December 23, 2024

Yahoo! Changes Tune After Saying Servers Were Hacked By Shellshock

Posted on October 7, 2014 by in Security

On Monday afternoon, Yahoo confirmed to SecurityWeek that servers associated with Yahoo Games had been hacked as a result of the recently disclosed “Shellshock” vulnerability, but has since said its original conclusion was wrong.

In its original statement issued Monday afternoon, the company said that on Sunday night, a “handful” of its servers were impacted but said there was no evidence of a compromise to user data.

Hours later, Yahoo! Contacted SecurityWeek with a change in tune, saying that after all, the servers in question were NOT compromised via the Shellshock vulnerability, but rather a “minor bug in a parsing script”.

“Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by Shellshock. After investigating the situation fully, it turns out that the servers were in fact no affected directly by Shellshock, but by a minor bug in a parsing script,” a Yahoo! Spokesperson told SecurityWeek. “Regardless of the cause, our course of action remained the same — to isolate the servers at risk and protect our users’ data.”

The company maintained its position that no evidence has been found suggesting that user information was affected by the incident.

Yahoo! CISO, Alex Stamos provided additional details in a post to Y Combinator’s Hacker News.

“Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers,” Stamos explained. “These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.

Stamos, who became VP of Information Security and CISO at Yahoo! in March 2014, continued:

“As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!

The original story with more background on the incident can he found here

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed

Yahoo CISO Says Now Encrypting Traffic Between Datacenters, More Encryption Coming

Posted on April 3, 2014 by in Security

Yahoo’s recently-appointed VP of Information Security and CISO said that, as of this week, Internet traffic moving between Yahoo’s data centers is now fully encrypted.

Alex Stamos, who joined the company last month and has been tasked with securing Yahoo’s online products, provided a status update Wednesday on the company’s initiatives to protect users and their data.

The efforts by Yahoo are the latest as Internet and technology firms scramble to boost their security efforts and up encryption after Edward Snowden began to leak classified details on the scope of US government spying.

According to Stamos, the company has accomplished the following:

• Made Yahoo Mail more secure by making browsing over HTTPS the default.

• Has enabled encryption of mail between its servers and other mail providers that support the SMTPTLS standard.

• The Yahoo Homepage and all search queries that run on the Yahoo Homepage and most Yahoo properties also have HTTPS encryption enabled by default.

• Implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many the company’s global properties.

He also said that users can initiate an encrypted session for a variety of the company’s news and media services by typing “https” before the site URL in their web browser.

“One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure,” Stamos wrote in a blog post. “Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.”

A new, encrypted, version of Yahoo Messenger will be available in the months ahead, Stamos said.

“In addition to moving all of our properties to encryption by default, we will be implementing additional security measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency over the coming months,” Stamos continued. “This isn’t a project where we’ll ever check a box and be “finished.” Our fight to protect our users and their data is an on-going and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy.” 

Late last month, Google announced that its Gmail service would use added encryption to protect against eavesdropping and keep messages secure.

In December 2013, a group of US-based Internet giants called on Washington to overhaul its surveillance laws. In an open letter to President Obama and Congress, the tech giants called on Washington to lead the way in a worldwide reform of state-sponsored spying.

In January, President Barack Obama announced plans to curtail the reach of massive phone surveillance sweeps by the NSA, but said bulk data collection must go on to protect America from terrorists.

In December, Microsoft said it would “pursue a comprehensive engineering effort to strengthen the encryption of customer data” in order to protect its customers from prying eyes and increase transparency.

Managing Editor, SecurityWeek.

Previous Columns by Mike Lennon:


SecurityWeek RSS Feed