Yahoo Hack Complicated by Rootkits and MD5 Algorithms

October 5, 2017

Author: Benjamin Baughman

Yahoo was doomed long ago.

Due to “recently obtained new intelligence,” Yahoo recently disclosed that all of its three billion user accounts have been compromised. Verizon’s purchase of Yahoo in 2015 became complicated when it was disclosed that nearly a billion user accounts had been hacked. This article discusses how rootkits and outdated hash algorithms potentially played a role in the world’s largest known data breach.

This recent evidence exemplifies how difficult it can be to identify and to eradicate a sophisticated exploit. According to Yahoo’s help page, they claim that forged cookies allowed bad actors access to user accounts by circumventing passwords, effectively tricking a web browser’s “remember me” functionality. Yahoo also stated that user password hashes were still using a MD5 hashing technique, which has been cryptographically broken for years.

For years now, MD5 has only been suitable for checking the integrity of files. An example would be when downloading a Linux distro, you are often given a MD5 checksum to verify that the ISO image hasn’t been altered in some way. Hashing is nonreversible in nature; hashes are matched to a corresponding hash (versus encryption/decryption techniques). Yahoo states that they have been working towards upgrading password hashing to bcrypt, which uses the blowfish cipher, includes a salting technique, and is intentionally slow to operate; these features help protect against rainbow tables and the ever-increasing amount of available computing power used for “brute force” cracks.

Continuously using the MD5 hashing algorithm could potentially be considered willful neglect. However, Yahoo may have been doomed long ago. One could easily surmise that Yahoo’s problems started years earlier when the US government “carelessly implemented” a backdoor into Yahoo’s mail server in an attempt to discover communications from “state-sponsored terrorist organizations.” Though the US government insists this falls under the Foreign Intelligence Surveillance Act (FISA), there aren’t any conceivable scenarios in which a cybersecurity professional would consider a “backdoor” acceptable.

Essentially, a rootkit, AKA backdoor, is a block of binary code that has been altered such that it retains its original functionality, yet allows access to the system in some other specific way. The back door becomes an easy and undetectable entry point for whomever is in control. Even after the original exploit has been discovered and patched, a malicious actor can still retain access to the system(s). Once inside, the bad actor can install other programs that hide their existence and cover their tracks (consider an installed program that overwrites network log traffic). Due to these types of situations, rootkits are extremely difficult to detect. Detection involves using behavioral-based scanning techniques, signature scanning, or a thorough forensics analysis of a memory dump. There are no sure-fire methods capable of detecting backdoors easily. Often times, you need to rebuild the system from the ground up to ensure that your system is completely secure again. In the case of Yahoo, this probably was not feasible.