[BreachExchange] Yahoo and the Year of Living Dangerously

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 23 18:57:30 EST 2017


http://www.technewsworld.com/story/Yahoo-and-the-Year-of-Living-Dangerously-84246.html

If there is a lesson to be drawn from Internet search giant Yahoo's hellish
past year, it is a grimly illustrative one: Never assume a cybersecurity
disaster can't get worse.

Last September, the Internet portal disclosed that it had suffered the most
damaging and far-reaching data breach in history -- only to then announce
in December the discovery of a second, earlier, and even larger hack.

Since the discovery, the sale of the company to Verizon has been put in
jeopardy, as Yahoo -- which recently announced its name would be changing
to "Altaba" -- began a probe into the hack that is expected to take several
weeks. We may not know the full extent of these hacks' effects for years;
indeed, it took years for the breaches to even be discovered.

What is known is that these travails were a long time coming. The Yahoo
hacks were not acts of God, falling from the sky and striking an unlucky
victim; they were the direct result of the corporation's continual neglect
of information security as a vital priority for doing business.

Systemic Problem

The tragedy of Yahoo's troubles is not merely that its systems were
compromised; that is a risk even the most secure online services may face.
Rather, it is Yahoo's lack of attention to cybersecurity, which left it
unable to detect and respond to the breach, turning a very bad situation
into a nightmarish one.

In 2014, hackers gained access to Yahoo's main user database, pilfering
credentials and personal information from at least 500 million accounts in
what was the biggest data breach in history.

Perplexingly, the theft went undiscovered until September 2016, when 200
million sets of user credentials appeared for sale on a darknet website.
Yahoo's failure to identify a breach of such gargantuan magnitude -- one
that it would somewhat ominously claim to be a "state-sponsored" act (an
accusation rejected by researchers) -- was a dark portent of things to come.

The hack reported last December seems to be worse -- much worse. That hack,
which is believed to have occurred in August 2013, resulted in at least 1
billion accounts suffering theft of personal information like names, phone
numbers, and dates of birth. Perhaps even more damaging was the hackers'
theft of poorly encrypted Yahoo passwords, as well as unencrypted answers
to security queries like "What is your mother's maiden name?" or "What was
your first car?" That information is meant to easily allow users to confirm
their identities when resetting account details.

Some sensible security protocols and simple, low-cost encryption could have
prevented this calamity. Adding insult to injury, the theft was not
discovered until government investigators and private data analysts
examining the first reported hack found evidence that a mysterious
"third-party" had gained access to other Yahoo data.

Incredibly, these thefts -- the largest and most damaging hacks in Internet
history -- were perhaps not even the lowlight of Yahoo's year. That honor
would belong to CEO Mayer's decision, at the behest of a U.S. intelligence
agency, to scan the content of all Yahoo users' emails for specific phrases
or attachments, a massive warrantless spy program so invasive that Yahoo's
security team, uninformed of the effort, initially thought it was a hack.

It is not enough that Yahoo's security posture is moribund -- not only
unable to prevent successive blitzes against billions of its users, but
even to detect their occurrence. Worse, in this instance, is the fact Yahoo
is as fully complicit as any hacker in exposing its customers' most
sensitive personal communications: It did so without permission, simply at
the demand of a government agency bearing no warrants or probable cause.

Security Tsunami Warning

What, then, will be the fallout of Yahoo's year of living dangerously?
Given the enormous potential for secondary fraud on other sites using Yahoo
account credentials, forcing password resets now, years after the crime, is
both entirely necessary and woefully inadequate.

After years of criminals likely trading Yahoo user information on darknet
marketplaces for cash, this attempt to rectify the situation is equivalent
to changing the vault's combination a couple of years after a safecracker
robbed the bank. In an information technology environment where Internet
users commonly recycle the same credentials across the dozens of sites they
regularly use, password reuse attacks are a growing threat.

Such an attack against Yahoo users has precedent, and the results could be
frightening. In 2012, the login credentials of as many as 167 million
accounts on business networking site LinkedIn were stolen by hackers,
emerging again on darknet auction sites in May 2016.

The compromised information, which, as with Yahoo, included poorly
encrypted passwords, is believed to have been responsible for numerous
large-scale "password reuse" secondary attacks, including one major attack
against cloud hosting platform Dropbox and 60 million of its accounts.

Given the potential for wreaking havoc, Yahoo's inadequate and outdated
password encryption could have severe consequences, affecting even sites
that securely encrypt their customers' passwords, through no fault of their
own. This is the nightmare made possible through the theft of reused
passwords: a cascading wave of data breaches affecting website after
website.
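An added example, not from the article, showing why the "poorly encrypted" password storage described above turns one breach into a cross-site problem: with an unsalted fast hash, two records for the same reused password are byte-for-byte identical, so a stolen dump can be matched against another site's records without cracking anything; with a per-user salt and a slow key-derivation function (PBKDF2 from the Python standard library is used here as a stand-in for bcrypt or scrypt) the records no longer match. The users, sites and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: alice reused one password at two sites, bob did not.
SAMPLE_USERS = [
    ("alice@example.com", "siteA", "correcthorse"),
    ("alice@example.com", "siteB", "correcthorse"),
    ("bob@example.com", "siteA", "tr0ub4dor&3"),
]

ITERATIONS = 100_000  # PBKDF2 work factor; tune upward for production use


def weak_store(password: str) -> str:
    """Unsalted, fast hash: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_store(password: str) -> tuple:
    """Per-user random salt plus a slow KDF; returns (salt, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


def cross_site_matches(store) -> int:
    """Count users whose stored records at siteA and siteB are identical.

    With weak_store a breach of one site exposes password reuse at the other
    directly from the dumps; with strong_store the salts differ, so the count
    is 0 and an attacker is forced back to per-record brute force.
    """
    by_user = {}
    for user, site, pw in SAMPLE_USERS:
        by_user.setdefault(user, {})[site] = store(pw)
    return sum(
        1 for sites in by_user.values()
        if len(sites) == 2 and sites["siteA"] == sites["siteB"]
    )
```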

Beyond these technical threats, Yahoo's lack of transparency in combating
information theft has further endangered Internet users. It is becoming
clear that under Mayer's leadership, Yahoo downgraded the importance of
instituting much-needed cybersecurity measures, fearing that it would
alienate a fickle user base with annoying new security requirements.
However, the end result will be far worse reputational damage.

A user experience that results in hackers compromising every one of your
Web accounts, or stealing your identity, is far worse than the
inconvenience of signing into an email account using two-factor
authentication.

This short-sightedness extended to Yahoo's public relations reaction: While
the company would ultimately estimate that a half billion accounts were
affected in the 2014 hack, the true number may be as high as 3 billion; and
while Yahoo may claim any affected accounts are being identified and reset,
its inability to detect even larger breaches is more than enough reason to
doubt the effort's efficacy.

Fortunately, this debacle need not be entirely in vain, if some simple
lessons can be absorbed. Had Yahoo made modest, sensible improvements in
its security posture, the hackers might have been dissuaded from attempting
such an ambitious heist, or at least been frustrated in their attempts to
do so.

Cyber risk is an unavoidable aspect of Internet business today, and even in
the worst-case scenario of a breach, reasonable precautions and rapid
action can prevent extensive damage.

For example, when "drag-n'drop" website creator Weebly suffered a hack
affecting 43 million of its users, the company's ready cooperation with
observers who discovered the attack helped it to quickly issue password
resets, while its strong password encryption further prevented customer
sites from being accessed.

The latest breach revelation may derail Verizon's planned $4.83 billion
acquisition of the search giant, but that would hardly be the greatest cost
of Yahoo's incompetence.

As always, the people who will most suffer are the consumers to whom Yahoo
owes its responsibility. They entrusted Yahoo with their personal
information -- a trust the former No. 1 search engine has inexcusably
betrayed.