
Sophos news in review: Asia partner conference, EBay breach, and the FBI’s crazy week

Sophos held our final Partner Connections conference in Hanoi, Vietnam, and it was a successful conclusion to a globe-hopping tour by our senior management team. Our channel strategy is getting great reviews from our partners, and the market is responding.

In security news, e-commerce website eBay was the latest online giant to disclose a blockbuster data breach — which was comparable in size to the data breach at Target last year.

Meanwhile, the FBI had a big week of news: the bust of a cybercrime ring responsible for the computer-hijacking malware called Blackshades, federal indictments of five Chinese army hackers, and the FBI director’s controversial comments about marijuana.

EBay’s big breach

EBay owned up to a major breach affecting the e-commerce website’s 138 million user accounts, one that could leave those users vulnerable to identity theft, but the company’s response to the security breach wasn’t exactly smooth.

After publishing the initial announcement on its website, eBay said it would be emailing all its users to inform them of the breach and telling them to change their passwords. Yet many readers of our article at Naked Security commented that they didn’t receive eBay’s notification, and the resulting flood of traffic to ebay.com caused it to slow to a crawl.

Although the company informed users of the breach this week, the breach itself probably occurred sometime in February 2014 and was only discovered by the company in early May.

Paul Ducklin, senior security analyst at Sophos, explained in a Naked Security article that eBay’s response indicated the company had been compromised with stolen employee credentials – and thankfully, eBay’s payments subsidiary PayPal was not affected by the breach.

In his post, Duck says the segregation of PayPal and eBay’s networks was prudent:

If crooks have to break in to three different places, in three different ways, to be able to stitch together all your corporate data, then their job is tougher.

Sophos security adviser Maxim Weinstein said eBay, despite its stumbles out of the gate, did a pretty good job of taking action once they realized the breach had happened.

“They have to figure out what happened, why did it happen, do something so that it won’t happen again and determine that it’s not still happening,” Max said in an interview with the International Business Times.

“The fact that they were able to do that within two weeks is actually pretty impressive,” Max said.

FBI battles China and jokes about pot-smoking hackers

US Attorney General Eric Holder announced the indictment of five Chinese military officers who the FBI says hacked the networks of major US steel companies, provoking a diplomatic row with China.

On top of that, the feds announced a major bust of a cybercrime ring with 100 arrests in multiple countries, all tied to the Blackshades remote access Trojan (RAT).

According to James Lyne, Sophos global head of security research, Blackshades was easily available for $50 to $100 in cybercrime markets, giving creepy criminals the world over a cheap way of spying on their victims.

If that wasn’t enough, FBI Director James Comey stirred up controversy when he said the FBI has trouble hiring qualified hackers who aren’t also marijuana users who want to “smoke weed on the way to the interview.”

After the comments were reported in the Wall Street Journal, US Senator Jeff Sessions strongly condemned them during a Senate oversight hearing – with Comey in the hot seat facing questions from Senators.

Comey backpedaled to say he was not endorsing marijuana – that he was just being “funny and serious” about the agency’s recruitment issues.

Sophos Security Chet Chat #148: Cloud privacy policies not related to data security

This week’s Sophos security podcast features Sophos experts Chester Wisniewski and Sean Richmond.

60 Second Security: Breach at eBay, bugs in Chip-and-PIN, busts for Blackshades

Paul Ducklin reviews the news of the week in just about a minute.


Keep up with Sophos news
You can get all the latest Sophos-related news right here. Sign up for our Sophos Blog newsletter by filling in your email address at the top right of the blog’s webpage. Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.
