Lessons for All of Us Via Yahoo
By Evelyn van Kelle.
Unless you’re 10 years old and have never created an online account anywhere, there’s a good chance that your data has been in the hands of hackers at some point.
Oh, especially if you’ve ever had a Yahoo account.
In case you missed the news, Yahoo recently said that account information from more than 500 million users was compromised in 2014 during a “state-sponsored attack.” Stolen data included user names, email addresses, telephone numbers, birthdates, encrypted passwords, and security questions and answers.
Given that we at SIG have looked at billions of lines of code over the past 15 years, this hack raised some questions among my colleagues and me. There’s no point in shaming Yahoo: they’re already reeling from the news, and Verizon may ask for a $1 billion discount on their $4.8 billion purchase agreement reached earlier this year.
The point is to emphasize that the Yahoo breach is no exception, and to talk about the best practices for data protection that companies should be following so they won’t be the next ones in the headlines.
Are you applying Security by Design?
Best practices for security have to start in the design and planning stages. “Security by Design,” when it’s done right, uses intelligent deployment of security hardware, storage, and software development practices to structurally reduce the probability and impact of breaches and other incidents. Basic preventative measures should include:
- A defense-in-depth strategy
- Robust intrusion detection
- Careful planning and tracking of security operations
- An architecture with multiple security defense layers, such that if one fails another can take over
- Separating the storage of personal information over multiple data stores — with appropriate encryption techniques
So where did this go wrong for Yahoo?
The attack took place in 2014, but was only discovered in 2016. It probably goes without saying, but that’s a LONG time to be in the dark about an attack. Yahoo needs to dig deep to figure out whether the attackers did a great job of hiding themselves . . . or, maybe, that Yahoo didn’t do enough to detect suspicious behavior on its networks.
Is your system maintainable?
Internet giants such as Yahoo face major security challenges because they provide so many entry points for attackers. Yahoo had an extra challenge because it had taken over so many other companies and their data; the result was a huge patchwork with many different rules, norms, and security methodologies.
When you’re dealing with so many legacy systems, you might largely have your security in order, yet still have an Achilles’ heel somewhere.
It’s always good to ask whether your systems are truly maintainable. As legacy systems become bigger and more complex, it can seem like there’s never a great moment to improve the simplicity and consistency of your IT environment. In fact, we see this neglected all the time, because it temporarily raises costs without delivering obvious extra functionality.
But when you take into account the possible long-term consequences, you have to admit it’s worth addressing, right?
Is your password secure?
We all know how important secure passwords are. Yet during our analyses we often see poor usage of encryption. For example, a very common problem is using the same salt for all passwords, which is a vulnerability in itself and makes you a pretty easy target for hackers. It’s also way too common to use a very small iteration number for bcrypt; it’s a shortcut taken for performance reasons that makes passwords vulnerable.
Shortcuts in security are never a good idea.
In the case of Yahoo, it was said that “the vast majority of passwords were hashed with bcrypt.” It’s not clear whether the minority of passwords had similar protections. Remember that Achilles’ heel I mentioned before? It might be that passwords not included in that “vast majority” filled that role for Yahoo.
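The two shortcuts named above, a single salt shared across all accounts and a work factor set too low, side by side with the sound version, as an added example that is not from the original post or from SIG. It uses PBKDF2-HMAC from Python's standard library in place of bcrypt (which the standard library does not ship); the 100,000-iteration floor, the sample passwords and the shared salt value are constructed for illustration.

```python
import hashlib
import hmac
import os

# Work-factor floor enforced by this example. The post's point is that a
# too-small iteration count is a common shortcut; the exact floor is an
# assumption chosen for illustration, not a value from the post.
MIN_ITERATIONS = 100_000
SALT_BYTES = 16

# Deliberately weak scheme: one salt for every account (constructed value).
SHARED_SALT = b"static-salt-value"


def hash_shared_salt(password: str, iterations: int = 1000) -> bytes:
    """Weak: same salt for all users and a small work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SHARED_SALT, iterations)


def make_record(password: str, iterations: int = MIN_ITERATIONS) -> dict:
    """Hardened: fresh random salt per password, work factor checked against the floor."""
    if iterations < MIN_ITERATIONS:
        raise ValueError(f"iteration count {iterations} below floor {MIN_ITERATIONS}")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def audit_records(records: list) -> list:
    """Flag stored records that reuse a salt or fall below the work-factor floor.

    Returns human-readable findings; an empty list means the store passes.
    """
    findings = []
    first_seen = {}
    for idx, rec in enumerate(records):
        if rec["iterations"] < MIN_ITERATIONS:
            findings.append(
                f"record {idx}: iteration count {rec['iterations']} below {MIN_ITERATIONS}"
            )
        if rec["salt"] in first_seen:
            findings.append(f"record {idx}: salt reused from record {first_seen[rec['salt']]}")
        else:
            first_seen[rec["salt"]] = idx
    return findings


def demo() -> tuple:
    """Two constructed accounts that happen to share a password."""
    shared_a = hash_shared_salt("correct horse battery staple")
    shared_b = hash_shared_salt("correct horse battery staple")
    # Under a shared salt, equal passwords yield equal hashes, so one
    # precomputed table serves against every account in the store at once.
    same_hash_under_shared_salt = shared_a == shared_b

    rec_a = make_record("correct horse battery staple")
    rec_b = make_record("correct horse battery staple")
    # Under per-user salts the two records differ although the passwords match.
    distinct_under_per_user_salt = rec_a["digest"] != rec_b["digest"]
    return same_hash_under_shared_salt, distinct_under_per_user_salt


if __name__ == "__main__":
    print(demo())
    print(audit_records([make_record("pw-one"), make_record("pw-two")]))
```

`audit_records` is the check a reviewer of a password store would run: with per-user salts and the enforced floor it returns nothing, while a store built with `hash_shared_salt` produces a finding for every duplicated salt and every under-sized work factor.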
What about IT Due Diligence?
There’s a crucial aspect of due diligence here. As mentioned, Verizon agreed to acquire Yahoo for $4.8 billion in late July. Verizon has said it was informed about the Yahoo attack two days before the public disclosure — that is, a couple of months after it agreed to the acquisition. What does that tell us about the IT due diligence that preceded the agreement?
But think about it: a hospital wouldn’t let a lawyer or accountant interpret MRI results, right? So why would anyone ask lawyers or accountants to carry out IT due diligence? You need deep code visibility here, and the technological expertise to make sense of what you find.
Meanwhile, some basic security hygiene
Yahoo’s taking a beating over this breach, and honestly they’ve brought it on themselves. But remember that this could happen to any of us if we don’t pay attention to the best practices that will keep us out of the headlines — or at least help us exert what control we can to minimize the risk of a breach.
Meanwhile, you personally might want to use this chance to refresh your passwords. So set a reminder to do it regularly, then reread this classic bit of advice from XKCD.
This blog was also published on Medium by Evelyn van Kelle