More Questions About The Yahoo Breach

Uploaded on 2016-09-30 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

As Yahoo continues to investigate the biggest data breach in history, pressure is mounting on the company to admit when it knew about the attack, whether there was a delay in reporting it, and also about how it implements cryptography to secure data it’s responsible for.

Security company Venafi said it examined data from its internal certificate reputation service related to the security of Yahoo’s cryptographic keys and digital certificates. The results were a mixed bag of outdated hashing algorithms and self-signed certificates permeating Yahoo’s production environment.

Yahoo recently disclosed it was breached in 2014 and that a half-billion customer records were stolen by what the company believes was a state-sponsored actor. The attackers made off with users’ names, email addresses, phone numbers, dates of birth, recovery emails, and security questions and answers. Hashed passwords were also stolen, adding more urgency to the attack in a year in which massive password dumps have been the norm and password reuse is under greater scrutiny than ever.

A source familiar with the ongoing law enforcement and internal investigation said the majority of the stolen passwords were hashed with bcrypt, as Yahoo said, but a small percentage were secured with the outdated MD5 hash, long ago deprecated and considered unsafe.

Yahoo has forced a password reset for affected users and is recommending anyone who hasn’t changed their Yahoo passwords since 2014 to do so immediately. It’s unknown how deep the attackers’ penetration was; some experts likened the attack to the Aurora attacks against Google and other large enterprises and technology companies in 2009 and 2010. The Aurora attacks have been attributed to a Chinese APT group and the objective of the attack was to steal and modify source code from targeted organizations.

In the meantime, reports surfaced that a number of class-action lawsuits have already been filed by Yahoo users alleging that Yahoo was negligent in protecting users’ account information. 

The Financial Times also reported that Yahoo CEO Marissa Mayer (pictured) knew in July that Yahoo was investigating a potentially serious breach, well before reports arrived that 200 million Yahoo accounts were for sale on a dark web site called The Real Deal. Mayer, however, did not immediately disclose the investigation to Verizon, which is the midst of a $4.8 billion acquisition of Yahoo’s core business, nor did she disclose to the SEC in Yahoo’s latest quarterly finding. Verizon was not informed about the breach until very recently, the FT said, 10 days after the SEC filing in which Mayer and Yahoo said it had no knowledge of any security breaches or intrusions of its systems. 

The Venafi analysis, meanwhile, does not paint a favorable picture of Yahoo’s encryption processes and policies. Yahoo would not comment on the research.

Some systemic issues include the use of MD5 certificates, many of which are self-signed. Venafi said it found that one MD5 certificate is a wildcard cert with a five-year expiration date (most certificates expire within 12 to 18 months after issuance). Venafi said 27 percent of the certs on external Yahoo sites have been in place since January 2015 and only 2.5 percent in deployment have been issued within the last 90 days.

Also, almost half (41 percent) of the external Yahoo certs Venafi looked at use SHA-1 as a hashing algorithm; SHA-1, like MD5, is being phased out and has been deprecated by all the major browsers.

Venafi, meanwhile, has to gain from this research being a company that develops technology to secure crypto keys and digital certificates; it concedes it has no knowledge of the Yahoo breach.

The apparent weaknesses could be a sign of an overall lack of visibility and centralized management of Yahoo’s crypto processes and policies, Venafi said, adding that it’s likely Yahoo is unable in its vast infrastructure to quickly find and replace certificates, for example.

Theoretically, a well-resourced opponent could take advantage of one of these loopholes to stand up their own self-signed Yahoo cert, encrypt and move stolen data off the network, or pose as a Yahoo property and intercept traffic.

“Theoretically yes, you could stand up a self-signed cert or a wildcard self-issued cert; both of those are within reach of a persistent, willing attacker with resources,” said Hari Nair, cryptographic researcher with Venafi. “They could use it to establish a connection to the organization, and if there is a lack of visibility with respect to other certificates, they would get away with it.”

Nair said that key and certificate oversight aren’t the only means of detecting exfiltration of data, but an organization can use it as an indicator of compromise if it spots a certificate that has not been issued by a Yahoo-approved Certificate Authority in this case.

Certificates generally serve two purposes, authenticating that a site is what it says it is, and facilitating the encryption of data. If an organisation lacks an oversight mechanism and policies stating what certs are acceptable, where they should be obtained and how long they’re valid, it’s impossible ensure an adequate trust relationship.

“A mature organisation has visibility into its cryptographic assets. That makes it easier to see when a certificate no longer matches and triggers an alert,” Nair said. “Within an organisation, unless any of my certs are issued by an approved issuer, proceed with caution. If there’s not mechanism or trust policy, it’s hard to say what you can trust and not trust.”

Yahoo Hacked by Criminals

However, another view is that Yahoo! Inc.’s accounts were hacked in 2014 by cybercriminals, rather than a state-sponsored party as the web portal claimed, according to an official with InfoArmor, a security company.

Hackers-for-hire using pseudonyms who are well known in the underground community broke into Yahoo’s data, said Andrew Komarov, chief intelligence officer with InfoArmor. Yahoo said last week the attacker was a “state-sponsored actor,” and the stolen information from at least 500 million users may have included names, e-mail addresses, phone numbers, and, in some cases, un-encrypted security questions and answers.

“Yahoo was compromised in 2014 by a group of professional blackhats who were hired to compromise customer databases from a variety of different targeted organizations,” Scottsdale, Arizona-based InfoArmor said recently in a report. “The Yahoo data leak as well as the other notable exposures, opens the door to significant opportunities for cyber-espionage and targeted attacks to occur.”
Yahoo declined to comment on the InfoArmor report.

Threatpost:     Information-Management:


 


 

« Twitter On The Block: Offers Over $13B
What To Know About Space Security »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Clearpath Solutions Group

Clearpath Solutions Group

Clearpath Solutions Group expertise covers virtualization and data storage technologies, networking, security and cloud computing.

Rogue Wave Software

Rogue Wave Software

At Rogue Wave, our mission is to simplify your hardest problems, improve software quality and security, and shorten the time it takes to deliver value.

Air Informatics

Air Informatics

Air Informatics LLC provides security, information management, analytics and informatics for IT and wirelessly enabled airplanes and operations.

Fugue

Fugue

Fugue ensures cloud infrastructure stays in continuous compliance with enterprise security policies.

Italtel

Italtel

Italtel is a multinational ICT company that combines networks and communications services with the ability to innovate and develop solutions for digital transformation.

RFA

RFA

RFA is an institutional-quality IT, financial cloud and cyber-security services provider to the financial service and investment management sector.

M12

M12

M12 (formerly Microsoft Ventures) is the corporate venture capital subsidiary of Microsoft.

Aigner Business Solutions

Aigner Business Solutions

Aigner Business Solutions GmbH is a specialist in IT-Security and Data Protection. Concise and focussed.

SAM Seamless Network

SAM Seamless Network

SAM Seamless Network is a cybersecurity technology platform that protects the connected home, by tackling cyber security threats at the source.

PNGCERT

PNGCERT

PNGCERT is the national Computer Emergency Response Team (CERT) for Papua New Guinea.

Xalient

Xalient

Xalient is an IT consulting and managed services business, specialising in modern, software-defined networking, security and communications technologies.

Vanta

Vanta

Vanta helps companies scale security practices and automate compliance for the industry’s most sought after standards - SOC 2, ISO 27001, HIPAA, GDPR, and other security and privacy frameworks.

Cyber Suraksa

Cyber Suraksa

We make security simple and hassle-free by offering a sustained and secure IT environment with next-gen cybersecurity solutions through a scalable security-as-a-service model.

Cyber Proud

Cyber Proud

Cyber proud is leading a talent revolution to promote and create an inclusive skilled cyber workforce.

Verosint

Verosint

Verosint (formerly 443ID) provides real-time account fraud prevention that reveals fraudsters hiding in user accounts and proactively blocks them before their attacks can cause harm.

CyberNINES

CyberNINES

CyberNINES is a business specializing in helping US Department of Defense contractors become compliant and attest to federal cybersecurity regulation requirements.