesses, like chemical and pharmaceutical plants or basic infrastructure like national gas or power supply systems, could have a catastrophic impact on businesses, environment and people.

In addition, a third type of damage, integrity loss, caused by tampering of data, makes things really worse, because this kind of damage is very hard to discover, and is often discovered only after several years.

We urgently need to prepare for the “Maximum Credible Accident”!

For a good starting point see Mark Brown’s article “Where should a CISO look for cyber security answers – hardware, software or wetware?”.

Don’t Panic – All will end well!

SearchSecurity: Multifactor authentication key to cloud security success

12 July 2014

Multifactor authentication key to cloud security success

In this great post Brandon Blevins provides a brief summary about the Code Spaces attack, the progression of the attack and the catastrophic consequences for the company and the customers. Moreover, he makes clear that Multi Factor Authentication is an essential requirement for running a successful business in the cloud. With Two- or Multi Factor Authentication in place this attack would not have been possible.

The attack pattern in the Code Spaces case differs only slightly from the patterns in the eBay, Target, and Office attacks. In all cases the attackers used stolen credentials of employees for unauthorized access to the company network and the data.

One Euro Cent Coin

From my point of view, Two or Multi Factor Authentication (MFA) would have prevented most of the published data breaches, irrespective of whether the services are hosted on premise or in the cloud.

Multi Factor Authentication is worth every Cent!

The main difference between the attacks lies in the amount of damage: data theft and loss of reputation in the eBay case, irreversible destruction and discontinuation of business in the Code Spaces case.

But a third, more important type of damage must be considered:

Integrity loss, caused by tampering of data.

Small changes to software products, to the formulation of drugs, or a bill of material could lead in the worst case to a catastrophic impact on people, businesses and the environment.

How often does this happen, without you ever noticing? At this very moment? And are you able to recognize such integrity losses to prevent larger damage?

We should ask ourselves these worrying questions. The statement “I always call it the Wal-Mart-Target competition … to see who can get to the lowest price and still provide good service. Security is what gets lost” gains a new meaning from the integrity point of view.

I would strongly recommend that all businesses, in particular in the manufacturing industries and in the pharma sector, decide on implementing MFA to prevent damage caused by integrity loss.

That will make our world a somewhat safer place.

The eBay data breach – Is hashing of passwords the appropriate response?

10 June 2014

The news about the data theft at eBay almost electrified me. Not due to fears of losing my private data (I am not an eBay customer), but because the details of how the theft took place are interesting to me from a professional point of view.

My first thought was: This was an Insider Attack!

The IT departments of large companies are doing a very good job in operating the servers connected to the internet. I would have been very surprised by an attack through servers at the company’s border to the internet.

The information published by eBay on 21 May 2014 [1] saved my day:

‘Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network.’

I am not at all surprised that eBay discovered the loss of customer information with a two-month delay. According to the Ponemon Study 2013 [2] the average time to resolve attacks by ‘malicious insiders’ was 65.5 days in 2012 (57.1 days in 2011). That fits well even in this case.

But I am somewhat puzzled by the discussion in some blogs whether encryption is the adequate method to protect sensitive and private data from unauthorized access. Hashing is praised as a better method for protecting passwords.

In my opinion this discussion hardly goes far enough. The loss of e-mail address, physical address, and date of birth must be taken at least as seriously as the loss of passwords, since this information enables, for example, professionally made targeted phishing attacks. And, as we all know, an experienced hacker can attack even a hashed password, in particular if he has enough time behind closed doors. See [3] for amazing details about cracking of hashed passwords.
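What "hashing" buys depends on how it is done: a single unsalted hash gives identical records for identical passwords and is cheap to test offline, while a per-user salt and a work factor raise the cost of every guess. This is an added example, not eBay's scheme; the record format, function names and sample password are assumptions.

```python
import hashlib
import hmac
import os

def fast_unsalted(password: str) -> str:
    """Weak scheme for comparison: one SHA-256 pass, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per stored record."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        rounds = int(iterations)
    except ValueError:
        return False                      # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(key, stored)

if __name__ == "__main__":
    shared = "Summer2014!"                # constructed: two users, same password
    print("unsalted records equal:", fast_unsalted(shared) == fast_unsalted(shared))
    a, b = hash_password(shared), hash_password(shared)
    print("salted records equal:  ", a == b)
    print("verify correct / wrong:", verify_password(shared, a),
          verify_password("guess", a))
```

Even the stronger record only slows guessing down, and it does nothing for the e-mail addresses, postal addresses and birth dates stored next to it.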

New technology alone will not necessarily increase overall security, because the root causes of this data breach are more likely a lack of security awareness and training. Therefore, only the classic PPT approach, which includes People, Processes and Technology, will lead to increased overall security.
PPT - People, Processes, Technology