
Yahoo breach calls into question detection and remediation practices

The Yahoo breach was the largest in history and the fallout is widespread, including a lawsuit, possible SEC investigation and questions about Yahoo's breach detection and response.

Yahoo's security practices have been called into question after the company suffered the largest data breach in history, and more trouble appears to be on the horizon for Yahoo as well.

The Yahoo breach led to the theft of data from 500 million users, and two of the affected users have filed the first class-action lawsuit against the company. Yahoo has been accused of gross negligence and of failing "to securely store and maintain the personal information of plaintiffs and the class," according to the lawsuit filed in the U.S. District Court in San Diego.

However, Yong-Gon Chon, CEO of Cyber Risk Management LLC, based in Tampa, Fla., said it will be challenging to prove Yahoo was grossly negligent.

"Current laws and regulations surrounding cloud service providers focus on implementing hundreds of compliance controls instead of preventing bad outcomes with real consequences. There are no service-level agreements for data breach," Chon told SearchSecurity. "Privacy laws and disclosure laws don't adequately define breach detection. If implementing hundreds of controls and demonstrating compliance is proof of due diligence, then our rules for managing cyber-risk are broken."

The lawsuit also touched on another hot topic surrounding the Yahoo breach: the gap between when the breach occurred, in 2014, and when Yahoo realized it had been breached. Experts have speculated about why it took Yahoo two years to find the breach, and some have also noted that Yahoo might have known about it in July of this year.

"[Yahoo] CEO Marissa Mayer may have had knowledge of a breach as early as July, yet did not disclose details to regulators and investors until last week. If true, Yahoo-acquirer Verizon is no doubt asking a lot of questions right now," Michael Sutton, CISO of Zscaler Inc., based in San Jose, Calif., wrote in a blog post. "Such information is clearly of great importance during a due-diligence process, and yet as recently as September 9 in a regulatory filing with the [Securities and Exchange Commission], Yahoo claimed no knowledge of any data breaches."

The Securities and Exchange Commission (SEC) has been asked by Sen. Mark Warner (D-Va.) to evaluate whether Yahoo violated breach disclosure laws.

"I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems," Warner wrote in a letter to the SEC. "Additionally, since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature."

Tom Kellermann, CEO of Strategic Cyber Ventures LLC, based in Washington, D.C., agreed the SEC needs to become more proactive in regulating publicly traded organizations, and Verizon should be worried about the Yahoo breach.

"Given the tenacity of the criminals in cyberspace, investors must apply cyber-risk to their calculus. Due diligence per mergers and acquisitions must incorporate an assessment of the overall cybersecurity health," Kellermann said. "Case in point: Verizon should pay close attention and employ a comprehensive assessment to Yahoo's network to ensure there are no backdoors for cybercriminals that would harmfully impact the existing infrastructure of Verizon."

Red flags for Yahoo security

The Yahoo breach has also called into question the company's security practices, both leading up to the attack and since the breach was detected. Yahoo CEO Marissa Mayer has been accused of prioritizing consumer products over security, according to current and former employees who spoke to The New York Times. Yahoo's security team was denied resources, and its members have repeatedly been hired away by competing companies. According to The New York Times, Mayer's management team rejected an automatic reset of user passwords because it was worried the move would push users to change email providers.

Yahoo did not respond to inquiries about the breach.

Vishal Gupta, CEO of India-based Seclore, said the details of Yahoo's security policies are worrisome, but not uncommon.

"The company isn't alone in its decision to choose convenience over security. This needs to change. With the data of 500 million users, Yahoo should have taken steps to assure that information was secured, regardless of whether or not it had left the network," Gupta told SearchSecurity. "This is the perfect example as to why companies need to adopt data-centric security solutions capable of stopping the increasingly sophisticated hackers, who are constantly hunting for the weakest link [in] their targets' cybersecurity posturing."

Additionally, research from Venafi found the Yahoo breach hasn't had much effect on the company's cryptographic posture: 27% of the certificates on external Yahoo websites have not been reissued since January 2015, and only 2.5% of the 519 certificates deployed were issued within the last 90 days.

Hari Nair, director of product management and cryptographic researcher for Venafi, based in Salt Lake City, noted that many Yahoo certificates used the insecure MD5 and SHA-1 algorithms.

"Any one of these cryptographic issues would leave an organization extremely vulnerable to attacks on encrypted communication and authentication. Collectively, they pose serious questions about whether Yahoo has the visibility and technology necessary to protect encrypted communications and ensure its customers' privacy," Nair wrote. "Our team has been working on a major research project that led us to believe that there is usually a high degree of correlation between weak cryptographic controls and overall cybersecurity posture."

Lance Cottrell, chief scientist for the Passages browser at Ntrepid Corp., based in Herndon, Va., said these issues could have contributed to the Yahoo breach.

"The biggest issue with old certificates is that attackers who compromised the site might easily have stolen the certificate. This would allow them to perfectly impersonate Yahoo or to intercept and read any communications with secure Yahoo websites," Cottrell told SearchSecurity. "MD5 and SHA-1 create a similar issue. In this case, any attacker could potentially create new certificates with the same cryptographic fingerprint as Yahoo's real certificates. It takes a lot of work, but, again, the result is that the attacker can now impersonate Yahoo websites and read communications."

Bobby Kuzma, systems engineer at Core Security, based in Roswell, Ga., said it was "unconscionable" that Yahoo hasn't revoked and reissued every certificate in the organization, adding that it bordered on "criminal negligence."

"If attackers compromised the private keys stored on servers, they could easily perform man-in-the-middle attacks, masquerading as legitimate Yahoo servers," Kuzma told SearchSecurity. "If the allegations that Yahoo knew about this breach more than a year ago [are true], the company will be in hot water. That's information that Verizon should have had during its process of purchasing Yahoo, and I expect that the SEC will have something to say about the matter."

Chon questioned the security processes in place following the Yahoo breach.

"It can be very challenging for companies leveraging crypto at enormous scale to maintain properly if the underlying processes weren't established from the start," Chon told SearchSecurity. "For a company like Yahoo, the challenge of computing processes at scale is exacerbated by growth through acquisition, regulations such as [International Traffic in Arms Regulations], and higher staff attrition rates in the tech sector due to the demand for high-quality cybertalent."

Cottrell agreed it was a matter of process.

"It is not difficult to change a cryptographic key. The company needs to make sure that they have a comprehensive inventory of all the cryptographic certificates they use and a process to make sure they are all regularly updated," Cottrell said. "The problem is that these can easily slip out of sight and out of mind if maintaining them is not a priority."
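One way to run the inventory check Cottrell describes, and to catch the two conditions Venafi reported (MD5/SHA-1 signatures and certificates not reissued for a long time), as an added example that is not code from the article or from any company quoted in it: it parses the human-readable dump from `openssl x509 -in cert.pem -noout -text` for each certificate in the inventory and flags weak signature algorithms, stale issuance and imminent expiry. The sample certificate text, the 365-day and 30-day thresholds and the audit date are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Signature algorithms the article's sources single out as insecure (MD5 and SHA-1 based).
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

def _field(text, pattern):
    """First regex capture group found in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1).strip() if m else None

def _when(s):
    """'Jan  5 00:00:00 2015 GMT' (openssl's layout) -> timezone-aware UTC datetime."""
    return datetime.strptime(" ".join(s.split()[:4]), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_cert_text(text):
    """Pull subject, signature algorithm and validity out of `openssl x509 -noout -text` output."""
    return {
        "subject": _field(text, r"^\s*Subject: (.*)$"),
        "sig_alg": _field(text, r"^\s*Signature Algorithm: (\S+)"),  # first match sits in the TBS block
        "not_before": _when(_field(text, r"^\s*Not Before\s*: (.*)$")),
        "not_after": _when(_field(text, r"^\s*Not After\s*: (.*)$")),
    }

def audit_cert(text, now, max_age=timedelta(days=365), renew_within=timedelta(days=30)):
    """Return (subject, findings) for one certificate; an empty findings list means it passes."""
    c = parse_cert_text(text)
    findings = []
    if c["sig_alg"] in WEAK_SIG_ALGS:
        findings.append(f"weak signature algorithm {c['sig_alg']}")
    age = now - c["not_before"]
    if age > max_age:
        findings.append(f"issued {age.days} days ago, exceeds {max_age.days}-day reissue policy")
    left = c["not_after"] - now
    if left < renew_within:
        findings.append("expired" if left.days < 0 else f"expires in {left.days} days")
    return c["subject"], findings

# Constructed sample in openssl's text layout (hypothetical names, not a real certificate).
SAMPLE_CERT_TEXT = """\
Certificate:
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Jan  5 00:00:00 2015 GMT
            Not After : Jan  5 00:00:00 2017 GMT
        Subject: C=US, O=Example Corp, CN=mail.example.com
"""

def run_sample():
    """Audit the sample as of a constructed date, 29 Sept 2016 (around the article's timeframe)."""
    return audit_cert(SAMPLE_CERT_TEXT, datetime(2016, 9, 29, tzinfo=timezone.utc))
```

openssl's text output is not a stable interface, so a production inventory should read the same fields from the DER encoding with an X.509 library; the policy checks above stay the same.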

Cris Thomas, strategist at Tenable Network Security, based in Columbia, Md., said the Yahoo breach speaks to a bigger problem among security professionals and the C-suite.

"While it's easy for infosec professionals who are in the trenches every day trying to protect their networks and users from the maliciousness of the online world to get discouraged, we need to focus on building a collaborative environment that starts with executive-level support. Hopefully, companies large and small will soon realize the importance of security and implement security controls that are aligned to the needs of their businesses," Thomas said. "If companies don't take security seriously and invest in sound cybersecurity measures upfront, it only leaves more room for the risk of a compromise down the road."
