As reported in the news, Yahoo have been not so much popped, as exploded.
I think the key points here are:
- Passwords as an authentication technology are rapidly becoming obsolete. We’re seeing many more internet organisations using familiarity signals and behavioural biometrics to authenticate customers.
- The good-old-bad-old knowledge based authentication is flawed. For better or for worse, the compromise of Yahoo shows that this information is not the “high-memorability low-latency” that was thought. For example, you can look on my Facebook profile, find an entity I’m linked to who is my mother, and she lists her maiden name as Wilks. We need to look at more intelligent ways of identity proofing and indeed, evolve this away from a one-off process to a continuous dynamic risk assessment, coupled with authentication and online fraud detection.
- Of concern is Yahoo’s statement that they have not yet been able to identity the intrusion associated with this theft. The implication is that Yahoo has overly focused on deploying protective technologies, and has not put in place effective analytics, detection and response systems and processes. Gartner recommends that organisations must engage in a fourfold strategy of:
- Predicting threats and understanding risk
- Protecting the organisation against threats
- Detecting threats in the clear and certain anticipation that there are well resourced, well-funded adversaries with skills and time that are in excess of our own. In addition it should be noted that the risk of insider threat rises when a company is in a turbulent process such as an acquisition or even downturn. We need to deploy machine analytics
- Responding with a well-rehearsed incident process to remedy an attack and restore normal business operation. This in many ways is the key role of the modern CISO – not to be the defender of the battlements, but to ensure business survivability]##].
- From what we do know, they attackers made use of cookie masquerading, pass-the-hash, and a state-sponsored actor. This gives strength to the importance of a strong detection plan as per 3c above. MD5 hashing is vulnerable to an attack type called “collision attacks” which means that an attacker can find a string of characters that will resolve to the same hash as a hashed (or encrypted password). MD5 is strongly deprecated and this points to troubling software development security practices in Yahoo or its suppliers.
It’s clear that there will be an impact on the proposed acquisition, and the markets are reacting to the news. It is disturbing that it has taken so long for the breach to be made public in the light of the data breach notification laws in the USA and elsewhere.
Clearly the upshot of this is that we need to realise that it’s no longer a case of “if we’re targeted/unlucky” but that we are all targets.