Yahoo's Database Security - Coursework Example

Yahoo’s Database Security Introduction Yahoo is currently one of the major e-mail providers. It has users across the globe. However, it only began as an idea and hobby by David Filo and Jerry Yang, who at that time were Ph.D students at the Stanford University (An Introduction to Yahoo, 2015). Their primary objective was to keep records of their interests on the internet. In 1994, these two developers decided to customize Yahoo into a database that could serve quite a number of users through an online platform, precisely the internet (An Introduction to Yahoo, 2015). From that time, Yahoo gradually gained popularity all over the world. Today, users get to access it quickly via typing a simple Uniform Resource Locator (URL) in their respective browsers; http://www.yahoo.com. However, the ever changing technology has seen Yahoo face a number of attacks from hackers, resulting in the loss of data confidentiality and integrity because several users end up losing their logins credentials. In this regard, this paper will investigate into security breaches suffered by Yahoo in the recent past. For a structured understanding of this problem, this study will employ a descriptive research technique, using online sources as the primary source of data since it is a desk research. In this regard, this paper will be divided into a number of segments, including types of Yahoo Databases and how they are used, security breach suffered by Yahoo, the problems faced when protecting users’ data, and the methods used by Yahoo to safeguard their users’ data. In the end, a conclusion will be provided. Types of Yahoo Databases and how they are used Column-oriented Database In this system, the values of data are stored in a single field of a column; hence contrasts conventional databases, which stores values as individual records. Yahoo uses this system to achieve the highest degree of data compression, which ensures that it uses the minimal disk space to store user data; hence small and less costly hardware for storing data can be used (smadden, 2007). Massively Parallel Processing System In this system, information is distributed across several servers so that the distributed data can be individually processed by the respective servers’ processors. However, this is only possible in the presence of a network interconnection. One advantage associated with this database is that no contention is available because it employs a shared-nothing architecture (Introduction to Massively Parallel Processing (MPP) database, 2012). Yahoo uses this system to parallelize execution of queries done by other Database Management Systems to ensure that those queries are divided into smaller ones and allocated to several Database management servers; thus enabling it to concurrently process large amounts of data and ensure availability to users. As such, Yahoo guarantees efficiency and effectiveness to the users it serves. Key-Value Storage System This system employs unique keys, commonly referred to as primary keys to store data. As such, Yahoo relies on this system to enhance its performance, especially when a user reads a single record (KeyValue Databases), through acquiring a key-value data model that is simpler than conventional and relational database systems. Security breach suffered by Yahoo SQL Injection (SQLi) Yahoo has recently suffered security breaches, as a result of contracting third parties. The first breach was facilitated by SQLi attack, which is one of the famous web vulnerabilities (Gilbert, 2013). After Yahoo had acquired Yahoo Voices, which was initially an online content publishing platform in 2010, it did not immediately integrate that platform into its process, but went ahead to rely on its existing platform to run this new segment. Two years later, a hacker employed SQLi to exploit Yahoo voices, resulting in a loss of over 400000 users’ login credentials (The Yahoo Security Breach: Third Parties Are the New Weak Links, 2015). Portal Attack A similar breach to the one discussed above was suffered by AstroYogi.com, an Indian website for astrology, which had been contracted by Yahoo to serve its lifestyle users. As a result, a good number of users lost their logins for the second time (The Yahoo Security Breach, 2015). To achieve that breach, the hacker targeted AstroYogi.com, knowing that this site had no correlation with Yahoo and, therefore, was not being protected by the strong encryption deployed on the Yahoo servers (Gilbert, 2013). This breach can be classified as a portal attack because all that the hacker did was to infiltrate the database of Yahoo after gaining unauthorized access into AstroYogi.com as the two shared information about lifestyle users. The security breach did not stop at that level because in 2014, Yahoo again lost several user credentials for its email service as reported by Forbes (Lyne, 2014). The problems faced by Yahoo when protecting users’ data Password inadequacy With the ever changing technology, hackers have managed to develop new tricks that by-passes logins credentials. Precisely, the use of password as a means of authentication is almost being rendered useless. In this regard, Yahoo and other online providers have opted for longer phrases as passwords (Savitz, 2012). Although this approach can limit hackers’ efforts to gaze users’ logins, it still inadequate and subject to brute-force cracking (Savitz, 2012). Threat from the organization itself Although it is considered less risky, hackers tend to entice an organization’s employees with material gains in order to obtain confidential data. In actual essence, internal attacks are more dangerous because it is very hard to establish an employee who collaborates with outsiders to commit malice. Most of them ensure that they have a better understanding of the system functionality and its vulnerabilities before involving themselves into malice. In addition, hackers employ the use of spy applications like keyloggers, whereby they include them on websites and configures them to automatically pop-up once a user signs into his/her account with a prompt to perform a vital task, for instance, “your registry has errors, please click this button to repair it”. Once a user responds positively to such a request, the application automatically installs itself into his/her computer and automatically start collecting and sending confidential data from that particular machine to the hacker, whenever the user makes a login to any account. To this extent, it is clear how hard it is for service providers who include Yahoo to protect their user login because the firm itself is not the hacker’s target, even though the firm itself is indirectly affected in terms of loss of reputation and standards. State-sponsored espionage Recently, the U.S government has supported the use of surveillance programs like PRISM to compel online providers submit their user data. Yahoo’s effort to object this foreign surveillance order did not bear any fruit because it gave in after being threatened to be fined $250,000 per day and that the fine would appreciate twice each week in case Yahoo failed to turn in the requested data (Strohm, 2013). In doing this, users’ data is rendered vulnerable because it does not belong to the State. Such government supported attacks can only be prevented by implementing more robust strategies like HTTP Strict Transport Secure (HSTS). In addition, Yahoo should not concentrate on known attacks and vulnerabilities that online services are subjected to, but try to safeguard its databases against possible threats to come (Savitz, 2012). Methods used by Yahoo to protect users’ data The primary method used by Yahoo to protect information transmitted by its users over its platform is data encryption. Data encryption involves the use of special algorithms to convert readable electronic data into an unreadable format. Yahoo recently took an initiative to encrypt all information exchanged between its mail servers and other emails from external providers like Gmail and Microsoft among others, and between its data centers as an effort to limit surveillance activities facilitated by spy applications in an effort to prevent hackers from illegally obtaining confidential data from its database (Rushe, 2014). The rationale behind the companys implementation of this strategy is due to the increasing security concern about user data, especially information exchanged over online platforms. According to an analysis done by the Tech Times (Sandoval, 2015), compromising the information of users of a particular organization translates into a compromised reputation, as well as standards of that particular firm. Thus, by protecting users data, Yahoo will also be protecting its public figure as far the online market is concerned. Just to confirm the encryption strategy implementations by Yahoo; queries keyed into Yahoo search engine and the whole site, has by default been encrypted by Hypertext Transfer Protocol Secure (HTTPS) (Sandoval, 2015). In fact, browsing on this site has been upgraded to use HTTPS, unlike the usual HTTP. As such, all sessions by users on Yahoo have been encrypted. In the near future, the company intends to add more protection to its user data using more robust technologies like HSTS, Certificate Transparency, and Perfect Forward Secrecy (Sandoval, 2015). It should be understood that after implementing these techniques, Yahoo will still go ahead to encourage and partner with other providers across the world to enhance and improve security of the Internet community, and thus ensure safe browsing of the internet (Sandoval, 2015). Conclusion Yahoo is a major email provider that uses several databases highlighted above to ensure efficient and effective services to its users. However, this firm has recently suffered security breach in the form of losing credentials used as logins by its users due to contracting companies that do not have strong data security in place. As a result, Yahoo has taken a significant step to protect user data by encrypting all data exchanged on any of its platforms while ensuring secure browsing sessions on its search engine. In addition, Yahoo intends to partner with other online providers, in addition to using more robust techniques mentioned above to make online browsing more secure and minimize the vulnerabilities that the online community is currently subjected to. References Introduction to Massively Parallel Processing (MPP)database. (2012, December 28). Retrieved April 21, 2015, from Data Warehouse: https://dwarehouse.wordpress.com/2012/12/28/introduction-to-massively-parallel-processing-mpp-database/ An Introduction to Yahoo (2015). Retrieved April 21, 2015, from Southwest Colorado Interactive Learning Network: http://scilnet.fortlewis.edu/edtech/Search/Yahoo.htm Yahoo Security Breach (2015, January 12). Retrieved April 21, 2015, from Veracode: http://www.veracode.com/blog/2015/01/yahoo-security-breach-third-parties-are-new-weak-links Gilbert, D. (2013, January 31). Major Security Issues with Cloud Computing Being Ignored. International Business Times. KeyValue Databases. (n.d.). Retrieved April 21, 2015, from Datafloq: https://datafloq.com/big-data-open-source-tools/os-keyvalue/ Lyne, J. (2014, January 31). Yahoo Hacked And How To Protect Your Passwords. Forbes. Rushe, D. (2014, April 3). Yahoo unveils encryption measures to protect users data. The Guardian. Sandoval, L. (2015, April 3). Yahoo toughens up encryption to protect user data, announces a better version of Messenger. Tech Times. Savitz, E. (2012, December 11). 5 Key Computer Network Security Challenges For 2013. Forbes. smadden. (2007, September 11). Good things come in small packages: The advantage of compression in column databases. Retrieved April 21, 2015, from Verica: http://www.vertica.com/2007/09/11/good-things-come-in-small-packages-the-advantage-of-compression-in-column-databases/ Strohm, C. (2013, July 4). Yahoo Faced $250,000-Day Fine for Not Giving U.S. Data. Retrieved April 21, 2015, from Bloomberg: http://www.bloomberg.com/news/articles/2014-09-11/yahoo-faced-250-000-day-fine-for-not-giving-u-s-its-user-data Read More