As a relative novice when it comes to blogging, I have only recently picked up on the fact that website hits tend to follow from a title that matches what an interested party is likely to type into their search engine. More fool me, you might say; however, we all make mistakes, and I just didn’t know.
Which leads nicely into this post. And being an avid recycler, I decided that I’d reuse three words used three sentences ago!
Why didn’t they (Yahoo) know?
I am hoping that this is pretty much what the world will be asking this morning. And if Google does its stuff, we at Foregenix and our friends at Thinkst will be bombarded with enquiries ;)
By its very nature, cyber security is an industry prone to ‘ambulance chasing’. Any attempt to offer assistance by way of a solution will inevitably be drowned out by all the noise. Ironic really, because that is almost certainly the reason Yahoo didn’t know what was going on at the time the original breach occurred!
So, was it the case that Yahoo knew a long time ago that something was up and is only now letting the world know? Or did they just not know until very recently?
Either way the fall-out is not going to be pretty, especially when one considers that they have more than likely been blessed with cyber security budgets, resources and tools way beyond the means of most.
Therein, however, may lie the problem. Cyber security tools are prone to pumping out huge amounts of useful stuff, or so we are led to believe. The problem is that with all the noise, it is often difficult to tune in to the signal! How the attackers managed to acquire such a colossal amount of data is anybody's guess. Did they break in, was it an inside job, or is it a more convoluted story involving supposedly trusted third-party contractors? We just don’t know!
The Yahoo story, whilst hopefully an extreme exception, will no doubt become a case study in not knowing. We the consumer / customer / public (tick as appropriate) and Yahoo, the service provider and custodian of our personally identifiable information (PII), just didn’t know! What we do know is that many of their customers will likely be EU citizens, and as such, had this happened after the General Data Protection Regulation (GDPR) takes effect in May 2018, Yahoo could be expecting a pretty hefty €20m fine from an EU state. Maybe from more than one, come to that: a sort of EU-wide GDPR class action!
What Yahoo and you, the reader of this blog, probably don’t know is that Canary could have been part of, if not THE, solution to this situation.
Far be it from me to ‘chase that ambulance’, but on this one exceptional occasion I will be cheeky and suggest that someone at Yahoo might be interested in this little video clip: https://canary.tools/
And if you are not from Yahoo, we think you should know about Canary too!
Find out more about Canary at: http://www.foregenix.com/canary-incident-response-by-foregenix-digital-forensics
Yahoo has confirmed that hackers stole information from at least 500 million user accounts in what it describes as a “state-sponsored” attack. In a statement released Thursday, Yahoo’s Chief Information Security Officer Bob Lord said that the information was stolen from the company’s network in late 2014. “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” he said.