Yahoo still hasn’t implemented strong digital certificates despite ‘state-sponsored hackers’ stealing the personal information of at least 500 million accounts following a security breach in 2014.
Cybersecurity specialist Venafi conducted research into how well Yahoo reacted to the breach, in particular the cryptographic controls Yahoo still has in place, and said the results were “damning”.
Researchers said Yahoo had still not “taken the action necessary to ensure they are not still exposed and that the hackers do not still have access to their systems and encrypted communications.”
Furthermore Venafi warned that “Yahoo is still using cryptography (MD5) that has been known to be vulnerable for many years now.”
Read More: What next for businesses after Yahoo data breach?
Venafi says that when a breach has taken place, replacing certificates is “critical critical mitigation practice” to ensure hackers do not have ongoing access to encrypted communications.
Furthermore it seems that only 2.5 percent of the 519 certificates deployed have been issued within the last 90 days, so it’s likely that Yahoo! does not have the ability to find and replace digital certificates quickly.
“Unfortunately, this is a very common problem, even in very large organisations with a significant online presence,” said the security firm.
And Venafi also discovered that a surprising number of Yahoo! digital certificates use MD5, a cryptographic hashing function that can be reversed with brute force attacks.
“MD5 also suffers from many serious, well documented vulnerabilities,” said Venafi. “For example Flame, a family of malware used for targeted espionage by nation states, relied on an MD5 vulnerability.”
It also found that 41 percent of the external Yahoo! certificates in the TrustNet data set use SHA-1, a hashing algorithm that is no longer considered secure against well-funded opponents. Indeed, major browsers will stop accepting SHA-1 certificates in January next year.
“In our experience major breaches, such as the one suffered by Yahoo!, are often accompanied by relatively weak cryptographic controls,” said Alex Kaplunov, vice president of engineering for Venafi.
“To confirm this assumption we took an in-depth look at external facing Yahoo! web properties and the details of how these sites are using cryptography,” said Kaplunov. “We found the encryption practices on these properties to be relatively weak. This is not surprising. In our experience most enterprises, even global brands with deep cyber security investments, have weak cryptographic controls.”
“Any one of these cryptographic issues would leave an organisation extremely vulnerable to attacks on encrypted communication and authentication,” said Hari Nair, director of product management and cryptographic researcher for Venafi.
“Collectively, they pose serious questions about whether Yahoo! has the visibility and technology necessary to protect encrypted communications and ensure its customers privacy,” said Nair. Our research has led us to believe that there is usually a high degree of co-relation between weak cryptographic controls and overall cybersecurity posture”
It should be noted that the 2014 data breach of Yahoo was not the first time the firm has been exposed. In 2012 Yahoo admitted it had been hacked, after more than 450,000 Yahoo passwords had been posted online.
Meanwhile the 2014 breach could affect millions of Sky and BT broadband customers. This is because BT had used Yahoo Mail for its email service until 2013. Even worse is Sky, which still uses Yahoo for its email service.
How well do you know network security? Try our quiz and find out!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…