Yahoo Hack in August 2013 Affects 1 Billion Accounts.
The Yahoo hack has put another nail in Yahoo's coffin: the company disclosed that it suffered a second breach, this one of 1 billion accounts. Thanks for the late notice on this, Yahoo, even if you didn't know it happened until recently.
Dr. Evil would be proud.
Even worse, Yahoo's chief information security officer, Bob Lord, says that the company hasn't been able to figure out how the data from the one billion accounts was stolen. For a company this large, that is troubling, scary, and truly amazing: it appears they aren't capable of doing anything right.
So… (sigh). Rather than repeating the details of this hack, which most news outlets have already covered, the following are some issues with legacy security technology and some promising technology on the horizon. But first, some issues with how things get hacked.
Issue #1: Legacy Username/Password Solutions
By itself, a standard username and password is a liability. You use it every day: you log into websites, PCs, email, file servers, you name it. It is my opinion that Multi-Factor Authentication (2FA or MFA) is no longer optional for anything. To get into any system you should have a second way to prove it is you, something you have or something you are on top of something you know, e.g. Password > Fingerprint > PIN.
This sounds like something out of a movie, but technologies like a fingerprint reader, an authentication app on your phone, a retina scan, or facial recognition are already here. I know, this sounds like a pain, but it works well if properly implemented.
Alternatively, imagine waking up, opening your laptop and realizing that you can't access your online accounts anymore. Your email has been breached, along with your social media accounts, your most precious client work is 100% gone, and your credit card was used to buy beers in Berlin. That situation is a lot more of a pain than typing in a 6-digit code from your mobile phone. It could easily happen as a result of the Yahoo hack, because you probably use the same password everywhere, and a password leaked from one site gets tried against every other service you use.
Issue #2: Blind Trust in your Cloud Provider
There is a lot of blind trust in cloud service providers when it comes to where your files are at rest and who has access to them. Providers like Yahoo.com don't generally disclose this information. Choose your cloud provider wisely and, if you can, keep a local copy of what is in the cloud.
If your provider won't disclose their technology or security plan, it's probably best to move on. At Network Medics, we are happy to work with you to review where your files are at rest, your backups and your security plan, as well as to monitor the flow of data.
Issue #3: Today's Encryption Has a Shelf Life
Believe it or not, quantum computing is a real problem for encryption-based security, and quantum computers are not science fiction: governments and large technology companies are building and running small ones today. The threat is specific, though. Shor's algorithm breaks the public-key algorithms (RSA, Diffie-Hellman, elliptic curves) that protect key exchange and digital signatures outright, while Grover's algorithm only halves the effective strength of a symmetric key, so AES-128 would hold up like a 64-bit key and AES-256 like a 128-bit key. No machine today can crack a 128-bit or 256-bit key in minutes, but a large enough quantum computer would break the public-key cryptography that today's web, email and VPN traffic depends on.
I have heard a lot of peers say that quantum computing is still science fiction, but it is not; it just hasn't hit mainstream media until now. Computerworld.com recently reported on NIST, the National Institute of Standards and Technology, alerting everyone to the problem. NIST is not trying to fix it alone: it is inviting the public to propose and test "quantum-resistant" encryption schemes that can replace today's public-key algorithms before a large quantum computer exists. The practical worry is "harvest now, decrypt later": encrypted traffic and files that a well-funded government records today can be decrypted once such a machine is built.
A Minnesota-based Emerging Security Technology
After some research over the last year or so, I found a local Minnesota company (Secured2) with some amazing patented encryption-alternative technology that, in my opinion, truly makes the cloud what it is supposed to be.
The cloud should be a secure place to share affordable computing resources and access your data worldwide.
When Secured2 technology (currently still in beta) is implemented, your information is "digitally shredded" and then stored and served back to you using their patented technology, which the company describes as unhackable and FBI/CIA-approved. Google, Microsoft, Yahoo, and many other well-known cloud providers are reviewing the technology to secure their cloud services, from files to email. I was given the opportunity to sit through some demonstrations and did some testing on my own with their beta trial.
Personally, my main concern for our Network Medics customers was to see whether the user experience with the technology would be easy. If our solutions team were to implement this some day, it has to provide the user experience you expect. To my surprise, even large Photoshop files were no problem and opened quickly. It gave me the same experience I am used to, but the data was being served in an entirely new manner. Check out some amazing Minnesota-owned security technology.
Future Direction
In my opinion, if we can figure out a way to simply make hacking not worthwhile, that will be more of a long-term solution. It sounds far-fetched, but in my opinion it is possible through how data is stored and served and the technology needed to access it. I.e. if a burglar broke into my house but then couldn't see, hear, feel, or use any other sense, that is what I feel is possible in the future in a digital sense.
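The "digital shredding" idea above, and the burglar who breaks in and finds nothing he can use, have a well-known textbook form: Shamir secret sharing. A file is split into n shares held in n different places (say, three cloud providers); any k of them rebuild it, and any k-1 of them, which is everything a single breached provider holds, are statistically independent of the file's contents, so the thief gets random bytes. This is an added example of that general technique, not Secured2's patented method and not code from the original post; the document bytes and provider names are constructed for the demo.

```python
"""Toy 'digital shredding': Shamir secret sharing over GF(2^8), byte by byte."""
import os

# Arithmetic in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.


def gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(2^8)")
    result, base, e = 1, a, 254           # a^254 is the inverse in a field of 256 elements
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def split(secret: bytes, n: int, k: int, rng=os.urandom) -> list:
    """Return n shares (x, y_bytes); any k of them reconstruct `secret`.
    Each secret byte gets its own random degree-(k-1) polynomial whose constant term is that byte."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    coeffs = [rng(k - 1) for _ in secret]            # a_1 .. a_{k-1} per secret byte
    shares = []
    for x in range(1, n + 1):                        # x = 0 would be the secret itself
        y = bytearray()
        for s, cs in zip(secret, coeffs):
            acc, xp = s, 1
            for c in cs:
                xp = gf_mul(xp, x)
                acc ^= gf_mul(c, xp)                 # acc = s + a_1 x + a_2 x^2 + ...
            y.append(acc)
        shares.append((x, bytes(y)))
    return shares


def combine(shares: list) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0 from the given shares.
    Fewer than k shares does not raise: it silently yields wrong bytes, which is the point."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for xj, yj in shares:
            num, den = 1, 1
            for xm in xs:
                if xm != xj:
                    num = gf_mul(num, xm)            # (0 - x_m) == x_m in characteristic 2
                    den = gf_mul(den, xj ^ xm)       # (x_j - x_m)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample document and provider names; not real data.
    document = b"Q4 client proposal: confidential"
    providers = ["provider-A", "provider-B", "provider-C"]
    shares = split(document, n=3, k=2)
    for name, (x, y) in zip(providers, shares):
        print(f"{name} holds share {x}: {y.hex()}")
    print("A + C rebuild:", combine([shares[0], shares[2]]))
    print("C alone gives:", combine([shares[2]]))   # just C's random-looking bytes
```

Note what this does and does not buy you: a single provider (or a burglar with one share) learns nothing, but anyone who can collect k shares, such as the application that fetches them on your behalf, still sees the whole file, and availability now depends on k of the n providers being reachable. Run it and then feed `combine` only one share to see the "burglar with no senses" effect.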
As always, remember to change your passwords on a regular schedule, and never reuse the same password across sites. I have a previous blog post on password policy that will help businesses with situations like the Yahoo hack. It can (obviously) take years for a company like Yahoo to tell you there was an issue. If you had changed your password multiple times since 2013, in theory, you should be in a better place than most with the Yahoo hack.
Written by:
Kevin Calgren
Partner of Network Medics
Minnesota Business IT Consultant