Attacks/Breaches
1/18/2012
02:11 PM
50%
50%

Zappos Breach Renews Calls For Stronger Passwords

Passwords are the go-to security technique for retailers, but businesses must balance password strength and consumer ease of use.

Are Zappos' customers' passwords safe?

On Sunday, Zappos began notifying its customers about a network intrusion that led to the theft of customers' names, addresses, email addresses, and encrypted passwords.

Because the passwords were encrypted, it's unlikely that attackers would be able to immediately decode them all. Even so, Zappos expired all customers' passwords and advised those who had reused the same password on another site to change it there immediately.

Given that warning, what's the risk of Zappos customers having their passwords cracked after the data breach? The answer to that question depends on numerous factors, including the complexity of each password, as well as whether Zappos had both salted and hashed customers' stored passwords.

Based on the Zappos password-reset process, however, Kurt Baumgartner, senior security researcher at Kaspersky Lab, said it's likely that many customers' passwords aren't safe. "When the Zappos team forced their users to reset their passwords ... they enabled their users to provide a minimum of eight-character passwords, including one upper- and lowercase letter and one number or one special character," he said in a blog post.

[What lessons can we learn from the Zappos hack? See Zappos Breach: 8 Lessons Learned.]

"So users' [password] could look like 'Zappos12', and here lies a bigger problem. With 'rainbow tables' that have been circulating as a part of both commercial products and open-source projects discussed at major security conferences for years, this weak password scheme could be quickly cracked offline," he said. Furthermore, as demonstrated by an analysis of the passwords chosen by SonyPictures.com users, many people favor simple--and thus more easily cracked--passwords, which they reuse across sites, no doubt because they must now employ passwords for so many different sites.

It's also not clear just how well-secured the Zappos passwords may have been. Notably, Zappos said that users' passwords had been stored in "cryptographically scrambled" format. "But they need to explain what they meant by 'cryptographically scrambled,'" said Baumgartner. "'Scrambled' is not common security jargon and most likely [was] tossed out by a marketing writer doing their best with the situation."

Accordingly, he said, that raises these questions: "Are they maintaining salted md5's for their password values? How about something stronger--and why not?" Zappos also prevents customers from reusing any of their previous six passwords, he said. But how does it know what those passwords were, and is it possible attackers compromised copies of those historic passwords as well?

A spokeswoman for Zappos said no additional information was available regarding how the company secures users' passwords. Zappos, meanwhile, is still working to notify customers and upgrade its non-U.S. websites to cope with an anticipated surge in website traffic and password resets.

On that front, some customers have expressed frustration with the state of Zappos' customer-notification effort, with some saying that they failed to receive the email warning about the data breach, which included password-reset instructions. Furthermore, the full extent of the breach has yet to become clear, although Zappos is likely still investigating the intrusion and awaiting a detailed digital forensic analysis.

Find out how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates in our Compliance From The Inside Out report. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2382
Published: 2014-11-20
The DfDiskLo.sys driver in Faronics Deep Freeze Standard and Enterprise 8.10 and earlier allows local administrators to cause a denial of service (crash) and execute arbitrary code via a crafted IOCTL request that writes to arbitrary memory locations, related to the IofCallDriver function.

CVE-2014-3625
Published: 2014-11-20
Directory traversal vulnerability in Pivitol Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

CVE-2014-8387
Published: 2014-11-20
cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi.

CVE-2014-8493
Published: 2014-11-20
ZTE ZXHN H108L with firmware 4.0.0d_ZRQ_GR4 allows remote attackers to modify the CWMP configuration via a crafted request to Forms/access_cwmp_1.

CVE-2014-8767
Published: 2014-11-20
Integer underflow in the olsr_print function in tcpdump 3.9.6 through 4.6.2, when in verbose mode, allows remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?