
Thursday, May 29, 2014

eBay Breach: Password Reset Issues

Some 145 million people are affected by the security breach at the Internet giant eBay.

Dumping the Data

[Image: EbayHackPasswordChange]
When a catastrophic event happens, cyber-criminals come out from the shadows and lie in wait for their prey: YOU!

It has been stated that eBay’s database is on the market, priced at 1.45 bitcoin.

The claimed offer is for sale via the anonymous text-file site Pastebin.

It is likely that the data is not from the recent eBay data breach but possibly from another source.

The hacker provided a 3,000-row extract from a database with Asian-Pacific user names, addresses, phone numbers and dates of birth. This equates to about 145 million users.

The users shown in the sample would represent an odd subset of users for an international company like eBay.

Even if the sample is not from the eBay breach, it could potentially be data from another major company’s leak.

Or it could be fake, and just another cyber-criminal trading for bitcoin on the black market.

Did you receive a notice?

Many reports from worried eBay users say eBay has not yet sent them an email about the issue. There is no notification when you go to eBay.com, nor any kind of warning about the breach.

A notification urging users to create a new password appeared only after a user tried to reset their password.


[Image: ebay-password]


It is common for websites to put a banner or notification on their site after a breach, urging users to change their passwords, even when the theft is only of encrypted (and properly salted and hashed) passwords.

Why eBay hasn’t done the same is a mystery…


Beef up the password

If you haven’t already done so, create a strong, unique password for your account.
Make sure you can remember it but nobody else will be able to guess it.

eBay, unlike many others, allows short 6-character passwords. The suggested length is at least 8 characters.

eBay does require a mix of upper-case, lower-case, number and symbol characters. Try to use a combination of them all.

The following passwords are rated as “medium”, so users are allowed to use them:
  • Password1
  • MyH0us3
  • Iloveyou!
  • !2345@
You can see that these passwords still have a combination of characters and numbers, yet they are still quite easy to guess.

This is why it is so important to create a strong, secure password at least 8 characters long.

De-link PayPal

Since eBay owns PayPal, it suggests that users link their PayPal account to their eBay account.

Since the breach, if you followed that suggestion, you may want to rethink your choice.

If you unlink PayPal from your eBay account, you can still pay with your PayPal account at any time.

Linked accounts provide cyber-criminals with an easy way to gather a variety of data.

Any time a step is removed from the process of logging in as a user, you remove a layer of security against criminals gaining access to your information.

It took eBay two months to discover the hack because no sign of “unusual activity” was detected. eBay has not confirmed whether the data stolen was private information or not.

Security experts have criticized the company for not encrypting all of the private customer information it holds.
eBay is aggressively investigating the intrusion with law enforcement but has no evidence that user accounts have been tampered with.

What do you think about this data breach?  Please leave your comments below, we would love to hear from you!

Be sure to follow us on Twitter at @hyphenet or “Like” us on Facebook to stay up-to-date on the latest computer security threats.

References:
Myers, Lysa. ESET. “eBay breach news: Posted data dump not valid, password reset issues.” Published May 22, 2014.
http://www.welivesecurity.com/2014/05/22/ebay-breach-news-posted-data-dump…

Gibbs, Samuel. The Guardian. “Ebay denies ‘stolen database’ on sale for 1.45 bitcoin is authentic.” Published May 22, 2014.
http://www.theguardian.com/technology/2014/may/22/ebay-denies-stolen-database-on-sale…

Friday, August 30, 2013

Long passwords don’t offer “safe option”

A popular password-cracking app called “Hashcat” has raised its maximum password length to 55 characters. This app can actually crack a long password more quickly than a shorter one.
When passwords are made longer than the usual 8-11 characters, people start making sentences out of them.
In 2011, Graham Cluley stated that the best passwords are sentences. Today, a password of 15 characters or longer is usually a combination of words or phrases, because anything else is hard to remember. A long password of random letters, numbers and special characters such as T&7j#15!pDr8q is much harder to remember, or even type, than a simple MyN3wP@ssW0rd or Hamilton1.
Hackers are very quick to catch on to these passwords.
“I’ve been saying for a long time that while passphrases can offer better protection against password cracking than a simple password, it’s easy to over-estimate the usefulness of that measure,” says ESET Senior Research Fellow David Harley.
It’s just like an online dictionary guessing the word you are looking for even after you have misspelled it. Fuzzy-matching algorithms catch simple-to-fairly-complex variations in exactly the same way.
Hackers use a “dictionary attack” to crack passwords. If you have a common word as a password, a dictionary is run to scan for and seek out those words, enabling hackers to crack your password much more easily.
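To make the point from both posts concrete (the “medium”-rated passwords in the eBay post above, and the dictionary attack and fuzzy matching described here), the following added Python example, which is not code from either post nor from eBay or Hashcat, contrasts a character-class checker of the kind that rates Password1 or MyH0us3 as medium with a dictionary-aware check that undoes common letter substitutions before looking for a word. The wordlist and substitution table are constructed for this example and stand in for the far larger lists a real cracking tool carries; the rating thresholds are an assumption, not eBay’s actual rules.

```python
import re

# Constructed miniature wordlist, standing in for a real cracking dictionary.
WORDLIST = {"password", "house", "iloveyou", "hamilton", "welcome", "letmein",
            "qwerty", "football", "monkey", "dragon", "master", "sunshine"}

# Common "leet" substitutions, reversed: the digit or symbol -> the letter it mimics.
LEET_TO_LETTER = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                                "7": "t", "@": "a", "$": "s", "!": "i"})


def class_mix_score(pw):
    """Rate a password by length and character classes only.

    This is the kind of check that calls 'Password1' or 'MyH0us3' medium:
    it never asks whether the password is a disguised dictionary word.
    Thresholds are an assumption for the example, not eBay's real policy."""
    classes = sum([bool(re.search(r"[a-z]", pw)),
                   bool(re.search(r"[A-Z]", pw)),
                   bool(re.search(r"\d", pw)),
                   bool(re.search(r"[^A-Za-z0-9]", pw))])
    if len(pw) >= 12 and classes == 4:
        return "strong"
    if len(pw) >= 6 and classes >= 2:
        return "medium"
    return "weak"


def normalize(pw):
    """Undo leet substitutions and keep only letters, so 'MyH0us3' -> 'myhouse'.

    This is the fuzzy matching the post describes: the variations a person
    adds to a word are exactly the ones a cracker's rules remove again."""
    folded = pw.lower().translate(LEET_TO_LETTER)
    return re.sub(r"[^a-z]", "", folded)


def dictionary_hit(pw, wordlist=WORDLIST):
    """Return the dictionary word the password is built on, or None.

    Longest words are tried first so 'password' wins over any shorter word
    that happens to be embedded in it."""
    core = normalize(pw)
    for word in sorted(wordlist, key=len, reverse=True):
        if len(word) >= 4 and word in core:
            return word
    return None


def rate(pw):
    """Dictionary-aware rating: (verdict, reason).

    A dictionary word found after normalization overrides any class-mix
    score; then the 8-character minimum from the post is applied."""
    hit = dictionary_hit(pw)
    if hit:
        return ("weak", f"built on dictionary word '{hit}'")
    if len(pw) < 8:
        return ("weak", "shorter than 8 characters")
    return (class_mix_score(pw), "no dictionary word found")


if __name__ == "__main__":
    # The four "medium" passwords from the eBay post plus the three from this one.
    for candidate in ["Password1", "MyH0us3", "Iloveyou!", "!2345@",
                      "T&7j#15!pDr8q", "MyN3wP@ssW0rd", "Hamilton1"]:
        print(f"{candidate:16} class-mix={class_mix_score(candidate):7} "
              f"dictionary-aware={rate(candidate)}")
```

Run as a script, the table shows every one of the four eBay examples and both MyN3wP@ssW0rd and Hamilton1 downgraded to weak once the substitutions are folded away, while the random T&7j#15!pDr8q keeps its strong rating. The defensive lesson is that a strength meter which only counts character classes should be backed by a check against a real breached-password list after the same normalization a cracker would apply.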

A Solution

KeePass, LastPass, and 1Password are all password managers, secure tools built for you to store all your passwords in one place. All you have to do is remember one password.
A good technique to use when creating a password is to make up a sentence and use the first letter of each word as your password. You can change certain letters into symbols or numbers for variation. Here is an example of how to create a password from a sentence.

[Image: password-security]
Three key notes to remember:
  1. Never use a dictionary word
  2. Create a different password for each website
  3. Keep an antivirus up to date
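The sentence technique above, worked through in an added Python example (not code from the post): take the first letter of each word, keep each word’s capitalization, swap a few letters for symbols or digits, and carry over any exclamation or question mark as an extra character. The substitution table, the sample sentence and the policy check (upper, lower, digit and symbol with at least 8 characters, matching the eBay requirements described in the earlier post) are assumptions made for this example.

```python
import re

# Constructed substitution table for the "alter certain letters" step.
SUBSTITUTIONS = {"a": "@", "s": "$", "o": "0", "i": "1", "e": "3"}


def sentence_to_password(sentence, substitute=True, keep_punctuation=True):
    """Build a password from the first character of each word in a sentence.

    Capitalization is preserved, so a capitalized word contributes an upper-case
    letter; with substitute=True a letter in SUBSTITUTIONS becomes its symbol or
    digit; with keep_punctuation=True a trailing '!' or '?' on a word is kept."""
    chars = []
    for word in sentence.split():
        first = re.sub(r"[^A-Za-z0-9]", "", word)[:1]  # first alphanumeric char
        if not first:
            continue
        if substitute and first.lower() in SUBSTITUTIONS:
            first = SUBSTITUTIONS[first.lower()]
        chars.append(first)
        if keep_punctuation and word[-1] in "!?":
            chars.append(word[-1])
    return "".join(chars)


def meets_policy(pw, min_len=8):
    """Assumed policy: at least min_len characters and all four character classes."""
    required = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and all(re.search(p, pw) for p in required)


if __name__ == "__main__":
    # Constructed sample sentence; pick one only you would think of.
    sentence = "My dog Rex eats 2 bones every Saturday night!"
    pw = sentence_to_password(sentence)
    print(sentence, "->", pw, "| meets policy:", meets_policy(pw))
```

The sample sentence yields a 10-character password with no dictionary word in it, which is what makes it resistant to the dictionary attack described in the post; the sentence itself is what you memorize, and it should never be reused across sites.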

References:
“Long passwords don’t offer ‘safe option’ as cracker app upgrades.” WeLiveSecurity. Published August 27, 2013.
http://www.welivesecurity.com/2013/08/27/even-long-passwords-can-be-cracked-quickly-as-hashcat-app-upgrades/