While there has been much talk since yesterday's announcement by Yahoo that half a billion accounts' worth of private information had been pilfered by hackers, and the usual post-breach advice (change your password, don't reuse passwords across sites, etc.) has circulated throughout the media, several critical lessons are not getting sufficient attention, even though they are of paramount importance to both businesses and consumers.
1. Do not use challenge questions for authentication
In its official statement, Yahoo noted that it "invalidated unencrypted security questions and answers so they cannot be used to access an account" and recommended that impacted parties "Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account."
Simple enough, right?
No. In many cases, it's effectively impossible.
You cannot reset your mother's maiden name. You cannot move your mother's birthday to a new date. And you cannot retroactively change the color of your first car or the location at which you first met your spouse. Yes, people can memorize and use phony answers to such questions, but doing so simply turns the challenge question into a demand for a second password; and if you have to change that "password" more than once in response to multiple breaches, whatever memorability advantage a question had over a password disappears.
Challenge questions are usually extremely weak forms of authentication that are problematic for many reasons. Let's hope the Yahoo breach serves as the catalyst for more firms to get rid of them.
Igor Baikalov, Chief Scientist at Securonix, mentioned a similar thought to me: "From the user perspective, the biggest problem is unencrypted security questions and answers lost in this breach - while you can easily change that constantly compromised password, how many favorite pets can you possibly have?"
2. After-breach statements - often written with the assistance of crisis management and public relations experts - continue to downplay the risk to people of breaches.
Yahoo noted in its release that the passwords that were stolen were "hashed passwords (the vast majority with bcrypt)" without explaining in layman's terms what that means or that, even with hashing, users are at risk of their passwords being cracked, especially since the hackers have likely had the Yahoo data for nearly two years. As Michael Lipinski, CISO and Chief Security Strategist at Securonix, put it, "The Yahoo team looks to be trying to deflect the risk to users by saying that passwords were hashed using bcrypt. Ask them how that worked out for Ashley Madison. They used the same salt hash and the hackers found a workaround to the brute force methods of cracking the password."
Of course, organizations can take precautions to reduce the risk of brute force password cracking in the event of a password-database breach. As Amichai Shulman, CTO of Imperva, phrased it: "To prevent brute force attacks, security officers should not rely on only password policies, but should take specific detection measures like rate limiting login attempts, detecting login attempts from automated browsers, treating with caution logins from unexpected countries and anonymous sources, and comparing login data to popular passwords and stolen credentials." That said, defenses against brute force attacks are not totally bulletproof, and people need to understand that hashed password leaks are a real problem.
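As an added illustration (not code from the article, from Yahoo or from Imperva), here is how two of the controls Shulman names, rate limiting login attempts and comparing credentials against popular or stolen passwords, fit around a slow salted hash. The password list, account, source addresses and clock are constructed sample data, and the standard library's scrypt stands in for bcrypt so the example runs without third-party packages.

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Constructed sample denylist; production lists hold millions of entries.
LEAKED_PASSWORDS = {"123456", "password", "qwerty", "letmein", "yahoo2016"}
MAX_FAILURES = 5       # failed attempts tolerated per account and per source
WINDOW_SECONDS = 300   # length of the sliding window in seconds

def hash_password(password, salt=None):
    """Salted, deliberately slow hash; stdlib scrypt stands in for bcrypt."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2**13, r=8, p=1)

def is_banned_password(password):
    return password in LEAKED_PASSWORDS  # reject popular / previously stolen passwords

_DUMMY = hash_password("placeholder")  # hashed for unknown users to keep timing equal

class LoginGuard:
    def __init__(self, now=time.monotonic):
        self._now = now        # injectable clock so the window can be tested
        self._failures = {}    # user or source ip -> deque of failure timestamps
        self._users = {}       # user -> (salt, digest)

    def register(self, user, password):
        if is_banned_password(password):
            raise ValueError("password appears in a leaked/popular password list")
        self._users[user] = hash_password(password)

    def _rate_limited(self, key):
        q = self._failures.setdefault(key, deque())
        cutoff = self._now() - WINDOW_SECONDS
        while q and q[0] < cutoff:   # forget failures outside the sliding window
            q.popleft()
        return len(q) >= MAX_FAILURES

    def login(self, user, password, source_ip):
        # Enforce the limit before the expensive hash so guess floods cost us little.
        if self._rate_limited(user) or self._rate_limited(source_ip):
            return "rate_limited"
        salt, digest = self._users.get(user, _DUMMY)
        ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if user not in self._users or not ok:
            for key in (user, source_ip):   # unknown users are probed too: count them
                self._failures[key].append(self._now())
            return "denied"
        return "ok"
```

Note that successful logins do not clear the failure window here; whether they should is a policy choice that trades convenience for resistance to slow, interleaved guessing.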
3. Criminals - and even state actors - want people's private information.
As I mentioned in an article earlier this week, today's hackers are often more interested in stealing data than in stealing a few dollars from people's checking accounts. People need to understand this and take personal precautions with their own computer systems.
As Tim Erlin, Senior Director of IT Security and Risk Strategy at Tripwire, explained, "It can be difficult for the average consumer to understand why personal data is valuable to criminals, especially since the initial reports rarely go deeper than the price the initial attacker can get for such records. Personal information, like names, email addresses, and birth dates, is most often used for either phishing campaigns or identity theft."
Jonathan Sander, Vice President of Product Strategy at Lieberman Software, noted that the Yahoo breach was apparently committed by "a state level actor, which isn't surprising [given] the amount of effort and resources it likely took to break security at one of the Internet's biggest names."
Yes, governments are interested in knowing people's private information; armed with such data, governments can find good recruitment targets for their espionage programs, blackmail people in order to force them to perform various actions, discover which foreign government workers may be careless with information security, and achieve other aims.
So, with 500 million accounts breached, we should focus on more than once again simply resetting passwords.