The Basic Facts
Yahoo announced that it had a data breach in late 2014 and 500 million users’ account information was stolen. The account information may include names, email addresses, telephone numbers, date of birth, passwords (most encrypted with bcrypt, but apparently not all), security questions, and security question answers.
People who have Yahoo-based services should immediately change their passwords, change their security questions and answers, not use the same password on multiple accounts, and implement dual factor authentication where available.
The Message in the Message
In its notification message, Yahoo subtly invokes the “it’s not our fault, we were the victim of a state-sponsored actor attacking us” defense. I do not blame Yahoo, it works. It uses the words “state-sponsored actor” twice in the first paragraph and twice in the fourth paragraph:
- “A recent investigation by Yahoo! Inc. (NASDAQ:YHOO) has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor.”
- “Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network.”
The words then appeared twice in the fourth paragraph, the last substantive paragraph of its notification:
- “Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry.”
- “Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account.”
Notice that Yahoo does not affirmatively state that it was a state-sponsored actor, only that it believes that it was.
Also, notice the organization of how this information was placed in the message.This classic persuasion technique is a favorite among lawyers and is called primacy and recency, described in one of my old trial advocacy books as follows:
The principles of primacy and recency may be applied to almost everything that a lawyer does in the course of a trial. In jury selection, opening statement, witness examination, final argument, even in making and responding to objections, the axiom holds true that people tend most to remember the things that they hear first and last. Thus, as a general rule, the most important points should come at the beginning and end of every presentation.” Steven Lubet, Modern Trial Advocacy p. 16 (3rd Ed. 2004).
Several news outlets are now reporting that the “state-sponsored actor” works for the Russian intelligence agencies. A Fortune article states, “Three U.S. intelligence officials, who declined to be identified by name, said they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction.”
“State-sponsored” has become almost like a magical talisman in cybersecurity circles and when its magical powers are invoked, the criticism of the victim company is usually less than otherwise. Obviously, Yahoo wants people to think this was a state-sponsored “act of war” type of attack because from that we infer that no company could have been expected to have defended itself. And, given the recent media narrative blaming “the Russians” for hacking their way into the American political process, how could anyone pass up the opportunity to further blame the Russians for their supposed hacking.
Was it Really the Russians? If So, Why?
Since last summer when it became so en vogue to blame the Russians for so many of our cybersecurity woes, I have tried researching the situations where the “it’s the Russians” play is used to see what facts those assumptions are usually based upon. The most common one I find is that it is tied to IP addresses known to be used by groups working as proxies for Russian intelligence agencies. I find this odd, for several reasons.
First, it reminds me of the Forged Fingerprint scene out of the Bourne Supremacy:
In the movie, Jason Bourne is the most intelligent, highly trained, skillful, badass covert operator on the planet — someone who knows how to leave a fingerprint and how not to leave a fingerprint — yet, based on “his fingerprint” being at the scene, the intelligence world jumps to the conclusion that it was him.
Let’s think about this for a moment, in the context of the Russians. Let me be clear, I have no idea if it was the Russians or not. But, is a digital fingerprint — an IP address — really what we seem to be going off of on these claims?
First, nearly everybody in the cybersecurity universe knows that someone with even moderate skills can spoof an IP address and hide their identity or make it look like somebody else was doing it. Here is a Wikipedia page on IP address spoofing.
Second, most would agree that the hackers for Russia’s intelligence agencies are near the top in terms of skills and abilities — close to the level of our American intelligence agencies’ hackers — the best in the world. Do they not understand that (a) they could spoof their IP addresses and (b) they are leaving such digital tracks behind? Seriously, if this is all that we have to go on, would not it be more reasonable to believe that it is anybody but the Russians that the IP addresses point to?
Third, and perhaps most importantly, why would the Russians care about hacking into Yahoo and stealing its account users’ information? Are the Russians now subsidizing their economy by selling stolen Yahoo users’ account information on the dark web?
Indeed, is this even about obtaining the value of the users’ account and identity information? Or, is this about causing harm to Yahoo? I have written several posts recently about the evolution of hacking for extortion and embarrassment in the context of the Sony breach and how that has transitioned into the shame hacking we saw in the Ashley Madison and Brazzers breaches.
Do you think the attack on Yahoo has more to do with obtaining its users’ data or with potentially impacting its value in the marketplace — especially now that Yahoo is in negotiations to sell itself to Verizon for $4.8 billion, which Verizon just learned of 2 days ago?
For a breach that occurred in late 2014, the timing of the hackers’ letting this information slip sure is an interesting coincidence …
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.