7/13/2012
11:09 AM

Yahoo Password Breach: 7 Lessons Learned

What should businesses, users, and regulators take away from the Yahoo password breach? Start with encryption for all stored passwords.

Stop the password breach madness: If it seems as if every week brings a new password breach to light, that's because hackers have been hard at work, releasing passwords with aplomb.

Recently, an attacker uploaded a subset of hashed passwords from LinkedIn to an online security forum, requesting help with cracking them. That was swiftly followed--apparently by the same attacker--by similar requests for passwords purloined from dating website eHarmony and music-streaming website Last.fm.

This week, question-and-answer website Formspring said that 420,000 of its users' passwords had been compromised, leading the company to reset passwords for all 28 million users. Meanwhile, a hacker or hacking group known as D33Ds Company leaked about 450,000 email addresses and passwords associated with Yahoo Voices, formerly known as Yahoo Contributor Network. The motivation, according to D33Ds, was simple: it was sending "a wake-up call" to whoever was in charge of Yahoo Voices about the need to get serious about security.


What could Yahoo--and by extension any company that has consumer passwords to protect--do better? Here are seven best practices:

1. Confirm breaches quickly. Where Yahoo and Formspring are to be commended is in the speed with which they confirmed their password breaches and instituted a fix, all of which happened in less than 24 hours. According to Yahoo spokesman Jon White, "We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users, and notifying the companies whose users' accounts may have been compromised."

Formspring, however, went one step better, by providing details about the exact improvements made. "We were able to immediately fix the hole and upgraded our hashing mechanisms from SHA-256 with random salts to Bcrypt, to fortify security," said Formspring CEO Ade Olonoh in a blog posted Wednesday.

2. Watch for fast-moving SQL injection attacks. D33Ds said it breached Yahoo by using a union-based SQL injection attack. Security experts said attackers prefer this type of attack for its ability--when successfully executed--to rapidly retrieve large amounts of sensitive data.

"Not all SQL injection attacks are equal. Some can be more destructive than others," said Kyle Adams at Mykonos Software--part of Juniper Networks--in a blog post. "This [type of] attack enables the attacker to extract extremely large chunks of data in a very short amount of time. It's the difference between requesting each password one at a time (normal SQL injection), letter by letter (blind SQL injection) or requesting hundreds of passwords in one shot (union-based)."
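The distinguishing trait Adams describes (hundreds of rows returned in one request) is also what makes union-based injection detectable at the web tier. The following is an added example, not code from the article or from any vendor quoted in it: a small Python check that URL-decodes the request line of constructed web-server log entries and flags the UNION ... SELECT keyword sequence, keeping the response size alongside so unusually large responses can be reviewed together with the hit. The log format, field names and sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not data from the breach). The second and
# third requests carry a generic UNION-based probe in the query string; the
# fourth contains the plain English word "union" and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jul/2012:10:01:02 +0000] "GET /articles?id=42 HTTP/1.1" 200 5120
10.0.0.9 - - [13/Jul/2012:10:01:07 +0000] "GET /articles?id=42%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 88217
10.0.0.9 - - [13/Jul/2012:10:01:09 +0000] "GET /articles?id=42%20UnIoN%20aLl%20SeLeCt%201,2,3 HTTP/1.1" 500 312
10.0.0.7 - - [13/Jul/2012:10:02:00 +0000] "GET /search?q=trade%20union%20history HTTP/1.1" 200 4096
"""

# Common-log-style request line: source address, request target, status, response bytes.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) (\d+)'
)
# Match the SQL keyword sequence, not the bare word "union", to avoid flagging prose.
UNION_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)


def normalize(url: str) -> str:
    """URL-decode repeatedly so double-encoded input is seen as the database would see it."""
    prev, cur = None, url
    while prev != cur:
        prev, cur = cur, unquote_plus(cur)
    return cur


def flag_union_requests(log_text: str) -> list[dict]:
    """Return one dict per request whose decoded target contains UNION ... SELECT."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        src, url, status, size = m.groups()
        if UNION_RE.search(normalize(url)):
            hits.append({"src": src, "url": url, "status": int(status), "bytes": int(size)})
    return hits


if __name__ == "__main__":
    for hit in flag_union_requests(SAMPLE_LOG):
        print(f"{hit['src']} status={hit['status']} bytes={hit['bytes']} {hit['url']}")
```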

3. Beware third-party security. Last year, one of the more than a dozen data breaches involving Sony involved hackers accessing what the consumer electronics giant said was "an outdated database from 2007." Likewise, the breached Yahoo database appears to have come from a company acquired by Yahoo, which means that the database wouldn't have been covered by Yahoo's own system development lifecycle (SDLC) practices. But that should have led Yahoo to at least protect the acquired systems with a Web application firewall (WAF), according to security experts, to help block SQL injection attacks.

"This attack highlights the challenges of security with third-party applications," said Rob Rachwald, director of security strategy at Imperva, in a blog post. "The attacked applications [were] probably acquired by Yahoo! from a third party, Associated Content. It's very challenging to have an effective SDLC with third parties. Therefore, you need to put them behind WAF."

4. Require strong passwords. The breach also shows that Yahoo--or else Contributor Network, if the passwords date from before the company's acquisition by Yahoo--failed to require users to select strong passwords. According to an analysis published by Swedish security expert Anders Nilsson at Eurosecure, the top five most-selected passwords were "password," "123456," "12345678," "1234," and "qwerty."

Of course, people's password selection is irrelevant if, as in the case of the Yahoo breach, the password database isn't even properly secured. Likewise, in the case of the LinkedIn breach, the apparent use of an outdated encryption algorithm, and a failure to salt the passwords--meaning, adding a unique value to each one before encrypting it--meant that even the strongest passwords could be cracked offline, given a bit of time.

5. Businesses, get serious about passwords. Any business or government agency that stores users' passwords needs to do a better job of not just deleting password databases, but ensuring they're actually secure. Indeed, based on a review of the leaked data, Imperva's Rachwald said Yahoo apparently "stored the passwords both ... encrypted (AES_passwd) and in clear text (clear_passwd) which, of course, makes the encryption useless." Coming on the heels of the LinkedIn, eHarmony, and Last.fm breaches, Rachwald dubbed the Yahoo breach yet "another epic password fail." When will companies learn?
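Lessons 1, 4 and 5 together describe what a password store should look like: no cleartext column, a unique random salt per password, and a deliberately slow hash, with legacy records upgraded the way Formspring moved from salted SHA-256 to bcrypt. The following is an added example, not code from the article or any company it mentions. It assumes a legacy record of the form sha256(salt + password) and uses the standard library's PBKDF2-HMAC-SHA256 as the slow hash, since bcrypt needs a third-party package; the migration pattern (verify against the old scheme, then rewrite the record in the new one at login time) is the same.

```python
import hashlib
import hmac
import os

# Assumed legacy scheme: "SHA-256 with random salts", stored as
# {"scheme": "sha256", "salt": <16 bytes>, "digest": sha256(salt + password)}.
# Target scheme: salted PBKDF2-HMAC-SHA256 with a high iteration count.
# Formspring chose bcrypt; PBKDF2 is used here only so the example runs stand-alone.
PBKDF2_ROUNDS = 200_000


def legacy_sha256(password: str, salt: bytes) -> bytes:
    """Legacy fast hash. Kept only to verify old records, never to create new ones."""
    return hashlib.sha256(salt + password.encode()).digest()


def make_record(password: str) -> dict:
    """Create a record in the current slow scheme. The cleartext is never stored."""
    salt = os.urandom(16)  # unique per password, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"scheme": "pbkdf2", "salt": salt, "digest": digest, "rounds": PBKDF2_ROUNDS}


def verify_and_upgrade(record: dict, password: str) -> tuple[bool, dict]:
    """Check a password against a record of either scheme.

    Returns (ok, record_to_store). On a successful login against a legacy
    record the returned record is a fresh one in the current scheme, so the
    store is migrated lazily as users log in; on failure it is unchanged.
    """
    if record["scheme"] == "sha256":
        expected = legacy_sha256(password, record["salt"])
        ok = hmac.compare_digest(expected, record["digest"])  # constant-time compare
        return ok, (make_record(password) if ok else record)
    if record["scheme"] == "pbkdf2":
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), record["salt"], record["rounds"]
        )
        return hmac.compare_digest(candidate, record["digest"]), record
    raise ValueError(f"unknown scheme {record['scheme']!r}")


def legacy_record(password: str) -> dict:
    """Build a legacy-style record; used only to construct sample data for this example."""
    salt = os.urandom(16)
    return {"scheme": "sha256", "salt": salt, "digest": legacy_sha256(password, salt)}
```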

6. Consumers, practice tough love. Until businesses do learn, the rule for consumers is simple: Don't trust any site that requires a password to keep it safe. Accordingly, use unique passwords for every website, so attackers can't reuse credentials stolen from one site, such as Yahoo, to access an account tied to the same email address on another site, such as PayPal. Also consider changing passwords with some frequency, in case prior versions of password databases should get exploited. Finally, consider that not all password breaches come to light, and the situation might be even worse than it appears.

7. Regulators, crack down. Fines, of course, could help businesses focus on improving their information security practices. On that note, privacy expert Christopher Soghoian has opined that Yahoo could face Federal Trade Commission sanctions over the breach. Notably, the FTC requires that companies abide by their privacy policies, which the agency enforces as a consumer guarantee. Furthermore, Yahoo's privacy policy states that it "takes reasonable steps to protect your information." But by just about any security measure, storing users' passwords in unencrypted format--or failing to spot passwords stored in that manner, after acquiring a company--hardly qualifies as reasonable.

Editor's note: Corrected spelling of D33Ds hacker group.


Comments
Alex_Horan, 7/13/2012 | 7:49:47 PM
re: Yahoo Password Breach: 7 Lessons Learned
The past 30 days have been the month of the password hack. But there are two angles to this story that will have long-reaching effects. First, for users that continue to have one password for everything, it's time to change them, and quickly. The second angle--primarily prompted by Yahoo--is the responsibility of corporations to protect their users. With security threats becoming increasingly more sophisticated, corporations need to be more proactive and predictive about security. Otherwise, you're just reactive and cleaning up after the fact. Read more about my thoughts here: http://blog.coresecurity.com/2...