At least half a billion Yahoo accounts have been breached by what investigators believe is a nation-sponsored hacking operation. Attackers probably gained access to a wealth of holders' personal information, including names, e-mail addresses, phone numbers, birth dates, answers to security questions, and cryptographically protected passwords.
"We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our networks in late 2014 by what we believe is a state-sponsored actor," Lord wrote. "The account information may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers."
The Federal Trade Commission (FTC) has released a step-by-step video to users whose personal information may have been exposed in a data breach. This video provides instruction on how to report an incident and develop a personal recovery plan after a data breach has occurred.
A security researcher from the University of Cambridge has found a way to manipulate the iPhone's NAND memory hardware to bypass an important security feature, allowing a brute-force attack against the passcode lock of an iPhone 5C. This is the same lock that stymied the FBI as part of the highly publicized privacy case in which it demanded Apple create a workaround to access the phone of the San Bernardino, Calif., shooter. Apple refused on ethical grounds and a media frenzy ensued. Ultimately, the FBI dropped the legal case against Apple and reportedly paid $1 million to an unknown security company to unlock the phone.
Recently a security researcher wrote a paper and then built a hacking rig to do the same, for about $100. The iPhone 5C security control in question is one that limits the number of attempts to enter an unlocking PIN. After a certain number of attempts, the phone waits for a long period before allowing another attempt. After 10 attempts the device permanently deletes the encryption keys, making all the data on the phone irretrievable. This check is enforced in the firmware and hardware of the device to prevent a brute-force attack, which by design tries all combinations. A four-digit PIN has 10,000 possible combinations, from 0000 to 9999. Trying even a small number of them will result in the phone quickly being locked and ultimately the data rendered unrecoverable.
The researcher created a cloned NAND memory chip under his control to replace the one embedded in the iPhone. It reset the attempt counter after every PIN guess, so the lockout and wipe never triggered. By automating the process, a brute-force attack succeeded. Even with such a rudimentary system, a four-digit code was cracked in about 40 hours. With a more powerful system, a crack could occur much faster.
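To make the design point concrete, here is an added simulation (not code from the researcher's paper or from Apple) of why the failed-attempt counter must live in storage the attacker cannot clone. The model is constructed for illustration: a `PasscodeGuard` that keeps its counter either in the same cloneable "NAND" image as the data, or in a separate store that a snapshot/restore never touches, standing in for a hypothetical tamper-resistant element.

```python
import hashlib
import os

WIPE_AFTER = 10                                   # page's figure: keys destroyed after 10 bad guesses
PIN_SPACE = [f"{i:04d}" for i in range(10000)]    # 0000..9999, the 10,000 combinations


class PasscodeGuard:
    """Constructed model of a passcode check.
    counter_cloneable=True : attempt count lives in the cloneable NAND image (iPhone 5C case).
    counter_cloneable=False: attempt count lives in a store that snapshot/restore cannot reach
    (a hypothetical tamper-resistant element, not a description of Apple's real design)."""

    def __init__(self, pin: str, counter_cloneable: bool):
        salt = os.urandom(16)
        self.nand = {"salt": salt, "fails": 0, "wiped": False,
                     "pin_hash": hashlib.sha256(salt + pin.encode()).digest()}
        self.secure = {"fails": 0, "wiped": False}    # never part of a NAND snapshot
        self.counter_cloneable = counter_cloneable

    def _state(self):
        return self.nand if self.counter_cloneable else self.secure

    def snapshot(self):
        return dict(self.nand)                        # what cloning the chip captures

    def restore(self, snap):
        self.nand = dict(snap)                        # swapping the clean image back in

    def is_wiped(self) -> bool:
        return self._state()["wiped"]

    def try_pin(self, guess: str) -> bool:
        st = self._state()
        if st["wiped"]:
            return False                              # keys are gone; nothing to unlock
        if hashlib.sha256(self.nand["salt"] + guess.encode()).digest() == self.nand["pin_hash"]:
            st["fails"] = 0
            return True
        st["fails"] += 1
        if st["fails"] >= WIPE_AFTER:
            st["wiped"] = True                        # the 10-strike wipe the page describes
        return False


def rollback_search(guard: PasscodeGuard):
    """Try every PIN, restoring the NAND image before each guess, exactly the counter
    reset the page describes. Returns (pin or None, guesses made)."""
    clean = guard.snapshot()
    for n, guess in enumerate(PIN_SPACE, 1):
        guard.restore(clean)
        if guard.try_pin(guess):
            return guess, n
        if guard.is_wiped():
            return None, n                            # counter survived the rollback: device wiped
    return None, len(PIN_SPACE)
```

Against the cloneable-counter guard the search walks the whole space and recovers the PIN; against the non-cloneable counter it is stopped at the tenth guess, which is the property the replaced chip defeated.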
There is no doubt hardware is the final frontier in cybersecurity. Hacking hardware can bypass all software-based controls. On the other hand, leveraging hardware for security makes every attack visible and presents the toughest barriers for attackers to overcome.
In this case a savvy security researcher and very little money proved that the manipulation of hardware is a powerful force in unlocking even the most secure smartphones. It is in the interest of manufacturers, businesses, consumers, and agencies to better understand the nuances of how hardware, firmware, and software security controls work.
Hardware-based security and hacking is the future of cybersecurity. The only question is who will take the high ground first, the attackers or the defenders? Hackers, nation-states, and ethical researchers are exploring exploitable vulnerabilities in both firmware and hardware. At the same time, hardware designers and manufacturers are adding features to make devices more resistant to compromise and to give security software better capabilities. Apple in particular is updating its hardware, firmware, and operating system architectures to be more secure. The race is on!
In August, a dealer in stolen data who goes by the online moniker "Peace"—the person or persons who previously sold data from the accounts of MySpace and LinkedIn users—announced that the results of another "megabreach" were for sale. This time, it's the account information of 200 million Yahoo users. According to a report by Recode's Kara Swisher, Yahoo is preparing to confirm the four-year-old breach, potentially creating problems for the company's planned $4.8 billion acquisition by Verizon.
A previous examination of a sample of the data obtained by Motherboard was inconclusive. There have been a number of other claimed breaches of Yahoo's account data, including a claim of 40 million Yahoo accounts among a total of 272 million alleged stolen credentials reported in May. But that data may just as easily have been stolen from other sources.
According to a spokesperson at LeakedSource, however, a small sample file of legitimate Yahoo user data exists. But it's not clear whether it's representative of the rest of the data "Peace" has, because no one has been able to look at the full dump yet—"Peace" has offered to sell it for 3 Bitcoin (about $1,860).