
Yahoo found negligent when it comes to internet security practices


December 15, 2016

The struggling internet company Yahoo has been found grossly negligent for failing to manage the never-ending challenge of upgrading its MD5 password hashing before some one billion Yahoo accounts were stolen and compromised, as disclosed yesterday.

This isn't the first time Yahoo is in the news on critical security issues and it probably won't be the last.

A while back, the German Office of Information Security said that police and security researchers had been closely tracking thousands of computers infected by malware that spied on users and then sent large quantities of spam, one of several security mishaps involving Yahoo in the past 24 months.

Today, the security-battered firm revealed that attackers stole more than a billion Yahoo accounts in August 2013, the biggest security breach in the internet's history.

In that single breach, hackers stole names, addresses, phone numbers and MD5-hashed passwords, a trove for social engineers who could then use the data to compromise the identities of Yahoo users all over the globe.

To say that this event is critical would be an understatement. The eye-watering news followed the company's September 2016 admission that over 500 million accounts had been stolen in separate attacks by alleged state-sponsored hackers in 2014, an admission that came two years after staff first became aware of that breach.

Yahoo said today that it has since replaced MD5 with the far superior bcrypt, moving from the world's worst password protection mechanism to a much better one.

Yet this is little comfort for those who used legitimate personal details when signing up to Yahoo's service, including many American subscribers to AT&T and other major cable and DSL providers that use Yahoo for their default email services, along with Kiwi carrier Spark, which unsurprisingly ditched the service in September.

For now, it isn't known whether the MD5 hashes were salted, since Yahoo did not mention that critical additive in its statement. Salting would mitigate much of the risk of using MD5, asserts Jeffrey Goldberg, security expert at AgileBits, makers of the 1Password credential vault.

"What is most important for now is whether the hashes, be they MD5, SHA1, or SHA256, are salted," Goldberg added. "Today, there is absolutely no valid excuse to use unsalted hashes."

But that Yahoo was even using the unsafe algorithm in the first place has drawn serious criticism and even mockery from established and reputable internet security researchers.

"Most people in the industry are well aware that the MD5 hashing algorithm has been considered not just insecure but outright broken for more than two decades," asserts Ty Miller, director of Sydney-based internet security firm Threat Intelligence, noting that MD5 collision vulnerabilities were found as early as 1996, with practical attacks developed in 2005, more than eleven years ago.

"I consider this grossly negligent of an organization the size of Yahoo, which has a direct obligation to protect the private data of over one billion of its users, to be utilizing such an outdated, insecure and totally ineffective control to protect the passwords of its customers," he warned the public.

The insecure algorithm is a real joke in internet security circles today. Rainbow table databases serve as directories that transform hashes into cleartext passwords, and the internet is now littered with free and paid services that can reveal logins within just a few seconds.

David Taylor, principal security consultant with Perth-based Asterisk Information Security, offered a similar opinion: "Yes, it would be extremely poor form on their part to be still using MD5 for hashing in December of 2016," he says.

"There have been numerous issues reported for MD5 dating back to the mid 2000s," he warned. Andrew van der Stock, board director with the lauded Open Web Application Security Project (OWASP) and also chief technology officer at Threat Intelligence, is an advocate of integrating security into the development process and sees many shortcomings in Yahoo's overall security model.

"This security breach clearly demonstrates that Yahoo's previous approach to security was less than ideal, and it's obvious that the people at Yahoo's so-called security team were unable to move the needle sufficiently with management to upgrade password hashing from a very outdated and totally insecure algorithm to something more modern, secure and acceptable by the industry," he asserted.

"That the outdated MD5 algorithm is still commonly found in many of the worst security breaches today is an indication that the continued use of that obsolete technology is correlated with other poor security practices," he added.

The security breach comes at a notably poor time for Yahoo: the company will soon be acquired by Verizon, possibly at a damaged-goods discount, and is apparently (we are told) conducting a 'security recruitment' drive in Australia in a bid to attract local security talent, van der Stock added.

"We all understand that without a complete revamp of senior management support for security and alignment with customer desires for privacy and security of their data, there is no point in taking on a position at Yahoo," he asserted.

To be sure, network admins were salting password hashes in the 1980s, but many still fail to apply the additive today. Salting feeds random data into the one-way function alongside the password, so that identical passwords produce different hashes; this prevents the use of rainbow tables and adds a much-needed extra layer of security.

Goldberg pointed to the large 2012 security breach at LinkedIn to demonstrate the importance of salting, something the security expert wrote about at the time.

"LinkedIn had used SHA1, an improvement over MD5 in general, but it really didn’t matter that it was SHA1 instead of MD5," Goldberg asserted. "What really mattered is that it was not salted. I strongly argued almost five years ago that it was totally irresponsible for LinkedIn to have used unsalted hashes, and that certainly applies to Yahoo as well in using unsalted hashes."

Put simply, a bland, salt-free password hash earns the "contempt" of Goldberg and his kin, while the use of slow hashes like bcrypt, PBKDF2 or the upcoming Argon2 wins their praise.

Salting alone does not stop hackers from guessing passwords, whereas bcrypt slows the rate at which those guesses can be made. "With a simple cryptographic hash function like SHA256, MD5, etc, any attacker might be able to make ten million guesses per second on a single hash. But with the 'slow hashing' functions, that might be reduced to a few tens of thousands of guesses per second," he asserted.

The greatly decreased rate gives users a window in which to change their passwords. Yet even that may not have helped Yahoo. "But after four years, the details of the hashing scheme don't really matter. Any guessable password will have been guessed by now," he laughed.
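The two points the article makes, that an unsalted hash lets one precomputed table recover every matching account while a salt makes identical passwords hash differently, and that a slow KDF such as bcrypt or PBKDF2 cuts the guess rate, can be seen side by side in this added example (written for this page, not code from Yahoo or from any of the quoted firms). It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt; the user records and the "common password" table are constructed sample data.

```python
import hashlib
import os
import time

# Constructed sample (not data from the breach): two users who chose the same password.
USERS = {"alice": "letmein123", "bob": "letmein123"}

# Constructed stand-in for a rainbow table: digests of common passwords, computed once and
# reused against every unsalted database, because identical passwords hash identically.
COMMON = ["password", "123456", "letmein123", "qwerty"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON}

def md5_unsalted(password: str) -> str:
    """Storage as described in the article: a bare MD5 digest, no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()

def crack_with_table(stored: dict) -> dict:
    """One lookup per account; every user whose digest appears in the table is recovered."""
    return {user: MD5_TABLE[h] for user, h in stored.items() if h in MD5_TABLE}

def sha256_salted(password: str, salt: bytes) -> str:
    """Fast hash plus per-user random salt: defeats precomputed tables, still fast to guess."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def pbkdf2_salted(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Slow, salted KDF (PBKDF2-HMAC-SHA256); bcrypt and Argon2 play the same role."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def guesses_per_second(hash_fn, salt: bytes, candidates) -> float:
    """How fast a single attacker thread can test candidates against one salted record."""
    start = time.perf_counter()
    for guess in candidates:
        hash_fn(guess, salt)
    return len(candidates) / max(time.perf_counter() - start, 1e-9)

def demo() -> dict:
    unsalted = {user: md5_unsalted(pw) for user, pw in USERS.items()}
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return {
        "cracked": crack_with_table(unsalted),  # both accounts fall to a single table
        "salted_differ": sha256_salted(USERS["alice"], salt_a) != sha256_salted(USERS["bob"], salt_b),
        "fast_rate": guesses_per_second(sha256_salted, salt_a, COMMON),
        "slow_rate": guesses_per_second(pbkdf2_salted, salt_a, COMMON),
    }
```

Running `demo()` shows both accounts recovered from the unsalted store, distinct salted digests for the same password, and a guess rate for PBKDF2 orders of magnitude below that of plain SHA-256 on the same machine.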

Source: Threat Intelligence LLC.

Copyright © Internet Security.ca