
Yahoo Hacked - doctorshady
http://webcache.googleusercontent.com/search?q=cache:I8s8KmZhwXMJ:www.futuresouth.us/yahoo_hacked.html+&cd=1&hl=en&ct=clnk&client=firefox-a
======
secalex
Howdy, Hacker News. I’m the CISO of Yahoo and I wanted to clear up some
misconceptions.

Earlier today, we reported that we isolated a handful of servers that were
detected to have been impacted by a security flaw. After investigating the
situation fully, it turns out that the servers were in fact not affected by
Shellshock.

Three of our Sports API servers had malicious code executed on them this
weekend by attackers looking for vulnerable Shellshock servers. These
attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP
or WAF filters. This mutation happened to exactly fit a command injection bug
in a monitoring script our Sports team was using at that moment to parse and
debug their web logs.

Regardless of the cause, our course of action remained the same: to isolate the
servers at risk and protect our users' data. The affected API servers are used
to provide live game streaming data to our Sports front-end and do not store
user data. At this time we have found no evidence that the attackers
compromised any other machines or that any user data was affected. This flaw
was specific to a small number of machines and has been fixed, and we have
added this pattern to our CI/CD code scanners to catch future issues.

As you can imagine this episode caused some confusion in our team, since the
servers in question had been successfully patched (twice!!) immediately after
the Bash issue became public. Once we ensured that the impacted servers were
isolated from the network, we conducted a comprehensive trace of the attack
code through our entire stack which revealed the root cause: not Shellshock.
Let this be a lesson to defenders and attackers alike: just because exploit
code works doesn’t mean it triggered the bug you expected!

I also want to address another issue: Yahoo takes external security reports
seriously and we strive to respond immediately to credible tips. We monitor
our Bug Bounty (bugbounty.yahoo.com) and security aliases (security@yahoo.com)
24x7, and our records show no attempt by this researcher to contact us using
those means. Within an hour of our CEO being emailed directly we had isolated
these systems and begun our investigation. We run one of the most successful
Bug Bounty programs in the world and I hope everybody here will participate
and help us keep our users safe.

We’re always looking for people who want to keep nearly a billion users safe
at scale. paranoids-hiring@yahoo-inc.com
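The root cause secalex describes above (a monitoring script with its own command injection bug, hit by a payload that was aimed at Shellshock) can be reproduced in miniature. What follows is an added example, not Yahoo's script and not code from this thread: a hypothetical monitoring script that counts requests per User-Agent by interpolating a field read from the access log into a shell command, shown beside a version that does the same job without a shell. The tab-separated log format, the temp file name and the sample lines are all constructed for the demonstration.

```python
"""Command injection in a log-parsing script, independent of the bash patch.

Added example: this is not Yahoo's monitoring script and not code from
the thread. It models a hypothetical script that counts requests per
User-Agent by interpolating a field read from the access log into a
shell command, beside a version that does the same job with no shell.
The tab-separated log format, file name and sample lines are constructed
for the demonstration.
"""
import os
import re
import subprocess
import tempfile
from collections import Counter

# Constructed sample log: <client ip>\t<status>\t<user-agent>. The third
# line's User-Agent was chosen to break out of a double-quoted shell
# string; it carries no Shellshock signature, so bash's env-var parser
# (the code the patches fixed) is never involved.
INJECTED_UA = 'x"; echo INJECTED; echo "y'
SAMPLE_LOG = "\n".join([
    "10.0.0.1\t200\tMozilla/5.0",
    "10.0.0.2\t200\tMozilla/5.0",
    "10.0.0.3\t200\t" + INJECTED_UA,
]) + "\n"

# Shell metacharacters that must never reach a shell unescaped.
SHELL_META = re.compile(r'[;&|`$(){}<>\\"\']')


def write_sample_log() -> str:
    """Write SAMPLE_LOG to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOG)
    return path


def parse_fields(log_path: str):
    """Yield (ip, status, user_agent) tuples; skip malformed lines."""
    with open(log_path, encoding="utf-8") as fh:
        for line in fh:
            fields = line.rstrip("\n").split("\t")
            if len(fields) == 3:
                yield tuple(fields)


def per_ua_counts_vulnerable(log_path: str) -> dict:
    """BAD: builds 'grep -c "<ua>" <file>' as a string and hands it to
    /bin/sh. The User-Agent came from the network, so whoever sent the
    request chooses part of the command. Returns raw stdout per UA so the
    effect is visible."""
    out = {}
    for _ip, _status, ua in parse_fields(log_path):
        if ua in out:
            continue
        cmd = f'grep -c "{ua}" {log_path}'
        result = subprocess.run(cmd, shell=True, capture_output=True,
                                text=True, stdin=subprocess.DEVNULL)
        out[ua] = result.stdout
    return out


def count_ua_no_shell(log_path: str, ua: str) -> int:
    """If an external tool is really needed: pass argv as a list, with
    '--' so a UA starting with '-' cannot become a grep option. No shell
    parses the field, so metacharacters are just bytes in a pattern."""
    result = subprocess.run(["grep", "-c", "--", ua, log_path],
                            capture_output=True, text=True,
                            stdin=subprocess.DEVNULL)
    return int(result.stdout.strip() or 0)


def per_ua_counts_safe(log_path: str) -> Counter:
    """Preferred fix: do the counting in the parser itself; no subprocess."""
    return Counter(ua for _ip, _status, ua in parse_fields(log_path))


def suspicious_fields(log_path: str) -> list:
    """Defender check: list (line_number, user_agent) for fields carrying
    shell metacharacters, a cheap signal that someone is probing for
    exactly this class of bug in downstream tooling."""
    flagged = []
    for lineno, (_ip, _status, ua) in enumerate(parse_fields(log_path), 1):
        if SHELL_META.search(ua):
            flagged.append((lineno, ua))
    return flagged


if __name__ == "__main__":
    path = write_sample_log()
    try:
        print("vulnerable:", per_ua_counts_vulnerable(path))   # INJECTED appears
        print("safe:      ", dict(per_ua_counts_safe(path)))
        print("no-shell:  ", count_ua_no_shell(path, INJECTED_UA))
        print("flagged:   ", suspicious_fields(path))
    finally:
        os.unlink(path)
```

The defender's takeaway matches the comment's closing line: the injected `echo` is executed by `/bin/sh -c`, not by bash's environment-variable parser, so the patch level of bash says nothing about this code path. Passing argv as a list makes the whole field a single argument, and doing the count in the parser removes the subprocess entirely; the metacharacter check is the kind of cheap signal worth adding to log monitoring when a tool like this ever ran over untrusted fields.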

~~~
legohead
Patched twice? There are 7 known shellshock exploits (and 30 patches) so far...
[https://shellshocker.net/](https://shellshocker.net/)

Not knocking on you or anything, just more interested to know if all exploits
have been patched against, more than the # of patches applied.

~~~
tptacek
Before Yahoo poached him to be their CISO, Alex was one of the principals
behind iSEC Partners, our former arch-competitor and now sister company. He
knows what he's talking about. If he says they're on top of shellshock, my
money would be on him being right.

His team also recently poached Chris Rohlf, from his own company, no less, and
Chris is probably one of the best vulnerability researchers working.

(I have no affiliation whatsoever with Yahoo and while I like Alex fine, we're
not close friends. I'm pretty biased about Chris, though.)

This is more "vote of confidence" than your comment asked for; I'm just
heading off a potentially unproductive thread at the pass. :)

~~~
mbesto
This all sounds good - especially given your reputation for infosec.

However, genuine question - how do laymen (like myself) rate infosec
specialists? Imagine for a second I'm a senior exec at Target and IBN (IBM's
fake arch-competitor) comes to me and says "no worries about security, we use
256-bit encryption, bank grade security, etc etc". Do I believe him?

I feel like infosec is a "I don't know what I don't know" industry and the
consequences could be potentially dire.

~~~
tptacek
If I knew, I'd be a lot wealthier. :|

~~~
ams6110
How much are e.g. SANS certifications worth? I subscribe to their vulnerability
emails but they push the certification programs so hard it smells a little
like University of Phoenix.

~~~
tptacek
I'm not a fan of any security certification.

~~~
shawndrost
You make hiring decisions off of a home-grown security "course", right? You've
found that valuable -- would others?

~~~
tptacek
That's not an accurate summary of how we hire. We don't make decisions based
on the crypto challenges or Microcorruption; we use them to find people to
talk to. We have a whole process that actively evaluates candidates.

------
mukyu
This writeup doesn't really get to the point so, the tl;dr

He was looking for places to exploit shellshock by googling for cgi scripts.
Most of the ones he did find had already been hit by someone using a perl
script that made them join an irc channel that was being used as CnC. He also
joined it and monitored it. A bunch of different yahoo boxes were in the
channel and he saw some of them get rooted.

~~~
maximumoverload
Thanks.

This guy writes a lot of text but it takes him forever to get to the point.

~~~
Gigablah
The point was already in the article title and opening line.

------
madaxe_again
Not mentioned in the title, but important:

Winzip.com has been hacked as well. Do not trust their binaries.

Either this will be headline news tomorrow, or it will be suppressed in its
entirety. The OP will probably go to prison, unfortunately, as they will not
differentiate between this and black hat intrusion - the case will be judged
by someone who saw his nephew using a computer, once, and they _will_ go after
him, because they know who he is, and will not have any joy identifying the
actual intruders, and this will just go further to demonstrate that the spy
agency dragnets are as useful as a chocolate teapot in preventing and acting
against actual crime.

I hope he contacted a great defence attorney and the ACLU at the same time as
Yahoo and the FBI.

~~~
tantalor
Contrary to his claim, OP is clearly not a white hat "ethical hacker", since
he does not have consent from the owners of any of these systems.

> they will not differentiate between this and black hat intrusion

Should they? This reads like textbook unauthorized access to a computer
system,

> A quick `ps aux` on the box yielded...

This isn't just poking at web servers to see what secrets they freely reveal,
this is trespass.

~~~
chavesn
Trespassing is a good analogy. Neither all laws nor all violations of laws are
equal.

On one hand, there are the vandals, or outright criminals, who are using and
abusing my property for their gain to my detriment.

On the other hand, there's a passerby who knows about the criminals in the
area, knows no one else is looking for them, and trespasses my property
because the trail led him onto it.

Now that guy willingly alerts me to the criminals, offers an explanation of
what he did on my property and how he found the criminals -- what should my
response be?

I know that technically he broke the law, and there are those who want to see
anyone and everyone pay for their deeds, but in this situation, wouldn't a
reasonable person possibly consider tracking down the criminals first before
crying "trespassing!"

~~~
jMyles
It doesn't sound like this person trespassed at all, but merely traversed your
land during his investigation. He didn't do any damage or remove anything, so
what was the trespass?

~~~
bradleyjg
Trespass to land doesn't require damage, all it requires is the willful,
unauthorized, entry onto land in another's exclusive possession. Vandalism
requires that there be some property damage.

~~~
barrkel
This isn't true. You're overestimating the strength of property rights to
land. You should follow the link provided elsewhere in this branch of the
discussion -
[http://www.shouselaw.com/trespass.html](http://www.shouselaw.com/trespass.html)

~~~
jMyles
It's amazing how many people think that traversing and trespassing are the
same thing. Sadly, in many states, they are the same under the law.

I wish there were stronger free-to-roam laws. I don't think anybody has the
right to tell another person they can't traverse land so long as they don't
enter any structures, do any damage, take anything, disturb any wildlife, etc.

------
gopalv
Frick. A .pl CGI script on a production box?

All the yapache & yphp security fixes, and it is all undone by a .pl with
+ExecCGI.

They used to run "crack days" where all of us used to get kicks out of
breaking & entering prod, whatever means available.

Was a fun way to weed through such low-hanging issues, by a highly motivated
(i.e. otherwise bored) crowd.

I wonder if they still have them.

~~~
dTal
Golly. Who was this "they" and "all of us"?

~~~
darkstar999
People who use the word "frick" or "frickin'".

------
mrt0mat0
Am I the only one that thinks this kind of thing would be cool to see? I've
seen logs of attacks, but I've never watched a botnet irc live. that would be
crazy for me. Not really moving the conversation forward, but is this so
commonplace that I'm the odd man for marveling?

~~~
daveloyall
:) You're not the only one.

First, read this. Note the date. [http://www.crime-research.org/library/grcdos.pdf](http://www.crime-research.org/library/grcdos.pdf)

I read that shortly after it was originally published. And I thought to
myself: COOL!

I was seventeen. I had a spare Windows 95c (or was it 98se?) box laying
around, and some experience with inctrl5, a linux box which could operate as a
router, and some basic knowledge of tcpdump(1). Importantly, I could also
script the behavior of an IRC client.

At the time I was a channel operator in a relatively popular IRC channel on
EFnet... "Don't ask to ask!" :) Users would come in and request assistance
with malware all the time, so I was already roughly familiar with the
mechanisms of infection and CnC.

This is a long story that I must cut short: I ended up in the same CnC room as
Gibson did. Not the same type--the same one. I met some of the people in the
story. :D

~~~
na85
Do you still idle in that help channel?

~~~
daveloyall
Not for a while. I'm Sebboh. :)

------
Nyr
Mirror of the response, since the site is loading really slow:

[http://cl.ly/image/2E3D2H2B2d2t](http://cl.ly/image/2E3D2H2B2d2t)

~~~
pit
Classic. "Thanks for pointing out this insanely serious issue, which is
unfortunately not eligible for our bug bounty program." Maybe they'll send him
a free hat.

~~~
icelancer
Embarrassing. People should just sell their zero-days on the black market for
BTC until these companies wise up on paying out on "non-qualifying" bugs.
Facebook has done this too.

------
r721
"Though the FBI seemed intrigued by this, in my opinion, they aren’t moving
with any form of haste."

I am doubtful that FBI would share their plans and/or actions with OP.

~~~
jlgaddis
Exactly. It's not like they're going to call up the OP to give him status
updates.

------
onewaystreet
This guy works in the security industry and yet he couldn't google "yahoo
security" to find their security contact email address (second result for me)?
He was also unaware that Yahoo runs a Bug Bounty Program?

~~~
Zirro
According to this[1] article about the current issue:

"Before releasing this information, Hall emailed Yahoo and tweeted at its
engineering team and CEO Marissa Mayer.

It was confirmed to him that its servers had been infiltrated but Yahoo
refused to pay him for alerting them as it was not part of the company’s bug
bounty programme."

[1]: [http://www.independent.co.uk/life-style/gadgets-and-tech/new...](http://www.independent.co.uk/life-style/gadgets-and-tech/news/shellshock-romanian-hackers-are-accessing-yahoo-servers-claims-security-expert-9777753.html)

EDIT: The quote previously included "Yahoo is notorious for its disregard of
bug bounty hunters, having last year rewarded one such hacker who identified
three bugs in Yahoo's servers with a $25 voucher for company merchandise." but
I moved it here as it caused confusion regarding which issue the article was
referencing.

~~~
elliottcarlson
Please read the follow up:

[http://yahoodevelopers.tumblr.com/post/62953984019/so-im-the...](http://yahoodevelopers.tumblr.com/post/62953984019/so-im-the-guy-who-sent-the-t-shirt-out-as-a-thank-you)

(and HN discussion:
[https://news.ycombinator.com/item?id=6488897](https://news.ycombinator.com/item?id=6488897))

------
seren
This is a courageous disclosure, since the OP risks getting into some trouble
for his "ethical probing".

~~~
daveloyall
In the winzip email, he rambles about his mother.

Which makes his signature line pretty interesting. :)

> _A fool learns only from himself. A wise man will learn from the fool._

So he's got this 'honest fool' thing going for him. If he can marry that with
meticulous record keeping, maybe he'll be OK.

Of course, IANAL.

But ffs, I'm sick of this world where the defense "Wait, you misunderstand--
I'm the GOOD guy!" isn't good enough. Why isn't it?

~~~
antimagic
Well, mostly because if it was good enough, it would be the first thing out of
the mouth of every blackhat that was caught...

Or to put it in a slightly more nuanced fashion, as a blackhat I could
compromise your system, and then turn around and inform you that your system
was being compromised _whilst at the same time profiting from any data I had
already stolen_. If the company being contacted does not personally know the
person contacting them, it is not altogether unreasonable to treat the person
with great suspicion.

That said, people that _do_ have a public reputation for white-hat work
probably deserve to get a pass. This of course raises the question of how you
go about getting a whitehat reputation, because most whitehats get their rep
by doing the same things the blackhats do, without the profit motive.

~~~
AnthonyMouse
> Or to put it in a slightly more nuanced fashion, as a blackhat I could
> compromise your system, and then turn around and inform you that your system
> was being compromised _whilst at the same time profiting from any data I had
> already stolen_.

Which provides a perfectly reasonable way to distinguish the white hat from
the black hat. The black hat is the one making fraudulent charges to stolen
credit cards, or selling social security numbers, etc.

~~~
antimagic
"a perfectly reasonable way to distinguish"

Well no, not really. After all, the blackhat isn't telling you that they're
also busy selling your data to someone. And even if you are aware that the
data is being sold, the blackhat can claim that it must be another intruder
using the same flaw, and geez, you really should fix that!

~~~
AnthonyMouse
If the data "is being sold" then go arrest whoever is selling it. This is
basic police work. Someone is making fraudulent credit card charges? Go nab
the guy when he goes to pick up the merchandise, then turn him against whoever
provided the credit card numbers (if it wasn't the same person).

Doesn't that make a lot more sense than charging anyone who cuts across your
lawn with grand theft just because someone engaged in grand theft might cut
across your lawn?

------
benmmurphy
Mass scanning using ping back for shell shock was controversial. Starting a
remote shell would seem to cross the line.

------
chaostheory
Is this a new phenomenon? I always felt that Yahoo's systems weren't secure.
Until I shut down my Yahoo accounts, it would be a semi-regular occurrence for
both my Yahoo email and IM to send out spam to everyone in my Yahoo contacts
list. Am I wrong? I've since shut down my account since I got sick of dealing
with it.

~~~
rll
That's not a Yahoo hack though. When that happens it is almost always your
local machine that has been breached by a virus which simply reads the locally
stored contact list. And to answer your question, no, it is not a regular
occurrence for Yahoo, or any of the major players, to have their servers
hacked.

~~~
chaostheory
To my knowledge, my machine is secure. It wasn't Windows and I had both
anti-virus and a firewall active. For one thing, what made this strange was that I
haven't even logged into Yahoo for months (probably close to a year) when this
happened, repeatedly.

~~~
nitrogen
Another possible explanation is password reuse on a site that was breached.

~~~
chaostheory
I don't reuse my passwords.

------
sz4kerto
[http://webcache.googleusercontent.com/search?q=cache:I8s8KmZ...](http://webcache.googleusercontent.com/search?q=cache:I8s8KmZhwXMJ:www.futuresouth.us/yahoo_hacked.html+&cd=1&hl=en&ct=clnk&client=firefox-a)

futuresouth.us got Hacker News'd this morning.

------
milankragujevic
Here's a much shorter version that explains things in a less technical way...
[http://milankragujevic.com/post/65](http://milankragujevic.com/post/65)

------
markbnj
A pretty interesting read, despite the occasionally challenging style. If the
email to Mayer had been a little more focused then perhaps it might have
punched through. But in any case, kudos to the author for doing the work and
writing it up. I learned a few things. But at the same time, no kudos for
using what might be the most unfortunate metaphor ever. I suggest avoiding any
future attempts at picturesque description.

------
acostoss
Server seems to be having trouble keeping up with all the requests, so in the
meantime please use Google's cache[1] of the page

[1]: [http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://www.futuresouth.us/yahoo_hacked.html)

------
rdl
I wonder what best practice is for consumer websites which have domains like
yahoo.com which has mostly customers, and yahoo-inc.com for corporate, for
things like security@ addresses. It's reasonable someone wouldn't know about
yahoo-inc.com.

~~~
toomuchtodo
BCP is for domains to have abuse@, which for Yahoo.com should be tied into
their corporate security and intelligence group.

[https://www.ietf.org/rfc/rfc2142.txt](https://www.ietf.org/rfc/rfc2142.txt)

------
primitivesuave
Why didn't he use Shellshock to update bash on the vulnerable servers?

~~~
eyeareque
That would be illegal, unfortunately. If we could do that the internet would
be a much cleaner place for sure.

~~~
alvarosm
What he's been doing is illegal too anyway...

------
personjerry
Why is this a link to a cached version of the website?

~~~
personjerry
Ah nevermind, found the answer below. The site had problems handling HN
traffic earlier.

------
abjorn
Wow, Lycos is still around?

------
rkrkrk21
So when is Marissa Mayer's getting fired?

------
sauere
They got owned by Shellshock? Come on, Yahoo, really?

