Author: Source: Date: 2016/12/23 8:47:29

Yahoo’s gift to cyber crooks is one that will last
Oh, Yahoo, where do I start? We used to be good together back in 2004. But now I’m angry and disappointed. And it’s not me, it’s Yahoo.



The data breach the company disclosed last week, affecting more than 1bn users, dates back to 2013 — a year earlier than the breach of 500m accounts reported in September. Whether you use Yahoo or not, disabuse yourself immediately of any notion that this breach is like the last. The implications are worse and reach beyond the company. And it’s not just about the number of people affected.



This time Yahoo is saying outright that all affected user passwords were stored in a manner that makes your average cyber security bod go nuts at the madness of the world. “Security! experts! slam! Yahoo! management! for! using! old! crypto!” ran a headline in The Register, an industry rag, mocking the internet company’s corporate punctuation.

To understand the frustration, imagine that a password database is like a bike in an area prone to high levels of bike theft — a university town such as Oxford, UK. It matters how securely your bike is stored and also how much it’s rendered unrideable with locks.



As Yahoo’s password bike is known to have been stolen (again), it’s the additional locks and how strong they are that now matter. In password terms, strength equates to how easy it is to recover the plain-text version of what you type in — such as hansolo81 — from the unusable hashed version that the company stores. A hashed version would look something like: 57dddf57a98dc88c64327fe6bb5b9358. If the thieves can recover hansolo81, they can ride it into your bank account, PayPal — or anywhere else you used this password or predictable variants of it, such as Hansolo81, han$olo81 or hansolo82.




So you’d think Yahoo would deploy chunky chain locks like those that cycle couriers use. But, actually, it looks as if the company instead tied a ribbon between the front wheel and the frame. In the jargon, they used a method involving a function called MD5 — the same poor choice made by adultery website Ashley Madison for some of its users’ passwords, and by music service Last.fm, both of which experienced breaches.

Ask tech nerds what they think about MD5 and you’ll hear incredulity that any company (let alone a large, internet-based company) was still using it in 2013, that doing so is outright negligence, that there’s no excuse for it and that it was discredited a couple of decades ago.



By the time of the 2014 breach, Yahoo had nearly finished a wildly overdue upgrade to its locks, switching to “bcrypt”. If well implemented, this makes its password bike unusable to thieves. Getting from 57dddf57a98dc88c64327fe6bb5b9358 to hansolo81 would be very unlikely. So, while that breach endangered users, it was a less epic fail than the more recently reported compromise.
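The ribbon-versus-chain-lock contrast above is easy to make concrete. The following is an added illustration, not code from the column or from Yahoo: it stores the article’s example password with unsalted MD5 and shows that a short list of predictable guesses (the constructed wordlist below, built from the variants the column names) recovers it immediately, since one cheap hash per guess and no per-user salt means the same work cracks every account in a dump. It then stores the same password with a per-user salt and a tunable cost. The standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for it here; that substitution is an assumption, chosen because it shares the two properties that matter in the argument (unique salt, deliberately slow), not because it is the algorithm Yahoo adopted.

```python
import hashlib
import hmac
import secrets
import time
from typing import Iterable, Optional, Tuple

# Constructed sample wordlist: the column's example password and the
# predictable variants it lists. A real cracking list has millions of entries.
GUESSES = ["hansolo82", "han$olo81", "Hansolo81", "hansolo81", "Password1"]

DEFAULT_ROUNDS = 200_000  # PBKDF2 iteration count; raise as hardware gets faster


def md5_store(password: str) -> str:
    """Unsalted MD5 hex digest: the storage the column attributes to the 2013 data."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def recover_from_md5(stored_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each guess against one unsalted hash.

    Because there is no salt, the digest of a guess is the same for every user,
    so a single pass over the wordlist can be compared against a whole dump.
    """
    for guess in wordlist:
        if hmac.compare_digest(md5_store(guess), stored_hex):
            return guess
    return None


def slow_salted_store(password: str, salt: Optional[bytes] = None,
                      rounds: int = DEFAULT_ROUNDS) -> Tuple[bytes, bytes]:
    """Stand-in for bcrypt (assumption: PBKDF2-HMAC-SHA256 from the stdlib).

    A fresh 16-byte random salt per password means two users with the same
    password get different stored values, and the round count makes each
    guess cost thousands of hash computations instead of one.
    Returns (salt, derived_key); both must be kept to verify later.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, derived


def verify_slow_salted(password: str, salt: bytes, derived: bytes,
                       rounds: int = DEFAULT_ROUNDS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, derived)


def cost_per_guess(fn, repeats: int = 20) -> float:
    """Average seconds one verification attempt costs an attacker (or a defender)."""
    start = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - start) / repeats


if __name__ == "__main__":
    stored_md5 = md5_store("hansolo81")
    print("MD5 dump entry:", stored_md5)
    print("recovered from wordlist:", recover_from_md5(stored_md5, GUESSES))

    salt, derived = slow_salted_store("hansolo81")
    salt2, derived2 = slow_salted_store("hansolo81")
    print("same password, two users, identical stored value?", derived == derived2)
    print("correct password verifies:", verify_slow_salted("hansolo81", salt, derived))
    print("variant rejected:", not verify_slow_salted("Hansolo81", salt, derived))

    md5_cost = cost_per_guess(lambda: md5_store("Hansolo81"))
    slow_cost = cost_per_guess(lambda: verify_slow_salted("Hansolo81", salt, derived), repeats=3)
    print(f"seconds per guess: md5={md5_cost:.2e}, salted slow hash={slow_cost:.2e}")
```

Run it and the two printed costs show why the column calls the difference epic: the MD5 guess is measured in microseconds, the salted slow hash in a sizeable fraction of a second, and the salt removes the ability to reuse one set of computed guesses across every leaked account.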



It’s worth being clear about the consequences of Yahoo’s incredibly poor security practices as recently as three years ago: the company has probably unleashed the single biggest known data set showing how the world constructs passwords. This is a powerful tool for guessing one’s way into accounts, especially on services that don’t limit such attempts well or offer additional security measures, such as two-factor authentication. And it’s a gift to malicious actors who increasingly know us better than we know ourselves.



Also, Yahoo can force password resets only on its own service. There is nothing Yahoo can do to make people change identical or similar passwords used on other sites.



Furthermore, as with the last breach, the company hasn’t disclosed how many security questions and answers were badly stored. They state only that the data were kept either “encrypted or unencrypted” — the latter being in readable text. How many people can remember whether or not they once had a Yahoo account, let alone what security information they used, and whether they used that same information in their other accounts? Where else did you use your mother’s maiden name, first pet, favourite colour, school or teacher?



The consequences of organisations’ poor security decisions will come back to haunt us. I only hope Yahoo marks the worst, if not the last.