
Security Update

Updated 08/04/2017

Updates on Yahoo! Security, Verizon, and Our Involvement
   1.  Users of Yahoo! who changed their account passwords should be fine.
        Those who DID NOT CHANGE THEIR PASSWORD remain at risk and should change it ASAP.

   2.  It is understood that Yahoo! Groups is now under control of Verizon.

   3.  So far no changes, except for Terms & Conditions sent by Yahoo!, have been made.
        It is reasonable to assume Verizon has some input into the changes prior to transfer.

   4.  We have no statements from Verizon on their directions or intent with Yahoo! Groups.

   5.  We plan to continue operating as we have.

   Articles suggest the most recent attack(s) may have compromised 300 million
   user accounts. It is recommended that members change their password on
   Yahoo! accounts they may hold whether they are in active use or not.

   Articles suggest these attacks are targeted more at banks. Possible reasons:
   -  they don't want to report the attack to regulators, so they will pay the ransom
   -  this requires the purchase of Bitcoins, which drives their value higher
   -  one small bank in the US recently indicated they would wipe all of their computers
       clean and reload from backups, and refused to pay the ransom demands.
   -  the use of Bitcoins reduces the risk of capture from the financial exchange

   While Christmas has come and gone, the Bad Guys may not pay much attention to
   which scams are run when, as any day is a good day to get free money.

   While not exclusive to holidays, scams can come in many different types of e-mails,
   ranging from soliciting money for poor children, to stolen luggage and a need for
   money to get back home, an opportunity to get millions of US Dollars stolen during
   Middle East money transfers, Bibles for Iran, and on and on and on.

   Companies are moving towards voice identification versus PINs or Passcodes as a
   more reliable identity validation process. Avoid answering the telephone by
   using the word "Yes". Yes is the response frequently solicited from people opening
   new accounts over the telephone with automated systems. Along these lines, also
   avoid giving your first and last name until you know your caller.

   Use the standard practices to "sniff" out these scams such as:
   -  if a friend is in trouble, why do they not mention your name in asking for money?
   -  if a package has been lost, damaged or delayed, why do they also only have my
       e-mail address and no other information about me except in their attachment?
   -  if this is a government agency or court, why is everything in their attachment?
   -  if this is the IRS, they can only contact you by US Mail ... e-mails are illegal.
   -  if this is an award from a large multi-national US based corporation, why are they
       using a personal e-mail account in a foreign country?
   -  why is this well known company not including their logo in the e-mail?
   -  when hovering your mouse over all links and text, does everything contain the
       same link?
   -  if this is legitimate, why must I transfer Bitcoins to them at a strange address?


   UPDATE:  2017-02-23 - We have not seen anything from Yahoo! or Verizon on
                                           Verizon's plans for the Yahoo! assets being
                                           acquired. This includes their Internet operations and, it
                                           is understood, their on-line services, which would include
                                           Yahoo! Groups.

   UPDATE:  2016-12-14 - Yahoo! Provided Document
                                           Yahoo Security Notice December 14, 2016

   UPDATE:  2016-12-14 - Yahoo discloses the scope of the August 2013 attack,
                                           which involved over 1 Billion Accounts. Changing your
                                           password NOW can prevent future incursions into your
                                           account, but you may already have been hit earlier.

   UPDATE:  2016-12-11 - There have not been any updates found from Yahoo!
                                           The sale of Yahoo! is still on target but there are no
                                           specifics on what Yahoo! assets are being sold or what
                                           Verizon will do with those assets.

                                           This may be a good time to reduce your personal
                                           information on any Yahoo! accounts as this may be
                                           the single largest valued asset going to Verizon.

   UPDATE:  2016-10-05 - New reports indicate Yahoo! may have agreed to
                                          provide US Intelligence group(s) with e-mail content
                                          containing certain specific words. While a point of
                                          concern in some circles, if this is the full extent of
                                          the activity, there should not be a major concern to
                                          the membership due to the "reporting trigger" being
                                          specific keywords in the e-mail.

   UPDATE:  2016-09-30 - Business Insider reports a former Yahoo insider
                                          believes the hackers could really have stolen over 1
                                          Billion accounts.
                                          Business Insider article on Yahoo! Exposure - Sept 30, 2016
                                          Yahoo! Announcement of Hack (?)

   If you had a Yahoo! Account PRIOR to 2015 you need to change your password,
   even if you used a Non-Yahoo! ID for your access and/or e-mail with The CT
   Groups (which use Yahoo!’s system).

   Why are non-Yahoo! ID’s potentially involved?
   The “bad guys” reportedly gathered everything that was there and we must assume
   Yahoo! did not save Yahoo! IDs in a different place and in a different manner than
   any other ID that a user provided. Even then the risk of loss would still be possible.

   If you had an ID for Yahoo! (whether a Yahoo! ID or your personal e-mail account
   being used as a Yahoo! ID) prior to the end of 2014 but removed it starting January
   2015 and used the same ID and password for other purposes anywhere, be safe and
   change those passwords.  That ID and password were potentially compromised,
   thus creating a potential unwanted risk to you.

   If you DELETED the ID you were using for Yahoo! starting January 2015 and will NOT
   use the same password you should be safe. The smart move would be to retire the
   ID you used to avoid the loss of that layer of your security protection.

   Humans are creatures of habit and comfort, thus hackers are rarely wrong in
   assuming you will reuse the same ID and password over and over and over again
   with other accounts you hold.


   It was reported that:

        a)   An outside group, InfoArmor, Inc, indicates this was not “state-sponsored”
            but criminals who broke in, a group known as “Group E” who are believed
            to be Eastern European

       b)   Group E is believed to have stolen more than 2 Billion records from about a
            dozen web sites, including LinkedIn, Dropbox and Myspace (you really want
            to change these passwords as well)

       c)    Per the Wall Street Journal, Date of Birth, Phone Number, and ZIP Code were
            associated with the accounts – I have not seen a full list of information that
            was taken or believed to have been taken

       d)   As of Sept 9, 2016, Yahoo!’s securities filing for the pending sale to Verizon
            Communications was unaware of any “security breaches” or “loss, theft,
            unauthorized access or acquisition” of user data, which potentially will be
            part of future news reports.

       e)   Yahoo! indicated passwords were cryptographically protected. The Wall
            Street Journal provided InfoArmor with 10 Yahoo! account names, and the
            company was able to crack the cryptographic password protection on eight
            of them within a day and produce the passwords and other user information
            on these accounts. THE TWO THAT COULD NOT BE PROVIDED HAD COMPLEX

       f)     InfoArmor believes the database was taken from Yahoo! prior to Dec 4, 2014

       g)   It was reported the Yahoo! database was sold 4 times: to groups called
            Tessa88 and Peace of Mind and an unnamed third group. The fourth was
            reported to be a foreign government.


   Information on Passwords and creating Strong passwords



    The example below uses 28 characters of a song lyric, commas and periods
    from one song that you select and the strength is astronomical. Example:
    Let’s use The Beatles’ song “Let It Be” starting with the first word,
    “When I find myself in times of trouble, Mother Mary comes to me, speaking
     words of wisdom, let it be.”

     This contains:
     20 letters, 3 commas, 1 period = 24 items; we won’t count any spaces or periods.
     Yes, I know, the commas and periods are not in the original written lyrics but it
     helps the password strength and most people include the punctuation anyway.

     The password would be “WIfmit0t$MMctm$sw0w$lib7”.
     Yes, it looks complex until you hum the song and read the letters.

     The strength of this about
     which is very high thus it will be very time consuming to crack thus making it
     incredibly strong but very easy to remember!  Chances are The Bad Guys will
     simply have their computer move on to one of the other passwords for cracking.


     As a good rule, never ever use less than 10 characters today and the more the
     better as cracking passwords is getting easier with faster computers and studies
     on how people create passwords. The more characters the better your protection
     is over a longer time period. Remember two years ago, the minimum was 8
     characters so doing 20 or more is smart especially with this trick shown below.


     Password security strength is actually very simple:
     1.  it is a long string consisting of upper and lower case letters, numbers, and
          special characters to create the maximum number of possibilities in both
          items used and length of items in the password.

     2.  The more potential items used in the password and the longer the password,
          the larger the number representing the potential number of tries it may
          take to crack the password.

     3.  A password is not predictable, it is not something that is personal to you or
          your family or work, it is not something on anything you use or own, it is not
          found in any dictionary of any language including Klingon from Star Trek. It
          is an original complex creation.

     4.  Some of The Bad Guys are professionals on a thrill seeking event. Others are
          world class criminals who have many large computers and run a business of
          getting, cracking then selling this information. If a password is going to take
          too long to crack, it is costing them money thus they move on to the next one.

     If you want a strong password that is easy to remember here is a process you
     can use (which is in the link above):

        a)   Think of a song you know the words to but don’t go around humming or
            singing it to everyone

       b)   Take a few lines of the lyrics and write them down on paper using upper
            and lower case letters

       c)    Take the first letter of each word, including capitalization, and write it on
            the paper

       d)   Replace lower case “o” with the number zero, replace a period with the
            number seven and replace a comma with a dollar sign.

       e)   This password, most likely, will be significantly more secure than what you
            had and it is easy to remember


            If you follow the directions you have a potential of 26 upper case letters, 26
            lower case letters, 10 numbers and 33 (including space) special characters
            potentially used (total possibilities are 95 items).  As an example, let’s say
            you have:

                     28 letters, numbers and special characters in your new password.

            The strength is calculated as 95 items multiplied by 95 for 24 times.
            See the above example using just 24 items, or 95 raised to the power of 24
                - or -
            95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95
            x 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95 x 95
            (see the answer shown above)
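
            Steps (c) and (d) of the process above, and the 95-item count, can be checked with a short script. This is an added example, not part of the original notice; the function names are illustrative, and the figures are the size of an exhaustive search over all 95 printable characters, which is the calculation the page describes.

```python
import math
import re

ALPHABET_SIZE = 95  # 26 upper + 26 lower + 10 digits + 33 specials, per the page

# Substitutions from step (d): lower-case "o" -> 0, period -> 7, comma -> $.
SUBSTITUTIONS = {"o": "0", ".": "7", ",": "$"}


def lyric_to_password(lyric: str) -> str:
    """Apply steps (c) and (d): first letter of each word (case preserved)
    plus any comma or period that follows the word, then substitute."""
    out = []
    for token in lyric.split():
        # Drop quotes, apostrophes etc.; the procedure keeps only , and .
        token = re.sub(r"[^A-Za-z0-9.,]", "", token)
        word = token.rstrip(".,")
        if word:
            out.append(word[0])
        # Each trailing comma/period becomes its own password character.
        out.extend(token[len(word):])
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in out)


def search_space(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of candidate strings an exhaustive search must cover."""
    return alphabet ** length


def search_space_bits(length: int, alphabet: int = ALPHABET_SIZE) -> float:
    """The same quantity expressed in bits (log2 of the search space)."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    # Lyric quoted on the page.
    lyric = ("When I find myself in times of trouble, Mother Mary comes "
             "to me, speaking words of wisdom, let it be.")
    pw = lyric_to_password(lyric)
    print(pw, len(pw))
    print(f"{search_space(len(pw)):.3e} candidates, "
          f"{search_space_bits(len(pw)):.1f} bits")
```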


       Personally, I sleep very well with passwords like this.

   1.  A very strong password is easy to create and remember,

   2.  Change your Password(s) if you created your Yahoo! ID -or- other ID used
        as a Yahoo! ID anytime in 2014 and before January 1, 2015,



   It is unfortunate we are all going through this process.