Making sense of the Yahoo breach

Security vendors are going nuts over Yahoo's revelation that it's investigating a systems breach that may have exposed roughly 450,000 user names and passwords. The inbox is crammed with security experts with an opinion. So let's have a look.

First, a review of the news: This morning the BBC and others reported that the attack apparently originated from servers connected to Yahoo Voices, a user-generated section of the site, and that the hacking group D33DS had claimed responsibility for the attack. Yahoo put a warning on its site, saying, "We confirm that an older file from Yahoo Contributor Network... containing approximately 450,000 Yahoo and other company users' names and passwords was compromised yesterday. Of these, less than 5 percent of the Yahoo accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised."

Tom Cross, director of security research at Lancope, said there's an awful lot of passwords and password hashes circulating in the underground after a string of recent breaches and disclosures like this one, and there's every reason to believe we'll see similar compromises in the future, and that these passwords will likely be used to compromise corporate networks.

“The question that we need to be asking is how do we detect attackers who log into our networks with legitimate credentials? Organizations that are only focused on looking for exploit activity at the network perimeter can't see attacks after they've already gotten in the front door," he said. "IT security teams also need visibility into authorized traffic on the internal network that enables them to detect and mitigate compromises after the walls have been breached.”
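Cross's point is that attackers holding dumped passwords don't trip exploit signatures at the perimeter; they simply log in. What his argument calls for is detection over authorized traffic. The following is an added example, not code from the article or from Lancope, that runs two such checks over a handful of constructed internal authentication events: one source host attempting many distinct usernames (credential stuffing with a dumped list), and a successful login for a user from a host that user has never used before. The log format, the baseline of known hosts, and the spraying threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of internal authentication events (not real data).
# The "ts src= user= result=" format is an assumption for this example.
SAMPLE_AUTH_LOG = """\
2012-07-12T09:00:01 src=10.1.1.20 user=alice result=success
2012-07-12T09:00:05 src=10.1.1.21 user=bob result=success
2012-07-12T09:03:10 src=198.51.100.7 user=alice result=failure
2012-07-12T09:03:11 src=198.51.100.7 user=bob result=failure
2012-07-12T09:03:12 src=198.51.100.7 user=carol result=failure
2012-07-12T09:03:13 src=198.51.100.7 user=dave result=failure
2012-07-12T09:03:14 src=198.51.100.7 user=erin result=success
2012-07-12T09:10:00 src=10.1.1.20 user=alice result=success
"""

# Hosts each user has previously logged in from (constructed baseline).
BASELINE = {"alice": {"10.1.1.20"}, "bob": {"10.1.1.21"}, "erin": {"10.1.1.30"}}

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(success|failure)$")


def parse_events(text):
    """Turn raw log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            events.append({"ts": ts, "src": src, "user": user, "ok": result == "success"})
    return events


def detect_credential_abuse(events, baseline, spray_threshold=4):
    """Checks that need only login records, not exploit signatures.

    1. new_source_success: a successful login for a user from a host not in
       that user's baseline (a reused password from a dump looks exactly like this).
    2. many_users_one_source: one source host trying at least `spray_threshold`
       distinct usernames (credential stuffing with a leaked list).
    Returns a list of (rule, subject, detail) tuples.
    """
    users_per_src = defaultdict(set)
    findings = []
    for e in events:
        users_per_src[e["src"]].add(e["user"])
        if e["ok"] and e["src"] not in baseline.get(e["user"], set()):
            findings.append(("new_source_success", e["user"], e["src"]))
    for src, users in users_per_src.items():
        if len(users) >= spray_threshold:
            findings.append(("many_users_one_source", src, sorted(users)))
    return findings


if __name__ == "__main__":
    for finding in detect_credential_abuse(parse_events(SAMPLE_AUTH_LOG), BASELINE):
        print(finding)
```

On the sample above the spraying host 198.51.100.7 is flagged for trying five usernames, and erin's one successful login from that host is flagged because it is not among her known hosts, even though the event itself is a perfectly valid authentication. Alice's logins from her usual host raise nothing. In practice the baseline would be built from a few weeks of history and the threshold tuned per environment.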

Mark Bower, data protection expert and VP at Voltage Security, said he's dumbfounded that attacks like this keep happening despite all the warnings and advice companies have received. "SQL injection is a known attack," he said. "Sensitive data needs to be protected and just relying on access controls doesn’t work – an accepted fact proven time and time again. If what is stated is true, it’s utter negligence to store passwords in the clear."
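Bower names two distinct failures, a known injection vector and cleartext storage, and either one alone would have limited the damage if fixed. As an added example, not code from the article or from Voltage Security, the block below puts the two patterns side by side against an in-memory SQLite table: a lookup built by string concatenation over a table of cleartext passwords, and the same lookup with bound parameters over a table of salted PBKDF2 hashes. The table schema, the user names and passwords, and the injection string are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """In-memory stand-in for a user table; schema is constructed for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    return con


# --- the pattern the quote criticises ---------------------------------------
def store_cleartext(con, name, password):
    # Password written as-is: any dump of the table exposes every credential.
    con.execute("INSERT INTO users VALUES (?, ?)", (name, password))


def lookup_vulnerable(con, name):
    # Concatenation makes user input part of the SQL text, so a quote in
    # `name` ends the literal and whatever follows is executed as SQL.
    query = "SELECT name, password FROM users WHERE name = '" + name + "'"
    return con.execute(query).fetchall()


# --- the hardened pattern ---------------------------------------------------
def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; a dump yields only slow-to-crack hashes."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(dk.hex(), dk_hex)


def store_hashed(con, name, password):
    con.execute("INSERT INTO users VALUES (?, ?)", (name, hash_password(password)))


def lookup_safe(con, name):
    # Parameter binding: the driver passes `name` as data, never as SQL text.
    return con.execute("SELECT name, password FROM users WHERE name = ?", (name,)).fetchall()


def demo(payload="x' OR '1'='1"):
    """Run the same injection string against both designs; returns (dumped, safe)."""
    weak = make_db()
    store_cleartext(weak, "alice", "hunter2")
    store_cleartext(weak, "bob", "letmein")
    dumped = lookup_vulnerable(weak, payload)   # every row, passwords in clear

    strong = make_db()
    store_hashed(strong, "alice", "hunter2")
    store_hashed(strong, "bob", "letmein")
    safe = lookup_safe(strong, payload)        # no user literally named that
    return dumped, safe


if __name__ == "__main__":
    dumped, safe = demo()
    print("vulnerable design returned:", dumped)
    print("hardened design returned:", safe)
```

The vulnerable path turns `WHERE name = 'x' OR '1'='1'` into a full table dump of readable passwords, which is the shape of what was posted. With bound parameters the same input matches no row, and even a dump obtained some other way (a backup file, say, like the "older file" in Yahoo's statement) would contain per-user salted hashes rather than credentials reusable against other sites.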

"It is often the case that obvious database vulnerabilities -- such as weak passwords and default configuration settings -- are initially overlooked and never fully remediated," said Slavik Markovich, CTO of Database Security at McAfee. "An organization's sensitive information can never be adequately secured if it lacks dedicated tools and processes to gain complete visibility into their databases' security weaknesses and eliminate the opportunity for the bad guys to exploit them."

Those comments are pretty much the same as what all the security vendors are saying.

I agree that companies should know by now that storing passwords in the clear is a dumb thing to do. I have no idea why they haven't changed their ways yet, because I don't work for them and have no idea what goes on behind the scenes.

I'll say this, though: Sooner or later we need to get rid of passwords and adopt other authentication techniques. That's easier said than done because doing that costs money. But we've been talking about a world without passwords for years now. Bill Gates' keynote at RSA in 2006 was all about declaring passwords obsolete. Yet the needle hasn't moved much since then.

How many more breaches have to happen before the majority of companies start to get it? Who knows.

Stay tuned to CSOonline for more on this developing story.
