Saturday, February 25, 2017

Is yahoo a lost cause? Probably!

Today I got an email from Yahoo; they were very concerned for my account security. So concerned, in fact, they told me:

Our external forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe that a forged cookie may have been used in 2015 or 2016 to access your account.
That is nice. Someone accessed my account. I wonder what they actually accessed? Yep, you guessed it. No information from the nice folks at Yahoo on that subject. Just a bland generic suggestion that I "Review all of your accounts for suspicious activity." Really, this tells me what they accessed how? Was that email from the Japanese company I was negotiating the export contracts with in the account when it was accessed? Was that why the group for Bangladesh managed to undercut my price?



Now this account has only one purpose: it is one I created to test Thunderbird against the ever more bizarre processes used by Yahoo. Looking back over the account from the time it was created on the 16th February 2011, it has received exactly two emails not originating from me. Both were from Thunderbird users trying to navigate the complexities of Yahoo (the last of those emails was in 2014). But it appears from Yahoo that I have been the victim of state sponsored hacking for the purpose of just peeking in, I suppose.

We have connected some of the cookie-forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on 22 September 2016

Now this is where I get a little concerned. They have connected "some of the ... activity" to that source. So are they telling me that the account has been hacked by multiple parties on multiple occasions? Are they telling me anything at all, or just pressing the flesh and selling their new authentication protocol that offers them further advertising opportunities and more information about me as a person? I actually think both. They are, I think, admitting their accounts have been an open door for years for those in the know. I must wonder why Yahoo got those information requests from the US government. Perhaps they are not as good at hacking as other nations.

The older I get the more aware I am that TANSTAAFL, but the marketing spin and the sheer cheek here is astounding. At this point, Yahoo have whatever details I gave them to create the account and they will not be fiction, but may well be a long way from what my credit provider calls the truth. This blog has more personal information than my Yahoo account, and that is no accident. But this email does not encourage me to give Yahoo any more insight into who I am; they proved they are not capable of managing any personal data at all. Giving them a phone number is not something that will be happening. Closing the accounts will be first.


But let's look at what they did say: "the creation of forged cookies" is what their external investigators are looking at. Almost everyone knows, once you log into a web site it gives you an authorization cookie that validates you against subsequent pages, like opening an email, so you do not have to enter your password for every page load. Apparently Yahoo had an issue with these cookies: their algorithm for producing a secure authorisation was too simple or too well known, and multiple unknown parties had unfettered access to just about everything they had in people's accounts over a number of years. Now Yahoo wants to put the genie back in the bottle by replacing one single factor authentication method (a password) with another (pressing OK on a phone app when I try and access their web site or mail).

What have Yahoo done to stop the use of forged cookies? Well, they invalidated the forged cookies. This implies that the forged cookies were still being used until very recently, like this week really. Good hey. That is like closing the garage door when you see your car turning the corner at the end of the street.
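The login-cookie mechanism described above, as an added example that is not part of the original post and is not Yahoo's actual scheme (the email does not describe it): a session cookie carrying an HMAC tag, which the server accepts only if the tag verifies under a signing key it still trusts. The key ids, key values and cookie layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys (assumption); real keys come from a secret store.
KEYS = {"2016": b"constructed-demo-key-A", "2017": b"constructed-demo-key-B"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(key: bytes, body: str) -> bytes:
    return hmac.new(key, body.encode(), hashlib.sha256).digest()


def issue_cookie(user: str, key_id: str, keys: dict, now: int, ttl: int = 3600) -> str:
    """Mint '<key_id>.<payload>.<tag>'; the tag covers the key id and payload."""
    payload = _b64(json.dumps({"u": user, "exp": now + ttl}).encode())
    body = f"{key_id}.{payload}"
    return f"{body}.{_b64(_tag(keys[key_id], body))}"


def verify_cookie(cookie: str, keys: dict, now: int):
    """Return the user, or None if forged, expired or signed with a retired key."""
    try:
        key_id, payload, tag = cookie.split(".")
        expected = _tag(keys[key_id], f"{key_id}.{payload}")
        # Constant-time compare so the check does not leak how many bytes matched.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, KeyError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("u")


def retire_key(keys: dict, key_id: str) -> dict:
    """Drop a signing key; every cookie signed with it stops verifying."""
    return {k: v for k, v in keys.items() if k != key_id}
```

A cookie stays valid for as long as its signing key is trusted, so retiring the key is what invalidates every cookie made with it, genuine or not, and forces those sessions to log in again.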

They (Yahoo) are also "constantly enhancing our safeguards and systems that detect and prevent unauthorised access to user accounts". Hey guys. Just a concept here. But I have been accessing this account from the same IP for years. Perhaps I do not need a phone app or a password to identify my connection as me. Instead you come up with safeguards that make using your service a burden instead of a pleasure. I do not need a new log in method. I need a new provider of email. Sorry, but bungling ham fisted bulk admissions really do not leave me feeling any better about Yahoo than I felt the day I first heard they had been hacked.

For others that actually used their Yahoo account:
  • Did you have photos stored on Yahoo that you would not like public?  They probably are now.
  • Did your business have sensitive documents or email stored on Yahoo?  They are probably public now.
No amount of generic admissions can excuse this breach of trust. But to add insult to injury, Bob Lord's email contains web beacons. That is not what I would call a contrite apology. More like meeting some legal requirement and garnering proof of doing so for use in subsequent litigation.





Monday, January 30, 2017

Anti Virus again

For a very long time I have been banging on about anti virus (AV) programs and how they appear to be designed to make email clients look bad. Early on I thought it was just me, but then I found an MVP for Outlook Express that also had issues with anti virus products and their continual ability to mess up email and email applications. Microsoft kindly removed his web presence. I did get a copy of what he said in my post here though.

Today I stumbled on a series of articles and discussion by people whose opinions I think are worth taking notice of, and they are all denouncing anti virus products. Some (most really) of this is not new. But it would appear the cat may be out of the bag. But you draw your own conclusions.

Robert O'Callahan was a developer with Mozilla until about 12 months ago. He has just posted to his blog a recommendation to Disable Your Antivirus Software (Except Microsoft's), a fairly strong statement followed up by a suggestion that "At best, there is negligible evidence that major non-MS AV products give a net improvement in security". So there we have it. But why now? Because when he tried doing something about the appalling way anti virus affected Firefox in 2012, he was shut down for shaming Mozilla "partners". Now having been away from Mozilla he feels he can freely express his opinion. I encourage you to read everything he says on that blog post. It really does not reflect well on so called "security" products.

This all gave me some vindication for my prior distaste for AV products, but then I wandered into the twitter sphere of Chrome developer Justin Schuh where he said "AV is my single biggest impediment to shipping a secure browser." and "I could rattle off a laundry list of total security breakage due to worthless AV code." So now we have developers involved with two major browser projects that are not at all happy with the way things are going with anti virus products. Looking through that discussion you might notice a current Mozilla employee with a gripe about AV caused problems, and a computer technician that does not want things to change because he makes his money fixing the mess left by anti virus products. So who actually thinks these things are doing their job and making things more secure?

Logic would indicate that at least those selling anti virus products would be supporting them as a good thing. Not so. Anti virus products are "doomed to failure," according to Brian Dye, senior vice president for information security at Symantec, the maker of the Norton brand of anti virus products.

"Antivirus products are catching less than half of all cyberattacks", Dye said, in May 2014. For a company that is aware of the playing field, I wonder why they are still in the market all these years later. (As the Wall Street Journal article is behind a paywall, I will link to the ZDNet report for further reading.)

To give Norton a break, they have concentrated more on whitelisting applications that their firewall will allow to access the internet in the past few years. But this has issues all of its own. Thunderbird releases a new version and the support forums light up with users who can no longer get their mail because Norton's firewall has blocked the new version.

But the question is still open. Is their software leaking? Is it secure? I really do not know. Norton had issues last year, but given the speed of their releases, can they really be doing much more than patching vulnerabilities as they are notified of them?
The SecurityIntelligence article that reported the Norton issues stated: "It’s a relatable conundrum: Security companies don’t want to lose their share of the market and often choose speed over safety, something corporate IT departments struggle with on a daily basis. But the continuing parade of bad medicine stories suggests that it’s time for a change; using kernel privileges carries the risk of Heartbleed-like failure and simply isn’t worthwhile in the long term."

The reality is all anti virus products have issues; just how bad they are is still open to some discussion. But I think everyone should take just a little time to actually consider what their anti virus product is doing for them, and what issues it might be causing for them. Not the least of which is slowing your system down.

For once a bibliography.
ZDNet article that set me off on this journey 
Twitter discussion Justin Schuh
Robert O'Callahan's blog post
Antivirus Hall Of Shame discussion on mozilla.dev.platform
Security intelligence report on Norton's vulnerability.
ZDNet report on comments by Brian Dye, senior vice president for information security at Symantec