
Notifying Our Users of Attacks by Suspected State-Sponsored Actors - _jomo
https://yahoo-security.tumblr.com/post/135674131435
======
jcrawfordor
A big source of confusion on this kind of thing is that the HN crowd tends to
see "state actor" and think "pervasive surveillance (by the NSA)".

In context, and in the security industry in general, "state actor" refers to
active (although often broadly cast) penetration attempts by groups thought to
be operated by foreign governments. These groups do not have significant
surveillance capabilities, so they're trying to build them by doing things like
getting access to the email of potentially interesting people, often via
credential stealing malware or plain old phishing. Their methods are often not
particularly sophisticated, but they're more persistent and better funded than
most other threat actors. On the other hand, their methods sometimes are very
sophisticated, so it's good to detect a problem as early as possible, as Yahoo
is trying to help users do.

~~~
psykovsky
So, what you are saying is we should lose all hope of ever being notified
about an NSA attack because they own the networks. Like that made it
alright... REALLY????

~~~
mindslight
Consider this your notification.

------
jlgaddis
Based upon the amount of spam I receive from Yahoo! mail systems, I'm not
confident in their ability to detect "attacks by suspected state-sponsored
actors" as they apparently don't even have the ability to detect
phished/compromised accounts.

~~~
eli
At the risk of stating the obvious, a From or Reply-To address of
something@yahoo.com doesn't necessarily mean that Yahoo had anything to do
with the message.

~~~
dredmorbius
I've got more experience in hunting down spam than is healthy and can read
headers.

Receiving SPF, DKIM validated spam from Yahoo's email systems, then
discovering there's absolutely no way in hell to kick it back to them, sours
one rather rapidly.

Trying to send mail _to_ Yahoo has been roughly equally annoying for about as
long.

~~~
Pyxl101
Can you clarify regarding no way to kick it back to them? My understanding was
that they operate typical feedback loops per RFC 6449 (though I haven't
personally verified this).

They also host a spam FAQ which has a link to a form to submit spam reports:
[https://help.yahoo.com/kb/SLN3402.html](https://help.yahoo.com/kb/SLN3402.html)

~~~
dredmorbius
Try self-hosted mail. The section on reporting spam _from_ Yahoo conspicuously
omits such options as submitting full headers to abuse or postmaster. Doing so
in the past (mutt, full headers) generates a "you're holding it wrong" message.

This goes back years, I've not tried recently, status may have changed. But
again, the long, long term experience has been pretty sour.

~~~
Pyxl101
The section on reporting spam from Yahoo has a link to a form where you can
submit spam reports from Yahoo:

> Submit your report using our "Got Spam?" form if your email provider doesn't
> offer a spam reporting feature.

The "Got Spam?" link takes you to a form where you can supply the headers and
content of the spam message sent from Yahoo.

~~~
dredmorbius
What part of "mail to abuse@ or postmaster@ fails" don't you understand?

The web-form workflow breaks in many ways: console tools (which I use for
email), mobile, and more.

The fact that I can simply "bounce" the whole message at Yahoo's spamtraps,
_if they had such a thing_ , and they can sort the message's legitimacy and
structure themselves, but they don't allow this, speaks volumes.

And again, this shit for a decade or more.

Now, if Yahoo wanted to create CLI tools to incorporate into mailflows for
those of us who know what we're doing to slot into their systems, great.

But ultimately, their problems aren't mine, I've washed my hands.

------
dmlorenzetti
"State-sponsored actors" sounds like over-specification. If Yahoo detects a
"sophisticated attack" from a lone jerk with a computer, do they not notify
affected users of defensive actions to take?

It's no doubt interesting to know that your account is being targeted by your
own or some other government, but identification seems secondary to detection
and response.

------
grandalf
Google has a state sponsored actors warning. I received it a few years ago, a
red bar across the top of GMail.

So I turned on two factor auth and the warnings stopped.

I wish I knew which state and why my account was being attacked. I'm guessing
it was not a specific attack but perhaps the attacker was trying credentials
found in some other breach.

Considering that Google cooperates with the USG, I'd guess that it was some
state other than the US, but who knows. I'm not aware of having done anything
that would be of concern to any government.

------
whisk3rs
How do Yahoo, Google, Facebook, or others distinguish between state-sponsored
actors and non-state-sponsored actors?

~~~
21echoes
[https://en.wikipedia.org/wiki/Cybersecurity_Information_Shar...](https://en.wikipedia.org/wiki/Cybersecurity_Information_Sharing_Act)

This passed along with the budget bill at the end of last week. It establishes
a system whereby the US defense department shares with corporations their
signals for detecting state-sponsored attacks, and companies are allowed to
opt in to sharing anonymized attack information with the DoD.

~~~
netik
CISA is a terrible bill and not a solution to this problem. Security teams
have been able to manage this data on their own for years without government
intervention.

There have always been other methods for determining if an attacker is state
sponsored. One example: Seeing your account, and a number of dissidents or
activists being attacked from a block of IPs or similar password attempts,
probably means the attack is state sponsored.

That being said, in security, attribution is a very hard problem, and the
methods used to determine state sponsored attacks are also quite hard to
design.

There's a reason why companies won't elaborate on how they do this, but it is
usually a combination of login/account intelligence and threat feeds.

~~~
at-fates-hands
>> Seeing your account, and a number of dissidents or activists being attacked
from a block of IPs or similar password attempts, probably means the attack is
state sponsored.

Used to work at a fairly large global corporation. One day I was chatting up
one of the senior sys admins. He was talking about the incredible traffic that
bombards their server every day. I was pretty naive back then and said, "C'mon
man, it can't be _that_ much!"

He opened his terminal and ran a simple monitoring tool, then opened
another terminal. In one was the constant traffic to several of their
applications that were from a specific block of IP addresses he thought he had
traced back to China. The other window was a running queue of mistyped
password attempts. It was like clockwork. They'd try three, get kicked out of
the system, then in an instant, you'd see a flurry of new IP addresses from
the same block, then some more attempts to guess the password. Kicked out,
rinse, repeat.

In the span of five minutes, I must have seen two dozen failed attempts to try
and do a dictionary password attack on their login page. He guessed it was
some kind of a bot that was running the tests considering how mechanical and
orderly the attacks were.

It really opened my eyes as to how often and how many businesses these
governments go after for intellectual property.
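
netik's heuristic (many unrelated accounts attacked from one IP block) and the rotate-before-lockout pattern in the story above, written up as an added detection example; this is not code from the page or from any commenter, and the log format, thresholds and RFC 5737 addresses are constructed for illustration:

```python
import ipaddress
from collections import defaultdict

# Constructed sample auth log (not from the page), RFC 5737 addresses only.
# Format per line: timestamp outcome user=<account> ip=<source>
SAMPLE_LOG = """\
2015-12-21T10:00:01 FAIL user=alice ip=203.0.113.10
2015-12-21T10:00:02 FAIL user=alice ip=203.0.113.10
2015-12-21T10:00:03 FAIL user=alice ip=203.0.113.10
2015-12-21T10:00:04 FAIL user=bob ip=203.0.113.11
2015-12-21T10:00:05 FAIL user=bob ip=203.0.113.11
2015-12-21T10:00:06 FAIL user=bob ip=203.0.113.11
2015-12-21T10:00:07 FAIL user=carol ip=203.0.113.12
2015-12-21T10:00:08 FAIL user=carol ip=203.0.113.12
2015-12-21T10:00:09 FAIL user=dave ip=203.0.113.13
2015-12-21T10:00:10 FAIL user=dave ip=203.0.113.13
2015-12-21T10:00:20 FAIL user=frank ip=198.51.100.7
2015-12-21T10:00:25 OK user=frank ip=198.51.100.7
2015-12-21T10:00:30 FAIL user=alice ip=192.0.2.9
"""

def block_stats(log_text, prefix_len=24):
    """Per source block: distinct IPs, distinct accounts, failures per IP."""
    stats = defaultdict(lambda: {"ips": set(), "accounts": set(),
                                 "per_ip": defaultdict(int)})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1] != "FAIL":
            continue  # skip blank lines and successful logins
        user, ip = fields[2].split("=", 1)[1], fields[3].split("=", 1)[1]
        block = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        stats[block]["ips"].add(ip)
        stats[block]["accounts"].add(user)
        stats[block]["per_ip"][ip] += 1
    return stats

def suspicious_blocks(log_text, min_ips=3, min_accounts=3, lockout=3):
    """Flag blocks where many IPs hit many accounts while each IP stays at or
    under the lockout threshold: the rotate-before-lockout pattern."""
    flagged = {}
    for block, s in block_stats(log_text).items():
        max_per_ip = max(s["per_ip"].values())
        if (len(s["ips"]) >= min_ips and len(s["accounts"]) >= min_accounts
                and max_per_ip <= lockout):
            flagged[block] = {"ips": len(s["ips"]),
                              "accounts": len(s["accounts"]),
                              "failures": sum(s["per_ip"].values()),
                              "max_per_ip": max_per_ip}
    return flagged
```

Per-IP lockout counters alone never see this pattern, which is why the aggregation is keyed on the block rather than the address.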

------
ColinWright
This looks to be very similar to the warning that Twitter was sending around a
while ago. Here:

[https://news.ycombinator.com/item?id=10722633](https://news.ycombinator.com/item?id=10722633)

That contains the text in the discussion, and links to the text, _etc._

------
oconnore
Just what middle-America needs, notification that the russkies are coming for
their baby pictures.

~~~
buro9
It's more likely to be the NSA nowadays.

It would be good if these notifications said where the attacks appeared to
originate.

~~~
WalterSear
Why would the NSA need to attack? They can just ask Yahoo for the data.

~~~
jlgaddis
Yep, or just intercept it themselves as it crosses the wire.

