More security woes keep eBay on edge
Independent security pros are finding all kinds of flaws in eBay's networks
IDG News Service - EBay's security team isn't going to get a break for a while.
Following an attack disclosed last week that exposed sensitive information of up to 145 million people, the auction giant is scrambling to repair several other problems reported in its vast network by security enthusiasts.
"As a company, we take all vulnerabilities reported to us very seriously, evaluating any reported issue within the context of our entire security infrastructure," wrote Ryan Moore, lead manager of eBay's business communications, in an email to IDG News Service.
EBay has long been a target for cybercriminals. It is the seventh most visited site in the U.S., according to statistics from Amazon's Alexa Web analytics unit. Its combination of a marketplace and payments platform, PayPal, means it holds sensitive data and presents an opportunity for fraudsters.
Three U.S. states -- Connecticut, Florida and Illinois -- are jointly investigating eBay's data breach, a sign that regulators and law enforcement are taking a keen interest in how consumer data is protected following Target's data breach last year.
EBay's size puts it in the league of companies such as Facebook, Google and Microsoft. All run large networks constantly prodded by "black hat" hackers, those who are seeking to damage a company or profit from attacks, and "white hats," who alert companies to problems.
Yasser Ali, a 27-year-old who lives in Luxor, Egypt, said it took him all of three minutes last week to find a serious vulnerability that could let him take over anyone's eBay account if he knows a person's user name, which is public information.
Ali shared a video with eBay showing how the flaw could be exploited, he said in a phone interview Tuesday night. He hasn't received a response from eBay, but said the video was viewed by company officials 17 times, according to a statistics counter on the clip. Moore said eBay has now fixed the bug, and Ali plans to release details of it.
Ali, who quit his job as a mechanical engineer last month to focus on information security, has found other bugs before in eBay and is named in a list of security gurus who have helped out. But he said he has little incentive to continue analyzing eBay since the company doesn't pay for vulnerability information.
"They are not like Google's security team, and they are not like Facebook," Ali said, noting those companies have close ties with the research community. "This will kill their reputation."
Google, Facebook, Yahoo and others pay independent researchers rewards up to thousands of dollars for security information. The payments are an incentive for security enthusiasts, who spend long hours on their own time to look for flaws.