Quotw
This was the week when eBay admitted it had suffered a ginormous breach exposing millions of users’ emails and passwords to hackers, along with personal information like names, dates of birth, phone numbers and physical addresses.
Although passwords were apparently encrypted, the online tat bazaar told everyone to change their login details anyway - just as a precaution.
eBay said that attackers breached its databases earlier this year after obtaining some employees’ login credentials and using them to get into the corporate network.
However, it said it couldn’t find any evidence of any mischief caused by the breach:
After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorised access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.
The marketplace hasn’t actually explained just how its passwords were encrypted or how the hackers got in, which isn’t making folks very happy. Rik Ferguson, veep of security research at Trend Micro, expressed a number of concerns on Twitter:
Why can I still log into @eBay without getting a notification that I should change my password? Srsly?
— Rik Ferguson (@rik_ferguson) May 21, 2014
The criticism continued when software developer and blogger Troy Hunt discovered that he couldn’t paste a long random string into the password field. He said:
I find that I cannot copy out a strong, random password from my favourite password manager but must instead manually type in a subset of the characters (my usual length is infeasible to manually enter – twice).
Even when he tried a 20-character random password containing at least four lowercase letters, four uppercase letters, four digits and four symbols, eBay's password strength tool rated it only "medium strength" - while other, less secure options were given the okay.
Examples of “good, secure passwords” included $uperman1963 and phrases like bestjetpilot, but when he tried to use bestjetpilot he was told it was invalid. He said:
Aha! So naturally I immediately go to change my password to “bestjetpilot”. Well how about that – invalid. But I followed the instructions!
Interestingly, that’s the guidance on the .com.au domain’s password page, but it doesn’t appear on the .com or .co.uk pages.
Of course, the password may be rejected precisely because it appears in the advice, or simply because it isn’t a very good password, but his point is that users will struggle to work out from eBay’s advice just what counts as a good password:
The point is that eBay has some work to do with how it communicates and implements passwords.
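As an added illustration of the mismatch Hunt describes (this is example code, not eBay's checker or anything from the article), the Python below contrasts a composition rule of the kind that rejects bestjetpilot with a brute-force entropy estimate and a leet-speak dictionary check, run over the article's own passwords; the rule, thresholds, wordlist and the 20-character random sample are constructed assumptions.

```python
import math
import string

# Constructed assumptions for this example: a tiny wordlist and a few common
# leet substitutions. A real checker would use a large breached-password list.
WORDLIST = {"superman", "password", "letmein", "qwerty"}
LEET = str.maketrans({"$": "s", "@": "a", "1": "i", "3": "e", "0": "o"})
CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits, "symbol": string.punctuation}


def classes_present(password):
    """Return the names of the character classes used in the password."""
    return {name for name, chars in CLASSES.items()
            if any(ch in chars for ch in password)}


def composition_rule(password):
    """Assumed rule of the kind the article describes (not eBay's actual one):
    at least 8 characters drawn from at least two classes.
    'bestjetpilot' fails it because it is all lower case."""
    return len(password) >= 8 and len(classes_present(password)) >= 2


def entropy_bits(password):
    """Brute-force upper bound: length * log2(alphabet size).
    On its own this over-rates word-based passwords such as '$uperman1963'."""
    alphabet = sum(len(CLASSES[c]) for c in classes_present(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def dictionary_variant(password):
    """True when the password is a listed word once trailing digits are
    stripped and leet substitutions undone ('$uperman1963' -> 'superman')."""
    core = password.lower().rstrip(string.digits).translate(LEET)
    return core in WORDLIST


def assess(password):
    """Combine the checks into a (rating, reason) pair."""
    if dictionary_variant(password):
        return "weak", "common word with substitutions"
    bits = entropy_bits(password)
    label = "weak" if bits < 40 else "medium" if bits < 80 else "strong"
    return label, f"{bits:.0f} bits"


if __name__ == "__main__":
    # 20 random characters covering all four classes (constructed sample).
    for pw in ["aB3$eF7!gH9@kL1#mN5%", "$uperman1963", "bestjetpilot"]:
        print(pw, composition_rule(pw), assess(pw))
```

The composition rule passes $uperman1963 and fails bestjetpilot, while the entropy and dictionary checks rate the 20-character random password strong and $uperman1963 weak, which is the opposite of the ordering Hunt saw.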
In other security news, Kaspersky Lab has discovered that its name has been taken in vain and slapped on a set of malicious mobile apps. Unknown malware writers have been making apps that pretend to be Kaspersky products but are actually malware, or simply do nothing once they’ve been bought. Kaspersky Lab senior malware analyst Roman Unuchek said:
Scammers who want to make a quick buck from inattentive users are selling dozens of fake apps, copying the design, but not the functionality of the original. It is quite possible that more and more of these fake apps will start appearing.
Meanwhile, Cisco chief exec John Chambers has reportedly scolded the President of the United States of America by letter over the NSA’s alleged tampering with its kit. Chambers chided Barack Obama over the allegations that the security agency had been fiddling with Cisco gear that was due for export so it could spy on folks abroad.
The Financial Times, which saw the letter, reported Chambers as writing:
We simply cannot operate this way, our customers trust us to be able to deliver to their doorsteps products that meet the highest standards of integrity and security…
If these allegations are true, these actions will undermine confidence in our industry and in the ability of technology companies to deliver products globally
He also said that people needed to be able to have confidence in an open, global internet:
Absent a new approach where the industry plays a role, but in which you, Mr President, can lead, we are concerned that our country’s global technological leadership will be impaired. Moreover, the result could be a fragmented internet, where the promise of the next internet is never fully realised.
In China, the government continues to be peeved with Microsoft over its decision to stop supporting XP, and has told its IT procurement agency to avoid Windows 8 at all costs. Vendors bidding for a contract to supply the state with new energy-saving PCs, laptops, tablets and other gear were told that none of the products were allowed to have the newer version of Microsoft’s OS installed.
This morning, the China Central Government Procurement Center posted a notification titled 'Bidding Process for Government Purchasing Energy-efficient IT Products.' The notification indicates that the Windows 8 operating system is excluded in the bidding.
We were surprised to learn about the reference to Windows 8 in this notice. Microsoft has been working proactively with the Central Government Procurement Center and other government agencies through the evaluation process to ensure that our products and services meet all government procurement requirements.
We have been and will continue to provide Windows 7 to government customers. At the same time, we are working on the Windows 8 evaluation with relevant government agencies.
And finally, a drug-pushing game called Weed Firm has shot to the top of the rankings in Apple’s App Store after the fruity firm waived its usual censorship rules. Not to worry though: even though the whole point of the game is to build up contacts in the underworld and grow a cannabis empire, the designers are not into a wee toke at all:
The creators of this game do not encourage the cultivation or use of cannabis. The plot of this game is solely a work of fiction and should be viewed only as such.
Perhaps that’s why the game’s reviewers seem to find it a tad lacking:
I found the whole idea of having an alien in the game very exciting until I actually unlocked it and it demanded all of my weed. Customers are extremely repetitive and it would be great if it had more. Instead of only growing/selling weed you could include more drugs such as cocaine and heroin. Also found the area very small and repetitive, with nothing to spend my money on most of the time. The lap dance is a great idea but actually it's really boring.