Yesterday, I brought you the news about a recent hacker attack on Yahoo Voices that compromised the user names and passwords of some old accounts left over from the Associated Content days. Today, Yahoo put up this page where they assure us that they “take security very seriously and invest heavily in protective measures.”* They also insist that they have “taken swift action and have now fixed this vulnerability.”*
So exactly what happened? What sort of attack was it? It must have been the world’s smartest hacker using a complex supercomputer to break into a big internet company like Yahoo, right? Wrong. It was one of the oldest and most common hacks around. It’s so basic that many of the software packages and frameworks programmers build on come with the basic countermeasures already built in, so any code you write gets the protection for free with the default settings.
What was it? A SQL-injection attack. This is where a lazy programmer builds database queries at run time by pasting URL parameters straight into the query text as query variables. This allows anyone with simple SQL knowledge to write their own query and poof, the results are on the hacker’s screen in seconds. Good programmers take the extra 26 seconds when writing queries to use server-side prepared statements. They also don’t expose where clauses to the browser’s URL, and if they have to do that, they white-list the acceptable parameters. If they can’t come up with an exhaustive white-list, they at least provide a regular expression that the parameter must match before allowing execution.
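As an added example (not code from the original post or from Yahoo), here is the difference described above in Python with the standard sqlite3 module: the vulnerable string-built query beside a parameterized one, plus the white-list and regular-expression checks for parameters such as column names that cannot be bound. The table, rows, and hostile input are all constructed for the demonstration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: an in-memory table standing in for a content site's articles table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, author TEXT, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "alice", "Alice's first article"),
        (2, "bob", "Bob's draft"),
        (3, "carol", "Carol on cooking"),
    ])
    return conn

def articles_by_author_vulnerable(conn, author):
    # The mistake described above: the URL parameter is concatenated into the SQL text,
    # so whatever the browser sends becomes part of the query itself.
    sql = "SELECT title FROM articles WHERE author = '" + author + "'"
    return [row[0] for row in conn.execute(sql)]

def articles_by_author_safe(conn, author):
    # Prepared/parameterized statement: the value travels separately from the SQL,
    # so it is always treated as data and can never change the query's structure.
    sql = "SELECT title FROM articles WHERE author = ?"
    return [row[0] for row in conn.execute(sql, (author,))]

# Exhaustive white-list for a value that cannot be bound (an ORDER BY column),
# and a regular expression for a value whose full set is not enumerable (author names).
ALLOWED_SORT_COLUMNS = {"id", "title"}
AUTHOR_PATTERN = re.compile(r"^[a-z0-9_]{1,32}$")

def articles_sorted_safe(conn, author, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column")
    if not AUTHOR_PATTERN.match(author):
        raise ValueError("author does not match the expected pattern")
    sql = f"SELECT title FROM articles WHERE author = ? ORDER BY {sort_column}"
    return [row[0] for row in conn.execute(sql, (author,))]

if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"   # constructed input of the kind a URL parameter could carry
    print(articles_by_author_vulnerable(conn, hostile))  # every title in the table leaks
    print(articles_by_author_safe(conn, hostile))        # [] : no author has that literal name
```

The vulnerable function returns all three rows for the hostile input because the quote in the parameter closed the string literal and the rest became SQL; the parameterized one returns nothing because it looked for an author literally named `x' OR '1'='1`.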
How else did Yahoo fail? They stored all the user account passwords as plain text. No one has done that since 1993, or at least I thought no one was still doing that. When Yahoo says they “invest heavily in protective measures,” I have to laugh and laugh and laugh and, oops, I peed a little. Encrypting passwords takes a novice programmer all of 10 lines of code. With the data encrypted, even if it is stolen, it’s useless without the decryption key. I guess Yahoo’s heavy investment doesn’t include hiring a temp or an intern to encrypt their sensitive data.
Other than the sheer joy that comes from bashing Yahoo, what can you learn from their mistakes? One, take on-line security seriously. Even if you’re not a programmer, take security seriously. As a netizen, always assume that the data you entrust to a web site can and will be compromised. Don’t use the same password or password pattern between sites. That way when…not if, but when…one site exposes your account details, your accounts on other sites won’t be vulnerable.
You’re thinking, “But I can’t remember all those passwords!” You’re right. Few people have the memory for the mundane that is required to memorize all those passwords. Contrary to what you’ve heard, there’s no harm in writing your passwords down. You just need to keep the list safe. If we’re talking about your personal accounts, keeping the list in your desk at home is perfectly safe. Trust me. A burglar in your home is looking for TVs, computers, jewelry, and cash. They’re not looking to steal your identity. If you put your passwords in a text or spreadsheet file on your computer, simply encrypt the file. There are plenty of free encryption software programs out there for download. Google “free encryption software” and you can spend the rest of the evening looking through the 35,000,000 results.
What makes a strong password?
Also, forget what you’ve read about making your passwords “stronger” by including a mix of capital and lower case letters, numbers, and non-alphanumeric symbols. That’s how computers think. Most password-cracking software assumes that is the pattern of your password and starts by trying those permutations first. It’s actually more secure to just use three to five random words as your password. There’s actually math behind this, but I’ll let xkcd.com explain it. They even have a random-word password generator through that link. This type of password is easier to remember and harder for cracking software to hack. Just put a little thought into your passwords. I got a good belly laugh seeing how many of the stolen passwords were “123456”, “abc123”, or “password”.
So always assume the information you give a web site will be hacked. Be selective about what information you give out and to whom. If you were one of the Yahoo Voices members on the stolen accounts list, Yahoo offers these suggestions:
You can also take additional steps to safeguard your Yahoo! account by:*
- Adding a mobile phone number to your Yahoo! account,
- Adding a non-Yahoo email address to your Yahoo! account, and
- Keeping your Secret Question & Answer up-to-date.
But, I’d think twice about that. Do you really want to give even more information to Yahoo just so they can lose it again? They’ve proven they don’t really know how or care to safe-guard your information. I’d think thrice before giving them more.