Yahoo

Five hackers are said to be behind breaches totalling up to a staggering three billion credentials from some of the world's biggest tech companies including the Yahoo! breach that led to the loss of 500 million credentials.

The claims, made to The Reg by recognised threat intelligence boffin Andrew Komarov, pin the world's largest hacks on "Group E", a small Eastern European hacking outfit that makes cash breaching companies and selling to buyers including nation states.

Komarov told The Register the group is behind a laundry list of hacks against massive household tech companies including the breach of Yahoo!, Dropbox, LinkedIn, Tumblr, and VK.com among other public breaches.

The analyst says the same hacking group has breached other major tech firms but would not be drawn on revealing the names of the affected companies nor the number of compromised credentials. Komarov has reported those breaches which are not on the public record to police.

He goes further and says much of the reporting concerning the Yahoo! breach was inaccurate, and suggests the number of affected credentials could be as high as one billion, double what was reported.

Group E had, according to Komarov, breached Yahoo! and sold the massive data haul through a recognised hacker identity who served as a broker.

It was then sold to a unnamed nation-state actor group.

Komarov's employer InfoArmor says it performed "extensive analysis of collected intelligence" from the Yahoo! hack from different sources to "clarify the motivation and attribution of the key threat actors" concluding "many recent press reports and published articles have significant inaccuracies".

Yahoo! last week pinned the breach on a unnamed state actor but did not say if, as Komarov claims, that the group bought the credentials from Group E which conducted the intrusion.

The company did not respond to a request for comment by the time of publication.

Hacking gangs Group E, For Hell, and broker Tessa88. Mind map by Andrew Komarov.

Hacking gangs Group E, For Hell, and broker Tessa88. Mind map by Andrew Komarov.

Komarov tells The Register Group E, so called after the first letter of its leader's moniker, broke into sites using a variety of attack vectors.

"Web apps vulnerabilities and exploitation, plus network intrusion through infection … [and] direct access to databases and source code," Komarov says.

Sites breached by the five-person Group E hacker outfit. Statistics via Andrew Komarov

Breach company Number of records
Yahoo! 500 million (up to 1bn)
Myspace 360 million
LinkedIn 167 million
Vk.com 137 million
Qip.ru 133 million
Badoo 126 million
Dropbox 103 million
Rambler.ru 101 million
Tumblr 50 million
LastFM 43 million
Fling.com 40 million
Mobango.com 6 million
Other combined dumps: 600 million

A second group known as "For Hell" used the same broker to sell stolen databases and masterminded other high profile breaches. Komarov says one member known as ROR[RG}) hacked Ashley Madison, Adult Friend Finder, and the Turkish National Police, while a second team mate known as "arnie" or "darkoverlord" conducted breaches of unnamed health care organisations.

Komarov, an established threat intelligence man formerly of Intelcrawler before its acquisition by Arizona-based security firm InfoArmor, is one of a handful of cybercrime intelligence analysts who closely monitor closed crime forums and dark web sites.

He fingers a Russian-speaking criminal hacking identity known as Tessa88 as the broker used by the two hacking groups.

That broker is claimed by hackers including some speaking to Vulture South to be a part-time scammer for selling bogus credentials, although the claims cannot be verified. Komarov says Tessa88 was at pains to mask the identity of the hacking groups when selling the Yahoo! credentials to the nation-state actors.

Sponsored: IBM FlashSystem V9000 product guide


The Register - Security

An investigation conducted into the two Yahoo security incidents disclosed recently revealed the existence of a connection and led researchers to believe that the claim of 200 million accounts being stolen in 2012 is likely false.

In early August, a hacker claimed to possess 200 million Yahoo user accounts stolen from the tech giant back in 2012. The hacker, known online as Peace and peace_of_mind, had offered to sell the data for 3 Bitcoin on a marketplace called TheRealDeal, where he had previously sold hundreds of millions of Tumblr, Myspace, VK and LinkedIn accounts.

Then, earlier this month, Yahoo confirmed that attackers, which the company believes were sponsored by a nation state, breached its systems in 2014 and stole at least 500 million user accounts. Yahoo never confirmed the alleged 2012 incident, although some suggested that the company discovered the 2014 breach while investigating those claims.

Security firm InfoArmor launched an investigation and determined that the vast majority of the 200 million credentials were not associated with Yahoo accounts. Experts believe the data likely comes from multiple third-party leaks and that some of the credentials match only because people reuse passwords. It’s worth noting that some people questioned the validity of the 2012 dump ever since samples of the data were made available.

InfoArmor believes Peace faked the data after having a falling-out with tessa88, another hacker who recently offered to sell hundreds of millions of accounts stolen from various services. According to researchers, tessa88 and Peace exchanged stolen information, until the former was called out over fake and low-quality dumps.

However, evidence uncovered by InfoArmor suggests that there is a link between these cybercriminals and the threat actor that carried out the 2014 attack confirmed by Yahoo.

Researchers believe tessa88 is linked to the real Yahoo hackers through an unidentified actor that played the role of a proxy. This proxy allegedly obtained the Yahoo data from professional black hats in Eastern Europe and provided it to various other actors, including cybercriminals and a state-sponsored party that had been interested in exclusive database acquisitions.

Tessa88 had previously received accounts from the proxy and InfoArmor believes tessa88 and Peace expected to get the Yahoo data as well. However, since that did not happen, Peace created a fake dump and claimed it came from a 2012 breach.

According to the security firm, the 500 million accounts were stolen from Yahoo after the compromised database was divided into hundreds of equal parts. The files, which contained data organized alphabetically, were exfiltrated in segments.

InfoArmor said the actual Yahoo dump is still not available on any cybercrime forums. However, the data has been monetized by some cybercriminals and the company believes it might have also been leveraged in attacks targeting U.S. government personnel.

Yahoo breach aftermath

News of the breach has caused serious problems for Yahoo, just as the company’s core business is about to be acquired by Verizon for $ 4.8 billion. Some believe the incident could impact the deal, but Verizon has yet to comment.

Several class actions have been filed against Yahoo by customers, including people who claim to be directly affected by the breach.

Earlier this week, U.S. Senator Patrick Leahy sent a letter to Yahoo CEO Marissa Mayer asking how such a massive breach could go undetected for two years. Senator Mark Warner has asked the Securities and Exchange Commission (SEC) to determine if the company fulfilled obligations to keep the public and investors informed, as required by law.

Mayer reportedly neglected cybersecurity since she took over the company. According to The New York Times, current and former employees said the CEO focused on functionality and design improvements rather than security.

Alex Stamos, who left his CISO position at Yahoo last year to become Facebook’s CSO, was allegedly denied financial resources for proactive security solutions. Mayer is said to have also rejected a proposal to reset all user passwords fearing that the move would result in more users abandoning its services.

Related: Yahoo Pressed to Explain Huge 'State Sponsored' Hack

Related: Russia? China? Who Hacked Yahoo, and Why?

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed

Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

Cisco Begins Patching Equation Group ASA Zero Day

August 24, 2016 , 5:53 pm

Mozilla Wants to Drop WoSign as Trusted CA

September 27, 2016 , 2:51 pm

OpenSSL Fixes Critical Bug Introduced by Latest Update

September 26, 2016 , 10:45 am

500 Million Yahoo Accounts Stolen By State-Sponsored Hackers

September 22, 2016 , 3:47 pm

Yahoo Reportedly to Confirm Breach of Hundreds of Millions of Credentials

September 22, 2016 , 12:31 pm

Experts Want Transparency From Government’s Vulnerabilities Equities Process

September 20, 2016 , 2:41 pm

Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure

September 15, 2016 , 11:15 am

Generic OS X Malware Detection Method Explained

September 13, 2016 , 9:14 am

Patched Android Libutils Vulnerability Harkens Back to Stagefright

September 9, 2016 , 2:06 pm

Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

September 8, 2016 , 3:43 pm

Threatpost News Wrap, September 2, 2016

September 2, 2016 , 9:00 am

Insecure Redis Instances at Core of Attacks Against Linux Servers

September 1, 2016 , 1:08 pm

Dropbox Forces Password Reset for Older Users

August 29, 2016 , 9:58 am

New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption

August 24, 2016 , 8:00 am

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

Keystroke Recognition Uses Wi-Fi Signals To Snoop

August 25, 2016 , 2:19 pm

Critical MySQL Vulnerability Disclosed

September 12, 2016 , 11:00 am

PLC-Blaster Worm Targets Industrial Control Systems

August 5, 2016 , 4:49 pm

Android Patch Fixes Nexus 5X Critical Vulnerability

September 2, 2016 , 12:49 pm

WordPress Update Resolves XSS, Path Traversal Vulnerabilities

September 8, 2016 , 12:23 pm

Browser Address Bar Spoofing Vulnerability Disclosed

August 17, 2016 , 12:54 pm


Threatpost | The first stop for security news

Yahoo!'s embattled mail service was dealt another blow Tuesday when an outage hit users worldwide.

Data from outage monitors DownDetector and Outage.Report back up multiple reports from users that the service was knocked offline for a period of time earlier this morning US time, or afternoon for those in Europe.

Spokespersons for Jerry and David's Guide to the World Wide Web did not respond to a request for comment on the outage.

The downtime only adds to an already sizable pile of problems for Yahoo! with its free mail service. Last week's disclosure of a massive hack exposing some 500 million user accounts has now reached the point of possible legal actions.

Following demands that US financial watchdog the SEC be called in to probe the matter, a group of US Senators is also asking Yahoo! chief executive Marissa Mayer to provide them with an explanation as to why the Purple Palace took so long to find and disclose the hack, and what they plan to do to prevent future intrusions.

The letter [PDF], sent by Senators Al Franken (D-MN), Patrick Leahy (D-VT), Ed Markey (D-MA), Elizabeth Warren (D-MA), Richard Blumenthal (D-CT), and Ron Wyden (D-OR), requests a formal briefing from Mayer and Yahoo!.

"This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest," the group writes.

"Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps to be taken to protect that information."

Verizon, which has a standing agreement to acquire Yahoo! for $ 4.8bn, has so far declined to comment beyond a brief statement it issued last week. ®

Sponsored: Optimizing the hybrid cloud


The Register - Security

The Yahoo sign in front of the company's campus in Sunnyvale, Calif.

Yahoo's announcement that state-sponsored hackers have stolen the details of at least 500 million accounts shocks both through scale -- it's the largest data breach ever -- and the potential security implications for users.

That's because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider; and email accounts are central to users' online lives. Not only are email addresses used for private communications, but they serve as recovery points and log-in credentials for accounts on many other websites.

[ Safeguard your data! The tools you need to encrypt your communications and web data. • Maximum-security essential tools for everyday encryption. • InfoWorld's encryption Deep Dive how-to report. | Discover how to secure your systems with InfoWorld's Security newsletter. ]

An email compromise is one of the worst data breaches that a person could experience online, so here's what you should know:

Fifty shades of hashing

Yahoo said that the "vast majority" of the stolen account passwords were hashed with bcrypt. Hashing is a one-way cryptographic operation that transforms data into a set of random-looking characters that serves as its unique representation -- this is called a hash.

Hashes are not supposed to be reversible, so they're a good way to store passwords. You take input, such as a password, pass it through a hashing algorithm and compare it to a previously stored hash.

This provides a way to verify passwords at log-in time without actually storing them in plain text in the database. But not all hashing algorithms offer equal protection against password cracking attacks that attempt to guess which plaintext password generated a specific hash.

Unlike the ageing MD5, which is quite easy to crack if implemented without additional security measures, bcrypt is considered a much stronger algorithm. This means that in theory, the likelihood of hackers cracking "the vast majority" of Yahoo passwords is very low.

But here's the problem: Yahoo's wording suggests that most, but not all passwords were hashed with bcrypt. We don't know how many passwords were hashed with another algorithm, or which one it was. The fact that this hasn't been specified in Yahoo's announcement or FAQ page suggests that it's an algorithm that's weaker than bcrypt and that the company didn't want to give away that information to attackers.

In conclusion, there's no way to tell if your account was among those whose passwords were hashed with bcrypt or not, so the safest option at this point is to consider your email compromised and to do as much as damage control as possible.

Don't keep emails just because you can

Once hackers break into an email account they can easily discover what other online accounts are tied to that address by searching for sign-up emails. These are the welcome messages that most websites send when users open a new account, and which users rarely delete. These days most email providers offer enough storage space that users won't ever have to worry about deleting messages.

Aside from exposing the links between an email address and accounts on various websites, those sign-up emails can also expose the specific account names chosen by the user, if different from their email address.

If you're among the people who don't delete welcome emails and other automatic notifications sent by websites, such as password resets, then you might want to consider doing so and even go back to clean your mailbox of such communications.

Sure, there might be other ways for hackers to find out if you have an account on a certain website, or even a number of websites, but why make it easier for them to compile a full list?

Be careful when asked for your personal details

Among the account information that hackers stole from Yahoo were real names, telephone numbers, dates of birth and, in some cases, unencrypted security questions and answers. Some of those details are sensitive and are also used for verification by banks and possibly government agencies.

There are very few cases when a website should have your real date of birth, so be judicious about providing it.

Also, don't provide real answers to security questions, if you can avoid it. Make something up that you can remember and use that as answer. In fact, Yahoo doesn't even recommend using security questions anymore, so you can go into your account's security settings and delete them.

Check your email forwarding rules regularly

Email forwarding is one of those "set it and forget it" features. The option is buried somewhere in the email account settings that you never check and if it's turned on there's little to no indication that it's active.

Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails and never log back in again. This also prevents the service from sending you notifications about repeated suspicious log-ins from unrecognized devices and IP addresses.

Two-factor authentication everywhere

Turn on two-factor authentication -- this is sometimes called two-step verification -- for any account that supports it. This will prompt the online service to ask for a one-time-use code sent via text message or generated by a smartphone app, in addition to the regular password, when you try to access the account from a new device.

It's an important security feature that could keep your account secure even if hackers steal your password. And Yahoo offers it, so take advantage of it.

Don't reuse passwords; just don't

There are many secure password management solutions available today that work across different platforms. There's really no excuse for not having unique, complex passwords for every single account that you own. If you do want memorable passwords for a few critical accounts use passphrases instead: sentences made up of words, numbers and even punctuation marks.

Here comes phishing

Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such incident.

These emails can masquerade as security notifications, can contain instructions to download malicious programs that are passed as security tools, can direct users to websites that ask them for additional information under the guise of "verifying" their accounts and so on.

Be on the lookout for such emails and make sure that any instructions that you decide to follow in response to a security incident came from the affected service provider or a trusted source.


InfoWorld Security

Just two days after Yahoo! admitted hackers had raided its database of at least 500 million accounts, the Purple Palace is being dragged into court.

Two Yahoo! users in San Diego, California, filed on Friday a class-action claim [PDF] against the troubled web biz: Yahoo! is accused of failing to take due care of sensitive information under the Unfair Competition Act and the state's Consumer Legal Remedies Act, plus negligence for its poor security, and breaking the Federal Stored Communications Act.

The stolen Yahoo! database includes people's names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers about their personal lives.

“There's a sense of violation,” the plaintiffs' lawyer David Casey of Casey Gerry Schenk Francavilla Blatt & Penfield told The Register last night.

“We think they breached their duty of trust to the clients and violated privacy laws. I anticipate hundreds of cases will be filed and then those will be consolidated into one federal class action suit.”

Casey said that at least one of his clients had already seen dodgy activity on their credit card which had been attributed to the attack and another was concerned that their financial and tax data had been viewed by outsiders. The plaintiffs are seeking redress and damages from Yahoo!

The court filing also states that Yahoo! had “unreasonably delayed” telling its customers about the mega-hack. It points out that the incident, which Yahoo! blamed on state-sponsored hackers, occurred back in 2014, and the webmail giant should have detected it sooner and let people know a long time ago.

“There’s a lot of anger over the delay,” Casey said. “The delay is pretty inexplicable.”

While this is the first sueball lobbed at Yahoo!, it is unlikely to be the last. If even a fraction of the 500 million Yahoo! users targeted by hackers take action against the company, and win even a miserly award, the potential costs to the biz could count in the high multi-millions.

Under the circumstances the due diligence team at Verizon, which in July confirmed it wanted to buy Yahoo! for $ 4.8bn, are going to be recalculating their figures as to the net worth of the Purple Palace. Having such large liabilities hanging over Yahoo! can only depress its value.

Verizon told The Register that it was informed about the hack just a few days in advance of this week's staggering confession – which raises questions in itself. In late July and early August, news articles were circulating warning that stolen Yahoo! customer information was being sold on the dark web. One wonders why Verizon didn’t pick up on this earlier.

One possible theory is that while investigating the 200 million or so account records being touted on underground souks, Yahoo! discovered a separate larger break-in by government-backed hackers – and has only just confirmed that.

In the meantime, legal action will continue to mount in America, the land of the lawsuit. Yahoo! should also expect folks overseas to start lawyering up, too. It’s going to be an expensive Fall for the organization. ®

Sponsored: HPC and HPDA for the Cognitive Journey with OpenPOWER


The Register - Security

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Repercussions of the massive Yahoo breach
Yahoo has announced on Thursday that they have suffered a breach and that account information of at least half a billion users has been exfiltrated from the company’s network in late 2014.

Review: Boxcryptor
Storing your data in the cloud comes with both positive and negative aspects. Boxcryptor is a solution that helps with this by encrypting your data on your device before it gets synchronized to the cloud storage provider of your choice.

(IN)SECURE Magazine issue 51 released
(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics.

How ransomware is impacting companies in six major industries
BitSight analyzed the security ratings of nearly 20,000 companies to identify common forms of ransomware and to determine which industries (amongst Finance, Healthcare, Education, Energy/Utilities, Retail, and Government) are most likely to experience attacks.

Why DNS shouldn’t be used for data transport
Malicious DNS tunnelling is a big problem in cybersecurity.

Basic file deletion increases exposure to security risks
The use of improper data removal methods and the poor enforcement of data retention policies have created the perfect storm for confidential, oftentimes sensitive data to be lost or stolen.

US elections and the hacking of e-voting machines
As the day when US citizens cast a vote for their preferred presidential nominee quickly approaches, the issue of whether the actual voting process can be tampered with is a topic that interests many.

Malicious torrents management tool uncovered
Researchers have uncovered Raum, a tool that is used by Eastern European organized crime group “Black Team” to deliver malware to users through malicious torrents.

Xiaomi smartphones come equipped with backdoor
If you’re a computer science student with an interest in cybersecurity like Thijs Broenink, you can reverse-engineer pre-loaded apps and discover for yourself what they do.

Chinese researchers hijack Tesla cars from afar
Tesla car owners are urged to update their car’s firmware to the latest version available, as it fixes security vulnerabilities that can be exploited remotely to take control of the car’s brakes and other, less critical components.

We have to start thinking about cybersecurity in space
With all the difficulties we’ve been having with securing computer systems on Earth, the cybersecurity of space-related technology is surely the last thing on security experts’ minds – but it shouldn’t be.

HDDCryptor ransomware uses open source tools to thoroughly own systems
HDDCryptor (aka Mamba) is a particularly destructive piece of ransomware that encrypts files in mounted drives and network shares, locks the computers’ hard disk, and overwrites their boot disk MBR.

Biometric skimmers: Future threats to ATMs
Kaspersky Lab experts investigated how cybercriminals could exploit new biometric ATM authentication technologies planned by banks.

US gets federal guidelines for safe deployment of self-driving cars
The public is welcome to comment on the new policy, and the Department of Transportation intends to update it annually.

880,000 users exposed in MoDaCo data breach
Subscribers of UK-based MoDaCo, a forum specialising in smartphone news and reviews, have been unpleasantly surprised by notifications that the site and their account have been compromised.

UK: Financial fraud soars
More than 1 million incidents of financial fraud – payment card, remote banking and cheque fraud – occurred in the first six months of 2016, according to official figures released by Financial Fraud Action UK. To compare, in the first six months of 2015 there were a little over 660,000 cases.

Should you trust your security software?
Recently, Google’s Project Zero security research team uncovered a bunch of critical vulnerabilities in two dozen enterprise and consumer antivirus security products from Symantec and its Norton brand.

BENIGNCERTAIN-like flaw affects various Cisco networking devices
The leaking of BENIGNCERTAIN, an NSA exploit targeting a vulnerability in legacy Cisco PIX firewalls that allows attackers to eavesdrop on VPN traffic, has spurred Cisco to search for similar flaws in other products – and they found one.

Connected devices riddled with badly-coded APIs, poor encryption
Ignoring cybersecurity at the design level provides a wide open door for malicious threat actors to exploit smart home products.


Help Net Security

Yahoo's claim that it is the victim of a gigantic state-sponsored hack raises the question of whether it is the latest target for hackers with the backing of Russia, China or even North Korea, experts say.

The US internet giant was under pressure Friday to explain how it sustained such a massive breach in 2014, which possibly affected 500 million accounts.

Yahoo said the stolen information may have included email addresses and scrambled passwords, along with both encrypted or unencrypted security questions and answers that could help gain access to victims' other online accounts.

Sometimes the link between the target of a hack and a particular state may suggest itself easily.

One of the highest-profile hacks came when North Korea is thought to have targeted entertainment titan Sony in 2014, apparently in revenge for producing the comedy film "The Interview" about a CIA plot to assassinate leader Kim Jong-Un.

More recently, a mysterious group calling itself Fancy Bears hacked the medical records of athletes held by the World Anti-Doping Agency (WADA). It is still dripping the information out.

Commercial motives

Many experts believe that cyberattack was carried out by Russia after its track and field athletes were banned from the Olympics and its entire Paralympics team turfed out of their Games over evidence of state-sponsored doping.

While motivation for those cyberattacks seems clear, it might initially appear less obvious why countries such as Russia, North Korea or even China would target a company like Yahoo.

Chinese hackers have been accused of plundering industrial and corporate secrets and of orchestrating a breach of US government files on its employees that affected more than 21 million people and reportedly led to the hasty withdrawal of US intelligence operatives from China to protect their lives.

But political motives can be as strong as commercial ones, analysts note.

"Would, for example, Russian intelligence wish to conduct a large-scale hack on a major internet company like Yahoo? Absolutely they would," Shashank Joshi, senior research fellow at the London-based Royal United Services Institute, told AFP.

"It is an incredibly valuable commodity. The ability to access email addresses for US persons, perhaps a Russian dissident -- any intelligence agency worth its salt would want that sort of data, although it is very hard to use because of the encrypted passwords," he said.

Julien Nocetti, of the French Institute of International Relations (IFRI), said the hack was too big for an independent group to carry out.

"Given the scale of the revelations about Yahoo, it indicates that a lot of resources, technical equipment and coordination were required -- this definitely comes from a state," he said.

Given the tensions between Russia and the United States over the Syrian war "you could put forward the theory that this could be a Russian attempt to test the Americans' cyber defences", he said.

- Finding the source -

Yahoo has so far given no evidence to support its claim that it has been targeted by a state. RUSI's Joshi said finding the source "is the most fundamental problem when it comes to cyber-attacks".

"This completely bedevils even the most well-resourced people," he said.

However, he believes Yahoo would only have pointed the finger at state involvement if it had some evidence.

"The way you identify responsibility for a hack is to look for signatures that correspond to earlier known facts and then see what you know about them," he said.

For example, in case of the hacking of Democratic National Committee (DNC) emails this year which exposed bias within the party in favour of Hillary Clinton, cyber-security experts found evidence of a so-called Advanced Persistent Threat (APT).

"That is a code word for state hackers who were clearly operating in a system and matched up with earlier such hacks" carried out by Russia's state and military intelligence agencies, Joshi said.

But in Russia, so often accused of state-sponsored hacking, one expert said it was naive to immediately blame a state and scoffed at the suggestion the hackers were sophisticated spies.

"Anyone could have hacked a database of users like Yahoo because it's a classic commercial server," said Oleg Demidov, a consultant at the Moscow-based independent think-tank PIR Center.

"At the moment, this looks like a traditional hack aimed at making money or carving out a reputation by selling a load of personal data," he added.

view counter

© AFP 2016

Tags:


SecurityWeek RSS Feed

Yahoo officially acknowledged it was the victim of one of the largest data breaches in history in which data from at least 500 million user accounts was stolen.

The Yahoo breach took place in late 2014 but it wasn't confirmed until a "recent investigation." Yahoo didn't provide a specific timeline of events, but Flashpoint confirmed it recently found 200 million Yahoo accounts for sale on the deep web.

"On August 2, 2016, Flashpoint became aware of an advertisement posted on TheRealDeal Marketplace by actor "peace_of_mind" (otherwise known as "peace") for the sale of some 200 million Yahoo account credentials," Vitali Kremez, cybercrime intelligence senior analyst at Flashpoint, told SearchSecurity via email. "Peace_of_mind is the same actor whom Flashpoint previously reported as selling leaked MySpace and LinkedIn account credentials in May 2016. This actor, who is also a co-founder of TheRealDeal Marketplace, is considered highly credible based on past activity and feedback from customers."

Various new outlets have reported that the sale of the Yahoo accounts on the deep web  first prompted Yahoo to investigate a potential mega breach in the first place. The Yahoo breach follows other high profile data breaches at companies such as LinkedIn and Dropbox that have exposed user emails and information.

Keatron Evans, senior security researcher and principle of Blink Digital Security, said Yahoo needs to provide more details about the attack. "What I want to know is when Yahoo discovered this attack. If it happened in 2014, and the company has known about it for the past two years, then why has it taken so long to reveal the extent of the breach?" Evans said. "This slow response could become a PR nightmare that damages the company's reputation, and it goes to show how difficult it can be to determine the root cause of an attack that happened months or even years in the past without the right training and tools."

In a statement, Yahoo said it believes the attack was state-sponsored, though no specific nation was named. Yahoo also attempted to reassure users that their most valuable data had not been compromised.

"The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo wrote. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected."

J. Paul Haynes, CEO of eSentire, said it was good to see Yahoo not jumping to conclusions with attribution.

"The timing of this breach is curious, given Yahoo's pending sale; however it's a bit premature to place blame with a state-sponsored attacker," Haynes said. "Attribution is a slippery slope and nearly impossible without a complete case file, which Yahoo nor the investigators have at this point."

Complicating matters further, Verizon is in the process of purchasing Yahoo for $ 4.8 billion. The deal is still under regulatory review. A Verizon spokesperson said the company only learned of the mega breach at Yahoo this past Tuesday, but said Verizon only has "limited information and understanding of the impact" of the breach.

Adam Levin, chairman and founder of IDT911, said data breaches should be considered a new certainty in life along with death and taxes. "All users of Yahoo email must immediately change not only their Yahoo user IDs and passwords but also any duplicate login information used to access other accounts," Levin said. "As we live in an environment where breaches have become the third certainty in life, it is essential that consumers protect themselves by using long and strong passwords, which are never shared across their universe of social, financial, retail and email accounts and updated routinely; enable two-factor authentication; and are always on guard against phishing attacks."

Yahoo suggested users review their online accounts for any suspicious activity, change account details, avoid clicking suspicious links and use the Yahoo Account Key two-factor authentication tool.

Brett McDowell, executive director of the FIDO Alliance, said this should be a warning to everyone that strong passwords alone may not be enough. "Cyber criminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud. We need to take that ability away from criminals and the only way to do that is to stop relying on passwords all together," McDowell said. "The frequency and severity of these data breaches is only getting worse year-over-year, and this trend will continue until our industry ends its dependency on password security and adopts un-phishable strong authentication."

Vishal Gupta, CEO of Seclore, said the fallout from this attack could be devastating. "This nation now has access to 500 million phone numbers. With talk of Russian attempts to influence the election, it isn't difficult to imagine how access to the contact information, and personal details, of that many potential votes could be used maliciously," Gupta said. "Unless organizations take stricter security measures and apply data-centric security solutions, hackers will always come up with inventive ways to leverage sensitive information for malicious purposes."

Next Steps

Learn more about the merits of encrypting and hashing passwords

Find out how to build strong passwords and prevent data breaches

Get info on best practices for conducting information security assessments


SearchSecurity: Security Wire Daily News

Yahoo has announced on Thursday that they have suffered a breach and that account information of at least half a billion users has been exfiltrated from the company’s network in late 2014.

Yahoo breach

The stolen data “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” but not “unprotected passwords, payment card data, or bank account information,” nor Tumblr user data.

Yahoo attributed the hack to a state-sponsored actor, and says that there is no indication that they are still present in Yahoo’s network. As the investigation continues, users are getting notified of the breach through their Yahoo and alternate email accounts, and advised to change their passwords and adopt alternate means of account verification, change the password and security questions for any other accounts on which they used the same information, and to be on the lookout for phishing attempts.

The company has provided a page with more details, including instructions on how to spot phishing emails impersonating the company and how to surely tell that an email comes from Yahoo.

How did the Yahoo breach happen?

“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry. Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo’s program in December 2015, independent of the recent investigation, approximately 10,000 users have received such a notice,” Yahoo has noted in the announcement.

The company has not offered any explanation on how they have managed to miss the intrusion for so long. It’s also possible that they did known about it but chose to remain silent until they no longer couldn’t. Last month’s public offer for sale of account details of some 200 million Yahoo users was apparently the result of a previous breach, but forced the company into starting a new investigation.

“Yahoo, like many other large companies, has huge and sprawling networks with hundreds of thousands of hosts. That’s a lot of attack surface for anyone to effectively protect all the time. So, it’s unsurprising when breaches, even of this magnitude, take place,” noted Jeremiah Grossman, Chief of Security Strategy at SentinelOne, and former infosec officer at Yahoo (late 1999-mid-2001).

“Due to Yahoo’s size, they often have to rely on homegrown technology solutions because historically there has been limited products on the market that can scale to meet the demands of their system. It could be that this issue created gaps in their security program because they’re unable to use cutting-edge security products designed to thwart modern threats that most everyone else can,” he added.

Who’s behind it?

“There are a lot of unanswered questions here—the biggest one being that while we know the information was stolen in late 2014, we don’t have any indication as to when Yahoo first learned about this breach. This is an important detail in the story,” says Grossman.

Why would a nation-state target Yahoo in the first place (if indeed it has)?

“There are some parallels between this and the Google Aurora attacks in 2010,” he noted. “I’d argue that nation-state sparring is playing out on networks like Yahoo because they’re a valuable source of information on your opponent’s strategy. If you are a nation state and want to determine if any of your domestic spies have been discovered, you put taps on Google, Yahoo, Microsoft, etc. rather than government networks. Of course, there is always the motivation to deanonymize political dissidents.”

“The fact that the Yahoo breach is being tied to state-sponsored actors is extremely alarming. With the potential to be the largest breach in history (at 500 million users were affected), the fallout from this attack could be devastating, says Vishal Gupta, CEO of Seclore.

“For example, this nation now has access to 500 million phone numbers. With talk of Russian attempts to influence the election, it isn’t difficult to imagine how access to the contact information, and personal details, of that many potential votes could be used maliciously. Imagine getting a call from a presidential campaign, except the information being shared by the caller isn’t factual, and is actually intended to sway you towards a different candidate. We haven’t seen this sort of activity yet, but it’s within the realm of possibility. Unless organizations take stricter security measures and apply data-centric security solutions, hackers will always come up with inventive ways to leverage sensitive information for malicious purposes.”

Repercussions for users

If you’re an affected user, you might want to do all the things Yahoo has advised you to do to protect yourself and your other accounts.

I argue that the advice might have been good if it came right after the breach, but it’s now just an illusion that you can control the situation. If this information was stolen in 2014, who knows how many time it has been sold and misused since then?

“One of the more egregious errors in this disclosure was the fact that date of birth (DOB) information was exposed,” notes Todd Feinman, founder of Spirion.

“Companies like Yahoo have an obligation to their customers to protect their privacy and classify personally identifiable information. DOBs are a perfect example of data that should be classified and protected so that, in the event of a data breach, personally identifiable information (PII) is not exposed,” he explained.

“DOB can be used in conjunction with other data to steal an identity or compromise the victim in other ways. They’re sometimes used as secondary validation and should be classified as confidential and kept encrypted just like social security numbers and health record numbers.”

“Data breaches are now a common occurrence but should not be taken for granted. When we see 200 million DOBs, password hashes, and usernames floating around, it is critical those users become aware and cognizant of any identity theft alerts and change their passwords that were the same as those on Yahoo. Hashes will slow criminals down but not stop them,” he concluded. I would add: especially if they are a well-resourced nation-state actor, and they’ve has two years to work on breaking them.

Repercussions for Yahoo

The timing of the revelation of the breach could scarcely be worse, as Yahoo has recently announced that Verizon is going to acquire the company for $ 4.8 billion.

“Mergers are complicated endeavors, and the scrutiny under which both companies will reside during the course of the transaction only increases the stress to keep what should be sensitive information protected. Verizon certainly took on a calculated level of risk in acquiring Yahoo!, particularly because of its massive user base,” says Kevin Cunningham, president and founder at SailPoint.

“The question of whether this breach will affect the sale price depends on how extensively it performed due diligence on Yahoo’s security controls. It’s a perfect illustration of the fact that this due diligence should include not just network security controls, but also identity governance controls, because as we’ve seen with LinkedIn, Dropbox and countless others, breaches very often result from compromised employee credentials.”

“What I want to know is when Yahoo discovered this attack. If it happened in 2014, and the company has known about it for the past two years, then why has it taken so long to reveal the extent of the breach?” notes Keatron Evans, Senior Security Researcher and Principle of Blink Digital Security.

“This slow response could become a PR nightmare that damages the company’s reputation. As this story continues to unfold, it is likely that even more damaging news is revealed. The one thing that is clear at this point is that all enterprises need to learn from Yahoo’s mistakes by putting in place a robust post-breach remediation plan that has the tools to investigate breaches faster. There are already appliances in the market that help to automate and speed up the forensics process, so no company of Yahoo’s size has the luxury of leaving customers hanging for months without adequate information or a plan for corrective action.”


Help Net Security