EcommerceBytes called on Zulfikar Ramzan, Chief Technology Officer of Elastica, to provide some context around eBay’s security breach. In Part 1, he talked about what’s going on at eBay right now based on his experience working with other companies that have gone through the exact situation now facing eBay.
In part 2, he answers questions about the challenges eBay faces in protecting sensitive data such as physical addresses and birth dates and the role law enforcement plays in an investigation after a breach like the one that occurred at eBay.
EcommerceBytes: Do you know what role the FBI plays in a case like this? Do they have forensic experts and do they manage the investigation?
Zulfikar Ramzan: The role of law enforcement in situations like this can vary. Certainly, the law enforcement agencies do have forensic experts. However, the reality is that the number of people out there with deep forensic experience still falls far short of what is needed given today’s threat landscape. That’s why I suspect that eBay is engaging private consulting companies who have deep expertise in this area.
EcommerceBytes: eBay did not encrypt sensitive data such as physical addresses and birth dates. What does this mean, and should they have been?
Zulfikar Ramzan: That’s a great question. I’m not familiar with eBay’s policies around encryption of the data stored in their database. My background is actually in cryptography, so my opinion on this subject might be a bit more nuanced and detailed, so I apologize in advance if my answer is more lengthy as a result.
Encryption is very useful if your only goal is to store data in a secure fashion. However, if you are trying to do anything else with that data other than storing it, the matter becomes significantly more complex. For example, let’s say you are trying to search your data for all zip codes that exist in a particular range, which is something that you can imagine a company trying to do as part of marketing campaigns and customer communications. Doing such a search on encrypted data is significantly more complex because you no longer have visibility into the actual content that was encrypted. There are some mathematical approaches for addressing this problem, but they are either too complicated to be practical, or they are only useful in limited scenarios, or they weaken the security guarantees you can make as a result.
The other aspect is that the security of encryption always comes down to the security of the cryptographic key that was used to encrypt that data. If an attacker can access that key, he can use it to decrypt the encrypted data. So, if I encrypt data, I need to make sure the key is not readily accessible to the attacker, otherwise the benefits of encryption are quickly nullified. At the same time, the key needs to be accessible to people who legitimately should be allowed to access the data. And so being able to manage these keys can quickly become unwieldy.
The one thing eBay did that was very useful is protect stored passwords using a paradigm known as hashing and salting. (Interestingly, some media reports have erroneously said that eBay “encrypted” their passwords. However, encryption is not the right nomenclature to use here.)
Hashing and salting basically give you a way of comparing data while maintaining its confidentiality. This concept is very useful for passwords. For example, with a password, you want to know whether the user typed in the correct password. You don’t really care what the password is, but really just care about whether the password the user entered matches the actual password.
Hash functions are analogous to fingerprints. If two people submit their fingerprints to you, it is fairly easy to tell whether those fingerprints belong to the same person or to different people. But from a fingerprint alone, you don’t get any additional useful information about the person.
In a similar vein, if an attacker gets their hands on the hashed and salted password, they don’t get to see the actual password itself, so what they have is of little to no use. That said, it’s not impossible for them to figure out the passwords themselves from the hashed value. The reason for that is that most users choose relatively simple passwords. For example, mostly letters and maybe a couple of numbers. On top of that, the letters they choose are not entirely random looking. For example, they may form English words. So, an attacker can quickly try to enumerate possible passwords and see if the hash of those passwords matches what they see inside the database they have compromised. This process can be automated and therefore an attacker can easily test out tens of millions of possible password choices. This type of attack is known as a dictionary attack.
Salting is a technique that makes dictionary attacks harder. It involves adding a few random characters to the end of a password before hashing it. These characters would be unique to eBay. As a result, an attacker will not be able to recycle any previous work they may have done with a dictionary attack because that previous work might have used a different salt value and hence be moot.
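As an added illustration of the hashing-and-salting point above (example code written for this page, not eBay’s implementation or anything Ramzan described): the block stores each password as a PBKDF2-HMAC-SHA256 digest with a per-user random salt, verifies a login attempt by recomputing the digest and comparing in constant time, and contrasts that with an unsalted SHA-256 hash. A small table precomputed over a constructed five-word list matches the unsalted hash immediately, while the same table finds nothing against the salted record, which is the “recycled work” problem salting removes. The word list, iteration count and salt size are assumptions chosen for the example, and the per-user salt is the usual practice rather than a single site-wide value.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2 work factor used in this example (a constructed value; tune for your hardware).
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Hash a password with a per-user random salt using PBKDF2-HMAC-SHA256.

    The returned record (salt, iterations, digest) is what a site stores
    instead of the password itself.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(candidate: str, record: dict) -> bool:
    """Recompute the salted hash of the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def unsalted_sha256(password: str) -> bytes:
    """The weak 'before' form: a plain hash with no salt and no work factor."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed word list standing in for the "relatively simple passwords" the interview mentions.
WORDLIST = ["password", "letmein", "summer2014", "ebay1234", "qwerty"]


def precomputed_table() -> dict:
    """Work that can be done once, ahead of time, against any unsalted SHA-256 store."""
    return {unsalted_sha256(w): w for w in WORDLIST}


def recover_from_unsalted(stored_hash: bytes) -> Optional[str]:
    """A plain hash falls to a single table lookup."""
    return precomputed_table().get(stored_hash)


def recover_from_salted(record: dict) -> Optional[str]:
    """The same table is useless against a salted record: none of its entries
    were computed with this user's salt, so the lookup returns None."""
    return precomputed_table().get(record["hash"])


def demo() -> dict:
    """Exercise both storage forms with the same constructed password."""
    alice = hash_password("summer2014")
    bob = hash_password("summer2014")  # same password, different salt
    return {
        "verify_ok": verify_password("summer2014", alice),
        "verify_wrong": verify_password("Summer2014", alice),
        "salted_hashes_differ": alice["hash"] != bob["hash"],
        "table_hits_unsalted": recover_from_unsalted(unsalted_sha256("summer2014")),
        "table_hits_salted": recover_from_salted(alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two users with the same password end up with different stored digests, so an attacker who has cracked one record learns nothing about the other, and any table built before the breach has to be rebuilt per salt. The PBKDF2 iteration count adds the second defence the interview alludes to: each guess costs the attacker as much work as it costs the login server.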
See Part 1 of “Behind the Breach”: Handling the Aftermath – All Hands on Deck and look for Part 3 in tomorrow’s EcommerceBytes Newsflash.