Yahoo breach lessons IT can't ignore

The indictment against the attackers behind the Yahoo breach illustrates just how vulnerable corporate networks are when thieves get their hands on employees' personal information

Current Job Listings

As more details emerge about how a group of four Russians breached Yahoo, it's increasingly clear that the Internet's very interconnectedness is what makes us so vulnerable to online attacks. It's enough to want to just unplug from the Internet and go back to semaphore and Morse code.

The Justice Department's indictments against four individuals allegedly responsible for the two attacks against Yahoo in late 2014 and August 2013 included several bombshells, including the fact that two members of the Russian FSB were involved. Yahoo had previously stated the attackers had stolen names, recovery email addresses, telephone numbers, hashed passwords, and birthdates from more than a billion victims. The indictment claimed the attackers used data gleaned from the stolen cache to carry out secondary attacks against a smaller, targeted set of victims.

Secondary attacks refer to using information obtained in one incident to launch attacks against a different target. The most common example to date has been trying the passwords obtained in one breach against other sites to see if they work.

With password reuse so common, these attempts are often successful, such as the recent incident where credentials stolen from LinkedIn was used to access multiple Citrix GoToMyPC accounts. This is why after every data breach, users are encouraged to change their passwords on other sites, especially if the stolen password had been reused elsewhere.

The personal/professional overlap

Secondary attacks succeed precisely because the modern digital life is an increasingly interconnected one. Compromising one account is frequently enough to break into other accounts. The fact that many people's work and personal lives bleed into each other online should worry IT administrators because it means public data breaches can affect the security of corporate networks.

The Yahoo attackers -- Dmitry Dokuchaev, Igor Sushchin, Alexsey Belan, and Karim Baratov -- did far more than just recycle passwords for their secondary attacks. The indictment described how they used the recovery email addresses to identify Yahoo email accounts belonging to targets of interest, such as Russian journalists, U.S. and Russian government officials, and staff at the International Monetary Fund. Employees from various private sector companies were targeted, including Russian and U.S. financial services and private equity firms, a U.S. airline, a Swiss bitcoin wallet firm, and a U.S. cloud storage company. Many of the victims were high-level executives and officials.

These accounts were identified because the user "had provided a recovery email account hosted by a specific company of interest to the conspirators (e.g., exampleuser@ExampleCompany.com) showing that the user was likely an employee of the company of interest," the indictment said.

By forging authentication cookies for those accounts, the attackers were able to gain full access to at least 6,500 accounts and perform tasks like initiating password resets for other sites, searching through messages for saved passwords and other sensitive information, and collecting information that could be used to answer security challenge questions. In one 2015 incident, the attackers searched the Yahoo account belonging to a "U.S.-based technology and internet-related services company" for phrases like "VPN" and "password."

Separation anxiety

It's easy to conclude that work and personal accounts should be kept separate. These Yahoo email accounts were likely intended for private use, so there was no reason to add corporate email addresses to the recovery address. Nor should the corporate VPN password be saved in the personal email account.

However, that's easy to say, but difficult to enforce realistically. Not everyone has multiple personal email addresses, so if an online account's security relies on a backup email address, it's to be expected that some people would use their work address, as it's the only other email address they regularly use. And generous storage quotas and improved search has transformed email inboxes into an all-purpose notebook and vault. Sensitive work information shouldn't be stored in personal email accounts, but there's only so much corporate IT can do to stop that.

Professional social networking platform LinkedIn is a perfect example of how work and personal spheres overlap for modern professionals, as many users link the account to their personal email addresses to avoid having to change the account when moving to a new job. The platform also makes it easy to find contacts and colleagues, so it's a goldmine of information which can be used in social engineering.

Going back to the indictment, there are multiple examples of what the attackers did with the information obtained from the Yahoo accounts, including sending spam messages using the names of contacts, and stealing credit card and gift card details. The attackers also sent spear phishing emails against at least 50 Gmail accounts, identified through recovery email addresses and other information found within the victims' Yahoo email inboxes. But it's likely the bulk of their secondary attack activities would remain unknown.

"Today's indictments remind us that the political or strategic incentives of breaching such personal email accounts are as real as the obvious financial ones for criminal actors," said Intel Security CTO Steve Grobman.

Not IT's fault, but IT's problem

From an IT perspective, the fact that it's hard to know what form these secondary attacks could take -- or have already taken -- is deeply worrying. Just because the public data breach was on some other environment IT has no control over doesn't absolve IT from its responsibility to keep networks and data safe. So IT is left trying to guess what might happen and tilting at windmills.

An easy first step is to warn employees to be on the lookout for phishing and spam emails in the aftermath of a breach. Executives have to hear that warning too, especially with the reminder that the messages can be spoofed to look like they're coming from colleagues, friends, and even family members. But as the indictment showed, that's just the beginning.

Conventional wisdom says if there are corporate-approved cloud alternatives, employees won't be inclined to use personal cloud services or consumer applications to get their work done. IT should definitely offer such tools, but no one should assume that would entirely solve the problem of corporate information being saved to personal accounts.

It always goes back to the basics: Know what employees are doing on the network, recognize what normal patterns of behavior looks like. Question what users are doing, why machines are connecting to certain IP addresses. Learn to love logs and security alerts. Yes, SEIM (security information and event management) software is going to be cool again. The focus should be on figuring out how to make sense of the information overload that's inevitable with SIEM, but if these past breaches have taught us anything, it's that the clues are almost always in the logs.

IT can't go back to the time where personal lives and work lives didn't intersect online. Perhaps that world never really existed. So let's work in the world where everything is interconnected, and a public data breach of personal information means corporate networks are also at risk.