Spy program could have given hacker access to all Yahoo email, claims ex-employee

Yahoo’s security team frozen out.

Yahoo email program

You may or may not agree with Yahoo agreeing to a US government request to scan every incoming email to search for specific information of interest to the NSA or FBI, and it's failure to put up a fight, but you should surely be concerned that the initiative was apparently undertaken without consulting with Yahoo's own security team.

And, according to a report in The Intercept, the snooping code was implemented in such a way that it could have allowed a hacker to "basically read everyone's Yahoo mail":

Alex Stamos, Yahoo's former information security chief who Reuters reported left the company after finding out about its cooperation with the U.S. government's scanning mandate, is said to have taken particular issue with how poorly the scanning tool was installed. "He was especially offended that he was not looped in on the decision," said the ex-Yahoo source. "The program that was installed for interception was very carelessly implemented, in a way that if someone like an outside hacker got control of it, they could have basically read everyone's Yahoo mail," something the source attributed to "the fact that it was installed without any security review."

...

"Standard protocol on the security team," the ex-Yahoo source explained, "is to open a security issue and assign it to the team responsible for that component, in this case Mail, saying you have to fix this within 24-48 hours," due to its severity. "At that point [Yahoo Mail] would have had to explain to [them] why they didn’t have to fix this, which was because they had installed it." But the source says that after the security team raised an alarm over the email scanning, still thinking it was the work of an outside hacker and not their coworkers, the complaint suddenly went missing from Yahoo’s internal tracker: "I looked for the issue and I couldn't find it," said the Yahoo alum. "I assume it was deleted."

If we're to believe the media reports, Yahoo CEO Marissa Mayer green lit the surveillance without consulting her security team, and - from the sound of things - there was an attempt to keep the company's security experts out of the loop even after they uncovered the suspicious code.

Is it any wonder that Alex Stamos quit?

Like I said, it's high time you closed your Yahoo account.

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

,

5 Responses

  1. Jay

    October 10, 2016 at 1:12 am #

    I have been wondering, that for security reasons, maybe I shouldn't keep past email online. I'm lucky enough that I don't have to care about the NSA, but my mutual fund company and bank and employer send me regular emails that say "Your monthly statement is now ready!" I subscribe to Office 365 so it should be possible for me to just download my old emails vis Outlook and archive them locally, right? Does this make it safer than just leaving them sitting there on a free email service indefinitely?

    • Bob in reply to Jay.

      October 10, 2016 at 9:25 am #

      Yes and no.

      You ask if downloading your emails make it "safer than just leaving them sitting there on a free email service indefinitely" but in another breath you say you subscribe to "Office 365". I assume you're using their free email service instead of one of their paid offerings in which case your subscription is irrelevant here.

      If by safer you mean: if a hacker breaks in they won't be able to get everything then yes, downloading them makes you safer. But a strong password and 2SV will help reduce your risk here.

      If by safer you want to protect your emails from indiscriminate government scanning then downloading them will make no difference. They may already have been scanned and archived separately. Deleting them yourself will do nothing. It would however protect you if law enforcement made a request to Microsoft to see your inbox because there'd be nothing there to see although any future emails received may be the subject of a disclosure order.

      If you think downloading them and maintaining them offline is a good idea bear this in mind. If you don't backup your archive (which may or may not be fairy large) then you risk losing all your emails if your computer is lost, stolen or just crashes. Large PST files can be unreliable.

      If you delete your emails from your online account then searching through your messages on your mobile would become extremely difficult / impossible.

      If you're that concerned about email security then shell out for a paid service!

    • Thomas D Dial in reply to Jay.

      October 11, 2016 at 7:47 pm #

      Yes. Absolutely. If you care at all about the privacy of your email messages, you should be downloading them to a system under your control. You should have been doing that from the day you established the email accounts. Anyone who thinks otherwise is delusional. The one exception is email encrypted at the source using PGP or equivalently secure encryption.

      Storing messages on a server leaves them vulnerable to both authorized and unauthorized access by the service provider's employees and agents as well as external hackers, and also makes them available without your knowledge to respond to government demands.

      You cannot guarantee that downloading and deleting the messages will truly eliminate them, but the probability over time is high, as backups eventually expire. And while your personal system may be more vulnerable to criminal hackers, it is a much smaller target and much less likely to be attacked. Government demands almost always come with a subpoena or warrant, and if you are storing the email they will show it to you, and there will be no question of doing so without your knowledge as often is the case with subpoenas and warrants served on providers.

      The only valid use cases for leaving your with the service providers are your convenience in that it can be accessed from anywhere using a web browser and a wish to share it with others, as David Petraeus did with Paula Broadwell, at considerable cost.

    • Thomas D Dial in reply to Jay.

      October 11, 2016 at 7:47 pm #

      Yes. Absolutely. If you care at all about the privacy of your email messages, you should be downloading them to a system under your control. You should have been doing that from the day you established the email accounts. Anyone who thinks otherwise is delusional. The one exception is email encrypted at the source using PGP or equivalently secure encryption.

      Storing messages on a server leaves them vulnerable to both authorized and unauthorized access by the service provider's employees and agents as well as external hackers, and also makes them available without your knowledge to respond to government demands.

      You cannot guarantee that downloading and deleting the messages will truly eliminate them, but the probability over time is high, as backups eventually expire. And while your personal system may be more vulnerable to criminal hackers, it is a much smaller target and much less likely to be attacked. Government demands almost always come with a subpoena or warrant, and if you are storing the email they will show it to you, and there will be no question of doing so without your knowledge as often is the case with subpoenas and warrants served on providers.

      The only valid use cases for leaving your with the service providers are your convenience in that it can be accessed from anywhere using a web browser and a wish to share it with others, as David Petraeus did with Paula Broadwell, at considerable cost.

  2. Pete

    October 10, 2016 at 10:48 pm #

    Jay: Bob's reply identifies the reason it's difficult to answer your question:

    "Does this make it safer than just leaving them sitting there on a free email service indefinitely?"

    You haven't defined what you mean by "safer". From the standpoint of protecting your data against temporary loss of access or permanent loss of the data itself (always a risk when you let others store your data), then yes, it's always safer to store your data locally, where it's completely under your control.

    If by “safer” you mean securing your data against intrusion by others, archiving it to local storage and erasing it from the server can help prevent against new attacks, but not (as Bob points out) if the server has already been compromised.

    Evidently, you’re not concerned about spying by the state. That attitude is likely to change as constitutional freedoms continue to erode, but I won’t argue the point.

    However, you seem concerned (justifiably) about others having unauthorized access to your data. Well, for things like financial account information, there's not much you can do if the sender is so boneheaded as to include such information in unencrypted mail. In that case, you need to "encourage" them to step into the 21st century.

    But what about your other correspondence, say, between you and your business associates? If you’re not using encryption as a matter of policy, then you’re effectively saying that it’s not worth protecting your mail contents against unauthorized access.

    If you’re already using encryption everywhere you can, then congratulations; you’re part of a tiny minority of people who take privacy and security seriously. If not, you’re part of an overwhelming majority that provides a large part of the fertile ground for the trillion-dollar cybercrime sector.

Leave a Reply