ELEC-E7470 - CYBERSECURITY L CASE STUDY: YAHOO 2016 INFORMATION LEAK REVELATIONS - MYCOURSES
ELEC-E7470 - Cybersecurity L
Case Study: Yahoo 2016 information leak revelations
Tuomas Rantataro, Si Zuo, and Yang Xiao
Team: Bicycle

1 Case Introduction

In September 2016, Yahoo confirmed a massive security breach in which hackers swiped personal information associated with at least 500 million accounts; the breach took place in 2014. Yahoo later disclosed that a different attack in 2013 compromised more than 1 billion accounts. "This is the biggest data breach ever," said well-known cryptologist Bruce Schneier. The incident is a big deal, since so many people have a Yahoo account of some type or other, for email, finance, fantasy sports and so on.

In the official statement given by Yahoo: The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network.[1]

Yahoo is one of the internet's busiest sites, with one billion monthly users, and one of the oldest free email services; many users have built their digital identities around it, from their bank accounts to photo albums and even medical information. Even though it is too early to say what impact the breach might have on Yahoo and its users, because many questions remain, including the identity of the state-sponsored hackers behind it, there are already some impacts on Yahoo users and stakeholders.

Yahoo confirmed that the stolen user information was being used primarily for spamming, i.e., sending spam to the people whose information was stolen. But since such info can often be passed around widely among criminal hackers, it is always possible it could be used for more nefarious purposes. In the meantime, hackers posted to underground forums and online marketplaces what they claimed was stolen Yahoo data, offering a large collection of stolen Yahoo credentials including user names, easily cracked passwords, birth dates, ZIP codes and email addresses on an underground site where hackers can buy and sell stolen data. An infamous cybercriminal named Peace claimed on a website that he was selling credentials of 200 million Yahoo users from 2012 on the dark web for just over $1,800. The underground site uses Tor, the anonymity software, and Bitcoin, the digital currency, to hide the identities of buyers, sellers and administrators who are trading attack methods and stolen data.[2]

What's more, it will take Yahoo months or years before it regains users' trust. Since Yahoo is a major webmail provider, there is one extra problem: any further service which has password reset emails sent to a Yahoo Mail account should also be considered compromised, and passwords accordingly changed. "When a company has allowed their customers' data to fall into the hands of criminals, the resulting lack of trust is difficult to repair," CEO Ebba Blitz said in a statement.

There are also possible larger implications for the $4.8 billion sale of Yahoo's core business, which is at the core of this hack, to Verizon. The scale of the liability could bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction. That deal is now moving to completion, but the companies cannot be integrated until it is approved by a number of regulatory agencies, as well as Yahoo shareholders. Representatives of Verizon and Yahoo started meeting recently to review the Yahoo business, so that the acquisition would run smoothly once complete.[3]

The good news is that Yahoo says the passwords were hashed, meaning that the hackers must spend much more time to recover a single user's password, unless the user used a simple common password and simple or obvious security questions and answers.
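To make concrete why hashing only helps when the hash is slow, here is an added example (not Yahoo's code, and not from any of the cited sources) of a password store that still holds some unsalted MD5 records next to slow salted hashes, verifies both formats, and re-hashes a legacy MD5 record the next time that user logs in successfully. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it; the user names, passwords and iteration count are constructed.

```python
import hashlib, hmac, secrets, time

# bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in here
# as the slow, salted hash; the detect-and-upgrade logic is identical for bcrypt.
PBKDF2_ITERATIONS = 100_000

def hash_legacy_md5(password: str) -> str:
    # Unsalted MD5: the weak legacy format the experts said "can be broken rather quickly".
    return "md5$" + hashlib.md5(password.encode()).hexdigest()

def hash_slow(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    # Salted and deliberately slow: every guess costs the attacker `iterations` HMAC calls.
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    # Accept either stored format; compare digests in constant time.
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), rest)
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False

def login_and_upgrade(store: dict, user: str, password: str) -> bool:
    # A successful login is the only moment the plaintext is available, so it is the
    # only moment a legacy MD5 record can be re-hashed with the slow scheme.
    stored = store.get(user)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("md5$"):
        store[user] = hash_slow(password)
    return True

def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    # Rough measure of how many candidate passwords this machine can hash per second.
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(f"candidate{n}")
        n += 1
    return n / seconds

def demo_migration() -> tuple:
    # Constructed store: 'alice' is still on MD5, 'bob' is already on the slow hash.
    store = {"alice": hash_legacy_md5("summer2014"), "bob": hash_slow("correct horse battery")}
    ok = login_and_upgrade(store, "alice", "summer2014")
    return ok, store["alice"].startswith("md5$"), verify("summer2014", store["alice"])
```

`demo_migration()` returns `(True, False, True)`: the login succeeds, the record is no longer MD5, and the new hash still verifies. Comparing `guesses_per_second(hash_legacy_md5)` with `guesses_per_second(lambda p: hash_slow(p, b"\0" * 16))` shows by what factor the slow hash cuts an attacker's guess rate on the same hardware.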
2 Case Analysis

Yahoo said on 22 September 2016 that at least 500 million of its accounts were hacked in 2014 by what it believed were state-sponsored actors, a theft that appeared to be the world's biggest known cyber breach by far. However, according to the report by InfoArmor, "Yahoo was compromised in 2014 by a group of professional blackhats who were hired to compromise customer databases from a variety of different targeted organizations. Some of their initial targets, which occurred in 2012 and 2013, are linked directly with the recent large scale data breaches of social media networks and online-services such as MySpace, Tumblr and LinkedIn. Other well-known brands have been impacted by this group but the data stolen from them is not currently available for sale or validation in the underground."[4] An association called "Group E", a group of professional blackhats from Eastern Europe, is mentioned in the report and is considered to have a direct relation to the Yahoo hack in 2014.

On 15 March 2017, the U.S. Justice Department unsealed indictments against four men accused of hacking into a half-billion Yahoo email accounts. "Two of the men worked for a unit of the Russian Federal Security Service (FSB) that serves as the FBI's point of contact in Moscow on cybercrime cases. Another one is Karim Baratov, a Canadian and Kazakh national who lives in Canada."[5] More details will be discussed in the later part.

For the data breach in 2014, some security experts noted that "the majority of Yahoo!'s passwords used the bcrypt hashing algorithm which is considered difficult to crack, the rest used the older MD5 algorithm which can be broken rather quickly."[4] Such information, especially security questions and answers, could help hackers break into victims' other online accounts.

According to Yahoo's chief information security officer, Bob Lord, "the hackers used 'forged cookies', bits of code that stay in the user's browser cache so that a website doesn't require a login with every visit". "The cookies could allow an intruder to access users' accounts without a password by misidentifying anyone using them as the owner of an email account. The breach may be related to theft of Yahoo's proprietary code", Lord said.

InfoArmor also mentioned that, "by evaluating a sample of records, more confusion is created because the decrypted passwords from some of them were legitimate for actual Yahoo users. However, the vast majority of the data is not legitimate, including invalid accounts, deleted accounts, and nonexistent accounts. After extensive analysis and cross reference against the data breach intelligence systems of InfoArmor, it was determined that the dump is based on multiple third party data leaks, which have no relation to Yahoo. Presumably, the threat actor specially misrepresented this data set in order to sensationalize and sell it for the purpose of monetizing his efforts following the negative impact of his relationship with tessa88". "Since individuals reuse exactly the same passwords for multiple online-services, some low level of positive conversion rate is inevitable, making ATO possible with a very small number of user accounts and may explain the positive validation of this limited number of accounts."[3]

As for the data breach that occurred in August 2013, Yahoo stated this was a separate breach from the late 2014 one and was conducted by an "unauthorized third party".[7] Similar data as from the late 2014 breach had been taken from over 1 billion user accounts. During this investigation Yahoo! had been able to identify that the method by which data was taken in the late 2014 hack was the use of fake cookies, but the method of the August 2013 breach was not clear to them upon their announcement.

In today's connected world, we are sharing more personal information online than ever before. And it is not only when we are sitting at our computers: we use our mobile devices to shop, bank, conduct business, and connect with friends. In the age of information, the personal information or user data held by a company becomes extremely important. In a digital age, data is where the value of a company or a person lies. As technology progresses, all of our information moves to the digital world, and, consequently, cyber attacks are becoming the new way of crime.

Based on the research of InfoArmor, "the thieves are not state-sponsored actors, instead they are a group of professional blackhats who used to sell the personal data for money." As described in the report from InfoArmor, "tessa88, registered on several underground communities, was the first to mention that Yahoo account credentials were available for sale. Initially tessa88 proposed several databases for sale, including VK, MySpace, Fling and other notable e-mail providers and some instant messaging services from Eastern Europe."[4] A list of the information offered for sale can be seen in Figure 1 from InfoArmor.[4]

Fig. 1. Selling information from account "tessa88"
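Bob Lord's description of forged cookies, and the suggestion that stolen proprietary code made them possible, are easier to reason about with a minimal model of what a session cookie has to prove to the server. The following added example (not Yahoo's code, and not from any cited source) signs the cookie with a server-held key, refuses any cookie whose signature, expiry or issue time does not check out, and shows the two responses a defender needs after a suspected key leak: rotating the signing key and invalidating sessions server-side. The key material, account name and timestamps are constructed.

```python
import base64, hashlib, hmac, json

# Constructed demo values: real signing keys live in a secret store, not in source code.
KEYS = {"k1": b"constructed-demo-signing-key-1"}
T0 = 1_700_000_000  # constructed reference time (Unix seconds)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(key: bytes, kid: str, user: str, ttl: int, now: int) -> str:
    # Server side: the cookie is a signed statement "this browser is `user`", valid until exp.
    claims = {"sub": user, "iat": now, "exp": now + ttl, "kid": kid}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_cookie(keys: dict, cookie: str, now: int, invalidated_since: dict):
    # Returns the account the cookie identifies, or None when it must be refused.
    # keys: {kid: key} the server currently trusts; rotating a leaked key out of this
    # dict rejects every cookie minted with it. invalidated_since: {user: timestamp}
    # implements server-side logout of all cookies issued before that time.
    try:
        payload, sig = cookie.split(".")
        claims = json.loads(_unb64(payload))
        key = keys[claims["kid"]]  # kid only selects among trusted keys, never supplies one
        user, iat, exp = claims["sub"], int(claims["iat"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # not signed by a trusted key: tampered, forged, or signed with a rotated key
    if exp <= now:
        return None  # expired; a long-lived cookie would keep a stolen session usable
    if iat < invalidated_since.get(user, 0):
        return None  # issued before this user's sessions were invalidated server-side
    return user

if __name__ == "__main__":
    cookie = issue_cookie(KEYS["k1"], "k1", "alice@example.com", 3600, T0)
    print(verify_cookie(KEYS, cookie, T0 + 60, {}))                                # alice@example.com
    print(verify_cookie(KEYS, cookie, T0 + 3600, {}))                              # None (expired)
    print(verify_cookie({"k1": b"rotated-key"}, cookie, T0 + 60, {}))              # None (key rotated)
    print(verify_cookie(KEYS, cookie, T0 + 60, {"alice@example.com": T0 + 1}))     # None (invalidated)
```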
3 Responses to the Yahoo hacks

Due to the massive number of people the hacks have affected, they have caused responses from a wide range of different actors. There have been criminal investigations into both Yahoo and the hackers, articles by security authorities on what went wrong, and surprisingly small financial consequences to Yahoo.

The company itself posted blog posts after both big breaches were made public, and also sent emails to the affected users.[8][9] The messages were straightforward in admitting that the hacks had taken place, what information was stolen, and what Yahoo had already done to secure the user accounts. They also included suggestions on what the user can do to keep his account more secure in the future. The emails were written acknowledging that similar phishing emails were already being sent, and followed the best practices for sending such emails: they included no links or attachments, and also warned against such threats in phishing emails. Therefore it can be said that Yahoo handled communication to its users quite well, when it eventually told the outside world about the breaches. There are, however, accusations that the company knew about the breaches much earlier, but tried to keep it quiet hoping it would go away without release of the data.[10]

The accusations that Yahoo's leadership knew about the hacks much earlier than September 22nd have led to other responses. Some of the most serious ones are related to the planned buyout of Yahoo by the telecommunications company Verizon. The company claimed as late as two weeks before the 22 September revelations that it was unaware of any security breaches, unauthorised access or unauthorised use of its IT systems.[10] The misleading statement may have led to overvaluation of the company during the purchase negotiations. The U.S. Securities and Exchange Commission (SEC) has opened an investigation into Yahoo for this reason.

In addition to the SEC, other countries' government regulators have also taken interest in the breaches. However, these regulators have mostly been information security and privacy authorities, in contrast to the financial nature of the SEC. In the UK, the Information Commissioner's Office, which is tasked with protecting the information rights of the people, has been asking questions of Yahoo. In Ireland, too, the Data Protection Commissioner has been in contact with the US government to ask questions about the breach. The role of these privacy agencies has earlier been mostly giving guidance, but there have been signs of the agencies planning to take a more punitive approach to privacy breaches. One example of this is the new European Union data protection laws coming into force in 2018, which "will require companies to improve privacy and disclosure policies or risk heavy fines."[11]

While there have been responses from organizations, another interesting thing to follow has been how Yahoo's users have reacted to the theft of their private information, with possibly great consequences. In addition to the regular advice of
changing passwords and avoiding reusing the same passwords elsewhere, Germany's Federal Office for Information Security has even recommended switching email provider to a more secure one.[12] However, these measures have apparently had little effect on users' usage of Yahoo's services.[13]

4 Conclusion

The Yahoo hacks are currently the world's biggest hacks when counted by users affected. The hacks show that many different parties, such as state-sponsored hackers, may target even a single organization, and may succeed if the organization is not well enough prepared against such threats. Responses to these kinds of attacks still vary very much, with privacy and financial organizations coming up with ways to force companies to secure their data well enough to avoid breaches as big as these.

References

1. An Important Message About Yahoo User Security (22 Sep 2016). https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security
2. Nichole, P. Yahoo Says Hackers Stole Data on 500 Million Users in 2014 (22 Sep 2016). https://www.nytimes.com/2016/09/23/technology/yahoo-hackers.html?_r=0
3. Kara, S. Yahoo is expected to confirm a massive data breach, impacting hundreds of millions of users (22 Sep 2016). https://www.recode.net/2016/9/22/13012836/yahoo-is-expected-to-confirm-massive-data-breach-impacting-hundreds-of-millions-of-users
4. InfoArmor: Yahoo Data Breach Investigation (28 Sep 2016). https://www.infoarmor.com/infoarmor-yahoo-data-breach-investigation/
5. Four Men Charged With Hacking 500M Yahoo Accounts (15 Mar 2017). https://krebsonsecurity.com/2017/03/four-men-charged-with-hacking-500m-yahoo-accounts/
6. AN G. Yahoo says half a billion accounts breached by nation-sponsored hackers (22 Sep 2016). https://arstechnica.com/security/2016/09/yahoo-says-half-a-billion-accounts-breached-by-nation-sponsored-hackers/
7. Goel, V. and Perlroth, N. Yahoo Says 1 Billion User Accounts Were Hacked (14 Dec 2016). https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html
8. Important Security Information for Yahoo Users (21 Apr 2017). https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users
9. An Important Message About Yahoo User Security (21 Apr 2017). https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security
10. SEC opens formal probe of Yahoo hacking disclosure (21 Apr 2017). https://www.ft.com/content/2bebc10e-e18b-11e6-8405-9e5580d6e5fb
11. Yahoo faces questions over delay in data breach revelation (21 Apr 2017). https://www.ft.com/content/54ec6bd8-818e-11e6-8e50-8ec15fb462f4
12. White House says FBI is investigating hack of 1bn Yahoo user accounts (21 Apr 2017). https://www.theguardian.com/technology/2016/dec/15/fbi-investigation-yahoo-hack-one-billion
13. Turns Out Consumers Stay Loyal to Companies After Hacks (21 Apr 2017). https://www.wired.com/2016/09/hacks-like-yahoos-new-normal/