How is the Yahoo breach of 2013 -- disclosed this week -- different from any other breach? The theft of more than 1 billion user accounts is thought to be the largest data breach of a company. Apart from the size, experts also pointed to Yahoo's confirmation that attackers used its source code to modify cookies to gain access.
Unfortunately for our cyber-naïve nation, however, the historic breach may not be different enough to effect an immediate and meaningful change in how companies treat security, what consumers expect of businesses that solicit their private information, how the federal government protects its citizenry from cyber-robbery or in the frequency of state-sponsored and cybercriminal attacks.
"It is a shocker, but not surprising," said Gartner security and privacy analyst Avivah Litan. And that's a shame, she and others said.
Twenty-five years into the consumer Internet Age, many companies lack the security program and corporate culture required to deter cybercriminals or to minimize the damage they wreak. Consumer behavior also needs to change. But if recent news of state-sponsored attacks on private and government assets has not awakened us to the threat of cyberattacks, it is not obvious what needs to happen to reverse our collective cyber naiveté, short of a cataclysmic cyber-related event akin to 9/11.
"I think we'll have something of that ilk, whether it is this year or next year I can't predict. And, hopefully, there will not be as many people damaged or killed," said Stuart Madnick, the John Norris Maguire professor of information technologies at MIT Sloan School of Management, and professor of engineering systems. "But it is going to take something like that to make it impossible for us to brush [such breaches] aside in a week or two."
Cookies, MD5 and long-tail damage
Meantime, for one of the great pioneers of the consumer Internet Age, the blows keep coming. The stolen information from the 2013 hack -- separate from the 2014 hack of 500,000 Yahoo accounts disclosed earlier this year -- includes names, email addresses, telephone numbers, dates of birth, passwords that were hashed using the MD5 algorithm, and, in some cases, encrypted or unencrypted security questions, the company said. Multimillions of the backup email addresses obtained in the breach belong to military and civilian government employees from dozens of nations, including 150,000 Americans, The New York Times reported.
Yahoo shares plunged on the news, renewing concerns that Verizon could back out of its $4.8 billion deal to buy Yahoo's internet business. The class-action lawsuits have already been filed.
"The particularly frightening thing about that is that it will take two years or more to resolve this," said Jeff Pollard, principal security and risk analyst at Forrester Research.
Aside from the unprecedented scale of the hack, Pollard said there was at least one aspect of the 2013 Yahoo breach that struck him as different from what we know about other hacks: the creation of forged cookies that could allow an intruder to access users' accounts without a password -- a detail spelled out in the company release by Yahoo's Bob Lord. "Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies," he stated.
"We know Yahoo has had data breaches. This is bigger. This is a scenario where they have an intellectual-property breach," Pollard said. "They have their source code being accessed and analyzed and even modified -- at least the cookies modified -- to gain access to targeted accounts."
That aspect of the Yahoo breach has potentially big implications for many companies -- aside from the fact of any employee accounts involved in this breach that could come back to haunt them.
As a browsing mechanism, cookies are core to online companies, Pollard said. They allow a company's users to browse without having to log in again. They allow a company to collect information about customers and customize what they see.
"When you look at how Yahoo and others like them collect revenue, the cookie is a key ingredient, pardon the pun, of that. And it was compromised. Threat actors were able to use it," he said.
As for whether it's fair to judge a 2013 hack by today's standards, Pollard pointed to the role of the MD5 algorithm in the breach. "The insecurity of MD5, or the improper use of MD5 to encrypt information, has been widely known since 2006 to 2008. This isn't a company that's just becoming familiar with technology that made this mistake; this is one of first big internet technology companies that made this mistake."
Pollard laid blame on a corporate culture that put security on the back burner, often clashing with its own security teams. "Yahoo had a phenomenal security team," many of whom went on to "excellent security organizations and established themselves as totally capable security practitioners," he said.
"This was very much an executive, cultural Yahoo issue from executive management on down. So, they do deserve to receive criticism for those decisions they made," Pollard said.
Where do we go from here?
If nothing else, this week's news of the 2013 Yahoo breach should drive home the point that the decisions we make about protecting and sharing sensitive information have a long shelf life. Companies make wrong-headed business decisions all the time that turn out to be short-lived, Pollard said. The odds are much less in their favor when it comes to security.
"You can't make a cavalier decision about security," he said. "It needs to be thought-out; it needs to be programmatic; it needs to be aligned with an organization's culture, its brand and what customers expect from them, because what we're seeing here is that a breach from 2013 can surface in 2016."
But even that won't be enough, Pollard and others said, because with enough time and effort anything can be hacked. If everything is hackable, where do we go from here?
Pollard, for one, said he believes two-factor authentication combined possibly with biometrics will become the norm -- and should be. He won't sign up for a service before finding out if it has two-factor authentication. "It's always shocking who does and does not," he said, adding he believes consumers eventually will demand the same of service providers.
MIT's Madnick emphasized that although everything is hackable, it doesn't mean everything will be hacked. "The bad guys out there are a finite number and they have a lot on their plate, too," he said. Companies and consumers can protect themselves by making it much harder than they do today for attackers to penetrate their systems, he said, offering a three-pronged approach that includes limiting the value of assets and thereby lowering the likelihood of being hacked; making the burden higher for hackers by using tools like two-factor authentication and password managers; and having a strategy for limiting the damage of the inevitable attack.
"A lot of what we do puts us in more risk for no good reason," he said.
Gartner's Litan agreed mechanisms like two-factor authentication and a layered approach to security raise the barrier, but it is "past time" for the U.S. to get its act together on cybersecurity, she said.
"We are under so much threat, between the cybercriminals, the nation states, the hacktivists, the trolls, and I don't know what we're waiting for. We're sitting ducks and open game." She recounted a recent trip to California where she learned about infiltration by the Chinese of Silicon Valley technology companies.
"I know you called about Yahoo, but all this goes together. The reason this all goes together is that the nation states and the cybercriminals are building these massive databases on every individual that they can get data on, including most Americans," she said.
"I came back and wrote a blog I never published because I sounded like a nut -- We're going to be taken over by these foreigners! But it is true, and then you have the cybercriminals on top of this." The federal government needs to provide cyber protection for private and public sector companies, she said, advocating for a defense system on par with what we have for the military.
Madnick was less certain. "If the NSA [National Security Agency] and the Pentagon can be broken in to, do you really think they are that much better?" he said.
"Waving a magic wand, and saying, 'OK, Obama, Trump, the government will now solve your problems' -- that would not make me sleep any better."
CIO news roundup for week of Dec. 12
- Trump meets with tech leaders. President-elect Donald Trump met with technology leaders -- including top executives from Amazon, Tesla, Apple, Facebook, Alphabet and Microsoft -- at the Trump Tower in New York Wednesday afternoon and discussed topics like free trade, cybersecurity, job creation and immigration. Trump's transition team dubbed the meeting an innovation summit. "I am here to help you folks do well," Trump told the tech leaders. The New York Times reported Bill Gates said, "We had a good conversation about innovation, how it can help in health, education, the impact of foreign aid and energy, and a wide-ranging conversation about power of innovation." Amazon CEO Jeff Bezos described the meeting as "very productive." Apple CEO Tim Cook reportedly stayed at Trump Tower after the summit was over to meet privately with Trump for further discussions. Apple, which has previously drawn Trump's scrutiny regarding outsourcing jobs to China, is reportedly investing in a $100 billion technology fund to be run by the Japanese telecom and financial conglomerate SoftBank. SoftBank founder and CEO Masayoshi Son met with Trump last week and pledged to invest $50 billion in the U.S.
- Commercial drone delivery takes flight. Amazon CEO Jeff Bezos announced Wednesday the company successfully tested its first Prime Air drone delivery service in Cambridge, U.K. "First-ever #AmazonPrimeAir customer delivery is in the books. 13 min -- click to delivery," Bezos tweeted. The fully autonomous drone delivered an Amazon Fire streaming device and popcorn to a customer on Dec. 7. "Prime Air has great potential to enhance the services we already provide to millions of customers by providing rapid parcel delivery that will also increase the overall safety and efficiency of the transportation system," the company website stated. Amazon will begin trial drone deliveries for two customers living near Cambridge, and it plans to deliver packages weighing less than to 2.6 kg within 30 minutes, The Guardian reported. Amazon has been testing drones in the U.K. airspace since 2015, an email chain between Amazon and the U.K. Civil Aviation Authority revealed.
- FCC chairman to resign. Net-neutrality champion Tom Wheeler announced Thursday he is stepping down from his position as the head of the Federal Communications Commission on Jan. 20, the day President-elect Donald Trump takes office. "It has been a privilege to work with my fellow commissioners to help protect consumers, strengthen public safety and cybersecurity, and ensure fast, fair and open networks for all Americans," Wheeler said in a statement. Wheeler's key initiatives include new rules on net neutrality and broadband privacy, and subsidizing broadband internet access for low-income families.
- California regulators ask Uber to stop testing autonomous vehicles. Uber launched a fleet of self-driving Volvo XC90s on San Francisco roads Wednesday morning, the company said in a statement. Wednesday afternoon, the California Department of Motor Vehicles sent a cease and desist letter to the company, accusing Uber of violating the law and asking the company to take appropriate measures to ensure safety of the public after several of its self-driving cars were seen running red lights. The state regulators ordered Uber to stop testing its autonomous vehicles on city roads until the company obtained state permits required to operate such vehicles.