This week wasn’t an overly busy one in terms of security news. However, yesterday’s announcement that attackers breached a server containing user passwords at the online retail and auction giant eBay has to be the biggest story of the week. Closely behind that – in terms of importance – was the emergence of yet another zero-day in Microsoft’s very widely used Internet Explorer Browser. Stepping away from bad news, Samsung is going beyond fingerprints, identifying new ways of biometric authentication. And, as always, we have some patches to mention, if only in passing.
eBay announced yesterday through its corporate website (eBay Inc.) that attackers compromised a database containing customer names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth. Because encrypted passwords were stored in the breached server, eBay will be forcing users to change passwords in the coming days and weeks. When and if you go to change your eBay password, make sure you navigate directly to the eBay website rather than following email or social media links.
The reason you don’t want to follow links from email or social sites is that the sensitive information stored on the server could give attackers enough information for them to perform phishing attacks. Attackers often use this sort of information to craft phishing emails that claim to come from eBay (or other legitimate online services). These emails generally present users with links leading to legitimate looking malicious sites. The purpose of those sites is to trick users into handing over login credentials.
As always, if you’ve been sharing passwords, you will need to change your passwords to any online accounts on which you may have used the same password that you used to lock your eBay account.
Interestingly enough, this incident follows news from earlier in the week that retailers have decided to forge threat-data sharing partnerships in the wake of the Target data breach. In other words, they’re going to talk to each other about the kinds of attacks they face so that – collectively – retailers can better protect themselves. Later in the week, a study came out suggesting that companies are getting better at containing data breaches. It will be interesting to see if the scope of the eBay breach, which was enabled by some compromised employee credentials, ends up validating or contradicting that point.
The good news about the Internet Explorer zero-day is that the flaw only affects IE 8, an old version of the browser. The bad news is that Microsoft is not sure when an update that mitigates this issue will be available. However, the computer giant has acknowledged the serious vulnerability and is working on a fix for it.
Without getting too technical, but probably still getting more technical than is necessary, the Internet Explorer 8 zero-day could enable an attacker to run malicious code on vulnerable machines using an attack called a ‘drive-by download’ or by planting malicious attachments in email messages. A drive-by download is essentially an attack in which the attacker embeds malware on a website. When a user happens upon that website using a vulnerable browser, that user’s machine becomes infected with malware.
What can normal computer users do about this other than update to Internet Explorer’s more recent version 10? Not a whole lot; three things, really: Be careful where you browse, be careful with email attachments, and make sure you install the next Microsoft security patches as soon as they come along (if you get your updates automatically then you don’t need to worry about this last bit). In fact, this advice should just be followed by everyone.
Not to let gloom and doom rule the weekly recap, Samsung announced this week that it plans to incorporate biometric sensors such as eye scanners into more of its products in the future. The company claims these features would even be available on their less expensive offerings.
The move would bolster security on Samsung devices and reportedly could wind up tying into the company’s security-conscious Knox system at some point.
It will be interesting to see whether iris scanning is more or less resilient to potential attack than fingerprint authentication.
As I write, reports are emerging that the Android Outlook application contains an encryption issue that could expose user emails and the attachments therein. Read more here, and we’ll surely discuss this issue in the monthly news podcast.
Patches Per Usual
As always, we have some patches you should look out for. This week it’s Google, which fixed 23 security vulnerabilities in Chrome, including three high-risk flaws. So, if you use Chrome and don’t let the browser install updates automatically then you should go ahead and install these updates as soon as possible.