By Joseph Menn, Jim Finkle and Dustin Volz

SAN FRANCISCO/BOSTON/WASHINGTON (Reuters) - In the summer of 2013, Yahoo Inc launched a project to better secure the passwords of its customers, abandoning the use of a discredited technology for encrypting data known as MD5.

In August of that year, hackers got hold of more than a billion Yahoo accounts, stealing the poorly encrypted passwords and other information in the biggest data breach on record. Yahoo only recently uncovered the hack and disclosed it last week.

The timing of the attack might seem like bad luck, but the weakness of MD5 had been known by hackers and security experts for more than a decade. MD5 can be cracked more easily than other so-called "hashing" algorithms, which are mathematical functions that convert data into seemingly random character strings.

In 2008, five years before Yahoo took action, Carnegie Mellon University's Software Engineering Institute issued a public warning to security professionals through a U.S. government-funded vulnerability alert system: MD5 "should be considered cryptographically broken and unsuitable for further use."

Yahoo's failure to move away from MD5 in a timely fashion was an example of problems in Yahoo's security operations as it grappled with business challenges, according to five former employees and some outside security experts. Stronger hashing technology would have made it more difficult for the hackers to get into customer accounts after breaching Yahoo's network, making the attack far less damaging, they said.

"MD5 was considered dead long before 2013," said David Kennedy, chief executive of cyber firm TrustedSec LLC. "Most companies were using more secure hashing algorithms by then." He did not name specific firms.

Yahoo, which has confirmed it was still using MD5 at the time of the attack, disputed the notion that the company had skimped on security.

"Over the course of our more than 20-year history, Yahoo has focussed on and invested in security programs and talent to protect our users," Yahoo said in a statement to Reuters. "We have invested more than $250 million in security initiatives across the company since 2012."

COMPETING PRIORITIES

The former Yahoo security staffers, however, told Reuters the security team was at times turned down when it requested new tools and features such as strengthened cryptography protections, on the grounds that the requests would cost too much money, were too complicated, or were simply too low a priority.

Partly, that reflected the internet pioneer's long-running financial struggles: Yahoo's revenues and profits have fallen steadily since their 2008 peak while Alphabet Inc's Google, Facebook Inc and others have come to dominate the consumer internet business.

"When business is good, it's easy to do things like security," said Jeremiah Grossman, who worked on Yahoo's security team from 1999 to 2001. "When business is bad, you expect to see security get cut."

To be sure, no system is completely hack-proof. Hackers have managed to break into passwords that were encrypted using more advanced technologies than MD5. Other Internet companies, such as LinkedIn and AOL, have also suffered security breaches, though none nearly as large as Yahoo's.

"This could happen to any large corporation," said Tom Kellermann, a former World Bank security manager and security industry executive. Kellermann, now CEO of investment firm Strategic Cyber Ventures, said he was not surprised that it had taken Yahoo several years to identify the massive attacks. "Hackers often have a capacity to burrow deeper than we thought into a system and remain for years," he said.

Reuters could not determine how many companies besides Yahoo were using MD5 in 2013. Google, Facebook and Microsoft Corp did not immediately respond to requests for comment.

According to another former security veteran at Yahoo, even when the company was growing quickly, security sometimes took a back seat as the company focussed on system performance to keep up with the growth. Then, when growth stalled, senior security staff left for other companies and the chances of getting approval for expensive upgrades dropped further, the person said.

"Any changes to the user database took forever because they were understaffed, and it's an ultra-critical system - everything depends on it," said the former Yahoo employee.

Yahoo declined to comment on details of its security practices, but said it routinely conducted drills to test and improve its cyber defences and highlighted campaigns such as a "bug bounty" programme in which it pays hackers to find security flaws and report them to the company.
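The kind of migration the article describes, moving a password store off MD5 onto a stronger hash, as an added Python example that is not from the article or from Yahoo: the record formats `md5$...` and `scrypt$...`, the scrypt parameters and the upgrade-on-login flow are assumptions made here. A legacy unsalted MD5 record is verified one last time and, on success, rewritten as a salted scrypt record, so the weak hashes disappear as users log in.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed record formats for this example (not Yahoo's):
#   "md5$<hex digest>"                       legacy, unsalted, fast to guess
#   "scrypt$<salt hex>$<derived key hex>"    salted, memory-hard replacement
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def legacy_md5_record(password: str) -> str:
    """The weak scheme: one unsalted MD5 digest, identical for equal passwords."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def scrypt_record(password: str, salt: Optional[bytes] = None) -> str:
    """The hardened scheme: random per-user salt plus a memory-hard KDF."""
    salt = os.urandom(16) if salt is None else salt
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"


def verify(record: str, password: str) -> Tuple[bool, str]:
    """Check a password against either record format.

    Returns (ok, record_to_store). When a legacy MD5 record verifies, the
    returned record is a fresh scrypt record so the caller can replace it;
    on failure the stored record is left untouched.
    """
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        expected = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(expected, rest)      # constant-time compare
        return ok, (scrypt_record(password) if ok else record)
    if scheme == "scrypt":
        salt_hex, _, key_hex = rest.partition("$")
        derived = _scrypt(password, bytes.fromhex(salt_hex)).hex()
        return hmac.compare_digest(derived, key_hex), record
    raise ValueError(f"unknown password record scheme: {scheme!r}")
```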