More Questions About The Yahoo Breach

As Yahoo continues to investigate the biggest data breach in history, pressure is mounting on the company to admit when it knew about the attack, whether there was a delay in reporting it, and also about how it implements cryptography to secure data it’s responsible for.

Security company Venafi said it examined data from its internal certificate reputation service related to the security of Yahoo’s cryptographic keys and digital certificates. The results were a mixed bag of outdated hashing algorithms and self-signed certificates permeating Yahoo’s production environment.

Yahoo recently disclosed it was breached in 2014 and that a half-billion customer records were stolen by what the company believes was a state-sponsored actor. The attackers made off with users’ names, email addresses, phone numbers, dates of birth, recovery emails, and security questions and answers. Hashed passwords were also stolen, adding more urgency to the attack in a year in which massive password dumps have been the norm and password reuse is under greater scrutiny than ever.

A source familiar with the ongoing law enforcement and internal investigation said the majority of the stolen passwords were hashed with bcrypt, as Yahoo said, but a small percentage were secured with the outdated MD5 hash, long ago deprecated and considered unsafe.

Yahoo has forced a password reset for affected users and is recommending anyone who hasn’t changed their Yahoo passwords since 2014 to do so immediately. It’s unknown how deep the attackers’ penetration was; some experts likened the attack to the Aurora attacks against Google and other large enterprises and technology companies in 2009 and 2010. The Aurora attacks have been attributed to a Chinese APT group and the objective of the attack was to steal and modify source code from targeted organizations.

In the meantime, reports surfaced that a number of class-action lawsuits have already been filed by Yahoo users alleging that Yahoo was negligent in protecting users’ account information. 

The Financial Times also reported that Yahoo CEO Marissa Mayer (pictured) knew in July that Yahoo was investigating a potentially serious breach, well before reports arrived that 200 million Yahoo accounts were for sale on a dark web site called The Real Deal. Mayer, however, did not immediately disclose the investigation to Verizon, which is the midst of a $4.8 billion acquisition of Yahoo’s core business, nor did she disclose to the SEC in Yahoo’s latest quarterly finding. Verizon was not informed about the breach until very recently, the FT said, 10 days after the SEC filing in which Mayer and Yahoo said it had no knowledge of any security breaches or intrusions of its systems. 

The Venafi analysis, meanwhile, does not paint a favorable picture of Yahoo’s encryption processes and policies. Yahoo would not comment on the research.

Some systemic issues include the use of MD5 certificates, many of which are self-signed. Venafi said it found that one MD5 certificate is a wildcard cert with a five-year expiration date (most certificates expire within 12 to 18 months after issuance). Venafi said 27 percent of the certs on external Yahoo sites have been in place since January 2015 and only 2.5 percent in deployment have been issued within the last 90 days.

Also, almost half (41 percent) of the external Yahoo certs Venafi looked at use SHA-1 as a hashing algorithm; SHA-1, like MD5, is being phased out and has been deprecated by all the major browsers.

Venafi, meanwhile, has to gain from this research being a company that develops technology to secure crypto keys and digital certificates; it concedes it has no knowledge of the Yahoo breach.

The apparent weaknesses could be a sign of an overall lack of visibility and centralized management of Yahoo’s crypto processes and policies, Venafi said, adding that it’s likely Yahoo is unable in its vast infrastructure to quickly find and replace certificates, for example.

Theoretically, a well-resourced opponent could take advantage of one of these loopholes to stand up their own self-signed Yahoo cert, encrypt and move stolen data off the network, or pose as a Yahoo property and intercept traffic.

“Theoretically yes, you could stand up a self-signed cert or a wildcard self-issued cert; both of those are within reach of a persistent, willing attacker with resources,” said Hari Nair, cryptographic researcher with Venafi. “They could use it to establish a connection to the organization, and if there is a lack of visibility with respect to other certificates, they would get away with it.”

Nair said that key and certificate oversight aren’t the only means of detecting exfiltration of data, but an organization can use it as an indicator of compromise if it spots a certificate that has not been issued by a Yahoo-approved Certificate Authority in this case.

Certificates generally serve two purposes, authenticating that a site is what it says it is, and facilitating the encryption of data. If an organisation lacks an oversight mechanism and policies stating what certs are acceptable, where they should be obtained and how long they’re valid, it’s impossible ensure an adequate trust relationship.

“A mature organisation has visibility into its cryptographic assets. That makes it easier to see when a certificate no longer matches and triggers an alert,” Nair said. “Within an organisation, unless any of my certs are issued by an approved issuer, proceed with caution. If there’s not mechanism or trust policy, it’s hard to say what you can trust and not trust.”

Yahoo Hacked by Criminals

However, another view is that Yahoo! Inc.’s accounts were hacked in 2014 by cybercriminals, rather than a state-sponsored party as the web portal claimed, according to an official with InfoArmor, a security company.

Hackers-for-hire using pseudonyms who are well known in the underground community broke into Yahoo’s data, said Andrew Komarov, chief intelligence officer with InfoArmor. Yahoo said last week the attacker was a “state-sponsored actor,” and the stolen information from at least 500 million users may have included names, e-mail addresses, phone numbers, and, in some cases, un-encrypted security questions and answers.

“Yahoo was compromised in 2014 by a group of professional blackhats who were hired to compromise customer databases from a variety of different targeted organizations,” Scottsdale, Arizona-based InfoArmor said recently in a report. “The Yahoo data leak as well as the other notable exposures, opens the door to significant opportunities for cyber-espionage and targeted attacks to occur.”
Yahoo declined to comment on the InfoArmor report.

Threatpost:     Information-Management:


 


 

« Twitter On The Block: Offers Over $13B
What To Know About Space Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Landry & Associates

Landry & Associates

Landry & Associates is a multidisciplinary firm specializing in risk management, performance and technology management.

EfficientIP

EfficientIP

EfficientIP helps organizations drive business efficiency through agile, secure and reliable network infrastructures.

Cyber Security Specialists

Cyber Security Specialists

Cyber Security Specialists Limited provide Security services across a wide range of markets, from multi-national Corporate Organisations and Government Agencies, through to smaller Businesses.

Redshift Consulting

Redshift Consulting

Redshift is an information management and information security consulting company offering a full range of services from infrastructure design to security assessments and network monitoring.

Altaro Software

Altaro Software

Altaro provide backup solutions that are intuitive, easy to use, well-priced and backed by outstanding 24/7 support as part of the package.

oneM2M

oneM2M

oneM2M is a global organization creating a scalable and interoperable standard for communications of devices and services used in M2M applications and the Internet of Things.

Sixgill

Sixgill

Sixgill, an IoT sensor platform company, builds the universal data service and smart process automation software allowing any organization to effectively govern its IoE assets.

Corellium

Corellium

Corellium are dedicated to supporting our peers in the ARM community who seek to build more secure, performant, and accessible software and devices.

ProLion

ProLion

ProLion provides Data Integrity solutions that ensure organisations’ data remains secure, compliant, manageable and accessible.

Open Quantum Safe (OQS)

Open Quantum Safe (OQS)

The Open Quantum Safe (OQS) project is an open-source project that aims to support the development and prototyping of quantum-resistant cryptography.

Seccuri

Seccuri

Seccuri is a unique global cybersecurity talent tech platform. Use our specialized AI algorithm to grow and improve the cybersecurity workforce.

ORS Consulting

ORS Consulting

ORS Consulting is a specialist provider of risk management advisory services supporting asset-intensive industries such as chemicals, energy, power and utilities, defence and maritime.

Alpha Omega Integration

Alpha Omega Integration

Alpha Omega creates new possibilities through intelligent end-to-end mission-focused government IT solutions.

Cisilion

Cisilion

Cisilion's mission is simple – to transform and connect business with next-generation IT infrastructure. Our expertise includes enterprise networking, security, data centre & cloud, managed services.

PeoplActive

PeoplActive

PeoplActive is an IT consulting and recruitment services organization with leading capabilities in digital, cloud and security.

Muscope Cybersecurity

Muscope Cybersecurity

Muscope CYSR platform performs a risk assessment and offers a comprehensive overview of the potential cyber attack risks.