Yahoo Confirms Huge Data Breach Affecting 500 Million Accounts - expert comments

September 2016 by Expert

This evening, Yahoo revealed that information associated with at least 500 million
user accounts was stolen in 2014 by what is believed to be a state-sponsored actor. The
stolen data may include names, email addresses, telephone numbers, dates of birth
and hashed passwords. According to Yahoo, it may not have included payment card
data or bank account information. Below is commentary from some of the world’s top cyber security experts.

Stephen Gates, chief research intelligence analyst at NSFOCUS:

"Although the breach was originally reported back in July of 2012, the size of the
breach apparently was incorrectly reported. In 2012, the number of potentially
compromised user credentials was estimated to be around 450 thousand. However, the
hacker known as Peace is claiming to have up to 500 million user credentials he/she
is now attempting to sell online. That’s a huge difference.

Yahoo users who have not changed their passwords since then really need to do so
now. In addition, if users have used the same username/password combination on any
other online accounts, they’re at risk of hackers gaining access to those other
online accounts, if hackers can determine what other online accounts a user may
have.

The Verizon purchase apparently comes with some “baggage” that they most likely
do not want to be associated with. The likelihood of this breach affecting the
purchase is, however, quite small. The responsible thing to do is to force all
users to update their passwords; however, that action most likely will not be well
received by Yahoo’s user community for a breach that happened over four years ago.

Although the number of breaches on this scale has been reduced over the years, they
are far from over. Today, organizations of all sizes are taking measures to ensure
a breach does not happen to them. Unfortunately, it has not stopped hackers from
succeeding on a global scale.

Enterprises must first assess what hackers would likely want to steal from them.
Once identified, enterprises must use all measures at their disposal to protect that
data – at all costs. If an organisation does not practice due diligence, then
they can be accused of alleged negligence. Being found guilty of negligence is
never good for anyone’s career.

You must protect your data. It is what hackers are after. This is all about
monetary gain, and people will go to almost any length to achieve it. Hackers
understand how to erode your defenses, consume your resources, control your systems,
and eventually steal your data. Taking an Intelligent Hybrid Security approach will
help protect what hackers are after."

David Gibson, VP of strategy and market development at Varonis:

“Hopefully Yahoo! will force password resets for all its users, even ones that it
believes have not been affected. Dropbox learned this lesson the hard way. Users
should also reset passwords for other accounts that share the same password as their
Yahoo account and consider using a password manager going forward.

It’s hard to say for sure whether the breach will upset the pending acquisition by
Verizon—publishers of the renowned yearly Data Breach Investigation Report—but
it certainly could. If witnessing a data breach capsizes a $4.8 billion acquisition
doesn’t shock CEOs and CSOs into investing more in security, what will?

There will certainly be financial repercussions for Yahoo!, if not by way of fines
and lawsuits, certainly in terms of time and effort to recover, perform an
investigation, and further invest in bolstering security.

Breaches of this magnitude won’t slow until incentives are re-aligned. Dark
Reading released a report recently stating that 80% of CSOs cite a lack of funding
as being the #1 barrier preventing them from addressing cybersecurity challenges and
51% of CSOs cite a lack of available cybersecurity pros. The two go hand-in-hand.
Until organisations are willing to invest more in security technology and pay a
higher price tag to attract top security talent, they can expect similar results.

Organisations need to invest more in cybersecurity teams, follow security best
practices and make security a top priority if they want to stop hacks on this scale.

The same lessons we learned from Target, Sony, OPM, etc. apply to Yahoo. It’s just
too easy for hackers to get their hands on critical data.

Businesses – just like individuals – are still struggling to get the basics
right when it comes to securing their data. There are so many basic vulnerabilities
that organisations need to address – external and internal. The number of reported
breaches will no doubt continue to increase. More companies are keeping more
information from consumers and business partners, which increases the value of a
potential breach. In order to be productive, company networks can’t be 100%
isolated, and no matter how much time and money you spend on security tools, nothing
is fool-proof, especially when the weakest links in the chain are the people who
need access to data in order to do their jobs.

When you work under the assumption that your outer defences will be breached, it
frames the data security challenge somewhat differently. Instead of pouring all of
your energy into building a very high, very strong fence, spend more time securing
what you truly need to protect: data. Make sure that once someone is inside, their
activities will be observed and controlled. Just because you have a great lock on
your front door doesn’t mean that cameras and motion sensors aren’t also a good
idea. Similarly, monitoring user access and analysing it properly will help
organisations identify attackers on their network and hopefully mitigate any damage.

Burying your head in the sand and hoping nothing bad will ever happen isn’t an
option these days, so companies should absolutely have a plan for what happens after
they discover a breach. Just like it would be silly to choose not to have a plan for
a fire in the building, it doesn’t make sense not to have a response plan for a
data breach. At a minimum, it’s critical for companies to identify what may have
been stolen or deleted and what their obligations are to customers, partners,
shareholders, etc. Different types of information have different disclosure
requirements, therefore it’s important for companies to understand what kind of
data they’re storing and what those obligations are so they can plan
accordingly.”

Gubi Singh, Chief Operating Officer at Redscan:

“There is never a good time to be hit by a cyber-attack, but the reported breach
appears to have happened at the worst possible moment for Yahoo, and that’s
unlikely to be a coincidence.

Criminals will spend months planning and implementing attacks on companies of this
size, with attackers biding their time to avoid detection.

For companies undergoing a merger or acquisition, a comprehensive cyber security
assessment can reduce risk for all parties involved and has become a key part of the
due diligence process.”

Jonathan Sander, VP of Product Strategy at Lieberman Software:

“Every single Yahoo user should be turning on Yahoo’s two factor authentication
immediately. Yahoo has been prompting users to do this for months and most have
ignored the call for extra security. If a headline like this can’t motivate them
to take Yahoo’s good advice and use the extra security they’re offering, I’m
not sure what could.”

Amichai Shulman, CTO and Co-Founder of Imperva:

"The ease of getting tons of stolen credentials, together with the fact that users will
always continue to reuse passwords simply because they are human, makes brute force
attacks more effective than ever and forces application providers to take proper
measures to protect their users.

Data from breaches is hot merchandise on both sides of the legitimacy fence, the
security marketplace on one side and the dark market on the other.

To prevent brute force attacks, security officers should not rely on password
policies only, but should take specific detection measures like rate limiting login
attempts, detecting login attempts from automated browsers, treating with caution
logins from unexpected countries and anonymous sources, and comparing login data to
popular passwords and stolen credentials.

As we point out in our blog, there is a concerning pattern of breaches which
occurred in 2012, but their severity was underestimated and under-reported.
Organisations must not become complacent in the face of 2016’s lack of mega
breaches. As it turns out, those who don’t carefully monitor their networks today
may well regret it in 2020.”
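The detection measures Shulman lists (rate limiting login attempts, flagging automated browsers, logins from an unexpected country, and comparison against popular and breached passwords) worked into one login-evaluation routine, as an added Python example written for this page rather than code from Imperva or Yahoo. The breached-credential set, popular-password list, thresholds, and the caller-supplied `automated` and `country` signals are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data (not from the article). In production the breached
# corpus would be a hashed list, not plaintext pairs, and the popular-password
# list would be far larger.
BREACHED_PAIRS = {("alice@example.com", "Summer2014!")}
POPULAR_PASSWORDS = {"123456", "password", "qwerty", "Summer2014!"}
MAX_FAILURES = 5        # failed attempts tolerated per key inside the window
WINDOW_SECONDS = 300    # sliding window used for rate limiting


class LoginGuard:
    """Scores a login attempt against the detection measures listed above.

    `automated` is assumed to come from a client-side bot detector and
    `country` from IP geolocation; both are inputs here, not derived.
    """

    def __init__(self):
        self._failures = defaultdict(deque)   # key (user or IP) -> failure times
        self.home_country = {}                # user -> last trusted country

    def _rate_limited(self, key, now):
        # Drop failures that fell out of the window, then compare the remainder.
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q) >= MAX_FAILURES

    def record_failure(self, key, now):
        self._failures[key].append(now)

    def evaluate(self, user, password, ip, country, automated, now):
        """Return the list of triggered flags; an empty list means nothing suspicious."""
        flags = []
        # Rate limit per account and per source address so a distributed
        # credential-stuffing run against many accounts still trips the IP limit.
        if self._rate_limited(user, now) or self._rate_limited(ip, now):
            flags.append("rate_limited")
        if automated:
            flags.append("automated_browser")
        home = self.home_country.get(user)
        if home is not None and country != home:
            flags.append("unexpected_country")
        if password in POPULAR_PASSWORDS:
            flags.append("popular_password")
        if (user, password) in BREACHED_PAIRS:
            flags.append("breached_credential")
        return flags
```

Any non-empty flag list is a reason to step up authentication (second factor, forced reset) rather than to simply reject, since a legitimate traveller also trips the country check.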

Michael Patterson, CEO of Plixer:

“It is interesting that Peace, the alleged hacker, claimed to have access
to 200 million user accounts and was selling them online just prior to the Verizon
purchase of Yahoo. It may be just a hack or someone with a hidden agenda that
designed the timing to try and disrupt a billion dollar transaction. Yahoo has been
investigating this hack since August and should have immediately asked users to
change their passwords while they look into the claims.”

Brian Laing, VP, Lastline:

“This hack only emphasizes the critical importance of maintaining strong
authentication measures in both personal and professional web applications. With so
many accounts potentially open for hacker use in distributing advanced malware, a
data breach of this scale will no doubt have a far-reaching impact on malware
distribution worldwide. We recommend changing passwords immediately and considering
second-factor authentication, to ensure that accounts are not being used by
malware spammers. Because enterprise assets such as laptops are used in blurred
fashion between personal and professional every day in our daily lives, it also
underscores the criticality of protecting organizations from the network core to the
outer edges against advanced persistent threats. A hack like the Yahoo one can
provide a very large distribution hub for malware, through legitimate accounts, on a
huge scale for years to come.”

Michael Callahan, VP at FireMon:

“Given the size of Yahoo and the scale of this data breach, it is a good reminder
that attackers are just waiting for organisations to slip up in their security
measures before they seize the opportunity with both hands. Yahoo no doubt has a
huge, complex array of security technology in place to try and prevent cyber attacks
and the leaking of any customer data. The trouble is, this complexity is becoming
increasingly common in organisations that seek to do the “right” thing by
bolstering security with more solutions. But without the right intelligent tools to
help make sense of the technology, policies and access permissions under one
umbrella, it becomes almost impossible to manage. Therefore, we keep seeing these
types of breaches happening and will keep seeing them happen until proper security
management is addressed.”

Mark James, Security Specialist at ESET:

“500 million accounts is huge by any standards. We sometimes get a little blasé as
the numbers get higher, but let’s not make any mistakes here: that’s a lot of
customers’ information stolen.

Data breaches are on the up; it’s almost a daily occurrence, but the damage it
causes is massive. The data may be used for immediate financial gain or used later
along with more information to enable identity theft or phishing attacks; either way
it could be very damaging for the victim.

As always in these cases it’s the end user that ultimately pays the price. Of
course, from a PR point of view it’s never good for the company that was breached,
but for the individual it could have long-term financial implications if things go
badly wrong. It could also mean accounts may be temporarily unavailable and, for some,
emails are a lifeline. Changing email address if you move to another provider is not
as easy as it sounds, because of the nature of how email works: you still need access
to the old email in case of older websites that may require password resets or
account recovery with the original email address.

As Verizon are about to buy Yahoo, they will have to consider the backlash of future
issues with compromised account data. Because the ramifications of data breaches are
often felt in the future they will have to consider the implications of any
customers who can prove identity issues caused as a result of this particular breach
if they are the new owners.

Although it seems an easy task, stopping data breaches is not as easy as it sounds.
Doing all you possibly can to stop it in the first place, ensuring that if it does
happen then the data is stored in such a way it’s impossible to do anything with
it and having a good contingency plan in case it happens is what organisations need
to be doing.

What other businesses can learn from this is, where possible, being proactive with
your user base; the users need to be kept in the loop. If there has been a breach
then find out how, where and why. Ensure your systems are now clean if malware is
involved, reset passwords, inform your users and keep them up-to-date. We all
understand data breaches are a factor of modern day computing but the impact can be
cushioned with the correct flow of information.”

Brian Spector, CEO of MIRACL:

“This is a modern-day mega breach, and demonstrates how data theft and identity
fraud are a multi-billion dollar business on the dark Web.

It is still too early for more detailed analysis, but the attack vectors commonly
used to initialize attacks of this magnitude are to gain access by stealing employee
or insider credentials. The credentials are still all too often simply user name and
password. What the attacker knows: when a password, regardless of how complex the
password may be, is successfully stolen, the attacker can get access to internal
systems and work their way to sensitive information - and steal it all.

The underlying issue is that the username and password system is old technology that
is not up to the standard required to secure the deep information and private
services that we as individuals store and access online today. By contrast, new,
secure methods of multi-factor authentication can provide much stronger security,
and make database hacks, password reuse, browser attacks and social engineering a
thing of the past.”
