Slashdot Mirror
Hacker May Be Exposing eBay Back Door
pacopico writes "A hacker specializing in eBay cracks has once again managed to masquerade as a company official on the site's message boards, according to The Register. A company spokesman denies that 'Vladuz's' repeated assaults on eBay point to a larger problem with the site's security. Of course, eBay two days ago claimed to have found a way to block Vladuz altogether, only to see him pop up again. The hacker himself made comments indicating that the company's email servers are connected somehow to the financial information eBay hosts."
...eBay is just a venue for people to exchange items, such as malicious code into an unexpecting user's browser.
When will they learn to do something simple like disallow META tags in item descriptions to stop redirects to sites with malicious code, rather than to hide such things and disavow any responsibility.
Your choice in Operating System does little to mitigate bad coding. eBay has never been known for their technical wizardry and coding sophistication. It wouldn't surprise me if their back doors were wide open. (If you knew where to look.) For example, instead of having secure B2B messaging channels between different offices and departments, they might use machine formatted Internet Email that gets decoded by machine on the other side. Which would mean that a lot of "financial information" could be travelling over "their email system".
10:1 says the guy is an employee who lost his gruntles.
Javascript + Nintendo DSi = DSiCade
Isn't that frowned upon?
Breaking in. Taunting someone and then getting paid to fix things? Bad precendece I would think.
You betting against him? He has crawled in the network, have you? Personally, I am not betting against him.
Has he? How do you know he's not a disgruntled ex-employee, who would have knowledge of their network legitimately? How do you know he's not in cahoots with an ex-employee? Why make persistent efforts to expose this unproven "flaw" in a public manner unless the intention were to harm eBay's image and/or their stock position?
This sort of information would be worth a lot of money on the black market, if it were true. Why doesn't he sell it?
If his goal is to protect ebay users, why doesn't he work with ebay security, privately?
I don't understand why people insist on believing this kind of stuff right out of the gate without any critical thinking.
The theory of relativity doesn't work right in Arkansas.
It might not be possible to fix their system.
According to Netcraft, eBay appears to heavily use Microsoft software for their main North American operations. If that list is correct, it seems that most of their sites run on Windows 2000 or Windows Server 2003, using IIS 5.0.
If these exploits are due to problems within Windows or IIS, it's basically outside of eBay's control as to whether or not such things get fixed. But we also have to question the competency of developers who would choose to base any significant, Web-based system on Windows. From a technical standpoint, it is insufficiently secure, and thus anybody in the know would avoid it. Web sites like eBay call for the use of high-quality, high-security operating systems like Linux, Solaris, HP-UX and AIX.
Both IIS 5.0 and IIS 6.0 can be easily secured, IIS 6.0 is simply more secure "as installed".
Neither compare to the security of Apache. One of the main problems with IIS is that updates are so slow in coming after a vulnerability is discovered. And since you don't have the source code, you can't deal with the problem yourself. With Apache, patches are usually available within hours, sometimes even minutes, of a vulnerability being located. And you do have the source code, so you can immediately fix any problems.
I ran one of the biggest hacker targets on the Net on IIS, and every single moron who announced giddily that "we are so owned, we are so stupid" walked away with their head hung low.
There's a very good chance that your Microsoft-based servers were compromised, but you just weren't aware of it. One of the main problems with Windows is that it's possible (and quite easy) to run processes that aren't displayed in the Task Manager, nor are they listed on the Services configuration dialog. So in effect, your system can be running a trojan and you have no idea.
UNIX systems, on the other hand, often display down to the thread level. Using ps, you can not only see every single process and thread that is running, but you can also see the complete path to the binary of that process. That way you can tell if somebody has hijacked your machine and is running a trojan under the name of another typical process (eg. httpd, sendmail, sh).
Now, it's possible for the ps command to be altered to not display certain processes. But there are numerous rememdies. One is comparing the checksums of the ps binary on your system to that of the distribution or vendor. Another option is to rebuild it yourself, with source code from a known source.
Regardless, it doesn't matter how good of an administrator you are. The technical nature of Windows systems leaves them wide open to vulnerabilities, including those that can't be easily detected.
Security breaches on ebay servers might explain the rampant theft of people's credit card info on ebay. In most cases ebay are apparently still trying to make customers and sometimes banks pay for the losses rather than admit to their servers being compromised.
Publishing this sort of thing privately often doesn't work. I've had numerous security vulnerabilities ignored for years: the use of public FTP sites with user's private passwords is one of the most common. Publicly write-able home directories used by both bosses and their secretaries is another: so are password free SSH keys and software that stores passwords locally in clear text, then NFS export those directories.
In practice, nothing forces a change faster than an obvious break-in that discomfits the boss's secretary: the second fastest is something that affects the stock price. Even something that is being actively used for break-ins is often ignored due to recalcitrant developers and users who cannot be troubled to use secure practices, or to invest in keeping their software upgraded. The worst of them are those who think "we're inside a firewall, we trust the people we work with!". Then they sneak in a laptop from home and expect it to just work.