Tommi - Fotolia
CSO Stamos leaving Facebook, according to reports
News roundup: Is Alex Stamos leaving Facebook? The CSO hasn't confirmed, but reports say yes. Plus, an Orbitz breach exposed the payment card data of 880,000 people, and more.
According to reports, Facebook's chief security officer, Alex Stamos, is leaving the company by August following recent clashes with leadership over Russian manipulations of the platform.
The New York Times reported earlier this week on Stamos leaving Facebook, though there has been no official announcement from either Stamos or Facebook. The report came on the heels of claims that a political data analytics firm, Cambridge Analytica, exploited Facebook's access to gathered user data to influence elections worldwide -- including the 2016 U.S. presidential election.
Stamos reportedly called for more transparency from Facebook on how the Russians were able to to manipulate elections by taking advantage of the social media network and spreading misinformation. However, according to The New York Times, many at Facebook, including those in leadership positions, disagreed with him. As a result, Stamos' day-to-day responsibilities were reassigned in December, and rumors have been floating around about Stamos leaving Facebook altogether.
Despite the reports, however, Stamos tweeted that he is still active in his CSO role.
Despite the rumors, I'm still fully engaged with my work at Facebook. It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security.
— Alex Stamos (@alexstamos) March 19, 2018
Before joining Facebook, Stamos was the chief information security officer at Yahoo, where it was rumored that he also had a disagreement with the top executives over user privacy violations.
In the wake of the reports of Stamos leaving Facebook, security executives from Google and Twitter also announced their departures from their respective companies.
Michal Zalewski, the director of information security engineering at Google, said on Twitter that he would be leaving the company by the end of the month.
So, after almost 11 years, I'm gonna be leaving Google by the end of the month. It's been a fun ride.
— lcamtuf (@lcamtuf) March 21, 2018
There's been no word yet on why Zalewski is leaving Google or what his next move will be.
Twitter's CISO, Michael Coates, also announced he will be leaving his post. Coates said he is leaving to co-found a security startup.
In other news:
- A piece of legislation was introduced in an attempt to improve cybersecurity at the U.S. State Department. Reps. Ted Lieu (D-Calif.) and Ted Yoho (R-Fla.) co-sponsor the bill, called the Hack Your State Department Act. The bill, if enacted, would create a vulnerability disclosure program and a bug bounty program for the State Department. Under the proposed legislation the State Department would be required to detail the amount and severity of security vulnerabilities reported to the House Committee on Foreign Affairs and the Senate Committee on Foreign Relations. The State Department would be able to decide which department should house the program, which type of vulnerabilities the program should target, and would provide the opportunity to name the offices and individuals who would be responsible for dealing with security vulnerability reports. If the bill becomes law, the State Department would have six months to establish the vulnerability disclosure program and a year to set up the bug bounty program.
- Travel website Orbitz disclosed a data breach of 880,000 payment cards this week. Orbitz, which is owned by Expedia, was first made aware of a possible breach of its consumer and partner platforms on March 1. The consumer platform was open to attack during early 2016, and the partner platform was open between January 2016 and December 2017. Compromised data includes customer payment card information, including names, phone numbers, email and billing addresses. Orbitz has said no U.S. consumer data was part of the breach, and Expedia's platform was not affected. While it's unclear how the data breach was made possible, Orbitz said it took place on one of its legacy systems.
- Netflix launched a bug bounty program that's open to the public through Bugcrowd. While the Netflix bug bounty program was by invitation only for the past five years, the entertainment company has now opened the program to the public. The rules for the bug bounty include provisions such as hackers must stop testing and immediately report the issue if they gain access to any nonpublic applications or credentials, and participants must not access the personal data of Netflix customers and employees. Also noted in Netflix's rule guide is that "Netflix will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines." Dropbox similarly updated its bug bounty program rules recently, saying, "And there’s one thing our [vulnerability disclosure policy] does not contain: we don't gate researchers who wish to publish vulnerability details. Using policy or bug bounty payments to muzzle or curate scientific publication would be wrong." Both of these updates are intended to protect security researchers from the legal ramifications of what can be considered ethical hacking.