eBay data breach: Death to passwords?
eBay this week confirmed that it had been breached by hackers, potentially giving them access to the personal details of 145 million account holders.
The firm stressed at the time that financial information had not been stolen and said that hackers had gained access to "a database containing eBay user passwords" by compromising an employee's credentials.
The reaction to the breach has been damming, not only on eBay detecting the breach some two months after the intrusion but also on its lack of communication and enforcement of automatic password change. (New Clearswift data reveals that only a third of users have changed their passwords).
On the subject of passwords, several people SC spoke to said that this was evidence that the passwords are on their way out – paying the way for biometrics perhaps – while others urged the need for two-factor authentication.
And in the week where one report revealed that the number of data breaches continues to rise, companies may start to look at their legacy security measures.
Cyber-criminals up the ante
The increase in the number of data breach investigations is worrying at a time where cyber-criminals are widely-seen to be enhancing their skillset as well as their ability to remain hidden from view.
Troels Oerting, head of the European Cyber Crime Centre (EC3), told audience attendees at the Check Point conference in Barcelona, Spain this week that the ‘Internet of Everything' will enable them to attack anyone, anywhere – adding as he has said previously that they're in dark web to avoid detection.
"Cyber-criminals also trade quite freely on the Darknet, using currencies such as Bitcoin to hide their cyber-criminal profits," he said, adding that state sponsored activity is also on the rise.
Meanwhile, MWR InfoSecurity this week revealed new research which revealed the current and new technologies being used by cyber-criminals to steal information from companies.
Detailing its findings in two white papers, the consultancy found that hackers are able to exfiltrate data through a number of popular websites, such as Facebook, Flickr, LinkedIn and YouTube.
Researchers said that cyber-criminal groups are advancing with forensics tools, using the cloud to obscure the final destination of data, and are looking to compromise VPN solutions and mobile devices as their new targets. The latter, in particular, has been seen as the “new way into corporations”.
MWR researcher, and lead author of the whitepapers, Dr David Chismon detailed the ways hackers are compromising systems, and exfilitrating data.
“As there are few restrictions, attackers typically transfer files the same way any technical user would do,” he said via email. “Many use the connections they have set up for command and control. HTTP and HTTPS (web traffic) are highly common and the File Transfer Protocol (FTP) is often used as well.
“Others use emails, employing simple techniques like setting up an email forwarding rule for the target so any email they receive is copied to the attacker. Others are increasingly using cloud storage such as Google Drive and Microsoft OneDrive. Interestingly, attackers have been seen deploying tools to use cloud storage, but not using them as there are other options available to them.”
He added: “If organisations block access to websites to prevent attackers, they can use popular websites that are likely to be permitted as vectors to exfiltrate data. In an experiment we carried out it was possible to exfiltrate 1TB of data via Flickr in 200mb chunks (see video). It was also possible to exfiltrate 20Gb via YouTube in a single chunk, and smaller amounts via popular websites such as Facebook and Tumblr.
“Increasing use of mobile devices, remote working and VPNs (Virtual Private Networks) will present new opportunities for attackers, who are using more covert methods to exfiltrate the data, such as hiding it as other data types.”
He added: “As more organisations use cloud services for business functions and remote work, attackers can compromise passwords for these services and get the data directly from there rather than needing to obtain it from the organisation's network.”
Future of encryption? Not likely
A potential candidate for the Internet's future security system, a protocol based on "discrete logarithms, has been abandoned as potentially being the solution the world was looking for after being decrypted by researchers at Ecole Polytechnique Federale de Lausanne (EPFL) within two hours.
This was considerably quicker than the forecast 40,000 times the age of the universe for all computers on the planet to do it, explained Thorsten Kleinjung, post-doctoral fellow at LACAL. The team will present its findings this August at the Crypto 2014 conference.
EPFL's team, with Jens Zumbragel from TU Dresden, had focused on a "family" of algorithms meant to be candidates for the next generation of encryption keys, using "supersingular curves. These ‘Discrete logarithm problems' – very complex mathematical operations – are used to secure data transmissions. Arjen Lenstra, director of the Laboratory for Cryptologic Algorithms (LACAL) at EPFL says "Their complexity is such that they are deemed as impossible to solve. The danger lies in the fact that these systems are based on principles that we do not fully understand. If someone were to find out how to solve them all, the entire system would collapse."
As a result, “We just excluded this option from the search for a successor to current algorithms," said Arjen Lenstra.
Microsoft's busy week
Spare a thought for Microsoft, whose security team had a busy week and a potentially costly one too.
The biggest damage of all could be in China, which has decided to snub the adoption of Windows 8 because the Redmond software giant made Windows XP end-of-life on April 8.
Meanwhile, a new zero-day flaw was discovered for an older version of Internet Explorer (IE8), placing XP users once again at risk.
The vulnerability, named CVE-2014-1770, was discovered by HP's Zero Day Initiative, which claims it contacted Microsoft in October. Microsoft is now working on a patch.
ZDI holds off publicly publishing information on a security flaw for up to six months so a software vendor can patch it, but told Microsoft on May 8 that it intended to publish the details of the flaw.
If that wasn't enough, researchers at Include Security were able to reverse engineer Microsoft's Outlook Android application (via Beta News), and subsequently found that the app stores emails and attachments in the Android file system unencrypted.
As a result, would-be hackers could exploit the vulnerability with compromised third-party apps and read unencrypted subject lines and the body text of email, even attached files. This last option would take a little more effort however – with email attachments saved to the /sdcards/attachments folder, the bad guy would have to have physical access to device and a malicious app.
The pin code isn't even enough to save users. While Outlook lets users enter a pin-code to enter the app, researchers say that it solely protected the GUI (Graphical User Interface) and not the messages.
Inside Security said it found the flaw in November and reported to Microsoft in December. The firm reportedly said that users shouldn't expect data encryption by default.
Microsoft has promised fixes for the IE and Office flaws (the Office app was created by a third party – Seven Networks).