Yahoo Engineer Personalizes Threats Against Users
Insider threats commonly wreak havoc via financial and identity thefts. But they typically aren’t personal attacks. Recently a Yahoo engineer personalized attacks by targeting young women exclusively. Here is what that can mean to security professionals who guard their clients online and in the real world.
Reyes Daniel Ruiz, a former Yahoo engineer, pleaded guilty to targeting 6,000 young women users, including friends and colleagues. His goal was to find and harvest “sexually explicit images and videos and other types of private data” on Yahoo. He also “used his access to the Yahoo accounts to compromise victims’ accounts on other services, including iCloud, Facebook, Gmail and Dropbox, in search of additional private images and videos,” according to an Ars Technica report.
While it is unclear for what purpose Ruiz meant to use the compromising photos, videos and other personal information, it’s not hard to see the possibilities.
In the case of targeting young women, uses could vary from sexual satisfaction for the hacker to sexual harassment on or off the job. Such information could also be sold to sex offenders and sex traffickers.
In the case of business professionals and politicians, the compromising information could be used for anything from blackmail to assassinations.
Ruiz also used the private data, including passwords, that he gleaned from hacking Yahoo accounts to hack accounts of those same users on other cloud services. Businesspeople, journalists and politicians could be similarly compromised and under threat. For example, if a train, plane or ride-sharing account were hacked, a target’s whereabouts and daily travel habits could easily be established and, when combined with other information, be used to subject the target to blackmail or physical harm.
Thus real-world, physical threats to specific persons in nearly any walk of life are now a painfully obvious possibility.
“This gross intrusion of the privacy of thousands of individuals illustrates again the need for enterprise to invest more in detecting and preventing abuse of privilege. Investing in privilege pays dividends — it’s essential to protecting data from both insider and external threats,” said Gerrit Lansing, Field CTO of STEALTHbits Technologies.
Security professionals are already blending cyber and physical world defenses, but expanding those may be a good idea, particularly in the areas of insider threats and user education. Training people to refrain from storing compromising photos or other information on any cloud services is vital for their own protection.
But so is stemming the tide of insider threats. A Crowd Research Partners survey found that privileged users are the biggest insider threat concern for organizations.
“An internal threat from an engineer with access is one of the most difficult things to guard against, but companies like Yahoo need to do more than they are doing today. One area of exposure is doing testing on live or near-live user data, putting engineers into contact with vulnerable data. This needs to be rarely done and carefully guarded, with multiple eyes on the exercise,” said Dan Tuchler, CMO with SecurityFirst.
“Another step is to limit access by job role and report any anomalies, which can be done with established technology, but it takes attention and resources to configure these controls correctly,” Tuchler added. “Checks and balances exist which can limit the damage done by an insider, and enterprises need to take these steps, whether motivated by financial or regulatory reasons.”