Orlando Scott-Cowley

Another Day Another Breach – eBay…Now Office

eBay seems to be coping with the hack of its user database. Weeks on from the announcement that its user database had been breached and we’re seeing millions of users change their passwords after receiving notifications from the online auction giant.

If you missed the news, around 145 million eBay users had their email addresses and encrypted passwords stolen when one of eBay’s databases was breached.

We now know that hackers were able to gain access to the user database by compromising three corporate eBay employees and using their credentials to access the eBay network. eBay has also told us that it believes there was no customer data compromised initially, but gives little more information than that.

We can speculate that the attack was most likely perpetrated through a targeted attack in email or a spear phishing attack. If this is right, the corporate employees of eBay who had their credentials compromised would have been sent a link in an email that tricked them into giving away their user details. We don’t yet know if those credentials were eBay’s website username and passwords or if they were network or corporate credentials.

Spear phishing and targeted attacks have become the de facto attack vector for anyone hacker trying to compromise an enterprise. Attackers know that most organizations have been lulled into a false sense of security regarding spear phishing – thinking that their existing legacy anti-spam and anti-virus systems protect them from spear phishing. While it would be true to say the majority of Secure Email Gateway vendors have started to build in protections for spear phishing; we also know that all the recent major and most public breaches have successfully snuck past major security vendors.

This week brings another personal data compromise. Office, a UK shoe retailer has admitted that its website has been compromised to the extent that customer personal data has been stolen. Office is asking all its customers to change their passwords.

Office and eBay are both quick to point out that no “financial information” was stolen. While this seems to be the case, stealing personal data, as in the Office hack, may give the attackers enough information to allow them to steal your identity. Once you lose that, you risk losing that key financial information.

The CIOs and CISOs I talk to are generally worried; none of them want to be the next big breach. They all understand the risks associated with spear phishing and are all trying to educate their users, but many worry constantly about those few users who still click the link in the email, or enter their user credentials in mystery websites.

Protecting against this human risk is a much tougher task, and until we solve that, these big breaches will continue. It’s why new security technology to counter spear phishing like our Targeted Threat Protection service must be combined with effective user monitoring and education if we are to successfully counter this growing threat to our organizations.


eBay – A Trophy Hack?

The news over the last week confirmed that eBay has been hacked. Media comments suggest that upwards of 145 million users have had their account details, including passwords and personal information, stolen.

According to reports, the story started when a bizarre blog post appeared on PayPal’s website that indicated eBay was asking users to change their passwords. The post was quickly deleted, but not before it had been retweeted dozens of times. The cat was out of the bag and eBay started making the headlines.

What we know

eBay has been hacked! If this isn’t alarming enough, consider that eBay’s user-base is huge and the data that appears to have been stolen contains more than just usernames and passwords. eBay is obviously worried that the breached database contains personal information as well as encrypted passwords.

What we dont yet know

So far eBay has been reasonably tight lipped about the breach. But there are some significant unanswered questions that it needs to address quickly:

  • How much data was stolen, and how easy would it be for the attackers to use that data?
  • How was the data encrypted?
  • How were the passwords encrypted? How strong was the hash function and were the passwords salted too?

The trophy hack

eBay is one the world’s largest websites and given the nature of its business need to retain a significant amount of personal information about its users. In terms of a target for attackers, eBay is a holy grail and a trophy, because a compromise of its databases would be the one-stop-shop attackers need to gain personal and financial information.

What you should do now

The advice in the event of hacks like this is always the same. Change your password. Consider also changing your PayPal password in this case.  Although PayPal appears not to have been affected, I’m betting lots of people use the same password for PayPal as they do for eBay.

Then consider which other sites you may have used that password on. This is yet more proof if you need it why you must never share passwords across websites, but despite the common sense of this many people still do it. Also change and rotate your passwords regularly.

Better still, use a password tool like LastPass (other password tools are available) which will generate a long and complex password for you, then remember the site and password for you.

I’m waiting to see how this incident pans out and I’m expecting we’ll learn a lot from it. I’ll provide more analysis on this blog shortly.


Dealing with the File Sharing Menace – Join the Discussion

When Bloor’s ‘Taking control of file sharing services’ white paper was made public on this blog last month we were pleased it became a hot topic in numerous conversations with customers and prospects planning their file sharing strategy.

Learn about the risks of uncontrolled cloud file sharing caused by attachment size limits placed on your staff, and how to retake control. Register now http://mim.ec/1fADyIQ

Learn about the risks of uncontrolled cloud file sharing caused by attachment size limits placed on your staff, and how to retake control. Register now http://mim.ec/1fADyIQ

As predicted, it’s a report which taps into the growing trend of office workers using consumer-grade personal file sharing services to send and store corporate data. However, there have also been a number of new conversations and ideas sparked by the report we are keen to explore further.

The increasing interest in IT-sanctioned file sharing service is why we’re hosting a free 40 minute webinar with Bloor (‘Deal with the file sharing menace’ on 20th May 10am EST US, 3pm UK, 4pm South Africa) next week. Fran Howarth, Security Analyst, Bloor Research will be presenting an overview of the enterprise grade file sharing options and revealing the real-life horror stories encountered by Bloor.

I’m delighted to say that joining Fran and I will be Joel Edwards, Director of IT, Wiggin and Dana LLP who brings his own unique perspective on the risks associated with uncontrolled cloud file sharing caused by attachment size limits placed on staff and enterprise best practice that will enable you to retake control.

You can register for the free ‘Deal with the file sharing menace’ webinar on 20th May here. Hope to share ideas with you then.

In the spirit of interactivity we’re hoping participants will bring along questions to ask the experts – feel free to send me the questions directly (osc@mimecast.com) or enter a comment after this post.


Protecting Yourself from Phishing Doesn’t Have to Be That Hard

I just read in Computer Weekly and Computing about the BBC’s method of dealing with phishing attacks. The articles were based on a keynote presentation by David Jones, Head of Information Security at the BBC at InfoSec.

His experience of how challenging it is to protect users and the network from phishing reflects comments I hear from many organizations.

I was struck by this in particular: To combat future attacks, Jones said the BBC has created a flag pole. “This enables us to say we have a phish attack and we can block the phishing attack domain, then set a search to delete phishing messages from inboxes.” While such an approach works on desktops and laptops, Jones said it is still necessary to in touch with mobile users, as mobile devices are generally outside the control of corporate IT.

This ‘monitor, identify and purge’ method to phishing protection has been the de-facto approach for most IT teams. As his comments suggest, it’s expensive, complex and time consuming. Also it’s not a complete solution as it doesn’t always cover mobile as we see here. This is a rapidly growing problem with the proliferation of mobile devices sitting on the average network or email system today. For many of us our mobile might even be our primary email device.

But the good news is that you can protect yourself from this threat and before the attack reaches your end users. It doesn’t have to be this hard (or expensive). Please excuse the blatant plug but this is exactly the kind of problem we set out to fix with our own phishing service announced last week – Targeted Threat Protection. It stops the phishing problem organizations are currently battling in its tracks.

Targeted Threat Protection means phishing emails that clear the email gateway have their links rewritten and Mimecast checks the webpage every time the link is clicked by the user. If it’s clean the user goes straight to the site and if not, it’s blocked. And this happens every time it’s clicked because many phishing attacks may start with clean webpages only changing them later to malware hoping to catch a later or second click. And importantly, this protection extends to every device they use to access their corporate email – mobile or desktop, corporate or BYOD.

The IT team can be alerted automatically that they have phishing mail on the network helping them get an early warning of threats.  But they can relax knowing that, users are protected even if they ignore their training or instinct and decide to click on the link in the email.

And it’s a service on the Mimecast cloud so no local hardware, installs or updates required. The IT team enable it centrally from their Mimecast administration console.

I also see that Mr Jones went on to talk about the importance of user training – I couldn’t agree more. You need technical protection matched with end-user training. This is partly why we’re building reporting tools into the administration console so the IT team can see whose clicking malicious links, adapt security profiles or initiate training to reduce a future threat from risky online behavior.

So the bad news – the phishing threat (and spear phishing in particular) is growing and it’s real. The good news – cloud email security services like those from Mimecast mean you can protect yourself without adding yet more complexity and cost to your infrastructure.

Anyway plug over.