eBay's Weak Security Architecture
By RLR UK, published 2014-05-24 at 20:12:56
Summary: Well, eBay are in the news due to the breach of 145 million users' account details. There are a few worrying things about this breach, beyond the breach itself, that point to architectural issues in eBay's security.

The first issue is that, according to Reuters, a spokeswoman claimed that eBay used 'sophisticated', proprietary hashing and salting technology to protect the passwords. This sounds very much like security through obscurity, which doesn't work. So either they are using a proprietary implementation of a publicly known algorithm, or they have created their own. Both of these situations are doomed. As always, no one person can think of all the attacks on an algorithm, which is why we have public scrutiny. Even the best cryptographers in the world can't create new algorithms with acceptable levels of security every time. Do eBay have the best cryptographers in the world working for them? I don't believe so, but I could be wrong. Also, if their argument is that hackers don't know the algorithm and so can't attack it, then I'm fairly sure they're wrong there too. Even if the algorithm were secure enough to stand up to analysis of the hashes alone, the hackers have eBay staff passwords, so perhaps they also have access to the code. If, on the other hand, they have their own implementation of a public algorithm, I have to question why. Many examples are available of implementations that have gone wrong and introduced vulnerabilities, e.g. Heartbleed in OpenSSL. Do they think they know better?

The second issue is that they don't seem to encrypt Personally Identifiable Information (PII). This is obviously an issue if a breach should occur, although, admittedly, it doesn't solve all problems, as vulnerabilities in the web application could still expose the data. However, it is likely to have helped in this situation.
Finally, and most importantly, how did gaining access to eBay staff accounts give the attackers access to the data? Database administrators shouldn't have access to read the data in the databases they manage. Why would they need it? Also, I would hope that there are VPNs between the corporate and production systems, protected with 2-factor authentication. So how did they get in? Well, either eBay don't use this standard, simple layer of protection, they leave their machines logged into the VPN for extended periods, or they protect the VPN with the same password as their account. Even if eBay do implement VPNs properly with 2-factor authentication, the production servers shouldn't have accounts on them that map to user accounts on the corporate network. Administrative accounts on production servers should have proper, audited account control with single-use passwords. Administrators should have to 'sign out' an account and be issued with a one-time password for it by the security group responsible for Identity and Access Management (IAM). All this leads me to think that eBay have implemented a weak security architecture.
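To illustrate the first issue, here is an added example (not code from the post or from eBay) of password storage that relies only on a public, standardised construction: PBKDF2-HMAC-SHA256 from Python's standard library, a fresh random salt per user, and a stored record that openly states the algorithm, iteration count and salt. Nothing depends on the scheme being secret; the iteration count and record format are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 is a public, standardised KDF (RFC 8018), so its
# security rests on the work factor and the password, not on obscurity.
# The iteration count below is an assumption for this example; tune it
# to your hardware so a single verification costs a noticeable fraction
# of a second.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    Every parameter needed to verify is stored in the clear; an attacker
    who reads the record learns nothing that lets them skip the work.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, treat as a failed login
    if algorithm != ALGORITHM:
        return False  # refuse records from an unknown or home-grown scheme
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str) -> bool:
    """Two users sharing a password get different records, so a leaked
    database cannot be attacked with one precomputed table."""
    return hash_password(password) != hash_password(password)
```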