The Yahoo! breach that resulted in the compromise of 500+ million account credentials in late 2014 came into the public sphere recently, and while virtually every outlet hit the story in one way or another, it was the Defensive Security hosts who inspired a response from me after episode 172. The fact that Yahoo! was breached is not that notable. What draws ire is the report that they learned about the breach shortly after it happened in 2014, and that we are only finding out about it now. It is unreasonable to expect a company you trust with your personal information never to be breached. It is not unreasonable to expect them to be transparent and open about what they find when they are. 500 million users were out there with exposed credentials for close to 2 years. A lot of damage could have been done in that time, and almost all of it could have been easily prevented.
In the podcast, Andrew lays out many business reasons why Yahoo! may have chosen not to tell customers that the passwords had been stolen. He cites fears of turning people off Yahoo!, losing accounts, etc. But it is our job in infosec to make it perfectly clear that this is not an acceptable outcome. Andrew didn’t say it was, but he didn’t condemn it either. When we sound the alarm that this is unacceptable, we raise the counterpoint in the boardroom. “What if we tell them and we lose accounts?” “What if we don’t and all the trusted security experts tell everyone they know that we can’t be trusted with their data?” That second statement makes a big impact on this conversation.
When we share personal data with a company like Yahoo!, there is an agreement that we are trusting them with our data, and while we can’t expect that they will never have issues, we can expect that they will be upfront with us. They don’t have to force a password reset. But they have to give us that choice. Then the burden of action shifts back to us.
The other topic was a favorite of Andrew’s: attribution. Andrew eventually gets to a defensible place, that it doesn’t matter who it is to most defenders. But the path there is full of distrust of anyone who may have some reason to benefit from the conclusion. I understand that attribution is hard, but Andrew will only believe it if the conclusion is also against the interest of the speaker. Yet, at the same time, he can’t think of any reason why a nation state would want to steal credentials from one of the US’s largest webmail providers. Really? I would suggest spending a couple of seconds (minutes?) thinking about it.