Following the news about the latest development in the Yahoo data breach, namely that Yahoo may have allowed the US government to search user emails, Jeremiah Grossman, Chief of Security Strategy at SentinelOne, commented below.

Jeremiah Grossman, Chief of Security Strategy at SentinelOne:

“As a security professional, my first thought on this whole situation is what a government backdoor does to technology at a base level. No matter how noble the intention, the creation of any backdoor for any reason opens up risks that our adversaries can exploit. Even the most top-of-the-line, advanced security tools may falter in the face of deliberate vulnerabilities.

If this story is accurate, it indicates there were potentially three breaches on Yahoo’s network: first the hackers found selling user data, then the alleged state-sponsored attack currently being investigated and now a self-compromising exploitation via a government surveillance system.

The most notable missing piece from this story so far is its resolution—did Yahoo find what the U.S. government was looking for? Is the backdoor still in use, and if not, at what point was it active? These are questions we would all like Yahoo to answer. Users deserve transparency – they deserve to know how, when and by whom their communications are being accessed.

If Yahoo really did search its users’ emails using a specific string of characters rather than searching for specific sending and receiving addresses, it’s evident they really didn’t know how the surveillance target was sending messages. This would be taking a real shot in the dark—it’s risky enough to be scanning emails at all, and compromising the entirety of Yahoo’s email could be found as wilfully putting users at risk.

We have to remember Yahoo, like many others, is a global company with global operations, and therefore has to comply with laws in every country it operates in. If this information sharing was, in fact, the result of Yahoo following a “lawful order” by the U.S. government, it begs the question which other governments the company’s leaders might be following orders from – past, present and in the future.

Any company in the data business, like Facebook, Google, Microsoft and many others large and small, is going to carefully watch this story unfold. Then, they’ll decide whether they want to go along with government surveillance orders and comply without fighting back legally and technologically.

Though this is just the beginning of what will certainly be a developing story, the lesson we can learn for the time being is that end-to-end encryption must be used for everything possible. But unfortunately, we’re fighting an uphill battle when email providers (like Yahoo and Google) know that end-to-end encryption gets in the way of monetizing our data, thus becoming harmful to their business models. It’s time for companies that host personal, supposedly private communications to make a decision between user privacy and their own monetary gain – something many already have done.”

Information Security Buzz