EBay, you keep using the word 'SECURITY'. I do not think it means what you think it means

eBay‬ has told people to change their passwords for the online tat bazaar after its customer database was compromised. Names, dates of birth, phone numbers, physical addresses, email addresses, and "encrypted" passwords, were copied from servers by attackers, we're told. Credit card numbers and other financial records were not …

COMMENTS


"Encrypted" passwords

Damn well hope my password wasn't encrypted, and was actually hashed.

It would have been more useful if they had said whether the passwords were salted or not. If my salted hashed password has been released, I'm totally "meh" about it, whereas if my unsalted encrypted password has been released then I'm much more angry.


That's known as Schrödinger's anger.


...about 50% of the time.


Re: "Encrypted" passwords

Well unless they got the salt too, I wouldn't be surprised if eBay have it in the next column.


Re: "Encrypted" passwords

Doesn't matter if they got the salt too, the idea of a salt is that each password is hashed differently, so they can't just store a dictionary of hashed strings which they can compare against. They'd need a dictionary per possible salt value. That is unwieldy and slows down any attack, which in general is the best you can ever hope for.


Re: "Encrypted" passwords

Still screws up using rainbow tables though, doesn't it?


Re: "Encrypted" passwords

>> It would have been more useful if they had said whether the passwords were salted or

>> not. If my salted hashed password has been released, I'm totally "meh" about it,

>> whereas if my unsalted encrypted password has been released then I'm much more angry.

You're wrong, then. Let's assume (and it may be a rather large assumption) that ebay are not complete fucking maroons, and are not only salting your password, but salting your password with a unique-to-you, or better, unique-every-time-you-change-your-password salt. Now, as the bad guys have your salted password hash, they can't do anything with it, right? Wrong. Of course they can. If they've managed to extract your salted, hashed password from ebay's database, we can also assume they bothered to extract the salts at the same time, and they know the salting & hashing algorithm that ebay use. Because they aren't fucking mongs either; indeed, we should assume they are somewhat smarter than you or I. So, if your account particularly takes their interest, they are perfectly capable of building a rainbow table for reversing your password hash to its original plaintext version of "ebay.com". If it's salted uniquely per password, they can't then use the rainbow table to reduce the time taken to do an *en masse* reverse; they effectively need to brute force every password. And even that is less of an issue should they happen to have a botnet at their disposal; all they need to do is distribute hash/salt pairs out, and have their bots do the crunching via brute force rather than rainbow tables. That's how I'd do it, anyway.

We can probably assume that ebay have fallen into the common trap of using lower-complexity hashing algorithms, on the grounds that 500ms is too long to wait to log in, and the combined compute load of their users logging in would be too expensive should they use something "heavyweight". Which is fair enough, but it makes brute-forcing feasible, time-wise. And even if they are using something "hard", all the brute forcer needs to do is give up after a certain amount of time, or put harder hashes "back onto the queue" for later attention, focussing on getting the lower hanging fruit first.

Whichever way you look at it, if they want into your account, you're proper fucked whatever happens.


Re: "Encrypted" passwords

Standard salting isn't enough if you have billions of logins. The standard salt on many systems is only 8 characters and only contains about 48 bits of entropy. That is about 300 trillion unique salt values, so there should only be about a 1 in 300,000 chance that your eBay password shared the same salt as another user; however, that assumes the random salt generator works properly, and what I've seen in the real world is a few thousand people will be sharing the same salt. eBay must release details of how those passwords were stored. They also need to identify any large groups of users with shared salts since they will be the 1st targets.


Re: "Encrypted" passwords

Don't confuse an implementation of salt with the definition of a salt. Salt is simply a technique. It can be 2 bytes but it can just as easily be 256 randomly generated bytes (or any number). It doesn't even have to be appended to the end. You know the size of the hash output so you can interleave the salt and resulting hash in the one field if you want. That approach means that your authentication server can easily get all the information it needs and you cannot tell from the table what is hash and what is salt.

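The two points made above (a salt generator that silently hands out the same salt to thousands of accounts, and the salt living in the same column as the hash) are easy to check in code. The following is an added example, not eBay's code and not anything the article describes eBay as doing: it stores each password as one field of random 16-byte salt followed by a PBKDF2-HMAC-SHA256 output from Python's standard library, verifies a login against that field, and audits a stored table for salts shared between accounts. The user names, passwords and the deliberately broken all-zero salt are constructed for the demonstration.

```python
import hashlib
import secrets
from collections import Counter
from typing import Dict, List, Optional

# PBKDF2 work factor (constructed value; tune so one login costs tens of milliseconds)
ITERATIONS = 100_000
SALT_LEN = 16   # 128-bit random salt: shared salts between accounts are then vanishingly rare
HASH_LEN = 32   # SHA-256 output length


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return one 48-byte field: the salt, then the derived key.

    The salt is generated fresh per call unless the caller supplies one
    (the audit below uses that to simulate a broken salt generator).
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=HASH_LEN)
    return salt + key


def verify_password(password: str, stored: bytes) -> bool:
    """Split the stored field back into salt and key and re-derive with the same salt."""
    salt, key = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=HASH_LEN)
    return secrets.compare_digest(candidate, key)


def shared_salt_groups(records: List[Dict], min_size: int = 2) -> Dict[str, int]:
    """Audit a password table: map each salt used by >= min_size accounts to its count.

    A healthy table returns {}; a broken generator shows up as a large group.
    """
    counts = Counter(r["pwd"][:SALT_LEN] for r in records)
    return {salt.hex(): n for salt, n in counts.items() if n >= min_size}


def demo() -> Dict[str, object]:
    """Constructed sample data: two accounts sharing a password, and a table whose
    salt generator always returned zeros."""
    alice = hash_password("ebay.com")
    bob = hash_password("ebay.com")
    healthy_table = [{"user": "alice", "pwd": alice}, {"user": "bob", "pwd": bob}]

    fixed_salt = b"\x00" * SALT_LEN   # what a broken "random" salt generator might emit
    broken_table = [{"user": f"user{i}", "pwd": hash_password("hunter2", fixed_salt)}
                    for i in range(5)]

    return {
        "same_password_same_field": alice == bob,          # False: per-user salt differs
        "alice_login_ok": verify_password("ebay.com", alice),
        "alice_wrong_password": verify_password("ebay.con", alice),
        "healthy_groups": shared_salt_groups(healthy_table),   # {}
        "broken_groups": shared_salt_groups(broken_table),     # {"00"*16: 5}
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit function only needs read access to the password column, so it is the kind of check a defender can run before an incident rather than after one. Interleaving salt and hash bytes, as the comment suggests, changes only the two slicing lines.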

I love the way they say that "no financial information was compromised" - Well that doesn't matter as they now have all the information they need to take our credit cards, loans and to commit identity fraud regardless.


Data used for phishing

"The digital break-in of staff accounts was detected about two weeks ago" ... "no evidence of the compromise resulting in unauthorized activity"

Really? My sister notified them on 22nd April about an eBay phishing email she received which contained her very personal contact details as provided to eBay. The phishing email was asking to fill in a form with all credit card details.

The personal details provided made it look very credible I have to say.


Known about it for two weeks...

and they didn't think to mention this absolutely immediately...

and no emails from them

and no message on the front page

A lesson in how not to manage security issues post exploit.

Anonymous Coward

All they knew 2 weeks ago was that a couple of staff accounts had been compromised.

The subsequent investigation, which took time, revealed what was accessed by those staff accounts.

Anonymous Coward

Hmm, seems odd.

That when Sony told everyone that payment details weren't taken, the press conveniently, "forgot" to include that rather important nugget. EBay have the luxury of having it in bold.

It also seems odd that whilst Sony got a tonne of bad press for dragging their heels for a week whilst doing forensic analysis on the hack and gaining solid information, that was totally unacceptable, yet eBay sitting on this knowledge since February is somehow perfectly fine.

Funny old world....

Anonymous Coward

Re: Hmm, seems odd.

Why not post under your Sony ID instead of anonymous?


darn it. It gets tedious inventing new passwords, there are so many sites that I log into, I need an A4 notepad to store all my passwords - and then I have to encrypt that in some way so that no one can somehow use it if they find my list of site names and passwords........ Wish I had an eidetic memory :-(


Try something like LastPass, KeePass or another password vault.

Just make sure your master password is as long and complex as possible, and ideally use two factor auth.

Anonymous Coward

Or come up with a master password and a rule to derive extra bits based on the domain name. For instance, "ABCD123" & characters 5-8 of domain name & "45EFGH" & number of characters in domain name + 2 & "IJK678". Different password for each site, easy to remember, can be done with your brain so no software required (which you might not always have), and tough to reverse engineer. I also advise basing the master password on the initials of a memorable sentence, which makes it trivially easy to remember a good long password with no dictionary words or obvious patterns in it. Takes a bit of concentration for the first couple of days, then just comes easily.

For example, using the sentence "The 2014 version of Godzilla is way better than that pitiful Roland Emmerich shite" gives "T2014voGiwbttpREs". Add the above rules for this site, and you could get "T2014vegisoGiwbt13tpREs". Same system for Amazon.co.uk would give "T2014voncooGiwbt8tpREs".

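The derivation rule in the comment above can be written down exactly, which also makes its unstated details visible: positions 5-8 are counted after the dots are removed from the domain, and the character count is taken from the second-level label only ("amazon", not "amazon.co.uk"); both readings are needed to reproduce the commenter's two results. The code below is an added example, not the commenter's own program. It assumes "this site" means theregister.co.uk and that the three fixed segments of the master password are split after the 6th and 12th characters; the sentence and the two expected outputs are the ones given in the comment.

```python
from typing import Tuple

# Sentence and master password quoted from the comment
SENTENCE = "The 2014 version of Godzilla is way better than that pitiful Roland Emmerich shite"

# Assumed split of the master into the three fixed segments the comment calls
# "ABCD123", "45EFGH" and "IJK678" (after the 6th and 12th characters)
SPLIT = (6, 12)


def master_from_sentence(sentence: str) -> str:
    """First character of each word, except that a purely numeric word is kept whole."""
    return "".join(w if w.isdigit() else w[0] for w in sentence.split())


def site_password(master: str, domain: str, split: Tuple[int, int] = SPLIT) -> str:
    """Apply the comment's rule: segment1 + chars 5-8 of the dotless domain
    + segment2 + (length of the second-level label + 2) + segment3."""
    labels = domain.lower().split(".")
    flat = "".join(labels)          # dots stripped before counting positions
    middle = flat[4:8]              # characters 5-8, 1-indexed
    count = len(labels[0]) + 2      # "amazon" -> 6 + 2 = 8
    a, b = split
    return master[:a] + middle + master[a:b] + str(count) + master[b:]


if __name__ == "__main__":
    m = master_from_sentence(SENTENCE)
    print(m)                                          # T2014voGiwbttpREs
    print(site_password(m, "theregister.co.uk"))      # T2014vegisoGiwbt13tpREs
    print(site_password(m, "amazon.co.uk"))           # T2014voncooGiwbt8tpREs
```

As later comments in this thread point out, a password derived from the site name cannot be rotated for one site after that site is breached without changing the master; a practitioner weighing this scheme against a vault should factor that in.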

Encryption

"Exactly how the tat bazaar's passwords were 'encrypted'"

ROT13 for the US and Pig Latin for the rest of the world. No problemo.


encrypting sensitive personal data

Why do companies like @eBay or @Target NOT encrypt sensitive personal data? Let me hear one single good reason.

How about because for things like addresses they need to be able to decrypt it, which means they need to store the password, and that can be stolen like any other piece of data. Encryption is only useful if you don't keep the key anywhere near the data, which is tricky if you need to be able to retrieve the data automatically, as distinct from asking a real person to type in their key.


Re: encrypting sensitive personal data

Yeah, but it's good marketing.

"They got your data. But don't panic: it was encrypted! *mumble* they may also *cough* have got the *cough* encryption key. *endmumble*"


no indication of INCREASED fraudulent account activity on eBay

I love that phrasing.


Re: no indication of INCREASED fraudulent account activity on eBay

So, if there was no evidence of fraudulent account activity, how did they know they'd been hacked?

This is actually quite an interesting incident and any comment must involve a certain amount of reading between lines. The truth is undoubtedly out there but getting to it may present a challenge. But a bit of speculation seems in order...

So then - if the intrusion happened a couple of months back and it was only detected weeks ago, we have two possibilities - either eBay are truly incompetent to the point of recklessness, or this was a fairly stealthy attack by someone who was actually rather good at this sort of thing. If the latter is true, then my best guess would be some sort of spear-phishing directed at system admin type folks. A bit of homework scanning through LinkedIn would probably produce enough information to send a plausible email containing some sort of zero day attack either as an attachment (old hat) or a link back to a compromised site. Job done, start extracting information and loading up the root kits or whatever.

No conventional security tools are likely to detect this if done well.

At this point, my sympathies are with eBay. Briefly.

However, whatever protection they had over encrypted/hashed passwords was obviously woefully inadequate, assuming of course that passwords were compromised rather than 'might have been' compromised.

Which leads to epic fail on communications. Keeping your mouth shut for a couple of weeks is understandable - get the forensics folks in and crawling all over your logs etc and understand the extent of the problem before you go public is perfectly reasonable.

But - that period should give you enough breathing space to produce a coherent and sensible communications strategy. One that does not consist of vague advice to change your password. Why the hell couldn't someone have written a script to enforce password change at next logon? Not rocket science.

Bad security controls and poor incident management. A classic example of a major organisation not taking information security seriously.

Anonymous Coward

I smell bullshit

First we are told the NSA have access to everything then every man and his dog are getting you to change passwords.

If they didn't have your password before they certainly do now.

or maybe I'm just too cynical and need a tin foil hat?


Pardon my American ignorance: what is a "tat bazaar"? Is eBay's "tat bazaar" a subset of eBay's service, jargon for an online auction, or something else. Mr. Google links to lots of articles by El Reg on the topic, but using a term to define a term is term-inally unhelpful.


a bazaar is like an open air market

tat is a load of useless old shite

eBay is the company hosting aforementioned tat-bazaar


"I can't define a tat bazaar but I know one when I see one"


If you use a key manager...

Had to disable javascript on the new password page as you can't paste your new 20 character long password containing upper + lower + numbers and symbols.


legal action?

Any chance there could be some *penalties* for companies being too cheap to keep things secure?

OK, stuff happens, crims will always try and get in. But if they want our information (and they claim they do) they should be legally culpable.

Perhaps the cost of IT security teams would go up...?

P.


Data Protection Act and Information Commissioner

It seems to me that this is a data breach and eBay has a registered office in South West London. Can the ICO take action if we make a complaint?


Re: Data Protection Act and Information Commissioner

"It seems to me that this is a data breach and eBay has a registered office in South West London. Can the ICO take action if we make a complaint?"

BWAH HA HA HA HA HA HA

<font size=plus infinity>BWAH HA HA HA HA HA HA</font>

You owe me some new sides to replace the ones I have just split.

.. sorry. You may have missed the Troll Icon. Have beer instead.


Or you could just try writing eBay a stern letter

Cut out the middle man...

Mat

Re: Data Protection Act and Information Commissioner

Well if eBay were to change their name to NHS then I'm sure they'd be fined! ;)


eBay.fr

No notification. No email. No on-screen prompt. No nothing.

Luckily I have zero trust in PayPal so I always use virtual credit cards. As for the rest of it, WTF eBay?


Re: eBay.fr

They informed me at seven o'clock this morning...

"Here is the information we have: this attack took place between late February and early March, and resulted in unauthorised access to a database of eBay users containing our members' usernames, encrypted passwords, e-mail addresses, postal addresses, telephone numbers and dates of birth." - they stop short of pointing out the seriousness of what this actually means. As my mobile number is unlisted, if I suddenly find myself drowning in spam texts, I fully trust that eBay will meet all costs incurred in changing my number; not to mention sorting out the cancellation of any services that other people might sign me up to on the basis of this information (there is enough there to get a person subscribed to SMS services that are charged €€€ per text sent). Thankfully I think the French banking system is too tightly regulated for loans to be granted based purely upon this, though other countries may be somewhat less careful.

I guess the main question now is not so much what went wrong at eBay, but more - what happens now with regard to this information.


Odd happenstance upon login....

I just logged into my eBay account - instead of taking me to the main landing page, it took me to a screen with the words, "Message from eBay"....and no message. Underneath that was a button labeled "Continue to your Destination"

A blank message seems somehow to epitomize eBay's overall approach to security and communication, i.e., non-existent.


Re: Odd happenstance upon login....

But, complain not. You at least got a message.


Re: Odd happenstance upon login....

"In order to achieve true enlightenment, first, you have to realize the truth: There is no message!"


Re: Odd happenstance upon login....

You're running an adblocker


Re: Odd happenstance upon login....

Same happened to me. I assume it was eBay trying to force-feed me advertising.

Now, how do I go about configuring AdBlock to stop that incredibly annoying full-page video PayPal has on its landing page?

Anonymous Coward

Re: Odd happenstance upon login....

With Adblock Plus, right click on video on Paypal site, click on 'Adblock Plus:BlockAudio/Video.....' then click on 'Add Filter'


Just tried to change mine ...

... page not available due to high traffic (presumably of people changing their passwords)


Password change FAIL

Just logged on to my eBay account to change my password in response to their advice. This is the response I got 5 times in a row:

"Page not available

Ebay is asking its users to reset their passwords due to the unauthorized access to our corporate information network. This may result in a delay of service due to the high traffic volume. We ask for your patience and that you return to eBay soon. In the meantime, please be assured that no activity can occur on your account until your password is reset.

You may also visit Customer Service"

So we are advised to change our passwords ASAP because Ebay takes our security "seriously"? "Seriously!"

Anonymous Coward

Is the net progressing or regressing?....

I started out using the net @ uni for a comp-sci degree in the early 90's. It held so much promise. Around the mid to late 90's it started to become over-commercialised, but it still had promise. However, now it just isn't fun anymore: The 'Target' hack, Heartbleed, the Adobe cloud fiasco, E-Snowden & NSA privacy revelations, Google ads on everything goal, and now this latest eBay / Paypal meltdown....

I used to be the go-to guy for family friends for tech matters, but I can't be anymore. How can I assure them of anything when even the CEO of Symantec-Norton admits that their own AV / Malware / Phishing products are a sham! I can't even offer advice regarding financial hacking or data privacy, or government spying, because the attack vectors are firmly beyond me now...

I have a home based business. I used to diligently roll out updates and patches and even made assumptions that made me sleep better at night. But who has the time anymore?! I now leave most of my office machines permanently unplugged and off-the-net (and use a USB sparingly by air only when necessary). For the machines that are still 'live', I dedicate one to design, another to financial / accounting, and another to (risky) browsing, and isolate all onto different networks...

All the while I'm thinking this isn't f*cking progress! In addition I no longer have an active financial presence online, because I don't feel the banks / retailers etc, are doing enough to protect consumers, much to the chagrin of many pollyannic customer service mugs.

But I used to love the internet and I lament the fact there's so many sheeple using it, thereby fuelling the rise in hacks and scams... I cannot help but ask, why have an eBay / Paypal account when you're just a mark to a hacker with ultra-fast broadband in a small town in Romania you've never heard of?... Same goes for Google+, FB, Yahoo and MS mail...

And when the net isn't about scamming, account hacking, data breaches and hype, it's saturated by the latest celebrity vampire leveraging it for all it's worth... Driven on by a fickle global-media praying at the altar of the new shinny Twitter, Facebook, Google: 'God'...

So am I the only one retrenching from the net?


Re: Is the net progressing or regressing?....

YOU DARED TO SPELL SHINY INCORRECTLY.

Seriously: you make a good point.


I'm beyond fed up with this

A major site hack or vulnerability or whatever comes out every other week, prompting me to change my password(s). The new one(s) should (once again) be unique to the site, not tied to any personal data, etc., etc...

Go to hell. Seriously, just go to hell; I'm not a goddamn hash table that can store an infinite number of passwords for an infinite number of sites and change any or all of them at a moment's notice. My memory is rather limited in this aspect.

Use a password manager, you say? I access these sites from a variety of devices and don't want my passwords to be present (encrypted or not) on all of them. Instead, I use SuperGenPass, but since that uses my master password and the site name to generate the actual pass, I can't change the site password without changing my master password, and thus we're back to square one.

I'm just so sick and tired of the whole thing by now, goddammit...


Re: I'm beyond fed up with this

Interesting point on the "construct password based on site name" concept.

This is all fine and good until you have to change it, and which point you become stuck.


Reset

Sounds like it was the meat they employed to blame for this one, compromised accounts. Aren't they regulated as a bank these days? Or does that just apply to their Paypal racket?

I might switch to LastPass. Keep complex passwords all in a centralised web-based service... What could go wrong!

Also what happened to loading a public/private key pair into your browser and authing that way? All your details encrypted with your private key but stored on whoever's servers. Sounds a bit better than the current shambles to me. I remember it was all the rage with HSBC business banking 15 years ago or so, albeit with a hilariously complicated implementation.


Not just your current password ...

Don't forget, the retards at eBay do not just keep your current password in the db, they keep all your previous passwords too ... as anyone who has been faced with their "you can't use that password, because you have used it before" idiocy will know ... so potentially they have not just revealed your current password .. but your whole keyring.


A rant, and a question (the question's at the end)

Apologies for the rant, it's an almost direct c/p of my arsebook post on the subject, but the question at the end is likely to be answered relevantly by folks here. (I notice Robin Szemeti above has noticed this too.)

Begin paste:

Several points against ebay here. Their backend database got 'hacked' [read: we left the keys on the hall table]. This much is public knowledge.

So I go to change my password as recommended. Nope. No such user, followed by several variants of 'this page is experiencing extreme load' and 'this page not found' and 'no such email in database'

So I go to chat to customer disservices using their live chat. Unavailable, despite being in working hours, california time.

SO I get pissed, and send them a web form based Shit-O-Gram telling them to bloody well fix their ebay password change page NOW as they've just bloody asked everyone to use it.

I immediately get an email response with some utterly unrelated drivel that was barely literate, referring to paypal password problems. So naturally I replied to it with a "read your goddamned missives rather than sending algorithm matched shite". Only to get a bounce message saying 'this email account is not monitored'. So don't fscking HAVE IT then, what the hell is the point of an email address that doesn't work?

Eventually after much use of F5 and other F words, I get to the 'reset your password' link, and try to reset it. Only to get an offer to send me a PIN. By Text. To A FSCKING LANDLINE NUMBER. *HEADDESK*

I chose the more sensible option: Email me a reset link. Here they scored a minor plus: The reset email, which arrived almost instantly and was in my set 'plain text' format, told me to c/p the link to the address bar, encouraging me NOT to click links in email. Good advice. Credit where it's due.

However, the system then accepted my new password, but would not allow me to sign in with it.

So I hit reset AGAIN. And here begins the section with the query, I'd be pleased to hear you commentards' input on this: It then refused to let me use that same new password again, as I'd previously used it.

This to me says there's a problem: One of the following.

1. They're storing unencrypted passwords (not likely for such a large company, that's a rookie mistake),

2. They're storing encrypted passwords, not the hashes, bad practice.

3. They're storing unsalted hashes.

4. They're salting the hashes with the SAME salt, thus rendering it useless.

The questions are twofold. 1, is my analysis above basically correct (I would LOVE some input on my understanding of hashing algorithms), and 2, am I right that this is a major security flaw?

I won't even go into the rant about 'your password must contain 2 lowercase, 2 numbers, 2 symbols, 2 uppercase, the blood of a virgin, 2 bits of first kingdom hieroglyphics BUT NO SPACES' crap.

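On the question asked above: a "you have used that password before" check does not by itself require any of the four storage choices listed. If every stored entry, old ones included, carries its own random salt, the server can re-derive the candidate password against each entry's salt and compare, and nothing about the check reveals whether the hashes are salted. The code below is an added example of that design, not eBay's code (the article says nothing about how eBay stores password history); it uses PBKDF2-HMAC-SHA256 from Python's standard library, and the account, passwords and history depth are constructed for the demonstration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ITERATIONS = 100_000   # PBKDF2 work factor (constructed value)
SALT_LEN = 16

# One stored password, current or historical: (its own salt, derived key)
Entry = Tuple[bytes, bytes]


def make_entry(password: str) -> Entry:
    """Every stored password gets a fresh random salt, so two entries never share one."""
    salt = secrets.token_bytes(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def matches(password: str, entry: Entry) -> bool:
    """Re-derive with the entry's salt; the salt is stored in the clear, the password never is."""
    salt, key = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return secrets.compare_digest(candidate, key)


@dataclass
class Account:
    current: Entry
    history: List[Entry] = field(default_factory=list)
    max_history: int = 5   # how many old passwords are remembered (constructed policy)


def change_password(acct: Account, new_password: str) -> bool:
    """Reject new_password if it matches the current or any remembered old password.

    Each comparison uses that entry's own salt, so the check works with
    unique salts; it does not need unsalted hashes, a shared salt, or
    reversible encryption.
    """
    if any(matches(new_password, e) for e in [acct.current, *acct.history]):
        return False
    acct.history = [acct.current, *acct.history][: acct.max_history]
    acct.current = make_entry(new_password)
    return True


def login(acct: Account, password: str) -> bool:
    """Only the current entry is ever used for authentication."""
    return matches(password, acct.current)


def demo() -> Dict[str, bool]:
    """Constructed walk-through: change once, then try to go back to the old password."""
    acct = Account(current=make_entry("Spring2014!"))
    first = change_password(acct, "Summer2014!")      # fresh password: accepted
    reuse = change_password(acct, "Spring2014!")      # old password: rejected
    salts = {acct.current[0], *(s for s, _ in acct.history)}
    return {
        "first_change_accepted": first,
        "reuse_rejected": not reuse,
        "login_with_current": login(acct, "Summer2014!"),
        "login_with_old_fails": not login(acct, "Spring2014!"),
        "every_entry_has_own_salt": len(salts) == 1 + len(acct.history),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cost of the history check grows with the history depth, since each remembered entry costs one full PBKDF2 derivation; that is one reason to cap `max_history` rather than remember every password an account has ever had.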


Biting the hand that feeds IT © 1998–2017