One statement shows the main problem web services like Yahoo’s face on a 24/7 basis: Credibility in safeguarding personal information is of utmost importance.
For a company that really could use some good news for a change, Yahoo has had another pretty rough week. The pioneering search and web services provider, whose home page starts more browser sessions than anybody else’s in the world, revealed Dec. 14 that new security issues had impacted the personal data of more than 1 billion of its users. This is thought to be the largest and most widespread theft of personal information in the brief history of the internet.

The breach is different from, and twice as large as, the hack Yahoo admitted to suffering last September, one the company said happened in 2014 and which was at the time the largest breach in the world. So much for world records.

The newly disclosed security intrusion from Dec. 14 apparently took place in 2013 and involved a substantial amount of personal information, including passwords and the answers to security questions. Yahoo is trying to harden all its systems and requiring all its users to change passwords, and it is automatically invalidating the security questions.
Former User: ‘Went Over to My Gmail Account’
In a typical reaction, a Yahoo user interviewed on the street Dec. 14 on Bay Area television news simply said: “How does the Yahoo breach affect me? Simple. I just went to my Yahoo account, closed it and went over to my Gmail account.”
That one statement shows the main problem web services like Yahoo’s face on a 24/7 basis: credibility in safeguarding personal information. To be fair, this could happen to anybody, and it does on a regular basis; the public just doesn’t become aware of all the breaches.

Yahoo had agreed earlier this year to sell its core businesses to Verizon Communications for $4.8 billion. Verizon said that it might seek to renegotiate the terms of the transaction after the first hacking was discovered. It’s not known how the Dec. 14 hack attack will affect the purchase, which is still in process. No matter what, this news isn’t going to help Yahoo’s side of the negotiation.

As one might expect, eWEEK was inundated with reactions from IT folks far and wide after the news broke two days ago. The self-serving “I told you so” statements were easily remedied by the delete button. Others are legitimate observations based on industry experience and perspective, information from which Yahoo and others can learn. We include some of the more cogent ones here.
Jason Rose, Senior Vice President of Customer Identity Management Provider, Gigya:
“The biggest casualty is consumers’ loss of trust in Yahoo, which will, ultimately, erode the company’s value for pending acquirer Verizon. Trust is earned in drips and lost in buckets. In the online world, customers need to share their identity: email addresses, personal preferences, credit card numbers, etc., in order to connect with the businesses that provide them goods and services. If customers can’t rely on a business to protect that data, then trust is lost. In other words, identity is the currency of trust.”

James Maude, Senior Software Engineer, Avecto:
“One in six people globally have now had their data breached thanks to Yahoo. With a breach on such an unprecedented scale, users should be concerned about how a behemoth of the internet failed to notice this for such a long period of time. This is especially concerning as recent reports have shown that around this time Yahoo was busy undermining its own security by installing backdoors in their own infrastructure for government agencies. There is the worrying possibility that this undisclosed backdoor served as cover for the data breaches, as employees deliberately ignored or hid these back channels.
“Initial reports suggest that the attackers manipulated cookies, which are normally used to authenticate or track users; however, in this case the attackers changed them to bypass logins without requiring a password. Using this technique, attackers could have logged into accounts at will and monitored them for great lengths of time. With such negligence, questions must be asked as to what was going on at Yahoo to allow this to happen.”

Craig A. Newman, head of Privacy & Data Security Practice, Patterson Belknap LLP:
“Not only is this a big deal in the context of the proposed sale to Verizon, but it raises obvious questions about Yahoo’s overall data security protocols, particularly if 1 billion accounts were hacked more than 3 years ago and we’re just finding out about it now. Surely, it ups the stakes in the proposed deal and gives Verizon a lot more leverage either to renegotiate the purchase price or walk from the deal. While it also underscores the importance of cybersecurity due diligence in an M&A transaction and its direct link to valuation, it begs the broader question of reputational risk and what this is really going to cost in terms of litigation and regulatory investigations.”
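James Maude’s remark above about altered cookies bypassing the login describes a failure of cookie integrity: if the server trusts whatever identity a cookie states, anyone who can write the cookie can become that user. The Python below is an added example for this page; it is not Yahoo’s code and is not a description of Yahoo’s actual mechanism, and the cookie layout, signing key and function names are assumptions. It binds the user id and an expiry to an HMAC tag computed with a server-side key, so a cookie edited to name another user, or kept past its expiry, is rejected before its contents are trusted.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server-side signing key. A real deployment loads it from a
# secrets store and rotates it; without it, a valid tag cannot be produced.
SIGNING_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the cookie has no '=' or '.' in it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(user_id: str, ttl_seconds: int = 3600,
                         now: Optional[int] = None) -> str:
    """Bind the user id and an expiry timestamp to an HMAC-SHA256 tag."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + ttl_seconds}".encode("utf-8")
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_session_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the tag is valid and the cookie is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison; nothing in the payload is trusted until this passes.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        user_id, expiry = payload.decode("utf-8").rsplit("|", 1)
        expiry_ts = int(expiry)
    except ValueError:
        return None
    if now >= expiry_ts:
        return None
    return user_id


if __name__ == "__main__":
    cookie = issue_session_cookie("alice", ttl_seconds=3600, now=1_000)
    print("valid   :", verify_session_cookie(cookie, now=1_500))      # alice
    tag_part = cookie.split(".", 1)[1]
    forged = _b64(b"bob|4600") + "." + tag_part                        # edited identity
    print("forged  :", verify_session_cookie(forged, now=1_500))      # None
    print("expired :", verify_session_cookie(cookie, now=5_000))      # None
```

The same construction is what most web frameworks’ signed-cookie helpers do; the point worth taking from the quote is that a session cookie must carry something only the server can compute, and that the server must check it before reading any field, including the expiry.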
Mike Ahmadi, Global Director of Critical Systems Security, Synopsys Software Integrity Group:
“It is rather interesting to see the issue of cybersecurity risks being used as leverage in an acquisition, even if it is only speculation. It seems like the market is ripe for a third party evaluation and certification as a way to demonstrate some level of due diligence.”

Tony Gauda, CEO of ThinAir:
“The second cyberattack discovered at Yahoo illustrates just how difficult data breach investigations have become. Even while the company was assessing its systems following the discovery of the 2014 breach, this separate and larger breach went completely unnoticed. It’s clear organizations lack adequate visibility of their data. You don’t stand a chance defending digital assets you can’t see. Yahoo isn’t the only company with a breach just waiting to be discovered, and until the industry prioritizes reducing the time spent on investigations, this cycle will continue.”
Corey Williams, Senior Director, Products And Marketing at Centrify:
“Turns out the largest breach in history of 500M Yahoo accounts in 2014 is only half as much as the new largest hack ever discovered: 1B Yahoo accounts lost in 2013. Whether you stay with Yahoo or switch to another provider, my advice is the same: fasten your ‘cyber safety belt’ by turning on multifactor authentication. After all, over the last few decades, most Americans have come to accept seat belts as an essential safety measure. The ‘Click-it or Ticket’ education campaigns have been highly effective. Maybe this large scale event will serve to raise awareness about the inadequacy of the common password and to introduce the ‘cyber safety belt’—two-factor authentication.

“Yahoo is simply not safe to use unless you turn on Yahoo Account Key or another multifactor authentication solution.”
Amichai Shulman, CTO of Imperva:
“This Yahoo breach and others before it from LinkedIn, Dropbox and Yahoo! itself teach us a couple of things: One, that attackers are still ahead of enterprises, even the larger companies, when it comes to covering their tracks (which we have pointed to at the end of 2015). The alleged breaches were only detected once the leaked information surfaced on the web.
“Two, in these mega breaches, time is still a factor. While the passwords were not leaked in clear text, the time between leakage and detection allowed the attackers, using modern computing power, to crack most of the passwords. If the enterprises had promptly detected the breaches a lot of the potential damage could have been avoided.”
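Shulman’s point above, that hashed passwords were cracked in the gap between leakage and detection, and Kenneth Geers’s remark further down the page about MD5 hashes, rest on one property: a fast, unsalted hash gives an attacker the same cheap computation the server uses, and gives every user with the same password the same digest. The Python below is an added illustration written for this page, not Yahoo’s or any quoted vendor’s code; the iteration count and the user table are constructed assumptions. It shows how an unsalted table reveals password sharing across users, and how a per-user random salt with a deliberately slow key derivation (PBKDF2-HMAC-SHA256 here) removes that property.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Hypothetical cost parameter: tune it so one verification takes a few
# hundred milliseconds on the servers that do the work.
PBKDF2_ITERATIONS = 600_000


def legacy_md5_hash(password: str) -> str:
    """The scheme the page criticises: a fast, unsalted digest.
    Identical passwords give identical digests, and precomputed tables apply directly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def kdf_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow derivation. Returns (salt, digest);
    both are stored alongside the account and neither needs to be secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def kdf_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_digest_groups(user_to_digest: Dict[str, str]) -> List[List[str]]:
    """Usernames whose stored digests are identical. Under an unsalted scheme
    each group shares one password, so cracking it once exposes all of them."""
    groups: Dict[str, List[str]] = {}
    for user, digest in user_to_digest.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed sample table for the example (not data from any breach).
LEGACY_TABLE = {
    "alice": legacy_md5_hash("password123"),
    "bob": legacy_md5_hash("password123"),
    "carol": legacy_md5_hash("correct horse battery staple"),
}


if __name__ == "__main__":
    print("users sharing an MD5 digest:", shared_digest_groups(LEGACY_TABLE))
    s1, d1 = kdf_hash("password123")
    s2, d2 = kdf_hash("password123")
    print("same password, different salted digests:", d1 != d2)
    print("verify correct password:", kdf_verify("password123", s1, d1))
    print("verify wrong password  :", kdf_verify("Password123", s1, d1))
```

Migrating an existing table does not require waiting for users to log in: each legacy digest can be wrapped as `kdf_hash(legacy_digest)` immediately, with the row rewritten to a plain `kdf_hash(password)` at the user’s next successful login.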
Paul Calatayud, CTO of FireMon:
“For all of us, this breach is a reminder that your online identities are always at risk. There is a lot of talk about making sure you have strong passwords, but when those passwords are exposed in a breach, there is a different issue that arises—what else can the hackers do with knowledge of your password? Other websites may share passwords because you have decided to remember one long strong password that is reused across other accounts.

“The best way to mitigate the impact of the Yahoo breach would be to ensure you use unique passwords across your web accounts. That way any breach does not expose additional data or information contained in other systems. Breaches are very difficult to prevent, but the exposure and impact of a single breach is something you can manage with unique account practices.”
Bert Rankin, CMO, Lastline:
“The damage that a big business suffers from an orchestrated attack can continue to exact costs for decades. The costs can include the hard dollar costs of litigation, paying ransoms, investigations and infrastructure replacement, and also soft-yet-real losses of escalating customer churn and brand value decline.

“Companies often fail to account for the magnitude of potential losses when resourcing their preventative measures. Perhaps a logical Yahoo-Verizon deal adjustment, however, will be a sober reminder of just how important it is to get a state-of-the-art cyber defense strategy in place.”
Shuman Ghosemajumder, CTO of Shape Security and former Google click-fraud czar:
“This most recent credential spill at one of the world’s largest email providers further exacerbates the risk of millions of accounts being taken over at thousands of other major websites. This breach makes the job of cybercriminals that much easier, adding significantly to the more than 2 billion spilled credentials reported available to those attacking online accounts.

“The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo, as cybercriminals use advanced automated tools (like Sentry MBA) to discover where users have used those same passwords on other sites, through credential stuffing attacks, the most common attacks on web applications and APIs today.”

Steve Rubin, Cybersecurity Attorney, Moritt Hock & Hamroff:
“The FTC has been enforcing consumer protection statutes. If the FTC thinks Yahoo had lax security, regardless of their disclosures, the FTC may file an action. Because the breach relates to email, the ramifications are far reaching. Transactions performed over email may be compromised and that can include all sorts of sensitive data. Further, Yahoo credentials are used to access many services. And now those services are compromised. Aside from the number of customers, the nature of this data presents potentially far reaching ramifications.”
Chris Petersen, CTO and Co-Founder of LogRhythm:
“As I’ve said before, Yahoo must operate with the assumption that their network is untrustworthy. It’s likely the attacker still has avenues in, and left behind back doors and time bombs for future compromise. We’ve seen malicious code planted in compromised networks that go active months, even years later, providing the hackers access back into the network.”
“Moreover, they need to focus on protecting their most valuable data; identity information and the passwords of their users certainly fall into this category. They must create a ‘virtual monitoring shield’ around this data to detect unauthorized and abnormal access.”
Matt Little, VP of Product Development at PKWARE:
“We know encrypting data mitigates sensitive information exposure when the inevitable data breach occurs. Yahoo was encrypting some, but not all of this data. As we have seen many times before, data breaches in non-regulated industries are often much worse in terms of exposure, and due to lack of IT security spend, result in exceedingly long detection times with little to no information as to how it happened. Every organization needs a defense-in-depth approach to information security. It is no longer acceptable to ignore data-centric technologies, like data-level encryption as part of a modern approach.”
Ilia Kolochenko, CEO of High-Tech Bridge:
“I don’t think the breach will impact Yahoo’s customers in any new manner now, unless someone makes the breached database public and enables the re-use of passwords and secret questions/answers. The attackers who breached Yahoo must have already leveraged the compromised data for their own purposes. If they haven’t done so already after September’s disclosure, all Yahoo customers should consider changing their passwords, including accounts on all other services on which they registered using their Yahoo email. Migration to a more reliable email provider, such as Gmail, also makes sense.”
Scott Fulton, Technical Fellow at BeyondTrust:
“Now more than ever companies need to protect themselves when other companies are compromised. We all know users reuse passwords, and we can almost guarantee that the answers to users’ internal secret questions are the same as their personal secret questions. Users must take steps to protect themselves with internal access and privilege management. Again, we see why users should never reuse passwords. For the vast majority of users, convenience will always trump security. Available tools, including many password managers, are still too hard to use by the average citizen, and other means are required to protect end-users and consumers alike from their own laziness.”
Vishal Gupta, CEO of Seclore:
“Yahoo is learning for the second time this year that the most dangerous data breach is the one that goes undetected, and it could have a significant impact on negotiations with Verizon. With the details of over a billion users compromised, there is no doubt that the leaked information has already been leveraged by cybercriminals in one way or another. While payment details weren’t stolen, the hackers made away with names, email addresses, phone numbers, and other PII that can be used for highly targeted spear-phishing campaigns. Until organizations responsible for safeguarding large amounts of user information shift to a data-centric security model, they remain highly valuable targets for hackers, who will continue to come up with inventive ways to infiltrate systems.”
Jason Hart, VP and CTO for Gemalto’s Data Protection:
“What’s concerning about this breach is that Yahoo still hasn’t been able to confirm the source of the intrusion yet, and the fact that it took them over three years to discover a breach of this magnitude speaks to the amount of work we in the security industry still need to do. If Yahoo, one of the largest tech companies in the world, is struggling with security, how can companies with fewer resources combat these bad actors?”
Alex Vaystikh, CTO of SecBI:
“As news of the new Yahoo breach started pouring in, the first bit of information that really stood out is that the breach occurred in 2013, before the breach that was reported last September, which had taken place in 2014. The severity of this incident cannot be overlooked. Not only was the intrusion itself not detected in 2013, but no signs of it were discovered during the investigation of the 2014 breach. In too many organizations, threat detection still involves chasing after alerts and investigating them in a very limited way, detached from the bigger picture. Even when they chase down what they believe to be the ‘threat,’ there is no indication of where and how long ago the incident actually began. That is exactly what happened here.”
Joshua Eddy, CTERA:
“Today’s news underscores the value of target-rich environments that attract the efforts of the world’s cyber-criminal and state-sponsored espionage community. User credentials are sold by the fraction of a penny, so commercial hackers must focus their energies on the world’s largest websites and cloud storage repositories in order to be successful. What’s worse, the increasing occurrences of these hacks are evolving the conversation around SaaS security from “if” to “when.” What we do know is that all of the major cloud storage SaaS companies share some aspect of the data management and security management with their customers. Not one of them can claim to allow their customers to enjoy exclusive ownership of their data, their metadata, their encryption keys and their access credentials. For a certain class of security-conscious enterprises, this is fundamentally unacceptable.”

Kenneth Geers, Senior Research Scientist, Comodo:

“Yahoo should know that it is an invaluable target for cybercrime syndicates and nation-states and invest the resources to protect its data accordingly. The use of vulnerable MD5 hashes suggests that Yahoo was not paying sufficient attention to security.
“This is a hack of strategic scale, conducted with a high level of anonymity; those two factors combined could mean that this is a foreign intelligence service seeking the information solely for its signals intelligence value. One way to test that hypothesis is to try and find out if the stolen information has been used for cybercrime; that, however, is no guarantee because leaking some information could be a deceptive tactic on the part of the attacker.”

Kevin Cunningham, President and Co-Founder of SailPoint:

“What this latest breach disclosure by Yahoo underscores is an interesting trend where hackers are breaching user accounts, not necessarily to infiltrate corporate networks and applications, but to grab highly sensitive data hiding in email and other unstructured file stores. Think about all of the highly sensitive files that could be lurking in these breached Yahoo email accounts: incredibly sensitive tax or financial statements, personal healthcare data, even banking or credit card information. And that’s what hackers are after today: sensitive data that is ripe for the taking.
“What this means is that in 2017, not only will we see even more attacks targeting data stored in unstructured systems, but that it is critical that identity becomes the focal point for securing data stored in both corporate systems and unstructured databases, emails and files stores. Understanding who has access to your data, and how they are using that data is critical—no matter if that data lives in a corporate application or system, or in an unstructured system like email.”