Yahoo breach highlights cookie security issues
Last year Yahoo reported several data breaches occurring between 2013 and 2016 which affected a large number of user accounts. Personal information stolen could have included email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers.
Following forensic investigations Yahoo has revealed that fake cookies were a probable method used by attackers to access user accounts without a password. According to Yahoo, the attacker was able to create fake cookies by accessing the company's proprietary source code.
In response Yahoo invalidated unencrypted security questions and advised affected users to change their passwords. The company also recommended that users adopt its authentication tool instead as it eliminates the need for a password on Yahoo accounts. It is unclear how the fake cookies managed to evade website security but this advice indicates authorisation and authentication issues.
A cookie is a small file that a website puts on a user's computer to store information, potentially ranging from website links visited to personally identifiable information. Cookies can also be used to store passwords and other login details. They have many functional advantages but if they are not managed correctly with appropriate security measures, attackers may be able to exploit them.
Data leak reveals spam techniques
Security researcher Chris Vickery has reported that almost 1.4 billion user records from River City Media (RCM) were exposed after being backed up online without password protection. The data has since been taken offline, but it is unknown whether other actors have accessed it.
US-based RCM describes itself as an email marketing firm, but is listed in the top 10 of the Spamhaus Register of Known Spam Operations. As a result of the leak, RCM's infrastructure has been blacklisted by anti-spam organisations.
The leak also revealed techniques used to force legitimate mail servers to deliver up to a billion emails daily. The sender's computer sends deliberately slow and incomplete requests to the mail server, keeping existing connections open, while opening as many new connections as possible. Once the sender is ready, they resume normal speed requests and use the open connections to send a flood of emails before they can be blocked. This is very similar to a Denial of Service (DoS) attack known as Slowloris, which uses large numbers of slow connections to consume server resources and prevent other users from gaining access.
Upstream services attacked to target end users card credentials
A reported security breach at the US retail platform provider Aptos has led to malware infecting machines that the company uses to host online retail services. Forty e-commerce stores using Aptos services are said to be affected by the incident, which allowed malicious actors in some cases to access customer names, phone numbers, addresses, email addresses as well as payment card numbers and expiration dates. The malware is reported to have been present on Aptos systems for up to ten months during 2016. The company is working with US authorities to investigate the breach.
This incident illustrates the risk of upstream service and software providers being compromised to reach a broader victim base. A single attack on an upstream provider can deliver a much higher return on investment, compared to attacking each retailer separately. The success of such attacks is likely to encourage cyber criminals to target more upstream service providers.
It also highlights that while services can be outsourced, responsibility for customer data ultimately lies with those who collect it. Businesses need to demand high cyber security standards from third party organisations with access to their customer data, including software and service suppliers. Read how the NCSC is interacting with the retail sector in an increasingly digitalised environment.