EBay is asking all of its users to change their passwords, following a recently discovered data breach from late February. Apparently employee login credentials were compromised, allowing intruders to access a database containing eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. Unfortunately, data breach announcements throw around the term "encrypted password" loosely, so we don't know if they are encrypted (meaning they can be decrypted with a key, not a best practice), or hashed (meaning they cannot be decrypted, which is good). In either case, there are bigger risks associated with the breach of personal data that could be used to aid identity theft.

What Happened This Week The US Department of Justice announced charges against five members of the (Chinese) Peoples Liberation Army Unit 61398 for cyber industrial espionage against Westinghouse, SolarWorld, U.S. Steel, Allegheny Technologies Inc., the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union, and Alcoa Inc. (News coverage: NYT, WSJ (may be behind their paywall), Washington Post) The indictment alleges that the defendants conspired to hack into American entities, to maintain unauthorized access to their computers and to steal information from those entities that would be useful to their competitors in China, including state-owned enterprises (SOEs). In some cases, it alleges, the conspirators stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen. In other cases, it alleges, the conspirators also stole sensitive, internal communications that would provide a competitor, or an adversary in litigation, with insight into the strategy and vulnerabilities of the American entity. “This is a case alleging economic espionage by members of the Chinese military and represents the first ever charges against a state actor for this type of hacking,” U.S. Attorney General Eric Holder said. “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response.” While these are serious allegations, there was a certain high theater about this. The Attorney General held a press conference. The DOJ and FBI issued press releases, complete with "Wanted By The FBI" posters with color pictures of each of the PLA officers and the note that if you see one of these people to call your local FBI office. Somehow, I don't expect any of them to plan a trip to anyplace with an extradition treaty with the US anytime soon.

Disclaimer: These notes are neither product recommendations or complete reviews. They are intended to share a couple of things I'm playing around with right now. Feedback in the comments section would be welcome, especially shared experience with these apps. F-Secure Freedome VPN F-Secure, the Finnish security company, has made a bit of a splash in the technical media (not to mention Forbes as well) lately with their mobile VPN and security app Freedome. Freedome is intended to enhance anonymity and reduce tracking for mobile device users on iOS and Android. F-Secure claims: "We’ve gathered the most sophisticated security features – VPN, anti-virus, anti-tracking, and anti-phishing – into one intuitive service. With the push of a button, Freedome watches your back."

Brian Dye, Symantec's senior vice president for information security, caused lot of virtual ink to be spilled when he told the Wall Street Journal that antivirus "is dead. We don't think of antivirus as a moneymaker in any way." According to Dye, traditional signature antivirus picks up about 45% of cyber attacks. Eeva Haaramo points out on ZDNet that this is not news. Symantec's endpoint protection products (as well as those of their competitors) already look for suspicious activity that may come from previously unseen viruses. They also integrate a local firewall, spam protection, and other new features.

There's been a lot of hand-wringing about the current state of cryptography lately. We've had two publicly disclosed bugs that rendered widely used cryptosystems ineffective in some cases. One was Apple's "goto fail" bug in iOS, which could allow an attacker to intercept all traffic in what the user thought was a secure session. The other was the "Heartbleed" bug in OpenSSL which allowed the compromised of data in memory of an SSL server, including private keys.

Gregg Keizer in Computerworld quotes Secunia's Kaspar Lindgaard making a case that I've been making for a while, that "Patch Tuesday" will be a boon for hackers looking for XP vulnerabilities. We'll get a test of the hypothesis tomorrow, when Microsoft releases 8 new security updates. The reasoning is that many vulnerabilities patched in Windows 7, Windows 8.1, or the various Windows Server operating systems were carried forward from code lines in XP. The patches and accompanying security bulletins give attackers a roadmap for finding the vulnerabilities in XP that will never be patched.

Eden Technologies has released a series of five web videos on Enterprise Data Security and Data Loss Prevention (DLP). The series highlights the components of an effective data security program and the place of DLP systems in a complete program. We emphasize the importance of considering people, process, and technology in your DLP program. The series is a good balance of all three, combining a review of the programs and processes with demonstrations of the major components of the Symantec DLP system. The five videos in the series are:

Yesterday Microsoft issued a critical out-of-cycle patch for the IE 0-day vulnerability in security bulletin MS14-021. Contrary to past statements, this patch will cover Windows XP and will cover all versions of IE from IE6 through IE11. As all of the investments advertisements say “past performance is no guarantee of future performance.” You dodged a bullet this time, but it may be the last time. Upgrade now.

Back to other vulnerabilities and security issues. The first vulnerability since XP went out of support has been reported, although not yet patched. Once the patch is out for supported versions, though, it will remain a zero-day for XP. Here's a preview of a FAQ I'm preparing for our clients at work. What is the security alert? Microsoft has issued a security advisory (2963983) based on research done by FireEye announcing a zero-day vulnerability in all versions of IE from IE6 through IE11. There is a bug in the way that IE accesses invalid memory (e.g. use after free) that can be exploited using Flash to allow remote code execution. According to FireEye, this vulnerability is NOT mitigated by either Address Space Location Randomization (ASLR) or Data Execution Protection (DEP). This vulnerability has been designated CVE-2014-1776 in the National Vulnerability Database. Both Microsoft and FireEye have warned that this vulnerability is being actively exploited in limited targeted attacks.

My old friend Dan Geer has an interesting post on Heartbleed (hat tip to Bruce Schneier for spotting it). Dan and Bruce have written before about the dangers of software monocultures. When flaws are widely disseminated that their impact is disastrous when exploited either deliberately or by accident. Some examples that come to mind from an operating system near-monoculture are the Melissa and Love Letter viruses, circa 1999-2000 (email dissemination of an executable virus) and the 2003 SQL Slammer worm. The near ubiquity of Microsoft Windows and, in the case of Slammer, the poor state of patch discipline caused widespread denial of service.