Fixing Yahoo cybersecurity when they're 'really out to get you'

After finding out Yahoo had set records for the worst hacks in history, cybersecurity chief Bob Lord got that dizzying horror film feeling.

Chief Information Security Officer Bob Lord didn't start Yahoo's fires, but he's set on putting them out.

Noam Galai, Getty Images for TechCrunch

It's not easy being the chief information security officer for the company that suffered the worst hack in history -- twice.

But that's exactly what Bob Lord faced after he joined Yahoo in 2015 to take its top cybersecurity role. The former Twitter security executive was not in charge when 500 million Yahoo accounts were stolen in a 2014 hack, or when the company broke its own record after finding out it had lost 1 billion accounts to cyberthieves in a 2013 breach.

Once he realized Yahoo had been hit with historic hacks, Lord said it seemed like something out of Alfred Hitchcock's "Vertigo."

"I remember feeling that when I was putting all the different pieces together. And that's not a great feeling," he said at TechCrunch Disrupt on Monday.

Lord didn't start the fires, but he was the one Yahoo called to put them out. Because of Yahoo's massive user base, that's been a bit tricky.

Attacks are also getting more sophisticated. It's not always a simple piece of malware that steals passwords or banking information on its own, with no further involvement from the criminals who built it.

"That kind of fire, you can put out," Lord said in an interview. "But what we're seeing increasingly is that there are these active adversaries who are working against companies. They're trying to burrow in, to steal access to other systems."

Lord got a good look under the hood while working with the FBI to figure out who was behind the massive Yahoo breaches. When the Justice Department indicted four people for the 2014 breach, court documents accused Russian spies of prompting hackers-for-hire to break into Yahoo so they could steal information on politicians, while the alleged thieves ran off with the rest for profits.

The hackers breached Yahoo by spear-phishing employees, forging authentication cookies to get into its servers, and then downloading malware onto the company's network. To prevent such a break-in from happening again, Lord knew he needed to change the company's perspective on cybersecurity from top to bottom. All it takes is one mistake to lose 500 million emails.

He doesn't see his role as just helping Yahoo protect itself against malware programs. Lord wants to change Yahoo's culture so the company understands it's up against savvy hackers, not one-track machines.

"There's a mindset and there's a mental model that is not yet common in enough executive suites and boards. A lot of them want to deal with this almost like a performance issue," Lord said. "That transactional relationship isn't going to prepare you for the truly intelligent adversary, who is really out to get you."

Since the breaches, Lord has advocated for Yahoo to be as transparent as possible about its security. He's written blog posts, sent update emails to Yahoo's users and attended conferences in a bid to earn back the public's confidence.

"We will continue to earn our users' trust by publicizing the bug bounty program," Lord said. "They're asking other people to try to probe our systems and tell us about any soft spots."

Since it kicked off in 2013, the bounty program has paid out $2 million to people who have found flaws in Yahoo's systems. After extensive investigations into the massive breaches, Lord doesn't expect any more bad surprises, or for Yahoo to break its own record again.

"We've turned over every rock we could find," he said. "I think we have as much understanding as we're going to get at this point."