Attacks/Breaches

7/13/2012
11:09 AM

Yahoo Password Breach: 7 Lessons Learned

What should businesses, users, and regulators take away from the Yahoo password breach? Start with encryption for all stored passwords.

Stop the password breach madness: If it seems as if every week brings a new password breach to light, that's because hackers have been hard at work, releasing passwords with aplomb.

Recently, an attacker uploaded a subset of hashed passwords from LinkedIn to an online security forum, requesting help with cracking them. That was swiftly followed--apparently, by the same attacker--with similar requests for passwords purloined from dating website eHarmony and music-streaming website Last.fm.

This week, question-and-answer website Formspring said that 420,000 of its users' passwords had been compromised, leading the company to reset passwords for all 28 million users. Meanwhile, a hacker or hacking group known as D33Ds Company leaked about 450,000 email addresses and passwords associated with Yahoo Voices, formerly known as Yahoo Contributor Network. The motivation, according to D33Ds, was simple: it was sending "a wake-up call" to whoever was in charge of Yahoo Voices about the need to get serious about security.

What could Yahoo--and by extension any company that has consumer passwords to protect--do better? Here are seven best practices:

1. Confirm breaches quickly. Where Yahoo and Formspring are to be commended is in the speed with which they confirmed their password breaches and instituted a fix, all of which happened in less than 24 hours. According to Yahoo spokesman Jon White, "We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users, and notifying the companies whose users' accounts may have been compromised."

Formspring, however, went one step better, by providing details about the exact improvements made. "We were able to immediately fix the hole and upgraded our hashing mechanisms from SHA-256 with random salts to Bcrypt, to fortify security," said Formspring CEO Ade Olonoh in a blog posted Wednesday.

2. Watch for fast-moving SQL injection attacks. D33Ds said it breached Yahoo by using a union-based SQL injection attack. Security experts said attackers prefer this type of attack for its ability--when successfully executed--to rapidly retrieve large amounts of sensitive data.

"Not all SQL injection attacks are equal. Some can be more destructive than others," said Kyle Adams at Mykonos Software--part of Juniper Networks--in a blog post. "This [type of] attack enables the attacker to extract extremely large chunks of data in a very short amount of time. It's the difference between requesting each password one at a time (normal SQL injection), letter by letter (blind SQL injection) or requesting hundreds of passwords in one shot (union-based)."
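The difference Adams describes is easiest to see side by side. The following is an added example, not code from the article or from any of the companies it names: it builds a constructed SQLite user table, runs the same lookup once with string concatenation and once with a bound parameter, and then applies a WAF-style rule over constructed request log lines to flag a UNION ... SELECT sequence. The table contents, log format and rule are all assumptions made for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed in-memory table standing in for a site's user store
# (example data only, not from Yahoo or any real breach).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "hash-a"),
        (2, "bob@example.com", "hash-b"),
    ])
    return conn

def lookup_vulnerable(conn, email):
    # String concatenation: the input is parsed as part of the SQL statement,
    # so a UNION clause inside it appends a second result set (the whole
    # pw_hash column) to what should have been a single-row lookup.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, email):
    # Bound parameter: the input is only ever compared as a string value,
    # so the same text matches no row and returns nothing.
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]

# WAF-style rule: flag a UNION [ALL] SELECT sequence in decoded request parameters.
UNION_SELECT = re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.IGNORECASE)

def flag_union_requests(log_lines):
    """Return the log lines whose query string contains a UNION SELECT sequence.

    Each line is assumed to be '<ip> <method> <path?query>' (a constructed format).
    """
    flagged = []
    for line in log_lines:
        path = line.split(" ", 2)[2]
        query = path.partition("?")[2]
        if UNION_SELECT.search(unquote_plus(query)):
            flagged.append(line)
    return flagged

# Constructed sample log lines for the detection function.
SAMPLE_LOG = [
    "198.51.100.7 GET /profile?email=alice%40example.com",
    "198.51.100.9 GET /profile?email=x%27+UNION+SELECT+pw_hash+FROM+users--",
    "198.51.100.11 GET /search?q=reunion+selection",
]

if __name__ == "__main__":
    db = build_db()
    probe = "x' UNION SELECT pw_hash FROM users--"
    print("concatenated query returns:", lookup_vulnerable(db, probe))
    print("parameterised query returns:", lookup_safe(db, probe))
    print("flagged requests:", flag_union_requests(SAMPLE_LOG))
```

The parameterised lookup is the fix at the application layer; the regex rule is the kind of coarse signature a WAF applies in front of code you cannot change quickly (the point made under lesson 3 below). The `\b` word boundaries keep ordinary text such as "reunion selection" from tripping the rule, but a signature like this is a stopgap, not a substitute for bound parameters.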

3. Beware third-party security. Last year, one of the more than a dozen data breaches involving Sony involved hackers accessing what the consumer electronics giant said was "an outdated database from 2007." Likewise, the breached Yahoo database appears to have come from a company acquired by Yahoo, which means that the database wouldn't have been covered by Yahoo's own system development lifecycle (SDLC) practices. But that should have led Yahoo to at least protect the acquired systems with a Web application firewall (WAF), according to security experts, to help block SQL injection attacks.

"This attack highlights the challenges of security with third-party applications," said Rob Rachwald, director of security strategy at Imperva, in a blog post. "The attacked applications [were] probably acquired by Yahoo! from a third party, Associated Content. It's very challenging to have an effective SDLC with third parties. Therefore, you need to put them behind WAF."

4. Require strong passwords. The breach also shows that Yahoo--or else Contributor Network, if the passwords date from before the company's acquisition by Yahoo--failed to require users to select strong passwords. According to an analysis published by Swedish security expert Anders Nilsson at Eurosecure, the top five most-selected passwords were "password," "123456," "12345678," "1234," and "qwerty."

Of course, people's password selection is irrelevant if, as in the case of the Yahoo breach, the password database isn't even properly secured. Likewise, in the case of the LinkedIn breach, the apparent use of an outdated encryption algorithm, and a failure to salt the passwords--meaning, adding a unique value to each one before encrypting it--meant that even the strongest passwords could be cracked offline, given a bit of time.
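To make the points under lessons 4 and 1 concrete (rejecting the most common passwords, and the difference between an unsalted fast hash and a salted slow one, as in Formspring's move to bcrypt), here is an added example that is not code from the article or from any company it mentions. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, since bcrypt is not in the standard library; the minimum length, iteration count and sample accounts are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# The five most-chosen passwords from the leaked Yahoo Voices data, per the article.
COMMON_PASSWORDS = {"password", "123456", "12345678", "1234", "qwerty"}

def password_acceptable(password, min_length=12):
    """Reject passwords that are short or on the known-common list (policy is an assumption)."""
    if len(password) < min_length:
        return False
    return password.lower() not in COMMON_PASSWORDS

def unsalted_sha1(password):
    # The weak scheme: a fixed, fast function of the password alone, so equal
    # passwords give equal digests and one lookup table serves every account.
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password, iterations=100_000):
    # Per-user random salt plus a deliberately slow key-derivation function.
    # PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption for the example).
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    # Recompute with the stored salt and iteration count; compare in constant time.
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def crack_unsalted(leaked_digests, dictionary):
    # One precomputed table recovers every account whose password is in the
    # dictionary; with per-user salts the table would have to be rebuilt per salt.
    table = {unsalted_sha1(word): word for word in dictionary}
    return {digest: table[digest] for digest in leaked_digests if digest in table}

if __name__ == "__main__":
    # Constructed accounts: two users happened to pick the same weak password.
    accounts = {"alice": "password", "bob": "password", "carol": "correct horse battery"}
    unsalted = {user: unsalted_sha1(pw) for user, pw in accounts.items()}
    salted = {user: hash_password(pw) for user, pw in accounts.items()}
    print("unsalted digests identical:", unsalted["alice"] == unsalted["bob"])
    print("salted records identical:", salted["alice"] == salted["bob"])
    print("cracked from unsalted dump:", crack_unsalted(unsalted.values(), COMMON_PASSWORDS))
    print("verify bob:", verify_password("password", salted["bob"]))
    print("policy accepts 'qwerty':", password_acceptable("qwerty"))
```

Run stand-alone, the script shows that the two identical weak passwords collide as unsalted SHA-1 digests and are recovered at once from a five-word dictionary, while the salted records differ from each other and can only be attacked one account at a time, at the cost set by the iteration count. Note that salting alone does not slow an attacker down; the slow KDF does that, which is why the two go together.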

5. Businesses, get serious about passwords. Any business or government agency that stores users' passwords needs to do a better job of not just deleting password databases, but ensuring they're actually secure. Indeed, based on a review of the leaked data, Imperva's Rachwald said Yahoo apparently "stored the passwords both ... encrypted (AES_passwd) and in clear text (clear_passwd) which, of course, makes the encryption useless." Coming on the heels of the LinkedIn, eHarmony, and Last.fm breaches, Rachwald dubbed the Yahoo breach as yet "another epic password fail." When will companies learn?

6. Consumers, practice tough love. Until businesses do learn, the rule for consumers is simple: Don't trust any site that requires a password to keep it safe. Accordingly, use unique passwords for every website, so attackers can't reuse credentials stolen from one site, such as Yahoo, to access an account tied to the same email address on another site, such as PayPal. Also consider changing passwords with some frequency, in case prior versions of password databases should get exploited. Finally, consider that not all password breaches come to light, and the situation might be even worse than it appears.

7. Regulators, crack down. Fines, of course, could help businesses focus on improving their information security practices. On that note, privacy expert Christopher Soghoian has opined that Yahoo could face Federal Trade Commission sanctions over the breach. Notably, the FTC requires that companies abide by their privacy policies, which the agency enforces as a consumer guarantee. Furthermore, Yahoo's privacy policy states that it "takes reasonable steps to protect your information." But by just about any security measure, storing users' passwords in unencrypted format--or failing to spot passwords stored in that manner, after acquiring a company--hardly qualifies as reasonable.

Editor's note: Corrected spelling of D33Ds hacker group.

Alex_Horan,
User Rank: Apprentice
7/13/2012 | 7:49:47 PM
re: Yahoo Password Breach: 7 Lessons Learned
The past 30 days have been the month of the password hack. But there are two angles to this story that will have long-reaching effects. First, for users that continue to have one password for everything, it's time to change them, and quickly. The second angle--primarily prompted by Yahoo--is the responsibility of corporations to protect their users. With security threats becoming increasingly more sophisticated, corporations need to be more proactive and predictive about security. Otherwise, you're just reactive and cleaning up after the fact. Read more about my thoughts here: http://blog.coresecurity.com/2...