Yandex Said It Caught an Employee Selling Access To Users' Inboxes (zdnet.com) 35
An anonymous reader quotes a report from ZDNet: Russian search engine and email provider Yandex said today that it caught one of its employees selling access to user email accounts for personal gains. The company, which did not disclose the employee's name, said the person was "one of three system administrators with the necessary access rights to provide technical support" for its Yandex.Mail service. The Russian company said it's now in the process of notifying the owners of the 4,887 mailboxes that were compromised and to which the employee sold access to third-parties. Yandex officials also said they re-secured the compromised accounts and blocked what appeared to be unauthorized logins. They are now asking impacted account owners to change their passwords. It also said that there was no evidence to suggest that user payment data was accessed during the recent incident.
Well, Russkie Oligarch, (Score:3, Insightful)
learn your lesson, you don't hire former Comrade KGB Major as "security expert" without hiring all his baggage, including the propensity to sell his own mother, wife and kids for hard currency.
Re: (Score:2)
The real lesson to learn. People with passwords, pay them real well, they basically hold the corporations life in their hands. Access to email account, really odd though, sounds more like commercial and industrial espionage. The pattern behind the selections of the exposed users could reveal a lot.
Every nation in the world faces that problem. The tech people with the keys are paid a whole lot less than the bean counters at the top and this presents real security problems, which has been exposed repeatedly a
Re: (Score:2)
The real lesson is that this is not a problem to resolve with more pay. This problem's true solution is to not to design systems that have full-access administrator accounts.
One would think that with the many tools available, someone would finally start doing it, but alas... It ain't happening.
Re:Well, Russkie Oligarch, (Score:4, Insightful)
Guess what; the real solution is neither one nor the other. It's both, and a bunch of other actions all together. Yes, a system that's well designed will be much better than just relying on people. However, you need the good trustworthy people too. Nothing is perfect and if they are well paid and loyal, when they find that hole, they'll report it to you instead of exploiting it. And then you need more. Things like a paranoid attitude. When one technical employee reports a hole, check if any others have been exploiting it. Then when you catch them, don't let them know before you find out who they have been exploiting for and why. Then, when you fix the problem follow up on it and make sure anything else related and similar is closed too.
Just relying on one thing, even good quality software, will never be enough. Layered approaches, paranoia and verification. Defence in depth.
Re: Well, Russkie Oligarch, (Score:1)
At some point you have to give someone the keys. Many of us have access to data centers with millions of dollars of equipment and potentially billions of dollars of information. There are hundreds of ways to sniff network traffic or compromise servers without any passwords if you have physical access.
It doesnâ(TM)t matter that you have the latest and greatest firewalls and intrusion detection. Someone will have to reset the passwords, someone will have to create the user accounts.
Re: (Score:2)
Your ignorant beliefs still no substitute for knowledge and skills, but on the upside you can try applying for a security job at Yandex.
Re: (Score:2)
Re:Well, Russkie Oligarch, (Score:4, Insightful)
Re: (Score:2)
Maybe they do, but the topic is Russian internet companies and the choices of "security experts" they make.
Re: (Score:3)
Are you sure its a maybe ?
The entire American economy is about doing anything for money, including selling out your country.
A prime reason that China is as rich and powerful today is because of Americans shipping as much as possible to cheaper places to save a buck.
Go watch Hollywood or listen to music, rich and money is glorified above everything else.
Re: (Score:2)
My take on the situation: They probably knew this was going on. They probably benefited from it themselves. It's likely that something came up that compromised the operation, threatening for it to become public knowledge, causing a lot of damage to powerful people.
So they did what most large and powerful organizations (yes also Americans of course) do in such a case, they get ahead of the curve by finding some patsy they can blame everything
Re: (Score:2)
Who is "they"? Due to my consulting or partnership tasks, I wind up talking to different personnel in distinct groups of a company, and people in one group may not know or may simply be lied to about what security practices exist. Access to user's passwords is far too common: The ability to forward _all_ of someone's email, or to provide privileged access to all their mailboxes, is often built into the system.
The ability to monitor email at scale, and at whim, was built into US telecoms to support the "Carn
Re: (Score:2)
That's how it usually goes in my experience. The higher ups often do know to some degree degree at least what is going on, tolerate it, and or even participate in it by taking a cut.
The first example the comes to my mind right now would be Diesel Gate. From what we know now it's been some executive decisions that caused the entire thing to to happen. But when i
Re: (Score:2)
Your perspective is interesting. Make no mistake, email monitoring is widespread in the USA. Look up the "Carnivore" program, which has been upgraded and renamed, not discarded as a practice. And look at details published by Edward Snowden about illegal domestic monitoring by the NSA. And sadly, as long as such tools are widely used for officially snactioned monitoring, and as long as that monitoring is done in secret without court orders or notification to those monitored, it will be used illegally for per
Re: (Score:2)
I'm not denying that this is widespread in the USA.
Even where I live here in Germany the BND forks all traffic from DE-CIX, the largest internet exchange point in the world.
They say that they only do it for foreign traffic, but can't always distinguish between foreign and domestic traffic. So what they're saying is that they're trying to monitor everything, all the time. DE-CIX also sued in court against the snooping by the BND. They've had some progress [de-cix.net] recently. But until
Re: (Score:2)
> So why can't we discuss Yandex without having to point fingers at others
Because the monitoring of email is built into the system. It is pointless to blame an ISP for failing to use the right technology protect individual user's email when arbitrary access to individual email is both expected, and mandated, by their federal government and their security agencies. They are effectively _prohibited_ from thoroughly protecting individual email by the need to answer subpoenas and Patriot Act requests in the
Re: (Score:2)
That's what I don't get. To me these look like entirely separate issues.
One that is a problem for people that use US services and one that is a problem for people that use Russian services.
In the end this means there are two problems (there's a lot more, like that DE-CIX issue in Germany, stuff in the UK, France, China
Re: (Score:2)
It's endemic to ISP's that they access private email. They are not permitted to operate _without_ providing administrative access to private email. It's the ideas that this can be solved through technology, through providing robust private encryption of stored email and thorough password based access, that I'm trying to point out is sadly naive. It's the same problem, and it's not a technological issue. It's a social and legal one. Services that provide robust personal security are harassed and face compell
Re: (Score:2)
But I still do not understand why we would rather discuss the US here.
And as far as being compliant with government mandated stuff, ISPs in Germany, among them the largest one the Deutsche Telekom refused to implement data retention technology. They sued and the German Constitutional Court ruled that forcing private companies to implement data retention was unconstitutional. They came to a similar ruling with the DE-CIX and BND case last year.
Now that
Re: (Score:2)
I'm fascinated that the Deutsche Telekom refused to implement data retention technology. I also strongly suspect that they lie about this, or at least permit live monitoring of transmitted email. It's not possible to run an email system without some storage of the messages for forwarding to the target SMTP server, and monitoring of the SMTP traffic at the trunk fiber links can provide _enormous_ access to sensitive email. Look up "Room 641a" in the history of email monitoring by US intelligence agencies, or
Huh? I'm a little confused (Score:2)
I'm not sure I'm following you.
The article says their security team caught a customer service admin selling access, to the accounts that admin was allowed to access.
That's the security person's doing wrong how?
By they catching the guy?
Did one of us misread what happened?
Re: (Score:2)
It is a case of:
1. Ensure that a corrupt employee cannot access mail and other personal data technically. Google had similar site engineer problems including a couple of very public cases in Ireland years ago.
2. Ensure you pay people adequately. Though if you do not do "1", this will never be enough because in a large company there will always be an idiot to do that. Once again Google example is a proof of that. They pay ASTRONOMICAL money by the Irish standards, but that has not prevented
Re: (Score:2)
Unfortunately, ISP's and telecoms are served warrants, subpoenas, or security orders to provide just such access. The inability or unwillingness to provide such access to local law enforcement, whether or not the order is legal, can get a business shut down _very_ quickly.
Its the firing squad for him (Score:1)
Re: (Score:2)
No worries, the FSIN will Gulag the guy before the night is over and turn him into a pajamas Ivan Denissovich.
In Russia (Score:2)
This is why things should be encrypted (Score:1)
Only one? (Score:2)
Either you are a lucky bastard or an unlucky liar!
Nice (Score:2)
The employee got a promotion.
it is a common practice in Russia (Score:1)
it is a common practice in Russia to sell personal information, phone billing information, past travel information, all sorts of data is available on the 'black market' (in reality it is right in the open, left, right and center. Reputation institution is not well developped in that country, so companies don't care much, but maybe it became a little scarrier for companies now, that Navalny and Bellingcat posted videos https://youtu.be/smhi6jts97I [youtu.be] using this type of information to uncover the group of FSB
Really? (Score:2)
B-b-b-ut Donald Trump said the Russians are innocent cherubs!