eBay Hacked – Would you believe John Donahoe offered credit protection?

EventHorizon1984
22 May 2014

“You eat danger for breakfast” 
“Would you believe lunch?”  Zach Smart
“Don’t do that.”  Chief Maxwell Smart
Get Smart (1995)

eBay INC made an interesting press release on 21 May 2014. eBay INC stated:

“SAN JOSE, Calif.–(BUSINESS WIRE)– eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.

Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.

The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.

Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.”

A matter-of-fact, ‘don’t panic’, ‘nothing to see here’ statement.  Then came the scrutiny.


“No more secrets, Marty.”
Cosmo, Sneakers (1992)

The press release did not mention the extent of the “compromised” database.  Although on 21 May 2014 eBay INC clarified:

“For the time being, we cannot comment on the specific number of accounts impacted. However, we believe there may be a large number of accounts involved and we are asking all eBay users to change their passwords,” eBay spokeswoman Kari Ramirez said.

And on 22 May 2014 eBay INC provided more clarification:

EBay hack, 2nd largest in U.S. history, leaves questions unanswered
Chicago Tribune, Reuters, 22 May 2014

EBay Inc’s description of how hackers got access to its entire database of 145 million user records leaves many questions unanswered as to how cyber criminals orchestrated what appears to be the second-biggest data breach in U.S. history.

“They’ve been pretty tightlipped. They’ve barely provided any information. They should be more forthcoming about what happened,” said David Kennedy, chief executive of TrustedSEC LLC, an expert in investigating data breaches.

In particular, Kennedy wants to know why it took eBay three months to detect the intrusion.

“Missed it by that much”
Maxwell Smart (Don Adams), Get Smart

Computer security experts say the biggest breach was uncovered at software maker Adobe Systems Inc in October 2013, when hackers accessed about 152 million user accounts.

“The day ain’t over yet…”
Curly, City Slickers (1991)

In eBay INC’s press release they promised, “Beginning later today, eBay users will be notified via email.”  Has any reader received any email warning of the database breach? Apparently that email has yet to be sent.

Some customers complained on eBay Community forums that they had not received much information about the breach from eBay and have yet to get notifications by email, which the company has promised to do.

And what did the “145 million users” affected by the database incursion immediately see?

U.S. states probe eBay cyber attack as customers complain
Reuters, 22 May 2014

As of Thursday afternoon, eBay did not have information on the attack visible on its market home page, www.ebay.com.

“That’s really poor incident response,” said David Kennedy, a cyber forensics expert who is CEO of TrustedSEC LLC. “EBay should be held to a higher standard.”

The eBay Hack: They Haven’t Only Hacked Your Security, They’ve Hacked Your Brand
Patrick Hanion, Forbes, 22 May 2014

“The eBay Hack” brings to mind the recent Target INC hack.

Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It
Michael Riley, Ben Elgin, Dune Lawrence, Carol Matlack, Businessweek, 13 March 2014

The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target’s (TGT) security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores.

“On Saturday, Nov. 30, the hackers had set their traps”

Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.

“More than 90 lawsuits have been filed against Target by customers and banks for negligence and compensatory damages. That’s on top of other costs, which analysts estimate could run into the billions.”

The time between hack and notification?

Federal investigators warned Target of a massive data breach on Dec. 12.

Note this is not Target INC notifying its customers. It’s the U.S. Government notifying Target INC.

Notification to consumers was much, much later.

14 January 2014

Dear Target Guest,

As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.

I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
  • Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
  • Delete texts immediately from numbers or names you don’t recognize.
  • Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.

Target’s email communication regarding this incident will never ask you to provide personal or sensitive information. Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.

Gregg Steinhafel
Chairman, President and CEO

Compare and contrast the actions and timeline of Target INC and CEO Gregg Steinhafel to eBay INC and CEO John Donahoe.

Time from breach to customer notification.

  • Target Inc, customer emails, 1 month +
  • eBay Inc, Press Release, 2-3 months

Message from CEO to customers.

  • Target Inc, 1 month +
  • eBay Inc, none

Credit protection.

  • Target Inc, “Target is offering one year of free credit monitoring”
  • eBay Inc, none

While eBay INC has stated, “no evidence of unauthorized access or compromises to personal or financial information”, one may or may not want to take that with a grain of salt.

Someone posted a batch of emails, scrambled passwords, phone numbers and addresses of more than 12,000 people on the Internet, saying it was a sample of data stolen from eBay and offering to sell the full batch for 1.453 bitcoin, or a little more than $750.

EBay’s Miller said the information was not authentic.

Reuters spoke to six people whose phone numbers were included in that batch. While only four said they had eBay accounts, all of them said the data was correct.

If eBay INC can’t identify its own users, what assurance is there that eBay INC can identify the condition of its own data?

The fate of Target INC CEO Gregg Steinhafel?

Target’s CEO Steps Down Following The Massive Data Breach And Canadian Debacle
Forbes, 8 May 2014

“Target CEO, President and Chairman Gregg Steinhafel resigned from all his positions after extensive discussions with the board.”

I’ve never seen worse corporate governance than eBay
Carl Icahn, 5 March 2014

The fate of eBay INC CEO John Donahoe remains to be seen.

/*

“And because of current synergies, a lot of data is traded between eBay and PayPal.” JP Mangalindan, Fortune

Why would you divide up the data?! Everyone is paying millions to get to the data. Why would you divide up the data?
John Donahoe, 10 March 2014

/*

Technorati Profile
EventHorizon1984 Log

cookie
//

Musing Bytes 4 – Science Fiction

EventHorizon1984
16 March 2014

“Is this Doctor the sort who needs flattery?  Or can I leave him to it?”  Jyoti Cutler
“I just let him talk.”  Flip Jackson
“I am still here you know.”  The Doctor
“You are so brilliant.  I don’t know what I’d have done without you.”  Jyoti Cutler
“Hmmm”  The Doctor
Doctor Who, “Scavenger”
Big Finish, 14 March 2014

On 14 March 2014 Big Finish released the Doctor Who audio adventure “Scavenger” featuring The 6th Doctor, Colin Baker.  The synopsis reads:

Thursday 28 May 2071: the day the Anglo-Indian Salvage 2 rocket launches. Its mission: to clean up space; to remove from Earth’s orbit over a century’s worth of man-made junk…

From the viewing window of a nearby space station, the Doctor and Flip have a unique view of Salvage 2 as it sets about its essential task – and of the disaster that unfolds when Salvage 2 encounters something it’s not been programmed to deal with. Something not of human manufacture…

Back on Earth, the Doctor fights to save Flip from becoming part of a 500-year tragedy being played out in orbit, hundreds of miles above. And millions will die if he fails.

Scavenger cover, © 2014 Big Finish Productions

Big Finish is known for “producing high-quality audio drama” “based on popular TV series such as Doctor Who” and others.

Now that is the public relations view.  (Ed.) In my opinion, that view is rather understated.

If you’re a Doctor Who fan, “Scavenger” is an excellent ‘listen’.  As are other Big Finish products.

If you’re another type of fan, there is a nice Easter egg included in the audio drama.  Salvage 2???

“I’ve been wondering.  What happened to Salvage 1?”  The Doctor
“Some Moon project from a hundred years ago.  Nothing to do with us.”  Jyoti Cutler

Well.

“Jettison Control this is Salvage 1.  The Vulture has landed!”
Melanie “Mel” Slozar from the Lunar surface, Salvage (January 1979)

A very nice tribute to the 35th anniversary of the TV movie Salvage and the TV series that followed.

Thank you Big Finish.

Jettison Salvage 1 and Jettison Salvage 2 images, © 2014 Sony
“… Jettison Salvage …”
Harry Broderick (Andy Griffith), Salvage (1979)

/*

“So are you seriously telling me.  All those blokes.  Old man white hair, Beetle’s haircut, frilly shirt, long scarf big eyes, cricket boy, Joseph and his Amazing Technicolor Dreamcoat, and Lord Byron.  Are all of them?  They were you?”
“Ah, yes.”  The Doctor
“Wicked.”  Ace
Doctor Who, The Light At The End  
Big Finish, October 2013

And speaking of Big Finish.

The Doctor Who 50th Anniversary show, “The Day Of The Doctor”, was not the only official multi-Doctor show.  In October 2013 Big Finish released their 50th Anniversary audio adventure “The Light At The End”, featuring the voice talents of Doctor Who original (20th Century) cast members:

Tom Baker  (The Fourth Doctor)
Peter Davison  (The Fifth Doctor)
Colin Baker  (The Sixth Doctor)
Sylvester McCoy  (The Seventh Doctor)
Paul McGann  (The Eighth Doctor)
Louise Jameson  (Leela)
Sarah Sutton  (Nyssa)
Nicola Bryant  (Perpugilliam “Peri” Brown)
Sophie Aldred  (Dorothy Gale “Ace” McShane)
Carole Ann Ford  (Susan Foreman)
Maureen O’Brien  (Vicki)
Peter Purves  (Steven Taylor)
Jean Marsh  (Sara Kingdom)
Anneke Wills  (Polly Wright)
Frazer Hines  (Jamie McCrimmon)
Wendy Padbury  (Zoe Heriot)
Katy Manning  (Jo Grant)
Janet Fielding  (Tegan Jovanka)
Mark Strickson  (Vislor Turlough)
Geoffrey Beevers  (The Master)

And many more.

Buy it.

Two Doctors observing The Sixth Doctor.
“Do I really end up with such a terrible sense of fashion?”  The Doctor  (Tom Baker)
“Says the man in the impractical scarf.  It’s all a question of taste I suppose.”  The Doctor  (Paul McGann)
“Well I suppose that would explain your Wild Bill Hickok costume?”
“Most people think it has something to do with Byron.”
Doctor Who: The Light At The End (2013)

/*

“… Code name Lovely Angel?!  Dirty Pair!”
The soon-to-be ex-object of Yuri’s affection.

“LOVELY ANGELS!”
Yuri and Kei, The Dirty Pair  (1979- )

Meanwhile in Japan, SF Magajin published a story by Haruka Takachiho.  It was titled “Daatipea no Daibouken”, known in English as “The Dirty Pair’s Great Adventures”, featuring the Dirty Pair Lovely Angels, Trouble Consultants Yuri and Kei of the World Welfare Work Association (3WA).

From then to now, the 1979 serialized book would spawn anime, manga, and comics of their adventures.

Dirty Pair montage: The Dirty Pair (top left, clockwise)

Happy Birthday Dirty Pair Lovely Angels.
“What happened?  Or should I ask, what disaster have you initiated?”
3WA Department Chief Soranaka to Kei and Yuri … after devastating the WWWA home city.
The Dirty Pair Strike Again (2008)

/*

It’s no secret that Japanese science fiction was greatly influenced by the Western sci-fi authors of the ’50s. That became the foundation of Japanese sci-fi. All science-fiction writers were influenced by the “Big Three”: Arthur C. Clarke, Isaac Asimov, and Robert A. Heinlein. That started with my generation. You won’t find an author who wasn’t touched by Clarke, Asimov, and Heinlein.
Haruka Takachiho

/*


Sony EverQuest Next Landmark Hacks, The No Hacker Help Version

EventHorizon1984
1 March 2014

The fledgling EverQuest Next Landmark MMORPG began its paid Alpha access on 31 January 2014.  Initially buggy and wipe-prone, the Alpha version has mostly stabilized.  ‘Mostly’ stable, as there will be a constant stream of updates.

With the ‘mostly’ stable server and client software, hi-jinks from a few players became noticeable.

Enter EverQuest Director of Development Dave “Smokejumper” Georgeson.

EQNL Hacking Data Mining

Hi, folks,

Some innocent, and not-so-innocent, poking around in our build files has been happening recently.

Let us be perfectly clear here. This is NOT okay.

We are in Alpha right now. That means that things are not as secure as they will be later. When you go into the build and change things, you are creating bug situations that can cause serious problems with the game and/or consternation amongst its players.

That is not cool, and it’s not acceptable. We will ban folks that do that. Really. There’s no appeal process. You’re just gone.

You’ll know exactly when you’re doing something wrong. You’re opening up a menu via LUA that can’t be opened up from within the game, or you’re using a third-party tool to comb through compressed files, or you’re crafting things that aren’t available to other players yet. Stuff like that. There’s no question that you’re aware of what you’re doing when you’re doing these things because you can’t do them accidentally.

So be a good person instead, please. Let us know that the vulnerability exists, we’ll take care of things, and you will have made Landmark a better, stronger game for your efforts.

Later we will be creating a “white hats” list for people that love doing stuff like this and want to officially work with us. Details for signing up for that list will be made available at a later date, and we welcome any of you that are inclined to do those sorts of things to work with us in that regard.

But any sort of destructive or exploitative behavior during this Alpha phase will simply not be tolerated.

Sorry for being stern when I’m usually Mr. Excitement. But this is a serious matter. I hope you all understand.

Followed by:

22Feb2014

“I’ve heard this argument countless times. Sorry, folks. It doesn’t hold water. Work with us and play by the rules, or don’t play.

Yes, you can datamine that stuff all that you want to, that’s your right because the files are on your computer, but if we find out, we are not required to let you continue to disrupt the game. And we won’t.”

Followed by a caveat:

22Feb2014

Although we don’t recommend altering these files, the *.ini files and the *.xml files in the game directory are benign files if you want to adjust your key settings (as an example) before we get the user key settings into the game.

HOWEVER, I strongly recommend that you back up those files before altering them, and if you do alter them, and you experience ANY bugs, you should revert them back to original and test again before reporting those bugs, please.

That’s pretty much why we don’t want folks to poke around in the files. These games are so complicated that you rarely have an idea what value touches what features.

We understand that key config is a big issue. That’s why we have it as a high priority in the roadmap. Soon! :)

In its current state, EverQuest Next Landmark Alpha is little more than Minecraft with gorgeous graphics, stripped-down mining and crafting, no combat, no chat, etc.  Very slim pickens, so to speak.

EQNL screenshot (“How can I take screenshots of the game?!?!”)

Why some “players” have the need to cheat at something so simple is pathetic.

But not unexpected.

If you ain’t cheating, you ain’t trying!
Attributed to Mark Grace

Cheating in MMORPGs is not confined to Sony products.

Which can be seen here.

But as this article began with a Sony game, we’ll finish with another Sony MMORPG, EverQuest 2, and a small issue of die roll cheating.

“Wait for all players to make a choice or until the timer, shown underneath the “Loot” window, runs out.”
Laughable advice on “How to Beat the Need Before Greed Loot in EQ2”

A common feature in MMORPGs is the random die roll for loot.  The “loot” being something of value.  In EverQuest II, the basic die roll command is “/ran”.

‘Aplayer’, types “/ran” and the game server returns a numeric value from 1 to 100.

/ran
(Loot) [12:12 PM] Random: Aplayer rolls from 1 to 100 on the magic dice…and scores a 76!

‘Aplayer’ types “/ran 10000” and:

/ran 10000
(Loot) [12:13 PM] Random: Aplayer rolls from 1 to 10000 on the magic dice…and scores a 5332!

Unless one is actively hacking the game server, there is no way to change the outcome of the roll.

Of course, the computer generated random number is not random.

Can A Computer Generate A Truly Random Number? “If you go to an online poker site, for example, and you know the algorithm and seed, you can write a program that will predict the cards that are going to be dealt.”

But that’s another topic, for another day.

Getting back on subject.  If you’re a player, have you ever noticed the same people “accidentally” making multiple loot rolls?

(Loot) [06:47 AM] Random: Dieroller rolls from 1 to 100 on the magic dice…and scores a 33!
(Loot) [06:47 AM] Random: Dieroller rolls from 1 to 100 on the magic dice…and scores a 2!
(Loot) [06:48 AM] Random: Dieroller rolls from 1 to 100 on the magic dice…and scores a 97!

Or the same people winning loot by rolling last?

You may have been punked by a chat hack.

Apparently there’s a so-called hack that involves suppressing chat lines.  We’re saying “so-called” as that ability is near impossible.  Perhaps as near impossible as hacking the Sony mainframe.  Twice.

Nevertheless, there were at least three sites (morte) that at one time claimed to have a hack that would buffer one chat line, rendering it invisible to other players.

Simply.  Take the previous rolls.  To an outside observer:

(Loot) [06:47 AM] Random: Player2 rolls from 1 to 100 on the magic dice…and scores a 7!
(Loot) [06:47 AM] Random: Player3 rolls from 1 to 100 on the magic dice…and scores a 31!
(Loot) [06:47 AM] Random: Scumbag rolls from 1 to 100 on the magic dice…and scores a 33!
(Loot) [06:47 AM] Random: Player4 rolls from 1 to 100 on the magic dice…and scores a 45!
(Loot) [06:47 AM] Random: Player5 rolls from 1 to 100 on the magic dice…and scores a 91!
(Loot) [06:47 AM] Random: Scumbag rolls from 1 to 100 on the magic dice…and scores a 2!
(Loot) [06:48 AM] Random: Scumbag rolls from 1 to 100 on the magic dice…and scores a 97!

Oh dear, ‘Scumbag’ wasn’t watching the display and forgot to turn on the hack before making the “/ran” roll.  Zip back a minute.  This is Scumbag’s chat window:

hackon
(Loot) [06:47 AM] Random: Player2 rolls from 1 to 100 on the magic dice…and scores a 7!
(Loot) [06:47 AM] Random: Player3 rolls from 1 to 100 on the magic dice…and scores a 31!
/ran
(Loot) [06:47 AM] Random: Scumbag rolls from 1 to 100 on the magic dice…and scores a 33!
(Loot) [06:47 AM] Random: Player4 rolls from 1 to 100 on the magic dice…and scores a 45!
(Loot) [06:47 AM] Random: Player5 rolls from 1 to 100 on the magic dice…and scores a 91!
/ran
(Loot) [06:47 AM] Random: Scumbag rolls from 1 to 100 on the magic dice…and scores a 2!
/ran
(Loot) [06:48 AM] Random: Scumbag rolls from 1 to 100 on the magic dice…and scores a 97!
hackoff

An outside observer views:

(Loot) [06:47 AM] Random: Player2 rolls from 1 to 100 on the magic dice…and scores a 7!
(Loot) [06:47 AM] Random: Player3 rolls from 1 to 100 on the magic dice…and scores a 31!
(Loot) [06:47 AM] Random: Player4 rolls from 1 to 100 on the magic dice…and scores a 45!
(Loot) [06:47 AM] Random: Player5 rolls from 1 to 100 on the magic dice…and scores a 91!
(Loot) [06:48 AM] Random: Scumbag rolls from 1 to 100 on the magic dice…and scores a 97!

Possible workarounds.

  • Turn on the Need or Greed option for a specific loot item.  Cumbersome but not hackable.
  • Everyone rolls, then the raid/group leader or designated randomizer rolls.  Player with a number closest to the second roll wins.  Beatable.  A cheater playing the odds will roll a number between say 33 and 66; long explanation not provided.  A cheater will still win more often than other players, but will no longer be guaranteed an instant win.
  • Use a large, changing, randomly selected seed.  Like the raid/group leader types “/ran 10000 32000” and everyone must roll “/ran TheResultsOfLeaderRoll”.  And rolls must be completed in two ticks of the system clock.  That is 06:47 to 06:48; a duration of 61 seconds to 119 seconds.  Cumbersome, beatable.  Manually typing a large number takes time.  Because the number changes, changing a “ran” macro takes time.  A fast typist can beat this, but this does cut down on the number of rolls the cheater can make.  This does penalize slow honest typists.
  • Everyone who wants the item, types in chat their name or moniker.  Like drawing a name from a hat, the Raid Leader rolls /ran NumberOfNamesInChat.  Winner is the name with the matching number.  Quick, easy, painless.
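One mechanical check a raid leader can run over saved chat logs, added here as an example that is not from the original post: it parses loot lines in the format quoted above, flags anyone who rolled more than once or with a range other than the agreed 1 to 100, adjudicates on each player’s first roll only so a late re-roll cannot overturn the result, and diffs two players’ logs so a suppressed line shows up wherever at least one log is complete.  The sample logs are constructed from the roll sequence shown above; the first-roll rule only helps where the leader’s own record is complete.

```python
import re

# Loot-channel line format quoted in the post, e.g.
# "(Loot) [06:47 AM] Random: Player2 rolls from 1 to 100 on the magic dice…and scores a 7!"
ROLL_RE = re.compile(
    r"^\(Loot\) \[(?P<time>\d{1,2}:\d{2} [AP]M)\] Random: (?P<player>\S+) "
    r"rolls from (?P<lo>\d+) to (?P<hi>\d+) on the magic dice(?:…|\.\.\.)"
    r"and scores a (?P<score>\d+)!$"
)

def parse_rolls(log_text):
    """One dict per roll line, in log order; ordinary chat lines are ignored."""
    rolls = []
    for line in log_text.splitlines():
        m = ROLL_RE.match(line.strip())
        if m:
            rolls.append({"time": m["time"], "player": m["player"],
                          "lo": int(m["lo"]), "hi": int(m["hi"]),
                          "score": int(m["score"])})
    return rolls

def find_multi_rollers(rolls):
    """Players with more than one roll: {player: [scores in order]}."""
    scores = {}
    for r in rolls:
        scores.setdefault(r["player"], []).append(r["score"])
    return {p: s for p, s in scores.items() if len(s) > 1}

def find_range_mismatches(rolls, lo=1, hi=100):
    """Players who rolled with a range other than the agreed one (e.g. /ran 10000)."""
    return sorted({r["player"] for r in rolls if (r["lo"], r["hi"]) != (lo, hi)})

def resolve_naive(rolls):
    """Highest score on any line wins: the rule a late re-roll exploits."""
    best = max(rolls, key=lambda r: r["score"])
    return best["player"], best["score"]

def resolve_first_roll_wins(rolls):
    """Only each player's first roll counts; later re-rolls cannot overturn it."""
    first = {}
    for r in rolls:
        first.setdefault(r["player"], r["score"])
    return max(first.items(), key=lambda kv: kv[1])

def diff_logs(log_a, log_b):
    """Roll lines present in log_a but absent from log_b, keyed on (time, player, score)."""
    def key(r):
        return (r["time"], r["player"], r["score"])
    seen_b = {key(r) for r in parse_rolls(log_b)}
    return [key(r) for r in parse_rolls(log_a) if key(r) not in seen_b]

# Constructed sample: the complete roll sequence from the post, plus one ordinary chat line.
FULL_LOG = """\
(Loot) [06:47 AM] Random: Player2 rolls from 1 to 100 on the magic dice…and scores a 7!
(Loot) [06:47 AM] Random: Player3 rolls from 1 to 100 on the magic dice…and scores a 31!
(Loot) [06:47 AM] Random: Scumbag rolls from 1 to 100 on the magic dice…and scores a 33!
(Raid) [06:47 AM] Player4: rolling now
(Loot) [06:47 AM] Random: Player4 rolls from 1 to 100 on the magic dice…and scores a 45!
(Loot) [06:47 AM] Random: Player5 rolls from 1 to 100 on the magic dice…and scores a 91!
(Loot) [06:47 AM] Random: Scumbag rolls from 1 to 100 on the magic dice…and scores a 2!
(Loot) [06:48 AM] Random: Scumbag rolls from 1 to 100 on the magic dice…and scores a 97!
"""

# Constructed sample: what the post says an outside observer sees when two lines are suppressed.
OBSERVER_LOG = "\n".join(l for l in FULL_LOG.splitlines()
                         if "scores a 33!" not in l and "scores a 2!" not in l)

if __name__ == "__main__":
    rolls = parse_rolls(FULL_LOG)
    print("multiple rolls:", find_multi_rollers(rolls))
    print("naive winner:", resolve_naive(rolls))
    print("first-roll winner:", resolve_first_roll_wins(rolls))
    print("missing from observer's log:", diff_logs(FULL_LOG, OBSERVER_LOG))
```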

<shrug>  You can believe it or not.

On the plus side, the sites got taken down.  On the minus side, if this hack or exploit is real, and this is not confined to EQ2, honest players should keep their guard up.

/*

Updated 1 April 2014.

/*

The only way to win is cheat
Suicide Is Painless, Johnny Mandel
The theme from M*A*S*H (1970)

/*


