Modern field guide to security and privacy

Yahoo hack throws internet insecurity into sharp relief

The massive scale of the credential thefts at Yahoo, LinkedIn, and the other internet firms has focused attention on the seeming inability of American companies to secure their networks against foreign and domestic adversaries.

Denis Balibouse/Reuters
A Yahoo logo is pictured in front of a building in Rolle, 30 km (19 miles) east of Geneva, December 12, 2012.

Even in an era of massive data breaches, the one announced by Yahoo this week was spectacular and raises worrisome questions about the continued vulnerability of America's digital networks to increasingly sophisticated adversaries.

Yahoo on Thursday announced that what it described as a state-sponsored adversary had broken into its networks and stolen the names, email addresses, phone numbers, birth dates, hashed passwords (the vast majority hashed with bcrypt, according to Yahoo's statement), and, in some cases, security questions and answers belonging to a staggering 500 million user accounts.

The announcement confirmed earlier rumors of a breach at the company. In August, a cybercriminal going by the handle "Peace" claimed to have put some 200 million Yahoo credentials up for sale on the Dark Web. Yahoo said at the time that it was aware of the hacker's claim but did not confirm it had been breached.

Earlier this year, Peace had also put hundreds of millions of user credentials stolen from LinkedIn, MySpace, and Tumblr up for sale. That data came from intrusions at those firms over the preceding two or three years.

Yahoo said the intrusion into its network occurred sometime in late 2014 but offered no explanation of why it was disclosing the breach only now, two months after agreeing to sell its core business to Verizon for $4.8 billion.

Over the past few years, numerous private sector and government organizations have been hit in breaches that have exposed financial data, personal information, health care data and privileged information.

Just this week, for instance, White House officials said they are investigating reports that hackers leaked First Lady Michelle Obama's passport details and Vice President Biden's travel schedules online.

The breaches come at a time when spending on information security is higher than ever. The technology research firm Gartner expects worldwide information security spending to top $81 billion in 2016, up nearly 8 percent from last year.

As organizations such as Yahoo continue to be breached in spectacular fashion, it is clear that modern enterprises face enormous challenges in stopping attackers.

For a company as large as Yahoo, blocking every single entry point and avenue of attack is incredibly difficult, security experts say. The growing use of cloud services and mobile devices has opened up innumerable entry points into the network, making it almost impossible to stop every intrusion attempt.

"Despite the size of a company or how large a cybersecurity budget [it may have], there are currently no technology controls or assortment of controls that can defend a company against an attack," says Chris Pierson, general counsel and chief security officer at Viewpost, a provider of online invoicing and payment services.

No current technology controls have proven themselves capable of immediately spotting a sophisticated adversary and minimizing the length of time it spends in a network, Mr. Pierson said.

"Until we can achieve times that are measured in minutes and hours to enable reaction, response, and blocking, all companies are susceptible to compromise," he said.

In Yahoo's case, the company's failure to disclose the breach for nearly two years suggests either that it lacked adequate breach detection and response capabilities or that it stayed silent despite knowing about the intrusion.

Either way, the consequences are likely enormous. The leak has handed attackers 500 million new keys to try against other organizations, says Rajiv Gupta, chief executive officer of security vendor Skyhigh Networks.

Many of the username and password combinations will no longer work or will lead nowhere. But some of them will unlock sensitive information, because users tend to reuse the same login credentials across services.

Previous incidents show that password breaches can have a significant ripple effect, says Mr. Gupta. "[Extensive] password reuse means even a stolen consumer email or social media password can be the weak link that leads to a data breach."
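The ripple effect Mr. Gupta describes shows up on the receiving end as credential stuffing: a leaked list is replayed against another organization's login page, most attempts fail, and the handful that succeed are exactly the accounts whose owners reused a password. The following script, an added example and not code from the article or from any vendor quoted in it, runs that detection over a small constructed authentication log. The log format (`<timestamp> <source_ip> login user=<name> result=<ok|fail>`) and the thresholds are assumptions chosen for illustration.

```python
"""
Credential-stuffing detection over authentication log lines.

Added example; the log format and thresholds below are hypothetical.
A source that tries many distinct usernames with a high failure rate is
replaying a credential list; any login that *succeeded* from such a source
is a likely reused-password account and should be force-reset.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: 203.0.113.7 replays a leaked list (8 usernames,
# 2 hits); 198.51.100.4 is a real user mistyping twice; 192.0.2.9 is normal.
SAMPLE_LOG = """\
2016-09-23T10:00:01Z 203.0.113.7 login user=alice result=fail
2016-09-23T10:00:02Z 203.0.113.7 login user=bob result=fail
2016-09-23T10:00:02Z 203.0.113.7 login user=carol result=ok
2016-09-23T10:00:03Z 203.0.113.7 login user=dave result=fail
2016-09-23T10:00:03Z 203.0.113.7 login user=erin result=fail
2016-09-23T10:00:04Z 203.0.113.7 login user=frank result=fail
2016-09-23T10:00:04Z 203.0.113.7 login user=grace result=ok
2016-09-23T10:00:05Z 203.0.113.7 login user=heidi result=fail
2016-09-23T10:01:10Z 198.51.100.4 login user=ivan result=fail
2016-09-23T10:01:20Z 198.51.100.4 login user=ivan result=fail
2016-09-23T10:01:31Z 198.51.100.4 login user=ivan result=ok
2016-09-23T10:02:00Z 192.0.2.9 login user=judy result=ok
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while scanning the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # usernames that logged in


def parse_line(line):
    """Return (source_ip, username, succeeded) or None for lines that do not match."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "login":
        return None
    user = parts[3].partition("=")[2]
    result = parts[4].partition("=")[2]
    if not user or result not in ("ok", "fail"):
        return None
    return parts[1], user, result == "ok"


def aggregate(log_text):
    """Group attempts by source IP, tracking distinct users, failures and successes."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or unrelated lines
        ip, user, ok = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
    return stats


def detect_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {source_ip: sorted accounts that succeeded} for stuffing sources.

    A source is flagged when it touched at least `min_users` distinct usernames
    and at least `min_fail_ratio` of its attempts failed. A single user failing
    several times (a forgotten password) never trips the distinct-user bar.
    """
    hits = {}
    for ip, s in aggregate(log_text).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            hits[ip] = sorted(s.successes)
    return hits


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing; accounts to force-reset: {accounts}")
```

The interesting output is not the attacking IP but the short list of accounts that authenticated successfully from it: those are the users whose Yahoo-style leaked password also worked here, and they need a forced reset and a session review rather than just an IP block. In production the same logic runs over a sliding time window and the thresholds are tuned against normal traffic.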
