Ever since the announcement on Wednesday by the Department of Justice (DoJ) that it had indicted four men for their hack of Yahoo in 2014, information security experts have been responding with a range of comments.
The fact that Russian nationals working for the nation's premier spy agency were involved only exacerbates the impact of what is believed to be one of the largest hacks in history.
Two of the men under indictment, Dmitry Dokuchaev and Igor Sushchin, both worked for the Federal Security Service (FSB), a successor agency to Russia's KGB.
The slap in the face is that Dokuchaev was an officer in the FSB Centre for Information Security, a unit intended to investigate hacking incidents and served the FBI as a point of contact in Moscow. It's believed Dokuchaev worked for Sushchin.
Russian officials are denying that the men were involved. Official Russian agencies, including the FSB, have nothing to do with cyberattacks, Kremlin press secretary Dmitry Peskov said in response to yesterday's indictment from the DoJ.
“We have repeatedly stated that there can be absolutely no question of any official involvement of any Russian agency, including the FSB, in any unlawful actions in cyberspace,” Peskov said.
Regardless of statements from Russian officials, security experts in the U.S. are weighing in offering perspectives on everything from espionage to financial gain, as well as the tools and strategies that might have prevented such a breach
Adam Levin, founder of CyberScout and author of Swiped, offers the following consumer tips:
Use long, strong passwords that are unique to each site.
Never replicate your user IDs or passwords across your universe of websites. This is hard to do since so many organizations require your email address as your user ID.
Consider using a password manager.
Enable 2-factor authentication whenever and wherever possible.
Don't click on links in email or social media. You may be downloading malicious software onto your device.
Never trust someone who contacts you by email, phone or text asking for sensitive personal or financial information and claiming to be a representative of a government agency or trusted commercial institution.
Always verify. Hang up the phone, delete the email or text. Make sure that you have initiated contact and are in control of the interaction.
If you believe that your email contained any credit or bank account information, check your credit and bank accounts or sign up for ongoing, transactional monitoring.
The ramifications of password theft have become so complex that consumers need expert advice. Your insurance provider, financial services institution, or the HR department of your employer may offer low-cost or free cyber protection services to proactively protect and restore stolen identities.
“The only way attackers can move massive amount of data out of an organization while staying under the radar of security tools is by encrypting the data, so it's not surprising to learn that Russian attackers may be behind the Yahoo! hack," Kevin Bocek, chief security strategist for Venafi, told SC Media on Tuesday. "The ugly truth is that it's nearly impossible for any organization to detect unauthorized, encrypted traffic coming in or out unless they have very strong cryptography practices. Cybercriminals know how rare encryption protection is, and that's why attacks that leverage stolen or forged cryptographic controls are so successful."
Subversion of encryption seems very likely in the Yahoo! breach, Bocek said. "When we evaluated their cryptographic risk posture it was apparent that Yahoo! lacks deep visibility into many serious cryptographic risks. Unfortunately, this is pretty typical even in large organizations with deep investments in security."
The problem is that organizations use encryption to secure everything, but without a comprehensive understanding of cryptographic risks, there is absolutely no way for any organization to be confident about security or privacy. Bocek added
Tim Matthews, vice president of marketing for Imperva, told SC that this case is disturbing on many levels, but enterprises should take note. "Organizations may have been under the false impression that state-sponsored hacking was aimed at other governments – or at worst, political parties. Now we have learned that elite teams of state-sponsored conspirators and hackers are also seeking access to corporate data."
What's more, Matthews said, the state-sponsored conspirators of this cyberwar are, as in ancient times, giving the spoils of this war to their hacker combatants. "In this case, after collecting the data on their political targets, which includes employees of commercial entities in transportation and financial services, the hackers were given free rein with the spoils – the data from 500 million Yahoo users."
It's more important than ever for organizations not to become complacent, Matthews emphasized. "If a nation-state hacked Yahoo, who's to know what other companies may have been or will be hacked. Those who don't carefully monitor their networks today may well regret it down the road.”
“The Yahoo hackers gained access to users' activity on Flickr, Tumblr, fantasy sports and other Yahoo applications," Adam Levin, founder of CyberScout, told SC on Wednesday. But, he pointed out, that's only the beginning of the potential damage, since most users tend to re-use their passwords across multiple sites, including their online bank accounts.
"International cybercriminals will use powerful, brute-force technology to seek out a users' accounts across the web and gain access to those accounts, too. They'll also use hacked email accounts to spam consumers' social networks and fool friends into giving up their personal information.”
For Igor Baikalov, chief scientist at Securonix, the indictment announcement is another one of the very confusing announcements we've been hearing for the last year or so.
"One of the criminal hackers charged in this case, Aleksey Belan, was already charged twice before," Baikalov explained. "How the new charge is going to change his fate is unclear."
Further, the other Russian hacker, Karim Baratov, is actually a Kazakh and a Canadian citizen, nobody seems to know anything about him, Baikalov said.
"Dmitry Dokuchaev is a former hacker who got busted by the FSB back in 2006 for "carding," and was offered a job at the agency, "or else" – common practice with intelligence agencies around the world," Baikalov pointed out.
"What's interesting is that he was arrested back in December of 2016 for treason, allegedly cooperating with the CIA. Obviously, he cannot provide these services now, being under arrest. Is that why he is thrown under the bus?"
And, finally, Baikalov asks who is the fourth Russian indicted, Igor Sushchin? "He's mentioned as a superior of Dokuchaev, but apparently Dokuchaev was a deputy of Sergei Mikhailov, senior officer at the FSB known for his skills managing hackers, and who was also arrested back in December on treason charges."
There's definitely plenty of smoke, but Baikalov is not sure where the source of fire really is.
“Today's indictments shine a light on the muddy world of state-sponsored attacks, where government and private hackers work side by side," Nick Bilogorskiy, senior director of threat operations at Cyphort, told SC on Thursday.
"All companies should consider this a wake-up call and use this opportunity to review their strategy on advanced threats detection and breach response workflows."
Most importantly, listen to your security experts and prioritize security initiatives, unlike Yahoo executives, who denied Yahoo's security team financial resources, put off proactive security defenses, refused to reset of all user passwords after the breach and declined to implement end-to-end encryption in messages, Bilogorskiy said.
When it comes to the Yahoo! data breach and the countless other corporate cyber incidents that we have witnessed over the last several years, the wrong questions continue to be asked, Tony Busseri, CEO of Route1, told SC Media on Wednesday. "The focus this week has been on the indictment of those hackers responsible for the Yahoo! breach, but the much more critical issue is that corporations are simply not held accountable for their role in failing to protect sensitive data. Until this changes, massive data breaches impacting thousands, or even millions, of people will continue to be an almost daily occurrence."
Busseri said that the U.S. federal government has done an excellent job of implementing stringent cybersecurity requirements for its own civilian agencies through NIST – the National Institute of Standards and Technology. "NIST's guidance for federal agencies aims to ensure that sensitive federal information remains confidential when stored in nonfederal information systems and organizations – critical guidelines pertinent to user authentication, secure mobility, and more."
However, he pointed out, protocols similar to those implemented by NIST for the U.S. government have not been applied to corporate America.
"While I applaud the U.S. government's forward-thinking efforts to bolster its own cybersecurity, not enough has been done at the federal level to hold corporations to these same standards, Busseri told SC. He said he strongly advocates for the enactment of legally binding guidelines for enterprise security practice.
"In fact, I suggest that government and corporate entities collaborate on this issue, and utilize their collectively massive resources and influence to put in motion a sea change that will ripple across ALL organizations."
If enterprises continue to not be held accountable for their security shortcomings, however, this change will never occur, Busseri warned. "Outdated technologies that create massive risk vectors, including Virtual Private Networks, continue be utilized on a widespread basis."
What is the motivation for improving these and other cybersecurity flaws if corporations face no consequences for failing to do so, he asked "Until enterprises are held legally responsible protecting sensitive data, and face the possibility of class-action lawsuits and other ramifications that directly impact their ability to operate, they will continue to ignore security holes for the sake of convenience."