Yahoo Hackers Plundered Data on 500 Million.

SAN FRANCISCO — Yahoo announced on Thursday that the account information of at least 500 million users was stolen by hackers two years ago, in the biggest known intrusion of one company’s computer network.

In a statement, Yahoo said user information — including names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions — was compromised in 2014 by what it believed was a “state-sponsored actor.”

While Yahoo did not name the country involved, how the company discovered the hack nearly two years after the fact offered a glimpse at the complicated and mysterious world of the underground web.

The hack of Yahoo, still one of the internet’s busiest sites with one billion monthly users, also has far-reaching implications for both consumers and one of America’s largest companies, Verizon Communications, which is in the process of acquiring Yahoo for $4.8 billion. Yahoo Mail is one of the oldest free email services, and many users have built their digital identities around it, from their bank accounts to photo albums and even medical information.

Changing Yahoo passwords will be just the start for many users. They’ll also have to comb through other services to make sure passwords used on those sites aren’t too similar to what they were using on Yahoo. And if they weren’t doing so already, they’ll have to treat everything they receive online with an abundance of suspicion, in case hackers are trying to trick them out of even more information.

The company said as much in an email to users that warned it was invalidating existing security questions and answers (things like your mother’s maiden name or the name of the street you grew up on) and asked users to change their passwords. Yahoo also said it was working with law enforcement on the investigation and encouraged people to review the security of their other online accounts and monitor them for suspicious activity as well.

“The stolen Yahoo data is critical because it not only leads to a single system but to users’ connections to their banks, social media profiles, other financial services and users’ friends and family,” said Alex Holden, the founder of Hold Security, which has been tracking the flow of stolen Yahoo credentials on the underground web. “This is one of the biggest breaches of people’s privacy and very far-reaching.”

The Yahoo hack also adds another miscue to what has been a troubled sale of a long-troubled company. In July, Verizon said it would acquire the internet pioneer, roughly a month before Yahoo security experts started looking into whether the site had been hacked. It is unclear what effect, if any, the breach will have on Yahoo’s sale price.

In a statement on Thursday, a Verizon spokesman, Bob Varettoni, said his company learned of the breach of Yahoo’s systems only two days ago and had “limited information and understanding of the impact.”

It is unclear whether security testing, such as a penetration test in which hired security experts attempt to break into the Yahoo network, was performed as part of Verizon’s due diligence before it agreed to the acquisition.

But such security is often overlooked by investors, even though breaches can result in stolen intellectual property, compromised user accounts and class-action lawsuits. To date, no law requires such security checks as part of due diligence.

“Cybersecurity can absolutely affect a valuation, and these are important questions that investors need to be asking,” said Jacob Olcott, vice president of BitSight Technologies, a security company.

Yahoo said it learned of the data breach this summer after hackers posted to underground forums and online marketplaces what they claimed was stolen Yahoo data. A Yahoo security team was unable to verify those claims. But what they eventually found was worse: a breach by what they believe was a state-sponsored actor that dated back to 2014.

A potential breach of Yahoo’s systems was first reported by the tech news site Recode early Thursday morning.

The first sign that something was amiss appeared in June, when a Russian hacker who goes by the user name Tessa88 started mentioning, in underground web forums, a new trove of stolen Yahoo data, Mr. Holden said. In July, Tessa88 supplied a sample of the stolen collection to people in the so-called underground web for authentication.

Backup generators and buildings housing computer servers at a Yahoo facility in Lockport, N.Y. Credit Andrew Harrer/Bloomberg

The sample contained valid Yahoo user accounts, but it was unclear whether the data was from a breach of a third-party service or Yahoo itself. And it was not clear whether it came from a recent Yahoo breach or a previous incident in 2012, when the internet service acknowledged that more than 450,000 user accounts were compromised.

Then, in August, a second hacker who goes by the alias Peace of Mind began offering a large collection of stolen Yahoo credentials — including user names, easily cracked passwords, birth dates, ZIP codes and email addresses — on a site called TheRealDeal, where hackers can buy and sell stolen data, Mr. Holden said.

TheRealDeal uses Tor, the anonymity software, and Bitcoin, the digital currency, to hide the identities of buyers, sellers and administrators who are trading attack methods and stolen data.

After looking into that data, Yahoo did not find evidence that the stolen credentials came from its own systems. But it did find evidence of a far more serious breach of its systems two years earlier.

Two years is an unusually long time to identify a hacking incident. According to the Ponemon Institute, which tracks data breaches, the average time it takes organizations to identify such an attack is 191 days, and the average time to contain a breach is 58 days after discovery.

Security experts say the breach could bring about class-action lawsuits, in addition to other costs. An annual report by the Ponemon Institute in July put the cost of remediating a data breach at $221 per stolen record. Multiplied across 500 million records, that would top Yahoo’s $4.8 billion sale price.

Thursday afternoon, Senator Mark R. Warner, a Democrat from Virginia and former technology executive, issued a statement that said the “seriousness of this breach at Yahoo is huge.”

He weighed in with a call for a federal “breach notification standard” to replace data notification laws that vary by state. Senator Warner added that he was “most troubled” that the public was only learning of the incident two years after it happened.

800,000 Users Exposed in Brazzers vBulletin Vulnerability

Nearly 800,000 users’ information has been exposed through a vBulletin vulnerability in the forum of the porn site Brazzers. The data appears to have been taken from the Brazzers forum rather than the main site; however, many users used the same login details for both, leaving hundreds of thousands of people exposed.

The leaked data is said to have included email addresses, usernames and passwords stored in plaintext. Most websites store passwords only as hashes precisely so that a leaked database does not yield usable credentials; a salted, deliberately slow hash such as bcrypt, scrypt or PBKDF2 is the standard. Because these passwords were in the clear, any user who reused the same email address and password on other sites is exposed to credential-stuffing attacks elsewhere.
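The difference between the two storage schemes described above, shown as an added example that is not code from Brazzers, vBulletin or the original article. The account rows and the "other site" store are constructed for the demonstration; the function names are assumptions. PBKDF2 is used because it is in the Python standard library (bcrypt, scrypt or Argon2 would be the usual production choice), and the stuffing function replays whatever sits in the leaked password column, so it succeeds only when that column held the real password.

```python
import hashlib
import hmac
import os

# Constructed sample rows in the shape the leak is described as having
# (fictitious accounts, not data from the Brazzers forum or any real dump).
LEAKED_PLAINTEXT_ROWS = [
    ("alice@example.com", "alice", "hunter2"),
    ("bob@example.com", "bob", "hunter2"),
    ("carol@example.com", "carol", "correct horse battery staple"),
]

# OWASP's 2023 floor for PBKDF2-HMAC-SHA256. bcrypt/scrypt/Argon2 are the
# usual production choices; PBKDF2 is used here because it is in the stdlib.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(rows):
    """The weak scheme: the password column is directly usable by whoever obtains the table."""
    return {email: {"user": user, "password": pw} for email, user, pw in rows}


def hash_password(password, *, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, deliberately slow hash. Returns a self-describing record so the
    parameters can be raised later without breaking existing accounts."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record (e.g. a legacy plaintext value)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def store_hashed(rows):
    """The hardened scheme: only salted hashes ever reach the database."""
    return {email: {"user": user, "password": hash_password(pw)} for email, user, pw in rows}


def reuse_visible(table):
    """Can someone holding the table tell which accounts share a password?
    Plaintext (and unsalted hashes) expose this; per-user salts hide it."""
    values = [row["password"] for row in table.values()]
    return len(values) != len(set(values))


def stuff_credentials(leaked_table, other_site):
    """Credential stuffing: replay each leaked (email, password-column) pair
    against another site's salted-hash store. Succeeds only when the leaked
    column holds the password itself and the user reused it there."""
    hits = []
    for email, row in leaked_table.items():
        record = other_site.get(email)
        if record is not None and verify_password(row["password"], record):
            hits.append(email)
    return hits


if __name__ == "__main__":
    plain = store_plaintext(LEAKED_PLAINTEXT_ROWS)
    hashed = store_hashed(LEAKED_PLAINTEXT_ROWS)
    # A second site where alice reused her forum password (constructed).
    other_site = {"alice@example.com": hash_password("hunter2")}
    print("reuse visible in plaintext dump:", reuse_visible(plain))   # True
    print("reuse visible in hashed dump:   ", reuse_visible(hashed))  # False
    print("stuffing hits from plaintext:   ", stuff_credentials(plain, other_site))   # ['alice@example.com']
    print("stuffing hits from hashed:      ", stuff_credentials(hashed, other_site))  # []
```

Two things the plaintext table gives away that the salted table does not: which users share a password (alice and bob collide only in the plaintext form), and the password itself, which is what makes the replay against the second site work.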

“Problem with a hack like that is it’s a forum. Worse than just adult website (credentials), this is what people were talking / fantasizing about.”

Troy Hunt said on Twitter, highlighting the fact that users’ specific sexual fetishes and fantasies could now be leaked into the open.

The leak, which actually happened in 2013 but has only just been discovered, was reportedly due to a vulnerability in the forum’s vBulletin software. Brazzers has confirmed that vBulletin was the source of the breach and says it is taking “corrective measures” to protect its users and their information from cyber criminals.

Obama: Internet Cannot Be like Wild, Wild West

President Barack Obama called for a series of international agreements to regulate activity on the Internet, citing his preference not to start an arms race in cyberspace.

“What we cannot do is have a situation where this becomes the wild, wild West, where countries that have significant cyber capacity start engaging in unhealthy competition or conflict through these means,”

President Obama said during a press conference in China on Monday after the G-20 Summit, referring to countries using the Internet however they wished, including to hack into other countries’ data. He added that nations have enough to worry about from non-state attackers without nation-states hacking one another. Obama claimed, however, that America was winning the Internet battle, despite repeated hacks into data controlled by the U.S.

“Frankly, we’ve got more capacity than anybody, both offensively and defensively,”

He bragged, referring to a growing escalation of cyber-capabilities from other governments.

He added that he wanted to avoid an arms race in cyberspace, but rather institute international norms “so that everybody’s acting responsibly.”

Russia’s suspected involvement in recent cyber threats and security incidents was a key topic. Though Obama didn’t identify specific instances, he said:

“we have had problems with cyber intrusions from Russia in the past”

and that the goal is not to repeat the “cycle of escalation” seen in past arms races. In cyberspace, that cycle means state actors stockpiling vulnerabilities and expanding their capabilities to attack one another, a contest often described as cyber war. Journalists questioned the President about recent reports that Russian hackers had broken into voter data; he declined to discuss the reports in detail, citing an ongoing investigation.

Threats to Internet Freedom

There are many threats to Internet freedom in the digital society. They include massive surveillance, censorship, digital handcuffs, non-free software that controls users, and the War on Sharing. Other threats come from use of web services. Finally, we have no positive right to do anything in the Internet; every activity is precarious, and can continue only as long as companies are willing to cooperate with it.

Friday, 5 February 2016 Bern, Switzerland: Richard Stallman

Facebook, Instagram and WhatsApp are surveillance engines using face recognition, and they can recognize people by the back of their heads.

Flash requires a proprietary player that is malware, and you shouldn’t install it. By the way, that’s not just an exaggeration. It’s not an insult. It’s a factual statement. I’ll tell you more later.

You should always complain to any website that has Flash.

Including non-free JavaScript code sent in the page itself is unacceptable for redistribution of this article. This is a Creative Commons license and it represents a point of view.

I think that participation in a digital society can be good or bad; depending on whether that society is just or unjust.  If digital society becomes unremittingly unjust and we can’t fight that then our goal should be digital extraction from that digital society. And we’re getting pretty close to that point.

So, I’m going to talk about various threats to our freedom in the digital society, starting with software that the users do not control. In other words, software that is not free. By free software, I mean Libre, not Gratuit. It’s frais, not costamos.

Whether you pay for a program, we’re not concerned either way. What concerns us is not how you get the copy, but what you get when you get the copy. Does it respect your freedom, or does it attack your freedom?

You might think your computer obeys you, when really it obeys someone else first.

With a program there are two possibilities: either the users control the program or the program controls the users.

What is freedom? It’s having control over your own life. Having freedom of the activities in your life.

So the programs that respect users freedom are generally those that are under the user’s control.

Freedom 0 is to run the program as you wish.

Having access to the source code is essential.

Freedom 1 requires access to the source code.

These two freedoms give us separate control over the program.

Freedom 1 is essential, but insufficient on its own. We need collective control, which means you are free to work with others to affect the program. Non-programmers can participate in a group deciding which changes to make. The people who work together are those who are free to work together. They are also free to run the program separately or join some other group.

Freedom 2 is the freedom to copy and redistribute the program to others. They can even publish them and offer them to the general public. Freedom 2 includes giving and selling copies. It involves non-commercial and commercial redistribution.  Any attempt at stopping people from sharing copies is an attack on society that we must not tolerate.

If one of these freedoms is missing or incomplete, then we don’t control the program.

Proprietary software is a scheme to subjugate people. Proprietary software, non-free software, is an injustice. It’s worse. Now, it’s much worse.

Malicious Functionalities

Non-free software is commonly malware, because it’s designed to do malicious things to the user.

For instance, they spy on the user.

We know of spy facilities in Windows, in Mac OS, in iThings, in Flash Player and in nearly all portable phones.

Then there’s the functionality of stopping users from doing things.

DRM

This is known as digital restrictions management, or DRM.  It’s the malicious functionality of stopping users from doing what they want to do. It can only be done with proprietary software. In Free software, users would be free to add the feature. The contents of a Blu-ray disc are encrypted in a secret way and we don’t have Free software to even read them at all. The result is that every Blu-ray disc is an enemy of your freedom.

We know of these digital restrictions management features in Windows, in Mac OS, in iOS, in Adobe Flash and in the Amazon Swindle.

There are backdoors that allow commands to attack the user without asking the user for permission. For example, the (Kindle) has a backdoor for deleting books. We know about this by observation.  Amazon deleted thousands of copies of 1984 by George Orwell.

There was a lot of criticism so Amazon promised to never do this again unless ordered by the State. Amazon never intended to keep its promise.  Amazon was once again found to be arbitrarily erasing books without demand from the State. Thus they recognized that these devices were jails for their users.

Jailbreaking

Microsoft did the same thing with Windows Phone devices. Then there’s sabotage. There’s been one in Windows since Windows XP. Microsoft did not admit it, but people proved that it was there. In Windows 10, there is still a universal backdoor, but now Microsoft says so openly. Universal backdoors are known also in the Amazon (Kindle) and nearly all portable phones. Android has something a little like a backdoor.  Google could make an app especially for you and force install it. And there’s another kind of sabotage: Microsoft first shows its security bugs to the NSA, before they patch them.

Do you think the Swiss government should run Windows?

We know Microsoft does this. We don’t know if other companies do this. I’ve demonstrated that people who use proprietary software are in general already being dragged behind the bus.

We have dozens more examples of them at gnu.org/proprietary/.

It’s very important not to praise non-free distros.

Javascript

Once you’ve installed a free distro, there’s still a chance that you’ll end up running non-free software as you browse the web. Many web pages contain programs. They can be free or non-free, and some of them are free, but most of them are non-free. These programs are written in the JavaScript language. So, we can refer to them by talking about JavaScript programs, but really the point is that they come into your machine in a web page and your browser installs them and runs them and doesn’t even tell you. So, to protect ourselves we’ve developed LibreJS. It’s an add-on for Firefox that checks every JavaScript program to see if it’s either trivial or free.  In those cases, it is permitted to run. If not, it warns you.

It does one other useful thing. If you’ve ever tried to complain to webmasters, it’s hard to find where to contact them.

Service as a Software Substitute

Always find journalists’ sources and imprison them. Surveillance vs. Democracy: you’ll find ways to reduce surveillance.

Another threat to our freedom is censorship.

We thought 20 years ago that the Internet would destroy censorship. Any government that is willing to tolerate a certain amount of resentment and to spend some money can censor the Internet. Finland imposed Internet censorship in 2006. Somebody decided to study the actual practices of censorship in Finland. It proves the point. There is almost no government you can trust not to try to censor the Internet. Switzerland is now faced with the threat.

You know that Facebook collects a lot of data from its useds.  Facebook doesn’t have users, it has useds. If you see a Like button, Facebook knows that your computer has visited that page.

It’s getting data about you, even if you’ve never used the Facebook service itself.

Icecat is a variant of Firefox.

They also ask for a lot of data. It’s still collecting people’s data, and it’s still dangerous. We need to be able to say no. I don’t use those kind of disservices. In addition, there are services that offer to hold your data for you. Unless you’re very careful, that is surveillance of you.

Fortunately, there is no piracy in Switzerland. I reject their propaganda. They began perverting our technology. Hackers found ways to break their handcuffs. They developed new methods that became more difficult to break.

DMCA

The Digital Millennium Copyright Act makes it a crime to distribute anything that breaks DRM unless it has another valid commercially important use.

Only commercial importance is considered valid. This demonstrates that in selling out to that law that they sold out to business, but people found ways to break DRM until it got harder.

Streaming makes it incredibly hard. The problem is they probably have 10 more variants ready to release at a moment’s notice. If they find out the DRM has been broken into they can simply release a new version, which means that it’s basically hopeless to break their handcuffs that way, but they didn’t stop with that.

People started sharing works P2P online. Proposals were made to attack people for sharing. In some countries, they have abolished the basic principle of justice: no punishment without a fair trial. For instance, the U.K., New Zealand, Australia, Panama, and the US tried to impose it on Colombia, but the Supreme Court objected to the laws that were adopted, so they’re still trying to do it.

In the US, it would be unconstitutional to punish people without at least a pretense of a fair trial. So Obama arranged a voluntary agreement between the major US ISPs and the publishers where the ISPs agreed to punish their own customers and eventually help the publishers sue their customers. Suing their customers is something that they’ve done anyway. And they’ve sued thousands of teenagers for hundreds of thousands of dollars each, which is a very nasty thing to do. In Japan, to download something from the Internet is a two-year prison sentence. Of course, they will only do this when a really important publisher demands it. In their war on sharing, they will go to whatever lengths they find necessary to maintain their dominion over people. Because they are such irreconcilable enemies of our freedom, I never use anything with DRM unless I have what is necessary to break the DRM. If you have the free software to decrypt the video on a DVD, then by all means use the DVDs.

So, it’s no coincidence that they keep using ever nastier methods.

The only way to stop people from sharing is with cruel, draconian measures. We have to put an end to this entirely. We must end the war on sharing, by legalizing sharing. Everyone has the right to share copies. Sharing means non-commercial redistribution of exact copies.

The government of Switzerland is planning to surrender to the aristocrats’ army this time. They are coming to conquer you again. Not literally with an army. To impose cruel copyright rules. The war on sharing is still going on.

They are proposing mandatory Internet filtering for Switzerland.

They want to be able to require ISPs to block access to sites in the name of Copyright.

And, they want to impose the DMCA’s take-down system.

Google set up something called Content ID; it’s unreliable. It makes mistakes. It blocks things wrongly.

But in Switzerland, they’re proposing to make Content ID required for all platforms. So, if you’re small, don’t think about running a platform for people to post on.

And then, they’re planning to make libraries pay for permission to lend books, as if libraries were not under enough pressure already. And, they’re planning to make ISPs reveal the identities of their users, so that Hollywood companies can sue them.

And, after talking so much about bowing down, how we have to cater so much to the authors and artists, at one point they’ve wanted to dismiss us all and ignore what we’ve said we want. When we release a work under a license that says you’re allowed to redistribute in certain ways…

The above is a transcription of Richard Stallman's talk titled "Threats to Internet Freedom" dated Friday, 5 February 2016, Bern, Switzerland.