
Yahoo, How The Heck Did They Miss It?

LESSONS TO LEARN FROM THE YAHOO BREACH…

Chris Roberts, Chief Security Architect


Overview
•  Intro and brief overview (feels odd not standing on stage waving arms around…)
•  Lawyers and the 10 second rule…
•  Straight down to brass tacks: How much did Yahoo get wrong?
•  This will be short: What did Yahoo do right?
•  Realistically, what should we be considering as changes to our 2017/2018 focus?
•  Realism vs. Pessimism
•  Static vs. active defense: The Maginot line and a quick poke at the French.
•  Sobering moments and a little sunshine…
•  Blame Russia!
•  Fixing things, metrics, passwords and humans and the IoT :)

•  We have between 25 and 45 mins to disseminate the info, so sit back, grab a drink and off we go.
An admission:
•  Up until yesterday afternoon I thought I was part of a panel doing this, didn’t have slides or anything
more than talking notes. Needless to say, I was a little surprised when I realized it would be me solo
waving my electronic arms around.

•  So…I locked myself away last night, somewhere quiet…

•  And worked

•  If I smell, sorry, you are on the other end of a computer, bear with me.

•  I’m just glad of WiFi


Lawyers et al

I’m going to simply assume that there’s lawyers on the call: I feel it is only fair to give you a 10 second head start
and a wind advantage.

•  We will assume there are Yahoo and Ex-Yahoo people here.


•  To the geeks who TRIED to get the leadership to give a damn: Thank you…
•  To the ones who missed the ongoing signs: Learn.
•  To the ones who wanted the right tools: This is for you!
•  To those who were oblivious: Wake the F*** up (Please!)
•  To leadership who didn’t listen: No words describe you.

•  To everyone watching this: PLEASE learn from others.


Brief recap
•  All familiar with the breaches at the Internet company…if not, here’s a quick recap
•  2012 Yahoo Voice (subdomain of Yahoo’s main site) breached and data, passwords stolen (going back to 2006)
•  2013 breach, separate from the next one on the list but pinned as the one that time forgot…1 Billion accounts compromised.
•  2014 breach, this is the confusing one, 500 Million accounts compromised, IS separate from the 2013 1 Billion, but has similar
data footprint.

•  Other instances and issues that Yahoo is often accused of…


•  2012 Yahoo data for sale on multiple sites, initially thought to be direct hack, likely now considered pieced together from LinkedIn,
etc.
•  2015 Multiple sightings of the Yahoo data being for sale, this prompted a number of people to suspect a hack during this year.
•  2016 Several “Yahoo’s been breached again” people stepped up. I was among them (fearing that 2015 was just repeating itself)
however it seems that 2016 was simply the final realization that prior data was hitting the open market (initially 200 Million
accounts)
•  Think that’s about it from the main ones, with that being said, some thoughts:
•  I wasn’t there, I wasn’t scrambling to deal with the messes over the last 5 years or more.
•  I’ve not worked for them or had to deal with the aftermath directly.
•  I’ve been fortunate to sit on the sidelines and observe…if you are ok with that perspective then we’re good.
In fairness, that last slide should probably be the CEO in Yahoo’s case
Let us start with the simple statement:
It is not if you get breached it is when and occasionally how often…

Familiar?!?
Squirrel moment:
•  READ Kübler-Ross, pick your stage of grief based on your status in this mess, and then move forward!
•  5 stages of grief:
•  Denial
•  Anger
•  Bargaining
•  Depression
•  Acceptance
•  The biggest barrier to improvement efforts is the natural defensiveness of EVERYONE involved in breaches who
initially see the process and data as negative.
•  The grief model gives an outline of the phases through which we must move to be ultimately successful.
Squirrel moment over:
So, how much did they get wrong?
•  Arguably the two simple things that they got wrong were:
1.  How they handled the breach once they were aware of the situation: Incident handling.
2.  How they recovered from the breach once the initial WTF moment passed: Recovery.
•  Incident handling:
•  Detection: nope, failed here multiple times; LE had to tell them (or find the data for sale on the open market.)
•  Analysis: failed; when you do analysis and miss a billion accounts…something’s wrong.
•  Containment: yea, nope, moving swiftly along…
•  Eradication: nope, not in three attempts, and blaming state actors is never good unless you HAVE evidence
•  Recovery (see below)
•  Recovery:
•  To improve and reduce or eliminate any recurrence of the incident… Nope, last count 3-4-5 breaches?
•  To gain an understanding of the impact upon the business, yep IF we tell our users we’re screwed…
therefore “keep digging”?
•  To provide clear and concise reporting to leadership…Yes, but no action?
Let’s not forget the elephant…

•  2012 breach… 450,000 people NOT notified


•  2013 breach… REPORTED December 2016
•  2014 breach… REPORTED September 2016
Ok…how much did they get right?

Bugger all…
BUT! All the data was encrypted…
•  Doesn’t that count for something?
•  NO! Not when the algorithm was cracked before most geeks were born!
•  If my data is encrypted at rest am I secure?
•  NO! Not when you use an algorithm that was flawed in 1996
•  If my data is encrypted in motion am I secure?
•  NO! Not when you use an algorithm that has FREE websites to crack it!
•  Will I pass the audit if I am using encryption?
•  YES! You will if the auditor doesn’t ask WHAT bloody encryption you use.

•  STOP fooling the auditors AND yourself… Leave MD5 to die peacefully.
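The migration that slide asks for, as an added example (Python, not code from the talk or from Yahoo): a minimal password store that still verifies legacy unsalted MD5 records (MD5 is a hash, which is how a password store, rather than "encryption", would have used it), rehashes each one with salted PBKDF2-HMAC-SHA256 on the user's next successful login, and audits how many legacy records equal an entry in a small wordlist. Usernames, passwords, the record format and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample store (assumption, not Yahoo data): two legacy records in the
# unsalted-MD5 style the slide criticises, keyed by a scheme prefix.
LEGACY_USERS = {
    "alice": "md5$" + hashlib.md5(b"Passw0rd!").hexdigest(),
    "bob": "md5$" + hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Assumption: OWASP's 2023 figure for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, slow hash. Returns 'pbkdf2$<iterations>$<salt hex>$<hash hex>'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Check a password against either record format using constant-time comparison."""
    scheme, rest = stored.split("$", 1)
    if scheme == "md5":
        # Legacy path: unsalted and fast, kept only so existing users can still log in.
        return hmac.compare_digest(rest, hashlib.md5(password.encode()).hexdigest())
    if scheme == "pbkdf2":
        iters, salt_hex, hash_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), hash_hex)
    return False  # unknown scheme: refuse rather than guess


def login(store: dict, user: str, password: str) -> bool:
    """Verify; if the record is still MD5, rehash it while the plaintext is in hand."""
    stored = store.get(user)
    if stored is None or not verify_password(stored, password):
        return False
    if stored.startswith("md5$"):
        store[user] = hash_password(password)
    return True


def audit_legacy_hashes(store: dict, wordlist: list) -> list:
    """Defender's audit: usernames whose legacy MD5 record equals a wordlist entry.
    Unsalted MD5 makes this a plain dictionary lookup; salted PBKDF2 records are skipped."""
    lookup = {hashlib.md5(w.encode()).hexdigest() for w in wordlist}
    return sorted(u for u, h in store.items()
                  if h.startswith("md5$") and h[4:] in lookup)
```

Run the audit before and after a login to see the legacy record disappear from the weak list once it has been rehashed.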
Seriously…how much did they get right?
•  OK, the last slide wasn’t too fair, so let’s take a look and see what redeeming features we can find in this.
•  Security Policy
•  It had to be there in some form, but obviously NOT effective, so in practice both useless and dangerous.
•  Organization of Information Security
•  When the leadership team won’t pay attention OR action simple security solutions you have a toothless tiger.
•  Asset Management
•  All your source code (remember the cookies) belongs to someone else? Yep, this one’s got some holes too.
•  Communications and Operations Management
•  Given “protection against malicious code” is in the middle of this… I’m afraid we can’t even give them this.
•  Access Control
•  Let’s see, someone has been in your systems for years siphoning your data (close to 2 Billion with all tallies) so nope.
•  Information Security Incident Management
•  Detect and manage incidents… The ONE redeeming thing here is that eventually they came forward and admitted guilt.
•  Compliance
•  There’s probably a lawyer somewhere IN Yahoo who thinks they did the right thing by not fessing up about the breach, probably a
loophole in compliance that they used… To that lawyer…”may you live in interesting times.”
OK, so realistically where’s this going?
By 2020 there will be somewhere between 26 and 30 billion devices connected to the Internet.

How many of YOU know what your vendor, your partner, your supplier is doing with YOUR data?

Most organizations have no concept of data classification, let alone understand WHERE all their data resides.
And over to the senior pessimist…
•  How many people watching this are investing money in security products?
•  How many of you feel more secure?

•  How many of you think that you are keeping pace with the attackers?
•  How many of the attackers are holding onto your data and you don’t even know it?

•  How many of you are continuing to invest in static security products?


•  Have they REALLY worked in the past?

•  How many of you invest the same amount of money in those blinking lights as you do in your users?
•  Social engineering is not a dying art…it’s alive, well and probably has eyes on your company.

•  How many of you have to go through mandated assessments?


•  How many of you consider the auditor an adversary? Why?

•  How many of you care more about the perception of a breach as opposed to guilt over losing MY data?
•  It’s never good when you put the reputation of the company ahead of those trusting you to protect them.

•  How many of you look outside your 4 walls, assess your vendors, partners, contractors, etc.?
•  Given the plethora of attack vectors those afford us…someone needs to be paying attention!
I think Despair.com sums up the current feelings
Let’s talk defense for a moment:
The goals of data security:

•  Protect information from those who are not authorized to receive it (intrusion and espionage).
•  Protect against misuse of information (including by authorized users).
•  Guard against open and legal collection efforts that can harm a company.
•  Carefully control the information that a company publishes about itself.
•  Anticipate and monitor threats to a company and build effective countermeasures.
The French (you’ve been waiting for this)
•  Traditional security relies on firewalls, encryption, passwords, and other static defenses that
hackers are constantly and successfully working to get around.
•  Active, preventative and predictive security works to identify, monitor, and counteract ongoing
threats.
•  Are you relying on the cyber-version of the Maginot Line?

•  I think we have to argue that Yahoo’s security was this:


•  Reportedly they spent $250M on Security… on what??

•  Please note, above is the SOLE use of the word cyber


Proactive and Predictive Defenses
•  If we are playing buzzword bingo at RSA this year, my money is on these two words…
•  Actually, given the Acalvio crew and the awesome work on Deception 2.0 I expect that to trend in bingo too!

•  Static defense plays a role, I am not advocating throw out your firewalls or A/V, but I am advocating you
supplement it with something other than another damn blinky light that nobody watches.
•  Get a solution that does the watching FOR you, preferably something that doesn’t stick out like a sore thumb
and itself becomes an attack vector!

•  Simply put, waiting to invest in security is, arguably, these days a death sentence for the very organization you
have been employed or retained to protect.
•  Oh, and when times are hard… PLEASE try to not cut security spending first, learn from Yahoo’s mistakes.
A sobering moment…
•  You can’t stop us from getting in.
•  Simple truth, and debatable for as long as you like, for every instance you give us of a technology that is “meant
to be a barrier” we will give you several ways past that illusionary roadblock.
•  You put a firewall in place; we went past those in the 90’s and never looked back.
•  You put IDS/IPS in place and we can bypass that.
•  You use DLP, but you leave port 80 open for web traffic, or you don’t filter… we can exfiltrate anything.
•  You have “deep packet inspection” but we’ve been bypassing that since 2012.
•  You have patches…congratulations we have 0Days.
•  You have Antivirus…congratulations it’s at best 3-7% effective and half the time is disabled.
•  You have endpoint protection, but logs are local and nobody reviews them.
•  You have a SIEM fully installed…and you have more alerts than a full team of minions can handle.
•  You have IoT; we now have an entire landscape of attack vectors that are unmonitored.
•  You have built in encryption, but the computer is ON which bypasses it.
•  You WOULD have policies, procedures and controls IF you could all agree and not fight.

•  YOU have to be successful 100% of the time; we only have to get lucky once.
A ray of sunshine…
•  What you CAN do though is build a security architecture around restricting my movements.
•  My landing point is simply that, somewhere to rest my feet while I survey my new domain.
•  Once I’ve landed and set up camp I need to escalate and move around YOUR environment.
•  I’ll make noise.
•  I’ll be checking into files, folders, systems and anything I can find to give me that edge.
•  I’m going to be rooting around all over your company…these days for an average of 190+ days before the alarm
goes off.

•  Change that!
•  Set a baseline for user and system behaviors.
•  Understand your environments better than you do today!
•  And trap me! I should not be able to walk into anything at will, you have the capability to deploy the electronic
equivalent of lures, breadcrumbs and deceptions that act like Alice’s Wonderland…
OK, so what else CAN we do?

Blame the Russians!


Organizational maturity
•  What is the level of security maturity within your organization?
•  Nonexistent: There is no evidence of this standard or practice in the organization.
•  Initial: The organization has an ad hoc and inconsistent approach to this privacy standard or practice.
•  Repeatable: The organization has a consistent overall approach, but it is mostly undocumented.
•  Defined: The organization has a documented, detailed approach, but no routine measurement or enforcement of it.
•  Managed: The organization has a documented, detailed approach that is routinely measured and enforced.
•  Optimized: The organization has refined its compliance to the level of best practice.

•  If you are sitting there thinking “hey, that’s a cool idea” or “what the heck IS he on about”…
•  We should talk.
•  Now.
•  It’s probably too late, but heck at the very least you’ll hopefully have demonstrable losses less than Yahoo…
•  It could be worse, you could have $1 Billion removed from your valuation like they did.
•  You get the idea, get a baseline, get a plan and action the damn thing.
•  Although IF you are really sitting there thinking it’s a cool idea, we probably need to get some sensors in place to see how BADLY you’ve
been p0wned.
•  Come to RSA, we’re giving alcohol and a sensor to everyone in this demographic…
Lessons from Yahoo: Metrics
•  More informative metrics to define the effectiveness of security to the executives.
•  Better definition of what the executive need to see to help them understand security…and why it’s important
•  Exec: Don’t shoot the messenger
•  IT: Don’t coddle the Exec.
•  Exec: Pay attention to this shit please! Seriously, for a change actually give a DAMN about the people you are
meant to be protecting. This is no longer a bloody risk vs. reward game.
•  Maturity models: start to define one, start to understand where you are in it…and plan accordingly
•  Effective communication between:
•  Executive team (business agility)
•  Operations (cost efficiency)
•  Security (bulletproof systems)
•  Rope in the business (they own the data NOT IT/IS/InfoSec)
•  Rope in HR, legal, compliance, risk etc…make them part of the decision tree!
Lessons from Yahoo: Passwords
•  Feel like I’m beating a dead horse…but it would be nice for once to NOT break into a company because
defaults or outright dumb passwords are being used.
•  Would be nice to break into somewhere where biometrics or smartcards are in widespread use, or two factor
correctly deployed.
•  The “cost” argument of deploying is BS… cost of remediation is 8x the cost of deployment; start fixing your
passwords (please)!
•  User education, user awareness, user understanding AND executive buy-in…NOT on the exclusion list.
•  QUIT MAKING IT EASY! NO DEFAULTS! NO “Passw0rd!”
•  Pass-phrases, seriously use them!
•  Different pass-phrases/words for different categories of risk
•  ANY website that “only” allows 6-8 Characters with no specials (because the developers don’t know how to
make it work) Firebomb them…you KNOW who you are (automotive finance sites, retailers, etc.)
If you are on here you need to leave now...
•  I have many different things I want to do with you and none of them are repeatable in a public forum.
•  Many involve hot pokers…
•  Some involve ants and sand…
•  You get the idea it’s not pretty.
•  You KNOW better but are too lazy to comply and to
hold up YOUR end of the security bargain.
•  You ARE a threat and will be the common point of
compromise.
Actually stay, you ARE my target & landing zone!
Lessons from Yahoo: Humans…

Thanks to threatgeek.com!
More thoughts:
•  All your data belongs to:
•  Samsung (your TV viewing habits, regular screenshots and ransomware)
•  Google…yea pretty much anything you do
•  Your car…welcome to the infotainment system, V2V and V2X
•  Map Apps….who are working with the advertisers (and your car)
•  Social media…that’s more your fault than anyone else!
•  Your toaster…it’s connected to the smart-system in your house :)
•  Your coffee machine…IoT KNOWS you need coffee at 7am
•  Etc.
•  Welcome to the Internet of everything, all your data belongs to ????
We are more than just a number, a statistic, a line item on a
Cyber Liability insurance claim!
In closing:
•  Per the opening statement…I’m locked away and it’s 4am…so bear with me:
•  The Yahoo breach was a mess on many levels.
•  The blame game can be played out in a number of different ways, it doesn’t change the facts that they got
their asses handed to them several times and were unforgivably remiss in notifying any of us.
•  YOU might be next, so mock them carefully.

•  Security is not a point solution, it’s a journey, a game of chess and a learning process AND we are playing catch
up. However you have to translate that into CEO/CFO speak, DO it!
•  Stop talking about how we can’t do things.
•  Talk about how DO we solve these issues.
•  We have to change our approach:
•  Focus on who is interested in your data. (REAL threat intelligence, not the crappy stuff)
•  Focus on where that data actually is. (This one’s a doozy, sorry!)
•  Focus on you, your vendors, partners and 3rd parties.
•  Focus on your people, remember training them is less than one blinky bloody firewall.
•  Please look beyond the stagnant, static Maginot line style defenses that are failing you.
So Long And Thanks For All The Fish...
…Douglas Adams, you are missed.

•  With HUGE thanks to BrightTALK for putting up with me!


•  To Acalvio for doing the same, for Nat, Ram, Sreenivas, Raj and the ENTIRE team for everything!
•  To the community, we have a bloody good one (albeit dysfunctional at times) use it when you get stuck!
•  To threatgeek and the cartoons! To Warner Bros. & Chuck Jones for the various characters…
•  To EFF for putting up with me and HFC for just being most excellent! And of course Eddie!
•  To Jen for editing this at 6am! The reason this makes sense is because of her :)

•  Hopefully this has been both insightful AND entertaining (and not death by PowerPoint)
•  Hopefully some of this is useful, and you can download, print and beat people over the head with it!
