So, What Went Seriously Wrong with Yahoo?

By Sean Martin

My inbox lit up today to the point where it caught my attention. I experienced the quantity of requests from PR firms that I would normally get leading up to a huge event like the RSA or Black Hat conferences. Today, however, the emails were not about a new product release – they were about the Yahoo fiasco that was unfolding.

This post contains a collection of some of the responses I’ve received thus far (and there are more on the way). Those that are “short and sweet” (and good) will be added here and longer articles with more in-depth dialog will be published separately. Have some insight to share that isn’t covered here? Let us know.

I hope you enjoy reading these quotes and comments, presented in the order I received them (newest first).


Friday, 23-SEP-2016, 05:20

 

Leo Taddeo, Chief Security Officer of Cryptzone and former Special Agent in Charge of the Special Operations/Cyber Division of the FBI’s New York Office

The largest concern for enterprises around the Yahoo hack is the loss of unencrypted security questions and answers. This creates a risk for organizations that rely on this technique (and therefore potentially the same answers) to enhance security for traditional credentials. Traditional "something you know" methods of authentication are becoming irrelevant, as hackers continue to build broader dossiers of the things they know about us. The best defense is to deploy access controls that don't rely simply on user input, and instead examine multiple user attributes - including location, device type, time, group, configuration and more  - before allowing access. This type of "digital identity" makes it much harder for a hacker to take advantage of the type of information lost by Yahoo. 

 

Mark Skilton, Professor of Practice at Warwick Business School

While it's not a surprise to hear the magnitude of users that have been corporate hacked - after all the rise of the digital business means everyone is more or less online these days - what is shocking is the date, 2014, and the sense of resignation that some may have to the event. This is far too late for professional cyber security risk management and certainly from the organisational practices inside a company like Yahoo! that one would expect. 

The other factor is the legal impact for Yahoo! from the reputational impact and liability in losses for customers. This could yet be significant and a headache for Verizon in its planned imminent takeover of Yahoo!.

The lateness of the attack discovery, a whole two years, and the indication that it was a government state sponsored attack suggests both a highly professional stealth attack or perhaps some failure in basic perimeter monitoring by Yahoo!'s internal security practice.  

Either way, serious questions on internal checking of data breaches must be addressed. There will be a significant internal review in Yahoo! and Verizon to develop a turnaround plan for this hack, but it also suggests a need for a stronger perhaps government and industry role needed to increase cyber protection in the light of the rise in more stealth attacks. 

The infamous Russian bank stealth attack had a similar slow burn attack from an undetected stealth attack that resulted in an estimated 1 billion euro loss from several banks.

This Yahoo! situation is not that level of financial loss, but the impact and rise of huge cyber-attacks will need stronger cyber responses.


Thursday, 22-Sep-2016, 20:50

 

Scott Scheferman, Director, Consulting, Cylance

The reason the Yahoo attack is devastating from a national security perspective, is because Yahoo has been around for decades. My account goes back to 2000. Most people with a Yahoo account have had it for over a decade. These accounts are old, cluttered, and often unused for anything other than one reason: they are the one single common denominator people have kept around. The one account that followed them for over a decade.

For most, their Yahoo account is the account they use to set up all other email accounts. It is the ONE account that they use for the purpose of resetting passwords, saving personal info much like a persistent "backup" of their life, even the place they might email a zip file of their passwords for "safe keeping". Contact lists too.

No one uses Yahoo to actually compose an email and send it to their friends.

If you get access to the Yahoo account, you can reset every password on every other email system the account holder has logged into over the last 10+ years. Not just email accounts, but all accounts.

This is only phase 1 of the plot. This is the beginning of the 2nd wave of ID theft, and en-masse credential harvesting.

Yahoo would never be a final target; it would only ever be one of the first. Likely an insider attack at that.

From a machine learning / artificial intelligence (AI) perspective, at some point there is enough credential-focused data for every citizen, that AI will be able to •predict• passwords and password mutations. The vast majority of users do not randomly generate a unique password for every service.

This attack matters in 18 months from now. It is a primary seed. The sheer breadth of the data lays the foundation. The rest will just end up as clusters, and out will spit the credentials.

Yes, 2FA (two-factor authenticate) all the things.
Yes, randomly generate unique passwords for every service.
Yes, use a password manager.
Yes.... even doing all those things, we still have a problem...


Thursday, 22-Sep-2016, 19:30

 

Amichai Shulman, CTO, Imperva

The ease of getting tons of stolen credentials, with the fact that users will always continue to reuse passwords simply because they are human, make brute force attacks more effective than ever and force application providers to take proper measures to protect their users.

Data from breaches is hot merchandise on both sides of the legitimacy fence, the security marketplace on one side and the dark market on the other.

To prevent brute force attacks, security officers should not rely on password policies only, but should take specific detection measures like rate limiting login attempts, detecting login attempts from automated browsers, treat with caution logins from unexpected countries and anonymous sources, and compare login data to popular passwords and stolen credentials.

As we point out in our blog, there is a concerning pattern of breaches which occurred in 2012, but their severity was underestimated and under reported.  

Organizations must not become complacent in the face of 2016’s lack of mega breaches. As it turns out, those who don’t carefully monitor their networks today may well regret it in 2020.”

 

Michael Lipinski, CISO and chief security strategist at Securonix

The Yahoo breach is the perfect example that some of the organizations reading this statement are already breached, you just don't know it yet, or, you may never know it. We can't keep accepting this level of ignorance as the best we can do.

Not a lot of information so far but some quick comments:

  • It took two years to find the breach? I don't believe that. With the Verizon acquisition in process, there is this thing called due diligence that happens. I firmly believe that this is only now coming to light due to that due diligence. I believe someone knew about this earlier.
  • Whether there was a cover up or if indeed, this breach was not uncovered for two years, this is a huge failure of the Yahoo team for not being able to identify this much earlier.
  • The Yahoo team looks to be trying to deflect the risk to users by saying that passwords were hashed using bcrypt. Ask them how that worked out for Ashley Madison. They used the same salt hash and the hackers found a work around to the brute force methods of cracking the password.

 

Igor Baikalov, chief scientist, Securonix

When does the data breach go beyond a single organization issue and become a national security issue? The OPM breach sure qualifies because of the nature of the data compromised. Does Yahoo qualify because of the sheer volume - half a billion accounts?

When is the company too big to be breached? As we in the user behavior analytics space well know, having multiple angles at the user identity, or multiple dimensions of user data, qualitatively changes our knowledge of user identity and behavior - it's like moving from black-and-white TV screen to a 3D IMAX experience. A combination of data from somewhat orthogonal slices of life, like OPM, Anthem, United Airlines and Yahoo, allows a savvy attacker to build a pretty complete profile of the target for further exploitation.

The hacker known as Peace, who offered 200 million Yahoo accounts for 3 bitcoins back in August, might not be just Yahoo's and Yahoo users’ problem. 500 million Yahoo accounts correlated with a wealth of information stolen earlier is a priceless treasure for a nation-state.

From the user perspective, the biggest problem is unencrypted security questions/answers lost in this breach - while you can easily change that constantly compromised password, how many favorite pets can you possibly have? From the national security perspective, the problem is much bigger: how to preserve security in the digital world when the attacker has as much - or more - identity verification data as the user itself?

 

Jonathan Sander, vice president of product strategy for Lieberman Software

“Many breach headlines evoke vague awareness – a company you’ve heard of, or something that sounds important. Yahoo is Internet royalty. The message everyone should take from this is truly anyone can be cracked. Apparently it’s a state level actor, which isn’t surprising the amount of effort and resources it likely took to break security at one of the Internet’s biggest names.

Every single Yahoo user should be turning on Yahoo’s two factor authentication immediately. Yahoo has been prompting users to do this for months and most have ignored the call for extra security. If a headline like this can’t motivate them to take Yahoo’s good advice and use the extra security they’re offering, I’m not sure what could.”