WebProNews

Category: SecurityProNews

  • Hive Ransomware Now Targets Linux and FreeBSD

    Linux and FreeBSD are being targeted by the latest version of Hive ransomware.

    Hive ransomware was first observed in June 2021, with the FBI warning about it in late August. Initially the ransomware targeted Windows only, but its operators are now expanding to other platforms.

    According to security firm ESET, the hackers behind Hive have been working on a Linux and FreeBSD version.

    For the time being, the Linux and FreeBSD variants are buggy and not very effective. According to ESET, the ransomware only works when run with root privileges; without root, the encryption routine never triggers.

    While it’s good news that the Linux and FreeBSD versions of Hive don’t effectively work yet, “yet” is the operative word. It’s likely only a matter of time until the bugs are worked out, opening the Linux and FreeBSD communities to attack.

  • Microsoft Partnering With Community Colleges to Train Cybersecurity Personnel

    Microsoft is working with community colleges in an effort to train 250,000 cybersecurity personnel by 2025.

    Cybersecurity has become a major concern for companies, governments and organizations around the world. The US has suffered a number of high-profile attacks, many of them at the hands of state-sponsored hackers.

    Microsoft was one of the Big Tech companies that pledged billions to help combat the threat and, in a blog post, company president Brad Smith says tech companies have a responsibility to address those threats.

    “We recognize that no one has a higher responsibility to address cybersecurity threats than leading tech companies,” writes Smith. “It’s why we’ve increased cybersecurity investments and broadened our efforts across Microsoft, working closely with government and business leaders across the country.”

    As part of those efforts, the company is partnering with community colleges to train more cybersecurity personnel.

    “That’s why today Microsoft is launching a national campaign with U.S. community colleges to help skill and recruit into the cybersecurity workforce 250,000 people by 2025, representing half of the country’s workforce shortage,” Smith continues. “While some of these individuals will work at Microsoft, the vast majority will work for tens of thousands of other employers across the country.”

    Smith says the program will help fill a dire shortage of qualified workers, where “for almost every two cybersecurity jobs in the United States today, a third job is sitting empty.”

    As part of Microsoft’s efforts, it will make curriculum available free of charge for all public community colleges, provide training for faculty at 150 such colleges, and provide scholarships and resources to 25,000 students.

  • Only 17% of US Companies Encrypt Over Half of Their Cloud Data

    Despite a seemingly endless litany of data breaches, a new report says only 17% of US companies are encrypting more than half of their cloud data.

    Data breaches have become an everyday occurrence, with company after company notifying users that their data has been exposed. A large share of those exposures come from a database left unencrypted and publicly reachable over the internet.

    Unfortunately, it seems that US companies are a little slow on the uptake, as the 2021 Thales Cloud Security Study shows that 83% are leaving over half of their sensitive cloud data unencrypted.

    Even more concerning, sectors that handle especially sensitive information, such as financial services, transportation, and media and entertainment, are only marginally better: 21% say they encrypt more than half of their sensitive data.

    The report also found a correlation between multicloud deployments and low encryption levels. Of the organizations using multicloud environments, only 15% have encrypted more than 50% of their cloud data.

    The report emphasizes the need for companies to take action to better protect user data.

    To the extent that protecting customer data is a priority, organizations should strongly consider reviewing their strategies and approaches to proactively protect data in cloud, especially sensitive data. This includes understanding the role of specific controls and technologies including authentication, encryption and key management, as well as the shared responsibilities between providers and their customers.

    As data privacy and sovereignty regulations grow across the globe, it will be paramount for end-user organizations to have a clear understanding of how they remain responsible for data security and how they must make clear decisions about just who is in control of and who can access their sensitive data.

    The 2021 Thales Cloud Security Study gives a disturbing glimpse into how cloud-based companies are (mis)handling data and is well-worth a read.

  • Apple’s Craig Federighi a Keynote Speaker at Web Summit 2021

    Apple’s Craig Federighi has been selected as the keynote speaker for the Web Summit 2021 next week.

    Federighi is Apple’s SVP of Software Engineering, and a staple of the company’s WWDC and product-reveal events. Given his role overseeing Apple’s software, he’s a natural fit for the Web Summit 2021 keynote on user privacy and security.

    The conference’s website was updated with the announcement:

    Apple’s SVP of software engineering, Craig Federighi, delivers a keynote address on user privacy and product security.

    Federighi’s keynote is scheduled for Wednesday, November 3.

  • State Department Creating Cyber Office to Address Threats

    Emphasizing the Biden administration’s focus on cybersecurity, the US State Department is creating a new cyber office.

    Cybersecurity is front-and-center among the issues the Biden administration is trying to tackle. Ransomware attacks are on the rise, and many of the most devastating recent attacks have been at the hands of state-sponsored hackers.

    According to The Wall Street Journal, the State Department will reorganize to create “a new bureau of cyberspace and digital policy to be led by a Senate-confirmed ambassador-at-large and a new, separate special envoy for critical and emerging technology.”

    The changes are expected to be announced later this week, and come on the heels of a report by Microsoft that the Russia-backed group behind the SolarWinds attack has been ramping up its activity.

  • Microsoft: Russia-Backed SolarWinds Hackers Targeting Cloud Services

    Microsoft is warning that Nobelium, the group behind the SolarWinds attack, is active again and targeting cloud services.

    Nobelium is a hacker group that is backed by and part of the Russian intelligence service SVR. The group was responsible for the devastating SolarWinds attack in 2020. The hack hit multiple US government agencies, as well as high-profile corporations, including Microsoft.

    Tom Burt, Microsoft Corporate Vice President, Customer Security & Trust, is warning in a blog post that the group is once again active, and is targeting companies that provide cloud services.

    Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.

    Burt warns that Nobelium has already been extremely active in 2021:

    These attacks have been a part of a larger wave of Nobelium activities this summer. In fact, between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years.

    The increased rate of attacks seems to indicate that Russia is working to achieve a long-term digital foothold in various cloud infrastructure platforms.

    This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.

    The revelation is further evidence of the importance of companies and organizations of all sizes having strong, comprehensive security policies in place and building their products with a security-first mindset.

  • Government Agencies Hack REvil Ransomware Group, Taking It Offline

    A group of government agencies have gone on the offensive against the REvil ransomware gang.

    REvil is one of the most notorious and prolific ransomware gangs. The gang is responsible for the Kaseya attack, believed to be the largest ransomware attack in history. REvil was also behind the JBS Foods attack, and its associates were responsible for the Colonial Pipeline attack. The group went dark shortly after the Kaseya hack, before reappearing some time later.

    According to Reuters, a group of US agencies, in cooperation with other countries, have hacked REvil, significantly disrupting its operations.

    “The FBI, in conjunction with Cyber Command, the Secret Service and like-minded countries, have truly engaged in significant disruptive actions against these groups,” said Tom Kellermann, VMware head of cybersecurity strategy and adviser to the U.S. Secret Service. “REvil was top of the list.”

    One of REvil’s leaders, “0_neday,” confirmed the group had been attacked.

    “The server was compromised, and they were looking for me,” 0_neday wrote on a cybercrime forum. “Good luck, everyone; I’m off.”

    Reuters reports that 0_neday is notable as one of the individuals who helped the group resume operations after the Kaseya attack, and who inadvertently opened the door to this takedown. Following the Kaseya attack, law enforcement obtained a decryption key and gained access to some of the group’s servers. After REvil’s websites went offline, 0_neday evidently restored them from backups, unaware the backups had been made after the servers were compromised. That restore handed law enforcement access once again and let them mount their offensive.

    It’s too soon to know if REvil has been dealt a fatal blow, but the disruption is certain to be a welcome respite.

  • Microsoft Accused of Hosting Malware ‘For Years’

    Microsoft is facing additional cybersecurity scrutiny, as a security expert and former employee says OneDrive has hosted malware “for years.”

    Microsoft has not had a good year when it comes to cybersecurity. The company has had a number of high-profile issues with its services, including its Azure cloud platform.

    Kevin Beaumont, a former Microsoft Senior Threat Intelligence Analyst, is calling the company out for not addressing OneDrive abuses.

    https://twitter.com/GossiTheDog/status/1449087925740838922?s=20

    Beaumont also accuses the company of profiting off of its own security failures.

    https://twitter.com/GossiTheDog/status/1449096856194195460?s=20

    Beaumont’s entire thread is a damning indictment of Microsoft’s failures, especially at a time when it is trying to emphasize the importance of cybersecurity.

  • New York Times: ‘Stop Paying for a VPN’

    Writing for the New York Times, Brian X. Chen makes the case that it’s time to stop paying for VPNs.

    Virtual private networks (VPNs) are popular tools for protecting privacy online. A VPN encrypts a person’s traffic and routes it through the provider’s servers, so the individual’s ISP sees only an encrypted tunnel to the VPN rather than the websites being visited, and those websites see the VPN’s IP address rather than the user’s. The trade-off is that the VPN provider itself now sees everything the ISP used to, which is why the provider’s trustworthiness matters so much.

    Unfortunately, the world of VPNs can be among the most mysterious and opaque in the software industry. Many companies’ ownership is obscured, making it difficult for customers to have any real sense of accountability. Still others engage in activities and practices that are questionable at best, such as ExpressVPN knowingly hiring a former US intelligence operative who worked as a hacker-for-hire for the United Arab Emirates.

    Even worse, as Chen points out, a number of high-profile and popular VPN services have been purchased by shady companies. Kape Technologies is one such company, and has been accused of developing malware by Google and the University of California. Unfortunately, Kape has bought CyberGhost VPN, Zenmate and ExpressVPN, the latter a service that routinely receives high scores and recommendations from a slew of publications.

    Chen makes the case that the current state of the web, where the vast majority of websites use HTTPS, makes VPNs unnecessary for most users. In addition, for Apple users, iCloud Private Relay is specifically designed to provide a layer of privacy, although it only covers Safari browsing and DNS lookups rather than all of a device’s traffic, so it doesn’t truly compete with a VPN.

    As Chen points out, there are some situations where a VPN is useful, specifically when a user needs to mask their location in order to access certain content.

    All-in-all, Chen’s piece is a thought-provoking look at an industry that, while once invaluable, may no longer be meeting the vast majority of its users’ needs.

  • 90% of AWS S3 Buckets Are Vulnerable to Ransomware

    AWS is the leading cloud provider, but new research shows that 90% of S3 buckets are vulnerable to ransomware attack.

    AWS is the leading cloud provider, and has a good reputation for security and reliability. Despite that, however, research from Ermetic shows that identities pose a serious risk to security and open buckets up to the possibility of a ransomware attack.

    The IT community regards S3 buckets as extremely reliable. What organizations typically don’t realize is that the biggest risk to this storage comes from another source: identities. A compromised identity with a toxic combination of entitlements can easily perform ransomware on an organization’s data. Recent Ermetic research found that ransomware-vulnerable combinations are very common — putting most organizations using S3 buckets at risk.

    According to Ermetic, every enterprise environment the company studied had at-risk identities, with 90% of AWS S3 buckets vulnerable. A whopping 70% of machines were publicly exposed to the internet with permissions that could be exploited. Some 45% of environments had third-party identities whose privileges could be escalated to admin level. In addition, 80% had IAM users with access keys that had not been used for at least 180 days but were still enabled.
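    The "toxic combination of entitlements" above is concrete enough to check for. The following is an added example, not Ermetic’s tooling or anything from the report: it evaluates constructed IAM policy documents against a bucket to see whether an identity can both enumerate the bucket and delete or overwrite its contents (the grouping of actions is an assumption for illustration), and it flags access keys that are still active but have gone unused for 180 days, the second condition the report counts. Policies, key records and key IDs are all made up inline.

```python
"""Added example (not Ermetic's tooling): flag IAM identities whose S3
entitlements form a ransomware-capable combination for a given bucket, and
access keys that are still enabled but have gone unused for 180 days.
Every policy document and key record below is constructed inline."""
import fnmatch
from datetime import datetime, timedelta, timezone

# Action groups are an assumption for illustration; the exact combinations
# Ermetic scored are not published on the page.
ENUMERATE = {"s3:ListBucket", "s3:ListAllMyBuckets"}
DESTRUCTIVE = {"s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObject",
               "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _statement_covers(stmt, bucket_arn):
    """True if any Resource pattern matches the bucket ARN or its objects."""
    targets = (bucket_arn, bucket_arn + "/*")
    return any(fnmatch.fnmatchcase(t, pat)
               for pat in _as_list(stmt.get("Resource")) for t in targets)


def allowed_actions(policy, bucket_arn, candidates):
    """Subset of `candidates` granted by an Allow and not revoked by a Deny.
    Wildcards such as 's3:*' or 's3:Delete*' are honoured. NotAction and
    Condition blocks are deliberately ignored, so treat the result as an
    upper bound on what the identity can do."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if not _statement_covers(stmt, bucket_arn):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in candidates:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                target.add(action)
    return allowed - denied


def ransomware_capable(policy, bucket_arn):
    """An identity that can list a bucket and delete or overwrite what it
    finds can encrypt-and-extort without any further privilege escalation."""
    granted = allowed_actions(policy, bucket_arn, ENUMERATE | DESTRUCTIVE)
    return bool(granted & ENUMERATE) and bool(granted & DESTRUCTIVE)


def audit_identities(policies, bucket_arn):
    """Names of identities whose policy is ransomware-capable for the bucket."""
    return sorted(name for name, pol in policies.items()
                  if ransomware_capable(pol, bucket_arn))


def stale_enabled_keys(keys, now, max_age_days=180):
    """Active keys whose last use (or creation, if never used) is older than the cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active"
            and (k.get("LastUsedDate") or k["CreateDate"]) < cutoff]


# Constructed sample inputs (hypothetical identities, bucket and key IDs).
SAMPLE_POLICIES = {
    "backup-writer": {"Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:PutObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::prod-data", "arn:aws:s3:::prod-data/*"]}]},
    "report-reader": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": "arn:aws:s3:::prod-data*"},
        {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]},
    "ci-admin": {"Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
}
NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE0001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=700), "LastUsedDate": NOW - timedelta(days=400)},
    {"AccessKeyId": "AKIAEXAMPLE0002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30), "LastUsedDate": NOW - timedelta(days=3)},
    {"AccessKeyId": "AKIAEXAMPLE0003", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=700), "LastUsedDate": NOW - timedelta(days=400)},
    {"AccessKeyId": "AKIAEXAMPLE0004", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200), "LastUsedDate": None},
]

if __name__ == "__main__":
    print("ransomware-capable:", audit_identities(SAMPLE_POLICIES, "arn:aws:s3:::prod-data"))
    print("stale but enabled:", stale_enabled_keys(SAMPLE_KEYS, NOW))
```

    Running it flags backup-writer and ci-admin for the prod-data bucket and keeps report-reader out, because its explicit Deny on s3:Delete* removes the destructive half of the combination. In a real account the same logic has to be fed the effective permissions after bucket policies, permission boundaries, SCPs and Condition keys are applied, and a bucket with versioning plus Object Lock blunts the delete-and-overwrite path even when an identity holds these actions.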

    “Very few companies are aware that data stored in cloud infrastructures like AWS is at risk from ransomware attacks, so we conducted this research to investigate how often the right conditions exist for Amazon S3 buckets to be compromised,” said Shai Morag, CEO of Ermetic. “We found that in every single account we tested, nearly all of an organization’s S3 buckets were vulnerable to ransomware. Therefore, we can conclude that it’s not a matter of if, but when, a major ransomware attack on AWS will occur.”

    In a statement to WebProNews, Saumitra Das, Blue Hexagon CTO and Cofounder, said Ermetic’s research highlights the need to detect threats instead of simply trying to fix misconfigurations.

    “This report highlights the urgent need to ‘detect threats’ in the cloud and not just focus on misconfigurations,” Das said. “Research from Cloud Security Alliance shows that even if misconfigurations are detected in S3 buckets or IAM access keys not being used for a long time, it takes a while for these to get detected and remediated – sometimes days, weeks and even months. It also highlights that ransomware is not just an on-premises problem but as the pandemic has accelerated cloud migration of workloads it has also accelerated cloud migration for attackers and ransomware criminal operators.”

    Das said there are three things companies must monitor, including runtime activity of identities; cloud storage, including read/write patterns; and network activity, which can help companies ascertain when instances are exposed to the internet and their identities misused.

    “You cannot guarantee that mistakes like identities being enabled for too long, too permissive, leaked in code will not happen,” Das continued. “They can only be reduced. On the other hand, keeping an eye on active attacks on the cloud infrastructure can thwart attackers from gaining enough privilege and access to ransom the data.”

  • Twitch Suffers Devastating Cyberattack Exposing Source Code

    Twitch, the popular video game streaming platform, suffered a major cyberattack that exposed its source code and payment model.

    Source code and financial details are some of the most sensitive information that companies take great pains to protect. Unfortunately for the Amazon-owned streaming service, that’s exactly what hackers exposed.

    “Jeff Bezos paid $970 million for this, we’re giving it away FOR FREE,” wrote one of the hackers, via Mashable, referencing the “entirety” of Twitch.tv’s source code, dating “back to its early beginnings.”

    It appears Twitch was specifically targeted, with the hackers citing the platform’s “disgusting toxic cesspool” as a motive, along with a desire to foster greater competition in the market.

    The hack also included information about how much Twitch pays its creators, from 2019 to the present.

    The company acknowledged it suffered a breach, and is working hard to investigate the incident.

    We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party. Our teams are working with urgency to investigate the incident.

  • Lawmakers Introduce Bill Requiring Disclosure of Ransomware Payments

    Senator Elizabeth Warren and Representative Deborah Ross have introduced a bill that would require companies to disclose ransomware payments.

    Ransomware has become one of the biggest cybersecurity threats in recent years. Businesses and organizations of all sizes, including government agencies, have been targeted. While the FBI discourages organizations from paying a ransom, there is an understanding that sometimes it’s necessary to quickly get back up and running.

    Many companies choose not to disclose ransomware payments, for fear they will become an even bigger target once hackers realize they are willing to pay. The Ransom Disclosure Act would change that, requiring full disclosure within 48 hours.

    “Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” said Senator Warren. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”

    “Ransomware attacks are becoming more common every year, threatening our national security, economy, and critical infrastructure,” said Congresswoman Ross. “Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions. I’m proud to introduce this legislation with Senator Warren which will implement important reporting requirements, including the amount of ransom demanded and paid, and the type of currency used. The U.S. cannot continue to fight ransomware attacks with one hand tied behind our back. The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation.”

    The bill seems designed to protect organizations from backlash, as the reports will be to the Department of Homeland Security (DHS). Although DHS will be required to disclose the previous year’s reports, those reports will exclude “identifying information about the entities that paid ransoms.”

  • White House Will Convene 30 Countries to Combat Cybersecurity Threats

    The Biden administration is planning a meeting that will involve some 30 countries in a coordinated effort to combat cybersecurity threats.

    Cybersecurity has been a growing concern, and ransomware in particular has emerged as one of the most successful and dangerous forms of cybercrime. Companies and organizations of all sizes, and across all sectors, have been impacted. Especially devastating have been ransomware attacks against supply chain targets, such as the Colonial Pipeline and the JBS Foods attacks.

    The White House is preparing to organize an alliance of countries whose goal will be to fight back, according to CNN.

    “Cyber threats affect the lives and livelihoods of American families and businesses,” national security adviser Jake Sullivan told CNN.

    The alliance will work “to accelerate our cooperation in combatting cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically.”

  • 96% of Third-Party Cloud Container Apps Have Known Vulnerabilities

    A whopping 96% of third-party cloud container apps have known vulnerabilities, highlighting ongoing cloud security challenges.

    Cloud computing is often touted as more secure than traditional options. Unfortunately, this is only true if all parties involved make security a prime objective.

    According to Palo Alto Networks’ Unit 42 team, some 96% of third-party container apps have known vulnerabilities. In addition, 63% of third-party code templates contain insecure configurations.

    The news is especially concerning given the rise of supply chain attacks. Hackers are increasingly targeting widely used third-party software, services, containers and plugins. Successfully compromising a single vendor whose product is used by thousands of customers can have a far greater impact than compromising a single target.

    Unit 42 highlights the danger of supply chain cloud attacks:

    In most supply chain attacks, an attacker compromises a vendor and inserts malicious code in software used by customers. Cloud infrastructure can fall prey to a similar approach in which unvetted third-party code could introduce security flaws and give attackers access to sensitive data in the cloud environment. Additionally, unless organizations verify sources, third-party code can come from anyone, including an Advanced Persistent Threat (APT).

    Organizations that want to stay secure must start making DevOps security a priority:

    Teams continue to neglect DevOps security, due in part to lack of attention to supply chain threats. Cloud native applications have a long chain of dependencies, and those dependencies have dependencies of their own. DevOps and security teams need to gain visibility into the bill of materials in every cloud workload in order to evaluate risk at every stage of the dependency chain and establish guardrails.
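    The point about dependencies of dependencies is easiest to see with a worked walk of a dependency graph. The following is an added example, not Unit 42’s tooling or anything from its report: it builds the bill of materials for a constructed workload by walking the graph transitively, then matches every reachable component against a constructed advisory list and reports the path that pulls each vulnerable component in. Package names, versions and advisory identifiers are all hypothetical.

```python
"""Added example (not Unit 42's tooling): walk a workload's dependency graph to
list every transitive component, then match each against an advisory list.
The graph and advisories are constructed for illustration; advisory ids are
hypothetical."""
from collections import deque

# Constructed graph: package -> direct dependencies, each a (name, version) pair.
GRAPH = {
    ("web-app", "1.0.0"): [("http-server", "2.3.1"), ("templating", "0.9.0")],
    ("http-server", "2.3.1"): [("compression", "1.7.4")],
    ("templating", "0.9.0"): [("escape-utils", "1.0.2")],
    ("compression", "1.7.4"): [("zlib-bindings", "0.4.1")],
    ("escape-utils", "1.0.2"): [],
    ("zlib-bindings", "0.4.1"): [],
}

# Constructed advisories: package -> (first fixed version, advisory id).
ADVISORIES = {
    "zlib-bindings": ("0.4.2", "EXAMPLE-ADV-001"),
    "escape-utils": ("1.0.3", "EXAMPLE-ADV-002"),
    "templating": ("0.9.0", "EXAMPLE-ADV-003"),  # 0.9.0 is already the fixed release
}


def parse_version(version):
    """Dotted numeric versions only; real ecosystems need their own comparators."""
    return tuple(int(part) for part in version.split("."))


def matching_advisory(name, version, advisories):
    """Advisory id if `version` is below the first fixed release, else None."""
    if name not in advisories:
        return None
    fixed, advisory_id = advisories[name]
    return advisory_id if parse_version(version) < parse_version(fixed) else None


def bill_of_materials(root, graph):
    """Breadth-first walk: every reachable component with its shortest path from root."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in paths:
                paths[dep] = paths[node] + [dep]
                queue.append(dep)
    return paths


def vulnerable_components(root, graph, advisories):
    """Findings sorted by depth, so direct dependencies are listed first."""
    findings = []
    for (name, version), path in bill_of_materials(root, graph).items():
        advisory_id = matching_advisory(name, version, advisories)
        if advisory_id:
            findings.append({
                "package": name, "version": version, "advisory": advisory_id,
                "depth": len(path) - 1,
                "path": " -> ".join(f"{n}@{v}" for n, v in path),
            })
    return sorted(findings, key=lambda f: (f["depth"], f["package"]))


if __name__ == "__main__":
    for finding in vulnerable_components(("web-app", "1.0.0"), GRAPH, ADVISORIES):
        print(f"{finding['advisory']}: {finding['path']}")
```

    Neither vulnerable component is a direct dependency of web-app: escape-utils arrives two hops down and zlib-bindings three, which is exactly the visibility a manifest of direct dependencies does not give you. A real pipeline would generate the graph from the built image or lockfile rather than by hand, and the source-verification point in the Unit 42 quote still applies: a component that resolves to an unpinned or unsigned upstream is a risk even when no advisory matches it.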

  • Android SMS Malware Using Fake COVID-19 Notifications to Spread

    A dangerous Android SMS malware has been using fake COVID-19 notifications to spread in the US and Canada.

    Security firm Cloudmark has issued a report on the new malware, dubbed TangleBot. The malware is particularly dangerous, as it allows the attackers a significant degree of information access and control over the compromised device.

    TangleBot uses SMS text message lures with content about COVID regulations and the third dose of COVID vaccines to trick mobile subscribers into downloading malware that compromises the security of the device and configures the system to allow for the exfiltration of confidential information to systems controlled by the attacker(s). The malware has been given the moniker TangleBot because of its many levels of obfuscation and control over a myriad of entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, and camera and microphone.

    Until a security patch is released, Cloudmark recommends that users not respond to unsolicited enterprise or commercial text messages, and not click on any links in them. If a user believes a text may be legitimate, it is still safer to manually enter the address in a web browser than to click the link in the message.

  • ExpressVPN Linked to UAE Spy Ring, Company’s Integrity in Question

    ExpressVPN may be one of the most popular VPN options available, but some are calling for users to abandon it as its integrity is now in question.

    The US intelligence community was rocked by accusations that former operatives had turned mercenary-for-hire, working for the UAE to surveil the regime’s critics. Code-named “Project Raven,” the operatives’ efforts were not restricted to the UAE. Instead, Project Raven included surveillance of the regime’s critics around the world, including in the US. The targets included activists and journalists.

    This revelation has roped in ExpressVPN, because one of the former intelligence operatives who worked on Project Raven is the company’s Chief Information Officer, Daniel Gericke. Some assumed ExpressVPN was unaware of Gericke’s past when it hired him, but the company has said it was aware of that past and hired him anyway.

    The news has not gone over well with the company’s critics or customers. In fact, Gizmodo has gone so far as to say customers should look for other options.

    ExpressVPN acknowledged how much it knew about Gericke’s past in a statement:

    When we hired Daniel in December 2019, we knew his background: 20 years in cybersecurity, first with the U.S. military and various government contractors, then with a U.S. company providing counter-terrorism intelligence services to the U.S. and its ally, the U.A.E., and finally with a U.A.E. company doing the same work. We did not know the details of any classified activities, nor of any investigation prior to its resolution this month.

    The investigation ExpressVPN mentions is one led by US prosecutors. A deal was reached in which the defendants, including Gericke, were able to avoid jail time in exchange for fines, cooperation and certain employment restrictions.

    ExpressVPN goes on to explain why it hired Gericke:

    To do that job effectively—to do it, as we believe, better than anyone else in our industry—requires harnessing all the firepower of our adversaries. The best goalkeepers are the ones trained by the best strikers. Someone steeped and seasoned in offense, as Daniel is, can offer insights into defense that are difficult, if not impossible, to come by elsewhere. That’s why there is a well-established precedent of companies in cybersecurity hiring talent from military or intelligence backgrounds.

    The company says its decision ultimately paid off:

    Since Daniel joined us, he has performed exactly the function that we hired him to do: He has consistently and continuously strengthened and reinforced the systems that allow us to deliver privacy and security to millions of people.

    Even if ExpressVPN was not aware of an active investigation into Gericke, it’s hard to imagine the company couldn’t see potential issues if they were aware of his past as they say they were.

  • Google, Microsoft and Oracle Had the Most Vulnerabilities in Early 2021

    AtlasVPN released a new report detailing the state of cybersecurity vulnerabilities in early 2021, and it’s bad news for Google, Microsoft and Oracle.

    The first half of 2021 has seen some of the biggest cybersecurity breaches in history. Colonial Pipeline, JBS Foods and Kaseya were victims of devastating ransomware attacks. Microsoft has warned Azure users of severe security issues in its cloud platform, Apple has released iOS updates to address an exploit used by NSO Group to hack journalists’ iPhones, and the SolarWinds attack compromised both government and commercial organizations.

    According to AtlasVPN, however, Google takes the top place for the most vulnerabilities in the first half of 2021, coming in at 547. Microsoft came in second place at 432, while Oracle rounded out the top three with 316. Interestingly, the other seven entries in the top 10 accounted for 643 vulnerabilities in total, fewer than any two of the top three combined and only slightly more than Google alone.

    It’s not particularly surprising that Google and Microsoft took the top two spots: their products are so widely deployed that a single exploit against them gives hackers the broadest possible reach.

    Exploiting vulnerabilities in Google or Microsoft products allows cybercriminals to probe millions of systems. While the tech giants are doing a fair job of keeping up with exploits and constantly updating their software, people and organizations need to follow suit and keep up with the updates to prevent further exploitation.

  • Microsoft and Amazon May Be Headed for a Fight Over Charlie Bell

    Microsoft scored a major victory when it poached longtime Amazon exec Charlie Bell, but the fight to use him may be just getting started.

    Charlie Bell was a 23-year veteran of Amazon and a leading candidate to replace Andy Jassy as AWS CEO when the latter replaced Jeff Bezos as Amazon’s CEO. Needless to say, Bell surprised many when he accepted employment at Microsoft, Amazon’s main cloud competitor.

    Initially, Bell was listed as reporting to executive vice president and HR head Kathleen Hogan, an odd place for a veteran cloud executive to land. As we mentioned in our coverage, the listing was likely temporary until an official announcement could be made.

    It appears Bell has now been given an official role, at least in name, leading the newly formed Security, Compliance, Identity, and Management team. He made the announcement on LinkedIn.

    I’m thrilled to join Microsoft to take on one of the greatest challenges of our time, leading a newly formed engineering organization: Security, Compliance, Identity, and Management. As digital services have become an integral part of our lives, we’re outstripping our ability to provide security and safety. It’s constantly highlighted in the headlines we see every day: fraud, theft, ransomware attacks, public exposure of private data, and even attacks against physical infrastructure. This has been weighing on my mind and the best way I can think to describe it is “digital medievalism,” where organizations and individuals each depend on the walls of their castles and the strength of their citizens against bad actors who can simply retreat to their own castle with the spoils of an attack.

    Bell also had high praise for his new employer, and its ability to help address these challenges.

    We all want a world where safety is an invariant, something that is always true, and we can constantly prove we have. We all want digital civilization. I believe Microsoft is the only company in a position to deliver this and I couldn’t be more excited to work with this talented team to make the world safer for every person and organization on the planet.

    The elephant in the room, however, is how Amazon will respond. The company is notorious for suing employees who leave for rival companies, citing the non-compete agreements they signed.

    Microsoft, along with CEO Satya Nadella, hinted at the potential issues Amazon might raise.

    “We’re sensitive to the importance of working through these issues together, as we’ve done when five recent Microsoft executives moved across town to work for Amazon,” Microsoft said in a statement, according to Bloomberg.

    Nadella told employees in an email that Bell would start in his new role when “a resolution is reached with his former employer.”

    Microsoft’s statement is an interesting choice of words, drawing attention to how it handled losing five of its own executives to Amazon. The not-so-subtle implication is that Amazon should tread carefully lest Microsoft give it a taste of its own medicine.

  • Ditch the Password for Your Microsoft Account

    Microsoft has announced that users can ditch the password for their accounts, a move that brings a new level of convenience and security.

    Remembering passwords has always been a challenge for many, one that grows with the number of services, apps and platforms a person uses. Add in some passwords being caught in data breaches and needing to be replaced, and keeping up with one’s passwords quickly becomes a chore.

    Microsoft is trying to help ease that frustration by making passwordless login a reality. CEO Satya Nadella tweeted about it Wednesday, September 15:

    Vasu Jakkal, Corporate Vice President of Security, Compliance and Identity, expanded on how the feature will work.

    For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision. In March 2021, we announced that passwordless sign in was generally available for commercial users, bringing the feature to enterprise organizations around the world.

    Beginning today, you can now completely remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. This feature will be rolled out over the coming weeks.

  • Rotten Apple: Company Has a Bad Reputation in the Security Industry

    Apple may be a leading consumer electronics company, but it isn’t making any friends in the security industry and may be leaving users vulnerable.

    Like many tech companies, Apple uses bug bounties to encourage white hat hackers — security researchers and ethical hackers — to try to find and report security issues so the company can fix them before they’re exploited in the wild.

    Unfortunately, the company is frustrating the very security researchers it depends on, according to The Washington Post. The company has developed a reputation for not always paying researchers what they believe they’re owed and being slow to fix the problems reported to them.

    Apple has a well-established reputation for secrecy, and the company is applying that same culture to its dealings with security researchers. Unlike other companies that publicly recognize researchers for their accomplishments and provide support and resources, Apple remains tight-lipped. The company often doesn’t provide feedback on whether or when a bug will be fixed. Worst of all, Apple is typically opaque about how it classifies bugs, meaning researchers have little information or recourse when the company doesn’t pay what the researcher thinks the bug is worth.

    In short, Apple’s approach is a recipe for disaster. Some researchers no longer bother notifying Apple of bugs they find, opting instead to sell them to governments or simply go public without giving Apple time to fix them first.

    Ultimately, researchers are concerned Apple’s users will pay the price.

  • WWW Inventor Sir Tim Berners-Lee Joins ProtonMail Advisory Board

    Sir Tim Berners-Lee, known for inventing the World Wide Web and the first web browser, has joined ProtonMail’s advisory board.

    ProtonMail, despite recent controversy, is one of the most private and secure email platforms available, featuring full end-to-end encryption. While Sir Tim Berners-Lee may be best known for inventing the web, in recent years he’s become a staunch privacy advocate, making him a natural fit for ProtonMail.

    The company made the announcement on its blog:

    We are proud and humbled to announce that Sir Tim Berners-Lee, a fellow former scientist from the European Organization for Nuclear Research (CERN) and the inventor of the World Wide Web, will be joining Proton’s advisory board.

    Our vision is to build an internet where privacy is the default by creating an ecosystem of services accessible to everyone, everywhere, every day. It is what drives everything we do, from our development of transparent and encrypted services to our advocacy for better data protection laws.

    “I’m delighted to join Proton’s advisory board and support Proton on their journey. I am a firm supporter of privacy, and Proton’s values to give people control of their data are closely aligned to my vision of the web at its full potential,” said Sir Tim.