Yahoo’s billion-user breach calls the company’s security practices into question.
A second massive and “distinct” Yahoo breach – affecting more than one billion users – that was disclosed Wednesday has raised a number of questions, primarily why the internet company didn’t suss out the intrusion earlier, how to mitigate a troubling pattern of attacks, and what this second disclosure might mean for Verizon’s impending acquisition of Yahoo.“The first bit of information that really stood out is that the breach occurred in 2013, before the breach that was reported last September, which had taken place in 2014,” SecBI CTO Alex Vaystikh told SC Media. “The severity of this incident cannot be overlooked. Not only was the intrusion itself not detected in 2013, but no signs of it were discovered during the investigation of the 2014 breach.”
That Yahoo could fall victim to such a massive breach sent out ripples of alarm.
“If Yahoo, one of the largest tech companies in the world, is struggling with security, how can companies with less resources combat these bad actors?” Jason Hart, vice president and CTO for Gemalto’s Data Protection solutions, told SC Media.
Indeed, “companies with fewer resources” should take notice, Sarah Stephens, head of cyber, media and E&O, JLT Specialty, told SC Media, because “they may also be missing detection of significant events.”
Yahoo’s failure to uncover breaches sooner and the difficulty it faces in identifying the culprits – the company has said only that an unauthorized third party is to blame and briefly mentioned cookies in an ongoing investigation into the creation of forged cookies and links to a state-sponsored actor in its Wednesday press release – mirrors the struggles organizations face to detect, attribute, prevent and eliminate attacks from what are often well-planned attacks with long-term goals from a patient adversary. “These attacks, by nature, do not occur over one night,” said Vaystikh. “They have high dwell time, lasting weeks, months and maybe even years before they are noticed.”
Without “any clear technical details, it’s difficult to make any conclusions on who or what was at the origins of the breach,” lia Kolochenko, CEO of High-Tech Bridge, told SC Media.
But cybersecurity pros were quick to hazard a guess at what those unidentified hackers might be after. The Yahoo breach also illuminates a growing trend that finds hackers “breaching user accounts, not necessarily to infiltrate corporate networks and applications, but to grab highly sensitive data hiding in email and other unstructured file stores,” Kevin Cunningham, president and co-founder of SailPoint, told SC Media.
Yahoo email accounts are likely chock full of sensitive files, such as tax or financial documents and healthcare information. “And that’s what hackers are after today: sensitive data that is ripe for the taking,” Cunningham said.
Protecting unstructured data, which by some estimations, Cunningham said, could comprise 80 percent of enterprise data. will continue to be “an incredibly big challenge” for those organizations that don’t have “proper” visibility into that stored data. “Not only do companies struggle to understand what data even lives in these unstructured data stores, but because hackers often steal copies, it’s sometimes impossible to know what data was even taken,” he said. “And, even if you identify and stop an attack, the data is still in the hands of the bad guys.”
The latest attack on the heels of the breach revealed in September “raises serious questions” about Yahoo’s security, JLT’s Stephens said. “It is fairly extraordinary that a delay of several years could have occurred before the scale of the attack was uncovered,” she said. “A sophisticated and well-established tech behemoth such as Yahoo is likely to have best-in-class intrusion detection and escalation capabilities.”
If attackers used the company’s code to forge cookies, the implications could be long-lasting and further highlight poor security on Yahoo’s part. “If the code had embedded secrets that allowed this forging of cookies, then that is a code implementation error embedding keys in the code,” Chris Wysopal, CTO of Veracode, informed SC Media. “If there were no secrets then it would likely be a design flaw if access to the code alone could allow forging cookies.”
It is a matter of best practice that important secrets instead “should be stored in an HSM (Hardware Security Module), not in the code or even a configuration file that an attack may be able to get access to,” Wysopal said. “Then there is the access to the propriety code itself. Companies typically consider this the crown jewels and guard it well. How did that access happen?”
He compared getting the information to forge cookies as “essentially a backdoor into user accounts that you can use undetected (or hard to detect) into the future. This is why you don’t embed secrets in code, something we look for and have stats about. It’s a backdoor once it is discovered.”
But all the blame doesn’t lay at Yahoo’s feet. The latest breach is indicative of poor or outdated security strategies and an indictment of established practices by cloud storage SaaS companies. Further, it raises the question as to how data is used. “The increasing occurrences of these hacks is evolving the conversation around SaaS security from ‘if’ to ‘when,’” Joshua Eddy, an expert in product marketing for data storage software and hardware at CTERA, told SC Media. “What we do know is that all of the major cloud storage SaaS companies share some aspect of the data management and security management with their customers.”
Not one of those companies “can claim to allow their customers to enjoy exclusive ownership of their data, their metadata, their encryption keys and their access credentials,” he said. “For a certain class of security-conscious enterprises, this is fundamentally unacceptable.”
Yahoo’s billion-user breach calls the company’s security practices into question.
Impact on impending business
Most certainly, the second breach stands to foul Verizon’s proposed acquisition of Yahoo, which already appeared in jeopardy after the September breach was announced.
“I am pretty sure that this news has the potential to negatively impact the deal with Verizon,” said Kolochenko. “Such disclosure, taking into consideration the unclear and even suspicious disclosure timeline – just before the buyout – may provide a valid reason for Yahoo’s shareholders to sue Yahoo’s top management if the deal fails or brings less money than expected.”
Adam Rosen, vice president of data access governance solutions at STEALTHbits Technologies, said the deal, which was expected to close in the first quarter 2017, will “at the very least” be renegotiated “for a lower price” and Yahoo will likely face the scrutiny of regulators, particularly the SEC, “if it starts to look like Yahoo’s executives withheld material information, or information that a ‘reasonable investor’ would consider important.”
The FBI is investigating the breach, White House spokesman Josh Earnest said at a press briefing, and Sen. Mark Warner (D-Va.), a member of the Senate Intelligence Committee, said he’d be reviewing how Yahoo has handled security.
Attorney Mark Grossman suggested that it might be time for Verizon to walk away from the deal. “Sometimes closing the deal and best business practices aren’t the same thing,” Grossman told SC Media.
Whether the deal falls through or is simply renegotiated, it marks a turning point for cybersecurity as an important aspect of M&A. “It is rather interesting to see the issue of cybersecurity risks being used as leverage in an acquisition, even if it is only speculation,” Mike Ahmadi, global director of critical systems security at Synopsys Software Integrity Group. “It seems like the market is ripe for a third-party evaluation and certification as a way to demonstrate some level of due diligence.”
To thwart future attacks and their effects, Yahoo and other organizations must tighten security and improve their resilience. “As before, it’s likely that at this point Yahoo is already past the assessment stage, having determined the initial damage and the value of the assets that were affected.
“But what is the next step?” asked Casey Ellis, CEO and founder of Bugcrowd. “They are likely trying to determine how to prevent this from happening yet again. This is yet more proof that security is a moving target, which is why continuous testing should be fundamental for any organization – especially those that handle sensitive data.”
And, it demonstrates that “attackers are still ahead of enterprises, even the larger companies when it comes to covering their tracks,” Amichai Shulman, CTO of Imperva, told SC Media.
Ellis suggested that organizations move away from focusing on identifying perpetrators and rather, “especially given understaffed security teams,” train their resources on “not the who, but the what.”
“Just as you can’t control which burglar shows up at your door, you can’t control which threat actor attacks you,” Ellis told SC Media. “However, you can control where you are vulnerable, locking your door and closing the vulnerabilities in your systems.”
By taking that approach, Yahoo will have “another opportunity” to move beyond simply proving it’s secure to assuring users and others that it’s resilient, he said.
Those companies with greater visibility into their networks better position themselves “to address the concerns of consumers, business partners and shareholders” after an attack, RedSeal CEO and Chairman Ray Rothrock told SC Media. “Digital resilience – the ability to battle the bad guys when they are inside your network, continue your operations staying in business and protect high value assets like customer data – is the new gold standard,” said Rothrock, adding that “digital resilience scores – similar to credit worthiness scores – [could] provide a benchmark and support a cyberstrategy for improvement.”
Yahoo’s breach woes have left its customers in the crosshairs. Already, the database of one billion users reportedly has been sold on the Dark Web for $300,000. Andrew Komarov, CIO at InfoArmor, was quoted by the New York Times as saying control of the database was sold to three buyers, including one engaged in espionage and two others considered “prominent spammers.”
The mix of user information stolen in the 2013 breach is lucrative because it can be combined to sell as valuable datasets to cybercriminals. “Using these real identities, and sometimes fake identities with valid credentials, hackers will take over accounts, apply for loans and much more,” Robert Capps, vice president of business development for NuData Security, told SC Media. “Therefore, we’re not surprised to see the database sold – that’s the point, and that is why every hack has a snowball effect that far outlasts the initial hack.”
While the “obvious first attack vector” would be using the credentials stolen to access Yahoo accounts via spam or phishing campaigns, “the more serious attack vector is against those who re-use the same passwords across multiple sites,” Travis Smith, senior security research engineer at Tripwire, told SC Media. “Password stuffing attacks will use these stolen Yahoo credentials on more valuable websites such as your bank.”
Calling password reuse a long-standing problem, Richard Henderson, Global Security Strategist at Absolute, told SC Media that organizations, not just individuals, should “thoroughly review how they are storing passwords themselves – if they’re not storing hashes appended with a long enough random salt (and it needs to be a unique salt per user) – then they need to get on top of that right away.”
Of course, users can protect themselves with a little basic hygiene. “If they haven’t done so already after September’s disclosure, all Yahoo customers should consider changing their passwords, including accounts on all other services on which they registered using their Yahoo email. Migration to a more reliable email provider, such as Gmail, also makes sense,” said Kolochenko. Others recommend the use of two-factor authentication. And Grossman advised users to do what he’s done ever since Sarah Palin’s email was hacked in 2008: Lie when answering security questions.