The last week in cybersecurity has been a whirlwind. In an industry where insiders are rarely surprised, many of us were.
To start, we had the biggest Distributed Denial of Service (DDoS) attack on record and warnings regarding a Johnson & Johnson insulin pump with a vulnerability that could cause the owner to overdose. Then came the announcement of a mega breach at Yahoo, allegedly by a state-sponsored adversary, exposing the data of more than 500 million people, with precious few verifiable incident details.
This was followed by a report that, under a U.S. government order, Yahoo had been scanning all incoming emails for a very particular set of characters—an action that CEO Marissa Mayer reportedly kept her security team in the dark about. And all of this took place during the Department of Homeland Security’s National Cyber Security Month. As the news cycles continue rolling in, the security community’s focus has turned reflective—what can we learn from these events?
Let’s operate under the assumption that the various reports are mostly accurate. What we allegedly know is that Marissa Mayer approved a government order to scan all Yahoo user emails, and that when Yahoo’s security team discovered this activity, they initially thought it was a hack—only to find that the original source was the company itself, with the security team purposely kept in the dark.
Yahoo has made some good security moves over the years, such as hiring top-notch talent, but clearly has not made it a real priority to empower its security unit and is now dealing with the consequences: what may be three separate breaches on its network (or maybe two and a half, depending on how you classify the surveillance system). This shows a serious disconnect between the company’s leadership and its security team, which likely led to the ill-advised decision to automatically follow the government order.
It’s unclear whether Yahoo put up a fight, as a FISA appeal could be under seal. But that would not explain the abrupt departure of Alex Stamos, Yahoo’s Chief Information Security Officer at the time, or the carefully worded non-denial statement Yahoo issued this week. For perspective, both Google and Microsoft have said they received no similar government order and would not have complied. What’s more, Yahoo searching users’ emails for a string of characters, rather than for specific sending and receiving addresses, indicates the company didn’t really know much about what it was looking for, nor apparently did the NSA or FBI. In other words, this sounds like it was a real shot in the dark.
The whole situation is an enormous mess, with no indication of whether the privacy violation had any payoff whatsoever, national security-related or otherwise. Any remedy going forward must include a lot of communication and transparency by Yahoo, as well as a clear indication that the leaders of the company—not just the security team—are taking user privacy seriously.
Leaders who do so, paying attention to trends in threats and protection tools, will be far better equipped to make security decisions up to and including government surveillance. Modern attackers (and, yes, modern governments) have myriad ways of getting the information they want. The unfortunate fact is that many organizations tend to layer product after product out of desperation, spending money on a different solution for every type of attack already known. For reasons we’re all happy to speculate on, it doesn’t seem to be working.
In the interest of strong security, take an audit of your IT environment and your security controls. Train yourself and your team to think like the attacker. The guidance may sound strange or even pessimistic, but also consider assuming compromise, as it’s far safer and more realistic, as Yahoo found out. Better you find ‘the hack’ on your own before a customer, business partner, law enforcement officer or reporter brings it to your attention. Think about your company’s networks as a human body—weakness at any one point can affect the health of the entire being. And just as modern medicine has stunning power, today’s security technology has made incredible strides as machine learning provides the ability to view your networks holistically and function similarly to an immune system.
As most communications-focused security issues do, the Yahoo incidents bring up the need for strong end-to-end encryption to be used in web communication, text messages, email, everything possible. Unfortunately, for many online systems like email and social networking, we’re fighting an uphill battle when providers (like Facebook, Yahoo and Google) know that end-to-end encryption can easily get in the way of monetizing user data.
It’s time for companies that store personal, supposedly private communications to make a decision between user privacy and their own monetary gain. And when you’re in the business of selling personal data, well, we know how that often plays out. It could be that legislation is the only way to enforce user privacy through encryption. Another consideration is deciding what data you really need to keep and dumping the rest out of an abundance of caution. After all, the bad guys can’t steal what you don’t have.
The most notable missing piece from the Yahoo story so far is its resolution. Did Yahoo find what the U.S. government was looking for? What was it exactly? Is the aforementioned surveillance system still in use? If not, during what period of time was it active? As a company that conducts business around the world and is subject to the laws of other nations, would Yahoo grant similar access to China, Russia, Israel, Germany and so on? These are questions we would all like Yahoo to answer. People deserve transparency—to know how, when and by whom their communications are being accessed.
This is just the beginning of what will certainly be a developing story. In the weeks ahead, we could see government hearings and the subject raised during the upcoming presidential debates, and it is a story that will continue educating the rest of the world on security health. The Internet — and the security and privacy of its inhabitants — is simply too important to the world for us to carry on as we have been. With a lot at stake, I think of a quote from the late Steve Jobs that articulates my overall point:
“It doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.”
Jeremiah Grossman is Chief of Security Strategy at SentinelOne, a professional hacker, a black belt in Brazilian jiu-jitsu, an off-road race car driver, the founder of WhiteHat Security and a Maui resident. He has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for privately informing them of weaknesses in their systems — a polite way of saying ‘hacking them.’ He also previously served as information security officer at Yahoo.