Yahoo-Then-Facebook CISO Alex Stamos Allows Yet Another Massive Data Breach

By Duane Thresher, Ph.D. September 29, 2018
Yesterday, Facebook admitted to yet another massive data breach; 50 million user accounts compromised. Alex Stamos was (Jun 2015 – Aug 2018) Facebook's Chief Information Security Officer (CISO a.k.a. CSO) when the hole that allowed the breach was introduced into Facebook's code (Jul 2017). Stamos was (Mar 2014 – Jun 2015) also CISO of Yahoo during their two massive data breaches (late 2014); 500 million and 1 billion user accounts compromised. Stamos staggeringly exemplifies another aspect of IT incompetence: being overwhelmingly more interested in imposing his political beliefs on customers than in being competent at his high-paid IT job.
According to Facebook, in their current massive data breach:

... attackers exploited a vulnerability in Facebook's code [introduced in July 2017] that impacted "View As", a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people's accounts.

and also

This attack exploited the complex interaction of multiple issues in our code.
Facebook makes it sound like a sophisticated attack, although it was probably an obvious hole to any competent programmer, who would be extra careful with any feature that lets a user pretend to be some other user. This is exactly what a CISO, like Alex Stamos at Facebook at the time (Jun 2015 – Aug 2018), should have been looking out for.
Facebook continued:

... we have yet to determine whether these accounts were misused or any information accessed.

Facebook equates their ignorance, due to IT incompetence and not wanting to know so not looking too hard, with proof that accounts were actually not misused and information not accessed.
Making the attack deceitfully sound sophisticated, i.e. perpetrated by unstoppable geniuses, when most hacks are perpetrated by script kiddies using holes that should already have been patched, and saying absence of evidence is evidence of absence, is typical of the whitewashing of data breaches by IT incompetent organizations. As the victim of not one but two massive health insurer data breaches, I have heard all this nonsense before.
Alex Stamos quit Facebook in August 2018, not over exasperation with Facebook's poor security, but in protest over Facebook's handling of Russian meddling in the 2016 U.S. election. Politics over IT competence.
Before Facebook, Alex Stamos was CISO at Yahoo from March 2014 to June 2015. In late 2014 a data breach occurred at Yahoo that compromised 500 million user accounts. A separate data breach also occurred in 2014 that compromised 1 billion user accounts. Stamos was CISO at Yahoo when he could and should have done something to prevent these massive data breaches.
Alex Stamos is a disaster moving from one place to the next hoping his IT incompetence doesn't catch up with him.
These two massive Yahoo data breaches were admitted only in September and December 2016, respectively, which explains why Facebook still hired Alex Stamos as CISO in June 2015. The data breaches drastically and adversely affected the buying of Yahoo by Verizon, which was being negotiated in late 2016, so it is unlikely that even IT incompetent Facebook would have hired Stamos as CISO had they known.
Alex Stamos quit Yahoo in June 2015, not over exasperation with Yahoo's poor security, but in protest over Yahoo's handling of NSA snooping of Yahoo email (although Facebook allowed exactly the same thing, but maybe Stamos didn't know that yet). Additionally and ironically, while CISO at Yahoo, Stamos got himself invited to testify before Congress about computer security and data privacy. Politics over IT competence.

(Dictionary definition of "yahoo": a person who is not very intelligent and is rude, noisy, or violent.)
Alex Stamos claims to have a BS in Electrical Engineering and Computer Science (EECS) from the University of California, Berkeley. A BS in Electrical Engineering and Computer Science from a good university is what I would require as a minimum for IT competence (and a higher degree for higher positions, like CISO of a Fortune 500 company); see The Most Important IT Credential: An IT Education in Principles of IT Incompetence. I have a BS in EECS from MIT (and a Ph.D. in supercomputing from Columbia); see my Credentials.
So is Alex Stamos IT competent? No. The "good university" clause is the main catch (Stamos also only has a BS, as CISO of Fortune 500 companies). UC Berkeley is the quintessential politics over competence university, and violently so at that. You could have easily predicted Stamos's IT incompetent political loudmouth career based on his being at UC Berkeley for EECS. See IT Hiring: Trading IT Competence for Political Correctness in Principles of IT Incompetence.
Alex Stamos is now at Stanford University "working to make tech safer and more trustworthy for all via teaching and research". A couple of sayings come to mind: "those who can, do; those who can't, teach" and "politics over competence universities, the last refuge of the incompetent". Stanford has drastically degenerated: they hire incompetent non-PhDs as research professors.
Finally, in my last article I warned that Facebook Has A Database Of User ID Photos (not profile photos). I also warned that because of their IT incompetence, Facebook might lose this user ID photo database to hackers, which they very well might have now.
I have been meaning to write an article about biometric ID data, e.g. fingerprints, like Apple and Microsoft have had users submit, and which they could also lose to hackers. I was also going to mention the DNA that people have sent into companies they know nothing about to do genealogical analysis.
Once all this ID data has been lost to hackers — and it will be — hackers will be able to prove they are you better than you can prove you are you.