Password breach could have ripple effects beyond Yahoo

Daily Freeman (Kingston, NY), Nation + World, by Raphael Satter

As investors and investigators weigh the damage of Yahoo's massive breach to the internet icon, information security experts worry that the record-breaking haul of password data could be used to open locks up and down the web.

While it's unknown to what extent the stolen data has been or will be circulating, or how easy it would be to use if it were, giant breaches can send ripples of insecurity across the internet.

"Data breaches on the scale of Yahoo are the security equivalent of ecological disasters," said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter.

A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous.

Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time, according to Shuman Ghosemajumder, the chief technology officer of Mountain View, California-based Shape Security. That means cybercriminals wielding 500 million passwords could conceivably hijack tens of thousands of other accounts.
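The "ring of keys tried in every door" pattern described above leaves a recognizable trace in a site's login logs: one source address cycling through many distinct usernames with a success rate in the low single digits, the opposite of a real user mistyping one password a few times. The following detector is an added example, not code from the article or from Shape Security. The log line format (`<timestamp> ip=<addr> user=<name> result=<ok|fail>`), the thresholds and the sample log lines are all constructed for illustration.

```python
"""Credential-stuffing detector over constructed web-login log lines.

Assumed log format (not from the article):
    <timestamp> ip=<addr> user=<name> result=<ok|fail>

Heuristic: a source IP that, within the window examined, tries many
distinct usernames and almost always fails looks like a leaked list
being replayed; the few successes are the accounts to force-reset.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one legitimate user who mistypes twice, and one
# source that walks 25 different usernames from a leaked list and hits once.
SAMPLE_LOG = [
    "2016-09-22T10:00:01Z ip=198.51.100.4 user=alice result=fail",
    "2016-09-22T10:00:09Z ip=198.51.100.4 user=alice result=fail",
    "2016-09-22T10:00:15Z ip=198.51.100.4 user=alice result=ok",
] + [
    f"2016-09-22T10:01:{i:02d}Z ip=203.0.113.7 user=user{i:03d} "
    f"result={'ok' if i == 13 else 'fail'}"
    for i in range(25)
]


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    compromised: list = field(default_factory=list)  # usernames that logged in


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Fold log lines into per-source-IP statistics."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "ok":
            s.successes += 1
            s.compromised.append(rec["user"])
    return stats


def flag_stuffing(stats, min_attempts=10, min_distinct_users=8, max_success_rate=0.05):
    """Return {ip: summary} for sources whose pattern matches credential stuffing.

    Thresholds are assumed values for illustration; a site would tune them
    against its own baseline. The success-rate ceiling is generous next to the
    0.1-2 percent the article cites so that small samples still trigger.
    """
    flagged = {}
    for ip, s in stats.items():
        rate = s.successes / s.attempts
        if (s.attempts >= min_attempts
                and len(s.users) >= min_distinct_users
                and rate <= max_success_rate):
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "success_rate": rate,
                "compromised": sorted(s.compromised),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing(aggregate(SAMPLE_LOG)).items():
        print(ip, info)
```

The legitimate source (three attempts, one username) never clears the distinct-username bar, while the stuffing source is flagged with its single successful login listed as the account to reset; in practice the same per-source counters feed rate limiting or a step-up challenge rather than just a report.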

"It becomes a numbers game for them," Ghosemajumder said in a telephone interview.

So will the big Yahoo breach mean an explosion of smaller breaches elsewhere, like the aftershocks that follow a big quake?

That seems unlikely given that Yahoo says the "vast majority" of its passwords were stored not in plaintext but as password hashes believed to be difficult to reverse (Yahoo's own disclosure named bcrypt, a deliberately slow, salted hashing scheme). On the other hand, Yahoo said the theft occurred in late 2014, meaning that hackers have had as many as two years to try to recover passwords from the data.
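Whether two years of guessing yields usable passwords depends almost entirely on how the hashes were produced. The script below is an added example, not code from the article: it builds a constructed dump, then runs the same small wordlist against it two ways. The article does not name the schemes involved, so an unsalted fast hash (MD5) stands in for a weak scheme and salted PBKDF2-HMAC-SHA256 from Python's standard library stands in for a slow, salted scheme of the bcrypt kind; the users, passwords, wordlist and iteration count are all assumed.

```python
"""Offline guessing against a leaked password dump: unsalted fast hash vs
salted iterated KDF. Added example; schemes, users and wordlist are assumed,
not taken from the article.
"""
import hashlib
import os
import time

ITERATIONS = 100_000  # assumed work factor for the slow scheme

# Constructed sample dump. Two of the three passwords appear in the wordlist.
SAMPLE_USERS = [("alice", "password1"), ("bob", "Tr0ub4dor&3"), ("carol", "letmein")]
WORDLIST = ["123456", "password1", "letmein", "qwerty", "sunshine"]


def md5_hex(password):
    """Unsalted fast hash: same password always gives the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hex(password, salt):
    """Salted, iterated hash: digest depends on a per-user salt and is slow by design."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def make_dump(users):
    """Store each constructed user both ways, as an attacker might find them."""
    dump = []
    for user, pw in users:
        salt = os.urandom(16)
        dump.append({"user": user, "md5": md5_hex(pw),
                     "salt": salt, "pbkdf2": pbkdf2_hex(pw, salt)})
    return dump


def crack_unsalted(dump, wordlist):
    """Hash each guess once, then match it against every record by lookup.

    Returns (cracked, hash_ops, seconds). hash_ops grows with the wordlist
    only, not with the number of leaked accounts.
    """
    start = time.perf_counter()
    table = {md5_hex(g): g for g in wordlist}  # one hash per guess
    cracked = {r["user"]: table[r["md5"]] for r in dump if r["md5"] in table}
    return cracked, len(wordlist), time.perf_counter() - start


def crack_salted(dump, wordlist):
    """With per-user salts there is no shared table: every guess is re-derived
    for every record, and each derivation costs ITERATIONS rounds.

    Returns (cracked, hash_ops, seconds); stops at the first hit per record.
    """
    start = time.perf_counter()
    cracked, ops = {}, 0
    for r in dump:
        for g in wordlist:
            ops += 1
            if pbkdf2_hex(g, r["salt"]) == r["pbkdf2"]:
                cracked[r["user"]] = g
                break
    return cracked, ops, time.perf_counter() - start


if __name__ == "__main__":
    dump = make_dump(SAMPLE_USERS)
    for name, fn in (("unsalted md5", crack_unsalted), ("salted pbkdf2", crack_salted)):
        cracked, ops, secs = fn(dump, WORDLIST)
        print(f"{name:14s} cracked={cracked} hash_ops={ops} seconds={secs:.3f}")
```

Both runs recover the same two weak passwords, which is the credential-stuffing risk the article describes; the difference is cost. The unsalted run needs one hash per wordlist entry regardless of how many accounts leaked, so a table computed once serves a dump of 500 million, whereas the salted run needs one slow derivation per guess per account, which is what buys a breached site time to force resets.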

Ghosemajumder said he didn't see a surge in new breaches so much as a steady increase in attempts as cybercriminals replenish their stock of freshly hacked passwords.

The first hint that something was wrong at Yahoo came when Motherboard journalist Joseph Cox started receiving supposed samples of credentials hacked from the company in early July. Several weeks later, a cybercriminal using the handle "Peace" came forward with 5,000 samples, and the startling claim to be selling 200 million more.

On Aug. 1 Cox published a story on the sale, but the journalist said he never established with any certainty where Peace's credentials came from. He noted that Yahoo said most of its passwords were secured with one encryption protocol, while Peace's sample used a second. Either Peace drew his sample from a minority of Yahoo data or he was dealing with a different set of data altogether.

"With the information available at the moment, it's more likely to be the latter," Cox said in an email Tuesday.

The Associated Press has been unable to locate Peace. The darknet market where the seller has been active in the past has been inaccessible for days, purportedly due to cyberattacks.

At the moment it's not known who holds the passwords or whether a state-sponsored actor, which Yahoo has blamed for the breach, would ever have an interest in passing its data to people like Peace.
