Tag Archives: Yahoo

Senators accuse Yahoo of ‘unacceptable’ delay in hack discovery

4 October 2016

Six Senators demanded that Yahoo should explain why it took about 2 years before the massive data leak came to light.

In Reuters Technology News of 27 September 2016 Dustin Volz and Lisa Lambert wrote:

The lawmakers, all Democrats, said they were “disturbed” that the 2014 intrusion, which was disclosed by the company on Thursday, was detected so long after it occurred.

“That means millions of Americans’ data may have been compromised for two years,” the senators wrote in a letter to Yahoo Chief Executive Marissa Mayer. “This is unacceptable.”

This is a very interesting turn on events, but entirely justified.

In report ‘Yahoo breach calls into question detection and remediation practices’ published on SearchSecurity on 28 Sep 2016, Michael Heller discussed the question about Yahoo’s detection and response practices. I haven’t seen any discussions about missing preventive controls, although these are the foundation for the rapid detection of cyber-attacks.

The goal of prevention is to force the attacker to make errors by isolating him from his and our environment. A well-tuned SIEM system should then rapidly detect such anomalies and create incidents from them. A good mixture of detection and prevention is required for the rapid detection of cyber attacks.

For a comprehensive discussion on prevention and detection see post Cyber Security Investments: Experts Discuss Detection vs. Prevention published in the Digital Guardian blog.

In briefing document ‘The Strategic Game of ? and ?’ John Richard Boyd shows the direction to cyber security:

The Strategic Game is one of Interaction and Isolation. A game in which we must be able to diminish adversary’s ability to communicate or interact with his environment while sustaining or improving ours.

Have a good week.

Yahoo hacked in late 2014 – Breach detected in 2016

25 September 2016

In August 2016, a hacker offered 200 Million Yahoo Accounts for sale on the Darknet. In a first investigation, Yahoo found no evidence for this assertion. But the investigation team found indications for a data breach which happened in 2014.

Last Thursday, Yahoo announced that account information of 500 Million users was stolen in late 2014. The good news is that the company found no evidence that the attackers are still active in their network. And that only names, email addresses, phone numbers, birth dates, encrypted passwords, and, in some cases, security questions and answers were stolen.

That is bad enough, especially because reuse of account information like security questions and answers is a widespread bad habit. Yahoo users are well advised to change their security questions wherever they have reused them.

But what really worries me is that it took about 600 days before the breach was detected. That is far more than the MTTI (Mean Time to Identify) of 206 days the Ponemon Institute estimated in the ‘2015 Cost of Data Breach Study:  Global Analysis’. And more than the max. value of 582 days.

One can only speculate whether indicators of compromise were non-existent or ignored or not recorded or not regularly reviewed. Regular review of event and incident data is a really tough job, but essential if it comes to the assessment of indicators of compromise.

Have a good week.