‘Prevent brazen attacks’
Stamos calls for culture change among hackers
LAS VEGAS, July 27, (Agencies): Against a backdrop of cyberattacks that amount to full-fledged sabotage, Facebook chief security officer Alex Stamos brought a sobering message to the hackers and security experts assembled at the Black Hat conference in Las Vegas. In effect, he said, it’s time to grow up.
Too many security researchers, he suggested, are focused on “really sexy, difficult problems” that don’t address the common vulnerabilities that allow malware attacks to wreak havoc. And too many securityminded hackers seem intent on demonstrating newly discovered hacks, such as making an ATM spit out cash or taking remote control of an internet-controlled car, rather than shoring up more mundane defenses. While part of that reflects the healthy intellectual curiosity of hackers, it’s also driven by marketing and economic incentives, Stamos said. “I appreciate the showmanship, but we need a little more thoughtfulness, a little less showmanship in our field,” he told reporters after his speech.
Global attacks, serious damage
Since May, the world has been rocked by two major international cyberattacks — the ransomware WannaCry and a likely state-sponsored attack called NotPetya that spread out of Ukraine. Those and other recent digital assaults have paralyzed hospitals, disrupted commerce, caused blackouts and interfered with national elections.
Stamos himself was formerly the chief security officer at Yahoo, which last year disclosed breaches of more than a billion user accounts that dated back to 2013 and 2014.
Matured
Black Hat, now in its 20th year, has matured since what Stamos, a longtime attendee of the computer security conference, described as its “edgy and transgressive” early days. It has grown more professional and corporate over time.
Stamos called for a culture change among hackers and more emphasis on defense — and basic digital hygiene — over the thrilling hunt for undiscovered vulnerabilities. And he called for diversifying an industry that skews white and male, and generally showing more empathy for the people whom security professionals are tasked to protect.
“It’s unfair for us to say that users should be better,” said Stamos, challenging his profession to find better ways to help people solve the most common vulnerabilities, such as reuse of passwords , email phishing attempts , and not updating devices to patch bugs.
Building a wall, metaphorically
Stamos announced that Facebook is investing $1 million to encourage defensive security research through an upcoming contest.
He also revealed the company will contribute $500,000 to a Harvard University-based bipartisan election-security project. That effort will be co-led by former presidential campaign officials for Democrat Hillary Clinton and Republican Mitt Romney. Facebook and its rival Google will help create an information-sharing and analysis hub that Stamos said could help local officials and campaigns prevent attacks.
Stamos isn’t the only one calling for a broader focus on defensive techniques.
“We should celebrate defense,” said conference attendee Amit Yoran, CEO of Columbia, Marylandbased security firm Tenable, and a former cybersecurity official during the administration of President George W. Bush. “We focus on the threat of the day, the attack of the day, instead of focusing on the foundational issues.”
But some attendees — Stamos among them — also point out that the bug-squashing hacker ethos still plays an important foundational role in helping to understand what needs to be fixed.
“Every single hacker is going to start by attacking and trying to hack things,” said Jaime Blasco, a chief scientist at San Mateo, California-based Alienvault, who has been trying to compromise systems since he was a 12-year-old growing up in Spain. “I don’t think it’s bad. If you want to be a good defender, you have to understand hackers, and you have to have been one of them to know what you’re dealing with.”
Facebook Inc will provide initial funding of $500,000 for a nonprofit organization that aims to help protect political parties, voting systems and information providers from hackers and propaganda attacks, the world’s largest social network said on Wednesday.
The initiative, dubbed Defending Digital Democracy, is led by the former campaign chairs for Democrat Hillary Clinton and Republican Mitt Romney, and will initially be based at Harvard University’s Kennedy School of Government, which announced the project last week.
Facebook said it hoped additional participants would turn it into a freestanding information-sharing center controlled by its members. Facebook, with two billion monthly users, bills itself as a vehicle for political debate and education, but was also used as a major platform to spread fake news and propaganda during the US election campaign in 2016.
Facebook Chief Security Officer Alex Stamos announced the company’s backing at the opening of the Black Hat information security conference in Las Vegas on Wednesday. The event, named after the term for malicious hackers, is aimed mainly at corporate and government security professionals.
Stamos declined to say how much money the Facebook would spend.
“Right now we are the founding sponsor, but we are in discussions with other tech organizations,” Stamos said in an interview before the speech. “The goal for our money specifically is to help build a standalone ISAO (Information Sharing and Analysis Organization) that pulls in all the different groups that have some kind of vulnerability.”
The project will be managed by Eric Rosenbach, a former US Assistant Secretary of Defense who is codirector of the Kennedy School’s Belfer Center for Science and International Affairs.
“Most campaigns don’t have the tools right now to defend themselves from cyber attacks,” Clinton campaign chair Robby Mook said in an email. “Our initiative aims to fill that void and to help both Democratic and Republican campaigns defend themselves with greater information-sharing and security tools.”
“This is a forward-looking and bipartisan effort to tackle a real problem,” said 2012 Romney campaign manager Matt Rhoades in an email.