Ci ‘So What’?

As the fallout from Yahoo’s admission about the loss of half a billion users’ details (as reported on this page last week) continues, an incredibly disturbing story has been published on the pages of the venerable New York Times.

The NYT interviewed a number of past and present Yahooers and established that two years ago, the then CIO – Alex Stamos, a man of great experience and repute (lone yachtsman, gourmet chef, Olympic fencer etc. etc.) – had advised survival specialist Marissa Mayer (Yahoo CEO) to instruct all customers to change their passwords.

Given that he was clearly aware of the scale of the massive breach, shared with the victims and the public only last week, this would seem to be sage advice. It was apparently ignored in favour of vanity projects such as improving the look and feel of the Yahoo experience, and of the obvious concern about reputational damage.

Clearly that decision didn’t work out well. Stamos left (for Facebook) in June 2015, leaving the alarm clock with the dynamite strapped to it behind. The rest, as they say, is history.

Incredibly, Mr Stamos and his presumably crack security team were labelled ‘The Paranoids’ inside Yahoo and their suggestions to adopt end-to-end security (like WhatsApp and surprise, Facebook now do) were dismissed by management.

If taking the recommendations of world leading security professionals in a global public subscription service is perceived as ‘too hard’ and reprioritised, we are probably all in the brown stuff.

The New York Times article is here.

It has been alleged this week (by security researcher Andrew Komarov, talking to the esteemed The Register) that a single Eastern European hacking group may be responsible for the Yahoo, Dropbox, LinkedIn and Tumblr breaches. Going by the name of Group E (mwahahaha), it looks like these five individuals’ paw prints are all over the window ledges of these outfits and more besides. He also asserts that the Yahoo breach might be closer to a billion sets of credentials.

Read The Reg’s piece, complete with a mind map here (then reach for the tranquilisers).

These are crazy times. Alongside these massive breaches we are seeing a monster amount of patches for infrastructure devices as a result of the NSA toolkit exposé.

All hands to the pumps and please take advice from ‘them what know’ seriously. A little bit of paranoia goes a long way.

If you would like to discuss anything security related, please contact us, from anything other than a Yahoo account at: [email protected] or call us on 020 7517 3900.