Yahoo Didn’t Make Security a Priority According to Insiders

The New York Times published an interesting piece on the Yahoo breach.  The Times says that 6 years ago Yahoo, Google and a number of other tech companies were hacked by the Chinese.

That is where the similarity ends, according to the Times.

At Google, co-founder Sergey Brin took the hack personally.  Google hired hundreds of security engineers, using 6 figure signing bonuses as incentives.  Google invested hundreds of millions of dollars.

Yahoo, on the other hand, didn’t do that.  They did not invest in the same kinds of people and technology that Google did.

Marissa Mayer was more interested in creating a pretty user interface than a secure company.

I still remember an interview with Mayer where she was asked about using a PIN on her phone.  She said that would be inconvenient.  That’s not inconvenient.  Inconvenient is when you are hacked to the tune of 500 million user accounts.  That is quite inconvenient for your users.

Yahoo also has a security team.  They are known as “The Paranoids”.  I often refer to myself as paranoid – that goes back to my days as the security guy at a large defense contractor – but I am not sure that, at Yahoo, “Paranoids” was a positive appellation.

The Times said that The Paranoids often clashed with Yahoo execs over costs of security features and the impact of the security on usability for Yahoo’s customers.  Apparently, Google’s customers are more understanding.

A Yahoo spokesperson said that the company spent $10 million on encryption technology in 2014.  For a company being sold for almost $5 billion, $10 million is a drop in the bucket.  She also said that their investment in security increased by 60 percent between 2015 and 2016.  They probably needed to increase it by 600 percent instead.  She did not say how much they spent.

Also, Yahoo played all of their breaches – likely at least four of them – very close to the vest. They didn’t admit, until now, two of the breaches – one with 200 million users and the other with 500 million users.  Yahoo says these breaches are NOT the same.

After the breach in 2010 Google started paying bug bounties to researchers to find bugs and holes.  Yahoo eventually did that, but not until three years later.

Even after Edward Snowden told the world that Yahoo was a frequent target of foreign nation spies, they still didn’t hire a new Chief Information Security Officer for a year.

Yahoo also resisted implementing end to end encryption because it would get in the way of them reading your mail to offer certain services.

While The Paranoids were passionate about their work, that didn’t translate into increased budget and respect.  Many of them left Yahoo for other companies.

Whether Congress, the SEC, numerous shareholder lawsuits and the risk of the Verizon buyout blowing up will get their attention or not is unclear.  Hopefully, it will.

Information for this post came from the New York Times.

Insurers Say Cancer Center “On Its Own”

I wrote about 21st Century Oncology in March (see post here) when the FBI came knocking on their door.  The result?  2.2 million records compromised.  At that time they said that they likely did not have enough insurance to cover the costs of the breach.

Fast forward six months.

Law360 is reporting that Charter Oak Fire Insurance and Travelers Property Casualty Co. have asked a Florida court to rule that they have no duty to defend.

There are currently 17 class action suits pending.  If these insurance companies are found to have a duty to defend 21st Century Oncology, they will spend millions doing that.  Maybe tens of millions.

This incident was a cyber breach.  These insurance policies do not appear to be cyber policies.  Given that 21st Century has already said that they are concerned that they do not have enough insurance, they are likely grasping at straws.

Part of the reason that these lawsuits have been filed is that the plaintiffs say that 21st Century should have notified them sooner.

The breach happened, they say, around Oct. 3, 2015.

The FBI told them about the breach on Nov. 13th.

21st Century notified patients of the breach on Mar. 4, 2016, at the request, they say, of the FBI to delay notification.  I am not familiar with Florida law, but most states have an exemption from prompt notification when law enforcement requests it.  Assuming this is the case in Florida and assuming the FBI did ask for the delay, I don’t think this part of the case has much of a chance of succeeding.  However, I am not a lawyer and I certainly don’t pretend to be able to predict what juries will do.

I assume that the 17 pending class actions have a lot more claims in them that they will have to defend against.

The company’s 10-Q for the first quarter of 2016 said that they are “highly leveraged”, with over $1 billion of long term debt and are experiencing losses from operations.  Given the financial challenges that they will have to deal with over the next several years, this is not a great situation.  They have not revealed how much coverage they have.  I don’t think I would buy their stock right now.

For other companies, this is a great opportunity to look at the risks that they face and the coverages that they have and determine if they are aligned with each other.

Many companies have a $1 million or $3 million cyber liability policy.  For small companies, this is probably fine.  For a company with 800 physicians and 140 facilities, how much coverage is appropriate – in a highly regulated, highly targeted industry?  How much coverage could they buy at any price?

And, you can count on the fact that come renewal time, either they won’t be able to renew, the retained liability (deductibles) will be through the roof or the premium will be out of sight.  We already saw this with Anthem after their breach.

I suspect that their troubles are only beginning.

My recommendation is (a) plan now, (b) have enough coverage and (c) make cyber risk mitigation a priority.

Information for this post came from Law360 (registration required).

That App You Just Installed – It Might Be Listening To You

If you were not paranoid before, you may be now.  According to a lawsuit filed last month, the Golden State Warriors’ app turns on your phone’s microphone in order to figure out where the owner is, in order to serve ads to the user.

The suit names the NBA team, Yinzcam, Inc., which developed the app, and Signal 360, which licenses the technology that makes it all work.

The law firm that filed the suit, Edelson PC, and attorney Christopher Dore said that they plan to bring lawsuits against almost a dozen pro sports teams for violating people’s privacy.

While the purpose of the technology is to use the mic to listen to beacons in and around the arena to serve ads, the microphone has to listen to your conversations as well in order to do that.

In theory they might be able to throw out your conversations, but then again, maybe not.

The app does this whether it is in the foreground or in the background.

While the app does request permission to access your phone’s microphone, it doesn’t clearly explain why or what they are collecting.

While this suit only addresses Android users, there is an iPhone app as well.  Apparently, the way that the app requests permission on an iPhone is different, so the suit doesn’t cover Apple users.  That doesn’t mean that the Apple app is not doing the same thing, however.

The suit is asking for damages for each of the 100,000 users who downloaded the Android app.

The team did not respond to requests for comment.

Most people do not bother to even look at the permissions that apps ask for.  Most users would not even consider not installing an app that asks for too many permissions.

This is an example of what happens when you don’t do that.

This is far from the only app that uses the Signal 360 technology and the firm is attempting to file other lawsuits on behalf of users of other apps that do the same thing.

One other thing to consider.

Not only would the app record your voice, but it would record the voice of anyone nearby, so even if you haven’t installed the Warriors app, it doesn’t mean that you are not being recorded.

THIS is why Snowden made people take the batteries out of their phone or put their phone in the freezer (the metal box does a good job of shielding the phone from communicating).

So next time you install an app or even say something private, consider that a nearby phone may be recording the conversation.

Maybe the FBI should use this technology?

MAYBE they already are!

Even Though 9 in 10 Firms Breached, Few Worried About Future Incidents

Lloyd’s of London released a study that said while 92% of firms have been breached, only 42% are worried that they will be breached again in the future.

Either, this means that those 92% learned an incredible lesson and completely changed the way that they run their businesses as a result of being breached ….. or, perhaps, they are deluding themselves.

Which do you think is right?

Some other statistics from the study.

Only 13% think they will lose business as a result of a breach.  Ask Tillage Commodities, who last week shut down as a result of a breach.  Or ask Yahoo, who is already losing customers as a result of their announcement of a two year old breach.  Ask the Yahoo investors who will likely get less money as a result of the breach – because the cost of paying for the breach will come out of the proceeds of the sale – and possibly the sale price will change.

The EU General Data Protection Regulation goes into effect next year.  The EU GDPR requires very strong privacy protections for companies that do business in Europe, no matter where the companies themselves are located.  97% of the respondents said that they have HEARD about it but only 7% say that they know a great deal about it.  For companies that do business in the EU, the GDPR will have a major impact on them in the next 12 months or so, so not knowing much about it could get very expensive.  57% said they know little or nothing about it.

Only a little over half – 58% – were aware of the fact that they could be penalized up to 4% of annual revenue – not profit – in situations where they violated that law.

Amazingly, 42% said the loss of paper with information on it was the biggest risk.  Really?  Do they think that hackers from China snuck into America, broke into Lockheed Martin and stole the paper plans for the F-35 fighter airplane?  I don’t think that is the way it happened.  Maybe I am wrong.

The report concludes that maybe businesses figure that they have already lost the war and are waiting to be executed by the cyber red-army.

That sounds like a pretty defeatist attitude and one that I am not willing to give into.

Information for this post came from Business Reporter.

The Internet of (Scary) Things

UPDATE:  Brian’s web site is not back with Akamai, but rather with Google’s Project Shield.  Project Shield is an effort by Google to support free speech for journalists around the world.  If they accept your web site, there is no cost.  And Google probably has a fair amount of both bandwidth and brainpower to stop cyber attacks.  No doubt they get attacked from time to time.

Brian Krebs is a former WaPo writer who focused on cyber security until the Post decided that cyber security was not their thing.  When he and the Post parted ways, Brian started a blog called Krebs on Security (which is a great blog if you don’t already read it) and wrote a book on the innards of the Russian spam mafia.

Very recently he exposed a group of Israeli “business people” who run a large DDoS for hire service called vDOS.  A DDoS is an attack against a target web site designed to flood the site with traffic and effectively shut it down.  His attention to vDOS got the owners arrested.

About four days ago his web site was taken offline by a very large, sustained DDoS attack.  His site is hosted by Akamai (for free) and they told him that they were going to have to shut down their support because they could not handle the attack – it was too much for them.

The attack measured a sustained attack rate of over 600 gigabits per second.  This, Akamai said, was double the next largest attack that they had ever had against any customer.

What was going on behind the scenes is not clear, but the tech community came down on Akamai like a ton of bricks.  Akamai competitor Cloudflare offered to host the site.

72 hours later the site is back online, apparently with Akamai.  During those 72 hours, I think, Akamai engineers analyzed the attack and figured out a way to mitigate it.

Many of these large attacks use an attack technique called amplification.  With amplification attacks, the attacker sends out a relatively small stream of data and the attack gets amplified many times as it hits the target.  One example of an amplification attack is a DNS attack where the attacker sends a particular DNS request to a DNS server to resolve with the “sender” of the request spoofed to be the target.   Because of the way the request is structured, a 40 byte request might generate a 4,000 byte response to the target, so, in this hypothetical case, we have an amplification of 100x.   This means that if the attacker has/uses 1 gigabit of bandwidth, he would generate 100 gigabits of attack traffic on the target.  Very few sites can survive under this attack without the support of a firm like Akamai or Cloudflare and their site would stay down until the attacker got tired.  That could be minutes, hours or days.
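The amplification arithmetic in the paragraph above, worked through in code as an added example that is not part of the original post. It computes the factor and the resulting attack bandwidth from the post’s 40 byte / 4,000 byte / 1 gigabit figures, and then applies the same byte-ratio idea as a detection check from the other side: a resolver operator looking at their own flow records for a client address that receives far more response bytes than the request bytes it apparently sent, which is what a server being used as a reflector looks like. The flow records, addresses (documentation ranges) and record format are constructed for the example; no real DNS server or capture is involved.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One UDP flow summary as a resolver operator might export it (constructed format)."""
    src: str
    dst: str
    direction: str  # "query" (client -> resolver) or "response" (resolver -> client)
    nbytes: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Response bytes produced per request byte; the post's 40 -> 4,000 case is 100x."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def attack_bandwidth_gbps(attacker_gbps: float, factor: float) -> float:
    """Rate the spoofed target sees when the attacker's upstream rate is reflected and amplified."""
    return attacker_gbps * factor


def reflector_ratios(flows):
    """Aggregate bytes per (resolver, client) pair and return (query_bytes, response_bytes, ratio).

    Queries are attributed to their claimed source address and responses to their
    destination. In a reflection attack the "client" is the spoofed victim, so this
    is the view a resolver operator gets of their own server being abused.
    """
    query_bytes = defaultdict(int)
    response_bytes = defaultdict(int)
    for f in flows:
        if f.direction == "query":
            query_bytes[(f.dst, f.src)] += f.nbytes
        elif f.direction == "response":
            response_bytes[(f.src, f.dst)] += f.nbytes
        else:
            raise ValueError(f"unknown direction {f.direction!r}")
    out = {}
    for pair in set(query_bytes) | set(response_bytes):
        q = query_bytes.get(pair, 0)
        r = response_bytes.get(pair, 0)
        # Responses with no matching queries at all are the extreme case; report them as infinite.
        ratio = amplification_factor(q, r) if q > 0 else float("inf")
        out[pair] = (q, r, ratio)
    return out


def flag_reflection(flows, min_ratio=20.0, min_response_bytes=100_000):
    """Return (resolver, client) pairs whose byte ratio and volume look like reflection.

    The ratio alone is not enough: one large legitimate answer also has a high ratio,
    so a volume floor keeps ordinary lookups out of the alert list.
    """
    flagged = []
    for pair, (q, r, ratio) in reflector_ratios(flows).items():
        if ratio >= min_ratio and r >= min_response_bytes:
            flagged.append((pair, round(ratio, 1)))
    return sorted(flagged)


# Constructed sample: a normal client and a spoofed victim, both "talking" to one resolver.
RESOLVER = "192.0.2.53"
NORMAL_CLIENT = "10.0.0.5"
VICTIM = "203.0.113.9"  # address appearing as the forged query source

SAMPLE_FLOWS = (
    [Flow(NORMAL_CLIENT, RESOLVER, "query", 60) for _ in range(3)]
    + [Flow(RESOLVER, NORMAL_CLIENT, "response", 120) for _ in range(3)]
    + [Flow(VICTIM, RESOLVER, "query", 40) for _ in range(100)]
    + [Flow(RESOLVER, VICTIM, "response", 4000) for _ in range(100)]
)

if __name__ == "__main__":
    factor = amplification_factor(40, 4000)
    print(f"amplification factor: {factor:.0f}x")
    print(f"1 Gbit/s of attacker bandwidth -> {attack_bandwidth_gbps(1, factor):.0f} Gbit/s at the target")
    for (resolver, client), ratio in flag_reflection(SAMPLE_FLOWS):
        print(f"{resolver} is reflecting toward {client}: {ratio}x")
```

The thresholds are assumptions chosen for the constructed sample; in practice they would be tuned against a baseline of the resolver’s normal traffic, and a flagged pair is the cue to rate-limit responses toward that address or to stop answering recursive queries from outside your own network, which is the usual fix for an open resolver.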

What is different about this attack is that rather than using a few drone computers and an amplification style attack – which is relatively easy to mitigate – this attack used hundreds of thousands of devices, which made it very difficult to block.

What is unclear right now is whether Akamai’s engineers mitigated the attack or the attackers made their point and moved on.

Now the scary part from the subject.

Brian is saying on his blog that it appears that these hundreds of thousands of devices may be infected Internet of Things (IoT) devices such as web cameras, digital video recorders and routers.

As I have written before, many of these devices have horrible security, making the process of turning them into zombies relatively easy.

The next scary part is what this means for businesses.  It is certainly possible that this could be the new norm for DDoS attacks.  We are dealing with a client now who has been DDoSed a number of times and every time that happens, their ISP just shuts down their Internet connection.  Sometimes for a few hours, sometimes for a day.  In the meantime this client’s users have to resort to using some other form of Internet access – maybe their cell phone data plan with its ridiculously slow speed and data caps – to get online.  This has a dramatic effect on their business.

My question for you today is “Is your business prepared to deal with a DDoS attack?”  All it takes is for someone to be upset with you for some perceived slight and you could be under siege.  There are many other DDoS for hire services like vDOS and their prices are insanely cheap.  They are hosted in places like Russia and Ukraine, so our ability to shut them down using the courts is pretty much nil.  When this happens, your ISP’s first strategy is going to be to turn off your Internet connection.  Now it is your problem.

You might say that you have a Service Level Agreement (SLA) with your provider and if they shut you off they have to pay a penalty.  I would say two things about that.  Let’s say that you pay $2,000 a month for your Internet connection (I know, most of you pay a lot less, but I want to make a point here).  In that case, your SLA probably says that they have to pay you $66 a day that you are down, but typically only if you are down for say, over 12 or 24 hours.  So they write you a check for $66 and your business is in the stone age for a day.  If you are down for a week, that would cost them $466.

How much would it cost you to be down for a day or a week?

IF you have cyber insurance and you have coverage that covers you for this kind of attack, the business interruption coverage might kick in.  We have seen a lot of those policies that have a 24 hour waiting period before coverage kicks in and if you are down for 18 hours each, several times over a month, that 24 hour waiting period applies to each event, typically.

AND, even more important, your ISP might say that the DDoS attack violates your terms of service, or that under the contract they are not liable for anything.  If they say that, you are left to sue them in court.  That is not a very positive scenario.

The moral of the story is that you need to have both an incident response plan and disaster recovery/business continuity plan.

For more information on the attack on Brian’s web site, read his blog, here.


Yahoo Breach – 500 Million Accounts Compromised

Unless you have been totally disconnected for the last 24 hours, you are no doubt aware that Yahoo announced what may be the largest breach of accounts in history – 500 million accounts.  Included in the hack were names, email addresses, phone numbers, dates of birth, hashed passwords and security questions.  They are saying, at this point, that credit card information and bank account information was NOT part of the hack.

While the passwords were encrypted with a strong encryption algorithm, given that the hackers have all the time in the world to decrypt them, they will likely be successful.  Also part of the haul were the security questions and answers.  Some of the questions and answers were encrypted; some were not.

Besides the fact that this information could be used to hack into people’s Yahoo accounts, if people reuse their passwords and security questions, that information could be used to access other accounts – potentially even bank accounts if the person used the same password or security questions.

Yahoo is telling people to change their passwords and security questions, but what is equally important is for people to change the passwords and security questions for any other accounts that used the same credentials.

You may also be aware that Verizon agreed to buy Yahoo for a little more than $4 billion.  Verizon said that they were not aware of the breach, which occurred in 2014 until two days ago – when the public became aware of it.

I guess no one at Verizon reads my blog – where I keep saying that companies need to conduct cyber due diligence prior to a buyout.

While both companies may be publicly committed to closing the deal, behind the scenes there has to be a lot of talk.  When did Yahoo know about the 2014 breach?  What is this breach going to cost – it won’t be cheap?  Who is going to deal with the regulators?  What about the inevitable lawsuits?  Should the deal be repriced?

NBC is suggesting that the closing of the merger may be delayed and Marissa Mayer who might have stayed on as part of the transition team will likely be given her walking papers sooner.  Of course, she likely doesn’t care as she will laugh all the way to the bank.

Unless, of course, regulators and/or Verizon discover that she knew about the breach and withheld that information.

Reuters is reporting (curiously on Yahoo News) that Yahoo said, in a September 9th regulatory filing, that they were not aware of any incidents of unauthorized access that could materially affect the acquisition.  The same article said that Motherboard emailed Yahoo on July 30th asking if they were aware that the hacker Peace was selling Yahoo credentials on the dark web.  They published a story on August 1st saying that Yahoo was aware.  This could come down, in court, to the issue of what the definition of is, is – as in is aware.

There probably are a bunch of investors – in both Verizon and Yahoo – that are pretty nervous right now.

Information for this post came from CNN, NBC and Reuters.