Yahoo problems story of too little, too late

Kuwait Times - FRONT PAGE

SAN FRANCISCO/BOSTON/WASHINGTON: In the summer of 2013, Yahoo Inc launched a project to better secure the passwords of its customers, abandoning the use of a discredited technology for encrypting data known as MD5.

It was too late. In August of that year, hackers got hold of more than a billion Yahoo accounts, stealing the poorly encrypted passwords and other information in the biggest data breach on record. Yahoo only recently uncovered the hack and disclosed it last week.

The timing of the attack might seem like bad luck, but the weakness of MD5 had been known by hackers and security experts for more than a decade. MD5 can be cracked more easily than other so-called “hashing” algorithms, which are mathematical functions that convert data into seemingly random character strings.

In 2008, five years before Yahoo took action, Carnegie Mellon University’s Software Engineering Institute issued a public warning to security professionals through a US government-funded vulnerability alert system: MD5 “should be considered cryptographically broken and unsuitable for further use.”

Yahoo’s failure to move away from MD5 in a timely fashion was an example of problems in Yahoo’s security operations as it grappled with business challenges, according to five former employees and some outside security experts. Stronger hashing technology would have made it more difficult for the hackers to get into customer accounts after breaching Yahoo’s network, making the attack far less damaging, they said.
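Added example, not code from the article or from Yahoo: the bare, unsalted MD5 password storage the story describes, beside a salted, memory-hard scheme (scrypt from Python's standard library), with a function that measures how much more CPU work each password check costs under the stronger scheme. That factor is what "stronger hashing technology" buys a defender once the database has been stolen. The sample password is constructed.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample password for the demonstration; not taken from any breach data.
SAMPLE_PASSWORD = "correct horse battery staple"

def md5_store(password: str) -> str:
    """Weak scheme the article describes: a bare, unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def md5_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(md5_store(password), stored)

def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: per-user random salt plus a memory-hard KDF (scrypt).
    The cost parameters are embedded so they can be raised later without
    invalidating existing records."""
    salt = salt if salt is not None else os.urandom(16)
    n, r, p = 2 ** 14, 8, 1
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"

def scrypt_verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False  # not a record in this format (e.g. a legacy MD5 hex string)
    _, n, r, p, salt_hex, digest_hex = parts
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def cost_ratio(password: str, scrypt_rounds: int = 10) -> float:
    """Defender's number: how many times more CPU work one scrypt check costs
    than one MD5 check. Every guess against a stolen database costs this much more."""
    md5_rounds = scrypt_rounds * 1000
    stored_md5, stored_scrypt = md5_store(password), scrypt_store(password)
    t0 = time.perf_counter()
    for _ in range(md5_rounds):
        md5_verify(password, stored_md5)
    md5_each = (time.perf_counter() - t0) / md5_rounds
    t0 = time.perf_counter()
    for _ in range(scrypt_rounds):
        scrypt_verify(password, stored_scrypt)
    return ((time.perf_counter() - t0) / scrypt_rounds) / md5_each
```

On ordinary hardware the ratio comes out several orders of magnitude in favour of the salted scrypt record, and the random salt also means two users with the same password no longer share a stored value.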

“MD5 was considered dead long before 2013,” said David Kennedy, chief executive of cyber firm TrustedSec LLC. “Most companies were using more secure hashing algorithms by then.” He did not name specific firms.

Yahoo, which has confirmed it was still using MD5 at the time of the attack, disputed the notion that the company had skimped on security.

“Over the course of our more than 20-year history, Yahoo has focused on and invested in security programs and talent to protect our users,” Yahoo said in a statement to Reuters. “We have invested more than $250 million in security initiatives across the company since 2012.”

Competing priorities

The former Yahoo security staffers, however, told Reuters the security team was at times turned down when it requested new tools and features such as strengthened cryptography protections, on the grounds that the requests would cost too much money, were too complicated, or were simply too low a priority. Partly, that reflected the internet pioneer’s long-running financial struggles: Yahoo’s revenues and profits have fallen steadily since their 2008 peak while Alphabet Inc’s Google, Facebook Inc and others have come to dominate the consumer internet business. “When business is good, it’s easy to do things like security,” said Jeremiah Grossman, who worked on Yahoo’s security team from 1999 to 2001. “When business is bad, you expect to see security get cut.”

To be sure, no system is completely hack-proof. Hackers have managed to break into passwords that were encrypted using more advanced technologies than MD5. Other Internet companies, such as LinkedIn and AOL, have also suffered security breaches, though none nearly as large as Yahoo’s. “This could happen to any large corporation,” said Tom Kellermann, a former World Bank security manager and security industry executive.

Kellermann, now CEO of investment firm Strategic Cyber Ventures, said he was not surprised that it had taken Yahoo several years to identify the massive attacks. “Hackers often have a capacity to burrow deeper than we thought into a system and remain for years,” he said. Reuters could not determine how many companies besides Yahoo were using MD5 in 2013. Google, Facebook and Microsoft Corp did not immediately respond to requests for comment.

According to another former security veteran at Yahoo, even when the company was growing quickly, security sometimes took a back seat as the company focused on system performance to keep up with the growth. Then, when growth stalled, senior security staff left for other companies and the chances of getting approval for expensive upgrades dropped further, the person said.

“Any changes to the user database took forever because they were understaffed, and it’s an ultra-critical system; everything depends on it,” said the former Yahoo employee. Yahoo declined to comment on details of its security practices, but said it routinely conducted drills to test and improve its cyber defenses and highlighted campaigns such as a “bug bounty” program in which it pays hackers to find security flaws and report them to the company. — Reuters
