[heroprotagonist]

While I suspect some of this is posturing for a better price, I'm certain from some past experience that Verizon is very serious about security.

A lot of large enterprise take an approach my colleagues have referred to as 'rubber stamp security', that checks boxes in a compliance report while still remaining largely ineffective. For example, these companies buy tools and install them, but then never configure them properly.

From what I've seen of Verizon, they are more serious about security and beyond requiring an effective toolset, they take the approach of hiring new people who already know the tools well or give effective training to their existing and competent people as part of the onboarding process. This sounds like a no-brainer, but a lot of companies either don't do this or do it very poorly.

Beyond any kind of material impact of the breach on Yahoo's business, it would require a _lot_ of work from their security teams to absorb Yahoo in a way that raises them to Verizon's standards. An acquisition of this size is rarely very easy, but having to completely overhaul the acquired company's entire security posture just adds to this effort. Verizon's security team has to consider Yahoo's infrastructure with very little trust at this point. I wouldn't much care for the prospect of having a flaming bag of poo deposited on my porch, either.

[ghughes]

Given that not too long ago they were publicly shamed for implementing an invasive tracking system that completely undermines their customers' privacy, [1] you'll have to do a little better than "some past experience" and "from what I've seen" if you want your assertion that "Verizon is very serious about security" to be taken seriously.

[1] https://www.wired.com/2014/10/verizons-perma-cookie/amp/

[syshum]

One has nothing to do with the other

You can be VERY good at systems security, while simultaneously wanting to violate your customers privacy....

[bartl]

Well ironically, in this case, Verizon's problem with Yahoo is allegedly about customers' privacy.

[heroprotagonist]

Well, it is just anecdotal. Feel free to withhold judgement, it is just an anonymous internet comment instead of a detailed report from a thorough study. I'm certainly not giving you my CV. However, I was referring to what I saw of their stance towards their own security, rather than toward the privacy of their customers.

Still, I think the point that there's more for Verizon to worry about from Yahoo than the direct impact of the exposed customer data is a valid one. Failure to discover (if we believe them), or at least a failure to disclose, a breach for close to two years, does not speak well for them. Maybe this breach was only possible during some temporary time period two years ago, but it's also possible that whatever allowed the breach was open for a long time, allowing further opportunity to exploit other services on their network. The claim that it was possibly a 'state actor' either means they don't know and are covering their incompetence, or it was a fairly advanced threat that could potentially still be in place or even have expanded its footprint since 2014.

[RockyMcNuts]

Just don't rely on Verizon for your own 2FA security, partly because the phone system is too easy to redirect and spoof in various ways, and partly because Verizon is too easy to social-engineer.

https://medium.com/the-coinbase-blog/on-phone-numbers-and-id...

[fowl2]

this... is certainly not my experience. However, they're a large organisation so they're most likely schizophrenic.

[JohnTHaller]

It's certainly not a lot of people's experience. Youtuber boogie2988 (3.5m subscribers) had his accounts hacked and his channel deleted (his primary source of income) via a Verizon social engineering hack. The hack via Verizon gained the hackers access to his Twitter, YouTube/Google accounts, even his PayPal account.

[closeparen]

Verizon may be quite serious about protecting Verizon and its infrastructure, while still indifferent to retail subscriber account takeovers.

[rms_returns]

Here are more details about that[1]. I'm still surprised how they could have gained access to his Youtube and Twitter just by using his phone number.

[1] https://www.reddit.com/r/boogie2988/comments/4psg4x/i_was_ha...

[JohnTHaller]

If you know someone's Gmail account used for YouTube and have access to their cell phone to receive text message verifications for account resets, you have full access.

Being able to verify a code sent to the mobile phone registered with the account is used as proof of identity for account recovery by basically everything online except banking.

[rms_returns]

k. But in boogie2988 case, did the hacker got access to his actual cell phone or just cell number? That's not clear.

[DanieI]

A social engineer goes to the Verizon store and tells customer service that they have lost their cellphone. Customer service deactivates the owner's phone and gives the social engineer a brand new phone that's connected to the owner's account.

[heroprotagonist]

That's fair, I definitely don't have a global insight. Security teams are usually segmented in some way, rather than monolithic, with varying levels of competency among different teams.

They do periodically put out some interesting reading. If you want to look at it, their annual Data Breach Investigations Report are worth checking out:

http://www.verizonenterprise.com/verizon-insights-lab/dbir/

(prior year reports don't require registration and are still fairly applicable)

[086421357909764]

I once had verizon admit they'd oversold their capabilities for Incident Response and security consulting and were in dire need of support. Of course they wanted bottom barrel rates at $140 an hour.. seriously. Naturally we turned away from the opportunity as it wouldn't be profitable. I'm not convinced Verizon is anymore secure than Sony after that call ....