Tuesday, December 20, 2016

Ya-How?

   Just a few months ago, in September 2016, Yahoo announced that they had uncovered a breach that leaked passwords for 500 million accounts.  The actual breach took place in 2014 but took years to discover.  This breach was different than the prior breach announced in 2012.  We discussed this here.

   This announcement came at a time when Yahoo was deep into talks to be acquired by Verizon.  That September announcement led to speculation about effects to the purchase price.

   Well, truth is stranger than fiction, and Yahoo is back in the news again.  Now on December 14, 2016 it appears that yet another breach has been discovered.  This is different from the previous issues and seems to date from August 2013.  This latest discovery affects... wait for it... one billion accounts!  You'll recall that the 2014 breach discovered in Sept 2016 hit "only" half that many accounts!

   So if we look at the timeline, Yahoo had major breaches in 2012, 2013 and 2014 with discoveries in 2015 and 2016!  Good times.  Here is the latest announcement from Yahoo as well as some articles covering the details.

   This whole thing is a major issue (issues?) for a number of reasons, and it has to do with our dependence on email in our online world and Yahoo's role as major provider of free email.
  • We all use email daily for wide variety of reasons.  We have a need to trust email.  Of course, using email has made our lives easier... Not!
  • Spam and Phishing - when you receive a spam or phishing message from a "friend", you are more likely to click on the links.  Similarly, having your account taken over endangers your friends and contacts.
  • Password reuse - most people reuse passwords among internet sites because it's easier to remember fewer passwords
  • Linked accounts - as a convenience, you can connect accounts together so that you can use multiple services with one login.  This is most common with Facebook ("login with Facebook") but this is also available with Yahoo, Google and others.
  • Password resets and other verifications - often, password reset info or alerts or warnings are sent to an email address you specify.  If you specified your Yahoo account to receive these from your bank or other important site, and you account was compromised in any of the attacks we're discussing, the attackers could intercept this alert information.
   So what should you do?

Tuesday, December 6, 2016

Information Security Learning Resources part 2

   Today we have part 2 of a 2-part guest post by security analyst Chris Goff.  Chris has collected a set
of info, links and lists that definitely qualify as extremely cool resources!  You can check out Chris' website at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!

Security Concepts
There are three key concepts of information security which you may or may not be familiar with:
    -      Confidentiality
o   Confidentiality is the characteristic of information whereby only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached.
    -      Integrity
o   Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damaged, destruction, or other disruption of its authentic state. Corruption can occur while information is being entered, stored, or transmitted.
    -      Availability
o   Availability is the characteristic of information that enables user access to information in a usable format without interference or obstruction. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.

This is known as the “security triad”. It can be further expanded upon:
    -      Privacy
o   Information that is collected, used, and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected. Privacy as a characteristic of information does not signify freedom from observation (the meaning usually associated with the word), but in this context, privacy means that information will be used only in ways known to the person providing it. Many organizations collect, swap, and sell personal information as a commodity. It is now possible to collect and combine information on individuals from separate sources, which has yielded detailed databases whose data might be used in ways not agreed to, or even communicated to, the original data owner. Many people have become aware of these practices and are looking to the government for protection of the privacy of their data.
    -      Identification
o   An information system possesses the characteristic of identification when it is able to recognize individual users. Identification is the first step in gaining access to secured material, and it services as the foundation for subsequent authentication and authorization. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. Identification is typically performed by means of a user name or other ID.
    -      Authentication
o   An information system possesses the identity that he or she claims. Examples include the use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections or the use of cryptographic hardware devices--for example, hardware tokens provided by companies such as RSA's SecurID--to confirm a user's identity.
    -      Authorization
o   After the identity of a user is authenticated, a process called authorization assures that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset. An example of authorization is the activation and use of access control lists and authorization groups in a networking environment. Another example is a database authorization scheme to verify that the user of an application is authorized for specific functions such as reading, writing, creating, and deleting.
    -      Accountability
o   Accountability of information exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability. (Management of Information Security by Michael E. Whitman and Herbert J. Mattord)