home_banner `

Content Icon

Never Waste a Good Crisis: Yahoo Edition

December 20, 2016 | Blog | Authentication | By Daniel Maloof, IANS Managing Editor

If you’re a CISO, you’reAdamShostack likely fielding warm holiday emails from your board wishing you a great time with your family and asking you what the heck the Yahoo breach means (if not, Yahoo announced last week that one billion user accounts had been accessed). 

It’s a complex question, and facts are thin, but there are three areas to start with:

  • Authentication
  • Intrusion detection
  • Response planning 

Authentication is important because, apparently, this set of attackers operated using “the creation of forged cookies that could allow an intruder to access users’ accounts without a password." Intrusion detection deserves a spotlight because “law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data" that caused them to believe "an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts."

Both authentication and intrusion detection are called out in the opening paragraphs of Yahoo's notice. The third area, response planning, is hopefully obvious. 

Let's further examine each of these areas in the context of the Yahoo breach and consider some potential lessons to learn. 


It’s time to review the authentication schemes for your services end to end. Odds are that Yahoo was using a keyed MAC (message authentication code) to authenticate cookies, and that the key was stolen, allowing cookie forgery. That wouldn’t have worked if the key was being rotated every few million new authentications. 

It's worth asking, what would happen if each key in your system was stolen? How long would it keep working? Another aspect of the story is about the theft of responses to “secret questions.” These questions have always been a weak, difficult-to-use element of backup authentication, and with those answers being stolen, it’s time for everyone, including you, to reconsider their use.

Intrusion Detection

It took over three years for Yahoo to hear about the breach (August 2013 to November 2016). I personally know many people on Yahoo's security team. They’re smart, dedicated security engineers at the top of their field and game. And, again, it took three years for the breach to be noticed. It’s time to review and re-evaluate how you do intrusion detection, both at the IT level and in your custom business code. 

Have you used simulated attacks to see how well your intrusion detection works? There are a slew of “attack simulation” companies out there. What they’re doing is new and interesting. What are you doing to keep an eye on your custom services?  Someone wrote code that showed up at Yahoo’s services one billion times, went to the account page, scraped it and showed up again. It was missed. It’s easy to laugh and point fingers, but don’t. Have you shown that you catch it? Today? In your services? 

The wrong answer is to wait for a researcher like Andrew Komarov to discover the database, deliver it to the government, then wait for the government to let you know. There’s some great color in this story from Bloomberg, but don’t get so focused on the colorful details that you lose the big picture.

Response Planning and Tabletop Exercises

The big question here is, have you planned your response to a serious incident? There are plenty of examples, and you can easily adapt one into a tabletop exercise to help your leadership practice what to do in the case of a breach. 

In conclusion, as Winston Churchill said, “never waste a good crisis.” It’s excellent advice, and it's extremely important that you take away the right lessons. In this story, those lessons are that it might be time to re-assess your organization's current authentication, intrusion detection and response planning strategies. 

Adam Shostack is an entrepreneur, technologist, author and game designer. He is a member of the BlackHat Review Board, helped found the CVE, and is the author of "Threat Modeling: Designing for Security," and co-author of "The New School of Information Security."

Related Research

IANS Vulnerability and Breach Update: Q4 2018

Vulnerabilities and breaches are mainstream news regularly. With a new vulnerability seemingly discovered daily, which should be taken more seriously (i.e., patch now!) and which are overhyped? In this quarterly research report, IANS Faculty Mike Saurbaugh updates clients on the top vulnerabilities and breaches from the past quarter and provides some real-world context and perspective.

2018 in Review

In this webinar, IANS Research Director Bill Brenner and IANS Faculty Dave Shackleford look back at the biggest security news trends of 2018, what made them significant and what it all could mean for the year ahead.

Poll: Cheap, Easy Multifactor Authentication (MFA)

What MFA solutions are cheap, easy to implement and effective? In this Viewpoints report, IANS Faculty Jared DeMott, Mike Saurbaugh and Adam Shostack offer their recommendations.

The Marriott Breach: What Happened and What to Do About It

Marriott just announced a major breach affecting more than 500 million customers worldwide. What does an event like that mean for your business? In this Ask-an-Expert written response, IANS Faculty Adam Shostack explains what happened and offers recommendations for reducing the risk to your organization.

We use cookies to deliver you the best experience on our website. By continuing to use our website, you consent to our cookie usage and revised Privacy Statement.