CS1701

yahoo! fallout
David Gibson, Varonis: organisations
should be providing forensic evidence
when the worst happens.
Paul German, Certes: there is a
fundamental step missing - damage
limitation.
users should have been better protected
and, even allowing for the fact that a breach
occurred at all, that intrusion and theft
should have been detected at the time.
The fact that the company was quick to
invalidate unencrypted security questions
and answers, so they couldn't be used to
access an account, is of scant comfort to
those whose data has been taken and used
for whatever purposes. The time lapse of
two years between the breach and finding
out they were victims was something of
a double blow. If the breach had been
discovered at the time, they might well
have been less impacted.
In advice to all its account holders,
Yahoo also made the following security
recommendations:
Change your password and security
questions and answers for any other
accounts on which you used the same or
similar information used for your Yahoo
account
Review your accounts for suspicious
activity
Be cautious of any unsolicited
communications that ask for your
personal information or refer you to
a web page asking for personal
information
Avoid clicking on links or downloading
attachments from suspicious emails
Additionally, consider using Yahoo
Account Key, a simple authentication
tool that eliminates the need to use
a password altogether.
These recommendations are mostly to be
found in any issue of Computing Security
magazine about the world we now live in -
and, incidentally, have lived in for some
time - as is Yahoo's warning about how an
"increasingly connected world has come with
increasingly sophisticated threats". Industry,
government and users "are constantly in the
crosshairs of adversaries", it states. That kind
of statement now seems no more surprising
than being told the sun will come up in the
morning.
It's hard to see what solace its account
holders will extract from Yahoo's undertaking
that, through what are strategic proactive
detection initiatives and active response to
unauthorised access of accounts, "Yahoo
will continue to strive to stay ahead of these
ever-evolving online threats and to keep our
users and our platforms secure".
DARK, DARK DAYS
Meanwhile, how have other industry
observers generally responded to the
breach? "With the complex, data-rich, IT
environments organisations run today, there
is always a high possibility of yet another
breach, with customer data making its way
onto the dark web," says Gavin Millard,
EMEA technical director, Tenable Network
Security. "As we continue to add more
technologies to our networks and as
attackers become more sophisticated, it's
important that organisations have a rapid
process for determining the impact of the
breach and a robust approach in addressing
the ensuing post-breach fallout."
Leo Taddeo, chief security officer, Cryptzone,
states that the loss of unencrypted security
questions and answers creates a risk for
enterprises that rely on this technique to
enhance security for traditional credentials.
"The best defence is to deploy access
controls that examine multiple user
attributes before allowing access. This type
of 'digital identity' makes it much harder for
a hacker to take advantage of the type of
information lost by Yahoo," he comments.
Alex Mathews, EMEA technical manager,
Positive Technologies, points out how almost
every year we see reports of millions of
leaked accounts of Yahoo/Hotmail/Gmail/
iTunes/etc. He stresses the need for complex
password protection on the part of users and
the responsibility that also lies with them to
do everything to keep themselves safe.
20
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk