Back to Insights
Never Waste a Good Crisis: Yahoo Edition
December 20, 2016 | Authentication
By Daniel Maloof, IANS Managing Editor
If you’re a CISO, you’re likely fielding warm holiday emails from your board wishing you a great time with your family and asking you what the heck the Yahoo breach means (if not, Yahoo announced last week that one billion user accounts had been accessed).
It’s a complex question, and facts are thin, but there are three areas to start with:
- Intrusion detection
- Response planning
Authentication is important because, apparently, this set of attackers operated using “the creation of forged cookies that could allow an intruder to access users’ accounts without a password." Intrusion detection deserves a spotlight because “law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data" that caused them to believe "an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts."
Both authentication and intrusion detection are called out in the opening paragraphs of Yahoo's notice. The third area, response planning, is hopefully obvious.
Let's further examine each of these areas in the context of the Yahoo breach and consider some potential lessons to learn.
It’s time to review the authentication schemes for your services end to end. Odds are that Yahoo was using a keyed MAC (message authentication code) to authenticate cookies, and that the key was stolen, allowing cookie forgery. That wouldn’t have worked if the key was being rotated every few million new authentications.
It's worth asking, what would happen if each key in your system was stolen? How long would it keep working? Another aspect of the story is about the theft of responses to “secret questions.” These questions have always been a weak, difficult-to-use element of backup authentication, and with those answers being stolen, it’s time for everyone, including you, to reconsider their use.
It took over three years for Yahoo to hear about the breach (August 2013 to November 2016). I personally know many people on Yahoo's security team. They’re smart, dedicated security engineers at the top of their field and game. And, again, it took three years for the breach to be noticed. It’s time to review and re-evaluate how you do intrusion detection, both at the IT level and in your custom business code.
Have you used simulated attacks to see how well your intrusion detection works? There are a slew of “attack simulation” companies out there. What they’re doing is new and interesting. What are you doing to keep an eye on your custom services? Someone wrote code that showed up at Yahoo’s services one billion times, went to the account page, scraped it and showed up again. It was missed. It’s easy to laugh and point fingers, but don’t. Have you shown that you catch it? Today? In your services?
The wrong answer is to wait for a researcher like Andrew Komarov to discover the database, deliver it to the government, then wait for the government to let you know. There’s some great color in this story from Bloomberg, but don’t get so focused on the colorful details that you lose the big picture.
Response Planning and Tabletop Exercises
The big question here is, have you planned your response to a serious incident? There are plenty of examples, and you can easily adapt one into a tabletop exercise to help your leadership practice what to do in the case of a breach.
In conclusion, as Winston Churchill said, “never waste a good crisis.” It’s excellent advice, and it's extremely important that you take away the right lessons. In this story, those lessons are that it might be time to re-assess your organization's current authentication, intrusion detection and response planning strategies.
Adam Shostack is an entrepreneur, technologist, author and game designer. He is a member of the BlackHat Review Board, helped found the CVE, and is the author of "Threat Modeling: Designing for Security," and co-author of "The New School of Information Security."
| Tools & Templates
Incident Cheat Sheet: When to Contact Law Enforcement
| Faculty Reports
IANS Vulnerability and Breach Update: Q1 2018
Verizon’s 2018 DBIR: Ransomware Defenses Still Woefully Lacking
| Faculty Reports
Outsourced Authentication: When It Works – and When It Doesn’t