More About Yahoo’s System Hack


Yesterday, I brought you the news about a recent hacker attack on Yahoo Voices that compromised the user names and passwords of some old accounts leftover from the Associated Content days. Today, Yahoo put up this page where they assure us that they “take security very seriously and invest heavily in protective measures.”* They also insist that they have “taken swift action and have now fixed this vulnerability.”*

[Image: data stream] It may look like nothing, but it’s your data

So exactly what happened? What sort of attack was it? It must have been the world’s smartest hacker using a complex supercomputer to break into a big internet company like Yahoo, right? Wrong. It was one of the oldest and most common hacks around. It’s so basic that many of the frameworks and libraries programmers build on come with the basic countermeasures already built in, so any code you write gets the protection for free with the default settings.

What was it? A SQL-injection attack. This is where a lazy programmer builds database queries at run time by pasting URL parameters directly into the query text. This allows anyone with simple SQL knowledge to write their own query and, poof, the results are on the hacker’s screen in seconds. Good programmers take the extra 26 seconds when writing queries to use server-side prepared statements. They also don’t expose WHERE clauses to the browser’s URL, and if they have to do that, they white-list the acceptable parameters. If they can’t come up with an exhaustive white-list, they at least provide a regular expression that the parameter must match before allowing execution.
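The three defenses described above, side by side with the sloppy pattern, as an added example that is not code from the post or from Yahoo. It assumes a constructed in-memory SQLite table of users; the column white-list and the username regular expression are illustrative choices, not anything the post specifies.

```python
import re
import sqlite3


def make_db():
    """Constructed sample user store standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.com"),
                      (2, "bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, user_param):
    # The pattern the post describes: the URL parameter becomes part of the
    # SQL text, so a quote character in it changes the meaning of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + user_param + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, user_param):
    # Prepared statement: the driver sends the value separately from the SQL,
    # so whatever the browser supplies is only ever compared as a string.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (user_param,)).fetchall()


# Column names cannot be bound as parameters, so anything that picks an
# identifier from a URL parameter must come from an exhaustive white-list.
ALLOWED_SORT_COLUMNS = {"name", "email"}  # illustrative choice


def list_sorted(conn, sort_param):
    if sort_param not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column")
    return conn.execute(f"SELECT name FROM users ORDER BY {sort_param}").fetchall()


# Where a white-list is impossible, at least pin the shape of the value.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # illustrative choice


def lookup_validated(conn, user_param):
    if not USERNAME_RE.fullmatch(user_param):
        raise ValueError("malformed username")
    return lookup_prepared(conn, user_param)
```

With the textbook input `x' OR '1'='1`, `lookup_vulnerable` returns every row while `lookup_prepared` returns nothing, because no user is literally named that.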

How else did Yahoo fail? They stored all the user account passwords as plain text. No one has done that since 1993, or at least I thought no one was still doing that. When Yahoo says they “invest heavily in protective measures,” I have to laugh and laugh and laugh and, oops, I peed a little. Encrypting passwords takes a novice programmer all of 10 lines of code. With the data encrypted, even if it is stolen, it’s useless without the decryption key. I guess Yahoo’s heavy investment doesn’t include hiring a temp or an intern to encrypt their sensitive data.

Lessons Learned
Other than the sheer joy that comes from bashing Yahoo, what can you learn from their mistakes? One, take on-line security seriously. Even if you’re not a programmer, take security seriously. As a netizen, always assume that the data you entrust to a web site can and will be compromised. Don’t use the same password or password pattern between sites. That way when…not if, but when…one site exposes your account details, your accounts on other sites won’t be vulnerable.

You’re thinking, “But I can’t remember all those passwords!” You’re right. Few people have the memory for the mundane that is required to memorize all those passwords. Contrary to what you’ve heard, there’s no harm in writing your passwords down. You just need to keep the list safe. If we’re talking about your personal accounts, keeping the list in your desk at home is perfectly safe. Trust me. A burglar in your home is looking for TVs, computers, jewelry, and cash. They’re not looking to steal your identity. If you put your passwords in a text or spreadsheet file on your computer, simply encrypt the file. There are plenty of free encryption programs out there for download. Google “free encryption software” and you can spend the rest of the evening looking through the 35,000,000 results.

What makes a strong password?
Also, forget what you’ve read about making your passwords “stronger” by including a mix of capital and lower case letters, numbers, and non-alphanumeric symbols. That’s how computers think. Most password-cracking software assumes that is the pattern of your password and starts by trying those permutations first. It’s actually more secure to just use three to five random words as your password. There’s actually math behind this, but I’ll let xkcd.com explain it. They even have a random-word password generator through that link. These types of passwords are easier to remember and harder for cracking software to hack. Just put a little thought into your passwords. I got a good belly laugh seeing how many of the stolen passwords were “123456”, “abc123”, or “password”.

Yahoo – noun – pronounced ‘Yaa-who’: an ape-like creature of low intelligence fond of playing with its own feces; created by Jonathan Swift in Gulliver’s Travels

So always assume the information you give a web site will be hacked. Be selective what information you give out and to whom. If you were one of the Yahoo Voices members on the stolen accounts list, Yahoo offers these suggestions:

You can also take additional steps to safeguard your Yahoo! account by:*

  • Adding a mobile phone number to your Yahoo! account,
  • Adding a non-Yahoo email address to your Yahoo! account, and
  • Keeping your Secret Question & Answer up-to-date.

But, I’d think twice about that. Do you really want to give even more information to Yahoo just so they can lose it again? They’ve proven they don’t really know how or care to safe-guard your information. I’d think thrice before giving them more.

*Direct quotations from Yahoo’s article in response to the attack and stolen data.

2 Comments

  1. I’m with you on that one. I do like, however, the way Google does account protection. If anyone tries to log in to my Google account, on any machine other than this one I’m on right now, it sends a text to my cell phone and I have to enter the 6-digit verification number it sends me in order to log in. Without both my password AND my cell phone, they can’t get into my account. AND, just in case they try to get into my account and manage to do it, and they want to change the cell phone to their cell phone or something, you have to enter these key codes that Google gives you when you set that verification system up. It seems like a pain, but after you set it up, it’s really not. Sure, every now and then, I’ll log in from the desktop (though I almost never use it any more) and I’ll have to find my phone when it goes off and I grrrr…, but for the peace of mind it saves me, it’s really nothing.

    For PayPal, I have one of the PayPal security keys, so when I log in there, I have to have my password and also my key, so I push the button, and enter the 6-digit key they put on the keychain thingy. They have a cell phone verification security key too. I really like the PayPal one, because I know my stuff is safe, even if my password gets hacked and stolen. Also, when you set up the security key, they have you set some security questions that allow you to get into your account if you have lost or misplaced or temporarily don’t have the security key with you. These questions are not your run-of-the-mill ‘what’s your birthday’ questions, either.

    I realize it’s crazy to expect all websites to do these types of stringent security measures, but since Google owns me (not really, but seems like it some days) and PayPal handles all my online banking and financial transactions, they are nice security measures. So unlike some who panicked when they thought of Yahoo!’s breach and whether PayPal was compromised too by knowing their passwords, I never worried. Sure, I regularly change my passwords and such, but this gives me a level of safety that gives me a little peace of mind.

    Anyway, sorry for writing a novel… thanks for addressing this for everyone. I find it amusing that Yahoo! just sent me out the email TODAY telling me my account was one of the ones compromised, when I read about this days ago on other sites and all over Facebook. Really on the ball there.

    Love and stuff,
    Michy

  2. When I heard this, I changed all my Yahoo passwords. After going white and feeling faint.
    I was taught this hack in 1999! Jesus, I’m not a hacker, but a kid could do this! It makes me think that if they were a bank and got robbed, they’d say “We never set the alarm! And keeping the cash in big boxes on trolleys was just easier.”
