[BreachExchange] Yahoo Defends Information Security Mojo to Senators

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 28 18:55:36 EST 2017


http://www.databreachtoday.com/blogs/yahoo-defends-information-security-mojo-to-senators-p-2402

What did Yahoo executives know about multiple data breaches and attacks
that the company suffered, and when did they know it?

Those questions have continued to dog Yahoo as it negotiates its sale to
Verizon for $4.5 billion. That's $350 million less than the offer Verizon
made last summer, before Yahoo last year revealed that it had discovered -
or failed to appreciate the full extent of - massive breaches.

Here's a brief timeline of Yahoo's related breach notifications:

Sept. 22, 2016: Yahoo reports that a late-2014 breach affected 500 million
or more users. Yahoo says it learned about the breach in 2016 from law
enforcement agencies.
Nov. 9, 2016: Yahoo warns that attackers have been using forged cookies to
access users' accounts without authorization.
Dec. 14, 2016: Yahoo says a breach, believed to date from August 2013,
compromised 1 billion user accounts.
Feb. 15, 2017: Yahoo warns more users that they may have been targeted via
forged cookie attacks.

Yahoo last month promised to brief U.S. Senate staffers on the latest
information relating to the 2013 breach, including details of 2015 and 2016
cookie-forging attacks that allowed attackers to access some users'
accounts without a password. But at the end of January - apparently with
more cookie-forging attack details coming to light - Yahoo abruptly
canceled its briefing.

Cue blowback from senators. On Feb. 10, Sen. John Thune, R-S.D., chairman
of the Senate Committee on Commerce, Science and Transportation, and Sen.
Jerry Moran, R-Kan., chairman of the committee's subcommittee on data
security, wrote to Yahoo CEO Marissa Mayer, demanding answers to numerous
breach-related questions, including a detailed timeline listing when
breaches were discovered, law enforcement agencies alerted and affected
consumers notified. Moran set a deadline of Feb. 23 for the responses.

On Feb. 23, April Boyd, Yahoo's head of global public policy, responded to
the committee, saying that "in the spirit of cooperation," Yahoo would
answer the committee's questions. She noted that the company, reflecting
public statements that it's made, continues to investigate the breaches
with the help of two outside digital forensic investigation firms - Stroz
Friedberg and Mandiant.

And she said that during the current management team's tenure, the company
has invested $250 million "in security initiatives ... including creating a
'Red Team' and developing the 'Bug Bounty' program" (see How Yahoo Hacks
Itself).

Yahoo Dishes Out Breach Details

Yahoo's answers largely rehash what the search giant had already revealed
via press releases and Securities and Exchange Commission filings.

The company says it believes that "a majority of the user accounts that
were affected by the 2014 [security] incident ... [were] affected by the
2013 incident." But given that the 2013 breach may have compromised 1
billion accounts - or nearly all of Yahoo's user base - that's not exactly
a shocking finding.

Yahoo also said that in September and December of last year, it required
any users who had not changed their password since 2014 to do so, and also
invalidated all of the security questions and answers that it had been
storing in unencrypted form, which it believes the attackers also stole.

Boyd emphasized that Yahoo, which is publicly traded, had disclosed many of
these details relating to its breach response and findings via quarterly
updates to the SEC.

She also detailed a number of information security initiatives that the
company has undertaken, such as providing users with a view of all devices
and browsers that have been used to access their account, providing a
"global logout" capability that ends every active session for an account,
hashing stored passwords with the salted bcrypt algorithm, and continuing
to refine authentication mechanisms, for example via OAuth as well as by
"leveraging fingerprint-based authentication on certain smartphones."
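The two measures above that bear directly on the forged-cookie attacks are session-cookie signing and "global logout." The following is an added example, not Yahoo's code and not a description of Yahoo's actual cookie format: it assumes a hypothetical layout of "user:generation:expiry:hmac" signed with a server-side HMAC key, and shows why a forger who lacks the key fails, why one who holds the key needs no password, why a global logout (bumping a per-user generation counter) invalidates legitimately issued cookies but not fresh forgeries, and why only rotating the signing key stops the latter. All keys, user names and timestamps are constructed for the example.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, payload: str) -> str:
    """HMAC-SHA256 over the cookie payload, hex-encoded."""
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


class SessionAuthority:
    """Issues and checks signed session cookies.

    Cookie layout (an assumption for this example, not Yahoo's format):
        "<user>:<generation>:<expiry-unix-seconds>:<hmac-hex>"
    """

    def __init__(self, key: bytes):
        self.key = key
        # Per-user session generation. Bumping it is the "global logout":
        # every cookie carrying an older generation stops verifying.
        self.generation = {}

    def issue(self, user: str, now: int, ttl: int = 3600) -> str:
        gen = self.generation.get(user, 0)
        payload = f"{user}:{gen}:{now + ttl}"
        return f"{payload}:{_mac(self.key, payload)}"

    def verify(self, cookie: str, now: int):
        """Return the user name for a valid cookie, otherwise None."""
        parts = cookie.rsplit(":", 3)
        if len(parts) != 4:
            return None
        user, gen, exp, tag = parts
        payload = f"{user}:{gen}:{exp}"
        # Constant-time comparison: a timing leak here would let an
        # attacker recover a valid tag byte by byte.
        if not hmac.compare_digest(tag, _mac(self.key, payload)):
            return None
        try:
            gen_i, exp_i = int(gen), int(exp)
        except ValueError:
            return None
        if exp_i < now:
            return None
        if gen_i != self.generation.get(user, 0):
            return None
        return user

    def global_logout(self, user: str) -> None:
        """Invalidate every cookie issued so far for this user."""
        self.generation[user] = self.generation.get(user, 0) + 1

    def rotate_key(self) -> None:
        """Invalidate every cookie signed with the old key, forged or not."""
        self.key = secrets.token_bytes(32)


def forge_cookie(user: str, gen: int, exp: int, guessed_key: bytes) -> str:
    """What an attacker who knows the layout can build without a password."""
    payload = f"{user}:{gen}:{exp}"
    return f"{payload}:{_mac(guessed_key, payload)}"


def demo() -> dict:
    now = 1_700_000_000  # constructed timestamp
    auth = SessionAuthority(key=b"server-side-secret-for-this-example")
    old_key = auth.key
    legit = auth.issue("alice", now)
    results = {
        "legit": auth.verify(legit, now),
        "expired": auth.verify(legit, now + 7200),
        # Attacker guesses the key: signature mismatch, rejected.
        "forged_wrong_key": auth.verify(
            forge_cookie("alice", 0, now + 3600, b"attacker-guess"), now),
        # Attacker holds the key: accepted, no password involved.
        "forged_stolen_key": auth.verify(
            forge_cookie("alice", 0, now + 3600, old_key), now),
    }
    auth.global_logout("alice")
    results["legit_after_logout"] = auth.verify(legit, now)
    # A key-holding forger simply re-forges with the new generation.
    results["forged_after_logout"] = auth.verify(
        forge_cookie("alice", 1, now + 3600, old_key), now)
    auth.rotate_key()
    results["forged_after_rotation"] = auth.verify(
        forge_cookie("alice", 1, now + 3600, old_key), now)
    results["reissued_after_rotation"] = auth.verify(auth.issue("alice", now), now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The takeaway for an incident responder is the difference between the last three results: a global logout is the right response to a stolen cookie, but if the signing material itself has been taken, only a key rotation (and re-issuing every session) closes the door.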

Boyd also promised that Yahoo would be providing briefings to senators'
staff.

Late last year, the SEC reportedly launched its own investigation into
Yahoo and whether the company issued timely enough warnings about the
breaches to investors.

National Breach Notification Deficit

One elephant in the room in Yahoo's back and forth with senators, and in the
SEC's investigation, is that details of the company's data breaches came to
light not because of any national breach-notification law in the United
States, but because of state-level laws.

Some 47 states - plus the District of Columbia, Guam, Puerto Rico and the
Virgin Islands - have breach notification laws on their books. Only
Alabama, New Mexico and South Dakota have no laws relating to consumer
breach notification.

Despite Congress debating a federal breach notification mandate for over a
decade, it has failed to pass such a measure. One concern has been that
some proposed bills would have put in place relatively weak requirements,
meaning that breached organizations would then have to comply not just with
the national law, but also any state laws mandating stronger notification
requirements.

"We are keeping an eye out for signs of support for a national breach
notification law," write privacy attorneys Cynthia J. Larose and Michael B.
Katz of law firm Mintz Levin, in a recent blog post. "So far, there does
not appear to be much political motivation for undertaking this effort."

In 2016, they say, 26 states weighed bills that revised their already
existing breach notification processes, and five states passed related
legislation. In multiple cases, legislation has expanded the definition of
what constitutes "personal information," for example "to include medical,
insurance or biometric data," Larose and Katz write.

Meanwhile, Europe has enacted the General Data Protection Regulation, which
will begin to be enforced in May 2018. GDPR applies to any organization,
anywhere in the world - including the United States - that processes the
personal data of people in the EU. A breached organization must notify the
relevant supervisory authority within 72 hours of becoming aware of the
breach and must alert affected individuals when the breach is likely to
pose a high risk to them.