Yahoo hack effects Sky and BT emails as well

The world’s largest hacking of Yahoo also effects BT and Sky email users.

The world's largest hacking of Yahoo also effects BT and Sky email users.Yahoo wasn’t the tech giant in Silicon Valley that it used to be, but the news that half a billion user details were stolen from it over two years ago in 2014 should still concern everyone.

It now transpires that both BT and Sky used Yahoo’s email system and labelled it as their own.  Which is particularly ironic given that Sky’s parent company Fox has had to pay out hundreds of millions to people it had itself hacked it’s customers.

What is even more worrying is customer inertia- that’s because stubborn user behavior and the economics of darknet markets mean the chances of a serious breach at another major internet service increase dramatically with each hack.

The user behavior part is that people like to reuse their passwords—a lot.

One estimate, from Cambridge University’s Security Group, puts password reuse as high as 49%.

That is, we use the same password for every two accounts that require a log-in.

When a big cache of hacked passwords ends up traded on darknet markets, it often gets added to password databases. These databases can be used by corporations to ensure their users don’t use previously published, insecure passwords—or more maliciously by hackers, who will try to find passwords reused on other services.

It’s the equivalent of trying millions of different keys on a particular door, except it’s all automated and can be done in days, as the password cracker Jeremi Gosney has detailed for Ars Technica.

Password reuse and marketplaces for stolen data mean that password databases grow larger and more robust with each major breach. For example, LinkedIn was hacked in 2012 for more than 100 million user accounts. Parts of those stolen credentials wound up in darknet data dumps.

One of those log-ins belonged to a Dropbox employee, who apparently reused a password, allowing a hacker to enter the file-sharing platform’s corporate network. This led to the theft of 70 million Dropbox user passwords, which the company confirmed in August. One massive hack leads to another, forming a daisy-chain of insecurity.

The Yahoo breach is five times the size of the LinkedIn theft. That’s a lot more data to add to password-cracking lists.

The only thing we internet users have going for us now is to hope the “state-sponsored actor” that Yahoo says is behind the hack doesn’t dump the data in public, or sell it for profit. When that happens, we’re due for a password reset.

You can check if your email has been hacked and touted online at: https://haveibeenpwned.com/

Know your cyber attacker to defend yourself

Plus ca change- the Chinese general Sun Tzu said “know your enemy” 2,500 years ago- and the advice is as pertinent today as then when it comes to cyber security.

Plus ca change- the Chinese general Sun Tzu said Organisations can build better cyber defences by understanding which criminal underground is likely to target them, according to Robert McArdle, threat research team manager at Trend Micro.

There are several distinct types of cyber criminal undergrounds divided along language lines, each with their own particular characteristics, he told the Cloudsec 2016 conference in London.

The biggest and most mature are the Russian, English, German and Chinese cyber criminal undergrounds, but there also significant operations in Portuguese (Brazil) and Japanese.

“The all operate slightly differently and focus on different activities, so it depends on your business which of these undergrounds are the most likely to target your organisation,” said McArdle.

The Russian criminal underground is the longest-running, most mature criminal underground and was the first to introduce that as-as-service model, which has since been copied by most of the others.

The Russian cyber criminal underground is highly competitive, with most operations run along strict business principles, with some boasting dedicated sales departments and 24-hour support services.

The Trend Micro research team has identified several trends in the Russian underground, such as the fact that fierce competition is forcing prices lower, providing easier access to tools and services.

There has been a rapid increase in the number of tools and services targeting mobile devices and platforms in line with the growing popularity of mobile devices.

Another rapidly growing area is the trade in information about compromised sites that can be used in various cyber criminal campaigns.

Trade in credit card details continues to be strong on the Russian underground, with several sites dedicated to buying and selling this data.

“Some even have clickable maps that enable cyber criminals to view what credit cards are available in particular countries, cities and particular companies,” said McArdle.

“We have also seen the emergence of star-rating systems and the introduction of validation services that allows customers to try before they buy,” he said.

The Chinese underground is interesting, said McArdle, because although China is strongly associated with cyber espionage in the West, it is responsible for relatively little of run-of-the-mill cyber crime.

“Because of the language differences, the Chinese underground tends to build its own malware, does not rely on outside sources and mainly targets companies and individuals in China,” he said.

Although there is a fair amount of cyber crime hardware produced in China, such as card skimming devices, this tends to be sold through the cyber criminal markets based in South America.

The English cyber criminal underground is characterised by a much greater focus on physical goods, such as recreational drugs and fake identity documents, in addition to malware and killers for hire.

Distributed denial of service (DDoS) tools and services are very common in the English underground because they started out as tools developed by rival English-speaking gaming groups before migrating into extortion tools used by cyber criminals.

“We see a lot of tools and services for identity theft on the English underground, such as fake IDs, particularly in the US, where a stolen social security number can be used to impersonate someone to commit fraud by taking out loans, for example,” said McArdle.

Although the Portuguese cyber criminal underground based in Brazil is still relatively immature, he said it is growing and developing rapidly, driven by excellent online tutorials.

“Our researchers came across a three month tutorial programme for just £75 that is practically a masters level course on every aspect of conducting carding operations, including practical assignments with feedback on performance,” said McArdle.

The Portuguese underground is heavily focused on attacks on online banking, with 40% of Brazilians interacting with banks online. Consequently, most new attack methods aimed at online banking emerge in this region, providing a good indicator of what is likely to emerge in other parts of the world.

The Japanese underground is one of the least mature cyber criminal undergrounds, said McArdle, and, like the Chinese, it tends to focus on Japanese speaking customers and targets.

Although there is relatively little malware available because of the strict anti-malware legislation in Japan, he said there is a strong focus on Trojan malware and malware for webcams.

The Japanese underground is also characterised by gated communities, the use of coded language to refer to goods and services, and free porn websites pop-ups that demand payment for allegedly accessing member-only content.

“Strangely enough, around 10% of those targeted by these pop-ups pay the money demanded, even though the claims are false and no malware is involved,” said McArdle.

The German cyber criminal underground is the most mature in Europe and is not far behind the Russian underground.

“There are a lot of overlaps with the Russian underground, especially in terms of fake identity goods and services driven by demand from the growing Syrian refugee population in Germany,” said McArdle.

An understanding of nature of these undergrounds, he said, means that the banking sector should concentrate on the Russian and Portuguese undergrounds, for example, while those tasked with defending government or military networks would do well to concentrate on the Chinese underground.

“Understanding attackers is key to understanding what you need to defend against and building a strategy for doing so,” said McArdle.