Yahoo-Then-Facebook CISO Alex Stamos Allows Yet Another Massive Data Breach
By Duane Thresher, Ph.D. September 29, 2018
Yesterday, Facebook admitted to yet another massive data breach; 50 million user accounts compromised. Alex Stamos was (Jun 2015 - Aug 2018) Facebook's Chief Information Security Officer (CISO a.k.a. CSO) when the hole that allowed the breach was introduced into Facebook's code (Jul 2017). Stamos was (Mar 2014 - Jun 2015) also CISO of Yahoo during their two massive data breaches (late 2014); 500 million and 1 billion user accounts compromised. Stamos staggeringly exemplifies another aspect of IT incompetence: being overwhelmingly more interested in imposing his political beliefs on customers than in being competent at his high-paid IT job.
According to Facebook, in their current massive data breach:
... attackers exploited a vulnerability in Facebook’s code [introduced in July 2017] that impacted "View As", a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.

and also

This attack exploited the complex interaction of multiple issues in our code.

Facebook makes it sound like a sophisticated attack, although it was probably an obvious hole to any competent programmer, who would be extra careful with any feature that lets a user pretend to be some other user. This is exactly what a CISO, like Alex Stamos at Facebook at the time (Jun 2015 - Aug 2018), should have been looking out for.

... we have yet to determine whether these accounts were misused or any information accessed.

Facebook equates their ignorance, due to IT incompetence and not wanting to know so not looking too hard, with proof that accounts were actually not misused and information not accessed.
Making the attack deceitfully sound sophisticated, i.e. perpetrated by unstoppable geniuses, when most hacks are perpetrated by script kiddies using holes that should already have been patched, and saying absence of evidence is evidence of absence, is typical of the whitewashing of data breaches by IT incompetent organizations. As the victim of not one but two massive health insurer data breaches, I have heard all this nonsense before.
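To illustrate the point about features that let one user pretend to be another, here is an added toy example; it is not Facebook's code and is not a reconstruction of the actual Facebook bug. It contrasts a "view as" preview that mints the viewed-as user's real session token with one that keeps any issued token bound to the viewer; the function names, token format and signing key are all constructed for the example.

```python
# Added example (constructed, not Facebook's code): a minimal bearer-token
# service with two versions of a "view as" preview feature.
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # placeholder for the real signing secret


def mint_token(user_id: str, scope: str) -> str:
    """Issue a signed token: urlsafe_b64(payload).hex(hmac-sha256)."""
    payload = json.dumps({"sub": user_id, "scope": scope}, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def authenticate(token: str) -> Optional[str]:
    """Return the user id this token logs in as, or None if it cannot log in."""
    try:
        b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    # Only a full "session" scope grants a login; preview scopes never do.
    return claims["sub"] if claims["scope"] == "session" else None


def view_as_vulnerable(viewer: str, target: str) -> dict:
    # Renders the profile "as" the target by minting the target's own session
    # token. Whoever captures this token from the page now controls the target.
    return {"rendered_for": target, "token": mint_token(target, "session")}


def view_as_hardened(viewer: str, target: str) -> dict:
    # The preview is a render-time flag only: the token stays bound to the
    # viewer and carries a scope that authenticate() refuses to log in with.
    return {"rendered_for": target, "token": mint_token(viewer, "preview:" + target)}
```

The check a reviewer would want is the last assertion below: a token handed out by the preview feature must never authenticate as anyone, least of all the impersonated user.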
Alex Stamos quit Facebook in August 2018, not over exasperation with Facebook's poor security, but in protest over Facebook's handling of Russian meddling in the 2016 U.S. election. Politics over IT competence.
Before Facebook, Alex Stamos was CISO at Yahoo from March 2014 to June 2015. In late 2014 a data breach occurred at Yahoo that compromised 500 million user accounts. A separate data breach also occurred in 2014 that compromised 1 billion user accounts. Stamos was CISO at Yahoo when he could and should have done something to prevent these massive data breaches.
These two massive Yahoo data breaches were admitted only in September and December 2016, respectively, which explains why Facebook still hired Alex Stamos as CISO in June 2015. The data breaches drastically and adversely affected the buying of Yahoo by Verizon, which was being negotiated in late 2016, so it is unlikely that even IT incompetent Facebook would have hired Stamos as CISO had they known.
Alex Stamos quit Yahoo in June 2015, not over exasperation with Yahoo's poor security, but in protest over Yahoo's handling of NSA snooping of Yahoo email (although Facebook allowed exactly the same thing, but maybe Stamos didn't know that yet). Additionally and ironically, while CISO at Yahoo, Stamos got himself invited to testify before Congress about computer security and data privacy. Politics over IT competence.
(Dictionary definition of "yahoo": a person who is not very intelligent and is rude, noisy, or violent.)
Alex Stamos claims to have a BS in Electrical Engineering and Computer Science (EECS) from the University of California, Berkeley. A BS in Electrical Engineering and Computer Science from a good university is what I would require as a minimum for IT competence (and a higher degree for higher positions, like CISO of a Fortune 500 company); see Stop IT Incompetence. I have a BS in EECS from MIT (and a Ph.D. in supercomputing from Columbia); see my Credentials.
So is Alex Stamos IT competent? No. The "good university" clause is the main catch (Stamos also only has a BS as CISO of Fortune 500 companies). UC Berkeley is the quintessential politics over competence university, and violently so at that. You could have easily predicted Stamos's IT incompetent political loudmouth career based on his being at UC Berkeley for EECS.
Alex Stamos is now at Stanford University "working to make tech safer and more trustworthy for all via teaching and research". A couple of sayings come to mind: "those who can, do; those who can't, teach" and "politics over competence universities, the last refuge of the incompetent". Stanford has drastically degenerated: they hire incompetent non-PhD's as research professors.
Finally, in my last article I warned that Facebook Has A Database Of User ID Photos (not profile photos). I also warned that because of their IT incompetence, Facebook might lose this user ID photo database to hackers, which they very well might have now.
I have been meaning to write an article about biometric ID data, e.g. fingerprints, like Apple and Microsoft have had users submit, and which they could also lose to hackers. I was also going to mention the DNA that people have sent into companies they know nothing about to do genealogical analysis.
Once all this ID data has been lost to hackers -- and it will be -- hackers will be able to prove they are you better than you can prove you are you.