Monthly Archives: May 2014

eBay Falls Victim to Breach: SourceForge Updates Password Storage

 It was just recently announced that eBay suffered a breach that led to the compromise of user details including:

  • username
  • encrypted password
  • email address
  • physical address
  • date of birth
  • phone number

Their announcement indicates that no other data (financial or otherwise) was compromised. Financial data is believed to be stored separately. The good news is that they appear to have separation and only credentials were retrieved. The bad news is that eBay is another victim of the loss of credentials.

eBay mentions that the passwords were encrypted, but they do not indicate how they were encrypted. We have seen a lot of different definitions for encryption, and even among valid ones, some techniques are better than others. Were they hashed, or encrypted? If hashed, were they salted? Were there iterations? We don’t get these types of details when a breach like this happens, but the answers to those questions can give an indication of how well the passwords may stand up to brute-force attacks. We can only hope that they were using “Good” techniques for storing passwords.

It is recommended that you change your eBay password and the password on any other site where you use that same password. Even with the best password protection out there, once there is a compromise, let’s just assume it is cracked. This may be a good time to go through and update some of your other passwords too.

Here is a great article on creating stronger passwords: http://www.itbusinessedge.com/slideshows/eight-ways-to-create-stronger-passwords-and-protect-your-accounts.html

In other news, SourceForge has announced that users will have to change their passwords upon next login. They have stated that they have changed how they store passwords to increase their security. It is great to see a company that is actively looking at their controls and updating them. Of course, they don’t provide any details on how they will be storing and protecting the passwords, so we can only assume that they are using “Good” protection.
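The questions raised above (hashed or encrypted, salted, iterated) map onto code like the following. This is an added example, not from eBay or SourceForge, neither of which disclosed their scheme; the record format, the function names and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; tune to your own hardware
SALT_BYTES = 16

def unsalted_fast_hash(password: str) -> str:
    """Weak baseline: one unsalted SHA-256 pass. Equal passwords give equal
    hashes, so one guess tests every stolen record at once."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. Salt and cost are stored with the digest so the
    cost can be raised later without breaking old records."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; malformed records fail closed."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != ALGO:
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(dk, expected)  # constant-time comparison

def needs_rehash(record: str) -> bool:
    """True when a record uses another scheme or a cost below current policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS

def login(password: str, record: str) -> tuple[bool, str]:
    """Verify, then upgrade a weak record while the plaintext is in hand.
    Returns (authenticated, record_to_store)."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record
```

Upgrading on login is one alternative to forcing every user to pick a new password when the storage scheme changes; it only works for records that can still be verified.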

There is a lot of buzz around password security, and there has been for a while. I don’t see that changing any time soon. Help raise awareness among others about how to manage passwords securely.

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com, @jardinesoftware or visit the Secure Ideas – Professionally Evil site for services provided.

Comprehensive Testing: Red and Blue Make Purple Video

James Jardine and I held the Comprehensive Testing (Purple Teaming) webcast yesterday.  In this webcast we discussed how red teaming works, what it means to be a blue team member and how combining the testing of these roles improves the security of an organization.  We talked through various misconceptions and told a lot of stories.…

Carolina Spring Security Events

It seems that Spring is “prime time” for security professionals in the Carolinas, and Charlotte seems to be at the center of it at least geographically if not organizationally.  This year started with the 10th Annual InfoSec Summit organized by ISSA Charlotte.  This was a successful year for the summit, bringing together more security professionals…

Professionally Evil Web Penetration Testing Class

Ever thought about being able to test the security of your web applications? Wanted to know how the Professionally Evil hack web services and applications?  Interested in upgrading your skills around attacking modern web applications? Well now you have your chance! Secure Ideas is excited to announce the latest in our course offerings.  We will be…

Professionally Evil Training: Advanced Tactical Burp Webinar

Secure Ideas is excited to announce its latest upcoming online training.  We will be offering a two-hour session exploring advanced topics related to Burp Suite and its use in a web application penetration test.  Kevin Johnson and James Jardine will explore the various features of Burp Suite, focusing on how we use the system during our penetration…