I remember meeting Tim Koogle in one of the ‘ten plagues’ conference rooms in the early days of Yahoo! Tim was the founding CEO at the time. I thought it odd that we met in a conference room named “Blood”; nearly 17 years later, here we are full circle and Yahoo! is a victim of cyber bloodshed. Well, not real blood, just the life-blood of any internet company – confidential, personally identifiable information (PII) records.
Collectively, in 2014, some Russian hackers amassed 1.2B records in a multi-pronged data theft but that wasn’t one site or one company – it was many. Thus, this is the largest single breach in history – 1 Billion records, according to Yahoo! So far, the most damaging breach in history was the TJ Maxx breach of 100,000,000 – 100 Million records. The reason is that the TJ Maxx breach included 100M valid, usable credit card records and TJ Maxx paid over $225,000,000 – 225 Million Dollars in damages. Credit card information is worth at least $1 per record on the black market. The Yahoo! breach allegedly did NOT include credit card records, however, it contained very ‘juicy’ PII – names, addresses, emails, dates of birth, passwords, answers to security questions, etc. This information would allow a smart hacker to easily break into your Yahoo! email account. If you use Yahoo! email for receiving credit card statements, online bills, bank statements or have used your account to send and receive tax records or other PII, your Yahoo! email is a treasure trove for these hackers.
What to do right away?
At Tips.SnoopWall.Com I’ve just posted my top ten tips for dealing with this Yahoo! breach if you feel you are one of the 1 Billion victims. You can find the PDF file here: https://www.snoopwall.com/wp-content/uploads/2016/09/Next-Steps-Yahoo-Data-Breach.pdf
How did this breach happen and who did it?
Like all the most recent breaches you hear about in the news, there’s a common theme. It goes like this:
1) Employee receives an email that does NOT look suspicious. It’s called a Spear Phishing attack. The source of the email is the hackers.
2) Employee is compelled to open the attachment or to click the link that leads to ‘drive by malware’ – either way, they get a Remote Access Trojan (RAT) installed. Their favorite antivirus doesn’t recognize the new malware, their firewall doesn’t notice anything suspicious and they are now infected with this piece of ‘zero day’ (new) malware. Here’s my 101 video on Spear Phishing: https://www.youtube.com/watch?v=TiBlXZWotxY which also shows that 54 antivirus scanners fail to recognize the “RAT”. Try it yourself at http://www.virustotal.com on any suspicious email attachment – but DO NOT open or execute the file, just upload it to this site to see what they think about it.
3) The hackers remotely access the employee’s computer and eavesdrop for a while – maybe a few weeks, maybe even a month. Their RAT gives them access to keyboard, microphone, webcam, file storage, etc. Then, when they’ve collected enough information using their RAT, they create a covert channel and send the data they’ve stolen either in one huge upload one evening or, more likely, in small, slow chunks, barely noticeable over a longer period of time so as to stay off the radar of an intrusion detection system.
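Step 3 is where a defender still has a chance: the slow trickle to one outside address becomes visible once outbound flows are aggregated per host and destination across days, instead of alarming on a single day's volume. The Go program below is an added example, not the author's or SnoopWall's code; the flow records, host names, addresses and thresholds are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Flow is one summarised outbound connection: the day it was seen, the
// internal source host, the external destination and the bytes sent.
// Constructed sample data only, not real traffic.
type Flow struct {
	Day   string
	Src   string
	Dst   string
	Bytes int
}

// Finding is one (source, destination) pair the rules flagged.
type Finding struct {
	Src, Dst string
	Kind     string // "burst" (one big upload) or "low-and-slow" (steady trickle)
	Days     int    // distinct days with traffic to that destination
	Total    int    // cumulative bytes sent
}

// Thresholds are assumptions for this example; tune them per environment.
const (
	burstBytes = 50000000 // a single day this large trips a plain volume alarm
	minDays    = 5        // contact on at least this many days...
	totalBytes = 8000000  // ...and this much in total is the low-and-slow rule
)

// Detect aggregates flows per (src, dst) pair and applies both rules. The
// low-and-slow rule is what a per-day volume alarm misses: each day is small,
// but the same host keeps feeding the same destination for days.
func Detect(flows []Flow) []Finding {
	type agg struct {
		perDay map[string]int
		total  int
	}
	pairs := map[[2]string]*agg{}
	for _, f := range flows {
		k := [2]string{f.Src, f.Dst}
		a, ok := pairs[k]
		if !ok {
			a = &agg{perDay: map[string]int{}}
			pairs[k] = a
		}
		a.perDay[f.Day] += f.Bytes
		a.total += f.Bytes
	}

	var out []Finding
	for k, a := range pairs {
		burst := false
		for _, b := range a.perDay {
			if b >= burstBytes {
				burst = true
			}
		}
		switch {
		case burst:
			out = append(out, Finding{k[0], k[1], "burst", len(a.perDay), a.total})
		case len(a.perDay) >= minDays && a.total >= totalBytes:
			out = append(out, Finding{k[0], k[1], "low-and-slow", len(a.perDay), a.total})
		}
	}
	// Map iteration order is random; sort so the output is stable.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Src != out[j].Src {
			return out[i].Src < out[j].Src
		}
		return out[i].Dst < out[j].Dst
	})
	return out
}

// SampleFlows is a constructed week: a normal host, a host that uploads
// everything in one evening, and a host trickling 1.5 MB a night to one
// address for seven nights.
func SampleFlows() []Flow {
	var flows []Flow
	for i := 1; i <= 7; i++ {
		day := fmt.Sprintf("2016-09-%02d", 18+i)
		flows = append(flows, Flow{day, "ws-eng-12", "192.0.2.44", 1500000}) // trickle
		if i <= 3 {
			flows = append(flows, Flow{day, "ws-finance-01", "203.0.113.10", 200000}) // normal
		}
	}
	flows = append(flows, Flow{"2016-09-20", "ws-hr-07", "198.51.100.5", 60000000}) // burst
	return flows
}

func main() {
	for _, f := range Detect(SampleFlows()) {
		fmt.Printf("%-12s %-14s -> %-13s days=%d total=%d bytes\n", f.Kind, f.Src, f.Dst, f.Days, f.Total)
	}
}
```

The burst rule is the one most IDS volume alarms already implement; the low-and-slow rule is the point of the example, since 1.5 MB a night never crosses a per-day threshold yet adds up to more than 10 MB to one address in a week. In a real deployment the flows come from NetFlow, firewall or proxy logs, and the destination should be checked against known-good services (backup, update and cloud storage providers) before an alert is raised.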
I’m tossing my coin on either the Russian government or the Chinese government as to who the ‘nation state actors’ are in this case and I’m leaning towards China. It’s just a best guess but time will tell.
Why didn’t Yahoo! tell us about the Breach when it started, in 2014?
If it’s true that Nation State actors (cyber hackers working for another government) actually hacked Yahoo! then maybe Yahoo! asked for FBI help in 2014 and the FBI told them not to disclose the breach while they were investigating it.
However, under California law, a breach notice must be given to consumers within 30 days of the detection of a breach, so it’s odd that we’re finding out about it in 2016.
Most likely, Yahoo! recently found out about the breach 2 years too late. This happens all the time. According to FireEye, most breaches are not discovered by the victims for over 280 days, nearly a year!
Could this huge breach have been avoided?
As I’ve been saying for years, the #1 way exploitation occurs (this breach, Anthem.com – 80m records, OPM.gov 22m records, etc.) is simple. Spear Phishing. So, if Yahoo! made sure that all employees could only use TEXT ONLY email with no hyperlinks or attachments, they would never have been infected with the RAT that allowed the cyberhackers to steal 1 billion records. It’s that simple! But wait, you’ll say “no one can get their work done with text only email.” I beg to differ. Just agree on a covert file transfer protocol, for example, “I’m going to send you that file through our shared (secret and encrypted and password protected) Box account.” You could use Box, DropBox, Google Drive, Filesanywhere or one of the many other file sharing/transferring services that support privacy and encryption with password protection. Then, anytime you need to transfer a file or receive one, it’s on a secret location that only you and the sender know. You don’t put this info in email, you don’t publicize it and now, you don’t get Spear Phished, ever.
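The text-only policy above can be enforced at the mail gateway rather than left to each employee's discipline. The Go program below is an added example, not code from the author or SnoopWall: it parses a message, keeps only the text/plain parts, strips attachments and HTML bodies, and replaces every hyperlink with a marker so the recipient has nothing to click and nothing to open. The sample message, sender and file name are constructed for the example.

```go
package main

import (
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"regexp"
	"strings"
)

// Filtered is what the gateway delivers and what it stripped.
type Filtered struct {
	Text        string   // text/plain content that is delivered
	Attachments []string // dropped parts: file names, or "(inline <type>)" for unnamed parts
	Links       []string // hyperlinks found in the text and replaced with a marker
}

var urlRe = regexp.MustCompile(`(?i)\bhttps?://[^\s<>"']+`)

// Filter parses one raw message and keeps only its text/plain parts; HTML
// alternatives and attachments are dropped and recorded, and every hyperlink
// in the surviving text is replaced, so there is nothing to click or open.
func Filter(raw string) (Filtered, error) {
	var res Filtered
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return res, err
	}
	var text []string
	var walk func(body io.Reader, contentType, fileName string) error
	walk = func(body io.Reader, contentType, fileName string) error {
		if contentType == "" {
			contentType = "text/plain" // RFC 2045 default when the header is absent
		}
		mediaType, params, err := mime.ParseMediaType(contentType)
		if err != nil {
			mediaType = "application/octet-stream" // unparsable type: treat as a blob
		}
		switch {
		case strings.HasPrefix(mediaType, "multipart/"): // recurse into each sub-part
			mr := multipart.NewReader(body, params["boundary"])
			for {
				p, err := mr.NextPart()
				if err == io.EOF {
					return nil
				}
				if err != nil {
					return err
				}
				if err := walk(p, p.Header.Get("Content-Type"), p.FileName()); err != nil {
					return err
				}
			}
		case mediaType == "text/plain" && fileName == "": // the only thing delivered
			b, err := io.ReadAll(body)
			if err != nil {
				return err
			}
			text = append(text, string(b))
		default: // HTML bodies, named .txt files, binaries: stripped and recorded
			name := fileName
			if name == "" {
				name = "(inline " + mediaType + ")"
			}
			res.Attachments = append(res.Attachments, name)
		}
		return nil
	}
	if err := walk(msg.Body, msg.Header.Get("Content-Type"), ""); err != nil {
		return res, err
	}
	joined := strings.Join(text, "\n")
	res.Links = urlRe.FindAllString(joined, -1)
	res.Text = urlRe.ReplaceAllString(joined, "[link removed]")
	return res, nil
}

// SampleMessage is a constructed phishing-style message: a text part with a
// link, an HTML alternative and an executable attachment. Every value is made up.
func SampleMessage() string {
	return strings.Join([]string{
		"From: Accounts <accounts@example.com>",
		"Subject: Updated invoice",
		`Content-Type: multipart/mixed; boundary="XYZ"`,
		"",
		"--XYZ",
		"Content-Type: text/plain; charset=utf-8",
		"",
		"Please review the attached invoice or download it at http://example.net/invoice today.",
		"--XYZ",
		"Content-Type: text/html; charset=utf-8",
		"",
		`<p>Please <a href="http://example.net/invoice">review the invoice</a>.</p>`,
		"--XYZ",
		"Content-Type: application/octet-stream",
		`Content-Disposition: attachment; filename="invoice.exe"`,
		"",
		"PLACEHOLDER-BYTES", // stands in for the attachment body
		"--XYZ--",
		"",
	}, "\r\n")
}
```

Calling Filter(SampleMessage()) delivers the one sentence with its link replaced, and records the HTML part and invoice.exe as stripped. A gateway like this still needs the out-of-band file channel the text describes, since the recipient never sees the attachment; the stripped parts should be quarantined and hashed so that a suspicious file can be looked up without anyone executing it.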
Finally, Yahoo! needed to encrypt everything – data and applications, all the time. What would STRONG ENCRYPTION with proper key management have done for Yahoo!? Well, the hackers may have stolen 1 billion records but if they were encrypted and the hackers had no way to crack the encryption, they would have 1 billion blobs of useless information. Yes, it’s that simple. Encryption can be free and strong like TrueCrypt (v6.0 or older), OpenSSL, OpenCA and so many other free encryption tools there simply should be NO excuse for using plain text to store PII anymore.
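What "proper key management" looks like in practice is envelope encryption: each PII record is encrypted under its own data key, and only that data key is wrapped under a master key that never sits in the database. The Go program below is an added example, not the author's or SnoopWall's code, and it uses AES-GCM from Go's standard library rather than the tools named above; the master key is a fixed byte slice standing in for an HSM or key-management service, and the record is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is what the database row holds: the record ciphertext and
// the per-record data key, itself encrypted ("wrapped") under a master key
// stored elsewhere. In production the master key lives in an HSM or KMS;
// here it is a byte slice, an assumption made for the example.
type EncryptedRecord struct {
	WrappedKey []byte // nonce || AES-GCM(masterKey, dataKey)
	Ciphertext []byte // nonce || AES-GCM(dataKey, record)
}

// gcmSeal encrypts and authenticates plaintext under key with a fresh
// random nonce, returning nonce || ciphertext || tag.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; a wrong key or any modified byte fails the tag check.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptRecord draws a fresh 256-bit data key for this one record,
// encrypts the record with it, then wraps the data key under masterKey.
func EncryptRecord(masterKey, record []byte) (EncryptedRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return EncryptedRecord{}, err
	}
	ct, err := gcmSeal(dataKey, record)
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := gcmSeal(masterKey, dataKey)
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord must unwrap the data key first, so a stolen copy of the
// table is unreadable without the master key.
func DecryptRecord(masterKey []byte, er EncryptedRecord) ([]byte, error) {
	dataKey, err := gcmOpen(masterKey, er.WrappedKey)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong or missing master key")
	}
	return gcmOpen(dataKey, er.Ciphertext)
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed stand-in for a KMS-held key
	record := []byte(`{"name":"Jane Roe","dob":"1980-01-01","email":"jane@example.com"}`) // constructed PII
	er, err := EncryptRecord(master, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row contains the name in clear? %v\n", bytes.Contains(er.Ciphertext, []byte("Jane")))
	if _, err := DecryptRecord(bytes.Repeat([]byte{0x24}, 32), er); err != nil {
		fmt.Println("thief holding the table but not the master key:", err)
	}
	pt, _ := DecryptRecord(master, er)
	fmt.Println("legitimate application:", string(pt))
}
```

Because each data key encrypts exactly one record, a GCM nonce is never reused under the same key, a single record can be rendered unreadable by deleting its wrapped key, and a bulk copy of the table is only useful to whoever also holds the master key. The wrapping step is the one that belongs in an HSM or KMS, which also keeps the master key out of application memory and lets it be rotated by re-wrapping data keys without touching the records.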
If, after my simple recommendations, Yahoo! still can’t get it right, they could always deploy my NetSHIELD appliances to prevent the breach in the first place. But, companies like Yahoo! would rather risk a data blood bath than buy products from smaller, innovative startups. Their IT staff will also be proud when they say “I don’t get fired for buying from Cisco (or IBM, or fill in the blank large public company with old INFOSEC technology).” Sorry, that poor excuse won’t work anymore. Innovate, get proactive, go on the offense, or be responsible for the breach (and most likely get fired for your failure to take proactive ‘risk’ to reduce risk).
Lessons learned, Yahoo! The Data Breach should never have happened.
P.S. M&A 101 – Did Verizon know about this before offering to Buy Yahoo!?
Most likely not. Again, epic fail. During an M&A, it’s critical to not just audit the financials. If you are buying a company, audit their network, their security posture, etc. Cybersecurity professionals might have tipped Verizon off to the breach and they might have paid a fairer and more reasonable price for an asset that’s going to be sued. Remember the TJ MAXX breach – it cost them $225M. What will this cost Yahoo!?
About The Author
Gary Miliefsky, fmDHS, CISSP®, is the Executive Producer of Cyber Defense Magazine who loves to write his annual trip report to his favorite INFOSEC conference, RSA Conference USA. He is a cyber-security expert and a frequent invited guest on national and international media commenting on mobile privacy, cyber security, cyber crime and cyber terrorism, also covered in both Forbes and Fortune Magazines. He has been extremely active in the INFOSEC arena and is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), the National Information Security Group (http://www.NAISG.org) and the OVAL advisory board of MITRE responsible for the CVE Program (http://CVE.mitre.org). He also assisted the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace as well as the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. Previously, Gary has been founder and/or inventor for technologies and corporations sold and licensed to Hexis Cyber, Intel/McAfee, IBM, Computer Associates and BlackBox Corporation. Gary is a member of ISC2.org and is a CISSP® who founded SnoopWall, Inc., the breach prevention company.