Yandex & Facebook & Meddling, Oh My!

A couple of years ago I discovered that Yandex, roughly described as Russia’s equivalent of Google and a known SigInt partner of the Kremlin, had installed key loggers on dozens of the Internet’s top web sites, including a leading porn payment gateway. This gave Yandex access to the login credentials, personal demographic data, account recovery details, credit card info and, in the case of the porn gateway, the kink preferences of tens of millions of users.

Naturally I tried to report this. First to the FBI. Then to my Senators. I got nowhere and eventually I was just tweeting about it to random strangers in government and IT Security. Nothing. This is the worst-case wide-scale compromise I’d ever heard of, it was happening in plain sight, and nobody seemed to care. This resulted in the most severe episode of Cassandra Syndrome I’ve ever had and nearly led me to quit IT Security altogether.

Fast forward to yesterday, when my friends Joyce and Doc Searls forwarded an NYT article describing unusual access to the personal data of Facebook users that was granted to Yandex. I see this as a chicken-and-egg problem. The news reporting suggests that the Facebook data leak was a primary vector. To my way of thinking, the Facebook data leak is the kind of thing an attacker escalates to after stealing login credentials and compromat, such as that obtained from the key loggers I found.

Why is that? The thing I identified was Yandex keystroke loggers stealing IDs and passwords off dozens of top web sites, including one of the biggest porn payment gateways on the Internet. So at the very least, that gave Yandex full demographic data, card data, and excruciating detail of the kink preferences and porn consumption volume of tens of millions of compromised users. At worst, as many as 60% of those compromised users will also have used the same credentials for their banking accounts, exposing them to catastrophic financial loss.

Yandex can then contact a high-value target and threaten “if you don’t do what we want, we’ll release proof that you spend lots of time searching for and watching [fill in your kink] porn.” They know exactly what kind of porn it is and even if the target is watching from work. Or in the case of the people whose bank accounts were compromised the offer might be “do what we want and we’ll give you your life savings back.”

Gulp. That’s substantial leverage.

Who might they approach with this deal and what kind of things would they require? Developers/architects/system admins at Facebook seem likely. Or the same people at any bank. Or Equifax. Or Target. Whoever ran Podesta’s email server. How about Republican members of the [House|Senate] Intel committees?

Incidentally, password reuse is estimated at between 30% and 60% depending on who you ask, and the practice tends to skew toward older folks. That makes the membership of both houses of Congress among the population most likely to have had their bank accounts compromised from the Yandex key logger. If anyone’s porn habits aren’t compelling blackmail material, hijacking of their bank accounts would be.

Of course I don’t know for sure that Yandex is saving the sensitive personal information to which their key loggers give them access, or if they are that it has been used as I’ve described here. But the key loggers are operating in plain sight. It takes no special skill to see them in the wild. The question to ask then is how likely is it that Yandex built and deployed an extremely effective Internet-scale compromat generator completely by accident, has no clue what it’s good for, and hasn’t exploited it?

Assuming that scenario seems unlikely, the next obvious question is whether we should assume that the compromise hasn’t already been exploited against high value targets in government, media, political party leadership, and people with root access all across the public and private IT admin landscape. Given the degree of vulnerability and scale of the key logging, compromise of at least some people from all these groups is a near-certainty.

We tell people they can’t possibly be safe on the Internet without antivirus and malware detection software installed locally to prevent things like keystroke loggers. At the same time we enshrine into the HTML and other net standards an architecture that guarantees server-side keystroke loggers always work and are ubiquitous. That someone would exploit them was inevitable, as was that people in positions of power would be among the compromised users. Whether it has been leveraged by Yandex as I describe is an open question, but it would be naïve to operate on the assumption that it hasn’t.
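The architectural point above is that any third-party script a site embeds runs with full access to the page, form fields included. The standard control for that is a Content-Security-Policy script-src allowlist, which decides which script origins may execute at all. The matcher below is an added example, not code from the post or from any site or vendor it mentions; it is a simplified version of the CSP host-source rules (nonces and hashes are left out), and the policy strings, page origin and script URLs are constructed.

```javascript
// Added example: a simplified Content-Security-Policy script-src matcher.
// It shows how an allowlist decides which script origins may run in a page
// (and therefore read its form fields). Constructed inputs; names are this
// example's own, not anything from the post.

// Pull the source list for scripts out of a CSP header string.
// Falls back to default-src, as browsers do, when script-src is absent.
function parseScriptSrc(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives['script-src'] || directives['default-src'] || [];
}

// Match a CSP host pattern ("cdn.example", "*.example") against a hostname.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);               // ".example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit this script URL? Nonces and hashes are
// out of scope here; they are treated as "not matched".
function sourceAllows(source, scriptUrl, pageOrigin) {
  const u = new URL(scriptUrl);
  if (source === "'self'") return u.origin === pageOrigin;
  if (source === '*') return true;
  if (source.startsWith("'")) return false;        // 'none', 'nonce-…', 'sha256-…'
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  if (!hostMatches(host.toLowerCase(), u.hostname)) return false;
  // No port in the pattern means "default port only"; URL.port is '' then.
  if (!port) return u.port === '';
  return port === '*' || port === u.port;
}

// The page-level decision: may this script execute under this policy?
function scriptAllowed(header, scriptUrl, pageOrigin) {
  return parseScriptSrc(header).some(src => sourceAllows(src, scriptUrl, pageOrigin));
}
```

A site that ships only `default-src 'self'` keeps every analytics or session-replay script off the page unless it is explicitly added, which is the point at which the question of what that script can read has to be asked.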

Yesterday’s news about Facebook and Yandex not only doesn’t surprise me, but it is a predictable and expected result of the compromise I identified a couple of years back. What’s worse, even if it’s as bad as I’m implying here, what we’ve seen so far is just the tip of the iceberg of what’s possible.

So do we care about server-side key loggers yet? If past experience is any indicator, probably not.

WebSphere MQ security guy! My Tweets/views are my own. Also blogging at http://ask-an-aspie.net and http://tdotrob.wordpress.com