Parents, Teach Kids to Not Share State Secrets via Yahoo
Cybersecurity Ignorance Makes Nation-State Hacks Easier
Move over civics class, there needs to be a new, mandatory school lesson: cybersecurity smarts. That's because increasingly, the bad information security choices made by some people in positions of power have ramifications for the rest of us.
Case in point: Two Russian spies allegedly paid two freelance hackers to hack Yahoo - for intelligence-gathering purposes. Otherwise, why would cybercriminals - who operate with profit as their principal motive - have bothered? They'd have gotten better bang for their buck via other types of attacks, such as ransomware and banking Trojans.
Cybercriminals prefer easy pickings. Of course, that same ethos seems to inform many intelligence-gathering operations. As the recent WikiLeaks dump of CIA hacking tools demonstrates, don't worry about cracking crypto when you can just bug the smartphone.
On a related note, hacking Yahoo makes more sense when it comes to gathering intelligence, and especially intelligence about a certain generation of users. As Sean Cassidy, CTO of security firm DefenseStorm, notes via Twitter, "Yahoo/AOL use is high among a certain age group."
Unfortunately, some members of that age group also hold positions of power, yet appear to trust webmail services - AOL, Gmail, Hotmail, Yahoo - to send and store sensitive information, if not state secrets. "At first I was all: 'What good is 500m yahoo accounts? That's like, one step up from AOL,'" the operational security expert who calls himself the Grugq says via Twitter. "And then I remembered that Pence used AOL for work."
@thegrugq Yahoo/AOL use is high among a certain age group
— Sean Cassidy (@sean_a_cassidy) March 15, 2017
He's referring to U.S. Vice President Mike Pence, who used AOL to conduct public business while serving as the governor of Indiana. Perhaps not coincidentally, his AOL account has also been hacked.
Pence, 57, has been called out for apparent hypocrisy, because he'd accused Hillary Clinton, 69, of putting classified secrets at risk by using a private email server while she served as secretary of state. Clinton, meanwhile, appears to have gotten bad advice from her predecessor, Colin Powell, 79, who later had his AOL email account hacked and dumped, allegedly by Russians (see New Clinton Email Shows Bad Advice from Colin Powell).
As of January, meanwhile, U.S. president Donald Trump, 70, appeared to be using a conventional Android smartphone, at least for tweeting. As the CIA hacking-tool dump demonstrated, Android has seen more than its share of exploitable flaws, thus making the commander-in-chief's choice of device questionable, at best.
AOL Jumped the Shark
Pence's own choices also reveal an apparent lack of cybersecurity wisdom. Indeed, AOL was big in the late-1990s dial-up modem days, and arguably peaked in 1998 when its "you've got mail" tagline became the title of Nora Ephron's Tom Hanks and Meg Ryan rom-com of the same name.
Fast-forward to 2014, meanwhile, when AOL warned users that a single online attack had compromised 2 percent of its accounts and urged its tens of millions of users to change their passwords.
The next year, however, the now-former director of the Central Intelligence Agency, John Brennan, 61, was also caught out for poor cybersecurity choices after his personal AOL email account was hacked, apparently by an American teenager who stole emails and attachments. Not long after, WikiLeaks dumped the stolen data, which included personal information for some top U.S. intelligence and national security officials.
Easy Pickings
That's why hackers with nation-state handlers might target AOL or other webmail accounts, rather than just attempting to penetrate more heavily secured - and monitored - government-issued email accounts.
In the Yahoo hacking case, for example, the indictment charges Igor Sushchin and Dmitry Dokuchaev, both members of Russia's Federal Security Service, or FSB, with acting as handlers for a 22-year-old hacker named Karim Baratov.
"When the FSB officers, Sushchin and Dokuchaev, learned that a target of interest had email accounts at webmail providers other than Yahoo, including through information gained from the Yahoo intrusion, they would task Baratov to access the target's account at the other providers," according to the indictment. "When Baratov was successful, as was often the case, his handling FSB officer, Dokuchaev, paid him a bounty."
Baratov was arrested March 14 in Canada and remains in Toronto police custody. His alleged FSB handlers, meanwhile, remain in Russia.
Russian authorities have denied that the country's domestic spy agency, the FSB, was involved in the Yahoo hack. "We have said repeatedly that there can be no discussion of any official involvement of any Russian office, including the FSB, being involved in any unlawful cyber activities," Kremlin spokesman Dmitry Peskov told Reuters. He said Moscow had yet to receive any official communications relating to the indictment from U.S. authorities, saying the Kremlin had to date been relying on media reports.
Russian MP Leonid Slutsky, who chairs the Duma - Russia's legislative body - reportedly said the charges were an attempted smear campaign by the United States, and said his government has repeatedly called on "the respective U.S. agencies to cooperate to establish the truth and to prevent such situations in principle in the near future.
"But apparently, our U.S. colleagues are interested in fabricated and virtual hacks rather than the fight against real hacks," Slutsky told Russian news agency Tass. "Such situations are used for marginalizing Russia's image in the U.S. and the world."
Parents: Talk About 'Cyber' With Your Kids
Whatever your view of Russia's claims, as with so many things in life, the solution to these problems likely comes down to parenting. In fact, it's our duty, as the U.S. indictment revealed that hackers would not only target their victims directly, but also hack into the email accounts of people close to them, seeking potential leverage.
When it comes to online security, one takeaway from the Yahoo hacks, says Thomas Rid, a professor of security studies at King's College London, is to "sit down with your spouse and children and bring them up to speed."
If you take your own online security really seriously - you may want to sit down with your spouse and children and bring them up to speed pic.twitter.com/ZMMLyyvRn5
— Thomas Rid (@RidT) March 15, 2017
It may be too late for the likes of Clapper, Clinton, Pence, Powell and Trump. But we can still educate our kids.
Then again, as with all things technology - witness this month's fantastic primer on messaging securely in Teen Vogue - they're hopefully already well beyond the rest of us.