In this Risk & Repeat podcast, SearchSecurity editors discuss the Yahoo breach and questions and criticism regarding the company's enterprise security practices.
The Yahoo breach, which exposed information of at least 500 million accounts, has led to questions and criticism regarding the company's security practices.
In late September 2016, Yahoo confirmed reports that the company had suffered a major data breach and issued a statement saying that account information such as telephone numbers, birthdates, hashed passwords, and encrypted or unencrypted security questions and answers may have been exposed. In the wake of that announcement, questionable infosec practices within Yahoo have come to light, including the mishandling of security certificates.
In addition, The New York Times reported that Yahoo's security team under former CSO Alex Stamos pushed for the company to adopt a forced password reset for all accounts in the event of a data breach, but the company's executive management team rejected the proposal. The fallout from the Yahoo breach has raised questions about the lack of basic security measures and practices within the company, as well as Yahoo's response to the breach.
Why didn't Yahoo implement a forced password reset policy? Why was the company using outdated certificates with insecure algorithms like SHA-1? And why did it take so long to discover and confirm a breach that initially occurred in 2014?
In this episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss those questions and more regarding the Yahoo data breach. They also revisit the recent devastating DDoS attacks to discuss how a botnet was able to infect and leverage more than 100,000 internet-connected devices such as home wireless routers and DVRs.