This week’s Security Central examines the ins and outs of the massive Yahoo breach and the implications it may have on their $4.8 billion deal with Verizon, explores a rather atypical breach story and highlights a few key points from Check Point’s recently-released fourth annual Security Report.
Yahoo Inc. on Thursday officially confirmed a massive data breach that The New York Times is calling “the biggest known intrusion of one company’s computer network.” The breach, which actually happened two years ago, was one of epic proportions. Hackers accessed and stole the account information of at least 500 million users, including names, email addresses, birth dates, passwords, phone numbers and even security questions, according to the Times.
The internet company is claiming that the 2014 hack was carried out by a “state-sponsored actor,” meaning a person or group acting on behalf of a governmental body. Yahoo is working with law enforcement and the FBI to get to the bottom of the breach.
"The FBI is aware of the intrusion and investigating the matter," the agency told ABC News. "We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals."
This all started back in August when a hacker ironically named “Peace” stirred things up by claiming to be selling information and data from 200 million Yahoo users. Yahoo originally said it was "aware of a claim" and was investigating the situation. Not hard enough, it seems. At the time, Yahoo was somewhat vague about the particulars of said investigation and didn’t issue a call for users to reset their passwords. Now, they might have to, for all the good it will do. As Recode puts it, “it will be a case of too little, too late.” Truer words were never spoken, considering how much worse the actual outcome and scale of impact turned out to be than the August claims suggested. Oops...
"This is massive," said cybersecurity expert Per Thorsheim on the scale of the hack. "It will cause ripples online for years to come." On top of this already-terrible situation (the “largest-ever theft of personal user data,” says The Wall Street Journal), the breach has raised questions about Yahoo!’s $4.8 billion deal with Verizon Communications. Verizon announced back in July that it is acquiring Yahoo's operating business.
It’s not surprising that many an eyebrow is being raised over at Verizon in light of this news. The implications of the breach could be a huge turnoff to executives and shareholders not wanting to deal with the large-scale liabilities. The reviews are mixed. Analyst Sameet Sinha of B. Riley & Co. says that the breach probably won’t affect terms of the Verizon deal. “Data breaches have become part of doing business now,” he told The Wall Street Journal. But not everyone is as optimistic as Sinha. Stephen S. Wu, a technology lawyer at the Silicon Valley Law Group, said that the language in the original proxy filing related to the deal might give Verizon leverage to renegotiate the terms of the deal, or simply walk. The language in the filing stated that Yahoo “wasn't aware of any ‘security breaches’ or ‘loss, theft, unauthorized access or acquisition’ of user data.” Oops again.
“We will evaluate as the investigation continues,” Verizon said in a statement. With almost every major news publication calling this the “worst breach in history” in some form or another, as the numerous mentions above show, it will be interesting to see how this story unfolds.
And now for a story about a rather strange breach that occurred recently - not the result of a calculated attack, but good old-fashioned human error. In this case, it appears that payment processing service BlueSnap was the victim of some careless activity, resulting in the “dumping” of 324,380 users' financial details online.
Back in July, Troy Hunt, the Australian data breach researcher who created Have I Been Pwned, came across a tweet from a known hacker with a link to a 1.6GB file. According to BankInfoSecurity.com, the file “contained more than 100,000 names, email and postal addresses, last four digits of payment card numbers, three-digit card verification values, expiration dates and amounts paid for services.” The tweet claimed that the source of the data was BlueSnap.
After taking a closer look at the data, Hunt determined that online enrollment platform company Regpack might actually be the responsible party. Regpack develops web-based registration forms that can be integrated into websites. These forms also collect credit card data, which is passed on to BlueSnap for payment processing. On first examination, BlueSnap looked like the breached party, but on Hunt’s second and closer examination, information in the leaked files pointed strongly to Regpack as the source.
In statements, segments of which are featured on Hunt’s blog, both companies offer vague and confusing comments about the breach and seem to bat around blame, but the long and the short of it is that the data was leaked as the result of human error. As it turns out, an employee accidentally posted decrypted files and private customer information on a public-facing Regpack server. It just goes to show that not all breaches result from malicious behavior, and it is a lesson for providers and everyone else. This article by Hackread lists a few good rules of thumb, but above all, avoid storing sensitive data you don’t need.
Lastly, what week would be complete without a malware scare? Try this dizzying statistic on for size: according to a new report by Check Point released Tuesday, some form of known malware is downloaded every 81 seconds in an enterprise organization.
The company’s fourth annual Security Report combines the findings from the Check Point 2016 Security Report and Exploits at the Endpoint: SANS 2016 Threat Landscape Study. The report highlights the challenges that IT leaders face, and provides them with key recommendations and steps to take as their organizations navigate the rocky cyber threatscape and attempt to protect against ever-evolving and sophisticated cyber-attacks. The report analyzed the activity of more than 31,000 Check Point gateways across the globe, providing insights into what enterprises are getting hit with in terms of known and unknown malware, attack trends, the impact of more mobile devices in the enterprise and the impact/cost of successful breaches.
“With billions of new connections formed every minute, the world is more globally linked than ever. Innovations like cloud, mobility and IoT are changing the way we deploy, the way we consume, and the way we secure technology,” said Amnon Bar-Lev, president, Check Point. “More and more malware is being put into our ecosystem that traditional security techniques are powerless to prevent. Given this, staying a leader requires being one step ahead of things you cannot see, know or control – and preventing attacks before they happen.”
Both reports detail various statistics and key findings, but both come to the same conclusion - that the ideal security model starts with having a “best-of-breed architecture in order to address the current and future complexities of securing IT.” Check Point also urges enterprises to educate their workforce, understand the risks associated with mobile, stress “security hygiene” with employees and segment work-related and non-work-related data. Sounds simple enough, right?