The Yahoo hack is old news by now, but it’s still worth pointing out how completely they failed. Not only did they not notice someone accessing this rather sensitive database, but all the user login information was stored in plaintext. (Encryption in general may be a trap, but with login information it’s a no-brainer.) Apparently whoever set up this back-end didn’t know much about security, and I can guess why.
Working for any large organization gives you intellectual tunnel vision. As a cog in a supermassive machine, there’s a lot you don’t need to know. The classic case of this is people who join the military and then find it very hard to function in normal society, but it applies to companies too. The organization requires its employees to do only a few things, therefore they need only learn certain skills.
(Judging by some of the other stuff I’ve linked to, there may be an ulterior motive as well: if the workers knew enough to divine the big picture, they might run screaming.)
The problem is, defending yourself takes a really broad background and a variety of seemingly unrelated skills. Depending on an abstraction layer is a recipe for getting betrayed by your dependency.
My guess is that’s what happened here: the engineer had always found the default access controls good enough, so he or she didn’t dig any deeper.
“What’s shocking about the development isn’t that usernames and passwords were stolen — that happens virtually every day. The surprise is how easily outsiders cracked a service run by one of the biggest Web companies in the world.[…]
“Yahoo failed fatally here,” said Anders Nilsson, security expert and chief technology officer of Scandinavian security company Eurosecure. “It’s not just one specific thing that Yahoo mishandled — there are many different things that went wrong here. This never should have happened.”
Nilsson said Yahoo screwed up on three fronts: The site should have been built more robustly, so it wouldn’t have been susceptible to something as simple as a SQL attack. It should have secured users’ log-in information, and it should have put the equivalent of trip-wires in place to set off alarm bells when such an easily noticeable break-in occurred.
“I mean, this is Yahoo we’re talking about,” Nilsson said. “With the security policies it has in place for its other sites, it should have known to at least put up a firewall to detect these kind of things.””