
Your biggest threat is inside your organisation and probably didn’t mean it

Threat of the malicious insider is very real, but accidental data leakage is a bigger problem.

It doesn't have a super-sexy moniker like KRACK or Heartbleed, but the spectre of the insider threat looms large for organisations, and has done so for as long as electricity, silicon, and computing have been paired up to store information.

While it's easy to imagine a disgruntled, unhappy employee becoming a malicious actor within an organisation, and dumping the family jewels out of spite, it is much more likely that a well-intentioned employee did something they really shouldn't have.

In recent times, it seems as though a spate of data leakage has occurred due to the discovery of data left sitting on world-viewable servers. For instance, Accenture left its keys to the kingdom exposed on four servers, Verizon had 14 million subscriber records sitting unprotected on Amazon S3, and even Australia's national broadcaster, ABC, was found wanting last week when it was revealed to have had customer details and 1,800 daily MySQL database backups exposed.

"I always start from the point of view, your biggest threat is the insider threat," security advisor and former Telstra CISO Mike Burgess told ZDNet. "That's not because your staff are bad, or people in the supply chain are bad -- it's simply the human can generally do the greatest damage, and we've seen many examples of that."

A recent survey by Thales found that 54 percent of respondents said employee error was the most significant threat to sensitive or confidential data, with the company's APAC CISO Ben Doyle telling ZDNet that while there are often signs of malicious insider behaviour, it's harder to detect accidents.

"If you have a strong security culture, and not just information security culture, but an overall security culture, there are generally indications of the change of attitudes and things like that, if it's going to be a malicious insider, that you are going to have a chance [to pick it up]," Doyle said.

"I guess the threat for the inadvertent one is a lot of cases there may not be any indicators until you find yourself in trouble."

It's a view shared across the industry, with Sophos CTO Joe Levy saying an accidental insider is more likely to compromise a company than an outsider.

"They are closer to the data, just in terms of the amount of difficulty and the proximity, it's much more likely the latter is going to happen," Levy said.

For McAfee CTO Steve Grobman -- who spoke to ZDNet before the company had its own misadventures last week -- the definition of vulnerabilities needs to go beyond software.

"When we think about vulnerabilities, we can't think of vulnerabilities being just software vulnerabilities like Apache Struts -- we also need to think of vulnerabilities as misused access controls, so somebody drops content in an S3 storage [bucket]," Grobman told ZDNet.

"Part of the problem with data leakage or data loss is once the data is out there, there's really no remediation to get it back. When the toothpaste is out of the tube, you can't put it back in."

However, while the number of companies caught out by unintentional data leakage continues to rise, for Levy, it's a by-product of companies having to play in the software space due to an increasingly connected world.

"It is something that is very very new," he said. "People who have been in business for the past 30 years that have not been in the software business are probably not very familiar with these kinds of concepts and principles.

"There is going to be this window of exposure as people are learning and developing the muscle memory basically of how to do things correctly in software-land that is just going to create a lot of problems -- like people putting their AWS keys up on GitHub.

"Hopefully they are happening enough that people are learning about them, and there's levels of leadership in organisations and even boards of companies now that are beginning to learn themselves these sorts of things."

According to Burgess, the insider threat is nothing new; it's just able to occur faster than in the past.

"It's the downside of the upside of this technology-connected-enabled world," he said. "Nothing new here, people just need to grapple with the fact technology and connectivity means bad things can happen quickly.

"I am a little surprised, given everything that has happened in the world, that more people are not paying attention to this. But on the upside, more people are paying attention to this, and now they've just got to figure out the right way of identifying and managing the risk effectively."

For Grobman, the challenge in addressing insider threats is that it is more than a technology problem and requires policy as well.

"If you think about what an insider threat is, it's an insider that is abusing permissions, privileges that they've explicitly been given access to, so it is much harder to actually distinguish if this is actually a malicious set of activity, as opposed to something that is legitimate for somebody doing their job," he said.

"First and foremost, companies have to live by the principle of least privilege. The biggest set of abuses that I've seen are typically where there's lax policies in granting access to capabilities or functions that somebody doesn't truly need to do their job and it's just easier to give people carte blanche for all sorts of things."

As with many other aspects of security, the McAfee CTO said no company will ever be rid of the insider threat, but it is possible to reduce it through behavioural analysis or being able to detect massive data exfiltration.

"Thinking about making things harder is one of the key things that we can do, even if it doesn't solve the problem completely," he said.

Grobman said it was important not to go over the top and impose restrictions on users and administrators alike if they are unnecessary.

"The most important thing for people to think is understanding what the different risks in an organisation are, and right-sizing the controls so that you are not over-burdening the things you don't really care about, but at the same time you are able to put your most critical resources and policies on the things that matter," he said. "The other element that I think is important is not only the things that matter but things that are more difficult to remediate or repair.

"If you are protecting a piece of network infrastructure, if that is breached from a denial of service perspective, to recover from that, there is basically no long-lasting harm done, which is different from a data breach where if the data is either personal information or intellectual property or something that is going to be interesting for a long period of time, even if you fix the vulnerability, fix the permissions, if the data has already been stolen, the damage is much harder, if not impossible to remediate."

Since there is always going to be someone in an organisation that knows how the mousetrap is made, and the tolerances that trigger it, Levy said it is important for organisations to be able to investigate an incident after the fact, and to have an inventory of all compute instances and assets.

Burgess echoed a similar sentiment, and in addressing the issue of contractors and third-party providers leaking data, said businesses need to own their risk and not pass it up or down the supply chain.

"It should never be defence [to say] 'Well I trusted ACME sprocket engineering to do that and it is their problem and their fault'. If you haven't given to them or stated to them your expectations to them around that information, then you've failed, it's your risk," the former Telstra CISO said. "You can't outsource risk, you can't blame it on your outsourced provider, you own it."

Like so much to do with insider threats, Burgess said owning risk was a leadership issue, as was the example of pressure being put on an IT department to "just get a project over the line" and do whatever was needed.

"You'll still have someone do the wrong thing, but that example is just one of bad leadership," he said. "Good organisations have checks and balances in place -- not overly bureaucratic, but you will pay attention to your most valuable data, and you'll know what is happening to it.

"When instances like that do occur, you detect them to either prevent them, or actually once they do occur, you make it right quickly because that is a fact of you cannot eliminate this problem, but you can manage the risk. And to manage the risk, you've got to pay attention to the data and what is happening to it."

On the recent number of data leaks, Doyle said it would be incorrect to point the finger at the uptake of cloud computing.

"I think this behaviour was protected previously by a perimeter, therefore bad behaviour was less likely to become public. You don't have external people [looking] unless you have a really bad perimeter with your internal systems," he said.

"Whereas with Amazon S3 buckets, or any other cloud storage solution, if it isn't protected then obviously it is public."

According to the Thales APAC CISO, with the mobility of data in the modern world, it's important for enterprises to know where their information is and to understand the value of it.

"We've moved to a world where you've got to protect that valuable data at rest, in use, and in motion," Burgess concurred. "That's a very different mindset."

Across the board, the CXOs interviewed said handling and putting plans in place to deal with insider threats is a task that will involve all parts of a business -- whether that is identifying where sensitive data lives, to what data is sensitive in the first place -- and cannot be left to the IT department alone.

If your organisation has not looked into its data buckets in recent times to see what data might be mistakenly world-viewable, then it would be best to get on it before someone else does.
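The exposures quoted in this piece share one root cause: a storage bucket whose policy or ACL grants read access to everyone. As an added example, not from the article or any vendor quoted in it, the following Python check evaluates an S3 bucket policy and a bucket ACL document for such grants. The policy and ACL are constructed samples in the shape AWS returns them; the bucket name, account ID and role name are placeholders.

```python
"""Flag world-readable grants in an S3 bucket policy and bucket ACL.

Added example (not from the ZDNet article). The policy and ACL documents
below are constructed samples in the shape AWS returns them; no AWS
credentials or network access are needed to run this check.
"""
import json

ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:*", "s3:getobject", "s3:listbucket", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if isinstance(principal, str):
        return principal == "*"
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_policy_statements(policy_json):
    """Return the Sids (or indexes) of Allow statements that grant read access
    to everyone. A statement carrying a Condition block is labelled as such,
    because the condition may or may not be a real restriction."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            label = stmt.get("Sid", f"statement[{idx}]")
            if "Condition" in stmt:
                label += " (conditional)"
            findings.append(label)
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS_URI, AUTH_USERS_URI):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


# Constructed sample: one public-read statement next to a legitimate scoped one.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "OpsWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},   # placeholder account/role
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*"},
    ],
})

# Constructed sample ACL: owner has full control, and everyone has READ.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
```

The same two functions can be pointed at the JSON returned by the AWS CLI's get-bucket-policy and get-bucket-acl calls for every bucket in an account; anything they return is a bucket to look at before someone else does.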

From: http://www.zdnet.com/article/your-biggest-threat-is-inside-your-organisation-and-probably-didnt-mean-it/

One in five Singapore firms use paper to manage privileged passwords

Some 22 percent of businesses in Singapore use paper-based logbooks to manage privileged account passwords, while 55 percent monitor only some privileged accounts or not at all.

One in five businesses in Singapore, or 22 percent, still depend on paper-based logbooks to manage privileged account passwords, while 90 percent say they face challenges managing such passwords.

In comparison, 19 percent in Asia-Pacific and 18 percent globally still used paper logbooks for privileged password management, revealed a survey by Dimensional Research, which polled 913 respondents from eight markets including Singapore, Hong Kong, Australia, Germany, and the UK. The study was commissioned by data access management vendor One Identity.

Privileged accounts traditionally encompassed employees with admin access or control to root accounts.

Some 87 percent across the Asia-Pacific region acknowledged facing challenges in managing privileged passwords, slightly lower than 88 percent globally.

In Singapore, 55 percent confessed they were monitoring only some privileged accounts, or not monitoring at all, compared to 57 percent globally who said likewise.

Another 34 percent used spreadsheets to track privileged accounts and 21 percent expressed their inability to monitor or record activities performed with admin credentials. In addition, 28 percent said they could not consistently identify users who performed admin activities.

Furthermore, 38 percent of IT security administrators did not change a default admin password.

"Privileged accounts present an easy target for hackers or even malicious employees when poor security and management processes exist within an organisation," said One Identity's Asia-Pacific and Japan vice president and general manager, Lennie Tan, who warned that the study findings exposed the risk to data theft that the companies faced.

John Milburn, One Identity's president and general manager, added that security breaches involving compromised privileged accounts had resulted in "astronomical mitigation costs" and data theft.

The report pointed to a Forrester Research study that found 80 percent of breaches had involved privileged credentials.

From: http://www.zdnet.com/article/one-in-five-singapore-firms-use-paper-to-manage-privileged-passwords/

A flaw in Google’s bug database exposed private security vulnerability reports

The bug allowed the researcher to see the most sensitive vulnerabilities in Google's services.

A series of flaws in Google's internal bug tracker let a security researcher gain access to some of the company's most critical and dangerous vulnerabilities.

The company's internal bug reporting system, known as the Issue Tracker (or the "Buganizer"), is used by security researchers and bug finders to submit issues, problems, and security vulnerabilities with Google's software, services and products.

Most ordinary users have very little access to the bug tracker. But a security researcher found that by spoofing a Google corporate email address, he was able to gain access to the back-end of the system, and to thousands of bug reports -- some of them marked as "priority zero," the most severe and dangerous vulnerabilities, with which a hacker could do untold damage.

Alex Birsan, who discovered the flaws, told ZDNet that an attacker could have discovered and exploited submitted vulnerabilities to target and potentially compromise Google accounts.

Worse, an attacker could've used a vulnerability to infiltrate Google's internal network.

Birsan explained in a write-up of his findings that he created a Gmail account which, prior to verifying the new account by email, would let a user change their email address to any email address, including Google corporate accounts.

Although Birsan's newly-created fake Google account wouldn't give him direct access to the company's network, it was enough to trick the Issue Tracker into thinking he was an employee, giving him elevated privileges to view and interact with bug reports, such as receive notifications and updates on issues.

From there, he was able to send altered requests to the Issue Tracker server, letting him read any bug he wanted -- including the most sensitive vulnerabilities -- because of a failure to properly validate the logged-in user's permissions against each report.

Or, as Birsan described it, the "holy grail of Google bugs."

"Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn't have triggered any rate limiters," he explained.

After he reported the bugs, his access was revoked and the vulnerability fixed within the hour.
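The access-control failure Birsan describes comes down to two checks that were missing: verifying the claimed corporate address before it confers privileges, and authorising each requested report rather than the request as a whole. The following Python sketch, added here and not Google's Issue Tracker code, shows the vulnerable shape beside a hardened one; the User model, the issue store, the corporate domain `corp.example.com` and the batch cap are assumptions made for illustration.

```python
"""Per-object authorization for a bug-tracker read endpoint: the two failures
described in the article (trusting an unverified address, and never checking
permissions per report) beside a hardened version.

Added example, not Google's Issue Tracker code. The issue store, the User
model, the corporate domain and the request shape are assumptions.
"""
from dataclasses import dataclass, field

CORP_DOMAIN = "corp.example.com"   # placeholder for the corporate mail domain


@dataclass(frozen=True)
class User:
    email: str
    email_verified: bool = False


@dataclass(frozen=True)
class Issue:
    issue_id: int
    title: str
    visibility: str                       # "public" or "internal"
    cc: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


# Constructed sample store (no real reports).
ISSUES = {
    1001: Issue(1001, "Typo in public docs", "public"),
    1002: Issue(1002, "Report filed by an external researcher", "internal",
                frozenset({"researcher@example.com"})),
    1003: Issue(1003, "Internal high-priority report", "internal"),
}


def is_employee(user):
    """Account-level check: the domain counts only once the address is verified."""
    return user.email_verified and user.email.lower().endswith("@" + CORP_DOMAIN)


def can_read(user, issue):
    """Object-level check, evaluated for every issue a response will contain."""
    if issue.visibility == "public":
        return True
    return is_employee(user) or user.email.lower() in issue.cc


def get_issues_unchecked(user, issue_ids):
    """Vulnerable pattern: trusts the claimed address, then returns every id in
    the batch, so one request can pull many restricted reports at once."""
    if not user.email.lower().endswith("@" + CORP_DOMAIN):
        raise Forbidden("employees only")
    return [ISSUES[i] for i in issue_ids if i in ISSUES]


def get_issues(user, issue_ids, max_batch=20):
    """Hardened: verified identity, a per-object check for each id, and a batch
    cap so a single call cannot walk the tracker past any rate limit."""
    if len(issue_ids) > max_batch:
        raise ValueError(f"at most {max_batch} issues per request")
    result = []
    for issue_id in issue_ids:
        issue = ISSUES.get(issue_id)
        if issue is None or not can_read(user, issue):
            # Identical response for missing and forbidden ids: no existence oracle.
            raise Forbidden(f"issue {issue_id} is not available")
        result.append(issue)
    return result
```

The design point is that `can_read` runs once per object in the response, so a batched request gets exactly the same scrutiny as a single-issue one, and the batch cap keeps the per-request cost of that scrutiny bounded.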

Birsan didn't underestimate the severity of the vulnerabilities, but hedged his findings with a key caveat. The bigger the vulnerability, the quicker it gets fixed by Google, he explained. "So even if you get lucky and catch a good one as soon as it's reported, you still have to have a plan for what you do with it."

"That being said, I believe you'd have a pretty good chance of compromising Google accounts if you had a few specific targets and threw every attack at them," he said.

But a large-scale attack that puts hundreds of thousands of accounts at risk was less likely, he said. "All in all, it depends entirely on what other people report while you're eavesdropping," he added.

Given that thousands of internal issues were added each hour, he said, "Who knows what kind of juicy information could be found in there?"

These bug databases are ripe targets for nation-state attackers, who want to target major technology companies. Earlier this month, Reuters reported that Microsoft's secret bug database, which included flaws for Windows, was breached in 2013.

In all, Birsan was awarded a little over $15,600 in bug bounties from Google for the three bugs.

He was also given $3,133 as an additional grant to continue research on vulnerabilities with the Issue Tracker.

When reached, a Google spokesperson said: "We appreciate Alex's report. We've patched the vulnerabilities that he reported, as well as their variants."

From: http://www.zdnet.com/article/google-bug-tracker-flaw-exposed-sensitive-security-vulnerability-reports/

Hacking group targets banks with stealthy trojan malware campaign

Stolen credentials are used to launch attacks which include the ability to stream live video of the screens of infected users.

A previously unknown but highly organised hacking group is carrying out a series of cyber attacks against banks and financial institutions around the world, deploying trojan malware to gain entry into networks.

The attackers are capable of monitoring everything a victim does in order to provide them with all the information they need to sneak around bank networks and make off with stolen funds.

Uncovered by Kaspersky Lab, the 'Silence' hacking group is suspected to be a Russian-speaking operation which has hit at least 10 financial organisations including those in Armenia and Malaysia, but mostly within Russia.

The initial attack techniques of Silence campaigns are similar to those of other threat actors, including the infamous Carbanak group: initial victims are tricked by phishing emails which give the attackers a foothold in the network. They'll remain there for a long time, striking only when they have enough information to steal large amounts.

Those behind Silence appear to be actively targeting banks which have previously been attacked. They use emails from the addresses of real employees whose accounts have been compromised - potentially bought from the dark web - to send a phishing email that looks like a routine request about opening a customer account.

The message comes with a malicious attachment in the form of a Windows Help (.CHM) file, which runs once the document has been opened. JavaScript embedded within it automatically downloads and executes a Visual Basic script, which in turn downloads a malware dropper from a command and control server.


It's the Russian language in the code which has led researchers to the conclusion that the attack group is Russian-speaking.

Once downloaded and installed on the system, the malware allows the attackers to take multiple screenshots of the victim's active screen, providing a real-time stream.

A similar technique was used by Carbanak to gain an understanding of the victim's day-to-day activity and points to the ultimate end goal of Silence - obtaining all the information required to eventually steal money.

The malware also includes a Winexecsvc tool which allows the execution of remote commands - useful when it comes to the attackers making their way around the infected network.
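The infection chain above (a .CHM attachment whose embedded script launches a Visual Basic script) leaves a recognisable trail in process-creation telemetry. As an added example, not Kaspersky's analysis or code, the Python below runs three such detections over constructed sample events. The event field names are an assumption modelled on generic endpoint telemetry; hh.exe is the Windows HTML Help executable that opens .chm files, so the embedded-script stage shows up as hh.exe spawning a script host.

```python
"""Detection logic for the CHM-to-script-host chain, run over constructed
process-creation events.

Added example; not Kaspersky's analysis or code. The event shape
(parent_image, image, command_line) is an assumption modelled on generic
process-creation telemetry. hh.exe is the Windows HTML Help executable.
"""
import ntpath

CHM_HOST = "hh.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
VBS_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    """Lowercased file name of a Windows path (None-safe)."""
    return ntpath.basename(path or "").lower()


def classify(event):
    """Return the detection tags that fire for one event (empty if nothing does)."""
    tags = []
    parent = basename(event.get("parent_image"))
    image = basename(event.get("image"))
    cmd = (event.get("command_line") or "").lower()

    # Help viewer launching a script host: the CHM's embedded-script stage.
    if parent == CHM_HOST and image in SCRIPT_HOSTS:
        tags.append("chm_spawns_script_host")
    # Script host running a .vbs staged in a temp directory: the downloaded VBS stage.
    if image in VBS_HOSTS and ".vbs" in cmd and "\\temp\\" in cmd:
        tags.append("script_host_runs_vbs_from_temp")
    # Help viewer opening a .chm from a temp directory, where mail clients stage attachments.
    if image == CHM_HOST and ".chm" in cmd and "\\temp\\" in cmd:
        tags.append("chm_opened_from_temp")
    return tags


def scan(events):
    """Return (index, image, tags) for every event that triggers at least one tag."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, basename(event.get("image")), tags))
    return hits


# Constructed sample telemetry: a benign mail session, the chain from the
# article, then two benign uses of hh.exe and cscript.exe that must not fire.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Mail\mail.exe",
     "command_line": r'"C:\Program Files\Mail\mail.exe"'},
    {"parent_image": r"C:\Program Files\Mail\mail.exe", "image": r"C:\Windows\hh.exe",
     "command_line": r'"C:\Windows\hh.exe" C:\Users\alice\AppData\Local\Temp\account_request.chm'},
    {"parent_image": r"C:\Windows\hh.exe", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\upd.vbs"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\hh.exe",
     "command_line": r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\manual.chm"'},
    {"parent_image": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\Scripts\logon.vbs"},
]

if __name__ == "__main__":
    for index, image, tags in scan(SAMPLE_EVENTS):
        print(f"event {index}: {image} -> {', '.join(tags)}")
```

The first rule is the strongest on its own: there is very little legitimate reason for the help viewer to start a script host, so it can alert by itself, while the two path-based rules are better used as corroboration or for triage.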

Researchers note that this particular campaign has been successful in attacking financial institutions, no matter where in the world they're based or what the network infrastructure looks like.

"We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed. The most worrying thing here is that due to their in-the-shadow approach, these attacks may succeed regardless of the peculiarities of each bank's security architecture," said Sergey Lozhkin, security expert at Kaspersky Lab.

While Silence uses very similar techniques to the Carbanak group - which has stolen more than $1 billion from banks worldwide - it's still uncertain if the two groups are at all related.

Researchers have warned that the attacks are still ongoing.

From: http://www.zdnet.com/article/hacking-group-targets-banks-with-stealthy-trojan-malware-campaign/

Hackers can gain access to maritime ship data through a built-in backdoor

Updated: Researchers have found vulnerabilities in the AmosConnect communication shipboard platform.

Researchers have uncovered severe vulnerabilities in software used by thousands of maritime ships worldwide.

On Thursday, IOActive researchers unveiled a new analysis of AmosConnect 8.0, which uncovered two critical security issues that could give attackers unfettered access to systems and information.

Stratos Global, an Inmarsat company, offers the AmosConnect communication shipboard platform to provide narrowband satellite communications, email, fax, interoffice communication, and more for those at sea.

International shipping firms and services often deal with confidential customer data and they may also hold valuable deliveries and so can be a target for threat actors.

As we've previously seen in a case where hackers spied on a shipping service to work out where the valuable packages were in order to steal them, the criminal gains can be lucrative, and so security is critical.

However, in the matter of AmosConnect, there was much left to be desired.

IOActive was able to find a critical vulnerability in login forms. The blind SQL injection bug allowed attackers to gain access to credentials stored in internal databases.

"The server stores usernames and passwords in plaintext, making this vulnerability trivial to exploit," IOActive says.

To make matters worse, the team also discovered a backdoor. The AmosConnect server features a built-in backdoor equipped with system privileges, which would give attackers full system and administration privileges and the ability to remotely execute code on the AmosConnect server.

"If compromised, this flaw can be leveraged to gain unauthorized network access to sensitive information stored in the AmosConnect server and potentially open access to other connected systems or networks," the researchers say.

The findings build on previous research conducted by IOActive's Ruben Santamarta, who discovered in September 2016 that he was able to gain full system privileges in AmosConnect 8.4.0, as well as access any other software or data stored therein.
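The two login-form defects IOActive describes, user input concatenated into the SQL query and passwords stored in plaintext, are shown below beside a hardened version. This is an added example in Python, not AmosConnect code; the schema, the account and its password are constructed for an in-memory SQLite database.

```python
"""A login lookup with the two defects IOActive describes in AmosConnect
(user input concatenated into SQL; passwords stored in plaintext), beside a
hardened version.

Added example, not AmosConnect code. The schema, account and password are
constructed for an in-memory SQLite database.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; only this value is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def setup_db():
    """Two tables: the plaintext layout the flaw relied on, and a salted-hash layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.execute("INSERT INTO users_plain VALUES ('captain', 'Sea-Shanty-42')")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("captain", salt, hash_password("Sea-Shanty-42", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Both inputs are spliced into the statement, so a quote in either one
    rewrites the query; a hit also proves the plaintext password is in the table."""
    query = (f"SELECT username FROM users_plain "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterised lookup by username only; the password never touches SQL and
    is verified against a salted PBKDF2 hash with a constant-time compare."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)   # same cost whether or not the user exists
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)
```

With the hardened layout a SQL injection in the login form would no longer be possible, and even a separate read of the users table would yield salted hashes rather than the "trivial to exploit" plaintext IOActive found.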

"Essentially anyone interested in sensitive company information or looking to attack a vessel's IT infrastructure could take advantage of these flaws," said Mario Ballano, IOActive principal security consultant. "This leaves crew member and company data extremely vulnerable and could present risks to the safety of the entire vessel. Maritime cybersecurity must be taken seriously as our global logistics supply chain relies on it and as cybercriminals increasingly find new methods of attack."

IOActive informed Inmarsat of the vulnerabilities in October 2016. The Inmarsat AmosConnect 8.0 version has now been discontinued, and so the company recommends that customers revert back to AmosConnect 7.0 or switch to an email solution.

This is not the first instance of such a vulnerability. As previously reported by ZDNet, researchers from Pen Test Partners recently found similar issues in industrial control systems from other major brands including Telenor and Cobham.

In a number of cases, default credentials were ridiculously simple to crack, and in others, Transport Layer Security [TLS] cryptographic protocols were absent.

Ken Munro, one of the firm's security researchers, said these lapses in security are "simply not acceptable" -- and he is right. When these kinds of business are so integral to the economy at large, security cannot be an afterthought.

An Inmarsat spokesperson told ZDNet:

"Inmarsat had begun a process to retire AmosConnect 8 from our portfolio prior to IOActive's report and, in 2016, we communicated to our customers that the service would be terminated in July 2017.

When IOActive brought the potential vulnerability to our attention, early in 2017, and despite the product reaching end of life, Inmarsat issued a security patch that was applied to AC8 to greatly reduce the risk potentially posed. We also removed the ability for users to download and activate AC8 from our public website.

Inmarsat's central server no longer accepts connections from AmosConnect 8 email clients, so customers cannot use this software even if they wished to."

From: http://www.zdnet.com/article/hackers-gain-full-access-to-maritime-ships/

Homeland Security orders federal agencies to start encrypting sites, emails

Three-quarters of the federal government uses encryption. Homeland Security says that isn't enough.

Homeland Security is ordering federal agencies to deploy basic web and email security features in an effort to boost cybersecurity across government.

Up until now, Homeland Security had been pushing businesses and enterprise customers to enable HTTPS web encryption across the board, which helps secure data in transit but also ensures that nobody can alter the contents of the website you're visiting. The agency has also pushed DMARC, an email validation system used to verify the identity of an email sender, which helps to protect against inbound spoofed emails and phishing attacks.

Now, Homeland Security has set its sights on government agencies, which have for years fallen behind.

The agency has issued a binding operational directive, giving all federal agencies three months to roll out DMARC across their networks. Enabling that email policy will prevent spammers from impersonating federal email addresses to send spoofed email.

The agency is also requiring within the next four months for all federal agencies to employ HTTPS.

If you thought the government already had that policy, you're not wrong.

In 2015, the Obama administration issued a directive that all federal government sites should be HTTPS by default by the end of 2016. More than two years later, about one-quarter of all federal sites still don't support basic website encryption.

Perhaps ironically, only 70 percent of all Homeland Security domains support HTTPS. Even fewer enforce the encryption by default.

The agency hopes that the remaining non-encrypted sites can get up to speed by early next year.

The order also asks that government agencies use other kinds of encryption, such as STARTTLS, a protocol that sends email over an encrypted channel when it's available, on their email servers.
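Whether a DMARC deployment actually stops spoofing depends on the record's tags, not just on its presence: a record with p=none only reports failures, and pct or sp can quietly narrow an otherwise strict policy. The following Python parser, added here and not part of the directive or of ZDNet's article, reads a DMARC TXT record (the value published at `_dmarc.<domain>`) and rates the protection it provides. The sample records are constructed.

```python
"""Parse a DMARC TXT record and rate the protection it actually provides.

Added example, not part of the directive or of ZDNet's article. The record is
the TXT value published at _dmarc.<domain>; the records below are constructed.
"""


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_level(record):
    """One of 'invalid', 'monitor', 'partial', 'quarantine', 'reject'."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"                     # reports only; spoofed mail still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))    # share of failing mail the policy applies to
    except ValueError:
        return "invalid"
    return "partial" if pct < 100 else policy


def dmarc_findings(record):
    """Audit-style gaps for a record; an empty list means nothing to flag."""
    tags = parse_dmarc(record)
    level = dmarc_level(record)
    if level == "invalid":
        return ["record missing or malformed: no DMARC protection"]
    findings = []
    if level == "monitor":
        findings.append("p=none: failures are reported but the mail is still delivered")
    if level == "partial":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports to show who is spoofing the domain")
    return findings


# Constructed sample records covering the states an audit is likely to meet.
SAMPLE_RECORDS = {
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov",
    "monitor":   "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
    "partial":   "v=DMARC1; p=quarantine; pct=50",
    "not_dmarc": "v=spf1 -all",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(f"{name:10} {dmarc_level(record):10} {dmarc_findings(record)}")
```

Only the "reject" (or, more weakly, "quarantine") outcome at pct=100 actually blocks spoofed mail; "monitor" is the usual first step of a rollout and is worth flagging when it has been left in place for longer than intended.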

News of the announcement was lauded by one privacy-minded senator, who's been on a crusade to get federal agencies up to speed on security.

Wyden called today's move a "good, basic step," in a statement to ZDNet.

"STARTTLS encryption and anti-phishing technologies like DMARC are two cheap, effective ways to secure email from being intercepted or impersonated by bad guys," he said. "It's my hope that other government agencies recognize the clear security benefits of strong encryption, and that private sector companies move quickly to upgrade their own email security."

From: http://www.zdnet.com/article/homeland-security-orders-federal-agencies-to-encrypt-email-website/

Businesses need to think about a public cyber star rating

How secure is your business and its supply chain, and could it stand up to public scrutiny?

Too often when a company does a cyber boo-boo, it will get off pretty lightly by issuing a statement saying how seriously it takes security concerns, that no financial data was stolen in the breach, and that users should change their passwords to be on the safe side.

Security-minded people are likely to make a note of it in the back of their mind, but in general terms, the population moves on soon afterwards with little or no memory of what occurred.

Despite Yahoo finally confessing earlier this month that every single account was exfiltrated in 2013, the demographic and number of users that still rely on Yahoo services is unlikely to have changed.

And as for Equifax, which managed to have the personal data of around half of all Americans involved in a breach, there are very good questions to ask about how a company that failed at its one job -- to keep confidential information confidential -- is still in business, but perhaps the plethora of class actions will take care of that issue.

But these examples are massive, mainstream news-making breaches, and there are plenty of smaller ones that fly under the radar with little consequence.

While existing obligations such as data breach notification laws may require companies to inform users of their data being lost, in other circumstances, they may not.

Consider Australia's upcoming data breach notification laws that only require organisations to inform users when they are at "real risk of serious harm", alongside the case of Domino's Australia trying to find out how its customer details have been used for spamming.

Is spamming serious enough to warrant a disclosure to customers? And even so, how many people outside of technology circles are going to head to a rival pizza store this weekend based on the ongoing spamming incident?

I would suggest that it is not too many, given the pizza chain has been in a holding pattern for the past two weeks and has suffered previous breaches all over the world in recent years, and is nowadays in a stronger position than ever.

Due to the lack of collective memory over these incidents -- and the headlong rush to put microphones, cameras, and internet-connected appliances into our homes under the cover of the smart prefix -- a move to remind the everyday consumer of the infosec sins that have gone before, or could be permitted, is needed.

Enter the cyber star rating system -- dubbed the Cyber Kangaroo in Australia -- which would function like an energy star rating, but for the security of devices and organisations.

In a perfect world, not only would a company's rating be impacted by its own security, but also those of its suppliers. In the Domino's case, it appears that the pizza chain's IT systems are free of guilt, but that working with an insecure supplier is the cause of the data leak.

Regardless of where the fault lies, as far as consumers are concerned, the leak is a result of doing business with Domino's, and, as such, it should be made to carry the can were a rating system to exist.

A cyber rating would more succinctly explain the difference between the Android and iOS patching processes, for instance, than trying to explain to people how Android updates have to pass from Google to manufacturers and finally to carriers, while iOS updates come directly from Apple. Under a cyber rating system, iOS devices could have five stars, and Androids three or four, and consumers would only need to look at the scoreboard to understand why Pixels get updates quicker than Sony or Huawei phones.

As for the Internet of Things, those devices should be handed a zero rating until capable of being proven otherwise.

It is probably beyond the abilities and funding envelopes of governments to properly oversee such a system, so it is likely to fall onto the private sector, specifically those involved in cyber insurance, which seem to be the catch-all for the further maturation of information security.

The key to this information being effective for the general public is have it readily accessible either at the point of purchase or via a portal of some sort. By doing so, it would force organisations to treat security as a first-order concern, something that is viewable and comparable by potential buyers.

In the same way that a vehicle safety rating or an energy rating label is treated by consumers, companies that fail to give cyber its proper priority, or partner with or source from those that also fail to, should be held accountable in order to let the market perform better.

It's not perfect, but it would be a vast improvement on what we have now.

From: http://www.zdnet.com/article/businesses-need-to-think-about-a-public-cyber-star-rating/

Leaked: Facebook security boss says its corporate network is run “like a college campus”

The source of the recording said Facebook's senior management and executives were apathetic to matters of cybersecurity. Facebook's security chief said he used one of the remarks "as a figure of speech."

Facebook's security chief has told employees that the social media giant needs to improve its internal security practices to be more akin to a defense contractor, according to a leaked recording obtained by ZDNet.

Alex Stamos made the comments to employees at a late-July internal meeting where he argued that the company had not done enough to respond to the growing threats that the company faces, citing both technical challenges and cultural issues at the company.

"The threats that we are facing have increased significantly and the quality of the adversaries that we are facing," he said. "Both technically and from a cultural perspective I don't feel like we have caught up with our responsibility."

"The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost," he said.

Stamos added: "We have made intentional decisions to give access to data and systems to engineers to make them 'move fast' but that creates other issues for us."

The security chief also said that the company had issued a report on where the company stands from a security perspective, in what he described as a "very painful process." He said the report will be updated every six months, when the management team are briefed on its contents.

The comments were part of an internal talk to employees during which he discussed the challenges Facebook had with keeping its networks secure, amid a growing danger of state-sponsored actors and advanced persistent threats, which in some cases have near-limitless resources.

For his part, Stamos, when reached, said that he had used the "college campus" line several times internally to describe challenges that the company faces, and used it as a figure of speech.

"My team runs network security for the company, and of course we secure it thoroughly," he said Thursday.

Stamos denied that the comments were a criticism of the company's management. "They care a great deal," he said. "It's not a criticism of anybody, just a statement of why our team needs to be creative in how we protect our corporate network."

"Tech companies are famous for providing freedom for engineers to customize their computing environments and to experiment with new tools, frameworks and development processes," he said. "Allowing for this freedom helps creativity and productivity, but we have to weigh that against the fact that we have become a potential target of advanced threat actors. As a result, we can't architect our security in the same way a defense contractor can, with extremely limited computing options and no freedom."

"Keeping the company secure while allowing the culture to blossom is a challenge, but a motivating one that I'm happy to accept," he said.

In fairness, Stamos isn't wrong. Facebook likely has more citizen data now than most governments, making the social network as much of a target today as defense contractors were ten years ago.

But while Facebook may not be storing plans for spy planes and autonomous drones, private citizen data is a commodity -- the social network has billions of people's data -- and nation states are hungry for it.

Stamos, a staunch security and privacy advocate, joined Facebook in June 2015 after a brief stint at Yahoo as chief information security officer. While Stamos had pushed to build out an offensive security "red team" and spearheaded privacy-focused features for Yahoo's customers, the company had reportedly taken "a back seat" on security during his tenure, largely attributed to then-chief executive Marissa Mayer's persistent clashes with Stamos over funding for security features and defense. Stamos left after a little more than a year in the job, reportedly after Mayer's decision to acquiesce to a top-secret classified order to scan emails of Yahoo customers, which the security team is said to have only discovered when it thought the company had been hacked.

The recording's source, who has intimate knowledge of Facebook's security systems and internal processes but did not want to be named, said that the threats that the company faces are "way above [Facebook's] ability to handle."

But while the source argued that Stamos has internally pushed for stronger cybersecurity, policies, and processes, executives are too busy lobbying lawmakers, and focusing on the company's vision and products -- citing its "move fast" strategy (which has since been partially retired) and not listening enough to the company's security professionals.

Although Facebook has seen its fair share of privacy scandals over the years, it hasn't yet fallen victim to a data breach like Yahoo, Equifax, LinkedIn and Myspace.

The source indicated that Facebook was likely on borrowed time. It's a "painful process to get security across to executives," the source told ZDNet.

Even though the company has so far escaped the "hacked" headlines, its platform is still open to abuse.

Tech companies, including Facebook, are feeling the heat after admitting that Russian adversaries had used the platform to buy ads to influence the 2016 election. Congress is currently investigating the role that Russia had in the election. Several other companies, including Google and Twitter, have also discovered their ads were bought by the Russians in the months running up to the election.

As adversaries get stronger and more capable, security experts argue that it's only a matter of time before even the bigger companies get hacked, and the odds are almost never in the defender's favor.

While companies need to defend against every hack and intrusion, the hackers only have to succeed once.

From: http://www.zdnet.com/article/leaked-audio-facebook-security-boss-says-network-is-like-a-college-campus/

Cloud vulnerabilities are being ignored by the enterprise

RedLock's latest cloud security report suggests that organizations are failing in the most basic security practices.

The enterprise is still ignoring the most basic security precautions when using cloud services, researchers claim.

On Thursday, RedLock released its annual cloud security report, which suggests that vulnerabilities in the cloud are being outright ignored, with poor database security and key leaks commonplace.

After analyzing customer environments, the cloud security firm said that roughly 38 percent of enterprise organizations have active user accounts that have potentially been compromised, and 37 percent of company databases allow inbound connections from the web, which is generally poor security practice.

In addition, seven percent of these databases are permitting requests from suspicious IP addresses, which suggests they have been compromised.

Throughout their research, the RedLock team discovered at least 250 organizations, many of them far larger than SMEs, that were leaking "access keys and secrets" from their cloud computing environments -- a similar scenario to the recent Viacom security debacle.

According to the report, a total of 53 percent of companies which use cloud storage services such as the Amazon Simple Storage Service (Amazon S3) have accidentally exposed these services to the public, 45 percent fall short of CIS (Center for Internet Security) security standards and checks, and 46 percent of these violations are "high severity issues" including network configurations which allow inbound SSH connections from the Internet.

In addition, the enterprise players included in the research failed 48 percent of PCI data security standard checks on average, and 19 percent of failures were critical -- such as failing to encrypt databases.

Hundreds of organizations are also leaking credentials through misconfigured services such as Kubernetes and Jenkins, the team claims, and a total of 64 percent of enterprise databases are not encrypted.

The researchers also found Kubernetes administrative consoles deployed on AWS, Microsoft Azure, and the Google Cloud Platform which were not password protected, and in some containers, threat actors were deploying illegitimate Bitcoin mining operations. This, in turn, has transformed legitimate business databases into bots generating revenue fraudulently.

In addition, access keys and secret tokens were discovered within Kubernetes instances that were stored in cleartext, granting attackers the opportunity to compromise critical infrastructure.
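The misconfigurations the report lists (database ports and SSH reachable from the Internet, world-readable storage buckets, unencrypted databases, unauthenticated Kubernetes dashboards, and secrets stored as plain values) are all checkable from an inventory of the environment. The following is an added example of such an audit, written for this page and not RedLock's own tooling; the inventory, resource names and the placeholder secret value are constructed, and the check is over a simplified representation of security groups, buckets, databases and Kubernetes objects rather than a real cloud API.

```python
"""Audit a constructed cloud inventory for the misconfigurations named in the report.

Added example: the inventory below is invented for illustration, not captured from
any real environment, and the resource names are placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory (placeholder names; the "value" on the env entry is a
# placeholder, not a real credential).
INVENTORY: Dict[str, list] = {
    "security_groups": [
        {"name": "sg-web-public", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                              {"port": 22, "cidr": "0.0.0.0/0"}]},
        {"name": "sg-db-internal", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
        {"name": "sg-db-open", "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"}]},
    ],
    "buckets": [
        {"name": "backups-prod", "public_read": True},
        {"name": "assets-internal", "public_read": False},
    ],
    "databases": [
        {"name": "db-01", "encrypted_at_rest": True},
        {"name": "db-02", "encrypted_at_rest": False},
    ],
    "k8s_dashboards": [
        {"name": "dashboard-dev", "auth_required": False, "exposed_publicly": True},
        {"name": "dashboard-prod", "auth_required": True, "exposed_publicly": False},
    ],
    "k8s_pods": [
        {"name": "api", "env": [
            # plain value where a Secret reference should be used
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "PLACEHOLDER-NOT-A-REAL-SECRET"},
            # correct: pulled from a Kubernetes Secret at runtime
            {"name": "DB_PASSWORD", "value_from_secret": "db-creds"},
        ]},
    ],
}

# Common database listener ports; a world-open rule on any of these is flagged.
DB_PORTS = {1433, 1521, 3306, 5432, 6379, 27017}
SECRET_NAME_HINTS = ("SECRET", "PASSWORD", "TOKEN", "API_KEY", "ACCESS_KEY")


@dataclass
class Finding:
    severity: str
    resource: str
    message: str


def is_world_reachable(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(inventory: Dict[str, list]) -> List[Finding]:
    findings: List[Finding] = []
    for sg in inventory.get("security_groups", []):
        for rule in sg["ingress"]:
            if not is_world_reachable(rule["cidr"]):
                continue  # scoped to an internal range; not an Internet exposure
            if rule["port"] == 22:
                findings.append(Finding("high", sg["name"], "SSH (22) open to the Internet"))
            elif rule["port"] in DB_PORTS:
                findings.append(Finding("high", sg["name"],
                                        f"database port {rule['port']} open to the Internet"))
    for bucket in inventory.get("buckets", []):
        if bucket["public_read"]:
            findings.append(Finding("high", bucket["name"], "storage bucket is world-readable"))
    for db in inventory.get("databases", []):
        if not db["encrypted_at_rest"]:
            findings.append(Finding("critical", db["name"], "database not encrypted at rest"))
    for dash in inventory.get("k8s_dashboards", []):
        if not dash["auth_required"]:
            sev = "critical" if dash["exposed_publicly"] else "high"
            findings.append(Finding(sev, dash["name"],
                                    "Kubernetes dashboard reachable without authentication"))
    for pod in inventory.get("k8s_pods", []):
        for env in pod["env"]:
            looks_secret = any(h in env["name"].upper() for h in SECRET_NAME_HINTS)
            if looks_secret and "value" in env:
                findings.append(Finding("high", pod["name"],
                                        f"{env['name']} set as a plain value instead of a Secret reference"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, for a quick posture number like the report's percentages."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f.severity}] {f.resource}: {f.message}")
    print(summarize(audit(INVENTORY)))
```

The check for secrets only looks at variable names and whether a literal value is present; it does not try to recognise credential formats, which is a deliberate choice so that it never needs to handle real secret material.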

In total, 81 percent of companies do not manage host vulnerabilities in the cloud effectively. They may utilize vulnerability scanning tools, but fail to map the data from these tools to create a picture of cloud-specific content and threats, which may open the gates to compromise.

"Host vulnerability data needs to be correlated with host configurations in the cloud that can help identify the business purpose of the host and help prioritize patching," the team says. "For example, is this host a webserver or a database server? Is it running in production or staging? In addition, the network traffic should be monitored to identify whether the vulnerabilities are actually exploitable."

Awareness of data breaches, patching, and critical security practices may be on the up with the constant stream of security incidents hitting the news, but based on RedLock's findings, it seems that some areas -- such as cloud services -- are still not being given the attention they require. Unless the enterprise steps up its game, practices such as storing passwords in cleartext are asking for attackers to strike, and companies will have nothing to blame but themselves in the case of compromise.

From: http://www.zdnet.com/article/the-malware-that-wont-die-is-locky-reclaiming-its-title-as-king-of-ransomware/

On encryption, the UK sets a collision course with Europe

End-to-end encryption is still seen as a danger by British politicians but as a useful protection by Europeans.

Is encryption a threat to law and order, or an essential tool for staying secure online? Two events this week show how much disagreement there still is about it.

First, at a meeting at the Conservative party conference earlier this week the UK's home secretary Amber Rudd said technology experts had been "patronising" and "sneering" at politicians who try to regulate their industry.

She said: "I don't need to understand how encryption works to understand how it's helping -- end-to-end encryption -- the criminals." She went on: "I will engage with the security services to find the best way to combat that."

Her comments are in line with those from Conservative politicians over the past few years, who have regularly made loud noises about limiting access to encryption, and have indeed introduced legislation to limit its usage.

Their argument is that end-to-end encrypted messages, which can only be read by the sender and the recipient, are allowing crooks to plot crimes in a way that police cannot monitor.

And while the government has also said it doesn't want to ban the use of encryption, or force companies to install 'backdoors' that police can use to snoop on conversations, there is no obvious way to weaken end-to-end encryption without breaking it, making this an intriguing clash of mathematics and politics.

The UK's recent Investigatory Powers Act legislation requires tech companies based in the UK to be able to remove any encryption they use to protect their customers' communications when asked to by the authorities.

But the law only applies to companies operating out of the UK, and it's very unclear what effect it will have on the big tech companies based in the US, like Apple or WhatsApp, which use end-to-end encryption to protect the messages sent by their customers.

However, as the UK continues to call for ways to crack down on the use of end-to-end encryption, politicians in Europe are doing exactly the opposite.

Just days after Rudd's comments, the European Parliament passed a resolution warning that more must be done to prevent cyberattacks and that individuals and businesses remain at risk because of a lack of knowledge and resources.

It called on member states to promote practical security measures such as encryption and warned governments not to "impose any obligation on encryption providers that would result in the weakening or compromising of the security of their networks or services, such as the creation or facilitation of 'back doors'".

That's not all: back in July the European Parliament published a draft of a report on electronic communications which also urged the use of strong encryption.

It said tech companies should make sure they can protect customers' communications from unauthorised access or alterations, and that the confidentiality is "guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data".

It goes on: "Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services."

The final version of the document is due later this month and, according to one report, Europe is not likely to water down its stance on encryption.

The increasing use of end-to-end encryption does make it harder for police to monitor plotters, that's for sure. But they also still have plenty of ways to access communications.

Most smartphones and PCs are far from secure, which means in many cases police will be able to hack into them and access communications before they are scrambled with encryption. In the UK, police and intelligence agencies already have this power.

That seems to be a much more proportionate and targeted way of accessing data than banning end-to-end encryption and obliging everyone to communicate in a less secure way, leaving them at greater risk from criminals, fraudsters, and nation state-backed hackers.

It's not clear how this issue is going to be resolved: the UK is unlikely to make much headway in limiting the use of encryption while the rest of Europe's political class is in favour of it.

From: http://www.zdnet.com/article/on-encryption-the-uk-sets-a-collision-course-with-europe/