In fact, much of the coverage of the Yahoo hack so far has focused on how it might impact the company's pending $4.8 billion sale to telecommunications giant Verizon. The Wall Street Journal reported that "in a proxy filing related to the Verizon deal on Sept. 9, Yahoo said it wasn't aware of any 'security breaches' or 'loss, theft, unauthorized access or acquisition' of user data." Though the hack apparently occurred in 2014, Verizon was reportedly notified of it only this past week. Yahoo blamed the hack on "state-sponsored" attackers, but did not provide further details.
A Treasure Trove of Stolen Data
Attackers were able to access user account information, possibly including names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers, according to various reports. Most of the passwords were hashed with bcrypt, a deliberately slow password-hashing algorithm, and while some security questions were encrypted, others were not. The attack was a textbook example of an Account Takeover (ATO) attack -- the most common form of cyberattack today.
"It depends a lot on how Yahoo implemented bcrypt," notes Oliver Lavery, IMMUNIO's VP of Research. "If they used a separate salt for each hash, and a sufficient number of rounds of bcrypt, it could be quite secure. The problem is that cryptographic implementation is very difficult, and generally attackers can break the implementation much more easily than the ciphers involved."
"The precise burden bcrypt imposes on the Yahoo attackers can't be calculated because the 'cost factor' used to hash the passwords is unknown," according to a report in ArsTechnica.
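The two implementation details raised above, a separate salt per hash and the cost factor, can be checked on a stored hash set without knowing any password. As an added example (not from the original post or from IMMUNIO), this audit parses the bcrypt modular-crypt format, flags reused salts and low cost factors, and estimates the relative work per guess as 2^cost; the sample hashes are constructed for illustration, not taken from any real dump.

```python
import re
from collections import Counter

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>,
# both salt and digest in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(r"^\$2([abxy])?\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def parse_bcrypt(stored):
    """Return (variant, cost, salt, digest) for a stored bcrypt string, or None if malformed."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    variant, cost, salt, digest = m.groups()
    return (variant or "", int(cost), salt, digest)

def audit_bcrypt_hashes(hashes, min_cost=12):
    """Audit stored hashes for malformed entries, weak cost factors and reused salts."""
    report = {"malformed": [], "weak_cost": [], "reused_salts": [], "work_per_guess": {}}
    salts = Counter()
    for i, h in enumerate(hashes):
        parsed = parse_bcrypt(h)
        if parsed is None:          # not bcrypt at all (e.g. a legacy unsalted digest)
            report["malformed"].append(i)
            continue
        _, cost, salt, _ = parsed
        salts[salt] += 1
        # bcrypt's key setup runs 2**cost times; each +1 on the cost doubles attacker effort.
        report["work_per_guess"][i] = 2 ** cost
        if cost < min_cost:
            report["weak_cost"].append((i, cost))
    # A salt shared by several hashes lets one precomputation attack all of them.
    report["reused_salts"] = [s for s, n in salts.items() if n > 1]
    return report

def needs_rehash(stored, target_cost=12):
    """True if the hash should be recomputed at the target cost on the user's next login."""
    parsed = parse_bcrypt(stored)
    return parsed is None or parsed[1] < target_cost

# Constructed sample "dump" (hypothetical values, not real hashes): index 1 reuses
# index 0's salt and has a low cost, index 2 has a low cost, index 3 is not bcrypt.
SAMPLE_HASHES = [
    "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$2b$05$abcdefghijklmnopqrstuvzyxwvutsrqponmlkjihgfedcba98765",
    "$2a$10$ABCDEFGHIJKLMNOPQRSTUVabcdefghijklmnopqrstuvwxyz56789",
    "8f0e2f76e22b43e2855189877e7dc1e1",
]

if __name__ == "__main__":
    print(audit_bcrypt_hashes(SAMPLE_HASHES))
```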
Runtime Application Self-Protection: A Better Line of Defense Against ATO Attacks
Given the stakes involved, companies must adopt more effective solutions to safeguard customer data. Emerging Runtime Application Self-Protection (RASP) solutions are designed to work inside the applications they protect.
Just as there’s no single point of entry to the corporate enterprise, there’s no single solution to address all the threats to your organization’s information assets. Protecting the network perimeter is critical, but with hackers increasingly targeting the low-hanging fruit of web applications, securing applications is the key to guarding against attacks that can breach the perimeter.
RASP protects against botnet attacks while they’re in progress, through rate limiting and threat intelligence feeds. It identifies bots and stops them by automatically serving captchas, halting the attack in its tracks. RASP also alerts on accounts that have already been compromised: by tracking changes in user behavior, browser usage and geographic information, among many other factors, it identifies specific accounts or sessions that are suspected victims of ATO attacks.
And not only does RASP address the ATO threat, it also helps you address other application security risks such as SQL injection, OS command injection, and other OWASP Top 10 threats.