New Delhi, India. May 23, 2014: eBay has just announced that one of its databases – which contains customer names, encrypted passwords, email addresses, contact details and dates of birth – was hacked earlier this year and has urged its users to change their passwords. According to a post on eBay’s corporate site, cyber attackers had obtained access to “a small number of employee log-in credentials, allowing unauthorised access to eBay’s corporate network.”
Dan Dinnar, Vice President for Asia Pacific, CyberArk, said, “The very fact that just a ‘small number’ of compromised accounts has resulted in such significant access to eBay’s corporate network is extremely concerning. Clearly, there has not been enough attention paid to protecting privileged access accounts, where one small human error or mistake can cause an enterprise-wide security breach.”
“These powerful accounts hold the proverbial ‘keys to the kingdom’. As evident here, they have access to vast stores of information, data and control within the organisations’ digital depositories and, as a result, are the primary target for any hacker who is on the ball. Worryingly, once access has been secured, the extent of access means that maximum havoc can be wreaked.
“Protecting privileged accounts should be top priority for any business, not least because perimeter security is clearly failing. The way in for these malicious attacks is through the inside and, as such, protection needs to start here – at the heart of the organisation. Monitoring and controlling these powerful accounts every time they’re used is paramount to mitigating the impact of an inside breach. Businesses must start better protecting their assets and critical to this is securing the privileged accounts which form the primary vehicle for so many successful attacks.”
What type of encryption do you think eBay uses on passwords, and how easy would it be for the attackers to decrypt the passwords?
We don’t know the type of encryption (there are several possible options), but the notable aspect here is that the passwords were encrypted (as repeatedly stated throughout the eBay post) instead of being hashed. This is contrary to the known best-practice of hashing the passwords with valid hashing algorithms and proper salts. The difference between encrypting and hashing is that encrypted information can be decrypted, while hashing is a one-way function which is designed to only enable one-way computation without it being possible to revert/decrypt the original information. Hashing is the known best-practice to secure passwords as the website solely needs to make sure that the password the user entered is correct, and doesn’t need to know the password itself. There shouldn’t be a need to decrypt the original password. While it is possible to use brute-force to break hashes, this is still difficult if the hashes are properly salted (a procedure that adds a random sequence of characters to the user password to make it more complex and much more difficult to brute-force).
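An added example (not from the article or from CyberArk) of the salted-hash approach the answer describes, using only Python's standard library: the site stores a per-user random salt and an iterated hash, and verifies a login by recomputing and comparing, so the original password is never stored and cannot be recovered from the record, whereas an encrypted copy can be decrypted by whoever holds the key. The PBKDF2 parameters and the record format are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; they are not eBay's configuration.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record of the form 'iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table of hashes cannot be reused,
    and the iteration count makes each brute-force guess expensive.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against the stored record.

    The site only needs to know whether the submitted password is correct;
    it recomputes the hash with the stored salt and compares in constant
    time. Nothing here can turn the record back into the password.
    """
    iterations_str, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex),
                                    int(iterations_str))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def records_differ_for_same_password(password: str) -> bool:
    """Demonstrate the effect of salting: same password, two stores, two records."""
    return hash_password(password) != hash_password(password)
```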
How do you think the attackers compromised the employee credentials?
The eBay statement says that only a small number of employee log-in credentials were hijacked. This is typical of spear-phishing – an attack in which the attacker targets a specific employee (or a group of employees) with crafted email messages, which include links or attachments that, when followed or opened, exploit a vulnerability and install malware on the machine. Usually, such malware is capable of collecting stored passwords (for example, those stored in browsers or elsewhere on the machine) and recording keystrokes, then sending them back to the attacker. The attackers could select this group of employees by collecting information on employee roles at eBay and assembling a list of specific employees to target based on, for example, information available from social networks.
The important aspect here is that this group of employees had access to information that the organisation considers sensitive, i.e. they had access privileges to this information. The fact that the credentials of these privileged accounts resided on the employees’ machines and that these privileges were tied to their personal accounts is a vulnerability well known to many organisations today.
The leading recommendation to address this vulnerability includes two steps – embracing a “least-privileged” approach (specifically, separating the standard user account used for daily activities from the privileged account used for more sensitive activities and limiting the privileges of the standard account) and employing controls that prevent the sensitive passwords from residing on, or being used from, the potentially vulnerable endpoints (for example, by employing jump servers that authenticate the user and establish the privileged session without the privileged password ever reaching the endpoint).