Yahoo - More bad news coming out.


Teken

In the last few weeks Yahoo has been on the hot plate for their lackluster ability to place the consumer first as opposed to thinking about themselves and market share.

This latest article illustrates how this poorly managed company actually circumvented their own IT Security work group to help facilitate spying on their very own customers.

One can only wonder what else this company has been doing behind the scenes. 

To think one of the smartest guys like Alex Stamos had to endure this sort of abuse and stupidity is quite sad. 

Yahoo created program to scan customer emails for U.S. intelligence agencies, report says

By Mikey Campbell
Tuesday, October 04, 2016, 08:23 pm PT (11:23 pm ET)

A report on Tuesday claims Yahoo last year cooperated with U.S. government agency requests to create and deploy software that scanned hundreds of millions of customer emails as they arrived at the company's servers. 


Citing multiple sources familiar with the matter, including former employees, Reuters reports Yahoo complied with the wishes of either the National Security Agency or the Federal Bureau of Investigation with its email scanning program. 

U.S. intelligence officials through a classified request tasked Yahoo with picking out emails containing a particular set of characters, such as a phrase or attachment, and storing them for remote retrieval. It is unclear what the government was looking for, sources said. Whether Yahoo released any data to government agencies as part of the initiative is also unknown. 

"Yahoo is a law abiding company, and complies with the laws of the United States," Yahoo said in a statement provided to Reuters.

As noted by the publication, some security experts believe the incident is the first known case of a U.S. internet company agreeing to such terms. It is also the first to involve software created specifically for the purpose of snooping. Email service providers — like phone companies — have in the past acquiesced to requests for bulk data searches and limited real-time monitoring, but certain laws restrict state actors from imposing undue burden on these firms by asking them to create special surveillance systems. 


Yahoo CEO Marissa Mayer green lit the project in a decision that didn't sit well with other high-ranking employees, the report says. In particular, sources claim Mayer's move resulted in the resignation of former Chief Information Security Officer Alex Stamos in June 2015.

At the time, Mayer and other decision makers accepted the government directive because they thought Yahoo would ultimately lose if they chose to fight, sources said. Further, instead of seeking guidance from Yahoo's security team, executives had engineers write and deploy the program. As can be expected, the security team found the software shortly after it was installed, believing it to be the work of a hacker, not company policy. 

Experts believe the same government agencies behind the Yahoo request, whether it be the NSA, FBI or some other shadowy group, likely extended the same demand to competing firms offering similar services. Google and Microsoft told the publication they have never participated in email scanning operations like those reported. A Google representative went further, saying, "We've never received such a request, but if we did, our response would be simple: 'No way.'"

Apple, too, has butted heads with government entities seeking information under the Foreign Intelligence Surveillance Act (FISA), a key law cited in the Yahoo debacle. To increase transparency on the issue, Apple releases a biannual report detailing requests for information from various state players. Its latest findings, published in April, note law enforcement agencies lodged 1,015 requests for customer account information affecting 5,192 users in the second half of 2015. 

Earlier this year, Apple found itself at the center of a heated public debate over personal device encryption when the company declined a federal court order to access an iPhone tied to the San Bernardino terror attacks. Specifically, the company refused to build a workaround to built-in iPhone safeguards, saying doing so would undermine the security of millions of devices worldwide. The U.S. Department of Justice ultimately withdrew the case after FBI agents successfully bypassed the phone's passcode lock using a technique purchased from an unnamed third-party.

News of Yahoo's surreptitious activities comes just two weeks after the company confirmed reports of a massive security breach that impacted at least 500 million accounts in 2014.

This is the follow-up article from CNBC which details how security was literally placed on the back burner or an afterthought.

Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say
Nicole Perlroth and Vindu Goel
Wednesday, 28 Sep 2016 | 10:05 AM ET, The New York Times

Six years ago, Yahoo's computer systems and customer email accounts were penetrated by Chinese military hackers. Google and a number of other technology companies were also hit.

 

The Google co-founder Sergey Brin regarded the attack on his company's systems as a personal affront and responded by making security a top corporate priority. Google hired hundreds of security engineers with six-figure signing bonuses, invested hundreds of millions of dollars in security infrastructure and adopted a new internal motto, "Never again," to signal that it would never again allow anyone — be they spies or criminals — to hack into Google customers' accounts.

Yahoo, on the other hand, was slower to invest in the kinds of defenses necessary to thwart sophisticated hackers that are now considered standard in Silicon Valley, according to half a dozen current and former company employees who participated in security discussions but agreed to describe them only on the condition of anonymity.

When Marissa Mayer took over as chief executive of the flailing company in mid-2012, security was one of many problems she inherited. With so many competing priorities, she emphasized creating a cleaner look for services like Yahoo Mail and developing new products over making security improvements, the Yahoo employees said.

The "Paranoids," the internal name for Yahoo's security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company's products.

But Yahoo's choices had consequences, resulting in a series of embarrassing security failures over the last four years. Last week, the company disclosed that hackers backed by what it believed was an unnamed foreign government stole the credentials of 500 million users in a breach that went undetected for two years. It was the biggest known intrusion into one company's network, and the episode is now under investigation by both Yahoo and the Federal Bureau of Investigation.

Certainly, many big companies have struggled with cyberattacks in recent years. But Yahoo's security efforts appear to have fallen short, in particular, when compared with those of banks and other big tech companies.

To make computer systems more secure, a company often has to make its products slower and more difficult to use. It was a trade-off Yahoo's leadership was often unwilling to make.

In defense of Yahoo's security, a company spokeswoman, Suzanne Philion, said the company spent $10 million on encryption technology in early 2014, and that its investment in security initiatives will have increased by 60 percent from 2015 to 2016.

"At Yahoo, we have a deep understanding of the threats facing our users and continuously strive to stay ahead of these threats to keep our users and our platforms secure," she said.

The breach disclosed last week is the latest black eye for Ms. Mayer, whose failed turnaround effort resulted in Yahoo's agreement in July to sell its core operations to Verizon for $4.8 billion. It is unclear whether the episode will affect the sale. Although Yahoo's email users are its most loyal and frequent customers, the company has been losing market share in email for years.

"Yahoo is already suffering. I don't think they'll suffer more because of this," said Avivah Litan, a security analyst with the research firm Gartner.

Ms. Mayer arrived at Yahoo about two years after the company was hit by the Chinese military hackers. While Google's response was public, Yahoo never publicly admitted that it had also been attacked.

A former Google executive credited with creating the search company's simple, colorful aesthetic, Ms. Mayer turned her attention at Yahoo to beating Google at search, creating new mobile apps, and turning Yahoo into a video powerhouse with television-style broadcasts featuring big-name talent like Katie Couric.

But in matters of security, Ms. Mayer, current and former employees said, was far more reactive. In 2010, Google announced it would start paying hackers "bug bounties" if they turned over security holes and problems in its systems. Yahoo did not do the same until three years later, after it lost countless security engineers to competitors and experienced a breach of more than 450,000 Yahoo accounts in 2012 and a series of humiliating spam attacks in 2013. Yahoo said it had paid out $1.8 million to bug hunters.

In 2013, disclosures by Edward J. Snowden, the former National Security Agency contractor, showed that Yahoo was a frequent target for nation-state spies. Yet it took a full year after Mr. Snowden's initial disclosures for Yahoo to hire a new chief information security officer, Alex Stamos.

Jeff Bonforte, the Yahoo senior vice president who oversees its email and messaging services, said in an interview last December that Mr. Stamos and his team had pressed for Yahoo to adopt end-to-end encryption for everything. Such encryption would mean that only the parties in a conversation could see what was being said, with even Yahoo unable to read it.

Mr. Bonforte said he resisted the request because it would have hurt Yahoo's ability to index and search message data to provide new user services. "I'm not particularly thrilled with building an apartment building which has the biggest bars on every window," he said.

The 2014 hiring of Mr. Stamos — who had a reputation for pushing for privacy and antisurveillance measures — was widely hailed by the security community as a sign that Yahoo was prioritizing its users' privacy and security.

The current and former employees say he inspired a small team of young engineers to develop more secure code, improve the company's defenses — including encrypting traffic between Yahoo's data centers — hunt down criminal activity and successfully collaborate with other companies in sharing threat data.

He also dispatched "red teams" of employees to break into Yahoo's systems and report back what they found. At competitors like Apple and Google, the Yahoo Paranoids developed a reputation for their passion and contributions to collaborative security projects, like Threat Exchange, a platform created by Yahoo, Dropbox, Facebook, Pinterest and others to share information on cyberthreats.

But when it came time to commit meaningful dollars to improve Yahoo's security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo's security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo's production systems. Over the last few years, employees say, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google.

Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services.

On Tuesday, six Democratic senators, led by Patrick Leahy of Vermont, sent a letter to Ms. Mayer demanding more details about the 2014 breach and what Yahoo was doing to prevent a recurrence. Another senator, Mark Warner, Democrat of Virginia, has asked the Securities and Exchange Commission to investigate Yahoo's disclosures to investors regarding the incident. And the company is already the subject of several class-action lawsuits from users over the intrusion.

Americans seem to be getting a weird sense of privacy and security. In a post-Snowden world you would think people would be really worried about it, but they really aren't. In fact, I think his leak had the opposite effect.

The end result of Snowden's leaks isn't the promotion of privacy, it has promoted that there should be no privacy.  It has promoted the leaking of private information.

 

As an example:

I made the mistake the other day of reading the comments section of an article about some leaked, unauthorized recordings of a private organization talking about an upcoming public vote on a topic they were concerned about. Nothing surprising in the recordings at all, but the comments on the news article website had many people saying that all discussions on public topics among individuals at a private organization should be open to the public and shared with all and that there is no right to privacy in such discussions. THAT is a scary idea to read people promoting.

Part of me hopes what you wrote above is not true - but part of me thinks it's more than true. None of this privacy / security is unique to the United States. Anyone can find one of dozens of articles of countries from A-Z and the abuses the Governments have inflicted upon their citizens.

 

I am sure people can find the polar opposite of those who believe Snowden was completely wrong vs those who truly believe it was the right thing to do.

 

I always find it laughable when people say *Hey he should have followed the chain of command or the whistle blower mechanisms in place*. The laws and processes are not only flawed, they're broken and don't protect anyone who is a whistle blower. As I have noted in the past here in the *Coffee Forum*, with the advent of IoT the Government won't have to try very hard to access a person's data or have the ability to snoop on them.

 

People of this era are too complacent and place convenience over security anytime the choice is presented to them. There are too many old and young people in the Government who really need to be removed from their respective positions of power.

 

Yahoo is just a perfect example of management who place *Profit before people* instead of serving their customers. Everyone knows I will throw any company under the bus when warranted. But I have to acknowledge Apple single-handedly stood their ground to ensure a person's privacy and security was the primary business goal.

 

Even though it was still self-serving in the big picture . . .

 

Anyone who doubts what the PRISM program and similar have done to the likes of Apple, Microsoft, Google, IBM, etc just has to read the Snowden leaks.

Latest update with respect to Yahoo and how the company allowed the FBI and others to install a rootkit deep within the mail server services of Yahoo.

OCT 14 2016, 12:52 PM ET
Lawmakers Ask the White House to Review Yahoo's Email Spying

by REUTERS

A bipartisan group of 48 lawmakers in the U.S. House of Representatives on Friday asked the Obama administration to brief Congress "as soon as possible" about a 2015 Yahoo program to scan all of its users' incoming email at the behest of the government.

Lawmakers want to learn more about a 2015 Yahoo program to scan all of its users' incoming email at the behest of the government. REUTERS/Dado Ruvic

The request comes amid scrutiny by privacy advocates and civil liberties groups about the legal authority and technical nature of the surveillance program, first revealed by Reuters last week. Custom software was installed to search messages to hundreds of millions of accounts under an order issued by the secretive Foreign Intelligence Surveillance Court.

"As legislators, it is our responsibility to have accurate information about the intelligence activities conducted by the federal government," according to the letter, organized by Republican Representative Justin Amash of Michigan and Democratic Representative Ted Lieu of California.

"Accordingly, we request information and a briefing as soon as possible for all members of Congress to resolve the issues raised by these reports."

Investigators searched for messages that contained a single piece of digital content linked to a foreign state sponsor of terrorism, sources have told Reuters, though the nature of the content remains unclear.

Intelligence officials said Yahoo modified existing systems used to stop child pornography and filter spam messages on its email service.

But three former Yahoo employees told Reuters the court-ordered search was done by a module buried deep near the core of the company's email server operation system, far below where mail sorting was handled.

The Senate and House intelligence committees were given a copy of the order when it was issued last year, sources said, but other members of Congress have expressed concern at the scope of the email scanning.

Some legal experts have questioned the breadth of the court order and whether it runs afoul of the U.S. Constitution's Fourth Amendment protections against unreasonable searches.

Half of registered U.S. voters believe the Yahoo program violated the privacy of customers, according to a poll of 1,989 people conducted last week by Morning Consult, a polling and media company.

Twenty-five percent were supportive of the program because of its potential to stop criminal acts, the survey found, while another quarter did not know or had no opinion. 

Archived

This topic is now archived and is closed to further replies.