"Anonymous" hackers expose Palin's e-mail
Robert Lemos, 2008-09-17
"Anonymous" hackers expose Palin's e-mail 2008-09-21
Anonymous
I viewed Yahoo's official response from the V.P. of mail and it's clear that he doesn't comprehend the problem or solution. Yahoo recommends lengthening passwords, which is good practice, but had nothing to do with this breach of Yahoo's system in the Palin situation.

What actually happened is a college student with no hacking ability was able to do social engineering on a public persona by exploiting weaknesses in Yahoo's "password reset" feature. He was able to use publicly available information about Palin to breach her Yahoo email account.

First and foremost, no account maintenance should EVER be allowed on anyone's accounts from any proxy used to mask identity. Had the student used a foreign proxy instead of a domestic proxy service, law enforcement would have had a much more difficult time in obtaining logs that identified the perpetrator.

Secondly, Yahoo needs to strengthen the challenge questions. For public persona, name, address, and zip code are all easily found in public records. All this individual had to do was guess on the question of where Palin met her spouse. Again, this is publicly obtained information that anyone could have determined with ease.

I work in security and have implemented systems for financial firms which are mandated by FFIEC regulations to use strong multi-factor authentication systems. If Yahoo is to be entrusted with personal information by customers, they should do the same.

There are good third party software products that provide features that would have prevented the Palin incident. RSA provides a product that passively examines machine information, stores it as profile data about that user, and uses it to challenge, if someone tries to access the account from a different computer/network. Challenge questions are presented, and if failure to answer challenge correctly, the account can be frozen until customer can be contacted to confirm identity. But, the system would have prevented this type of breach that occurred, because it would have caught the proxy attempt at access of Palin's account.

In security terms, the "what you know" aspect of Yahoo's security questions is too easy to be social engineered from public data, and requires strengthening, at a bare minimum. Again, nobody should be allowed to do account maintenance like password reset, or changing any account data from any proxy. Proxies are the main tools used by cyber criminals to mask identity.

Banning proxy traffic from its site would also help to resolve problems Yahoo has had with click fraud, spam rings, and "pay to post rings" operating on their sites.


Link to this comment: http://www.securityfocus.com/comments/newsbriefs/822/2629#2629
Copyright 2009, SecurityFocus