Monthly Archives: May 2014

Ebay Password Breach

Ebay announced today that they had usernames, encrypted passwords, phone numbers, email addresses, physical addresses and dates of birth stolen during a recent breach.  The key here is encrypted passwords, which hopefully means strong security.  That is just an assumption though.  It is not uncommon by any stretch to see a large company suffering from a breach that includes user credentials.  We often overlook the idea that credentials are actually very valuable.  We spend so much time focusing on social security numbers, credit card numbers, and HIPAA data that we forget about the basics: the keys that protect the rest of that data.

Ebay believes that no other data (financial, etc.) was accessed during the breach.  This is the good news.  The bad news is we now need to change our passwords again.  Look on the bright side: if we used fingerprints for access we could only change our password a few thousand times before we had to start using toes.  There are a lot of different passwords we can come up with.  I know it is obvious, but if you haven’t stopped reading this post to go change your Ebay password, stop for a moment and go do that.

Managing our passwords can be difficult, and we may often feel helpless as end users because not only do we have no control over how a company or service stores our passwords, we don’t have any insight into how they do it.  People have previously suggested that sites advertise how they protect stored passwords.  It is an interesting idea.  The question is: does it make you more or less of a target?  There are a lot of factors that go into that determination.

If you advertise that you use bcrypt with 10,000 iterations, is that good or bad?  Will the bad guys just turn around and look for an easier score, or will they accept the challenge?  Now advertise that you are just storing passwords using MD5 with no salt.  The difference between the two is like seeing a wireless network with and without a password.  Of course, the other problem is whether the description provided would mean anything to the average user.  My mom, even my wife, wouldn’t have any idea what MD5 or bcrypt meant or which one may be more secure.  It is server side, so do users care?  I am not really sure.  I don’t think advertising the details would really help the problem, maybe just satisfy those techies that want to debate whether the company was following best practices.
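To make the MD5-versus-bcrypt contrast concrete, here is an added example (not code from the original post) that stores a password both ways and shows the property a defender cares about: with unsalted MD5, every user who picks the same password ends up with the identical stored value, so one lookup table cracks all of them, while a salted, iterated hash gives each user a distinct value and is deliberately slow to compute.  bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it here (an assumption of this example, not the post's recommendation); the 10,000 iterations mirror the figure used above.

```python
import hashlib
import hmac
import os

# The weak scheme the post warns about: one fast, unsalted hash.  Two users
# with the same password store exactly the same 32-hex-character value.
def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Salted, iterated hashing.  PBKDF2-HMAC-SHA256 is used as a stand-in for
# bcrypt (assumption: bcrypt is not available without a third-party package).
ITERATIONS = 10_000

def store_password(password: str, salt=None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Recording the algorithm and parameters lets you raise the cost later
    # without guessing how an old entry was produced.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown or legacy scheme: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def same_hash_for_same_password(scheme, password: str, users: int = 3) -> bool:
    """True if `scheme` gives every user who picks `password` an identical stored value."""
    values = {scheme(password) for _ in range(users)}
    return len(values) == 1

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted MD5 identical across users:", same_hash_for_same_password(md5_unsalted, pw))
    print("salted PBKDF2 identical across users:", same_hash_for_same_password(store_password, pw))
    record = store_password(pw)
    print("stored record:", record)
    print("verify correct password:", verify_password(pw, record))
    print("verify wrong password:  ", verify_password("password", record))
```

The per-user salt is what defeats precomputed tables, and the iteration count is what makes each guess expensive; a site that advertises "MD5, no salt" is telling you it has neither property.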

Spread the word when you see that a site has been breached.  Let your friends and co-workers know so they too can take the appropriate steps to protect themselves.  We can’t fix a company’s vulnerabilities, but we can all respond accordingly to calm the wave of destruction.

Windows XP: End of Life

On April 8, 2014 Microsoft ended support for Windows XP after a great 12 year run.  When you really think about it, 12 years is a really long time in the technology world for an operating system to survive.  Other operating systems get updated every few years, which makes sense given the ever-changing capabilities of the underlying technology.  Windows has a history of alternating between great versions and what some would call flops.  When you find something that works for you, you tend to stick with it.  I still have computers with Windows XP loaded on them because they just work.  However, there are some precautions I must take to try and protect myself.  Fortunately, the machine is really just a test machine and not my main computer.

You might be wondering what it means to say that it is end of life.  Basically, it means that Microsoft will no longer supply updates or patches for the operating system.  Of course, they did break this rule shortly after the end of life by supplying a patch for Internet Explorer for Windows XP.  This is out of the ordinary and has created a divided crowd as to whether they should have done that or not.  On one side, they are helping protect people that are still running the out of date operating system.  On the other side, they are supporting people to continue to run this out of date operating system. 

So should you upgrade your computer if you are running Windows XP?  The simple answer is to recommend updating to a newer operating system.  Even though the system still works and is stable, there are many concerns around continuing to use it.  First, of course, there is the issue of no more security updates.  That poses a significant risk because attackers will start looking at the patches that come out for the newer operating systems to identify which ones fix flaws in components shared with Windows XP.  They can then use those flaws against Windows XP users because they know the system won’t be patched.

The second issue is just finding supported applications.  For example, Internet Explorer 9 and above are not supported on Windows XP.  Not only do these newer browsers have better security features, they also support new browsing features.  We will start to see web applications that only support the newer browsers.  Of course, at this time you can install Firefox or Chrome onto your system and that would still work.  At some point, those may stop being supported on Windows XP as well.

Keep in mind that many attacks on end users are performed through the web browser: an attacker gets you to open a malicious URL that takes advantage of a flaw in the browser, Java, Flash, or some other plugin.  One option a die-hard Windows XP fan can take is to stop using Internet Explorer and use an alternative browser, but that is not a full solution.  There are many sites talking about how you can extend the life of Windows XP; just do a simple Google search.

From a user perspective, I understand the difficulty of upgrading the Windows operating system.  It has never been a painless process and can be very time consuming and difficult.  Even worse, what hardware is your computer running, and does it support Windows 7 or Windows 8.1?  You have to determine what options you have before you decide which course of action to take.  Maybe you can just upgrade the OS.  Maybe you need to get a new system and migrate your files over to it.  It is important to take the time and work with someone knowledgeable to make the upgrade seamless.

For companies, we need to look at what our upgrade plans are.  Microsoft was very open about when the operating system was going to reach end of life.  Companies had plenty of warning.  There are always reasons why the upgrade hasn’t happened: legacy applications, cost, etc.  Set up test systems to ensure that all the applications needed to do business work as expected.  You don’t want to just upgrade and then find out business has stopped because that critical application doesn’t work.  You also don’t want a gaping hole sitting on your network.

While it is not the end of the world, Windows XP’s end of life is significant.  It was/is a great operating system with a lot of support, and with the UI changes that were made in Windows 8, it is no wonder people are hesitant to upgrade.  Look at your alternatives, be aware of the life cycles, and find out what the next operating system will be.  We don’t want to be early adopters, but we also don’t want to be living on outdated technology.