Yahoo says hack of 500 million users "state-sponsored," but a security firm calls bullshit


#1

Originally published at: http://boingboing.net/2016/09/29/yahoo-says-huge-hack-was-sta.html


#2

This seems to be a pretty standard whitewashing technique in IT-disaster management.

If you can no longer deny the seriousness of the attack, which is step #1, the next-best thing is to play up the scariness of the attacker.

“Yeah, we got hacked by script kiddies because we suck” would be totally embarrassing and suggest that you are incompetent. A “state-sponsored actor” or (until recently the most popular term) “Advanced Persistent Threat”, on the other hand? Those can happen to the best of us.

I don’t hold out much hope that Yahoo’s users are anything other than SOL; but I cannot help but wonder if Yahoo was…other than candid…about any of this stuff prior to being devoured by Verizon. Because they seem like the sort of people very, very, well equipped to express their unhappiness about any misrepresentation prior to the sale.


#3

Big corps need to take heed, but they don’t.
It’s as bad as being subscribed to something that won’t accept
your unsubscribe request…

The internet needs clear thinking; a method to remedy this alone
would fix about 0.5% of spam.


#4

One of those nouns spelled differently according to whether they are yours or mine.


#5

When this story broke this was the first thing that occurred to me. “State-sponsored” is the internet version of “act of God”. Hey, what could little ol’ Yahoo do to stop this? There was a WHOLE government pouring all its resources into hacking them. *shrug*


#6

I wouldn’t trust any confidential information on their systems.

They have always been a mess. The entire AD of Yahoo! was pwn3d by hackers, back in about 2007. It had probably been owned for at least a year.

Ancient PCAnywhere was included with an admin cred in every corporate Windows image. AD admin roles were liberally granted.

This cascaded into credentials being exposed to non-Windows production systems and software dev infrastructure, including the code repository.

They had great infosec people, hamstrung by remaining Filo and Yang culture. They also focused on the wrong security problems, building their own auth methods, etc.

