Yahoo’s breach shows our data is vulnerable

The Denver Post - BUSINESS - By Bree Fowler

The revelation of Yahoo’s latest hack underscores what many Americans have known for years: All those e-mails, photos and other personal files stored online can easily be stolen, and there’s little anyone can do about it.

The only saving grace is that the attackers apparently did not exploit the information for fraud. But their true motives remain a mystery.

“Yahoo users could have had immaculate computer security and still been the victim here,” said Will Ackerly, chief technology officer at Virtru, a computer security firm he co-founded after working for eight years at the National Security Agency.

“Short of using encryption, there’s no way to keep your e-mail from being compromised in this kind of hack,” Ackerly said.

OWL Cybersecurity, the Denver technology firm that regularly scrapes the dark web for digital signs of malicious threats, saw the 200 million Yahoo credentials for sale “on and off for several months” before Wednesday’s admission by Yahoo, said Mark Turnage, OWL’s CEO.

“At this point, the seller we have seen is offering 200 million records for a cost of approximately $462.30, payable in Bitcoin (.595 BTC),” Turnage said Thursday in an e-mail. “This again clearly shows why it’s important to monitor the darknet for the presence of your data, as it often precedes even the awareness of a breach.”

The dark web, also called the “darknet,” consists of websites that aren’t visible to typical internet users. Darknet activity tends to be surreptitious, though not always. It has also become a place for people to trade hacking tips and communicate with others in the digital underworld.

The mega breach disclosed Wednesday exposed more than a billion user accounts, the largest such attack in history. The company said the attack happened in August 2013, although Yahoo only discovered it recently.

Worse, the company’s announcement followed a similarly stunning announcement in September about a 2014 hack that Yahoo ascribed to an unnamed foreign government. That breach affected 500 million accounts.

Some experts believe the record-breaking amount of data stolen in the breach announced Wednesday also points to state-sponsored hackers in search of a specific target, which could be why three years later the data still hasn’t been spotted for sale on the web. And neither Yahoo breach has yet been linked to online fraud or any specific repercussions for Yahoo users.

But their disclosure closely follows U.S. intelligence concerns about Russian hacking of Democratic e-mails during the presidential campaign — not to mention recent attacks on a major health insurer, a medical lab-test company and the government office that manages millions of federal employees.

“The lesson is clear: No organization is immune to compromise,” said Jeff Hill, director of product management for cybersecurity consultant Prevalent.

And since most of us are dependent on big organizations that hold our digital lives in their hands, in a broad sense that means no one is safe.

Meanwhile, it’s clear that Yahoo didn’t do enough to protect its users. For example, the company acknowledges using MD5, a password-storage method considered by many experts to be inadequate and inferior to others available at the time of the hack.
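To make concrete why experts regard bare MD5 as an inadequate way to store passwords, here is an added illustration (not Yahoo’s code, and not from the article) written against the Python standard library. It contrasts an unsalted, fast MD5 record with a salted PBKDF2-HMAC-SHA256 record, and shows the usual upgrade-on-login pattern a site can use to retire legacy hashes. The sample password, the record format and the helper names are constructed for the example; the iteration count follows OWASP’s published guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample password for the demonstration; not a real credential.
SAMPLE_PASSWORD = "correct horse battery staple"

# OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def md5_store(password: str) -> str:
    """Legacy scheme: a single, unsalted, fast MD5 digest of the password.

    Every account sharing a password gets the same stored value, so one
    precomputed table serves all of them, and the digest is cheap enough
    that guesses can be tested at enormous rates offline.
    """
    # usedforsecurity=False only tells FIPS-restricted builds this is a demo.
    return hashlib.md5(password.encode("utf-8"), usedforsecurity=False).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Stronger scheme from the standard library: per-user random salt plus a
    deliberately slow key-derivation function.

    Record format (constructed for this example):
        pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>
    """
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def same_password_collides(store: Callable[[str], str]) -> bool:
    """True if two accounts that share a password end up with identical records.

    This is the property that makes unsalted MD5 dangerous at scale.
    """
    return store(SAMPLE_PASSWORD) == store(SAMPLE_PASSWORD)


def upgrade_on_login(password: str, legacy_md5: str) -> Optional[str]:
    """Migration pattern: when a user authenticates against a legacy MD5 record,
    re-hash the just-verified password with PBKDF2 and return the new record
    to be written back. Returns None if the password does not match.
    """
    if not hmac.compare_digest(md5_store(password), legacy_md5):
        return None
    return pbkdf2_store(password)


if __name__ == "__main__":
    print("MD5 records collide for a shared password:",
          same_password_collides(md5_store))        # True
    print("PBKDF2 records collide for a shared password:",
          same_password_collides(pbkdf2_store))     # False
    record = pbkdf2_store(SAMPLE_PASSWORD)
    print("verify correct password:", pbkdf2_verify(SAMPLE_PASSWORD, record))
    print("verify wrong password:", pbkdf2_verify("wrong password", record))
    print("upgraded record:", upgrade_on_login(SAMPLE_PASSWORD,
                                               md5_store(SAMPLE_PASSWORD)))
```

Running the script shows the two properties that matter for a breach like this one: the MD5 scheme produces the same record for every account with the same password, while the salted PBKDF2 scheme produces distinct records and costs hundreds of thousands of hash operations per guess. A site that still holds legacy records can use the upgrade-on-login path to replace them as users sign in, without ever needing the plaintext passwords in bulk.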

One of Yahoo’s priorities will now need to be keeping its users updated as its investigation progresses, said Jeremiah Grossman, chief of security strategy for SentinelOne.

“I think that would go a long way to assuring users and everybody that they’re doing the right things,” said Grossman, who worked in security at Yahoo from 1999 to 2001. “The best peace of mind in cybersecurity is transparency.”

There’s only so much a company such as Yahoo can do to protect its users without damaging its business model, which involves selling advertising based on data gleaned from its users, Grossman noted.

As a result, it can’t do things such as encrypt user data, which would make the information useless to hackers.

Other companies that don’t sell advertising, such as Apple, are able to encrypt. And some, such as Google, do so too but not in a way that would have protected against this type of hack. They also hold the keys to that encryption, giving them the access they need for advertising sales.

For Yahoo users, experts say, there’s little to do except for changing their passwords if they haven’t done so in the past three years.

Changing e-mail providers is a pain for most people. Experts say picking a tough password is a must, though they are divided on exactly how important it is to change it frequently. The same password should not be used for multiple sites, and the questions and answers needed to reset it should be unique as well.

Perfect security doesn’t exist, but no one wants to be an easy target.

Cybersecurity experts like to compare the hacker threat to running from a bear: You don’t have to be the fastest runner — just not the slowest.

The Yahoo breach should serve as a lesson to users that they can’t assume that companies — even large multinational tech companies — are doing security right, said John Shier, senior security adviser at Sophos.

“Hopefully this is the one that wakes everybody up, although I doubt it will be,” Shier said. “It’s frustrating to see this happen over and over again, when for many years we’ve known how to better protect systems.”
