After the hack, the scams

by Mark Rowe

Yahoo! in September confirmed that ‘state-sponsored’ hackers stole around 500 million users’ information, including names, email addresses, telephone numbers, dates of birth and encrypted passwords. The information was stolen from the company in 2014 and has only now been made public.

Beware of social engineering schemes that will follow this incident, IT security people warn. Rajiv Gupta, CEO at Skyhigh, a cloud service, said: “In the wake of a breach like this, companies should have a well-oiled response plan. First, measure exposure to the breach by identifying how many employees use the cloud service. Then, take action to prevent immediate threats by prompting employees to change their passwords. Companies may consider temporarily blocking data uploads to the service to prevent further damage. The fallout of a data breach doesn’t end there, and neither should companies’ response. Employees frequently reuse passwords, and hackers can use stolen passwords to access other accounts. Companies should implement behavioral analytics to monitor for suspicious activity among affected accounts – the IT equivalent of post-breach credit monitoring.”

David Reed, Director of Research at analytics company DataIQ, said: “Massive data breaches always sound scary. But scale is not always the best guide to the severity of the problem. In the case of the Yahoo! breach, each stolen record is being sold for 0.000009 cents. That is a good indicator of the true value (or otherwise) of such data. Knowing the password to an online account may cause problems for each user, but it is not necessarily the gateway to a more severe issue, such as financial or ID theft. That said, a technology business like Yahoo! should never have been compromised by this scale of hack in the first place – its reputation will be the real victim.”

Mark Skilton, a Professor of Practice at Warwick Business School, said: “While it’s not a surprise to hear the magnitude of users that have been corporate hacked – after all the rise of the digital business means everyone is more or less online these days – what is shocking is the date, 2014, and the sense of resignation that some may have to the event. This is far too late for professional cyber security risk management and certainly from the organisational practices inside a company like Yahoo! that one would expect.

“The other factor is the legal impact for Yahoo! from the reputational impact and liability in losses for customers. This could yet be significant and a headache for Verizon in its planned imminent takeover of Yahoo!. The lateness of the attack discovery, a whole two years, and the indication that it was a government state-sponsored attack suggests either a highly professional stealth attack or perhaps some failure in basic perimeter monitoring by Yahoo!’s internal security practice.

“Either way, serious questions on internal checking of data breaches must be addressed. There will be a significant internal review in Yahoo! and Verizon to develop a turnaround plan for this hack, but it also suggests a need for a stronger, perhaps government and industry, role to increase cyber protection in the light of the rise in more stealth attacks. The infamous Russian bank stealth attack had a similar slow-burn attack from an undetected stealth attack that resulted in an estimated 1 billion euro loss from several banks.

“This Yahoo! situation is not that level of financial loss, but the impact and rise of huge cyber-attacks will need stronger cyber responses.”

Everyone should be aware that any breach notice that Yahoo! emails out will go only to its email service users, and it will not provide links to click on, will not include any attachments, and will NOT ask for personal information, advises Kurt Baumgartner, principal security researcher at Kaspersky Lab. He was reminded of Google’s Aurora APT incident in 2009, announced in 2010. He said: “When we compare these two breaches, it is incredible that it’s 2016 and users are only being notified years after a major breach like this one, and only after another organisation made the issue public. While it is important to note that Yahoo! provides a list of account “meta-information” that appears to have been stolen and leaves out content of email accounts, the credential knowledge-based challenge information and passwords were stolen as well. So, passwords could have been reset on accounts without customers carefully checking password resets and access. And, the knowledge-based challenge information used to reset passwords may have been re-used to attack other web services the customer may be using. In the meantime, if you are using a Yahoo! email account, it’s a good idea to set up a “Yahoo account key,” which removes the need to enter passwords and enables a level of two-factor authentication.”
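As an added illustration (not code from the article or from Kaspersky Lab), the three traits Baumgartner lists can be turned into a simple screening check for mail that claims to be a breach notice. Both messages are constructed, and the phrase list used to spot requests for personal details is an assumption to be tuned locally:

```python
import email
import re
from email import policy

# Constructed sample styled as a breach notice, carrying a link and a request
# for personal details: the traits the advice above says a real notice lacks.
SAMPLE_EMAIL = """\
From: "Account Security" <security@example-lookalike.test>
To: someone@example.com
Subject: Important notice about your Yahoo account
Content-Type: text/html; charset="utf-8"

<p>We detected unusual activity on your account.</p>
<p>Please <a href="http://example-lookalike.test/reset">click here</a>
to verify your identity and confirm your date of birth and password.</p>
"""

# Constructed control message with none of the three red flags.
CLEAN_EMAIL = """\
From: notices@example.com
To: someone@example.com
Subject: Notice about your account

We are notifying you of a security issue. Please sign in as you normally
would and change your password from your account settings.
"""
LINK_RE = re.compile(r'href\s*=|https?://', re.IGNORECASE)
# Wording that asks the recipient to hand over details (assumed list; extend).
PII_REQUEST_RE = re.compile(
    r'\b(verify|confirm|enter|provide|send)\s+(your\s+)?'
    r'(identity|password|date of birth|security question|account key)',
    re.IGNORECASE)

def breach_notice_red_flags(raw: str) -> dict:
    """Report which of the three red flags a purported breach notice shows."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = list(msg.walk())  # a single-part message walks as itself
    text = "\n".join(p.get_content() for p in parts
                     if p.get_content_type() in ("text/plain", "text/html"))
    return {
        "contains_link": bool(LINK_RE.search(text)),
        "has_attachment": any(p.get_content_disposition() == "attachment"
                              for p in parts),
        "requests_personal_info": bool(PII_REQUEST_RE.search(text)),
    }

def looks_suspicious(raw: str) -> bool:
    """True if any red flag is present; treat such mail as a likely phish."""
    return any(breach_notice_red_flags(raw).values())
```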

Raj Samani, CTO EMEA at Intel Security, said: “With the scale of Yahoo’s attack going undetected for two years, hackers have had time to cause even more destruction. Customers who continue to re-use their authentication data for multiple accounts could be vulnerable to attack from multiple sources – with hackers even accessing accounts that customers had forgotten they ever set up.

“How is it that huge organisations with data loss prevention (DLP) solutions in place are still suffering breaches of this magnitude? Many well-intentioned CISOs or CIOs fund DLP projects in an effort to protect their organisations, but forget that awareness and buy-in from business units is critical to success. With poor scope definition and priorities, these organisations might achieve a very basic monitoring level, but they rarely move beyond that. Without any real collaboration between business units, a DLP program has little chance of gaining traction.

“With cyber security threats rising at such a rapid rate, organisations are having to come to terms with the fact that it’s fast becoming a question of ‘when’, not ‘if’, they suffer a breach. As such, protecting the network and detecting a threat is not enough. Organisations need strategies in place that are set up to correct systems in the event of an attack – minimising damage to the organisation and its customers.”

And John Marsden, Head of ID and Fraud at credit checking agency Equifax, said: “Passwords are continuing to topple like dominoes, and the rate of major breaches is increasing at an alarming rate. The Yahoo breach is a super-sized domino that is going to have huge effects on people for years to come. This is a game changer in the online fraud world; aside from Gmail being cracked, there is no other single event that could happen that will cause more fraud and damage over the next five years.

“The breach has been a major blow to Yahoo with personal details of around half a billion users now up for sale on the dark web. This information will spread quickly and globally with no chance of recovery. There will be a long lasting impact for consumers and businesses as hackers attempt to use the breached data to access other online accounts.

“We urge businesses to be on high alert for any customer contacting them from a Yahoo email address as there is a high chance that their details have been compromised. One particular area to watch is requests to reset passwords: sending a “click here to reset password” link to a Yahoo address is not advisable given the size of the breach.

“Passwords are no longer effective as a stand-alone measure and companies must act sooner rather than later to improve their online security. The normal advice of complex password, numbers and numerals no longer works in a world where there are now billions of cracked passwords; companies should instead introduce a second layer of authentication processing, such as device recognition, to help build the necessary barriers to keep data safe.”

© 2024 Professional Security Magazine. All rights reserved.