yahoo! fallout

David Gibson, Varonis: organisations should be providing forensic evidence when the worst happens.

Paul German, Certes: there is a fundamental step missing - damage limitation.
users should have been better protected and, even allowing for the fact that a breach occurred at all, that intrusion and theft should have been detected at the time. The fact that the company was quick to invalidate unencrypted security questions and answers, so they couldn't be used to access an account, is of scant comfort to those whose data has been taken and used for whatever purposes. The time lapse of two years between the breach and finding out they were victims was something of a double blow. If the breach had been discovered at the time, they might well have been less impacted.
In advice to all its account holders, Yahoo also made the following security recommendations:

- Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account
- Review your accounts for suspicious activity
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information
- Avoid clicking on links or downloading attachments from suspicious emails
- Additionally, consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.
These recommendations are mostly to be found in any issue of Computing Security magazine about the world we now live in - and, incidentally, have lived in for some time - as is Yahoo's warning about how an "increasingly connected world has come with increasingly sophisticated threats". Industry, government and users "are constantly in the crosshairs of adversaries", it states. That kind of statement now seems no more surprising than being told the sun will come up in the morning.
It's hard to see what solace its account holders will extract from Yahoo's undertaking that, through what are strategic proactive detection initiatives and active response to unauthorised access of accounts, "Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure".
DARK, DARK DAYS

Meanwhile, how have other industry observers generally responded to the breach? "With the complex, data-rich, IT environments organisations run today, there is always a high possibility of yet another breach, with customer data making its way onto the dark web," says Gavin Millard, EMEA technical director, Tenable Network Security. "As we continue to add more technologies to our networks and as attackers become more sophisticated, it's important that organisations have a rapid process for determining the impact of the breach and a robust approach in addressing the ensuing post-breach fallout."
Leo Taddeo, chief security officer, Cryptzone, states that the loss of unencrypted security questions and answers creates a risk for enterprises that rely on this technique to enhance security for traditional credentials. "The best defence is to deploy access controls that examine multiple user attributes before allowing access. This type of 'digital identity' makes it much harder for a hacker to take advantage of the type of information lost by Yahoo," he comments.
Alex Mathews, EMEA technical manager, Positive Technologies, points out how almost every year we see reports of millions of leaked accounts of Yahoo/Hotmail/Gmail/iTunes/etc. He stresses the need for complex password protection on the part of users and the responsibility that also lies with them to do everything to keep themselves safe.
20 computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk