Yesterday, Yahoo announced that back in 2013, approximately 1 billion accounts were hacked, and information about those accounts (names, hashed passwords, dates of birth, and more) was taken. This is on top of the 500 million accounts that they announced last September had been hacked.

First off, Yahoo was using MD5 for hashing passwords. MD5 was shown years ago to be cryptographically insecure. I know engineers at Yahoo are pretty smart, but this is pretty dumb.
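As an added illustration (example code written for this page, not anything from Yahoo), here is what the MD5 complaint means in practice. Unsalted MD5 is fast and gives every user who picked the same password the same stored value, so one recovered hash unlocks all of them at once; a salted, iterated password hash does not. PBKDF2-HMAC-SHA256 from Python's standard library stands in as the salted, slow alternative; the iteration count, the storage format and the sample users are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two different users who happened to choose the same password.
USERS = {"alice": "correct horse battery staple", "bob": "correct horse battery staple"}

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune it for your own hardware


def md5_password_hash(password: str) -> str:
    """Unsalted MD5, the scheme the post criticizes: fast, and identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iterations$salt$digest'
    (an assumed format chosen so the verifier can recover the parameters)."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def compare_schemes(users: dict) -> dict:
    """Report whether each scheme gives users with the same password the same stored value."""
    md5_values = [md5_password_hash(pw) for pw in users.values()]
    pbkdf2_values = [pbkdf2_hash(pw) for pw in users.values()]
    return {
        "md5_collides_across_users": len(set(md5_values)) == 1,
        "pbkdf2_collides_across_users": len(set(pbkdf2_values)) == 1,
    }


if __name__ == "__main__":
    print(compare_schemes(USERS))
    stored = pbkdf2_hash("hunter2")
    print(pbkdf2_verify("hunter2", stored), pbkdf2_verify("hunter3", stored))
```

The point of the comparison is the first line of output: with MD5 both users store the same digest, so a leaked hash table exposes everyone who shares a password; with a per-user salt and a work factor, the same password yields different, slow-to-check values.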

Second, how do you let 1.5 billion accounts get compromised? Why does Yahoo not take security seriously? In an email to affected accounts, Yahoo said this about what happened:

Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.

Here’s what’s worrying about the announcement. They can’t seem to find out how it happened. They posted this on a Tumblr (?!) site:

We have not been able to identify the intrusion associated with this theft.

Wow. Seriously? 10,000 employees and you can’t figure out how your systems got hacked, again?

If you have been affected by this or a previous breach at Yahoo, here is my professional advice:

STOP USING YAHOO!

If you are using Yahoo for your main personal email, stop immediately. Use Gmail. Yahoo has shown it does not take security and the safety of your data seriously, so don’t use them. Even if we don’t take into account that Yahoo was scanning emails for content and giving it to US intelligence agencies, it’s not safe.

Change all your Yahoo passwords immediately. Email, Flickr, Fantasy Football, all of it. Now. Stop reading this.

I have a spare email address there I use for signing up for dubious-looking sites and other mailing lists, fantasy football, and some other things, and I’m changing my password there just the same.

R.I.P. our data.


Since the beginning of this blog in 2008, I’ve written many times about Amazon and Amazon Web Services. I use AWS tools like S3 every day for mission critical web projects and applications. I back up sites there, I serve media from there, I compute there. Even with all that, I barely scratch the surface when it comes to AWS products. There are so many products they continue to roll out, including their new business analytics tool, that it’s difficult to keep up.

For me, the main product I use is S3, their Simple Storage Service. Coupled with their CloudFront content delivery network, it’s allowed me to rest easy knowing that my site and app assets, from images to CSS and JavaScript files, serve quickly and efficiently. For the many years I’ve used it, I’ve watched Amazon cut the price they charge for each gigabyte stored. As they get more efficient and better at what they do, they pass those savings on to their customers.

Today is no different. Starting Dec. 1, 2016, Amazon is again reducing the pricing of storage in S3. For several regions, the cost per GB will be $0.023 for the first 50 TB you store. Two cents a gigabyte. Crazy.

I think it’s safe to say at this point that cloud storage is now a commodity. If you’re not leveraging these services for your university or business web app or site, you’re missing a great opportunity.

I think you’d be surprised to know that many large service providers use Amazon Web Services to power their infrastructure, even big names like Apple.

Yes, much of Apple’s iCloud offering is powered by Amazon. Morgan Stanley estimates that Apple spends $1 billion yearly on Amazon’s web services.

Same goes for Netflix. Rather than make huge investments in IT and infrastructure, using AWS ensures they can scale, so I can watch Black Mirror with no buffering in beautiful 4K. You can watch a video case study on Netflix’s AWS usage.

The list goes on and on: Spotify, Airbnb, Slack, Major League Baseball. They all use AWS because the service is robust and the costs are low.


Trump Spam Over Time

Let me start this post by saying this is not a political post. I promise.

I was looking at my Google Analytics account for this site the other day, specifically at the list of languages my website visitors were using. Anything look odd here?

Trump Spam in Analytics

Starting on November 7, I’ve been getting visitors to this site using the language “Secret.ɢoogle.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!” I don’t know where they speak that language.

That sure is an interesting way to spam a website, especially in a way that normal site visitors would never see. Whoever is doing this isn’t leaving Trump spam comments that get blocked, and isn’t doing referral spam to Trump sites; they are visiting the site with that string set as their browser language.

The timing of these visits is what stands out to me. The spam here really started on the day of the US election, and has grown ever since. Now that the election has come and gone, I don’t see the benefit of continuing to spam, especially when only people looking at Google Analytics will ever see that information.

Trump Spam Over Time

The other part of this that’s concerning is the URL.

Look at what they’re using: Secret.ɢoogle.com. Notice that it’s different from Google.com. The URLs are different, and for the average person who isn’t paying attention, that difference is potentially very dangerous.

I found this link from Martin Sickafoose at Purdue, who tweeted about it on Monday. That lowercase G in there, which you might just gloss over and click on, is not a G at all but the Unicode character U+0262. If you type in ɢoogle.com, you are not taken to Google, the search engine, but rather to this site:

xn--oogle-wmc.com

That URL is spam and dangerous. Don’t click on it.
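As an added example (written for this page, not code from the original post or from AnalyticsEdge), the following Python takes a list of Analytics “language” values, pulls out anything that looks like a hostname, reports every non-ASCII character in it with its code point and Unicode name, shows the ASCII-compatible (punycode, xn--) form the browser actually resolves, and flags hosts whose look-alike skeleton matches a brand on an allowlist. The sample values, the one-entry confusables table and the brand allowlist are constructed for the example.

```python
import re
import unicodedata

# Constructed sample values, as they might appear in an Analytics language report:
# the spam string quoted in the post plus ordinary language codes for contrast.
SAMPLE_LANGUAGES = [
    "en-us",
    "Secret.ɢoogle.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!",
    "de-de",
]

# \w matches Unicode letters in Python 3 str patterns, so hostnames containing
# non-ASCII characters such as U+0262 are captured along with plain ASCII ones.
HOST_RE = re.compile(r"[\w.-]+\.[A-Za-z]{2,}")

# Minimal constructed confusables table (a one-entry stand-in for a full
# confusables list): LATIN LETTER SMALL CAPITAL G is visually close to 'g'.
CONFUSABLES = {"\u0262": "g"}

# Assumed allowlist of domains whose look-alikes you want to catch.
KNOWN_BRANDS = {"google.com"}


def to_ascii_host(host: str) -> str:
    """ASCII-compatible (xn--) form of a hostname, lowercased first so ASCII labels normalise too."""
    return host.lower().encode("idna").decode("ascii")


def non_ascii_chars(host: str) -> list:
    """Describe every non-ASCII character in a hostname as (char, code point, Unicode name)."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN")) for c in host if ord(c) > 127]


def skeleton(host: str) -> str:
    """Replace known confusables so a look-alike collapses onto the brand it imitates."""
    return "".join(CONFUSABLES.get(c, c) for c in host.lower())


def lookalike_of(host: str):
    """Return the brand domain this host imitates, or None if it is the brand itself or unrelated."""
    sk = skeleton(host)
    ascii_host = to_ascii_host(host)
    for brand in KNOWN_BRANDS:
        looks_like = sk == brand or sk.endswith("." + brand)
        really_is = ascii_host == brand or ascii_host.endswith("." + brand)
        if looks_like and not really_is:
            return brand
    return None


def scan_language_values(values) -> list:
    """Flag hostnames inside analytics strings that carry non-ASCII characters or imitate a known brand."""
    findings = []
    for value in values:
        for host in HOST_RE.findall(value):
            odd = non_ascii_chars(host)
            brand = lookalike_of(host)
            if odd or brand:
                findings.append({"host": host, "ascii": to_ascii_host(host),
                                 "chars": odd, "imitates": brand})
    return findings


if __name__ == "__main__":
    for finding in scan_language_values(SAMPLE_LANGUAGES):
        print(finding)
```

For the spam string on this page the scan reports the host Secret.ɢoogle.com, the single odd character U+0262, the resolved form secret.xn--oogle-wmc.com (matching the xn--oogle-wmc.com site named above), and google.com as the brand it imitates; the plain language codes produce nothing. The same checks work on referrer hostnames, which is where most analytics spam shows up.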

If you want to filter that out of your referrals and other areas of Google Analytics, you can set up a filter. AnalyticsEdge has directions.

Are you noticing this happening in your Analytics? Is there anything we can do to stop it?