Yahoo collaborating with US intelligence agencies

Today it was revealed that Yahoo has been scanning people’s email for the federal government.

Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events. (Reuters)

This activity was, apparently, authorized by Yahoo CEO Marissa Meyer but not the former CSO Alex Stamos. Mr. Stamos left Yahoo in June 2015. He also publicly disagreed with the director of the NSA back in February 2015 about the NSA having access to encrypted data.

WttWColorEye_forBlog

This is probably the part where I’m supposed to write something insightful, but honestly, I don’t have much. Like many people, I’m shocked and dismayed at Marissa Meyer’s decisions to allow this. I’m also somewhat heartened by the fact that, reportedly, Yahoo staff detected the malicious software within a few weeks of it being deployed. Apparently the deployed software was buggy and could have been compromised by third parties.

On the heels of a major compromise of email accounts by “unrelated 3rd parties” I have to wonder how much more bad news Yahoo can take. They’ve had their ups and downs, but most folks I know who worked there don’t any longer. It’s certainly not a place anyone I know considers when looking for new jobs.

In many ways it’s sad to watch one of the foundations of the internet flail and fail. It didn’t have to be this way, I’m sure.

What’s interesting is who has commented on this.

Verizon: nothing I can find. If you remember, Verizon announced a deal to buy Yahoo for 4.83 billion dollars this past summer. The deal was supposed to close in Q1 2017. Wonder if Verizon is questioning their purchase now?

Other companies have responded.

Google: We didn’t and wouldn’t do this.

Microsoft: We didn’t and wouldn’t do this.

Twitter: We didn’t and wouldn’t do this.

Facebook: We didn’t, wouldn’t and will fight any attempt at this.

We know Apple has fought this kind of request, publicly. Interesting to note in that article, Yahoo is not one of the technology companies listed as supporting Apple’s stance.

I’m sure this isn’t going away any time soon. The internet, privacy, free speech, access, harassment, abuse… these are all issues many folks have hand waved around for a long time. Now we’re really going to have to start addressing them, not just with technology but also with real, concrete actions.

Related Posts

Working around email security

One of the common things I see as a delivery consultant is that companies do their best to set effective policies about email, but make it difficult to comply with those policies. It happens all the time. It’s one of the reasons that the tweets Steve shared about Sec. Clinton’s email server rang so true to me.
Security.
One of the commenters on that post disagrees, and uses banks and health care as an example.
Erik says:

Read More

Traffic Light Protocol

If you’re sharing sensitive computer security information it’s important to know how sensitive a document is, and who you can share it with.
US-CERT and many other security organizations use Traffic Light Protocol as shorthand for how sensitive the information in a document is. It’s simple and easy to remember with just four colour categories: Red, Amber, Green and White. If you’re likely to come into contact with sensitive infosec data, or you just want to understand the severity of current leaks, it’s good to know that it exists.
 

Read More

Another security problem

I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.
Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given mail is only coming from one /29, which belongs to one customer it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account.  It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.
This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs, but they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESPs hard won and hard fought sending reputation.
Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.

Read More