Yahoo’s mega breach shows just how vulnerable data is

Kuwait Times - TECHNOLOGY


The revelation of Yahoo’s latest hack underscores what many Americans have known for years: All those emails, photos and other personal files stored online can easily be stolen, and there’s little anyone can do about it. The only saving grace is that the attackers apparently did not exploit the information for fraud. But their true motives remain a mystery. While there are a number of straightforward measures all users should take to protect themselves, relatively few people actually do. And in this case, doing so wouldn’t really have mattered. Even the most scrupulous individual countermeasures could only limit the damage.

“Yahoo users could have had immaculate computer security and still been the victim here,” said Will Ackerly, chief technology officer at Virtru, a computer security firm he cofounded after working for eight years at the National Security Agency.

“Short of using encryption, there’s no way to keep your email from being compromised in this kind of hack.”

The mega breach disclosed Wednesday exposed more than a billion user accounts, the largest such attack in history. The company said the attack happened in August 2013, although Yahoo only discovered it recently. Worse, the company’s announcement followed a similar announcement in September about a 2014 hack that Yahoo ascribed to an unnamed foreign government. That breach affected 500 million accounts.

Some experts believe the record-breaking amount of data stolen in the breach announced Wednesday also points to state-sponsored hackers in search of a specific target, which could be why three years later the data still hasn’t been spotted for sale on the web. And neither Yahoo breach has yet been linked to online fraud or any specific repercussions for Yahoo users.

But their disclosure closely follows U.S. intelligence concerns about Russian hacking of Democratic emails during the presidential campaign - not to mention recent attacks on a major health insurer, a medical lab-test company and the government office that manages millions of federal employees.

“The lesson is clear: No organization is immune to compromise,” said Jeff Hill, director of product management for cybersecurity consultant Prevalent. And since most of us are dependent on big organizations that hold our digital lives in their hands, in a broad sense that means no one is safe.

The hacks represent yet another stumble for the struggling Sunnyvale, California, company as it tries to reinvent itself. The breaches occurred during the reign of Yahoo CEO Marissa Mayer, a once-lauded leader who has been unable to turn around the company in the four years since she arrived.

Earlier this year, Yahoo agreed to sell its digital operations to Verizon Communications for $4.8 billion - a deal that may now be jeopardized by the hacking revelations.

Meanwhile, it’s clear that Yahoo didn’t do enough to protect its users. For example, the company acknowledges that the stolen passwords were hashed with MD5, a fast general-purpose hash function that many experts consider inadequate for password storage: whoever holds the stolen hashes can test billions of guesses per second on commodity hardware, and slower, purpose-built alternatives such as bcrypt were already available at the time of the hack.
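The point about MD5, as an added example that is not part of the AP article or of Yahoo’s own code: the script below stores three made-up accounts two ways, as unsalted MD5 in the form a breach dump takes and as salted PBKDF2-HMAC-SHA256 from Python’s standard library, then runs the same five-word dictionary against both and counts the work the attacker has to do. The usernames, passwords, wordlist and the 200,000 iteration count are assumptions chosen for the demo (OWASP recommends 600,000 for PBKDF2-HMAC-SHA256 in production); bcrypt, which the text mentions, needs a third-party package, so PBKDF2 stands in for it here.

```python
"""Added example: why unsalted MD5 is a poor way to store passwords, beside a
salted, deliberately slow alternative (PBKDF2-HMAC-SHA256 from the standard
library). Accounts, passwords and the wordlist are constructed for this demo."""
import hashlib
import hmac
import os
import time

# Constructed "leaked" table of unsalted MD5 hashes, in the form a breach dump
# might take. The accounts and passwords are made up for this example.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"letmein").hexdigest(),
    "bob": hashlib.md5(b"password1").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Constructed stand-in for a real cracking dictionary.
WORDLIST = [b"123456", b"password", b"letmein", b"password1", b"qwerty"]

# Assumed for the demo: kept below the OWASP-recommended 600,000 iterations
# for PBKDF2-HMAC-SHA256 so the script finishes in seconds; raise it in production.
ITERATIONS = 200_000


def crack_unsalted_md5(leaked, wordlist):
    """Hash every candidate once and look it up against all accounts.

    With no salt, one MD5 of "letmein" matches every user who chose it, so the
    attacker's cost is len(wordlist) hashes no matter how many accounts leaked.
    Returns (cracked accounts, number of hash computations).
    """
    table = {hashlib.md5(word).hexdigest(): word for word in wordlist}
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, len(wordlist)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$derived-key."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), key.hex())


def verify_password(password, record):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex),
                              int(iterations))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


# The same three accounts stored the better way: each gets its own random salt.
SALTED_STORE = {
    "alice": hash_password(b"letmein"),
    "bob": hash_password(b"password1"),
    "carol": hash_password(b"correct horse battery staple"),
}


def crack_salted(store, wordlist):
    """Per-account salts defeat the shared lookup table: every guess must be
    re-derived for every account at full cost. Returns (cracked, derivations)."""
    cracked, derivations = {}, 0
    for user, record in store.items():
        for word in wordlist:
            derivations += 1
            if verify_password(word, record):
                cracked[user] = word
                break
    return cracked, derivations


def guesses_per_second(hash_fn, seconds=0.5):
    """Rough single-core guess rate for a hash function (illustrative timing only)."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(b"guess%d" % count)
        count += 1
    return count / seconds


if __name__ == "__main__":
    print("MD5 dump:     ", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    print("PBKDF2 store: ", crack_salted(SALTED_STORE, WORDLIST))
    print("MD5 guesses/s:    %.0f" % guesses_per_second(lambda p: hashlib.md5(p).digest()))
    print("PBKDF2 guesses/s: %.1f" % guesses_per_second(
        lambda p: hashlib.pbkdf2_hmac("sha256", p, b"demo-salt", ITERATIONS), seconds=2))
```

Against the MD5 dump the attacker computes five hashes and recovers two of the three accounts at once; against the salted store the same dictionary costs twelve full derivations, each hundreds of thousands of HMAC rounds, and the cost grows with every additional account. The timing lines at the end show the gap in raw guess rate on one core; a GPU widens it by orders of magnitude for MD5 but not for a deliberately slow KDF.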

One of Yahoo’s priorities will now need to be keeping its users updated as its investigation progresses, said Jeremiah Grossman, chief of security strategy for SentinelOne.

“I think that would go a long way to assuring users and everybody that they’re doing the right things,” said Grossman, who worked in security at Yahoo from 1999 to 2001. “The best peace of mind in cybersecurity is transparency.”

Changing Passwords

There’s only so much a company like Yahoo can do to protect its users without damaging its business model, which involves selling advertising based on data gleaned from its users, Grossman noted.

As a result, it can’t do things like encrypt user data with keys the company itself does not hold, which would make the information useless to hackers who break into its servers. Other companies that don’t sell advertising, such as Apple, are able to encrypt that way. Some, such as Google, encrypt too, but not in a way that would have protected against this type of hack: they hold the keys to that encryption, which gives them the access they need for advertising sales.

“If you take a step back, the 1 billion people aren’t Yahoo’s customers, they’re its product,” Grossman said. — AP
