2016-09-23

Yahoo Hacked? - The real reason for the news articles at this time

Today we see on the news that Yahoo discovered they were hacked in 2014 (or was it 2012?), with up to 500 million accounts compromised (or was it 300 million?), but not to worry, the perps did not get anything significant like bank accounts etc. And they were "state actors", so FBI, don't waste your time looking for them.

I don't think we need to question whether a hack took place some years ago. Yahoo did in fact notice a hack then, and asked many (or all) of its users (like me) to change their passwords at that time. We did, and so we should be past that. So why bring this up again now?

Yahoo recently decided to sell itself to Verizon. Have you ever thought about what that means when you want to merge the two lists of authorized users? The gold standard today for password security is to hash the password: transform it in a way that nobody can reverse. You store the hashed version, hash the password the user supplies every time they log in, and compare the result against the stored hash. That way, the plain password is not recorded anywhere, and not even administrators who can look at the contents of memory and disk have access to it. Different companies use different hashing algorithms, and Yahoo used a particularly strong one called bcrypt. The merged system is forced to support both algorithms and remember where each user originally signed up, essentially forever.

But if you can get people to change their password, then at the time they make the change you can hash the new password with the algorithm you plan to use going forward. Of course, you could always redesign your login page to pass back the plain password. But this would make any security engineer extremely uncomfortable: you would be using the plain password for another purpose, and you would be breaking security (and maybe Yahoo's explicit or implied contract with its users) for the time it takes for all users to eventually log in, which could be 6 months, a year, or more. By putting out the scare, you hurry up the process, and don't break people's expectation of what your software is doing with their password. And of course there is an underlying threat to speed things up: if the user does not change his/her password after a reasonable amount of time, you have given yourself a reason and a right to lock them out.
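The merge problem described above, as an added example that is not code from the post or from Yahoo or Verizon. Each stored record carries a tag naming the algorithm it was hashed with, login verifies by dispatching on that tag, and a password change (not a plain login) is the moment the new scheme is applied. Assumptions: the "legacy" scheme (bcrypt in the post) is stood in for by PBKDF2-HMAC-SHA256 and the go-forward scheme by scrypt, both from the standard library; the record format `tag$salt$digest` is constructed here.

```python
import hashlib
import hmac
import os

# Constructed algorithm tags: LEGACY stands in for the originating site's
# scheme (bcrypt in the article), CURRENT for the scheme the merged system
# wants going forward. Both are one-way; only the tag tells records apart.
LEGACY = "legacy-pbkdf2"
CURRENT = "current-scrypt"


def _digest(algo, password, salt):
    """Compute the one-way digest for the given algorithm tag."""
    pw = password.encode("utf-8")
    if algo == LEGACY:
        return hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000)
    if algo == CURRENT:
        return hashlib.scrypt(pw, salt=salt, n=2**12, r=8, p=1)
    raise ValueError(f"unknown algorithm tag {algo!r}")


def make_record(password, algo=CURRENT):
    """Store tag, salt and digest; the plain password itself is never kept."""
    salt = os.urandom(16)
    return f"{algo}${salt.hex()}${_digest(algo, password, salt).hex()}"


def verify(record, password):
    """Dispatch on the stored tag so accounts from either origin can log in."""
    algo, salt_hex, digest_hex = record.split("$")
    calc = _digest(algo, password, bytes.fromhex(salt_hex))
    # Constant-time comparison avoids leaking digest bytes via timing.
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


def change_password(record, old_password, new_password):
    """Return (ok, record). The old record is checked with whatever scheme
    it carries; the new password is always stored with CURRENT, so the
    legacy scheme dies out as users change passwords."""
    if not verify(record, old_password):
        return False, record
    return True, make_record(new_password, CURRENT)


def legacy_count(records):
    """How many accounts still force the merged system to keep the old scheme."""
    return sum(1 for r in records if r.startswith(LEGACY + "$"))
```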

There is another thing to think about. Verizon is primarily a communications company. As such it has tighter coordination with government, and less regard for user privacy vis-a-vis government, than a primarily Internet services company. In Britain, for example, communication companies are expected to help with decryption, and many accommodate by storing user passwords and keys. In the US, privacy laws are less stringent for email stored for more than 6 months. So Verizon's promises about what it does with your password may be less stringent than the ones Yahoo has made and practises. Expect some changes in the privacy language.

Best bet for securing your email? Follow the example set by Hillary Clinton: have your own mail storage server that is physically under your control, and store your email long term on that server only. It should be configured to allow data to flow in only. You can still get features like spam filtering by using a web email host like Yahoo, but use the POP service feature to regularly download all email, and delete the email on the web-based email provider after you have it on your own mail storage server. You decide what email remains with the email provider and accessible from anywhere (and potentially accessible to hackers).