Biggest Data Breach Yet: What Are the Implications of the Yahoo Hack?

The biggest security story of this week by far was the massive data breach at Yahoo.

by Maria Lee
Sep. 27, 16 · Security Zone · Opinion

The biggest security story of this week by far was the massive data breach at Yahoo. The implications of this breach -- widely reported to be the largest of its kind in history -- will be wide-ranging and complex. As the Yahoo hack (and many others like it) proves, it is still very difficult for companies to keep up with and ensure the security of their websites, applications, and customer data. And there is no doubt that a company's security posture is emerging as a major factor in its valuation.

In fact, much of the coverage of the Yahoo hack so far has focused on how it might affect the company's pending $4.8 billion sale to telecommunications giant Verizon. The Wall Street Journal reported that "in a proxy filing related to the Verizon deal on Sept. 9, Yahoo said it wasn't aware of any 'security breaches' or 'loss, theft, unauthorized access or acquisition' of user data." The hack apparently occurred in 2014; Verizon, it seems, was notified of it only this past week. Yahoo blamed the hack on "state-sponsored" attackers, but did not provide further details.

A Treasure Trove of Stolen Data

According to various reports, the attackers accessed user account information that may have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. Most of the passwords were hashed with bcrypt, a deliberately slow password-hashing algorithm; some of the security questions and answers were encrypted, but some were not. Data like this is the raw material for Account Takeover (ATO) attacks, which are among the most common attacks on web applications today: stolen credentials and recovery answers are replayed against the breached site and, because people reuse passwords, against other sites as well.

"It depends a lot on how Yahoo implemented bcrypt," notes Oliver Lavery, IMMUNIO's VP of Research. "If they used a separate salt for each hash, and a sufficient number of rounds of bcrypt, it could be quite secure. The problem is that cryptographic implementation is very difficult, and generally attackers can break the implementation much more easily than the ciphers involved."

"The precise burden bcrypt imposes on the Yahoo attackers can't be calculated because the 'cost factor' used to hash the passwords is unknown," according to a report in Ars Technica.
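To make concrete the two properties Lavery names (a separate salt per hash, and a cost factor that sets the number of rounds) and the point in the Ars Technica quote (the attacker's burden scales with the cost factor), here is an added example that is not part of the original article. bcrypt is not in Python's standard library, so the example uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in, with the iteration count set to 2**cost to mirror bcrypt's log2 cost factor; the passwords, the "shared salt" mistake and the hash rate are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with 2**cost iterations, so that
# "cost" behaves like bcrypt's log2 cost factor (cost 12 -> 4096 rounds).
# Assumption for illustration; real systems should use bcrypt, scrypt or Argon2.
def rounds_for_cost(cost: int) -> int:
    return 2 ** cost


def hash_password(password: str, cost: int, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Hash one password. With salt=None a fresh 16-byte random salt is drawn,
    which is what bcrypt does by default."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds_for_cost(cost))
    return {"cost": cost, "salt": salt, "digest": digest}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], rounds_for_cost(record["cost"])
    )
    return hmac.compare_digest(candidate, record["digest"])


def make_corpus(passwords: List[str], cost: int, shared_salt: Optional[bytes] = None) -> List[Dict[str, object]]:
    """Hash a list of passwords. shared_salt=None gives a separate salt per record
    (correct); a fixed value simulates the implementation mistake of one global salt."""
    return [hash_password(p, cost, salt=shared_salt) for p in passwords]


def work_per_guess(records: List[Dict[str, object]]) -> int:
    """Hash computations an attacker needs to test ONE candidate password against
    every record: one per distinct (salt, cost) pair. Per-record salts force
    len(records) computations; a shared salt collapses that to 1."""
    return len({(r["salt"], r["cost"]) for r in records})


def crack_seconds(records: List[Dict[str, object]], guesses: int, hashes_per_second: float) -> float:
    """Time to try `guesses` candidates against the whole corpus at a given hash rate.
    Raising the cost factor by one halves hashes_per_second, so it doubles this."""
    return work_per_guess(records) * guesses / hashes_per_second


def demo(cost: int = 4) -> Dict[str, object]:
    # Constructed sample: three users who all picked the same weak password.
    passwords = ["hunter2", "hunter2", "hunter2"]
    per_user = make_corpus(passwords, cost)
    shared = make_corpus(passwords, cost, shared_salt=b"\x00" * 16)
    return {
        "rounds": rounds_for_cost(cost),
        "distinct_digests_per_user_salt": len({r["digest"] for r in per_user}),
        "distinct_digests_shared_salt": len({r["digest"] for r in shared}),
        "work_per_guess_per_user_salt": work_per_guess(per_user),
        "work_per_guess_shared_salt": work_per_guess(shared),
        # 1e6 guesses at a constructed 1000 hashes/s: the salted corpus costs 3x more.
        "crack_seconds_per_user_salt": crack_seconds(per_user, 1_000_000, 1000.0),
        "crack_seconds_shared_salt": crack_seconds(shared, 1_000_000, 1000.0),
        "verify_ok": verify_password("hunter2", per_user[0]),
        "verify_wrong": verify_password("hunter3", per_user[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The shared-salt corpus shows why Lavery worries about the implementation rather than the cipher: with one global salt, identical passwords produce identical digests, so the attacker can spot duplicate accounts for free and one hash computation tests a guess against every user at once. With per-user salts the attacker pays once per user per guess, and the cost factor then sets how expensive each of those payments is, which is exactly the number that is unknown for Yahoo.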

Runtime Application Self-Protection: A Better Line of Defense Against ATO Attacks

Given the stakes involved, companies need more effective ways to safeguard customer data. Runtime Application Self-Protection (RASP) is an emerging approach in which the protection runs inside the application it defends, so it sees each request with the application's own context (which route was called, which user is logged in, what query is about to run) rather than inferring that from network traffic.

Just as there’s no single point of entry to the corporate enterprise, there’s no single solution to address all the threats to your organization’s information assets. Protecting the network perimeter is critical, but with hackers increasingly targeting the low-hanging fruit of web applications, securing applications is the key to guarding against attacks that can breach the perimeter.

RASP can blunt botnet-driven login attacks while they are in progress: it rate-limits sources that hammer the login endpoint, correlates them with threat-intelligence feeds, and, once a client is identified as a bot, serves it a CAPTCHA so the automated run stalls. It can also flag accounts that have already been taken over by tracking changes in user behavior, browser usage, geographic location, and many other signals, alerting the operator to the specific accounts or sessions that look like ATO victims.
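As an added illustration of the two detection ideas in the paragraph above (rate-limiting and challenging a source that walks through many accounts, and alerting on an account whose successful login no longer matches its history), here is example code that is not from the original article or from any RASP product. It runs over a small constructed login log: the IP addresses, user names and timestamps are made up, and the key=value line format, the thresholds and the `python-requests` user agent are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed login log in an assumed key=value format (not a real product's output).
# 203.0.113.5 walks through six accounts with a scripted client; frank's password
# was in the stolen data, so that one attempt succeeds.
SAMPLE_LOG = """\
2016-09-22T09:00:00 ip=198.51.100.7 user=frank result=SUCCESS country=US ua=Chrome
2016-09-22T09:05:00 ip=198.51.100.8 user=bob result=FAIL country=US ua=Safari
2016-09-22T09:05:10 ip=198.51.100.8 user=bob result=SUCCESS country=US ua=Safari
2016-09-22T10:00:01 ip=203.0.113.5 user=alice result=FAIL country=RO ua=python-requests
2016-09-22T10:00:02 ip=203.0.113.5 user=bob result=FAIL country=RO ua=python-requests
2016-09-22T10:00:03 ip=203.0.113.5 user=carol result=FAIL country=RO ua=python-requests
2016-09-22T10:00:04 ip=203.0.113.5 user=dave result=FAIL country=RO ua=python-requests
2016-09-22T10:00:05 ip=203.0.113.5 user=erin result=FAIL country=RO ua=python-requests
2016-09-22T10:00:06 ip=203.0.113.5 user=frank result=SUCCESS country=RO ua=python-requests
2016-09-22T10:30:00 ip=198.51.100.8 user=bob result=SUCCESS country=US ua=Safari
"""


@dataclass
class LoginEvent:
    ts: str
    ip: str
    user: str
    success: bool
    country: str
    ua: str


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the key=value lines into events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        f = dict(kv.split("=", 1) for kv in rest.split())
        events.append(LoginEvent(ts, f["ip"], f["user"], f["result"] == "SUCCESS", f["country"], f["ua"]))
    return sorted(events, key=lambda e: e.ts)  # ISO timestamps sort lexically


def detect_credential_stuffing(events: List[LoginEvent], min_accounts: int = 5,
                               min_fail_ratio: float = 0.6) -> Dict[str, dict]:
    """Flag source IPs that try many distinct accounts with mostly failures.
    A user who mistypes their own password hits one account; a botnet replaying a
    stolen credential list hits many. Flagged IPs are the ones to rate-limit and
    challenge with a CAPTCHA."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        accounts = {e.user for e in evs}
        fail_ratio = sum(1 for e in evs if not e.success) / len(evs)
        if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(accounts), "fail_ratio": round(fail_ratio, 2),
                           "action": "rate_limit+captcha"}
    return flagged


def detect_account_takeover(events: List[LoginEvent]) -> List[dict]:
    """Alert on a successful login whose (country, user agent) pair is new for that
    account, judged against the account's earlier successful logins. An account with
    no history cannot be scored this way (cold start), so its first success only
    seeds the baseline."""
    baseline: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    alerts = []
    for e in events:
        if not e.success:
            continue
        observed = (e.country, e.ua)
        if baseline[e.user] and observed not in baseline[e.user]:
            alerts.append({"ts": e.ts, "user": e.user, "ip": e.ip,
                           "observed": observed, "baseline": sorted(baseline[e.user])})
        baseline[e.user].add(observed)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(detect_credential_stuffing(evs))
    print(detect_account_takeover(evs))
```

Note what each rule catches and misses. The stuffing rule keys on the source, so it stops the bulk of the run but says nothing about frank's account once the single successful login has happened; the takeover rule keys on the account's own history, so it raises the alert the paragraph describes even though that login was a "success" from the application's point of view. bob, who fails once and then logs in from his usual browser and country, is flagged by neither.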

And RASP is not limited to the ATO threat: it also helps address other application security risks such as SQL injection, OS command injection, and the rest of the OWASP Top 10.


Published at DZone with permission of Maria Lee, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
