Yahoo Defends Information Security Mojo to Senators (InfoRiskToday)


Yahoo Defends Information Security Mojo to Senators
Irony Alert: Congress Has Yet to Enact Data Breach Notification Legislation

February 27, 2017

Yahoo’s letter to senators

What did Yahoo executives know about multiple data breaches and attacks that the company suffered, and when did they know it?


Those questions have continued to dog Yahoo as it negotiates its sale to Verizon for $4.5 billion. That’s $350 million less than the offer Verizon made last summer, before Yahoo last year revealed that it had discovered – or failed to appreciate the full extent of – massive breaches.


Here’s a brief timeline of Yahoo’s related breach notifications:

  • Sept. 22, 2016: Yahoo reports that a late-2014 breach affected 500 million or more users. Yahoo says it learned about the breach in 2016 from law enforcement agencies.
  • Nov. 9, 2016: Yahoo warns that attackers have been using forged cookies to access users’ accounts without authorization.
  • Dec. 14, 2016: Yahoo says a breach, believed to date from August 2013, compromised 1 billion user accounts.
  • Feb. 15: Yahoo warns more users that they may have been targeted via forged cookie attacks.

Yahoo last month promised to brief U.S. Senate staffers on the latest information relating to the 2013 breach, including details of 2015 and 2016 cookie-forging attacks that allowed attackers to access some users’ accounts without a password. But at the end of January – apparently with more cookie-forging attack details coming to light – Yahoo abruptly canceled its briefing.

Cue blowback from senators. On Feb. 10, Sen. John Thune, R-S.D., chairman of the Senate Committee on Commerce, Science and Transportation, and Sen. Jerry Moran, R-Kan., chairman of the committee’s subcommittee on data security, wrote to Yahoo CEO Marissa Mayer, demanding answers to numerous breach-related questions, including a detailed timeline listing when breaches were discovered, law enforcement agencies alerted and affected consumers notified. Moran set a deadline of Feb. 23 for the responses.

On Feb. 23, April Boyd, Yahoo’s head of global public policy, responded to the committee, saying that “in the spirit of cooperation,” Yahoo would answer the committee’s questions. She noted that the company, reflecting public statements that it’s made, continues to investigate the breaches with the help of two outside digital forensic investigation firms – Stroz Friedberg and Mandiant.

And she said that during the current management team’s tenure, the company has invested $250 million “in security initiatives … including creating a ‘Red Team’ and developing the ‘Bug Bounty’ program” (see How Yahoo Hacks Itself).

Yahoo Dishes Out Breach Details

Yahoo’s answers largely rehash what the search giant had already revealed via press releases and Securities and Exchange Commission filings.

The company says it believes that “a majority of the user accounts that were affected by the 2014 [security] incident … [were] affected by the 2013 incident.” But given that the 2013 breach may have compromised 1 billion accounts – or nearly all of Yahoo’s user base – that’s not exactly a shocking finding.

Yahoo also said that in September and December of last year, it required any users who had not changed their password since 2014 to do so, and also invalidated all security questions that it had been storing in unencrypted format, which it believes attackers also stole.

Boyd emphasized that Yahoo, which is publicly traded, had disclosed many of these details relating to its breach response and findings via quarterly updates to the SEC.

She also detailed a number of information security initiatives that the company has undertaken, such as providing users with a view of all devices and browsers that have been used to access their account, providing a “global logout” capability, hashing passwords using the bcrypt algorithm – plus salt, and continuing to refine authentication mechanisms, for example via OAuth as well as by “leveraging fingerprint-based authentication on certain smartphones.”
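The forged-cookie attacks described earlier and the "global logout" capability listed here are two sides of the same design question: how a server tells a cookie it issued from one an attacker minted, and how it revokes every outstanding cookie at once. The following is an added illustration, not Yahoo's code; the key, user store and claim names are constructed for the example. Cookies are bound to the user under an HMAC, checked in constant time, and carry a per-user session generation that a global logout simply increments.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server secret for this example only; a real service loads it
# from a secret store and rotates it. A cookie forged without it fails the MAC.
SERVER_KEY = b"example-only-server-key-do-not-reuse"

# Constructed in-memory per-user session generation. Bumping it is what makes
# a global logout work: every cookie minted before the bump stops verifying.
SESSION_GENERATION = {"alice": 1}

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def mint_cookie(user: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Issue a cookie binding user, session generation and expiry under one HMAC."""
    now = time.time() if now is None else now
    claims = {"u": user, "g": SESSION_GENERATION[user], "exp": int(now) + ttl_seconds}
    payload = base64.urlsafe_b64encode(json.dumps(claims, separators=(",", ":")).encode())
    return payload.decode() + "." + _sign(payload)

def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie is authentic and current, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = cookie.rsplit(".", 1)
        payload = payload_b64.encode()
        # Constant-time compare: a mismatched MAC means the cookie was forged or altered.
        if not hmac.compare_digest(_sign(payload), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    user = claims.get("u")
    # Global logout check: the generation in the cookie must match the user's current one.
    if user not in SESSION_GENERATION or claims.get("g") != SESSION_GENERATION[user]:
        return None
    return user

def global_logout(user: str) -> None:
    """Invalidate every outstanding cookie for the user without tracking sessions."""
    SESSION_GENERATION[user] += 1
```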

Boyd also promised that Yahoo would be providing briefings to senators’ staff.

Late last year, the SEC reportedly launched its own investigation into Yahoo and whether the company issued timely enough warnings about the breaches to investors.

National Breach Notification Deficit

One elephant in the room in Yahoo’s back and forth with senators – and in the SEC’s investigation – is that details of the search giant’s data breaches haven’t come to light thanks to any national breach-notification rules in the United States, but rather because of state-level laws.

Some 47 states – plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands – have breach notification laws on their books. Only Alabama, New Mexico and South Dakota have no laws relating to consumer breach notification.

Despite Congress debating a federal breach notification mandate for over a decade, it has failed to pass such a measure. One concern has been that some proposed bills would have put in place relatively weak requirements, meaning that breached organizations would then have to comply not just with the national law, but also any state laws mandating stronger notification requirements.

“We are keeping an eye out for signs of support for a national breach notification law,” write privacy attorneys Cynthia J. Larose and Michael B. Katz of law firm Mintz Levin, in a recent blog post. “So far, there does not appear to be much political motivation for undertaking this effort.”

In 2016, they say, 26 states weighed bills that revised their already existing breach notification processes, and five states passed related legislation. In multiple cases, legislation has expanded the definition of what constitutes “personal information,” for example “to include medical, insurance or biometric data,” Larose and Katz write.

Meanwhile, Europe has enacted the General Data Protection Regulation, which will begin to be enforced in May 2018. GDPR requires any breached organization, anywhere in the world – including the United States – to alert any affected consumers in Europe about breaches.

Source: SANS ISC SecNewsFeed @ February 27, 2017 at 08:33AM