Yahoo Voices breach highlights basic security failings

The data breach of the details of more than 450,000 Yahoo account holders highlights common enterprise security failings, say experts

Security experts say the breach that led to the publication of the login details of more than 453,000 Yahoo and other companies' customers highlights common enterprise security failings.

The hacking group, known as D33Ds Company, said they had posted the details to highlight the vulnerability of the files. 

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call and not as a threat," said the D33Ds Company hackers.

Yahoo has confirmed that a file from Yahoo Contributor Network, previously Associated Content, containing the names and passwords for Yahoo and other companies' systems had been compromised, but it claimed that less than 5% of the account passwords were still valid.

Yahoo Voices is an online publishing application for sharing information. It was developed by Associated Content and later acquired by Yahoo.

This breach highlights how enterprises continue to neglect basic security practices, said Rob Rachwald, director of security strategy at security firm Imperva.

It also highlights the challenges of security with third-party applications. 

"It is very challenging to have an effective secure development life cycle with third parties. Therefore, you need to put them behind a web application firewall," Rachwald said.

According to Rachwald, Union-based SQL injection is the basic form of the well-known attack method, yet many enterprises have still not implemented basic measures to block SQL injection, which is a popular hacking technique.

SQL injection attacks have become the method of choice among hackers seeking to exploit weaknesses in IT infrastructures, said Chris Hinkley, senior security engineer at secure cloud hosting company FireHost.

"But with solutions readily available that are capable of blocking these threats, it’s frustrating that these attacks are still so successful," Hinkley said.

Hinkley said that while the cloud has traditionally been viewed as a risk to enterprise security, today’s new wave of cloud firms have designed their platforms to protect against even the most sophisticated of attacks.  

In a blog post, Rachwald wrote: "To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide."
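The two failings named above (SQL text built from user input, and passwords kept in clear text) are shown here beside their fixes, as an added example that is not part of the original article or any vendor's code. The schema, function names and input string are constructed for illustration, and the PBKDF2 iteration count is an assumption.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware

def make_db():
    # Constructed schema: a public table the app searches, and a credentials table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER, title TEXT, author TEXT)")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO articles VALUES (1, 'Gardening tips', 'alice')")
    return db

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db, email, password):
    # Store a per-user random salt and a slow salted hash, never the password.
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))

def verify(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], hash_password(password, row[0]))

def search_concat(db, author):
    # Weak: input is pasted into the SQL text, so it can change the statement.
    return db.execute(
        "SELECT title, author FROM articles WHERE author = '" + author + "'").fetchall()

def search_param(db, author):
    # Fixed: the driver binds the value, so it is only ever compared as data.
    return db.execute(
        "SELECT title, author FROM articles WHERE author = ?", (author,)).fetchall()

# Constructed test input shaped like a union-based injection string.
UNION_INPUT = "x' UNION SELECT email, hex(pw_hash) FROM users --"

if __name__ == "__main__":
    db = make_db()
    register(db, "user@example.test", "correct horse")
    print("concatenated: ", search_concat(db, UNION_INPUT))
    print("parameterised:", search_param(db, UNION_INPUT))
    print("login ok:     ", verify(db, "user@example.test", "correct horse"))
```

The concatenated query returns a row from the credentials table, while the parameterised one returns nothing; because only a salted hash is stored, even the leaked row does not contain the password.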

Hinkley said: "One of the most troubling trends we're seeing, over the last few high-profile breaches, is that organisations are not taking adequate steps to protect user information."

Although most of the stolen usernames and passwords seemed to be obsolete, Imperva researchers said the published file suggests that the hackers gained access to the whole database and were able to view some private data of account holders, including full name, address, phone number, education details and date of birth.

Organisations need to encrypt sensitive information on the server side and ensure security keys are stored outside the virtual environment to ensure compliance with the best practices of data protection, said Gary Clark, vice president for Europe at security firm SafeNet.

"The excuses for not encrypting all sensitive information have long run out and organisations need to follow the fundamental principles of data protection or risk losing the trust of their customers," he said.

According to Slavik Markovich, CTO of Database Security at McAfee, it is often the case that obvious database vulnerabilities, such as weak passwords and default configuration settings, are initially overlooked and never fully remediated.

"An organisation’s sensitive information can never be adequately secured if it lacks dedicated tools and processes to gain complete visibility into their databases' security weaknesses and eliminate the opportunity for the bad guys to exploit them," he said.

The potential implications from this breach could be extensive, said Paul Ayers, vice-president for Europe at encryption firm Vormetric.

With every incident like this that happens, organisations worldwide are reminded of the changing threat landscape and the need for IT infrastructure to keep pace, he said.

According to Ayers, an organisation’s starting point should not be "if" it gets hacked, but "when". 

"Ultimately, focusing on a defensive perimeter around a network is not going to keep the bad guys out anymore," Ayers said.

Servers hold the crown jewels of enterprise information, such as databases, and organisations need to ensure the security and access control of that server data, said Ayers.

For databases in particular, he said, a combination of encryption and database activity monitoring ensures organisations can rest assured that no matter how or where data exists on systems, or whoever’s hands it falls into, that information remains secure.
