More Questions About The Yahoo Breach

As Yahoo continues to investigate the biggest data breach in history, pressure is mounting on the company to admit when it knew about the attack, whether there was a delay in reporting it, and also about how it implements cryptography to secure data it’s responsible for.

Security company Venafi said it examined data from its internal certificate reputation service related to the security of Yahoo’s cryptographic keys and digital certificates. The results were a mixed bag of outdated hashing algorithms and self-signed certificates permeating Yahoo’s production environment.

Yahoo recently disclosed it was breached in 2014 and that a half-billion customer records were stolen by what the company believes was a state-sponsored actor. The attackers made off with users’ names, email addresses, phone numbers, dates of birth, recovery emails, and security questions and answers. Hashed passwords were also stolen, adding more urgency to the attack in a year in which massive password dumps have been the norm and password reuse is under greater scrutiny than ever.

A source familiar with the ongoing law enforcement and internal investigation said the majority of the stolen passwords were hashed with bcrypt, as Yahoo said, but a small percentage were secured with the outdated MD5 hash, long ago deprecated and considered unsafe.

Yahoo has forced a password reset for affected users and is recommending anyone who hasn’t changed their Yahoo passwords since 2014 to do so immediately. It’s unknown how deep the attackers’ penetration was; some experts likened the attack to the Aurora attacks against Google and other large enterprises and technology companies in 2009 and 2010. The Aurora attacks have been attributed to a Chinese APT group and the objective of the attack was to steal and modify source code from targeted organizations.

In the meantime, reports surfaced that a number of class-action lawsuits have already been filed by Yahoo users alleging that Yahoo was negligent in protecting users’ account information. 

The Financial Times also reported that Yahoo CEO Marissa Mayer (pictured) knew in July that Yahoo was investigating a potentially serious breach, well before reports arrived that 200 million Yahoo accounts were for sale on a dark web site called The Real Deal. Mayer, however, did not immediately disclose the investigation to Verizon, which is the midst of a $4.8 billion acquisition of Yahoo’s core business, nor did she disclose to the SEC in Yahoo’s latest quarterly finding. Verizon was not informed about the breach until very recently, the FT said, 10 days after the SEC filing in which Mayer and Yahoo said it had no knowledge of any security breaches or intrusions of its systems. 

The Venafi analysis, meanwhile, does not paint a favorable picture of Yahoo’s encryption processes and policies. Yahoo would not comment on the research.

Some systemic issues include the use of MD5 certificates, many of which are self-signed. Venafi said it found that one MD5 certificate is a wildcard cert with a five-year expiration date (most certificates expire within 12 to 18 months after issuance). Venafi said 27 percent of the certs on external Yahoo sites have been in place since January 2015 and only 2.5 percent in deployment have been issued within the last 90 days.

Also, almost half (41 percent) of the external Yahoo certs Venafi looked at use SHA-1 as a hashing algorithm; SHA-1, like MD5, is being phased out and has been deprecated by all the major browsers.

Venafi, meanwhile, has to gain from this research being a company that develops technology to secure crypto keys and digital certificates; it concedes it has no knowledge of the Yahoo breach.

The apparent weaknesses could be a sign of an overall lack of visibility and centralized management of Yahoo’s crypto processes and policies, Venafi said, adding that it’s likely Yahoo is unable in its vast infrastructure to quickly find and replace certificates, for example.

Theoretically, a well-resourced opponent could take advantage of one of these loopholes to stand up their own self-signed Yahoo cert, encrypt and move stolen data off the network, or pose as a Yahoo property and intercept traffic.

“Theoretically yes, you could stand up a self-signed cert or a wildcard self-issued cert; both of those are within reach of a persistent, willing attacker with resources,” said Hari Nair, cryptographic researcher with Venafi. “They could use it to establish a connection to the organization, and if there is a lack of visibility with respect to other certificates, they would get away with it.”

Nair said that key and certificate oversight aren’t the only means of detecting exfiltration of data, but an organization can use it as an indicator of compromise if it spots a certificate that has not been issued by a Yahoo-approved Certificate Authority in this case.

Certificates generally serve two purposes, authenticating that a site is what it says it is, and facilitating the encryption of data. If an organisation lacks an oversight mechanism and policies stating what certs are acceptable, where they should be obtained and how long they’re valid, it’s impossible ensure an adequate trust relationship.

“A mature organisation has visibility into its cryptographic assets. That makes it easier to see when a certificate no longer matches and triggers an alert,” Nair said. “Within an organisation, unless any of my certs are issued by an approved issuer, proceed with caution. If there’s not mechanism or trust policy, it’s hard to say what you can trust and not trust.”

Yahoo Hacked by Criminals

However, another view is that Yahoo! Inc.’s accounts were hacked in 2014 by cybercriminals, rather than a state-sponsored party as the web portal claimed, according to an official with InfoArmor, a security company.

Hackers-for-hire using pseudonyms who are well known in the underground community broke into Yahoo’s data, said Andrew Komarov, chief intelligence officer with InfoArmor. Yahoo said last week the attacker was a “state-sponsored actor,” and the stolen information from at least 500 million users may have included names, e-mail addresses, phone numbers, and, in some cases, un-encrypted security questions and answers.

“Yahoo was compromised in 2014 by a group of professional blackhats who were hired to compromise customer databases from a variety of different targeted organizations,” Scottsdale, Arizona-based InfoArmor said recently in a report. “The Yahoo data leak as well as the other notable exposures, opens the door to significant opportunities for cyber-espionage and targeted attacks to occur.”
Yahoo declined to comment on the InfoArmor report.

Threatpost:     Information-Management:


 


 

« Twitter On The Block: Offers Over $13B
What To Know About Space Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

National Authority Against Electronic Attacks (NAAEA) - Greece

National Authority Against Electronic Attacks (NAAEA) - Greece

The National Authority Against Electronic Attacks (NAAEA) is the national computer emergency response team of Greece.

Luxembourg Institute of Science & Technology (LIST)

Luxembourg Institute of Science & Technology (LIST)

LIST is a mission-driven Research and Technology Organisation. Areas of research include IT and aspects of IT security.

MAY Cyber Technology

MAY Cyber Technology

MAY Cyber Technology is a Security Management solutions provider located in Turkey & Germany.

Truepic

Truepic

Truepic provides technologies that prevent fraud, identity theft, misinformation, and disinformation caused by generative, manipulated, or deepfake digital content.

Cyber Intelligence (CI)

Cyber Intelligence (CI)

Cyber Intelligence is an award winning 'MSC status' cyber security education and training company.

CUJO AI

CUJO AI

CUJO AI is the global leader in the development and application of artificial intelligence to improve the security, control and privacy of connected devices in homes and businesses.

Lexsynergy

Lexsynergy

Lexsynergy is a global domain name management and online brand protection company.

GroupSense

GroupSense

GroupSense helps governments and enterprises take control of digital risk with cyber reconnaissance, counterintelligence and monitoring for breached credentials.

Dcode

Dcode

Dcode connects the tech industry and government to drive commercial innovation in the federal market.

Citizen Lab - University of Toronto

Citizen Lab - University of Toronto

Citizen Lab focuses on research and development at the intersection of cyberspace, global security & human rights.

Mobilicom

Mobilicom

Mobilicom is an end-to-end provider of cybersecurity and smart solutions for drones, robotics & autonomous platforms.

Privasee

Privasee

Make GDPR compliance simple with Privasee. Our software makes it easy to protect your data and ensure you’re compliant with the new regulations.

CampusGuard

CampusGuard

CampusGuard focuses on the cybersecurity and compliance needs of campus-based organizations including higher education, healthcare, and state and local government.

Frontal

Frontal

Frontal is a specialized unit in Blockchain and Web3.0 cybersecurity. Securing Digital Assets, Cryptocurrency, DeFi, Blockchain and Web3.0 ecosystem.

ImagineX Consulting

ImagineX Consulting

ImagineX Consulting is a cybersecurity-focused boutique technology consultancy whose mission is to help our clients #BeBetter by reducing their corporate risk.

Resonance Security

Resonance Security

Resonance offers powerful cybersecurity aggregation software that makes protecting against full spectrum cybersecurity threats effortless no matter what your technical level, budget, or scope.