Saturday, February 25, 2017

Is yahoo a lost cause? Probably!

Today I got an email from Yahoo,  they were very concerned for my account security.  So concerned in fact they told me.

Our external forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe that a forged cookie may have been used in 2015 or 2016 to access your account.
That is nice.  Someone accessed my account.  I wonder what they actually accessed?  Yep, you guessed it. No information form the nice folks at yahoo on that subject.  Just a bland generic suggestion that I "Review all of your accounts for suspicious activity."  really,  this tells me what they accessed how?  Was that email from the Japaneese company I was negotiating the export contracts with in the account when it was accessed?  Was that why the group for Bangladesh managed to undercut my price?

Now this account has only one purpose,  it is one I created to test Thunderbird against the ever more bizarre processes used by Yahoo.  Looking back over the account from the time it was created on the 16th February 2011 it has received exactly two email not originating from me.  Both were from Thunderbird users trying to navigate the complexities of Yahoo. (the last of those emails was in 2014).  But it appears from Yahoo that I have been the victim of state sponsored hacking for the purpose of just peeking in I suppose.

We have connected some of the cookie-forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on 22 September 2016

Now this is where I get a little concerned.  They have connected "some of the ... activity" to that source.  So are they telling me that the account has been hacked by multiple parties on multiple occasions?  Are they telling me anything at all or just pressing the flesh and selling their new authentication protocol that offers them further advertising opportunities and more information about me as a person. I actually think both.  They are I think admitting their accounts have been an open door for years for those in the know.  I must wonder why Yahoo got those information requests from the US government.  Perhaps they are not as good at hacking as other nations

The older I get the more aware I am that TNSTAAFL  but the marketing spin and the sheer cheek here is astounding.  At this point, Yahoo have whatever details I gave them to create the account and they will not be fiction,  but may well be a long way from what my credit provider calls the truth.  This blog has more personal information that my yahoo account,  and that is no accident.  But this email does not encourage me to give Yahoo any more insight into who I am, they proved they are not capable of managing any personal data at all. Giving them a phone number is not something that will be happening.  Closing the accounts will be first.

But lets look at what they did say, "the creation of forged cookies" is what their external investigators are looking at. Almost everyone knows,  once you log into a web site it gives you an authorization cookie that validates you against subsequent pages,  like opening an email, so you do not have to enter your password for every page load.  Apparently Yahoo had an issue with these cookies, their algorithm for producing a secure authorisation was too simple or to well known and multiple unknown parties had unfettered access to just about everything they had in peoples accounts over a number of years. Now yahoo wants to put the genie back in the bottle. by replacing one single factor authentication method (A password) with another.  (Pressing ok on a phone app when I try and access their web site or mail.) 

What have yahoo done to stop the use of forged cookies?  Well, they invalidated the forged cookies. This implies that the forged cookies were still being used until very recently, like this week really. Good hey. That is like closing the garage door when you see your car turning the corner at the end of the street.

They (Yahoo) are also  "constantly enhancing our safeguards and systems that detect and prevent unauthorised access to user accounts".  Hey guys.  Just a concept here.  But I have been accessing this account from the same IP for years.  perhaps I do not need a phone app or a password to identify my connection as me.  Instead you come up with safeguards that make using your service a burden instead of a pleasure.  I do not need a new log in method.  I need a new provider of email. Sorry but bungling ham fisted bulk admissions really do not leave me feeling any better about Yahoo that I felt the day I first heard they had been hacked. 

For others that actually used their yahoo account;
  • Did you have photos stored on yahoo that your would not like public?  They probably are now. 
  • Did your business have sensitive document or email stored on Yahoo?  They are probably public now. 
No amount of generic admissions can excuse this breach of trust.  But to add insult to injury  Bob Lords email contains web beacons.  That is not what I would call a contrite apology.  More like meeting some legal requirement and garnering proof of doing so for use in subsequent litigation.