Verizon just raised a big warning flag for Yahoo
washingtonpost.com

While I suspect some of this is posturing for a better price, I'm certain from some past experience that Verizon is very serious about security.
A lot of large enterprises take an approach my colleagues have referred to as 'rubber stamp security', which checks boxes in a compliance report while remaining largely ineffective. For example, these companies buy tools and install them, but then never configure them properly.
From what I've seen of Verizon, they are more serious about security: beyond requiring an effective toolset, they take the approach of hiring new people who already know the tools well, or giving effective training to their existing and competent people as part of the onboarding process. This sounds like a no-brainer, but a lot of companies either don't do this or do it very poorly.
Beyond any kind of material impact of the breach on Yahoo's business, it would require a _lot_ of work from their security teams to absorb Yahoo in a way that raises them to Verizon's standards. An acquisition of this size is rarely very easy, but having to completely overhaul the acquired company's entire security posture just adds to this effort. Verizon's security team has to consider Yahoo's infrastructure with very little trust at this point. I wouldn't much care for the prospect of having a flaming bag of poo deposited on my porch, either.
Given that not too long ago they were publicly shamed for implementing an invasive tracking system that completely undermines their customers' privacy, [1] you'll have to do a little better than "some past experience" and "from what I've seen" if you want your assertion that "Verizon is very serious about security" to be taken seriously.
[1] https://www.wired.com/2014/10/verizons-perma-cookie/amp/
One has nothing to do with the other
You can be VERY good at systems security while simultaneously wanting to violate your customers' privacy....
Well ironically, in this case, Verizon's problem with Yahoo is allegedly about customers' privacy.
Well, it is just anecdotal. Feel free to withhold judgement, it is just an anonymous internet comment instead of a detailed report from a thorough study. I'm certainly not giving you my CV. However, I was referring to what I saw of their stance towards their own security, rather than toward the privacy of their customers.
Still, I think the point that there's more for Verizon to worry about from Yahoo than the direct impact of the exposed customer data is a valid one. Failure to discover (if we believe them), or at least a failure to disclose, a breach for close to two years, does not speak well for them. Maybe this breach was only possible during some temporary time period two years ago, but it's also possible that whatever allowed the breach was open for a long time, allowing further opportunity to exploit other services on their network. The claim that it was possibly a 'state actor' either means they don't know and are covering their incompetence, or it was a fairly advanced threat that could potentially still be in place or even have expanded its footprint since 2014.
Just don't rely on Verizon for your own 2FA security, partly because the phone system is too easy to redirect and spoof in various ways, and partly because Verizon is too easy to social-engineer.
https://medium.com/the-coinbase-blog/on-phone-numbers-and-id...
This... is certainly not my experience. However, they're a large organisation, so they're most likely schizophrenic.
It's certainly not a lot of people's experience. YouTuber boogie2988 (3.5m subscribers) had his accounts hacked and his channel deleted (his primary source of income) via a Verizon social engineering hack. The hack via Verizon gained the hackers access to his Twitter, YouTube/Google accounts, even his PayPal account.
Verizon may be quite serious about protecting Verizon and its infrastructure, while still indifferent to retail subscriber account takeovers.
Here are more details about that [1]. I'm still surprised how they could have gained access to his YouTube and Twitter just by using his phone number.
[1] https://www.reddit.com/r/boogie2988/comments/4psg4x/i_was_ha...
If you know someone's Gmail account used for YouTube and have access to their cell phone to receive text message verifications for account resets, you have full access.
Being able to verify a code sent to the mobile phone registered with the account is used as proof of identity for account recovery by basically everything online except banking.
OK. But in boogie2988's case, did the hacker get access to his actual cell phone or just his cell number? That's not clear.
A social engineer goes to the Verizon store and tells customer service that they have lost their cellphone. Customer service deactivates the owner's phone and gives the social engineer a brand new phone that's connected to the owner's account.
Weird! Don't the Verizon guys do an ID verification that the person requesting the new phone is really who they claim to be?
They apparently didn't in boogie's case.
That's fair, I definitely don't have a global insight. Security teams are usually segmented in some way, rather than monolithic, with varying levels of competency among different teams.
They do periodically put out some interesting reading. If you want to look at it, their annual Data Breach Investigations Reports are worth checking out:
http://www.verizonenterprise.com/verizon-insights-lab/dbir/
(prior year reports don't require registration and are still fairly applicable)
I once had Verizon admit they'd oversold their capabilities for Incident Response and security consulting and were in dire need of support. Of course they wanted bottom-of-the-barrel rates at $140 an hour... seriously. Naturally we turned away from the opportunity, as it wouldn't be profitable. I'm not convinced Verizon is any more secure than Sony after that call....
Yahoo's operating income since Mayer took her seat:

2012: 802.5M
2013: 579.4M
2014: 218.7M
2015: -127.5M
Wait till the 2016 numbers come in.
Revenue flat at $5 billion.
Ouch, that's painful to look at.
Now, those numbers do not explain everything.
Consider Uber's revenue and operating income... the numbers are horrible, but the overall outlook is obviously different.
Uber's revenue:

2013: 160m
2014: 440m
2015: 1.5 billion
Yahoo's revenue:

2012 - 2015: 5 billion flat, with a dip in the middle.
Uber experienced explosive growth in user base... can't say the same about Yahoo.
Apples-to-oranges comparison.
So... Uber's revenue is still less than Yahoo's, right?
Explosive growth? If you are losing money, like Uber is, that means exploding loss. Is that good?
How about operating income? They both seem to be bleeding money.
Found the Yahoo shareholder.
From a thread about the data breach:
> Investors are conflicted: on the one hand, Yahoo had a data breach that will cost them trust, but on the other hand, investors are surprised to hear there are still 500 million Yahoo users.
One wonders how many of those users would flee if mail forwarding were restored.
> but on the other hand, investors are surprised to hear there are still 500 million Yahoo users.
Not the onion.
The delay informing Verizon is also a big deal: they are surely wondering what else they haven't been told.
But Silliman made clear on Thursday that the “state-sponsored” nature of the breach would have no bearing on the analysis of materiality.
“From a legal perspective,” he said, “the question . . . ‘is it a state-sponsored attack?’ isn't really relevant in terms of what we're looking at. The question is whether this [had] a material or an adverse effect on the asset we are buying.”
One can see why he didn't want to call "bullshit" publicly, and the news media is required to be dumb, but does anyone with a clue really believe these oh-so-convenient "state actor" attributions? We're supposed to imagine that Russia: 1) wanted what Yahoo had, and 2) wanted to get caught at it. What's the motivation? Did Marissa cut in front of some favored oligarch at the ski lift in Davos or something?
It really doesn't matter what Verizon believes about who did the breach. Say you want to buy my car, but then it gets destroyed, and I say Superman did it. Whether you believe me or not, it doesn't matter, you still won't buy a destroyed car.
This is somewhat different from the Yahoo users' perspective: in their case, as well, the point is not whether the breach was state-sponsored. The point is: did it take weapons of mass destruction and hundreds of spies coordinated for months, or did it take five minutes and a hairpin?
Come on...
WikiLeaks drops shit on Clinton, blame Russia.
Mayer does a terrible job, blame Russia.
Who wants to bet that next we'll hear Elizabeth Holmes blaming Russia for her silly Edison machines not working properly?
What media conglomerate did China pay off? They used to get blamed for all the magical, unavoidable super-hacking... well, them and North Korea both.
After a certain point you can't blame people for robbing you if you keep leaving the door unlocked.
It's a big warning flag for everybody: pay attention to security (broadly), or there could be no exit at the end of the road for your startup.
Any way to bypass the free article limit on Washington Post?
Try 'Reader View' on Firefox.
Open it in incognito mode.