eBay's denial aside, it's still Malaysian user data
By Gabey Goh May 30, 2014
- CSM says no official reports regarding attack to date, will investigate if there are
- Leaked data is legitimate but origins unknown, could be from Malaysian company
ONLINE auction house eBay may have denied that the data being offered online as coming from its database breach consists of legitimate accounts, but the fact remains that the leaked data contains details of over 10,000 Malaysian consumers.
In response to queries from Digital News Asia (DNA), CyberSecurity Malaysia (CSM) chief executive officer Dr Amirudin Abdul Wahab said that Cyber999 has not received any official report regarding this attack.
Cyber999 is a service operated by the Malaysia Computer Emergency Response Team (MyCERT) for Internet users to report or escalate computer security incidents. It comes under the purview of CSM, an agency under the Ministry of Science, Technology and Innovation.
“However, as we are aware of the file being available on the Internet for downloads, we have already escalated this issue to the respective service providers for the removal of this file, as the information ... implicates Malaysian users,” Amirudin said.
Investigation by request
Amirudin said that the agency was not in a position to verify the data set but will conduct investigations if there are official requests from relevant parties or impacted users.
Breaking down the process, he said an analysis of the compromised system or application will first need to be conducted.
“The incident happened probably because the user or admin was lacking IT security practices, which led to account information being hacked,” he said.
Amirudin said that the availability of digital evidence is important for analysis and verification purposes. This digital evidence may include the log of the compromised machine, the audit trail of application activities, or other relevant information that would help in the technical analysis and investigation.
The source of the compromise would indicate the originating IP (Internet Protocol) address of the attack, and it would then even be possible to identify who, where and how it happened.
“Law enforcement agencies would then have to conduct an investigation to trace the identity of the person using the IP address, or other relevant evidence, after which they can take legal action against the party in question if the actions are found to be against the law,” he added.
Asked by DNA to look into the data set, Goh Su Gim, Asia security advisor for cybersecurity firm F-Secure, noted that access to the list was “quite open” but added that there was no verification on how genuine the data is.
“The data seems legitimate as most of it checked out, but because the data has been massaged and sanitised by the attacker, it is hard to determine its origin,” he added.
Goh said that it is “quite difficult” to find out where the hacked information came from, especially the hashed passwords: because eBay claimed it uses complex hashing techniques together with “salting”, it may be difficult to verify how authentic the passwords are.
“Cracking them with brute force will take a lot of time and effort,” he said.
Asked whether the data could have originated from a database of another company, potentially Malaysian given the dominance of local users in the list, Goh said it was a possibility.
“Yes, there is also a chance that these accounts could have been harvested from a compromised Malaysian company, [which was] storing [users'] phone number, date of birth, email address, mailing address ... and somehow cross-referencing those accounts show an account in eBay.
“The attacker could have well thought this out as the perfect way to scam other scammers looking for this information,” he added.
Goh said that currently, most enterprises have high security awareness with their tools and expertise.
“However, security is always an expense to the company, therefore it is just there to buy themselves a sense of protection. Most attacks today are targeted or APTs (Advanced Persistent Threats), and most [are done] through social engineering.
“To stay secure, a company needs to watch 24/7, but the attacker just needs to get lucky once,” he said.
While taking basic precautions with the use of protection technologies is important, Goh said that educating and raising security awareness within the enterprise's employees is the most important thing to do.
He said that most of the time, breaches come through the weakest link – humans – and mostly through social engineering attacks.
“And most times, we blame the IT security and network people ... but all employees should be responsible for the security of a company.”
Not all accounts created equal
In the case of the eBay breach, the US company said that cyber-attackers had obtained access to “a small number of employee log-in credentials, allowing unauthorised access to eBay’s corporate network.”
Dan Dinnar, CyberArk vice president for Asia Pacific, said that the very fact that just a ‘small number’ of compromised accounts has resulted in such significant access to eBay’s corporate network is extremely concerning.
“Clearly, there has not been enough attention paid to protecting privileged access accounts, where one small human error or mistake can cause an enterprise-wide security breach.
“These powerful accounts hold the proverbial ‘keys to the kingdom’,” he said in a statement issued on the breach.
Dinnar noted that eBay has access to vast stores of information, data, and control within the organisation's digital repositories and, as a result, is a primary target for any hacker who is on the ball.
“Worryingly, once access has been secured, the extent of access means that maximum havoc can be wreaked. Protecting privileged accounts should be top priority for any business, not least because perimeter security is clearly failing.
“The way in for these malicious attacks is through the inside and, as such, protection needs to start here – at the heart of the organisation,” he added.
Dinnar said that monitoring and controlling these powerful accounts every time they’re used is paramount to mitigating the impact of an inside breach.
“Businesses must start better protecting their assets and critical to this is securing privileged accounts, which form the primary vehicle for so many successful attacks,” he said.
The eBay hack, and the subsequent wave of offers to sell the purported stolen data online, has highlighted another worrying trend, according to F-Secure’s Goh.
“One thing for sure is that after this incident, scammers are getting more and more crafty or entrepreneurial in taking advantage of such an incident to make another round of money – in this case, it’s the better scammers conning scammers,” he said.