
Secret compliance with FISA directive, massive breach spell trouble for Yahoo

Yahoo on Wednesday refuted a Reuters report, published Tuesday, that said the tech giant, in complying with a FISA directive, had developed custom software capable of mining through email accounts to search for an unspecified string of characters at the behest of either the FBI or the National Security Agency (NSA).

"Misleading," the company said in a statement. But reverberations are still being absorbed following the disclosure and suspicions remain.

"From a privacy perspective, what's really egregious is that this software was indiscriminate in whose email was searched," Fatemeh Khatibloo, principal analyst at Forrester, told SCMagazine.com on Tuesday. "If the reports are accurate, every single piece of mail was scanned by Yahoo for specific 'character strings' – and that means that by virtue of being on some email chain, or sharing something you found online, your Yahoo email could flag you as a 'person of interest,'" she said.

And, Khatibloo added, while Google already scans emails in order to better target advertising, there's a functional difference. "Google encrypts this stuff," she said, and "doesn't make it available to government agencies without warrants." Additionally, Google is "pretty transparent" about these practices, she said.

Meanwhile, in its statement on Wednesday, Yahoo claimed: "We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems."

Regardless, the privacy implications are being debated not only by the tech and legal communities but the public as well, particularly on top of the revelations last week that a massive breach at the tech giant exposed account details of 500 million customers.

But wait, there's more. That figure is now being said to be a low estimate. An unidentified former executive at the company told Business Insider (BI) that the data breach in 2014 may have affected as many as one billion users. The insider, who is said to have knowledge of the company's security practices, told BI that in order to authenticate users, all of Yahoo's services make use of one principal back-end system to house its user database.

With Yahoo in the process of being acquired by Verizon, these developments are sure to affect the sale. Verizon announced its intentions in July to buy Yahoo's internet business for $4.8 billion.

"The hack represented a very different risk to the Verizon acquisition," said Khatibloo. "If they could prove in court that the hack materially changed the value of Yahoo – either because, for example, consumers left in droves or the remediation of the breach would significantly devalue Yahoo's assets – they could potentially get out of the deal."

In fact, the custom software Yahoo developed for searching emails could have made the company more vulnerable to intrusion from hackers. "Given Yahoo's recent track record in failing to secure software and systems they develop when security is involved, it's hard to believe clandestine code would be as or more secure than what they built when they actually involved the security team," Jeff Pollard, principal analyst at Forrester, told SCMagazine.com on Tuesday.

It's a clear omen of corporate synergy, he said. "On one side, you have organizations like Apple and Microsoft that comply when legally compelled to, but also push back and seek more transparency in the process. On the other side, Yahoo and Verizon seek to comply without hesitating."

In a statement issued on Wednesday, Patrick Toomey, a staff attorney with the American Civil Liberties Union, agreed: "Based on this report, the order issued to Yahoo appears to be unprecedented and unconstitutional. The government appears to have compelled Yahoo to conduct precisely the type of general, suspicion-less search that the Fourth Amendment was intended to prohibit."

"It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court. If this surveillance was conducted under Section 702 of the Foreign Intelligence Surveillance Act, this story reinforces the urgent need for Congress to reform the law to prevent dragnet surveillance and require increased transparency."

Other experts too are expressing dismay at Yahoo's security practices now that inside business dealings are being exposed. Alex Stamos, Yahoo's CISO in 2015, is reported to have been left out of the loop when the firm's CEO, Marissa Mayer, complied with the intelligence agency's directive to spy on user emails. Stamos and his security team only discovered the intrusive code during routine tests of the system's vulnerabilities. Upon discovering the spy software, they initially believed it to be the work of hackers. Stamos departed soon after for a similar post at Facebook.

His predecessor, Justin Somaini, left the firm a year earlier after it was disclosed that he too had been left out of a security decision. In that instance, it's been reported that a member of his staff disclosed that the firm's legal department ordered the security team to not reveal their investigation of a hack to Somaini.

Pollard said it's a platitude to say that security needs the sponsorship of the business to be successful. "Yahoo appears to be the candidate for a case study in what happens when senior leadership decides not simply to ignore, but deliberately circumvent talented security teams."

But the backdoor is another matter. "It's hard for me to see a legitimate argument on Verizon's behalf," Khatibloo said. "Besides, my colleague [Pollard] makes an excellent point that Verizon's own data privacy practices have not been completely above board – the supercookie controversy from two years ago is proof of that." [Supercookies were tracking cookies that Verizon used to log customers' visits to unencrypted websites.]

"If privacy has been on life support in this country, this case officially pulls the plug," Adam Levin, chairman and founder of IDT911, told SCMagazine.com on Wednesday. "With the hack of Yahoo exposing 500 million user emails and personal information and the company being criticized for not addressing the issue for two years, along with this case, it begs the question who is leading the charge when it comes to consumer privacy and security?"

Levin, author of a book on identity theft called Swiped, added that if we can't rely on tech giants to shore up cyber defenses and advocate for privacy rights, then we are in serious danger. "Cybersecurity and the protection of consumer privacy must be a front burner issue," he said. "This puts a major black eye on the Yahoo brand because now this is no longer about curtailing the government's invisible hand. This shines a light on the fact that private companies like Yahoo are now stirring the pot with that hand and willingly trampling on the privacy rights of the consumers they are supposed to protect."

Khatibloo added that she is anxiously awaiting comment from the other "internet giants" and email providers to go on record as to their responses to what was surely a widespread request by the FBI. She agrees that there's little chance that Yahoo was the only email provider that was asked to create this software. "The question now is, how many others complied?"

Well, several of the giant tech companies have weighed in subsequent to the Yahoo news. Facebook, for one, said it would not comply. A spokesperson from the social media giant told SCMagazine.com on Tuesday that it has never received a request like the one described in these news reports, from any government. "If we did, we would fight it," the spokesperson said.

Google too has stated it would not comply. "We've never received such a request, but if we did, our response would be simple: 'no way'," a spokesperson from Google told Fortune.

An Apple spokesperson told The Intercept: "We have never received a request of this type, and if we were to receive one, we would oppose it in court."

And Microsoft, whose Hotmail email program boasts millions of accounts, has also denied participating in scanning programs. "We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo," said the company in a statement sent to Fortune.

Despite all the negative media attention, Yahoo's stock was up more than one percent as of 4 p.m. EST Wednesday. The company's stock has grown 29 percent this year.
