“One customer can see the other customer’s data, Amazon can see your data, and the customers can change the Amazon code and hack the system,” Oracle CTO Larry Ellison said last week.

(Note: After an award-winning career in the media business covering the tech industry, Bob Evans was VP of Strategic Communications at SAP in 2011, and Chief Communications Officer at Oracle from 2012 to 2016. He now runs his own firm, Evans Strategic Communications LLC.)

CLOUD WARS – Oracle founder Larry Ellison this week said businesses using arch-rival Amazon’s AWS cloud have become major cybersecurity threats because the AWS cloud architecture allows them to see and steal data belonging to other customers using the AWS cloud.

Ellison made the remarks in a keynote at Oracle’s annual OpenWorld conference on Monday while extolling the advantages of Oracle’s new Generation 2 Cloud versus traditional cloud architecture such as what he said Amazon currently uses.

The comments were striking because while cybersecurity has unquestionably become one of the major issues for business leaders in our increasingly digital economy, the blame for cyber attacks and cybercrime has rarely been put on customers—instead, organized teams of cybercriminals and/or nation-states looking to exploit digital weaknesses in other countries have almost always been named as the culprits.

But Ellison on multiple occasions cited AWS “customers” as the agents or potential agents of data manipulation, data exfiltration and data theft—and I’ll offer verbatim examples from his keynote in just a moment.

Before getting to those verbatim comments, I want to offer a few thoughts that help provide some context for Ellison’s remarks—because while cybersecurity and cyberattacks have been a major theme in some of Ellison’s recent public presentations, he has never, as far as I can discover, cited “customers” as the bad guys.

  1. It’s essential to understand that Oracle and Amazon are arch-rivals in the cloud, and that relative to Amazon’s whopping market share in the public-cloud infrastructure segment, Oracle’s presence is almost nonexistent. So Ellison clearly had a purpose in attempting to make a dramatic case for how and why Oracle’s new “Gen 2 Cloud” is radically different from and superior to the traditional architecture used by AWS—and perhaps he figured the “customer” angle would draw attention.
  2. When I reached out to Oracle’s communications team to request some data or research that would substantiate Ellison’s contentions that business customers using the AWS cloud have become major cybersecurity threats, I was told that “bad actors can pose as customers on any public cloud, so from the perspective of an actual customer, a bad actor is a ‘customer.’” I’ll share more of the rationale from that Oracle spokesperson as well.
  3. And third, it’s important to remember that while Ellison has been quite forceful and eloquent in highlighting the danger of not only cybercrime but also cyberterrorism, he has not to my knowledge ever spoken of business customers as being part of that threat. So why make that huge change now, particularly knowing that his OpenWorld keynotes always draw huge interest? By contrast, to see how he’s framed his thoughts on cybersecurity in the past, please check out two of my earlier Forbes.com pieces: Equifax Breach ‘Won’t Be Isolated Attack,’ Says Oracle Founder Larry Ellison and Larry Ellison on Cyber Attacks: ‘It’s A War—And We’re Losing This Cyberwar’.

So let’s take a look at Ellison’s verbatim comments about customers as cyberthreats and cybercriminals, which I transcribed from the video archive of his keynote address:

  • “If you look at the AWS cloud, in that machine could be one customer, could be multiple customers—but in that machine is the AWS cloud-control code sharing the computer with customer code. That means you better trust your customers—you better trust all your customers.”
  • “If you’re going to let your customers inject code—or use the computer that you use to control the cloud—if you’re going to let customers share that computer, the computer you use to control your cloud—and those customers are smart—they can look at your cloud-control code. They can change your cloud-control code; they can move from one computer to the other. They can look at other customers’ data.”
  • “They can schedule—the other customers’ data is exfiltrated out of the cloud someplace else. And they can make sure that you get the bill—twice! You pay for the exfil[tration], and your data is lost.”
  • “If you have a single shared computer running your cloud and running your customer code, one customer can see the other customer’s data, Amazon can see your data, and the customers can change the Amazon code and hack the system and take control of the code and steal data.”
  • “But we will never put our cloud-control code in this same computer that has customer code—that creates an incredible vulnerability to our cloud-control system. So we’ve added a completely separate network of dedicated cloud-control computers that not only protect the perimeter of the cloud—protect from threats coming from the outside and getting into the cloud—but we also form a perimeter around each individual customer zone. So customers can’t get out of their zone and into your [zone]. And they can’t hack our cloud-control computer because there’s no way to access it—there’s no access to our cloud-control computer. They can’t look at the memory, they can’t add code, they can’t do anything to it—it’s an isolated network they can’t get at.”

Those are very strong words about the business customers that are using the enterprise cloud. I asked the Oracle spokesperson if she could share any data that supports what Ellison was saying—for example, does Oracle consider that 10 percent of customers engage in cybercrime in the way Ellison described, or is it 25 percent, or something higher?—but Oracle did not offer any such facts. Here’s the statement I received from Oracle:

“The point is that bad actors can pose as customers on any public cloud, so from the perspective of an actual customer, a bad actor is a ‘customer.’

“You can have bad actors using cloud instances for distributing unlawful content or performing otherwise forbidden tasks (crypto mining) while paying for their cloud instances with stolen credit cards. You can also deal with sophisticated attackers who will attempt to make use of malicious code and known vulnerabilities in an attempt to break multi-tenant separation (recent highly publicized vulnerabilities come to mind). So…Yes. Bad actors posing as customers in the cloud are potential cyber threats. We prevent bad actors from committing nefarious acts. Bad actors posing as customers are to clouds, what insider threats are to traditional on-premises environments…

“There is nothing stopping operatives from a rogue nation, for instance, from posing as a business of some kind, and opening an account with any public cloud vendor. From that standpoint, they are a customer – but they are also a bad actor who, once set up inside Microsoft or Amazon or Google cloud, to name a few, can start using malicious code to either mess with the infrastructure’s control code or attempt to move sideways to steal data from other (legitimate) customers. 

“From the standpoint of a legitimate customer, using such a less-secure-than-Oracle cloud vendor, that bad actor LOOKS LIKE A CUSTOMER.

“Since public cloud vendors aren’t the FBI or other law enforcement, they can’t be in the business of vetting the legitimacy of customer x or customer y.

“Thus, bad actors posing as ‘customers’ are a potential threat agent that Oracle can protect its other customers from by, among other security measures, isolating control code from software that manages the virtual machines or bare metal servers used by other customers.” (End of Oracle response.)

To be sure, those are all very reasonable thoughts. But Larry Ellison’s a very reasonable guy—so why didn’t he at least allude to a couple of these points during his hour-long keynote?

So Oracle’s just unveiled a sophisticated new “Generation 2 Cloud” to help customers avoid becoming victims of cyber attacks in the cloud, and Oracle’s also warning its good customers to watch out for its bad customers and/or truly bad guys posing as customers.

All in all, more proof that life’s never dull in the Cloud Wars.


SOURCE: Forbes

So long as it receives federal court approval next month, the settlement terms of the class action lawsuit will also provide two years of free credit-monitoring services to U.S.- and Israel-based victims of the hack, which is believed to be the biggest data breach ever to have taken place.

The stolen information included names, email addresses, phone numbers, dates of birth, hashed passwords, as well as security questions and answers.

As if that wasn’t bad enough, Yahoo took three years to disclose details of the data theft, and even then, the true scope of the hack wasn’t properly revealed.

Complicating matters further, the revelation came after Verizon had agreed to buy the web company in a deal worth $4.8 billion. Issues connected with the security breach forced Yahoo to reduce that figure by $350 million.

The settlement reached this week in a federal district court in San Jose, California, covers around a billion accounts held by an estimated 200 million people in the U.S. and Israel from 2012 through 2016.

Verizon has agreed to pay half of the settlement cost, while Altaba — a firm set up to take on the parts of Yahoo not acquired by Verizon — will pay the rest.

Payout for those affected

Should the court approve the deal, affected users can put in claims for some of the $50 million fund.

“The costs can include such things as identity theft, delayed tax refunds or other problems linked to having had personal information pilfered during the Yahoo break-ins,” the AP said in its report.

For example, Yahoo account holders with documented losses can claim for up to 15 hours of lost time, which at $25 an hour would come to $375. Those unable to document losses can put in claims of up to five hours, or $125, for time spent dealing with the fallout of the hack.

In addition, Yahoo account holders who forked out up to $50 a year for a premium email account will be able to claim a 25-percent refund.

Final approval of the proposed settlement will be considered during a session at the Northern District of California on November 29, 2018, and if it goes through, affected account holders will be notified soon after.

SOURCE: Digital Trends

A total of 945 data breaches has led to 4.5 billion data records being compromised worldwide in the first half of 2018, according to Gemalto’s Breach Level Index, a global database of public data breaches.

Compared to the same period in 2017, the number of lost, stolen or compromised records increased by a staggering 133 percent, though the total number of breaches slightly decreased over the same period, signaling an increase in the severity of each incident.

A total of six social media breaches, including the Cambridge Analytica-Facebook incident, accounted for over 56 percent of total records compromised. Of the 945 data breaches, 189 (20 percent of all breaches) had an unknown or unaccounted number of compromised data records.

According to the Breach Level Index, almost 15 billion data records have been exposed since 2013, when the index began benchmarking publicly disclosed data breaches. During the first six months of 2018, more than 25 million records were compromised or exposed every day, or 291 records every second, including medical, credit card and/or financial data or personally identifiable information. This is particularly concerning, since only one percent of the stolen, lost or compromised data records were protected by encryption to render the information useless, a percent-and-a-half drop compared to the first six months of 2017, says Gemalto.

“We also expect to see more data breaches reported by European Union countries bound by the new General Data Protection Regulation and in Australia with the new Notifiable Data Breaches law,” said Jason Hart, VP and CTO of Data Protection, Gemalto.

SOURCE: The Fast Mode

The nation’s second-largest health insurer has agreed to pay the government a record $16 million to settle potential privacy violations in the biggest known healthcare hack in U.S. history, officials said Monday.

The personal information of nearly 79 million people — including names, birthdates, Social Security numbers, and medical IDs — was exposed in the cyber attack, discovered by the company in 2015.

The settlement between Anthem Inc. and the Department of Health and Human Services represents the largest amount collected by the agency in a healthcare data breach, officials said.

“When you have large breaches it erodes people’s confidence in the privacy of their sensitive information, and we believe such a large breach of trust merits a substantial payment,” said Roger Severino, director of the HHS Office for Civil Rights. The office also enforces the federal health care privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act.

Severino said the Anthem settlement is nearly three times larger than the previous record amount paid to the government in a privacy case. That sends a message to the industry that “hackers are out there always and large health care entities, in particular, are targets,” he added.

The Blue Cross-Blue Shield insurer also agreed to a corrective action plan under government monitoring, which involves a process for the company to assess its electronic security risks, take appropriate countermeasures and maintain ongoing surveillance.

Indianapolis-based Anthem covers more than 40 million people and sells individual and employer coverage in key markets like New York and California. The payment is in lieu of civil penalties that HHS may have imposed. Anthem admitted no liability. The civil case involving privacy laws is separate from any other investigation the government may be pursuing.

In a statement Monday, Anthem said it’s not aware of any fraud or identity theft stemming from the breach. The company provided credit monitoring and identity theft insurance to all customers potentially affected.

“Anthem takes the security of its data and the personal information of consumers very seriously,” the statement said. “We have cooperated with (the government) throughout their review and have now reached a mutually acceptable resolution.”

The company discovered the data breach in early 2015, but hackers had been burrowing into its systems for weeks. Security experts said at the time that the size and scope of the attack indicated potential involvement by a foreign government.

Hackers used a common email technique called spear-phishing in which unwitting company insiders are tricked into revealing usernames and passwords. The Anthem attackers gained the credentials of system administrators, allowing them to probe deeply into the insurer’s systems.

HHS said its investigation found that Anthem had failed to deploy adequate measures for countering hackers. The company lacked an enterprisewide risk analysis, had insufficient procedures to monitor activity on its systems, failed to identify and respond to suspected or known security incidents, and did not implement “adequate minimum access controls” to shut down intrusions from as early as February 2014.

SOURCE: The Republic

The U.S. Department of Defense confirmed on Friday that personal information and credit card data of some 30,000 U.S. military and civilian personnel have been compromised in a breach affecting a DoD third-party contractor.

Apparently, no classified information was accessed by the attackers.

What is known about the breach

The Associated Press cited an unnamed U.S. official who says that the breach might end up involving the information of more than 30,000 workers, but that the investigation is still ongoing.

Later, Pentagon spokesman Lt. Col. Joseph Buccino confirmed that they still don’t know the extent of the compromise and who the attackers are.

But, he pointed out that “this was a breach of a single commercial vendor that provided service to a very small percentage of the total population” of DoD personnel.

The breach was recently discovered, but it’s still unknown how long the attacker had access to the information and to the third-party vendor’s systems. DoD leaders were informed about it by a department cyber team on October 4.

Those affected will soon be notified directly by the DoD, and will be provided with fraud protection services, Buccino added.

He also said they won’t be naming the vendor due to security reasons, but that the DoD “has taken steps to have the vendor cease performance under its contracts.” He did not say whether that’s only a temporary cessation.

Poor security

The scope of this breach pales in comparison with the 2014/2015 breach of the US Office of Personnel Management’s (OPM) network when all kinds of sensitive information about current and former US federal government employees (including those in the DoD) was compromised.

The disclosure of this latest breach comes just days after the U.S. Government Accountability Office released a report saying that the DoD is doing an extremely poor job when it comes to securing weapon systems against cyber attackers.

“The testers found embarrassing, elementary screw-ups of the sort that would get a middle school computer lab administrator in trouble, to say nothing of someone safeguarding lethal weapon systems,” the Intercept reported.

SOURCE: Help Net Security