Image provided by: University of Oregon Libraries; Eugene, OR
About The skanner. (Portland, Or.) 1975-2014 | View Entire Issue (Sept. 28, 2016)
September 28, 2016 The Skanner Page 9 Business News Experts worry cybercriminals may use leaked data, including security questions, to unlock accounts on other websites By RAPHAEL SATTER Associated Press LONDON — As inves- tors and investigators weigh the damage of Yahoo’s massive breach to the internet icon, information security experts worry that the record-breaking haul of password data could be used to open locks up and down the web. While it’s unknown to what extent the stolen data has been or will be circulating — or how easy it would be to use if it were — giant breaches can send ripples of inse- curity across the inter- net. “Data breaches on the scale of Yahoo are the se- curity equivalent of eco- logical disasters,” said “ the “vast majority” of its passwords were stored in an encrypted form believed to be diicult to unscramble. On the other hand, Yahoo said the thet occurred in late 2014, meaning that hack- ers have had as many as two years to try to deci- pher the data. Ghosemajumder said he didn’t see a surge in new breaches so much as a steady increase in attempts as cybercrim- inals replenish their stock of freshly hacked passwords. The irst hint that something was wrong at Yahoo came when Moth- erboard journalist Jo- seph Cox started receiv- ing supposed samples of credentials hacked from Data breaches on the scale of Yahoo are the security equiv- alent of ecological disasters Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a mes- sage posted to Twitter . A big worry is a cy- bercriminal technique known as “credential stuing,” which works by throwing leaked us- ername and password combinations at a series of websites in an efort to break in, a bit like a thief inding a ring of keys in an apartment lobby and trying them, one ater the other, in every door in the build- ing. Sotware makes the trial-and-error process practically instanta- neous. Credential stuing typ- ically succeeds between 0.1 percent and 2 percent of the time, according to Shuman Ghosemajum- der, the chief technology oicer of Mountain View, California-based Shape Security. That means cy- bercriminals wielding 500 million passwords could conceivably hijack tens of thousands of oth- er accounts. “It becomes a num- bers game for them,” Ghosemajumder said in a telephone interview. So will the big Yahoo breach mean an explo- sion of smaller breaches elsewhere, like the ater- shocks that follow a big quake? That seems unlikely given that Yahoo says the company in early July. Several weeks later, a cybercriminal using the handle “Peace” came forward with 5,000 sam- ples — and the startling claim to be selling 200 million more. On Aug. 1 Cox pub- lished a story on the sale , but the journalist said he never established with any certainty where Peace’s credentials came from. He noted that Ya- hoo said most of its pass- words were secured with one encryption protocol, while Peace’s sample used a second. Either Peace drew his sample from a minority of Yahoo data or he was dealing with a diferent set of data altogether. “With the information available at the moment, it’s more likely to be the latter,” Cox said in an email Tuesday. The Associated Press has been unable to locate Peace. The darknet mar- ket where the seller has been active in the past has been inaccessible for days, purportedly due to cyberattacks. At the moment it’s not known who holds the passwords or whether a state-sponsored ac- tor, which Yahoo has blamed for the breach, would ever have an in- terest in passing its data to people like Peace . Even if the hack was a straightforward espio- nage operation, Gartner security analyst Avivah Litan said that wouldn’t be a reason to relax. Spies can mine trivi- al-seeming data from apparently random cit- izens to tease out their real targets’ secrets. “That’s how intelli- gence works,” Litan said in a phone call. Meanwhile Yahoo us- ers who recycle the same password across the in- ternet may still be at risk. While people can always change the passwords PHOTO BY DUANE STOREY (CC BY-NC-ND 2.0) Password Breach Could Have Ripple Efects Well Beyond Yahoo Security experts are worried that criminals will use credentials leaked during the Yahoo security breach – including security information – to steal personal information from other websites. across all the sites they use, Yahoo’s announce- ment that some security questions were compro- mised too means that the risks associated with the breach are likely to lin- ger. A password can be changed, ater all, but how do you reset your mother’s maiden name? Raphael Satter can be reached at: http://raphael- satter.com