Yahoo’s CISO responds to data breach questions

Sometimes the Chief Information Security Officer’s (CISO) role is hidden in the shadows, and they may generally be unheard of. However, Yahoo’s CISO, Bob Lord, has been in the limelight in recent years after two massive data breaches – arguably the biggest ones in recent history – that affected approximately a billion and a half of Yahoo’s users.

Mr Lord made jokes during an interview at TechCrunch Disrupt New York saying that he “may have broken a record” for the amount of emails sent. The email that circulated was to inform users of the breach.

Not sure the rest of us are finding this funny…

Two grave data breaches

There were two breaches; the first was disclosed in September 2016 where 500 million accounts were reportedly hacked. The second was disclosed just a few months later where reports confirmed that approximately 1 billion accounts were hacked.

To date, Yahoo seem to have been unable to find the source of intrusion; details of how it happened and who was responsible for it. It could’ve been as a result of the 2014 cyber-attack, although Yahoo say there isn’t enough evidence to comment further on this point.

Notifying users – why did it take so long?

When asked how he felt when informed about the breach, Mr Lord likened the feeling to a weird parallax and trying to put the different pieces together was no easier.

Hackers reportedly broke into the system in 2014, but it took over 2 years for Yahoo to publicly disclose this. What was the reason for the delay in detecting or disclosing the cyber-attack? Mr Lord noted that campaigns can run for extended periods of time, saying that the breach wasn’t a “smash and grab attack; these are long-term plays”. He continued to note that, when they figured it out, they were interested in understanding the nature of cyber-attack.

Serious lessons need to be learned. Mr Lord gives his word that there has been a number of changes that have refined its security programme; saying they now have a group of experts working at Yahoo called the Paranoids who know what they’re doing to clamp down attacks.

Indictments

Four people have been charged; three Russians and one Canadian. But the question to ask is how they were able to go that deep into Yahoo’s systems to start with.

Mr Lord admitted that it was due to long-term compromises, and also said that the cyber-attackers must’ve worked hard to fly under the radar and gain access to the system that they were tasked with. More surprisingly, Mr Lord seemed to praise their professionalism by noting that they were “skilled individuals”.

The CISO didn’t seem to answer the question posed of how the cyber-attackers actually accessed the system. Instead, he answered: “I’m not going to go into technical details.” This may feel like a deflective strategy used to avoid answering the question, but he vaguely listed how attackers gain access to cyber-security systems:

• See what servers are out there
• See what compromises there are on the system to make an initial intrusion
• Elevate privileges
• Operate laterally. They have to move from machine to machine to find what they’re looking for. Each one requires different techniques and tools.

Are breaches of this nature possible in the future?

At the end of TechCrunch, Mr Lord was asked:

…how does he know that there still isn’t a hacker in their system?

Mr Lord couldn’t 100% confirm there wasn’t as he said it was trying to prove a negative, but he said Yahoo has built-up circumstantial evidence to show that the cyber-attacks that took place before just aren’t possible any more.

He said Yahoo has programmes in place to reduce the chances of further exploitation; but that doesn’t give the one billion plus users any peace of mind as Yahoo are unable to give reasons for the second cyber-attack.

University of East Anglia under fire for leaking sensitive and confidential data about students

Hackers publish private information of 25,000 patients from a Lithuanian cosmetic surgery clinic