Venafi researchers outline crypto problems at Yahoo, say compromised data was likely encrypted

LOUISVILLE, KY – As Derby Con was winding down, an interesting email hit Salted Hash's inbox from Venafi. The security firm, known for its tools that secure digital keys and certificates, outlined a number of cryptographic issues at Yahoo.

The email then claimed they're not saying these flaws led to the massive data breach that impacted 500 million users. Yet that's exactly what their statements hint at.

In Venafi's experience, an emailed statement from Alex Kaplunov, Venafi's vice president of engineering, explains, breaches like the one suffered by Yahoo are often accompanied by weak cryptographic controls.

Granted, Venafi has a horse in the race, so this isn't an unusual statement for them to make, but it's interesting – as it could explain how Yahoo failed to notice half a billion records moving into criminal hands over time.

To test their theory, Venafi examined Yahoo's public-facing certificates over the weekend and found that 27 percent of the certificates exposed externally on Yahoo's websites have not been reissued since January 2015. Further, only 2.5 percent of the 519 certificates deployed have been issued within the last 90 days. This, Venafi says, suggests that Yahoo does not have the ability to find and replace digital certificates quickly.

Moreover, "a surprising number" of Yahoo digital certificates use MD5, which can be reversed with brute force attacks. MD5 also suffers from vulnerabilities, which have been exploited by malware used in alleged state-sanctioned espionage, such as Flame.

"All of the MD5 certificates in use by Yahoo! today and many of the other certificates Venafi Labs evaluated are self-issued. One current MD5 certificate uses wildcards (*.yahoo.com) and has an expiration date of 5 years. Certificates with long expiration dates, those that are self-issued, and those that use wild cards are all symptoms of weak cryptographic control," the research note explained.

Finally, Venafi found that 41 percent of the external Yahoo certificates use SHA-1. Major browser vendors have stated that they will stop accepting SHA-1 certificates in January of 2017.

"Any one of these cryptographic issues would leave an organization extremely vulnerable to attacks on encrypted communication and authentication," said Hari Nair, director of product management and cryptographic researcher for Venafi.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said "it seems very likely that the exfiltrated data was encrypted and that's how the attackers managed to move such a massive amount of data while staying under the radar of Yahoo! security tools. It's nearly impossible for any organization to detect unauthorized, encrypted traffic coming in or out unless they have strong cryptography practices."

"Yahoo has not replaced cryptographic keys and digital certificates over the last 90 days in any way that would represent a coordinated response to a breach. And even more troubling, known vulnerabilities like MD5 certificates combined with a wildcard certificate that has a 5 year expiration date make it clear that Yahoo lacks deep visibility into their cryptographic security posture. Organizations use encryption to secure everything – without a comprehensive understanding of cryptographic risks, there is absolutely no way to be confident about security or privacy," Bocek added.

While Venafi has stated they're not saying the Yahoo breach was caused by the cryptographic problems, it's been proven before that criminals hide their actions within encrypted channels. Again, Venafi has skin in the game, but their research offers an interesting theory.
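The symptoms Venafi's note lists (MD5 or SHA-1 signatures, self-issued certificates, wildcard names, multi-year lifetimes, and certificates not reissued within the last 90 days) can be checked mechanically against an inventory of parsed certificates. The Go program below is an added example written for this article, not Venafi's tooling or anything from Yahoo: it generates a constructed self-signed test certificate and audits it, with the two-year and 90-day thresholds chosen as assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{x509.MD5WithRSA: true, x509.SHA1WithRSA: true, x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true} // MD5 and SHA-1 families
// AuditCert returns the weak-control symptoms in one parsed certificate; the 2-year and 90-day thresholds are assumptions.
func AuditCert(c *x509.Certificate, now time.Time) []string {
	var f []string
	if weakSigAlgs[c.SignatureAlgorithm] {
		f = append(f, "weak-signature:"+c.SignatureAlgorithm.String())
	}
	if c.Issuer.String() == c.Subject.String() { // issuer equals subject: self-issued
		f = append(f, "self-issued")
	}
	for _, n := range c.DNSNames { // wildcard SAN entries such as *.example.com
		if strings.HasPrefix(n, "*.") {
			f = append(f, "wildcard:"+n)
		}
	}
	if c.NotAfter.Sub(c.NotBefore) > 2*365*24*time.Hour { // long-lived certificate
		f = append(f, "long-validity")
	}
	if now.Sub(c.NotBefore) > 90*24*time.Hour { // not reissued within the 90-day window
		f = append(f, "not-reissued-in-90d")
	}
	return f
}
// MakeTestCert builds a constructed self-signed certificate to audit (sample data, not a real Yahoo certificate).
func MakeTestCert(cn string, alg x509.SignatureAlgorithm, notBefore time.Time, years int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(years, 0, 0), SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run AuditCert over certificates collected from a TLS scan of your own estate to get the per-certificate findings that the article summarises as percentages.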
Salted Hash has reached out to Yahoo for comment, and will update this post if they choose to respond.