Inside Security

Inside Security (Dec 16th, 2016)

David’s Take

In today’s newsletter we take a deep dive into a big mess o’ Yahoo, and why they can’t seem to build a secure email system. It is troubling on several levels, and not just because of its sheer size. Here is what I have learned and some of my own thoughts about what you should do to manage your own email situation.

-- David Strom, editor of Inside Security
First, this week’s revelation is only the latest in a series of breaches. One breach happened in 2013, and another, from 2014, was reported back in September. The key takeaway: the 2013 breach was not detected during the investigation of the 2014 event, and it was only uncovered now. And while Yahoo says both the 2013 and 2014 breaches had nation state origins, that does not mean the same actor was behind both. The short answer is that we do not really know who caused either of them.
 
Second is Yahoo’s lack of encryption and authentication prowess. This takes on several dimensions, not the least of which is Yahoo’s long history of exploits over the years. If we look at the 2013 breach, the one just disclosed, Yahoo was storing passwords as MD5 hashes. MD5 was not state of the art then and is certainly not now: it is fast by design, so an attacker with the hash dump can test billions of guesses per second. To make matters worse, according to reports, the hashes were not salted, so every user who picked the same password got the same hash, and one precomputed lookup table cracks the entire dump at once. To give Yahoo partial credit, they have switched to a more secure password hashing scheme since the breach. (Brian Krebs explains this in more detail if you are interested.)
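To make the unsalted-MD5 point concrete, here is a small added example (written for this newsletter, not code from Yahoo or from Krebs’ report). It builds a constructed, illustrative password dump, cracks the unsalted MD5 column with a single lookup table, and then stores the same passwords with a salted, deliberately slow hash. The slow hash here is PBKDF2-HMAC-SHA256 from Python’s standard library, chosen because it needs no third-party package; the page does not name the scheme Yahoo switched to, so that choice is an assumption for illustration only.

```python
import hashlib
import hmac
import os

# Constructed sample "leaked" table: user -> unsalted MD5 digest (hex).
# Illustrative only; this is not data from the Yahoo breach.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"password1").hexdigest(),
    "bob":   hashlib.md5(b"password1").hexdigest(),   # same password as alice
    "carol": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}

# A tiny constructed wordlist standing in for the precomputed tables attackers keep.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein"]

# Work factor for the salted hash (assumed value; production deployments tune this
# to the hardware, but it must be high enough that each guess is expensive).
ITERATIONS = 100_000


def crack_unsalted_md5(leaked, wordlist):
    """Crack unsalted MD5 digests with one hash computation per wordlist entry.

    Because there is no salt, a single table serves every user in the dump, and
    identical passwords produce identical digests, so cracking one cracks them all.
    Returns (recovered {user: password}, number of hash computations performed).
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: table[d] for user, d in leaked.items() if d in table}
    return found, len(wordlist)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store a password as a random per-user salt plus a slow PBKDF2 digest."""
    if salt is None:
        salt = os.urandom(16)          # unique per user, stored alongside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Recompute the digest under the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def crack_salted(records, wordlist):
    """Run the same wordlist against salted records.

    The salt differs per user, so no shared table is possible: the attacker must
    redo the work for every user, and each guess costs `iterations` HMAC calls.
    Returns (recovered {user: password}, number of slow hash computations performed).
    """
    found, work = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            work += 1
            if verify_password(w, rec):
                found[user] = w
                break
    return found, work


def demo():
    """Compare the two storage schemes on the same constructed accounts."""
    md5_found, md5_work = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    salted = {u: hash_password(p) for u, p in
              [("alice", "password1"), ("bob", "password1"), ("carol", "Tr0ub4dor&3")]}
    salted_found, salted_work = crack_salted(salted, WORDLIST)
    return {
        "md5_identical_for_alice_and_bob": LEAKED_MD5["alice"] == LEAKED_MD5["bob"],
        "md5_cracked": md5_found, "md5_hashes_computed": md5_work,
        "salted_identical_for_alice_and_bob": salted["alice"]["digest"] == salted["bob"]["digest"],
        "salted_cracked": salted_found, "slow_hashes_computed": salted_work,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The weak passwords still fall to the salted scheme, which is the honest lesson: salting and a slow hash do not rescue “password1”. What they change is the economics. Five MD5 computations cracked two of three accounts in the unsalted dump; the salted version needed eleven PBKDF2 runs, each a hundred thousand HMAC calls, and that cost scales with the number of users rather than with the size of the wordlist.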
 
But that is not all. Another reason for poor security at Yahoo is their Yahoo Account Key, a login method that replaces the password with a push notification you approve on your phone. Strictly speaking that is not zero factors but one: possession of the phone replaces knowledge of the password. While other SaaS vendors are beefing up their authentication by adding factors, Yahoo has merely swapped one for another, and anyone holding an unlocked phone with the Yahoo app can approve a login without ever supplying the victim’s password.
 
Another issue: Yahoo’s notification to its customers and the public was sub-par. They sent out this security update and Bob Lord, their CISO, posted this message. Neither had very actionable information, and both lacked the specific details that would help to improve customer trust. Lord has been in that job for a little over a year: you might recall that in 2015 Yahoo went through three CISOs. Lord has a tough job, no doubt. He gave a talk shortly before he took the Yahoo post in which he said, “It is unreasonable to show up at the Wall St. Journal and say that my customer data is now on BitTorrent.” Yes, but how about when you have to show up multiple times?

Finally, there is the issue that, given how long this information has been available to criminals, fraud checks that treat a known email address as evidence of identity are now much weaker. As IdentityMind blogger Jose Caldera has written, "you must detect breached email addresses and apply enhanced due-diligence to ensure that the individual is who they say they are."
 
What you can do

So if you are one of the billion unfortunates who have a Yahoo email account, here is a plan.
 
First, make sure you know who is actually behind your email provider. If you have an account @att.net, just to pick a random example, that is actually being supplied with Yahoo technology. Every AT&T DSL or Uverse customer needs such an account to access AT&T services. You can’t easily get rid of these accounts.
 
Second, if you are reusing your Yahoo password anywhere else, now is a great time to change those other account passwords too. While you are at it, change the password and security questions of your Yahoo or Yahoo OEM email accounts now. And if you have duplicated your “secret questions” at other accounts, then change them as well. This may seem like a big burden, because it is. If you haven’t yet set up a password manager, now is a really good time to download and start using one. (I use Lastpass, but there are numerous others, and most are free or inexpensive.)
 
Next, this also might be a good time to change your “online birthday” to something that isn’t your actual birthday. There is no reason to have this information anywhere online. You can have different ones sprinkled throughout the year if you are in need of e-greetings.
 
Next, don’t delete that Yahoo account – at least, not immediately. This is because it could be tied to your identity for numerous other logins that you might not immediately remember, such as your DSL service, for example. But you should delete your emails, and export and then purge your contacts, now before some hacker does any more damage to your reputation. When Yahoo first started having compromises to their email system many years ago, I had forgotten about an email account that I had set up, and also forgot that I had used it to test its contact import feature. All my contacts (at least current to that point) received spam messages when my account was compromised.

One suggestion is to switch to Gmail. Here is how. You can also set up your Gmail account to read your Yahoo messages during the transition. Another email alternative is to make use of a free email encryption service (Inky.com is one that I am testing at the moment; there are many others, including Hushmail, Mailfence, Easycrypt.co, Passlok and Mailpile.is.)
 
At the very least, if you have the option to use two factor authentication on your online accounts (here is a list of some of them), start using this feature to protect your account identity. Please start doing this now. Really.
 
Krebs also makes a good point about being more aware of phishing attempts, including via your phone: ”If your mobile phone number was associated with your Yahoo account, that number may receive SMS phishing or smishing attacks as a result. The standard warning about clicking links applies to unbidden text messages as well.” Thanks Brian.
 
And in other news
 
The billion-account breach at Yahoo eclipsed other breaches this week (indeed, ever) in sheer potential size. But sadly it wasn’t the only one of the week. In breaches discovered by the company's internal security team in April and traced back to February, hackers stole project data from ThyssenKrupp's plant engineering division and from other areas yet to be determined. – DARK READING

And Quest Diagnostics, a medical laboratory company based in New Jersey, said Monday that it was investigating a recent hack that exposed the personal health information of about 34,000 people, according to the company. An unauthorized third party gained access to names, dates of birth, lab results and, in some cases, telephone numbers in November through a mobile health app called MyQuest by Care360. The app gives patients access to their lab results and other information. – THE NEW YORK TIMES

Just for fun

(from Brian Krebs' comments)

Another suggestion from Gizmodo
“So the best option to avoid being hacked is to delete all of your accounts, fill up a warm bath, and throw all of your devices inside of it. Next, pack your bags and craft some hunting tools for your trek into the wilderness. Good luck.”
 
MORE FROM INSIDE

 

Did we get anything wrong or miss a story? We realize that many of our readers are smarter and more informed than we are – so please hit reply and let us know when we miss something!

 

Check out this week’s newsletter of the week: Clover Letter: A daily email newsletter for girls

 

Did you know we're crowdfunding the cost of an investigative journalist for the Inside Daily Brief? Check out our Patreon campaign to see the perks at various levels.

 

And, many thanks to the following patrons for being above the $75/month level, which includes a link in every issue of the IDB:

 

Love That Pet, Weedmaps, This Week in Startups, Retail Tech Podcast – ReadThisThing



Support us on Patreon

Copyright © 2016 Inside, All rights reserved.


You're receiving this email because you are subscribed to Inside Security. If you don't want to receive it anymore, go ahead and unsubscribe – or just hit reply and tell us how to make it better.
