The world of internet security, account management and copyright is a difficult place in 2016. A myriad of sites operate around the world, distributing unlicensed material. Every day thousands of accounts are hacked and security countermeasures are overcome.
This has made business rather tricky, with one group constantly trying to get one step ahead of the other. From outsmarting programs that protect copyrights, to evading laws that govern digital distribution rights, to creating devastating hacks that expose security flaws, the world is awash with ideas about how things will pan out.
Of those people who try to predict these things, none would have predicted that such things were happening without the wider world knowing anything about it. Today, this came to pass, with the revelation that over one billion user accounts with one of the world's leading email providers have been compromised.
Never before has the world seen a hack of this scale. While it may be impossible to work out the ramifications right now, it is certainly possible to understand how it all came about.
Yahoo is a dinosaur. Old, slow and out of touch with the modern age.
Ten years ago, it was in its prime, but like so many web-based businesses, it struggled to stay ahead of its market. This was partly due to a lack of investment in the right areas, and partly due to advances made by other companies such as Google.
This lack of investment was most noticeable within their security processes, with their spam filtering and encryption methods falling short of the high standards which were being set. Yahoo’s website would look for a ‘unique authentication cookie’ from the website.
Authentication cookies are text files that contain information about the user’s session. Cookies can contain a great deal of information, such as whether the user has already authenticated to the company’s servers.
This was the exploit used to pull off the biggest hack in recorded history. No group has yet claimed responsibility for the hack publicly, but their method is well understood. The attackers in this case found a way to forge authentication cookies, granting them access to targeted accounts without needing to supply the account’s password. This is also an approach that can be used indefinitely, with the attackers able to remain logged in with no need to re-enter passwords or other security data.
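The two properties described above, cookies that can be forged and sessions that never lapse, are what server-side cookie verification has to rule out. The sketch below is an added example, not Yahoo's scheme or code from the original article: the cookie layout, key, user name and function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real service would load it from a secrets store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 3600  # seconds a cookie stays valid after it is issued

# Hypothetical server-side state: a per-user session epoch, bumped on
# password change or forced logout so that older cookies stop verifying.
SESSION_EPOCH = {"alice": 1}


def _mac(payload: str, key: bytes) -> bytes:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_cookie(user: str, now: float, key: bytes = SERVER_KEY) -> str:
    """Build 'user|epoch|issued_at|mac' once the user has authenticated."""
    payload = f"{user}|{SESSION_EPOCH[user]}|{int(now)}"
    return f"{payload}|{_mac(payload, key).decode()}"


def revoke_sessions(user: str) -> None:
    """Invalidate every cookie already issued to this user."""
    SESSION_EPOCH[user] += 1


def verify_cookie(cookie: str, now: float, key: bytes = SERVER_KEY):
    """Return the user name if the cookie is authentic and current, else None."""
    try:
        user, epoch, issued, tag = cookie.split("|")
        epoch_n, issued_n, tag_b = int(epoch), int(issued), tag.encode()
    except ValueError:
        return None  # malformed cookie
    # Constant-time check: a cookie minted without the server key fails here.
    if not hmac.compare_digest(_mac(f"{user}|{epoch}|{issued}", key), tag_b):
        return None
    if not 0 <= now - issued_n <= MAX_AGE:
        return None  # expired, or issued in the future
    if SESSION_EPOCH.get(user) != epoch_n:
        return None  # revoked by password change or logout
    return user
```

The integrity check only holds while the signing key stays secret, so the expiry and epoch checks are what bound the lifetime of any cookie that does verify.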
Where is the danger?
Right now, the actual risk is hard to see. While data is valuable, it is the way in which the data can be used which has the potential to be damaging.
The hacking community is well aware of the potential value of user information. With all usernames, passwords, addresses, telephone numbers and security questions taken, this may well be the first step in a far more dangerous plot.
Many users use the same password for many different websites and accounts, so it may well be that a proportion of the data is exploited to hack other systems. The sheer scale of the data breach leaves so many questions open, many of which lead to truly terrifying prospects.
Following the public hack of the DNC servers in America, and Hillary Clinton's accusation that Russia was instrumental in the hack, it seems that it will soon become a geopolitical issue.
Yahoo’s CIO Bob Lord seems to back up this assertion in a recent press release:
“We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,”
This was the hack which led to over 500 million accounts being breached – at the time the largest security exploit of its kind.
Staying ahead of the game
Business leaders should know that today, there is no hiding place from hackers. It’s a fact that all security measures can and will be broken given enough time. There are only two safe options:
- Do not hold personal data longer than required.
- Ensure the latest encryption for all data-streams which carry personal information.
- Introduce the latest security measures across servers which hold customer data.
If you are unable to ensure the latest security measures, recommended by governing bodies and regulated by industry, then it is advised NOT TO HOLD PERSONAL DATA.
Those companies which rely on ecommerce must now run regular PCI checks – industry standard penetration tests to ensure encryption of data is managed effectively. Any company that runs software should also ensure all data streams are fully protected and monitored effectively to halt any breaches in the first instance.
Failure to do either of these can have dramatic consequences, such as an inability to run the business, the loss of financial information or even being locked out of a system entirely. Currently there are many companies around the world who are being blackmailed for failing to follow these best practice guidelines.