Attacks/Breaches
7/13/2012
11:09 AM
50%
50%

Yahoo Password Breach: 7 Lessons Learned

What should businesses, users, and regulators take away from the Yahoo password breach? Start with encryption for all stored passwords.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Stop the password breach madness: If it seems as if every week brings a new password breach to light, that's because hackers have been hard at work, releasing passwords with aplomb.

Recently, an attacker uploaded a subset of hashed passwords from LinkedIn to an online security forum, requesting help with cracking them. That was swiftly followed--apparently, by the same attacker--with similar requests for passwords purloined from dating website eHarmony and music-streaming website Last.fm.

This week, question-and-answer website Formspring said that 420,000 of its users' passwords had been compromised, leading the company to reset passwords for all 28 million users. Meanwhile, a hacker or hacking group known as D33Ds Company leaked about 450,000 email addresses and passwords associated with Yahoo Voices, formerly known as Yahoo Contributor Network. The motivation, according to D33Ds, was simple: it was sending "a wake-up call" to whoever was in charge of Yahoo Voices about the need to get serious about security.

[ Read 7 Tips To Toughen Passwords. ]

What could Yahoo--and by extension any company that has consumer passwords to protect--do better? Here are seven best practices:

1. Confirm breaches quickly. Where Yahoo and Formspring are to be commended is in the speed with which they confirmed their password breaches and instituted a fix, all of which happened in less than 24 hours. According to Yahoo spokesman Jon White, "We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users, and notifying the companies whose users accounts may have been compromised."

Formspring, however, went one step better, by providing details about the exact improvements made. "We were able to immediately fix the hole and upgraded our hashing mechanisms from SHA-256 with random salts to Bcrypt, to fortify security," said Formspring CEO Ade Olonoh in a blog posted Wednesday.

2. Watch for fast-moving SQL injection attacks. D33Ds said it breached Yahoo by using a union-based SQL injection attack. Security experts said attackers prefer this type of attack for its ability--when successfully executed--to rapidly retrieve large amounts of sensitive data.

"Not all SQL injection attacks are equal. Some can be more destructive than others," said Kyle Adams at Mykonos Software--part of Juniper Networks--in a blog post. "This [type of] attack enables the attacker to extract extremely large chunks of data in a very short amount of time. It's the difference between requesting each password one at a time (normal SQL injection), letter by letter (blind SQL injection) or requesting hundreds of passwords in one shot (union-based)."

3. Beware third-party security. Last year, one of the more than a dozen data breaches involving Sony involved hackers accessing what the consumer electronics giant said was "an outdated database from 2007." Likewise, the breached Yahoo database appears to have come from a company acquired by Yahoo, which means that the database wouldn't have been covered by Yahoo's own system development lifecycle (SDLC) practices. But that should have led Yahoo to at least protect the acquired systems with a Web application firewall (WAF), according to security experts, to help block SQL injection attacks.

"This attack highlights the challenges of security with third-party applications," said Rob Rachwald, director of security strategy at Imperva , in a blog post. "The attacked applications [were] probably acquired by Yahoo! from a third party, Associated Content. It's very challenging to have an effective SDLC with third parties. Therefore, you need to put them behind WAF."

4. Require strong passwords. The breach also shows that Yahoo--or else Contributor Network, if the passwords date from before the company's acquisition by Yahoo--failed to require users to select strong passwords. According to an analysis published by Swedish security expert Anders Nilsson at Eurosecure, the top five most-selected passwords were "password," "123456," "12345678," "1234," and "qwerty."

Of course, people's password selection is irrelevant if, as in the case of the Yahoo breach, the password database isn't even properly secured. Likewise, in the case of the LinkedIn breach, the apparent use of an outdated encryption algorithm, and a failure to salt the passwords--meaning, adding a unique value to each one before encrypting it--meant that even the strongest passwords could be cracked offline, given a bit of time.

5. Businesses, get serious about passwords. Any business or government agency that stores users' passwords needs to do a better job of not just deleting password databases, but ensuring they're actually secure. Indeed, based on a review of the leaked data, Imperva's Rachwald said Yahoo apparently "stored the passwords both ... encrypted (AES_passwd) and in clear text (clear_passwd) which, of course, makes the encryption useless." Coming on the heels of the LinkedIn, eHarmony, and Last.fm breaches, Rachwald dubbed the Yahoo breach as yet "another epic password fail." When will companies learn?

6. Consumers, practice tough love. Until businesses do learn, the rule for consumers is simple: Don't trust any site that requires a password to keep it safe. Accordingly, use unique passwords for every website, so attackers can't reuse credentials stolen from one site, such as Yahoo, to access an account tied to the same email address on another site, such as PayPal. Also consider changing passwords with some frequency, in case prior versions of password databases should get exploited. Finally, consider that not all password breaches come to light, and the situation might be even worse than it appears.

7. Regulators, crack down. Fines, of course, could help businesses focus on improving their information security practices. On that note, privacy expert Christopher Soghoian has opined that Yahoo could face Federal Trade Commission sanctions over the breach. Notably, the FTC requires that companies abide by their privacy policies, which the agency enforces as a consumer guarantee. Furthermore, Yahoo's privacy policy states that it "takes reasonable steps to protect your information." But by just about any security measure, storing users' passwords in unencrypted format--or failing to spot passwords stored in that manner, after acquiring a company--hardly qualifies as reasonable.

Editor's note: Corrected spelling of D33Ds hacker group.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Alex_Horan
50%
50%
Alex_Horan,
User Rank: Apprentice
7/13/2012 | 7:49:47 PM
re: Yahoo Password Breach: 7 Lessons Learned
The past 30 days have been the month of the password hack. But there two angles to this story that will have long-reaching effects. First, for users that continue to have one password for everything, itGs time to change them, and quickly. The second angle G primarily prompted by Yahoo G is the responsibility of corporations to protect their users. With security threats are becoming increasingly more sophisticated, corporations need to be more proactive and predictive about security. Otherwise, youGre just reactive and cleaning up after the fact. Read more about my thoughts here: http://blog.coresecurity.com/2...
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.