Advertisment

Throwback: Major Goof-Ups That 2016 Tasted

When Tech-spins end into Tail-spins, the bruises can range from financial, social, data-related, goodwill-sucking to yes, even political. The dents will take time to get fixed but the lessons shouldn’t.

author-image
Pratima Harigunani
New Update
ID

INDIA: What a year! Just when we thought Volkswagen has pulled off the most embarrassing and most expensive technology-fiasco of the decade, quite many challengers sprung in 2016 and claimed the trophy for the banana-peel-slip-Champ.

Advertisment

Time for a quick rewind of some major contenders. The wet-floor sign notwithstanding, you would find some marquee names of the industry, and ironically, people with some of the best glasses in the industry. So what came tumbling down and why? Do watch out for the collateral damage in these tales too:

Yahoo to NoHoo

If you considered Scott Thompson, the executive who apparently lied about having a Computer Science degree when joining Yahoo, as embarrassment Numero Uno for Yahoo, you can’t be judged for dropping that jaw when the email-account-hack admission trickled in.

Advertisment

Yes, something of that scale, and that level of ignorance (or brazen negligence, as some chided Yahoo for) can really happen.

In a wreck wherein billions of accounts were surmised to have been raided, including Email addresses, phone numbers, birth-dates, hashed passwords, as well as encrypted-unecrypted security Q&As etc being swiped in the heist; Yahoo found itself glaring and staring like a glazed deer in the headlights. The bad news was not just that. This break-in had occurred months back and was surfacing (or being acknowledged, who knows for sure) just now.

Such attacks had happened quite some time back, with both state-sponsored hackers and a social engineering coup being suspected as the devices in these big-scale instances. Yahoo confirmed that information associated with at least 500 million user accounts was stolen and that the company was now working closely with law enforcement on this matter.

Advertisment

Experts have berated the company massively for being reckless enough to not upgrade its MD5 password hashing or using salted hashes (use of random data in one-way functions) which could have been related to the numerous accounts that got stolen. Of course, the company avowedly started resolving the chink by substituting MDS hashing with bcrypt, as a password scrambling mechanism.

Security mavens were found reacting in shock that Yahoo was using a hashing algorithm that was outdated, insecure and broken for two decades, had well-spotted collision vulnerabilities and a definite role in many security breaches.

Critics also lamented the gross carelessness which did not appear venial when put across the web giant’s chase for huge user counts. Its un-orchestrated and outmoded use of Perl, PHP, and C code and lack of two-factor authentication as well as app agility etc, compounded with the conspicuous absence of any efforts for password-reset requests to users; also came under a serious scanner.

Advertisment

But nothing can beat the delay in talking about the elephant in the room. Three years is a long time, and disclosure may not blunt the blow of an attack but it has to come in as soon as the breach is discovered.

There is more in the furrows than those umpteen lawsuits over the security breach that the company faces. Loss of user trust, security confidence and equity at a time when Verizon sits across the table for a big deal – those wounds are not so easy to recover from.

Specially so as the company has reportedly confronted security breaches earlier too – in 2009 and 2012.

Advertisment

Was it a state-sponsored actor responsible for the security incident? Was it the use of cookies that could have enabled such intruder to bypass the need for a password? Is it really Yahoo! user account data that the hacker claimed?

Well, those questions do not dilute the action and timing of the response. Yahoo did advise people to change password and was in another pickle too because if some user had forgotten the password then the unencrypted security questions had also been probably deleted from the system.

Could the company have reacted better? Could it have at least replaced certificates to mitigate earlier breaches? Offered some actionable, usable service to help users tide over the soup? Can something be done to salvage it all by protecting the actual damage that a hacker might be after - online identities because of a user’s tendency to use the same passwords and security question answers for other uses?

Advertisment

Meanwhile, Yahoo is already finding itself in the pan fire after a Reuters report points out the possibility that Yahoo was scanning the email of unknowing users for US intelligence agencies.

Clearly, firing Thompson after 130 days and with some $7 million damage was not so heavy a cross to bear. Yahoo is walking a Sisyphean trek. The stones of privacy, trust and security have become unwieldy and slippery enough in the last few years.

But then, the road is not so uphill when you find some company to share the beads of sweat and regret.

Advertisment

Wrong Links

When a hacker advertised information like user IDs, passwords etc about some 117 million LinkedIn users on darknet and put it for sale, LinkedIn found itself baffled and disoriented too. It was quite an extensive list by the sound of it, squeezed through a big botnet; and the attribution a cyber attack that the networking site dealt with four years ago, twisted the knife further.

The company was obviously found sealing avenues of penetration that were possible and was claiming to have resorted to ‘swift’ response but the scenario of hackers getting past its cybersecurity systems, and making their way to some easy-to-bend whitelist-companies were some glaring inferences that experts distilled though.

Not hard to ignore against a Déjà vu effect, when in 2012, LinkedIn had wrestled with another breach and compelled its users for account resets.

Once bitten, twice shy, it should ideally be.

But what if you get only bite to recover from? What if the anti-dote comes way too late?

Hillary’s Choice of Pigeons

When Donald Trump uttered with brazen confidence that if elected, he would investigate Hillary Clinton and her use of a private email system while she was secretary of state; or when he said during a town-hall debate that he would hire a special prosecutor to look into this; this was not a potshot. Even if it was, the shot hurt Hillary deep and unexpectedly.

Hillary Clinton was grilled non-stop by media and opponents alike for one seemingly-small slip-up. She had possibly set up a private email server, kept it in her NY home basement, for a private email network for her aides like Abedin, and her family, correspondence with the Clinton Foundation, world leaders, some consulting firms etc so that her emails remained away from the federal government’ s access.

Was this a mistake? Or a huge one at that? Well, for starters, the FBI investigation was triggered with the contention that she has violated the Espionage Act of 1913 and had created room for national defense information to become vulnerable.

But Clinton just made a blooper on going against a sworn statement and for obstruction of justice? Was it so grave a fault to cost her considerable damage during crucial US elections? Was it just political wood that her rivals made good fire of?

It has also been alleged that Hillary Clinton used this server, which was, incidentally, kept alongside the Clinton Foundation’s server, to correspond with President Obama. Now things become not so easy to gloss over when the server was suspected to have an open webmail portal – enough to jack up vulnerability to hackers and attackers. Or when you have some classified information on that server, which is an allegation Hillary refuted in her defence.“There was nothing marked classified on my emails, either sent or received,” she maintained.

Was it just a violation of State Department policy that requires government business to be conducted on department systems? Was it a mistake of high valence because of record retention or disclosure-evasion implications? Did a software-sweep through BleachBit really happen? Was the private server surreptitiously shipped to a non-descript place? Was it all a technical crime, but made in innocence? Was her private email system better than Gmail? She was not hacked but were their formidable attempts that could have happened?

Like an industry watcher rightly veered into, the questions do not end at Hillary. How could federal-level security miss this rogue server at all? Specially one that was supposedly running for quite some years and connected to other crucial department servers?

These are not the only gaffes that the industry had to grapple with. If run-of-the-mill emails and social networks found themselves tying some loose ends, some really futuristic concepts were not spared either. Blockchain is,  arguably, the latest kid on the block when one thinks of disruptive models. But then the DAO, Ethereum’s ‘s first Decentralized Autonomous Organisation, happened to lose millions because someone figured out a loophole in the smart contract concept, created a child DAO and exploited it cleverly (because it was not a fraud but an act of con-manship in the way the chain’s own principles helped the transfer of funds).

Credibility loss and a hard fork later, the pro-Blockchain community opened its eyes to some glaring gaps in the seemingly iron-clad technology. Embezzlement met the crypto-technology world in its own dining room and left with a new smirk.

So yes, even mistakes that seem harmless on the face value can cost a lot of questions and awkward answers. In a surreal pattern, all these blunders had precedents that should have equipped their victims better – whether it was the breaches that Yahoo and LinkedIn suffered a few years back or the change-your-phone-warning that Hillary was proffered during a foreign trip. If only, warnings could be stinks instead of whiffs.

Intentional or otherwise, whatever bloopers 2016 brought, there is always some lesson that can be carried forward to the years that follow. At least from now on: starting with 2017.

linkedin blockchain cyber-attacks yahoo hack hillary-clinton