Even though it has been months since the news of the massive Yahoo breach came out, the fallout continues, showing that a data breach is not an isolated incident. The effects can linger and cause damage for a long time.
Last week, more details about the breach were revealed, as eWeek reported:
Yahoo has been attacked by a variety of different means in recent years, among them is a cookie forging attack the company publicly detailed in its 2016 10-K filing with the U.S. Securities and Exchange Commission (SEC).
Session hijacking in this way is a fairly well-known attack vector for sites that do not secure communications with their users, according to Nathan Wenzler, chief security strategist at AsTech. He added in an email comment that malicious, malformed or forged cookies have been an issue for quite a long time, and are still used where sites do not maintain encrypted channels of communication for all user sessions.
So, this isn’t an unusual method of attack. But the Yahoo breach stands out for a couple of things. First, the sheer scope of the breach makes this one different. With a billion records, more or less, compromised, it is difficult to find someone who wasn’t affected in some way. Second, it was Yahoo’s response, as Wenzler said to me:
For a company as large as Yahoo that has the resources to address securing its customers’ browser sessions, it seems almost negligent to me that there was not a great call to arms internally to fully investigate the situation and remediate the issue.
News today shows how Yahoo’s troubles continue, again lingering from an old breach. Passwords, usernames and email addresses for both Yahoo and Gmail accounts have been found for sale on the Dark Web, with all the information coming from breaches that happened several years ago. Almost 250,000 Yahoo accounts were posted for sale, culled from breaches to Adobe, MySpace and Last.fm, according to ComputerWeekly.com. A million Gmail accounts came from breaches at MySpace, Tumblr, Dropbox and Adobe. Some of these breaches happened as far back as 2008.
Seeing how a breach can continue to haunt you for years, it’s clear that organizations need to rethink their approach to data stored in the cloud. As Sanjay Kalra, co-founder and chief product officer at Lacework, told me in an email comment, today’s security solutions either force you to tag workloads manually or provide network-level security, but are blind to organizations’ elastic workloads and newly containerized applications, making these solutions ineffective. They also force you to set manual rules/policies, which is a non-starter and complex in today’s dynamic data centers/clouds. Kalra added:
Organizations today need security for dynamic data center/cloud workloads without requiring any policies/rules or manual tagging. They also need solutions in place to automatically discover hybrid cloud workloads, applications and users, along with their interactions that will help them reduce breach detection time from days, weeks and months to perhaps an hours’ time.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba