{"id":4875,"date":"2014-05-23T12:30:35","date_gmt":"2014-05-23T16:30:35","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=4875"},"modified":"2020-02-27T03:42:56","modified_gmt":"2020-02-26T16:42:56","slug":"ebay_hacker_ie_vulnerable","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/ebay_hacker_ie_vulnerable\/4875\/","title":{"rendered":"A Week in the News: eBay Hacked, Internet Explorer Vulnerable"},"content":{"rendered":"<p>This week wasn\u2019t an overly busy one in terms of security news. However, yesterday\u2019s announcement that attackers breached a server containing user passwords at the online retail and auction giant eBay has to be the biggest story of the week. Close behind that \u2013 in terms of importance \u2013 was the emergence of yet another zero-day in Microsoft\u2019s very widely used Internet Explorer browser. Stepping away from bad news, Samsung is going beyond fingerprints, identifying new ways of biometric authentication. And, as always, we have some patches to mention, if only in passing.<\/p>\n<p><b>eBay Compromised<\/b><\/p>\n<p>eBay announced yesterday through its corporate website (eBay Inc.) that <a href=\"https:\/\/www.kaspersky.com.au\/blog\/ebay-data-breach-exposes-passwords\/\" target=\"_blank\" rel=\"noopener\">attackers compromised a database<\/a> containing customer names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth. Because encrypted passwords were stored in the breached server, eBay will be forcing users to change passwords in the coming days and weeks. 
When and if you go to change your eBay password, make sure you navigate directly to the eBay website rather than following email or social media links.<\/p>\n<p>The reason you don\u2019t want to follow links from email or social sites is that the sensitive information stored on the server could give attackers enough information for them to perform phishing attacks. Attackers often use this sort of information to craft phishing emails that claim to come from eBay (or other legitimate online services). These emails generally present users with links leading to legitimate-looking malicious sites. The purpose of those sites is to trick users into handing over login credentials.<\/p>\n<p>As always, if you\u2019ve been sharing passwords between accounts, you will need to change the password on any online account where you may have used the same password that you used to lock your eBay account.<\/p>\n<p>Interestingly enough, this incident follows news from earlier in the week that retailers have decided to forge <a href=\"https:\/\/threatpost.com\/retailers-form-isac-to-share-threat-data\/106144\" target=\"_blank\" rel=\"noopener nofollow\">threat-data sharing partnerships<\/a> in the wake of the Target data breach. In other words, they\u2019re going to talk to each other about the kinds of attacks they face so that \u2013 collectively \u2013 retailers can better protect themselves. Later in the week, a study came out suggesting that <a href=\"https:\/\/threatpost.com\/companies-better-at-containing-data-breaches\/106192\" target=\"_blank\" rel=\"noopener nofollow\">companies are getting better at containing data breaches<\/a>. It will be interesting to see if the scope of the eBay breach, which was enabled by some compromised employee credentials, ends up validating or contradicting that point.<\/p>\n<p><b>IE Zero-Day<\/b><\/p>\n<p>The good news in this situation is that the flaw only affects IE 8, an old version of the browser. 
The bad news is that <a href=\"https:\/\/threatpost.com\/microsoft-working-on-patch-for-ie-8-zero-day\/106247\" target=\"_blank\" rel=\"noopener nofollow\">Microsoft is not sure when there will be an update available<\/a> that mitigates this issue. However, the computer giant has acknowledged the serious vulnerability and is working on a fix for it.<\/p>\n<p>Without getting too technical, but probably still getting more technical than is necessary, <a href=\"https:\/\/threatpost.com\/another-internet-explorer-zero-day-surfaces\/106223\" target=\"_blank\" rel=\"noopener nofollow\">the Internet Explorer 8 zero-day<\/a> could enable an attacker to run malicious code on vulnerable machines using an attack called a \u2018drive-by download\u2019 or by planting malicious attachments in email messages. A drive-by download is essentially a sort of attack where the attacker embeds malware on a website. When a user happens upon that website using a vulnerable browser, that user\u2019s machine becomes infected with malware.<\/p>\n<p>What can normal computer users do about this other than update to Internet Explorer\u2019s more recent version 10? Not a whole lot; three things, really: Be careful where you browse, be careful with email attachments, and make sure you install the next Microsoft security patches as soon as they come along (if you get your updates automatically then you don\u2019t need to worry about this last bit). In fact, this advice should just be followed by everyone.<\/p>\n<p><b>Iris Recognition<\/b><\/p>\n<p>Not to let gloom and doom rule the weekly recap, Samsung announced this week that it plans to incorporate <a href=\"https:\/\/threatpost.com\/samsung-eyeing-iris-recognition-for-new-phones\/106222\" target=\"_blank\" rel=\"noopener nofollow\">biometric sensors<\/a> such as eye scanners into more of its products in the future. 
The company claims these features would even be available on their less expensive offerings.<\/p>\n<p>The move would bolster security on Samsung devices and reportedly could wind up tying into the company\u2019s security-conscious <a href=\"https:\/\/www.kaspersky.com.au\/blog\/understanding-samsung-knox\/\" target=\"_blank\" rel=\"noopener\">Knox<\/a> system at some point.<\/p>\n<p>It will be interesting to see whether iris scanning is more or less resilient to potential attack than <a href=\"https:\/\/www.kaspersky.com.au\/blog\/fingerprint-scanner-iphone-5s\/\" target=\"_blank\" rel=\"noopener\">fingerprint authentication<\/a>.<\/p>\n<p><b>Breaking<\/b><\/p>\n<p>As I write, reports have begun emerging that the Android Outlook application contains an encryption issue that could expose user emails and the attachments therein. <a href=\"https:\/\/threatpost.com\/android-outlook-app-could-expose-emails-attachments\/106250\" target=\"_blank\" rel=\"noopener nofollow\">Read more here<\/a>, and we\u2019ll surely discuss this issue in the monthly news podcast.<\/p>\n<p><b>Patches Per Usual<\/b><\/p>\n<p>As always, we have some patches you should look out for. This week it\u2019s Google, which fixed 23 security vulnerabilities in Chrome, including three high-risk flaws. 
So, if you use Chrome and don\u2019t let the browser install updates automatically then you should go ahead and install these updates as soon as possible.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>eBay user passwords compromised in data breach; another Internet Explorer zero-day for Microsoft; Samsung eyes iris authentication; and patches from Chrome.<\/p>\n","protected":false},"author":42,"featured_media":4876,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[1232,673,671,674,25,457,636],"class_list":{"0":"post-4875","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-biometrics","9":"tag-chrome-update","10":"tag-ebay-data-breach","11":"tag-fingerprint","12":"tag-internet-explorer","13":"tag-samsung","14":"tag-zero-days"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ebay_hacker_ie_vulnerable\/4875\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ebay_hacker_ie_vulnerable\/3502\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ebay_hacker_ie_vulnerable\/3391\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ebay_hacker_ie_vulnerable\/3817\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ebay_hacker_ie_vulnerable\/3971\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ebay_hacker_ie_vulnerable\/4875\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/ebay_hacker_ie_vulnerable\/3742\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ebay_hacker_ie_vulnerable\/4875\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/biometrics\/","name":"biometrics"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/4875","targetHints":{"allow":["GET"]}}],"collection":[{"h
ref":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=4875"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/4875\/revisions"}],"predecessor-version":[{"id":26329,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/4875\/revisions\/26329"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/4876"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=4875"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=4875"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=4875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}