Never Waste a Good Crisis: Yahoo Edition

December 20, 2016 | Blog | Authentication | By Daniel Maloof, IANS Managing Editor

If you’re a CISO, you’re likely fielding warm holiday emails from your board wishing you a great time with your family and asking you what the heck the Yahoo breach means (if not, Yahoo announced last week that one billion user accounts had been accessed). 

It’s a complex question, and facts are thin, but there are three areas to start with:

  • Authentication
  • Intrusion detection
  • Response planning 

Authentication is important because, apparently, this set of attackers operated using “the creation of forged cookies that could allow an intruder to access users’ accounts without a password.” Intrusion detection deserves a spotlight because “law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data” that caused them to believe “an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts.”

Both authentication and intrusion detection are called out in the opening paragraphs of Yahoo's notice. The third area, response planning, is hopefully obvious. 

Let's further examine each of these areas in the context of the Yahoo breach and consider some potential lessons to learn. 

Authentication
It’s time to review the authentication schemes for your services end to end. Odds are that Yahoo was using a keyed MAC (message authentication code) to authenticate cookies, and that the key was stolen, allowing cookie forgery. That wouldn’t have worked if the key was being rotated every few million new authentications. 

It's worth asking what would happen if each key in your system were stolen: how long would it keep working? Another aspect of the story is the theft of responses to “secret questions.” These questions have always been a weak, difficult-to-use element of backup authentication, and now that those answers have been stolen, it’s time for everyone, including you, to reconsider their use.
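To make the key-rotation point concrete, here is an added example (not code from the post or from Yahoo) of an HMAC cookie signer with key ids, a per-key signing budget and explicit retirement; the design, the `k1`/`k2` key ids and the cookie layout are assumptions. `leaked_key_demo` shows that a cookie minted with a leaked key stops verifying as soon as that key is rotated out and retired.

```python
import hashlib, hmac, secrets, time

class CookieSigner:
    """HMAC session cookies with key ids, a per-key signing budget and
    explicit retirement (an assumed design, not Yahoo's)."""
    def __init__(self, max_sigs_per_key=1_000_000):
        self.max_sigs = max_sigs_per_key
        self.keys = {}          # key id -> secret; old keys stay until retired
        self.sig_count, self.current_kid = 0, None
        self.rotate()

    def rotate(self):
        """Install a fresh signing key; cookies under older keys still verify."""
        kid = f"k{len(self.keys) + 1}"
        self.keys[kid] = secrets.token_bytes(32)
        self.current_kid, self.sig_count = kid, 0
        return kid

    def retire(self, kid):
        self.keys.pop(kid, None)    # once its cookies expired, or at once on suspected theft
    def _mac(self, kid, payload):
        return hmac.new(self.keys[kid], f"{kid}|{payload}".encode(), hashlib.sha256).hexdigest()
    def sign(self, user):
        if self.sig_count >= self.max_sigs:   # budget spent: rotate before signing
            self.rotate()
        self.sig_count += 1
        payload = f"{user}|{int(time.time())}"
        return f"{self.current_kid}|{payload}|{self._mac(self.current_kid, payload)}"

    def verify(self, cookie):
        """Return the user for a valid cookie, else None."""
        try:
            kid, user, ts, tag = cookie.split("|")
        except ValueError:
            return None
        if kid not in self.keys:            # unknown or retired key id
            return None
        ok = hmac.compare_digest(tag, self._mac(kid, f"{user}|{ts}"))
        return user if ok else None

def leaked_key_demo():
    """A cookie minted with a leaked key is accepted only until that key is retired."""
    s = CookieSigner(max_sigs_per_key=1000)
    kid, key = s.current_kid, s.keys[s.current_kid]
    payload = "victim|0"
    tag = hmac.new(key, f"{kid}|{payload}".encode(), hashlib.sha256).hexdigest()
    minted = f"{kid}|{payload}|{tag}"
    before = s.verify(minted)               # "victim": the leaked key is still live
    s.rotate(); s.retire(kid)
    return before, s.verify(minted)         # (..., None): the forgery no longer verifies
```

The signing budget bounds how many cookies any one key can ever vouch for; the answer to “how long would a stolen key keep working?” becomes “until the next rotation plus the cookie lifetime,” not “forever.”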

Intrusion Detection

It took over three years for Yahoo to hear about the breach (August 2013 to November 2016). I personally know many people on Yahoo's security team. They’re smart, dedicated security engineers at the top of their field and game. And, again, it took three years for the breach to be noticed. It’s time to review and re-evaluate how you do intrusion detection, both at the IT level and in your custom business code. 

Have you used simulated attacks to see how well your intrusion detection works? There are a slew of “attack simulation” companies out there. What they’re doing is new and interesting. What are you doing to keep an eye on your custom services? Someone wrote code that showed up at Yahoo’s services one billion times, went to the account page, scraped it and showed up again. It was missed. It’s easy to laugh and point fingers, but don’t. Have you shown that you catch it? Today? In your services? 
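As an added example (not from the post or from Yahoo) of the kind of check a custom service could run on its own logs, the block below looks for two signals of the pattern described above: sessions presented to the app that the login flow never issued (a forged cookie never passes through login), and a single client fetching the account pages of many different users. The log format, the field names and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample logs (not real Yahoo data): "<ts> <client_ip> <session_id> <path>".
LOGIN_LOG = """\
1481800000 10.0.0.5 s-alice-1 /login
1481800010 10.0.0.6 s-bob-1 /login
"""
ACCESS_LOG = """\
1481800020 10.0.0.5 s-alice-1 /account/alice
1481800030 10.0.0.6 s-bob-1 /account/bob
1481800040 203.0.113.9 s-f001 /account/u001
1481800041 203.0.113.9 s-f002 /account/u002
1481800042 203.0.113.9 s-f003 /account/u003
1481800043 203.0.113.9 s-f004 /account/u004
1481800050 10.0.0.5 s-alice-1 /inbox
"""

LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def parse(log):
    """Yield (ts, ip, session, path) tuples; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, ip, sid, path = m.groups()
            yield int(ts), ip, sid, path

def detect(access_log, login_log, max_accounts_per_client=3):
    """Return (scraper_ips, unissued_session_ids).
    scraper_ips: clients that fetched more than max_accounts_per_client distinct
    account pages; unissued_session_ids: sessions never minted by /login."""
    issued = {sid for _, _, sid, path in parse(login_log) if path == "/login"}
    accounts_by_ip = defaultdict(set)
    unissued = set()
    for _, ip, sid, path in parse(access_log):
        if sid not in issued:
            unissued.add(sid)
        m = re.match(r"/account/([^/]+)$", path)
        if m:
            accounts_by_ip[ip].add(m.group(1))
    scrapers = sorted(ip for ip, accts in accounts_by_ip.items()
                      if len(accts) > max_accounts_per_client)
    return scrapers, sorted(unissued)

if __name__ == "__main__":
    print(detect(ACCESS_LOG, LOGIN_LOG))
```

A production version would window the per-client count by time and key on more than the source address, but the two questions it asks (did we issue this session, and why is one client reading so many accounts?) are the ones worth being able to answer today.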

The wrong answer is to wait for a researcher like Andrew Komarov to discover the database, deliver it to the government, then wait for the government to let you know. There’s some great color in this story from Bloomberg, but don’t get so focused on the colorful details that you lose the big picture.

Response Planning and Tabletop Exercises

The big question here is, have you planned your response to a serious incident? There are plenty of examples, and you can easily adapt one into a tabletop exercise to help your leadership practice what to do in the case of a breach. 

In conclusion, as Winston Churchill said, “never waste a good crisis.” It’s excellent advice, and it's extremely important that you take away the right lessons. In this story, those lessons are that it might be time to re-assess your organization's current authentication, intrusion detection and response planning strategies. 

Adam Shostack is an entrepreneur, technologist, author and game designer. He is a member of the BlackHat Review Board, helped found the CVE, and is the author of "Threat Modeling: Designing for Security," and co-author of "The New School of Information Security."
