Today we learn that Yahoo!’s user database appears to have been compromised: 500 million accounts plus associated information including (apparently) hashed passwords.
The Mike Tyson Effect
And, of course, it was “state sponsored” (cough) (cough)
I call this the “Mike Tyson Effect” – when you get beaten up, you don’t want to tell your friends you got beaten up by PeeWee Herman, so, by the time you’ve told the story, the person who beat you up was incredibly skilled – probably a professional boxer like Tyson, or maybe a ninja, or Chuck Norris. After all, a company that suffers a major information security breach can’t come out and say “we screwed up, oops.” It’s necessary to misrepresent the skill of the attacker in order to downplay their own failure.
And, we know it’s a pretty typical-sounding failure. Apparently the breach happened 2 years ago.* That is in line with industry norms. According to the Verizon Data Breach Investigations Report (DBIR)** the average time to discover a breach is on the order of 100 days (depending on a variety of factors, I’m simplifying) – which is a big problem because the usual time between a breach and data being exfiltrated is under a week, usually a matter of days. So, Yahoo! got hit in a fairly typical way, and reacted in a fairly typical way; i.e.: they didn’t know they were hit.
The industry’s response to breaches has been lame, but not as lame as the NSA/CIA/FBI’s. By 2000 it ought to have been obvious to anyone with a website that their customer database was a target. Instead, with vigorous poking from legislators (who, themselves, demonstrate terribly poor information security practices) they focused on establishing a whole system of breach notification and indemnification for failure. So, if a provider leaks your personal information due to their incompetence and negligence, their liability ends when they tell you your information was leaked and that you should put a fraud watch on your bank accounts, credit cards, Experian, blah, blah, blah. I.e.: “we suck, but here’s all this extra work for you, and now we’re not responsible.” Want to guess who thought up that response regime? Yeah, the businesses’ lawyers had a little bit to do with it.
Record Count is A Poor Metric
The media, of course, do not help, because they do not understand security well enough to report sensibly about it. For example, why is the number of records leaked relevant?
Well, it’s not, really. But the media assume that if one instance of leaking is bad, forty million instances of leaking are worse. That’s not true, of course: leaking a few dozen administrative passwords is more severe than leaking every Twitter account’s password – simply because nobody’d be able to exploit all the Twitter accounts and it would only impact a small number of users, whereas exploiting administrative accounts compromises entire domains or meta-domains instantly. It’s frustrating for serious security practitioners, because the noise-level is high and the clue-level is low, so it’s hard to combat people’s tendency to focus on the wrong thing: “Well, Yahoo! lost 500 million users’ data, so we don’t have to worry, we’ve only got a million users, total, we can lose ’em all and nobody’ll notice!”
Security is a Sea Of Mediocrity
There are sad and disappointing things about all of these breaches. The Office of Personnel Management is a notorious exemplar of cluelessness that makes Yahoo! look minor in comparison. First off, yes, Yahoo! should have known they were a target (and did; I know their security people, or used to, if they haven’t all gone elsewhere) and should have had their systems set up to detect attacks against the user database. There are basic techniques that people like myself have been talking about for decades, which they should have done. Much like the NSA, CIA, State Department, Hillary Clinton, etc not having their file server logs turned on, they should have been looking at access logs against the database, using privileged access management and data isolation, as well as rule-based policy violation detection. Office of Personnel Management’s breach was worse because they had been getting warnings for years about vulnerabilities in their practices and apparently didn’t put two and two together and realize that the US Government’s employment database includes a lot of juicy stuff. Basically, it’s a list of everyone’s salary, job code, branch they work in, classification status, etc. It’s the “org chart” for the whole US Government, including the intelligence community. /facepalm
Now, I assume that any country spying on the US already has that information, on an agency-by-agency basis, but it sure was nice of OPM to put all that stuff in a single database so they can confirm it.***
In both cases, OPM, and Yahoo! – actually, all the cases I mentioned so far: NSA, CIA, State Department, Clinton, Democratic Party HQ … – the breach was not discovered as a result of competence within the organization. Some system administrator or security person didn’t say “Whoah!?” and look more closely at the logs. They learned they were breached when they woke up and read about it in the news, or on wikileaks, or some journalist called.
So, if you want to understand how badly security sucks, that’s the number right there: zero. That’s how many of the organizations I’ve mentioned detected the breaches in a timely manner. The figure above, from the DBIR (“Figure 9”) shows the scariest trend-line in security – the number of breaches detected by the victims themselves has been going steadily downward. So, while I place NSA, CIA, State Department, etc, in the Pit Of Suck, they’re going to have more and more company. And they will lie more and more egregiously about how they were hacked by cyberninjas from the 9th dimension, not drilled with a basic phishing attack by a bored sociopath.
I know a few heroes out there, that are locally reversing that trend. One CSO I know has the organization’s security practice aligned toward the objective of being able to catch a penetration-tester in real-time. Think about that: that’s actually a minimum level requirement. If you can’t catch your penetration-tester, who you hired to come try your security, you’re not going to have a ghost of a chance of catching a hacker. What’s crazy is that the organizations I know that do basic, solid security stuff? They have substantially fewer problems than the guys that don’t. Imagine.
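To make “looking at access logs against the database” and “rule-based policy violation detection” concrete, here is an added example of my own (not anything the post describes Yahoo! or anyone else as having deployed) that runs a handful of dumb, cheap rules over constructed database audit-log lines. The log format, the principal names, the app-tier subnet and every threshold are assumptions chosen for illustration; the point is what a minimal detection looks like, not the specific numbers.

```python
"""Rule-based policy-violation detection over database audit-log lines.

Added example, not code from the original post. The log format,
principals, subnet and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample audit log, one event per line:
#   <iso-time> <principal> <client-ip> <verb> <table> rows=<n>
SAMPLE_LOG = """\
2014-08-01T02:10:03Z svc_web 10.1.4.12 SELECT users rows=1
2014-08-01T02:10:07Z svc_web 10.1.4.13 SELECT users rows=1
2014-08-01T02:11:40Z svc_billing 10.1.9.2 SELECT invoices rows=40
2014-08-01T02:12:05Z jsmith 10.1.4.12 SELECT users rows=2
2014-08-01T03:01:00Z svc_web 10.1.4.12 SELECT users rows=250000
2014-08-01T03:02:10Z svc_web 172.16.55.9 SELECT users rows=1
2014-08-01T03:03:00Z svc_reports 10.1.8.4 SELECT users rows=8000
2014-08-01T03:04:00Z svc_reports 10.1.8.4 SELECT users rows=8000
2014-08-01T03:05:00Z svc_reports 10.1.8.4 SELECT users rows=8000
"""

# Policy (assumed): who may touch the user table, from where, and how much.
SENSITIVE_TABLES = {"users"}
ALLOWED_PRINCIPALS = {"users": {"svc_web", "svc_reports"}}
APP_TIER = ipaddress.ip_network("10.1.0.0/16")
MAX_ROWS_PER_QUERY = 10000          # a single query bigger than this is a bulk read
WINDOW = timedelta(minutes=10)      # sliding window for the slow-drip rule
MAX_ROWS_PER_WINDOW = 20000         # aggregate rows per principal per window


def parse_line(line):
    """Split one audit-log line into a dict of typed fields."""
    ts, principal, ip, verb, table, rows = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "principal": principal,
        "ip": ipaddress.ip_address(ip),
        "verb": verb,
        "table": table,
        "rows": int(rows.split("=", 1)[1]),
    }


def detect_violations(log_text):
    """Return a list of (rule, subject, timestamp) alerts for policy violations."""
    alerts = []
    window_rows = defaultdict(list)  # (principal, table) -> [(ts, rows), ...]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["table"] not in SENSITIVE_TABLES:
            continue
        # Rule 1: only allowlisted principals may read the sensitive table.
        if ev["principal"] not in ALLOWED_PRINCIPALS[ev["table"]]:
            alerts.append(("unexpected_principal", ev["principal"], ev["ts"]))
        # Rule 2: sensitive-table access must originate from the app tier.
        if ev["ip"] not in APP_TIER:
            alerts.append(("unexpected_source", str(ev["ip"]), ev["ts"]))
        # Rule 3: a single query that pulls far more rows than any page view needs.
        if ev["rows"] > MAX_ROWS_PER_QUERY:
            alerts.append(("bulk_read", ev["principal"], ev["ts"]))
            continue
        # Rule 4: slow drip. Queries that each stay under the per-query limit
        # still trip if their total inside the window exceeds the aggregate limit.
        hist = window_rows[(ev["principal"], ev["table"])]
        hist.append((ev["ts"], ev["rows"]))
        hist[:] = [(t, r) for t, r in hist if ev["ts"] - t <= WINDOW]
        if sum(r for _, r in hist) > MAX_ROWS_PER_WINDOW:
            alerts.append(("bulk_read_window", ev["principal"], ev["ts"]))
            hist.clear()  # one alert per run, not one per subsequent line
    return alerts


if __name__ == "__main__":
    for rule, subject, ts in detect_violations(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule}: {subject}")
```

Run against the constructed log this flags the non-service account reading the user table, the quarter-million-row read, the read from outside the app tier, and the three 8,000-row queries that individually stay under the per-query limit but add up. None of it requires attribution to cyberninjas; it requires that somebody actually be looking at the log, which is the part that keeps not happening.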
As a joke, a few years ago, I totalled up all the credit card/SS# breaches and it surpassed the population of the US. Yahoo! did that single-handedly. So, even assuming a healthy overlap, we can probably assume that the only Americans who haven’t had their information leaked are the ones who were born 5 minutes ago. And I’m not even sure about them.
Last, But Not Least:
If Yahoo! didn’t know about the attack for 2 years, how in god’s rolling green acres of fuck can they say NOW “it was state-sponsored”????
The heading “Security is a Sea of Mediocrity” sounds like something Jean Meslier would write, doesn’t it?
(* One trick I used to teach people was to have a procedure that runs every night that updates the birthday on a ‘tombstone’ user, let’s say Fred Fishlips: if someone offers to sell your database, you can tell if it’s yours because Fred Fishlips is there, and what day it leaked by looking at Fred’s birthday. There are lots of ways of fingerprinting data like that.)
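The tombstone trick in the footnote above, as an added example of my own (not code from the original post) using an in-memory SQLite user table. The schema, the Fred Fishlips e-mail address, the other user rows and the CSV dump format are all constructed for illustration; the nightly job is just a function you would schedule from cron.

```python
"""A 'tombstone' user whose birthday is re-stamped nightly, so that any copy of
the user table carries the date on which that copy was taken.

Added example, not code from the original post. Schema, identities and the
dump format are assumptions for illustration.
"""
import csv
import io
import sqlite3
from datetime import date

# Assumed canary identity. It must never belong to a real person, and it must
# look boring enough that a thief copying the table does not strip it out.
TOMBSTONE_EMAIL = "fred.fishlips@example.com"


def build_db():
    """Create a small user table with a couple of constructed users plus the tombstone."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT UNIQUE, "
        "birthday TEXT, pwhash TEXT)"
    )
    db.executemany(
        "INSERT INTO users (name, email, birthday, pwhash) VALUES (?, ?, ?, ?)",
        [
            ("Alice Example", "alice@example.com", "1979-03-14", "notarealhash1"),
            ("Bob Example", "bob@example.com", "1985-11-02", "notarealhash2"),
            ("Fred Fishlips", TOMBSTONE_EMAIL, "1900-01-01", "notarealhash3"),
        ],
    )
    db.commit()
    return db


def nightly_stamp(db, today):
    """The nightly job: move the tombstone's birthday to today's date."""
    db.execute(
        "UPDATE users SET birthday = ? WHERE email = ?",
        (today.isoformat(), TOMBSTONE_EMAIL),
    )
    db.commit()


def export_csv(db):
    """Simulate the dump a thief would take: the whole table as CSV."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["id", "name", "email", "birthday", "pwhash"])
    for row in db.execute("SELECT id, name, email, birthday, pwhash FROM users"):
        writer.writerow(row)
    return out.getvalue()


def fingerprint_dump(dump_text):
    """Given a dump offered for sale, return (is_ours, snapshot_date).

    The date is the last nightly stamp before the copy was taken, i.e. the
    copy was made on or after that day and before the next stamp.
    """
    for row in csv.DictReader(io.StringIO(dump_text)):
        if row.get("email") == TOMBSTONE_EMAIL:
            return True, date.fromisoformat(row["birthday"])
    return False, None


if __name__ == "__main__":
    db = build_db()
    nightly_stamp(db, date(2014, 8, 1))   # the night before the copy was taken
    stolen_copy = export_csv(db)
    print(fingerprint_dump(stolen_copy))  # (True, datetime.date(2014, 8, 1))
```

Two things a practitioner will want to note. First, the birthday dates the snapshot, not the sale: if the copy surfaces two years later, Fred tells you which night it was taken, which is exactly the question Yahoo! could not answer. Second, the same trick scales sideways: give each bulk export or partner feed its own tombstone and you can tell not just when but through which copy the data walked out.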
(** The awesome Jay Jacobs was the brains behind it for several years, now he’s gone on to do other things. I expect the DBIR to slowly become irrelevant. One issue already is that it’s a self-selected sample, representing incident reports of those organizations that were willing to report breaches and incidents to Verizon. We have no way of knowing how biased that sample is. I interview Jay on the DBIR and related topics here)
(*** That’s the real game. It’s one thing to think you know something about another country, but when they’re kind enough to have data that cross-confirms it, then you’ve got a measure of their IT competence as well.)