Yahoo Found Wanting on Crypto Security

Yahoo’s security challenges are showing no signs of abating after crypto specialist Venafi highlighted multiple issues which could indicate hackers are still present inside key systems following Yahoo’s disclosure of a massive data breach last week.

Venafi analyzed data from certificate database business TrustNet which showed over a quarter of certs issued for externally facing Yahoo sites hadn’t been reissued since January 2015.

The security vendor argued that unless breached firms replace certificates following an incident, there’s no guarantee hackers haven’t got access to encrypted communications.

Nearly half (41%) of those certificates use the SHA-1 algorithm, for which many browser vendors plan to withdraw support because it is insecure.

In addition, Venafi claims to have found some of Yahoo’s certificates use the MD5 cryptographic hashing function – which is apparently susceptible to brute force attacks and is riddled with bugs which can be exploited by determined attackers such as those behind the Flame campaign.

Yahoo was also criticized for self-issuing many of its certificates, using so-called ‘wildcard’ certs, and for using certificates with long expiration dates. All of these betray poor security controls, Venafi claimed.
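The weaknesses Venafi lists (MD5 or SHA-1 signatures, wildcard names, self-issued certificates, long validity periods, and certificates not reissued since a breach) are all things a defender can check mechanically across a certificate inventory. The following is an added example, not Venafi's or Yahoo's code; it audits a constructed certificate summary against those five rules, with the January 2015 cutoff and the 398-day validity limit chosen here as assumptions.

```python
import re
from datetime import datetime, timedelta

# Hashes the article singles out as weak; matched against the signature
# algorithm name as OpenSSL-style tooling reports it (e.g. sha1WithRSAEncryption).
WEAK_HASH_RE = re.compile(r"(md5|sha1)(?!\d)", re.IGNORECASE)


def audit_certificate(cert, reissue_cutoff, max_validity_days=398):
    """Return a list of findings for one certificate summary.

    `cert` is a dict with keys: subject, issuer, sig_alg, not_before,
    not_after, sans. An empty list means none of the five rules fired.
    """
    findings = []
    m = WEAK_HASH_RE.search(cert["sig_alg"])
    if m:
        findings.append(f"weak signature hash: {m.group(1).upper()}")
    names = [cert["subject"]] + list(cert.get("sans", []))
    wild = [n for n in names if n.startswith("*.")]
    if wild:
        findings.append("wildcard names: " + ", ".join(wild))
    if cert["issuer"] == cert["subject"]:
        findings.append("self-issued (issuer equals subject)")
    validity = cert["not_after"] - cert["not_before"]
    if validity > timedelta(days=max_validity_days):
        findings.append(f"long validity: {validity.days} days")
    if cert["not_before"] < reissue_cutoff:
        findings.append(f"not reissued since {reissue_cutoff:%Y-%m-%d}")
    return findings


def stale_fraction(certs, reissue_cutoff):
    """Share of certificates issued before the cutoff (the '27%' style figure)."""
    stale = sum(1 for c in certs if c["not_before"] < reissue_cutoff)
    return stale / len(certs) if certs else 0.0


# Constructed sample inventory (not real Yahoo certificates).
CUTOFF = datetime(2015, 1, 1)
WEAK_CERT = {"subject": "*.mail.example.test", "issuer": "*.mail.example.test",
             "sig_alg": "sha1WithRSAEncryption", "sans": ["*.example.test"],
             "not_before": datetime(2014, 6, 1), "not_after": datetime(2019, 6, 1)}
GOOD_CERT = {"subject": "login.example.test", "issuer": "Example Public CA",
             "sig_alg": "sha256WithRSAEncryption", "sans": ["login.example.test"],
             "not_before": datetime(2016, 10, 1), "not_after": datetime(2016, 12, 30)}

if __name__ == "__main__":
    for c in (WEAK_CERT, GOOD_CERT):
        print(c["subject"], audit_certificate(c, CUTOFF) or ["ok"])
    print(f"stale: {stale_fraction([WEAK_CERT, GOOD_CERT], CUTOFF):.0%}")
```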

“Any one of these cryptographic issues would leave an organization extremely vulnerable to attacks on encrypted communication and authentication,” said Hari Nair, cryptographic researcher at Venafi.

“Collectively, they pose serious questions about whether Yahoo has the visibility and technology necessary to protect encrypted communications and ensure its customers’ privacy. Our research has led us to believe that there is usually a high degree of correlation between weak cryptographic controls and overall cybersecurity posture.”

More worrying still is the fact Yahoo is not alone in its apparently poor handling of certificate security, with many major global brands also following the same practices, the vendor concluded.

Yahoo confirmed the breach of 500 million records late last week, barely a month after a hacker claimed to have stolen the details of 200 million users.

The internet pioneer claimed in a statement that a state-sponsored actor was to blame, adding that there’s no evidence to suggest they’re still in the network following the incident in 2014.

Infosecurity Editor, Eleanor Dallaway, spoke to BBC Radio 1 Newsbeat about the Yahoo breach last week.