Risk
9/26/2013
12:00 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Yahoo Email Change Doesn't Solve Security Problem

Yahoo's "Not My Email" button may cut down on misdirected email, but security experts say Yahoo's solution doesn't address the underlying security issues.

Davis said that right now, Yahoo is banking on its "Require-Recipient-Valid-Since" protocol, a header that senders add to emails to check the age of the account before delivering a message, such as a password reset email. The problem with this, Davis said, is that it asks a lot of the sender. "This requires vendors to change the way they do something, and the only way this is going to work is if every vendor out there adds this header or Yahoo comes up with a better solution," he said.

By focusing its solution on the usability of the recycled accounts instead of the security issues still surrounding them, Yahoo is ignoring the bigger problem, said Eva Velasquez, CEO of the Identity Theft Resource Center.

"As far as helping new account holders avoid the nuisance of spam, [the button] may work, however when it comes to the risk of identity theft, it will make no difference," Velasquez said in an interview. "The potential for social engineering is incredible. Access to social network login credentials themselves may not lead to a credit card being opened in the original account holder's name, but it can help a nefarious character to obtain the information needed to do so. Once the information has been sent via email, the damage is done. It's just as if you were to receive a tax return for the person who used to live in your house."

Sophos' Wisniewski said there were better ways for Yahoo to deal with the problem of dwindling "good" email addresses. "There are ways to get the part before the @ that you want without taking someone else's email address," he said. Wisniewski suggested that Yahoo create a different email suffix, such as @yahoo.ng for "new generation," for example.

Velasquez said that Yahoo's problem should serve as an example for other businesses. "This is just another example of how policies and procedures need to take security into account before new services roll out and not as an afterthought," she said. "This is happening across the board as security often takes a back seat to innovation in such a fast-paced market."

CounterTech's Davis said what Yahoo does and how it proceeds will set the tone for other businesses, which will eventually face the same problem. "Yahoo is being the pioneer in this. Outlook, Hotmail and others will have to do the same thing," he said. "Whatever Yahoo does will become part of a standard way. They're falling off their bike and skinning their knees right now. Yahoo wanted to attract more users and have old ones come back, but if they don't address this problem, they won't have people returning."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JMONTAGUE292
50%
50%
JMONTAGUE292,
User Rank: Apprentice
9/27/2013 | 7:39:26 PM
re: Yahoo Email Change Doesn't Solve Security Problem
The FCC makes some radio call signs available for reassignment (FCC's own assignment and in some cases by request). The minimum dormancy period for many, if not all, cases is 2 years after license expiration, license abandonment, or licensee's death (or dissolution of organization).

Given the abundant personal information that flows through email, a reason minimum period of dormancy should be 10+ years.
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
9/27/2013 | 2:04:51 PM
re: Yahoo Email Change Doesn't Solve Security Problem
@ubm_techweb_disqus_sso_-4c5bf4ba8d74c722d28ca4c34a7266ae:disqus Good advice--thanks for sharing!
ninjacoding
50%
50%
ninjacoding,
User Rank: Apprentice
9/27/2013 | 1:05:27 PM
re: Yahoo Email Change Doesn't Solve Security Problem
These researchers missed important aspect. Companies should take an active measures to ensure proper communication. If users deactives an account it should remain dormant for multiple years. In that time frame companies should at minimum do a yearly check to verify email communication. When that attempt is made the email message if deactived properly should returned an invalid address message and the company systems should deactivate use of that email account.
Instead companies use "do not reply" email accounts which simply dump the return message in to a "null" bin never looking to see if the account is invalid. From personal experience with a cable company, I have change the email address, deleted it as well, called them on it, and still I get mail from them using that old account.
Halwits
50%
50%
Halwits,
User Rank: Apprentice
9/27/2013 | 6:22:53 AM
re: Yahoo Email Change Doesn't Solve Security Problem
Yes , I agree with you.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
9/26/2013 | 7:11:58 PM
re: Yahoo Email Change Doesn't Solve Security Problem
Recycling email addresses is sheer craziness on Yahoo's part. It was a terrible idea, and this "fix" is a Band-Aid at best.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant