Yahoo Issues Security Sitrep
Yahoo's new CISO Alex Stamos is wasting no time shoring up the company's weak security. His first moves have been encryption-focused, but that's just for starters. Hiring Stamos "was a great move," said SilverSky CTO Andrew Jaquith. "He's got serious street cred ... . Assuming he gets the funding and authority he needs, Yahoo should be able to make some serious strides."
04/03/14 2:05 PM PT
Yahoo has announced a new effort to upgrade its security, in the wake of a torrent of breaches and hacker attacks over recent months.
Yahoo's plans include encryption of data in motion, enabling HTTPS encryption, and implementing the latest in security best practices, said Chief Information Security Officer Alex Stamos, who took over the job in March.
A series of attacks that began last October resulted in Yahoo's servers being taken offsite for several days in December, forcing CEO Marissa Mayer to make a public apology. In early January, security firm Fox-IT reported Yahoo was serving malvertisements, and on Jan. 30, Yahoo reported a coordinated effort to gain unauthorized access to Yahoo Mail accounts using data from a third-party database.
Users posted a laundry list of complaints about Yahoo's service on Is It Down Right Now? going back to March 4. Some threatened to leave the service for Gmail.
"The fact that [Yahoo] have had issues suggests they need to up their game," remarked Andrew Jaquith, chief technology officer at SilverSky.
Yahoo "should have done this earlier," Sorin Mustaca, IT security expert at Avira, told TechNewsWorld, "but they were tackling other problems -- losing users, revenue issues, losing market share -- so security, as a nonfunctional requirement, was left to the end."
The Yahoo Security Roundup
As of March 31, traffic moving between Yahoo data centers has been fully encrypted, Stamos said.
Yahoo will encrypt all its platforms by default, implement additional security measures such as Perfect Forward Secrecy over the next few months, and work with partners to make sure the ecosystem is secure.
Browsing over HTTPS is now the default in Yahoo Mail, and encryption of mail between its servers and those of other mail providers supporting the SMTP TLS standard has been enabled.
HTTPS encryption also is enabled by default on the Yahoo home page and search queries running on it, as well as on most Yahoo properties.
Users can initiate encrypted sessions for Yahoo News, Yahoo Sports, Yahoo Finance and Good Morning America on Yahoo by typing "https" before the site URL in their Web browser.
An encrypted version of Yahoo Messenger is scheduled for release later this year.
"SSL is not the solution to all problems," said Avira's Mustaca. "There are plenty of others out there: malware; vulnerabilities in Yahoo's online services and those from their partners; and adware."
When an Elephant Dances
Given that Yahoo has been experiencing security problems for at least a year, should it perhaps have moved more rapidly to bring a chief information security officer on board?
"This is actually pretty fast for a company of Yahoo's size," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld. "They had to find the right person and likely went through a lengthy process."
Hiring Stamos "was a great move," SilverSky's Jaquith told TechNewsWorld. "He's got serious street cred ... . Assuming he gets the funding and authority he needs, Yahoo should be able to make some serious strides."
The Risk for Yahoo
The stakes are high, especially for Yahoo's push into the small and mid-sized business market, Gerry Grealish, chief marketing officer at Perspecsys, told TechNewsWorld.
"These businesses, and the organizations they work with, are paying attention to the data privacy and compliance issues surrounding cloud-based systems," Grealish continued. "Encryption is getting a lot of visibility as a potential solution."
Yahoo also might see at least an outflow, if not an exodus, of users. As of April 2, users still were posting complaints on Is It Down Right Now?
Some, such as Stephanie Higgins, threatened to leave. "Gmail... you may have finally won me over," she wrote.
"Hello Gmail, I'm coming home," wrote June Salazar Mar. 8.
"Google is way more efficient and I will be going to that," wrote Molly Mcquinn-Biscan Mar. 4. "Yahoo, you stink. Inexcusable."