Episode 1—Caution: Falling rocks

Breach podcast - Episode 1
 

Featured guests include:

Ben Johnson
Ben is CTO and co-founder of Obsidian Security. He previously co-founded Carbon Black and most recently served as the company's chief security strategist.
Twitter: @chicagoben

Katie Moussouris
Katie is CEO and founder of Luta Security. A noted authority on vulnerability disclosure and bug bounties, she developed bug bounty programs for Microsoft and the US Department of Defense. She’s also our favorite hacker.
Twitter: @k8em0

Arthur Lucchesi
Arthur is a Network Engineer with Layer 8 Security, LLC. He has more than twenty years of experience with network administration and information security.

Dr. Gavin Hales
Gavin is a Lecturer in the Division of Cyber Security at Abertay University. He covers topics like digital forensics, internet of things security and software development.
Twitter: @gmhales

Damon McCoy
Damon is an assistant professor of computer science and engineering at New York University's Tandon School of Engineering.
Website: http://damonmccoy.com/

Dennis Dayman
Dennis is chief privacy and security officer at Return Path. He has more than 20 years of experience combating spam, security/privacy issues, and data governance issues.
Twitter: @ddayman

Daniel Clements
Dan is an IT cybersecurity consultant who has worked with many three-letter agencies. We won’t say more than that.

Breach Episode 1 - Transcript

 

RECORDING:

You have one new message.  To listen to your messages press one.

Beep sound

 

CARSON (AS RECORDING):

Goodbye, from Yahoo.

 

ALIA:

Okay so, Bob.

 

BOB:

Yeah.

 

ALIA:

I had a Yahoo account like maybe a decade ago.  I don't even really remember- I couldn’t probably get into that Yahoo account.

 

BOB:

You just described everyone on the Internet.  We all had Yahoo accounts, none of us know what our passwords were. 

 

ALIA:

Do you remember what your email address was?

 

BOB:

Yeah, I’m not gonna say it though.

 

ALIA:

That's wise.  I was just about to willingly offer up what I think mine was.  So anyway, I had this Yahoo account, I don't remember what it was, but we’re doing this project, I haven't told anybody about it at this point except maybe like my husband, but one morning I wake up and I get this voicemail.

 

CARSON (AS RECORDING):

Goodbye from Yahoo.

 

BOB:

Goodbye.

 

ALIA:

Yeah. 

 

BOB:

Is this like a bad breakup that just you know somebody forgot to initiate?

 

CARSON (AS RECORDING): 

This was an attempt to verify your identity as part of a two factor authentication feature from any of your online accounts.  If you did not request a verification code or are unsure of why you are receiving these calls, the most likely scenarios are someone other than you attempted to access your account...

 

BOB:

So I don't quite know what you are supposed to do in response to that.  What did you do?

 

ALIA:

I just had like a minor freak out.  My sweet husband was like ‘should we get some protection?’  I’m like from what from who, I don't know who this is.

 

CARSON (AS RECORDING):

Or someone other than you attempted to use your phone number to complete a transaction online.

 

ALIA:

Why did I get that?

 

BOB:

Well, it could be the system’s working as advertised.

 

ALIA:

So, everything's fine, I signed up for these authentication voicemails like 10 years ago, and  the system is working.

 

BOB:

Or someone just tried to hack your account, change your preferences. 

 

ALIA:

I'm hacked.  This is Yahoo letting me know. 

 

BOB:

However, of course, in a world of hackers and scammers, these phone calls could just as easily be coming from a boiler room in Nigeria as they could be coming from Yahoo and you don't know.  When you just get a phone call like this, there’s really no way for you to know. 

 

ALIA:

So either I'm safe or I’m hacked. 

 

BOB:

Yes. 

 

ALIA:

This is Breach, a podcast investigating history’s most notorious data breaches, brought to you by Carbonite: How businesses protect their data.

 

MONTAGE/THEME

 

ALIA:

This season on Breach, we’re diving into the biggest data breach in history: the 2013 and 2014 hacks of Yahoo's entire user database.  And leading us on this journey is none other than Bob Sullivan.  He's a cybersecurity journalist, one of the founders of MSNBC.com, and the cyber Sherlock to my Watson. 

 

BOB:

I’m Bob Sullivan, I’m a technology journalist.  I’ve been writing about the dark side of technology for more than two decades and I've spent the last 20 years or so really worrying about things that are getting taken away from consumers without them realizing it.  And a big one is your sense of privacy and control, self awareness, self-determination. 

 

ALIA:

I am Alia Tavakolian, I’m a podcast producer.  I’m the producer of this podcast and apparent Yahoo hacking victim maybe.

 

BOB:

Well, there’s 3 billion of them, so odds are very high that you’re one of them.

 

CARSON (AS RECORDING):

Goodbye from Yahoo.

 

BOB:

Okay, scary message.  My problem is what were you supposed to do in response to that.  I was unclear.  Giving people a scary message and giving them no real options is a terrible thing to do. 

 

ALIA:

Okay, so if someone had gotten into my Yahoo account from a decade ago, they would've found I don't know like a stupid love letter to my high school boyfriend.  They might've found college applications or maybe like I signed up for the SAT with that email address.

 

BOB:

It’s already too much.  The name of your high school boyfriend is in there.  I guarantee your high school boyfriend's name has something to do with your personal security.  Most people think there is nothing in their email that they have to be afraid of, and that's the most frightening thing of all, particularly old email because like the escalation of privileges is so easy.  Okay so there's a college application in there.  Maybe it has your Social Security number on it; you forgot about that, especially from 10 years ago, you would have been much less sensitive to it back then. These things are treasure troves.  Your 10-year-old Yahoo account that you’re not even sure still exists, probably is the most risky thing in your whole digital portfolio. 

 

ALIA:

That's horrifying. 

 

BOB:

This is why people don't invite me to cocktail parties. 

 

MONTAGE of major data breaches

 

BOB:

Since the turn of the century we have had one high-profile hack after another, all the names that you know, Target, Home Depot, tens of millions of people, everybody's credit card, Social Security numbers flying all over the place.  It’s been a living hell both for technology folks and for consumers.  But the biggest hack that's ever happened, billions of people, happened way back in 2013, and we didn’t even find out about it until 2016, three full years later.

 

MONTAGE of Yahoo data breach breaking news

 

ALIA:

A lot of us remember a Yahoo hack, but it was just a blip on the radar, one name on a much scarier list.  Over the next few episodes we’ll explore how the Yahoo hacks matter more than I and probably most of us ever thought. 

 

NICOLE:

This was the biggest breach of a company ever. 

 

DENNIS:

3 billion, which actually ended up being the entire user database in the entire time that Yahoo's been opened. 

 

DAN:

Essentially hackers have taken over your Yahoo account.  And that again just morphs into more cybercrime.

 

DENNIS:

There's been some things happening right now in the underground.  There’s been some activities, some threats, some things that have been kind of got people kind of going ‘ooh okay this is getting really serious.’ 

 

BEN:

Where do the problems end?  You know like is the adversary still in there? 

 

NICOLE:

They suggested in the indictment that the Russian government officials were using that stolen Yahoo data to spy on American Government officials and some business executives.

 

ANDREI:

These days of course it’s not about spies, it’s about control. 

 

HARRI:

It's a completely different game.  The whole concept might be just to undermine the legitimacy, undermine the trust, undermine the concept of democracy. 

 

BOB:

We’re in this data Cold War already; it's already started.  There's been shots fired across the bow for several years.

 

KATIE:

So think about the exponential growth of the Internet today, and how much data we have online, and how much we trust the folks who are custodians of our data, and how much we can't opt out anymore.  That's really the thing.  We can no longer opt out. 

 

ALIA:

And for me, what started as a good story for a podcast, is growing more personal, more important, with every conversation we have. 

 

STEPHEN:

Yeah, this is crazy.  I cannot find any trace of it.

 

ALIA:

Do you think we were breached?

 

STEPHEN:

You know I- It’s been a constant worry of mine since we started this project.

 

ALIA:

Which is why I'm so glad we have Bob to help me make sense of this insane hack.

Yahoo: the insane hack. 

 

BOB:

Yahoo: everyone was hacked no one seemed to care.

 

ALIA:

But they should care.

 

BOB:

Well, you don’t know where to begin.  How you begin to figure out who to trust and who not to trust.  And without trust, relationships die, commerce ends.  So we are going to live with this problem, and it's sort of a meter that goes a little green a little red all the time.  But for my money, we’re in the red right now.  Like, the bad guys are winning, the trust is declining, and you know as a result we’re inventing things like Bitcoin to try to deal with this problem and they often create as many problems as they solve.  I’d like to think at a bare minimum we’re going to make people feel ‘oh you feel this too.  Thank goodness, because I thought I was crazy.’ 

 

ALIA:

Yes, and I-

 

BOB:

We’re here to tell you that you're not crazy.

 

ALIA:

That's right.  That's true.  That is what we’re here to do.  We’re here to remind you that you’re not insane. 

So before we jump into the Yahoo breaches, can you help us understand what a breach actually is?  I mean I feel like I hear that word all the time.  I hear there was an incident, or there was a breach, or a company was hacked, but I don't actually know what that means. 

 

BOB:

Well, you know it's- it’s a good question.  It's sort of a made up word.  We eventually - we meaning media and technology folks - kinda settled on it about 20 years ago.  It literally means like the hull of a ship has been breached, right, and now there’s water leaking out.

 

ALIA:

So, we talked to a lot of experts, and everyone has their own way of thinking about a breach.

 

KATIE:

A data breach is- 

 

GAVIN:

So, a data breach is- 

 

ARTHUR:

-an incident or an event that's going to expose protected information or confidential information- 

 

BEN:

It's similar to if someone just walks into your company and then walks out wheeling file cabinets. 

 

KATIE:

Certain amounts of protected data- 

 

BEN:

-some records, some trade secrets- 

 

KATIE:

-something like- 

 

ARTHUR:

-Social Security numbers- 

 

KATIE:

-or driver’s licenses- 

 

ARTHUR:

-bank accounts, credit card numbers- 

 

BEN:

-or it could be an insider that's accessing something they shouldn't have. 

 

GAVIN:

It’s usually a flaw in the way that the system’s been written. 

 

BEN:

Now the challenge is really that you just copy the files.  They come in, they make a copy of everything, and they leave, and it's really hard for you to understand what they took or why they took it. 

 

ARTHUR:

I haven't been able to come up with a good metaphor.  It is what it is,  it’s a data breach, it's a violation of your information. 

 

BOB:

My mother has a box, a strongbox is what she called it.  And it's got personal documents in it, birth certificates for all of us.  Everyone has one of these in their house, a treasure chest, a chest in the living room with you know the things that you would grab if there was a fire.  In a breach, a criminal has free access to that strongbox in your house.  They can sort through it, best of all it's an ongoing relationship usually, so it’s not just one snatch and grab it’s for months or even years.  Whenever they want, they can go into that strongbox and take out whatever document is useful to them.

 

ALIA:

What does it look like to scale up that metaphor for a big company like Yahoo? 

 

BOB:

So picture a strongbox, and then picture you know your mom actually is the keeper of the strongbox for the whole extended family.  So maybe there's like 20 of those strongboxes in the basement, and now let's double that another time, let's say your mom is actually the keeper of the strongbox for the whole town - that might be the records office in town hall or something right, so that's a lot of birth certificates, that's a lot of primary data.  Now I want you to picture not just all those strongboxes in the basement of town hall, but strongboxes in the basements of every town hall in America.  And now I want you to picture a tool that lets a criminal find exactly the birth certificate they want in less than a second for any purpose whatsoever, and outside of this magical facility we’re imagining is like a guy holding a golden retriever saying stay away.  That's the struggle that IT security teams face right now.  The responsibility is enormous as you might imagine, you know the resources are always not quite there.

 

ALIA:

So you're telling me a criminal could essentially just command F or control F that treasure trove of information and find whatever she or he wants?

 

BOB:

I need to find who Alia’s high school boyfriend was.  Bang. 

 

ALIA:

That's terrifying.

Do you think the people understood the complexity and the implications of what information was taken from Yahoo? 

 

BOB:

Absolutely not, no.  One of the biggest problems with it - like the Yahoo hack for example I mean we’ve been struggling with it here.  The more you look at it, the bigger it gets.  You know it began as okay so you know some hundreds of millions of passwords, but that’s happened before.  No, now we know it's this massive Russian conspiracy.

 

ALIA:

I really feel like you buried the lede, Bob.  Bob, when we started this, I just thought this was a story about a big data breach, and then you tell me it’s a massive Russian conspiracy with a cast of characters.  I mean, it's- it's an adventure!

 

BOB:

An adventure is one way to put it.  The US Government has indicted someone connected to the Russian Government in relation to this hack; that's never happened before.  It's really rare that we catch the bad guys in these kinds of crimes.  In fact it's really rare that we even learn how they were done or who a suspect is or even point a finger at a nation-state or a group or anything.  In this case not only do we have suspects, we have an indictment.  The indictment is one of the most colorful indictments I've ever read.  It's just full of detail about these foreign actors, some of them with direct links to the Russian government.

 

ALIA:

This is so wild to me.  So okay break this down for me.  You said earlier that this is like a heist like an Ocean's Eleven heist.

 

BOB:

It is.  It’s an operation that involves many layers and many different kinds of expertise and involves handoffs.  It involves a lot of wink wink from the Russian government, Russian FSB, the security force there, folks who have long-standing reputations in the Russian hacking community were involved.  And it involves an awful lot of data that ultimately-

 

ALIA:

So wait, is this like a James Bond movie ‘From Russia with Love.’

 

BOB:

Oh this is a spy movie for sure.

 

ALIA:

Yahoo the spy movie, not heist.

 

BOB:

Yeah, there’s nobody hoping to actually throw a bag of gold coins onto a train and run away in this movie.  This movie is all about gaining an upper hand in a cyber war.  People have been warning about a cyber 9/11 for so long that it used to be called a cyber Pearl Harbor.  We’re in this data Cold War already.  It’s already started.

 

ALIA:

And now, 500 million email accounts are the property of Russian intelligence, to Control F for whatever they want.

So, in a classic story we want to know the who, the what, the when, the where, and the why. 

 

BOB:

Sure.  Who, so we have an indictment with four people: two alleged FSB agents, one freelance hacker in Russia, and then one freelance hacker who was a Kazakh, but was living in Canada at the time.

 

ALIA: 

Who are those people? 

 

BOB:

Sushchin.  Sushchin? (Pronounced: SÜS-chin, SOOS-chin)

 

ALIA: 

Sushchin? (Pronounced: SOOS-chin)

 

BOB:

Sushchin.  Igor Sushchin (Pronounced: SOOSH-chin, EE-gor SOOSH-chin)

 

ALIA: 

Is it Belan or Belan? (Pronounced: buh-LAHN, buh-LAN)

 

BOB:

 I don't know. 

 

ALIA: 

This is what we’re going to find out right now.

 

ALIA & BOB:

Belan. (Pronounced: BEY-lahn)

 

ALIA: 

Belan.  (Pronounced: bey-LAHN)

 

BOB:

Alexsey Belan.  I don’t know, it’s Belan. (Pronounced: uh-LEHK-see buh-LAHN, buh-LAHN)

 

ALIA: 

Dokuchaev.   (Pronounced: doh-koo-CHAHY-ehv)

 

BOB:

Dokuchaev.   (Pronounced: doo-koo-CHAHY-ehv)

 

ALIA: 

Dokuchaev.   (Pronounced: dok-koo-CHAHY-ohv)

 

BOB:

Dmitry Dokuchaev.   (Pronounced: doo-MEE-tree doo-koo-CHAHY-ehv)

 

ALIA: 

Dokuchaev.   (Pronounced: doh-koo-CHAHY-ehy)

 

BOB:

Dokuchaev.   (Pronounced: doo-kuh-CHAHY-ehy)

 

ALIA: 

So then we have Karim Baratov.  (Pronounced: kuh-REEM BEYR-uh-tahv)

 

BOB:

Karim Baratov. (Pronounced: kuh-REEM BAR-uh-tahv)

 

ALIA: 

Baratov. (Pronounced: BEYR-uh-tahv)

 

BOB:

MrKarim.com.

 

ALIA: 

Mr. Karim.

 

BOB:

The chain of command goes right up to the highest law enforcement agency in Russia.  The FSB for those who don't know is, would be kind of akin to the KGB from the old Cold War days, but the FSB is a little bit more universal and a little bit more standardized, modernized, less spooky than like what we think of as the old KGB.

 

ALIA:

Okay so we've got Yahoo, this susceptible aging giant they own Email, Tumblr, Flickr.

 

BOB:

It's an enormous company that's kind of spun out of control and also the Internet shine is off of it.  People think of it as from the dot com era, not from the digital era, and it's led by Marissa Mayer.   (Pronounced: MAHY-er) 

 

ALIA:

I'm pretty sure it's Mayer.  (Pronounced: MAHY-er) 

 

BOB:

I've always heard Mayer, but-  (Pronounced: MAHY-er)

 

ALIA:

Yeah.

 

BOB:

She was a star at Google and now- 

 

ALIA:

Employee number 20 at Google.

 

BOB:

Yeah, and she’s largely credited with what we think of even today as the Google homepage.

 

ALIA:

She's the reason Google looks the way it does.

 

BOB:

She's going to be to Yahoo what Steve Jobs was to Macintosh.

 

NICHOLAS:

Yahoo had a big lead on Google in many ways and then it blew it.

 

ALIA:

Okay now, the What, and the When.

 

BOB:

The What is in 2016 we found out that at least hundreds of millions of Yahoo users had been hacked and their email address and other information had been stolen.  While investigating that, Yahoo found out about another attack that was almost as large, but that one involved Russian agents, allegedly.  The US government thinks that several Russians actually actively went in and hacked not just email addresses, but did even more serious hacking of Yahoo's systems.  So we have this 3 billion hack involving almost everybody, and then we have the slightly smaller Russian hack that was quite a bit deeper.

 

ALIA:

And what about the 3 billion, who did that?

 

BOB:

To this day, we have no idea who was behind the 3 billion hack, and what happened to the data.  It's just a big mystery involving almost everyone who's ever been on the Internet.

 

ALIA:

That’s insane.

 

BOB:

It's insane, it's frustrating, but that's cybersecurity.

The first time we have Yahoo and hack in a headline is August 1, 2016, when this guy Peace offers for sale 200 million Yahoo passwords for the bargain-basement price of a couple thousand dollars, and Yahoo very ominously did not deny it when they were presented with this.  So as far as we know, that's the first external evidence that investigation was going on. 

 

ALIA:

Where did it happen?

 

BOB:

Where?  I mean it happened in cyberspace, we know that.

 

ALIA:

And most importantly, Why?

 

BOB:

Of course you rarely get a satisfying answer to that in many cases.  I think we wouldn’t know the why of this for 100 years.  I think it's entirely possible with this kind of super spook operation that the value of this data that Russia has on American citizens on other people around the globe, might not become manifest for decades.  There could be an incident where something like this is used years and years from now. 

 

ALIA:

So if we’re thinking about Bob’s strongbox metaphor, the information inside the box is important, but even more important is who the guy is trying to get into the strongbox.  Are they powerful enough to do something with it?  In this case, the person who took a bunch of stuff from your strongbox was a powerful nation-state with extraordinary resources. 

We’re gonna take a short break so I can show Bob this email I just got from a Nigerian prince.

 

BOB:

I got the same one. 

 

ALIA:

What?

 

BOB:

Yeah. 

 

ALIA:

And when we’re back, we’ll try to make sense of an alleged vast Russian conspiracy.

 

CARSON:

And now, a letter to the hacker who has access to my email.  

Dear Hacker or your preferred Alias, 

Hello and welcome to my email.  You'll see I tagged important words in the subject line in hopes that you will search and find this note first.  Congratulations on your recent breakin.  It may be old hat for you, but I will never understand it.  I'm amazed, truly.  I have but one humble plea as you rifle through my email.  By now, I'm sure you’ve had access to all parts of my life through this email.  I only hope that you leave my insurance information alone.  I'm sure you know that medications can be incredibly expensive, and I would really like to only pay $10 a month for my birth control.  If you also get the urge to reply to some emails I've been avoiding, feel free.  You can find most of them in my flagged folder.  Wishing you all the best, Producer Carson McCain. 

 

ALIA:

We left off with the details of the Yahoo breach that we do know: the Who, the What, the Where, the When.  Every Yahoo account hacked in 2013 by ‘we have no idea,’ and 500 million accounts hacked in 2014 by a bunch of guys working for Russia's Federal Security Service, in a sophisticated, complicated way we can somewhat dive into thanks to the US indictment.  But it’s that Why that’s still bothering me.  Like, I know we might never know the exact reason why they launched this attack on Yahoo when they did, but what I want to know is a bigger Why.  Why would Russia even want our emails?  Why Yahoo?

 

NICHOLAS:

So basically, Yahoo was the internet in the beginning.

 

BOB:

Yahoo would have been one of two or three of the most powerful databases of not just Americans but worldwide government officials, citizens, people with security clearances, people in the military.  I mean it's almost a database of everyone.  And so getting access to all of Yahoo's emails or a large number of Yahoo's emails, would've been this incredible intelligence gathering operation for the Russian government and the Russian military.

 

ALIA:

Okay so but we do know that of the roughly 500 million accounts that these hackers potentially had access to, they only generated cookies for about 6500 of them. 

 

BOB:

What’s interesting about the Russian hack is they weren't looking for a haystack, they were looking for needles.  So they got you know hundreds of millions of pieces of information, but when you read the indictment they were looking for a couple of specific people in the Russian Athletic Federation.  They were looking for a couple of specific people in the government.  They were looking for journalists; that would be great place to go looking for them.  But imagine what it would be like if you were a dictatorial regime and you wanted to oppress the media, and you got access to journalists’ private email.  What an incredibly powerful tool.  You would know who they were talking to, you would find out who their sources were, you would know what stories they were working on.  That's the kind of thing that the US alleges Russia was doing with this Yahoo hack.

 

ALIA:

So what does this mean for the rest of us, the everyday people who aren’t the 6500 accounts Russia targeted?

 

BOB:

Well it means that everyone's a target and everyone's risk of being victims just went up.  I sometimes wonder if we shouldn't all have like thermometers on our bodies that go up and down based on the current risk status of our personal data, because it does vary based on all of these incidents.  However, this Yahoo incident is more serious than most, because some of the things that we’ve talked about, like they didn't just have the email address and the password.  We also know they had access to unencrypted security question answers.

 

ALIA:

What's your pet’s name? 

 

BOB:

What’s the street that you first lived on? 

 

ALIA:

Where was your mother born?

 

BOB:

What’s your college mascot?

 

ALIA:

What’s the make and model of your first car?

 

BOB:

What was your mom's maiden name?

 

ALIA:

What’s your favorite food? 

 

BOB:

So they might know what your teenage boyfriend's name was, or what your pet's name was.  They might be able to reset your password at other accounts, which is really really critical.

 

ALIA:

Control F dog.

 

BOB:

Control F insurance.

 

ALIA:

Control F full name.

 

KEITH (AS JJJS):

John Jacob Jingleheimer Schmidt.

 

BOB:

Control F dinner.

 

ALIA:

Control F parent.

 

BOB:

Perhaps your Yahoo email was your backup reset email for a Facebook account, or even for your corporate account.  Many people set these things up you know a decade ago, before most of us were even really thinking that much about security.  So the escalation path with the tools that they had from this Yahoo hack is really, really valuable. 

 

DAN:

Well the Yahoo breach had a lot of important issues to it.

 

BOB:

I talked to Dan Clements, because he's a good guy.  He helped invent the technique that let good guys lurk in criminal chat rooms, observing stolen data, and figuring out where it came from, and returning it to its rightful owner.

 

DAN:

So the Yahoo breach was very important to look at how many were breached, and then to drill down and look at the passwords that were available in the Yahoo breach, because those passwords led to other accounts.  And that was really the main reason why the Yahoo breach was so disastrous.

 

BOB:

So these hackers, like Dan, sit in these chat rooms and look at data going by: two stolen credit cards here, maybe a driver’s license there.  And then all of a sudden, a pile of data goes by too fast for the eye to see.  It’s obviously this massive attack.  Most of the time you know this is like sitting in a firehouse with very little going on, then all of a sudden, there’s a five-alarm fire.  Dan knows what those five-alarm fires look like and that's why we asked him about Yahoo.

 

DAN:

For one thing it looked like a lot of the passwords were not encrypted; that seemed to be the initial issue.  A lot of hacks you know the password is encrypted.  So that makes it a little bit harder for the bad guys to decrypt your password.  But the Yahoo passwords seemed to be in plain text and you know a lot of people have Yahoo accounts or an Amazon account or a Gmail account.  So once you have one of the big boys, that gives you an avenue to use that password to try and get into another account.  That database made it into the underground, and it was pretty quickly bartered and traded amongst hacker groups or pieces of it.  And you know it was an excellent database to try and obtain because then you can do spamming and phishing from that database.  And if you were to happen to get into somebody's Yahoo account, then you can email their contact list or their friends or their family.  

And the reason why you put breach data in a database - and we've all seen now that there are hundreds of breaches - is it allows you to compare data amongst say the Yahoo breach and the Target breach and other breaches.  So we can see somebody's password progression. 

In other words we might see the password they used at Yahoo, and maybe they tweaked it a little and they used a different password at LinkedIn or Amazon or Gmail, but it certainly allows you to drill down on somebody and possibly compromise another one of their accounts.

More than 6 billion records have been compromised, including say the Equifax database that had the choice Social Security Numbers in it.  So essentially with 6 billion records, where you as the consumer have been in a dozen or 20 different hacks, there’s so much information out there in the underground to look at and build kind of a virtual profile on each consumer, to see where you’ve opened accounts, what your passwords look like, what you buy, and basically just kind of clone you virtually.  And they want to do that, so that they can predict what your next password might be, or they might want to try and emulate you and go after your bank accounts.

A virtual profile would be all of your data that you've ever used online: your name and address, your credit card number, your Social Security number, your date of birth, your ZIP Code, and the IPs, the Internet protocols of where you dialed in from, like your home.  And so when we see 20 of those hacks of you, it gives us a lot of information on where you live, what your date of birth is, what passwords you’ve used at 20 different sites, how you’ve modified your passwords when you were forced to.  So it's essentially creating a virtual profile on you, that we can then use to go after something bigger, your employer or bank or whatever.  So when we have this virtual profile on you, and we’ve looked at your social media, we know what your likes and dislikes are.  And if we were to attack you or send you an email that was something very specific to you, something that might've been in your password, like your dog’s name, you might click on that, you might fall for that.

 

ALIA:

So even if your Yahoo account wasn't specifically interesting to the Russian Government, every email and password in your inbox is incredibly interesting to all the other hackers who have access to it now.  Let’s go back to Bob’s strongbox metaphor.  Each piece of info in your strongbox helps a hacker get into thousands of other strongboxes.  In your Yahoo strongbox, there is a recovery email link sent from your personal Gmail account.  And your Gmail has a slightly similar password to the Yahoo password they already have.  In your Gmail account, there is an email you forwarded from your work email.  That helps the hacker get into your corporation.  From there, they access your Outlook calendar, your boss’s calendar, your boss’s boss’s calendar. 

 

BOB:

It really is like rattling off our subconscious.  It's a- it's almost a transcript of what's going on in our mind all day long.  It's the most personal kind of communication.  I would argue probably more personal than if someone wiretapped you all day long and listened to you.  Email’s probably even more personal than that.  So if someone has access to read your emails, they know what's on your mind all the time.

 

ALIA:

All of a sudden what's in your inbox seems a lot more valuable, which made us wonder: how much do people really care about what's in their inboxes?

 

ALIA:

Hey, can I look in your inbox?

 

DAN FORSYTHE (MAN ON THE STREET):

In my inbox?

 

ANONYMOUS (MAN ON THE STREET):

Yeah go for it. 

 

TREY DROSE (MAN ON THE STREET):

I’ve got nothing to hide here.

 

ALATHEA HENSLEY (MAN ON THE STREET):

I don't think any secrets will be in there.

 

WHITNEY MCANALLEN (MAN ON THE STREET):

I don’t think you could really access much.

 

ANONYMOUS 2 (MAN ON THE STREET):

No one wants to steal my stuff.  Like there’s nothing to steal.

 

ROB WILSON (MAN ON THE STREET):

They wouldn’t find any passwords.

 

KRISTEN LAZARCHICK (MAN ON THE STREET):

They would find nothing really of interest, so they would probably be pretty bored.

 

DAN FORSYTHE (MAN ON THE STREET):

Oh this is- this is my paycheck, my paystub.  Here it is.

 

KRIS NORVET (MAN ON THE STREET):

Click on the link below to reset your password.

 

SCOTT MOSHER (MAN ON THE STREET):

I see a ton of private information.

 

ANONYMOUS 3 (MAN ON THE STREET):

Oh this is a good one.  This is my taxes.

 

ANONYMOUS (MAN ON THE STREET):

I lost my debit card and they sent me a claim.

 

SCOTT MOSHER (MAN ON THE STREET):

People’s salaries, people’s Social Security numbers, people’s dates of birth.

 

MIKE TROZZO (MAN ON THE STREET):

Activate your new card.  Here are all the places you spend- 

 

CARSON MCCAIN-GRAY (MAN ON THE STREET):

Here’s my healthcare, you could just click right in.

 

PETE COULTER (MAN ON THE STREET):

Here’s this person's name and email, and when they start, and how much they get paid. 

 

DREW CARINI (MAN ON THE STREET):

Like bank statements and-

 

PETE COULTER (MAN ON THE STREET):

I also keep all of my emails, so...

 

KRISTEN LAZARCHICK (MAN ON THE STREET):

Oh God, what does that mean?

 

ALIA:

So when it comes to Russia's hack of Yahoo, we know who, what, where, we can speculate why, or at least why it matters, but we left a big one off.  Thanks to the indictment, we also know how.

 

BEN:

Yeah, so-

 

KATIE:

Ah, phishing and spearphishing- 

 

ARTHUR:

It's a practice of sending emails- 

 

BEN:

-it starts with something that's seemingly kind of small- 

 

KATIE:

-when an attacker sends out something like an email- 

 

BEN:

Phishing is typically more of a broad spray and pray kind of thing, like you just send a lot of emails-

 

KATIE:

-to a number of different people in an organization.  That email is forged and looks legitimate and tricks the user into clicking on something. 

 

BEN:

Whereas spearphishing is a little bit more targeted- 

 

ARTHUR:

It’s directed at a person or group. 

 

KATIE:

-users in a network who are going to be more valuable to compromise than others. 

 

BEN:

-and so you might craft your message a little bit more, you might do more research and more reconnaissance on that person before it goes in. 

 

KATIE:

-looking for you know probable targets that have high value and tricking them into clicking on something.

 

ARTHUR:

Then you have whale phishing.  Whale phishing is where you go after big targets, where it’s a CEO or a ‘C’ title in a company, someone who has the keys to the company credit card or bank accounts.

 

DENNIS:

The number one risk if you will, or the one- the number one reason security breaches happen is us, individuals.

 

ALIA:

That's Dennis Dayman.  He has more than 20 years’ experience combating spam and security and privacy issues.  We’re gonna be hearing more from him throughout the series.  He is kind of my cyberhacking spirit guide. 

 

DENNIS:

In the case of Yahoo, there were actually two hacks that actually happened, believe it or not.  One of them was related to the Russian government, which I won’t get into all the details, but they wanted information, they wanted access to certain people's email accounts.  They hired a hacker who simply phished if you will, or right, they sent a fake email to somebody who had all of the keys to the kingdom, right.  They had all the passwords, or had one login that gave them access to everything.  The hacker got that person, that Yahoo employee, to click on an email, and when they clicked on that email and put in their credentials into this fake, you know, website, the hacker then basically had the keys.

 

ALIA:

The Yahoo hack in 2014, which allowed Russia to get access to 500 million accounts, all started with phishing and spearphishing emails targeting specific Yahoo employees.

 

BOB:

The big crime right now that's exploding on the Internet is called executive email compromise.  And it involves sending an email to an important person at a company, or better yet his or her admin, and tricking them into doing something horrible like wiring $1.5 million to a bank account overseas.  We live in these crazy times right now, where once upon a time, in order to do something like that, you would have to call someone sitting at their desk, between the hours of 9 and 12 or 1 and 5, when they had their work hat on.  Now imagine someone with a screaming baby in the arm getting out of the car at Costco, their shopping cart just hit somebody else's car, and on their phone pops an email that says I need a W-2 right now.  What are you going to do?  You can be vigilant 23 hours and 59 minutes a day.  All a hacker needs is that one minute where you are not on your game and you will fall for these things.  And the biggest piece of advice I ever give anybody is ‘if you think this can’t happen to you, you are the best target because it can happen to anyone.’ 

 

ALIA:

Maybe you trust yourself not to click a spearphishing link, but do you trust every one of your coworkers?  Do you trust everyone else who shares a server with you, Jan in HR, Michael the intern?

 

BOB:

And not just every one of your coworkers, but at every moment.  Remember that everybody has access to this email 24/7; roll over in bed in the middle of the night.  And all it takes is one weak moment from one fragile employee, who knows how, and the entire company is put at risk.

 

ALIA:

Yahoo had 10,000 employees in 2014.  It only takes one person, one click, for a hacker to get their foot in the door.

 

BOB:

The first really worldwide global malware shutdown was the result of somebody in the Philippines writing an email that said ‘I love you.’  Pacific love letter.  The love bug was the most massively successful malware probably in history, and it was just because it's- who's not going to click on a link that says ‘here's a love letter for you.’

 

ALIA:

Imagine you’re Yahoo.  One employee clicking a spearphishing email gets hackers into the system, but it's not just your company's info, it's everyone else's.  It's a breach of your company, and a breach of trust for every person who uses a Yahoo email address.  And then, surprise, a breach in 2013, where 3 billion people, every single Yahoo user’s info is now in the hands of someone else to use however they see fit.

 

CARSON MCCAIN-GRAY (MAN ON THE STREET):

My healthcare.

 

DAN FORSYTHE (MAN ON THE STREET):

My paystub.

 

MARTIN ARISTA (MAN ON THE STREET):

My taxes. 

 

ROB WILSON (MAN ON THE STREET):

My business contacts.

 

DREW CARINI (MAN ON THE STREET):

My bank statements.

 

SCOTT MOSHER (MAN ON THE STREET):

Social security information.

 

ALIA:

So Midroll and Carbonite hire our little production company, Spoke Media, to create a podcast about a big hack.  We were psyched.  I was psyched.  This was a big important story we were going to get to do, and I thought we had our ducks in a row but turns out- 

What does that sound like to you?

 

CHRIS BROWN:

You were hacked.

 

ALIA:

Yep, while working on a show about a hack, we got hacked.  More on that very personal, extremely humbling front, later in the series.

 

CARSON:

And now it's time for a hack fact.  Did you know that in 1983, there was a live televised broadcast of the discovery of a hack?  The BBC program ‘Micro Live’ decided to demonstrate email on their documentary series.  When they attempted to demonstrate email live on the air, they instead discovered a poem about cybersecurity and the dangers of poor password hygiene.  The poem was titled ‘The Hacker’s Song.’  This has been your hack fact.  Is that a dumb name?  Who knows?

 

ALIA:

A lot of people feel either in awe of or just helpless in the face of hackers, but some companies have just started hiring them.  It’s all very ‘Catch Me if You Can.’

 

KATIE:

I would say that you know I am- I am an entrepreneur who works with governments and large organizations to help them work with hackers.

 

ALIA:

That’s Katie Moussouris.

 

KATIE:

I am the CEO and founder of Luta Security.  And yes, I was among, you know, the very first wave of professional penetration testers on the Internet.

 

ALIA:

Which means she was one of the first of a generation of hackers to figure out how to make money off of hacking large organizations legally, with their permission.  Governments, banks, and big corporations, hired her to penetrate their security either online or in person, and let them know their weaknesses before criminal hackers could get to them.

My- my co-producer Carson and I, you know, we’re both like millennial women and we I guess look trustworthy, but we've been asking some strangers if we could look in their inboxes, and they all say- they have all said yes.  No one has said no, which is baffling to me.

 

KATIE:

What's really funny is, when I was a professional penetration tester, mostly I would do penetration testing via a computer, but occasionally I would be asked by a client to do physical penetration testing.  And that is a form of social engineering, where you're basically trying to socialize your way into places you're not supposed to be.  And we would do these exercises, I would try a series of attacks physically to try and convince people to let me in places.  And then a coworker, who is male, would try the exact same attacks and methodology, and guess what?  It was the underestimation that I could possibly be a threat that let me honestly waltz on into every server room I ever tried to get into.  I would even walk out with equipment.  People would hold the doors open for me, because you know chivalry is not dead when it comes to hacking, right. 

So yeah, I'm not surprised that you were underestimated.  I’m not surprised at all.

 

ALIA:

I guess we would make good spies or criminals of any kind really, because like you said, no one would suspect us.

 

KATIE:

That's exactly right.  Well, I mean, I- I would- one of my favorite ones of these physical penetration tests was, literally there was - I can't tell you who it was, but- and it was not a military installation- but there were armed guards, there was a perimeter, you had to you know be on a list to even get past the guard gate you know in the first place, and then you’d get a visitor pass, and then you know all of these steps.  

Well I basically just played stupid and you know said I was a temp, and that I you know ‘Oh, I'm just a temp; that's why I'm not on the list.’  And you know they let me through the first gate, and because I had gotten through the first gate, even though I wasn’t on the list, I was issued a visitor pass.  So that’s a failure in process.  And then suddenly I had a visitor pass, right.  

Then I have a visitor’s pass and it’s a different color than the regular you know highly, highly specialized internal employee passes.  You know it’s an orange, bright orange pass.  So then I’m walking through these secured areas and everything, and I find the place where they are actually doing new employee orientation, it’s a giant amphitheater.  And in the back of the room, there's a pile of blue, regular employee badges.  So I just walk up to the pile, and I sort through and find one that kinda looks like me, and all of a sudden now I’m a regular employee, and now I have further access into the organization.  

Then I started changing, you know, changing it up with what I was doing; I had a clipboard, right.  So you gotta have a clipboard, can't do this without a clipboard, need the clipboard, right.  But I have this clipboard, and then I’m walking around to different people’s areas, you know their computers.  I’ve got a blue badge on, so clearly I’m legit, and I’m saying ‘Oh hi, I’m from IT audit, have you noticed your computer slowing down?  Would you mind if I take a look?  Okay, great.  You know what, actually I’m going to have you type in your password here, and I need to download some tools from the IT storage.’  And that’s me, the attacker, sitting down at their computer, downloading hacking tools.  

Literally underestimated, just you know playing- playing a story that anyone would buy.  ‘Of course, yes yes my computer has been slowing down.  Of course it has.  Yes, please come take a look.  I would love for you you know- I would love for you to speed it up for me.’  But, yeah, all of it, you know, all of it boiled down to you know folks just assuming and assuming, and this chain of assumptions, starting of course, that I was harmless.  That was- that was their first mistake.

 

ALIA:

We assume.  We assume no one would want my emails.  We assume our emails are safe.  We assume even if our emails aren't safe, they’re harmless.  Our computers assume this is us logging in, because the password was input correctly.  We assume it's our boss when we get an email from his or her corporate account.  We assume someone wants to send us a message that says ‘I love you.’  And what if this is our greatest mistake as digital consumers, assuming any of this was harmless.  

A hack is an attack on our privacy, on our information.  In the case of Yahoo, maybe even our country.  But the more we talk to people, the more we investigate Yahoo, the more we realize it's not just a breach of your data.  It's also a breach of something else. 

 

MARTIN ARISTA (MAN ON THE STREET):

Definitely be disturbing, it- 

 

KRIS NORVET (MAN ON THE STREET):

That would be prob- yeah I would not be okay with that.

 

ALATHEA HENSLEY (MAN ON THE STREET):

That would feel awful.

 

ROB WILSON (MAN ON THE STREET):

You would feel violated.

 

CARSON MCCAIN-GRAY (MAN ON THE STREET):

There's no telling what they could've gotten their hands on, and that’s horrifying to me.

 

ALIA:

It's a breach of trust. 

 

KATIE:

Put it this way: back in 1999, everybody was worried about the Y2K bug, right, and the Internet was much smaller then.  It was much smaller.  If you think about it, there was a panic then, because even that level of dependence on the Internet that we had back in the late 90s, you know it still wasn't anywhere near the dependence we have on it now, and there was kind of global panic about what's gonna happen.  Are planes gonna fall from the sky?  And that was you know 18, 19 years ago.  So think about the exponential growth of the Internet today, and how much data we have online, and how much we trust the folks who are custodians of our data, and how much we can't opt out anymore.  That's really the thing.  We can no longer opt out.

 

BOB:

Sadly, there was this horrible decision made back in the 1960s about how we set up the Internet.  And it was essentially designed for maximum sharing and minimum security.  And we’re still living with the consequences of that.  There is no real authentication built into the Internet.  So when you get an email from someone, you have no idea if it's really from that person or not.  And that's the reality we live in every day now.

 

ALIA:

Earlier, you know we were listening to my ‘rando,’ terrifying Yahoo voicemail, and you said giving people a scary message with no options is a terrible thing to do.  If we do our jobs right over the next few episodes, we’re going to make the Yahoo hack real to people.  But are we kind of just doing the same thing that that voicemail did to me?  Are we just giving people a problem?  Are we just telling people ‘you should be scared, K bye?’ 

 

BOB:

Okay so you're on the highway going 65 miles an hour on the Pennsylvania Turnpike, and you see a sign that says ‘caution falling rocks.’  What are you supposed to do?  Do you hit the brakes? Do you get off on an exit?  It's literally the worst advice you can give and yet almost every single piece of advice we give people in this realm is essentially ‘caution falling rocks.’

 

ALIA:

So we know some of what happened in Russia's attack of Yahoo in 2014.  It matters because email matters, and betraying the trust in digital spaces matters.  It's everyone's problem.  It’s not a matter of if you’ll be hacked, it's a matter of when.

 

BOB:

So I have a friend who has a security company, and he also has a website called thirdcertainty.com.  This is his concept behind it: There’s three certainties now in life: death, taxes, and getting hacked.

 

ALIA:

So I mean it's the third certainty of life, so we’re all in this together, no one can opt out, this is happening to all of us, and we’re gonna figure out how to navigate through it.

 

BOB:

We didn't ask to get on this boat.  We were sort of put on it, but now we’re here, we gotta do something about it.

 

ALIA:

Hacking always sounded dramatic to me.  And with Yahoo, it definitely is.  A cast of characters, a massive nation-state, sophisticated cyber attacks, it deserves a soundtrack.  But mysterious Yahoo voicemail or no, this is all starting to feel more personal.  It feels horrible to realize someone out there is taking all of your information away from you.  No matter where you are, whatever you're doing, driving, washing the dishes, walking your dog, this is what it feels like to have your trust breached.  But this is what it sounds like:

Keyboard click

It doesn't sound like a heist or a spy movie.  It sounds like a regular day in 2018.  Caution, falling rocks.

On the next episode of Breach:

 

NICHOLAS:

The story of Yahoo really is the story of Silicon Valley. 

 

NICOLE:

At that time, Yahoo was so desperate to be relevant- 

 

NICHOLAS:

They had Mark Zuckerberg in the conference room at Yahoo headquarters, about to do the deal. 

 

NICOLE:

It was really weird to be explaining basic security to the Chief Executive of one of the biggest companies in Silicon Valley.

 

ALIA:

That’s next time, on Breach.

 

ALIA CREDITS:

Breach is a branded podcast brought to you by Carbonite, in partnership with Midroll, and Spoke Media.  You can find transcripts and show notes at carbonite.com/breach.  If cybersecurity reporting were tomb raiding, Bob Sullivan would be Lara Croft.  Our show is produced by Alia Tavakolian, that’s me, and Janielle Kastner, with associate producers Stephen Gardner and Carson McCain.  Thanks to Carson for reenacting verbatim that call I got from Yahoo.  Or maybe a Russian boiler room.  And thanks to actress Allison Johnson for portraying an automated message, because intellectual property lawsuits are best when avoided.  When Bob and I are in the studio, we’re recorded by Jared O'Connell.  Our show is mixed and sound designed by Mark Moncrieff.  The songs you hear are provided by APM Music.  Our executive producers are Alex DiPalma and Keith Reynolds, who has never had a Yahoo account, but his original email account at 14 was Saxy2100@Hotmail.com.  Special thanks to our slew of cybersecurity experts, Ben Johnson, Arthur Lucchesi, Gavin Hales, Dan Clements, and Damon McCoy.  Also, thanks to Dennis Dayman, my cybersecurity spirit guide, and Katie Moussouris, my favorite hacker.

 

BOB:

Okay, can someone fact check me on the age of an old gorilla?

 

ALIA:

Like ‘what is an old gorilla?’

 

BOB:

I think that they they live to be about 70 or 80, but- 

 

ALIA:

The 60-year-old is the oldest gorilla known in the United States.

 

BOB:

See, isn’t Google great?

The Yahoo data breach left three billion users' private information vulnerable for three years before the public learned about it. How did it happen and what can we learn from the largest known data breach in history?

In the first episode of Breach, technology reporter Bob Sullivan and producer Alia Tavakolian investigate the events leading up to the massive Yahoo breach. Find out how Yahoo unknowingly set itself up as a prime target for hackers, and what could have been done to protect the company.

Learn about tactics that hackers use—like "whaling" and password reset scams—to expose business and personal data. And hear details about how hackers use the dark web to create "virtual clones" of their victims.
