As Yahoo continues to investigate the biggest data breach in history, pressure is mounting on the company to admit when it knew about the attack, whether there was a delay in reporting it, and also about how it implements cryptography to secure data it’s responsible for.
Security company Venafi said it examined data from its internal certificate reputation service related to the security of Yahoo’s cryptographic keys and digital certificates. The results were a mixed bag of outdated hashing algorithms and self-signed certificates permeating Yahoo’s production environment.
Yahoo last week disclosed it was breached in 2014 and that a half-billion customer records were stolen by what the company believes was a state-sponsored actor. The attackers made off with users’ names, email addresses, phone numbers, dates of birth, recovery emails, and security questions and answers. Hashed passwords were also stolen, adding more urgency to the attack in a year in which massive password dumps have been the norm and password reuse is under greater scrutiny than ever.
A source familiar with the ongoing law enforcement and internal investigation said the majority of the stolen passwords were hashed with bcrypt, as Yahoo said, but a small percentage were secured with the outdated MD5 hash, long ago deprecated and considered unsafe.
Yahoo has forced a password reset for affected users and is recommending anyone who hasn’t changed their Yahoo passwords since 2014 to do so immediately. It’s unknown how deep the attackers’ penetration was; some experts likened the attack to the Aurora attacks against Google and other large enterprises and technology companies in 2009 and 2010. The Aurora attacks have been attributed to a Chinese APT group and the objective of the attack was to steal and modify source code from targeted organizations.
In the meantime, reports surfaced that a number of class-action lawsuits have already been filed by Yahoo users alleging that Yahoo was negligent in protecting users’ account information. The Financial Times also reported late on Friday that Yahoo CEO Marissa Mayer knew in July that Yahoo was investigating a potentially serious breach, well before reports arrived that 200 million Yahoo accounts were for sale on a dark web site called The Real Deal. Mayer, however, did not immediately disclose the investigation to Verizon, which is the midst of a $4.8 billion acquisition of Yahoo’s core business, nor did she disclose to the SEC in Yahoo’s latest quarterly finding. Verizon was not informed about the breach until last Tuesday, the FT said, 10 days after the SEC filing in which Mayer and Yahoo said it had no knowledge of any security breaches or intrusions of its systems. The SEC could investigate, the FT report said.
The Venafi analysis, meanwhile, does not paint a favorable picture of Yahoo’s encryption processes and policies. Yahoo would not comment on the research.
Some systemic issues include the use of MD5 certificates, many of which are self-signed. Venafi said it found that one MD5 certificate is a wildcard cert with a five-year expiration date (most certificates expire within 12 to 18 months after issuance). Venafi said 27 percent of the certs on external Yahoo sites have been in place since January 2015 and only 2.5 percent in deployment have been issued within the last 90 days.
Also, almost half (41 percent) of the external Yahoo certs Venafi looked at use SHA-1 as a hashing algorithm; SHA-1, like MD5, is being phased out and has been deprecated by all the major browsers.
Venafi, meanwhile, has to gain from this research being a company that develops technology to secure crypto keys and digital certificates; it concedes it has no knowledge of the Yahoo breach.
The apparent weaknesses could be a sign of an overall lack of visibility and centralized management of Yahoo’s crypto processes and policies, Venafi said, adding that it’s likely Yahoo is unable in its vast infrastructure to quickly find and replace certificates, for example.
Theoretically, a well-resourced opponent could take advantage of one of these loopholes to stand up their own self-signed Yahoo cert, encrypt and move stolen data off the network, or pose as a Yahoo property and intercept traffic.
“Theoretically yes, you could stand up a self signed cert or a wildcard self-issued cert; both of those are within reach of a persistent, willing attacker with resources,” said Hari Nair, cryptographic researcher with Venafi. “They could use it to establish a connection to the organization, and if there is a lack of visibility with respect to other certificates, they would get away with it.”
Nair said that key and certificate oversight aren’t the only means of detecting exfiltration of data, but an organization can use it as an indicator of compromise if it spots a certificate that has not been issued by a Yahoo-approved Certificate Authority in this case.
Certificates generally serve two purposes, authenticating that a site is what it says it is, and facilitating the encryption of data. If an organization lacks an oversight mechanism and policies stating what certs are acceptable, where they should be obtained and how long they’re valid, it’s impossible ensure an adequate trust relationship.
“A mature organization has visibility into its cryptographic assets. That makes it easier to see when a certificate no longer matches and triggers an alert,” Nair said. “Within an organization, unless any of my certs are issued by an approved issuer, proceed with caution. If there’s not mechanism or trust policy, it’s hard to say what you can trust and not trust.”