eBay got hacked. You’re next.

eBay has become the most recent public target in a string of attacks that are growing more common by the week.  It’s been reported that hackers obtained “a small number” of eBay employee credentials, which they then used to get access to millions of eBay customer accounts. This means that millions of users are now at risk of subsequent social engineering attacks.  Be ready for the scams to begin.

But we can thwart attacks with a little common sense, and a lot of vigilance.  Here are my thoughts on what consumers, and enterprise IT, can do in the wake of this most recent compromise.

Consumers – What can we do?

First off, eBay is an Internet superpower, and as such they have been around the block a few times. eBay says that passwords were salted and hashed (which sounds delicious, but simply means that what they stored is a one-way scramble of each password, mixed with a random per-user value, so an attacker can't reverse it and can't crack every account at once with a single precomputed table), but other account data, like phone number and address, were not as well protected.

Top tips for consumers to protect against social engineering:

  • Change your eBay password as soon as you can.  eBay said the passwords were protected, but also recommended changing them… better safe than sorry.
  • Never re-use passwords.   We can't be sure that every service hashes passwords as carefully as eBay, and even a salted hash only slows an attacker down; it doesn't stop them guessing a weak password.  If you use the same password everywhere, and hackers compromise a single service, they can then get into all your other accounts easily.  Bad times.
  • Be vigilant.  Hackers now have your phone number and contact info.  They can call or email you posing as eBay, and seem legit.  Don't give personally identifiable information, passwords, or verification codes to anyone who contacts you by phone or email, or on any site that you didn't explicitly navigate to yourself.
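To make the "salted and hashed" point and the "never re-use passwords" point concrete, here is an added Python example (my own illustration, not eBay's code or anything from the breach reports). It stores a password with PBKDF2-HMAC-SHA256 and a random per-account salt, verifies a login in constant time, and then plays attacker against both an unsalted SHA-256 table and the salted one. The iteration count, the candidate guess list and the "two sites, same password" scenario are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# PBKDF2-HMAC-SHA256 with a random 16-byte salt per account. The iteration
# count is an assumption chosen for illustration; tune it to the hardware
# that verifies logins (higher is slower for you and for the attacker alike).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def unsalted_hash(password: str) -> bytes:
    """The weak scheme: one fast, unsalted hash. Here only to contrast with the above."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed guess list standing in for an attacker's dictionary.
CANDIDATES: List[str] = ["123456", "password", "letmein", "correct horse battery staple"]


def crack_unsalted(leaked: bytes) -> Optional[str]:
    """Unsalted: build the table once, then it is one lookup per leaked hash,
    for every user and for every site that used the same scheme."""
    table: Dict[bytes, str] = {unsalted_hash(c): c for c in CANDIDATES}
    return table.get(leaked)


def crack_salted(salt: bytes, leaked: bytes) -> Tuple[Optional[str], int]:
    """Salted: no shared table is possible; the KDF runs once per guess per account.
    Returns (recovered password or None, number of KDF calls spent)."""
    calls = 0
    for guess in CANDIDATES:
        calls += 1
        if verify_password(guess, salt, leaked):
            return guess, calls
    return None, calls


def demo() -> dict:
    """Two accounts on two different sites whose owner chose the same password."""
    password = "correct horse battery staple"
    salt_a, digest_a = hash_password(password)
    salt_b, digest_b = hash_password(password)
    return {
        # Same password, different salts: the stored digests differ, so a leak
        # of site A's table reveals nothing about site B's.
        "salted_digests_differ": digest_a != digest_b,
        "login_ok": verify_password(password, salt_a, digest_a),
        "login_wrong_pw": verify_password("hunter2", salt_a, digest_a),
        # Unsalted digests are identical everywhere: crack once, reuse everywhere.
        "unsalted_cracked": crack_unsalted(unsalted_hash(password)),
        # Salted: the attacker pays the full KDF cost per guess, per account.
        "salted_cracked": crack_salted(salt_a, digest_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Notice that the salted scheme still falls to the guess list in the end, it just costs the attacker one full KDF run per guess per account instead of a lookup. That is exactly why salting protects a good password but not a weak or re-used one.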

Enterprise IT – Are you next?

As a former IT guy, I used to spend millions every year on securing our perimeter against attack. Traditional firewalls, next-gen firewalls, L7 application scanning, proxy servers, load balancers to mitigate DDoS – they are all critical to protecting against unauthorized entry, and they have billion dollar markets behind them to back that up.

But the old perimeter is being extended across cloud and mobile – it isn’t your datacenter or office anymore.  It’s everywhere your users have access.  Identity is the new perimeter, and it requires new tools to protect. Also, human beings have proven that we are pretty terrible at protecting our identity – and that’s what attackers are counting on.

See, trying to force your way through even moderately strong perimeter security architecture is something that has become way too hard.  We’ve all seen the prime-time dramas and Hollywood movies that show a couple of teenagers in a basement “hacking” through firewalls with nothing but energy drinks and a green scrolling command line, but in the real world, the easiest way to get into a corporation is not to fight the defenses, it’s to avoid them entirely.

Perimeter defenses are meant to block unauthorized access.  But what about authorized access?  Authorized users are meant to get in.  Hackers know this too. They also know it’s pretty easy to trick humans out of their usernames and passwords, or steal passwords off of unprotected devices – avoiding perimeter security by becoming an authorized user.

It’s happening every day, and it isn’t powered by teens with energy drinks and command line hacks.  It’s powered by social engineering, and bad password hygiene.  It’s powered by unsecured mobile devices, phishing emails, and legitimate-sounding phone calls.

If your employees use the same passwords for their cloud apps as they do for your domain, you might have a real problem.  And, speaking from experience as both an IT guy and a human, I can unequivocally state that your users do indeed use the same password across lots of apps. (…And they write it on a yellow sticky and put it in the top drawer of their desk.  With the pens and loose change.  Sad.)  We need to help protect them against themselves.

Top tips to keep your data safe:

  • By all means keep your traditional defenses up.  Come on.  I know that identity is the new perimeter, but don’t go ignoring the old one.
  • Secure mobile devices that have access to your stuff.  Make sure there’s a passcode at minimum, so someone who picks up a lost phone can’t see what apps you use, and then log in to corporate email and perform a password reset to get into all those apps.
  • Consider an SSO solution. Sound counter intuitive?  It’s not.  With federated single sign-on, users authenticate once and get into each app with a click, so every app can sit behind its own unique credential that nobody has to remember or type, and a password stolen from one service is no longer the key to the entire kingdom.  The flip side is that the SSO login itself is now the kingdom, so put multi-factor authentication in front of it.
  • Enforce least privilege.  If someone does compromise a user’s account, make sure they can’t get everywhere, and that you are notified when they try.
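Here is what the last tip looks like in code: an added Python example of my own (not from any vendor product mentioned here) that applies a deny-by-default role policy to access-log lines and alerts when one account racks up several denials in a short window, which is what a stolen account probing for what it can reach looks like. The role policy, the key=value log format, the user names and the threshold are all hypothetical and constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Hypothetical role policy: each role gets only the (action, resource prefix)
# pairs its job needs. Anything not listed is denied.
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "sales":    {("read", "crm/"), ("write", "crm/")},
    "finance":  {("read", "ledger/"), ("write", "ledger/")},
    "helpdesk": {("read", "directory/"), ("reset_password", "directory/")},
}


def is_allowed(role: str, action: str, resource: str) -> bool:
    """Deny by default; allow only an explicitly granted action on a granted prefix."""
    return any(action == a and resource.startswith(prefix)
               for a, prefix in POLICY.get(role, set()))


# Constructed access-log lines in a made-up but typical key=value layout.
SAMPLE_LOG = """\
2014-05-21T10:02:11Z user=jsmith role=sales action=read resource=crm/accounts
2014-05-21T10:02:40Z user=jsmith role=sales action=write resource=crm/accounts/42
2014-05-21T10:03:05Z user=jsmith role=sales action=read resource=ledger/payroll
2014-05-21T10:03:09Z user=jsmith role=sales action=read resource=directory/users
2014-05-21T10:03:15Z user=jsmith role=sales action=read resource=hr/ssn
2014-05-21T10:15:00Z user=amolina role=finance action=read resource=ledger/payroll
2014-05-21T10:16:00Z user=amolina role=finance action=read resource=crm/accounts
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+)$"
)


def evaluate(log_text: str) -> List[Tuple[datetime, str, str, bool]]:
    """Apply the policy to each line; returns (timestamp, user, resource, allowed)."""
    decisions: List[Tuple[datetime, str, str, bool]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skipped here; in production, count and alert on these too
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        allowed = is_allowed(m["role"], m["action"], m["resource"])
        decisions.append((ts, m["user"], m["resource"], allowed))
    return decisions


def find_alerts(decisions: List[Tuple[datetime, str, str, bool]],
                threshold: int = 3,
                window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, datetime, List[str]]]:
    """Raise one alert when a user collects `threshold` denials inside `window`.
    A burst of denials across unrelated resources is the signature of a stolen
    account being used to find out what it can reach."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Tuple[str, datetime, List[str]]] = []
    for ts, user, resource, allowed in decisions:
        if allowed:
            continue
        q = recent[user]
        q.append((ts, resource))
        while q and ts - q[0][0] > window:   # drop denials that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts, [r for _, r in q]))
            q.clear()  # one probing burst yields one alert, not one per extra denial
    return alerts


if __name__ == "__main__":
    for user, when, resources in find_alerts(evaluate(SAMPLE_LOG)):
        print(f"ALERT {when:%H:%M:%S} {user} denied on {', '.join(resources)}")
```

In the sample, jsmith does two legitimate CRM operations and then hits payroll, the directory and HR data within ten seconds; those three denials trip the alert. amolina's single stray denial does not, which is the point of a threshold: honest users fat-finger a URL now and then, a hijacked account goes exploring.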

Unfortunately, we can’t eliminate the risk that the human element brings to our sensitive data.  But we can learn from these public attacks, and try to implement solutions that protect the new identity-based perimeter.