If there’s anything more ironic than security software destroying one’s security, I am at a loss to offer examples.
Earlier this week Tavis Ormandy, a security researcher at Google, discovered critical vulnerabilities in the entire suite of Symantec antivirus software. The aging giant’s 17 enterprise products and eight Norton consumer and small business products all contained severe flaws. They are so severe that, taken together, a hacker could exploit them to hijack a customer’s machine—or worse, “easily compromise an entire enterprise fleet,” as he wrote. That bad, yes.
Worse still, Ormandy noted that the vulnerabilities were “wormable”—meaning self-replicable. An attacker could fully take control of computers just by sending an email or link, without requiring any victim to open or click it. The infections spread like a toxic miasma. (Good luck holding your breath.)
If you think this news reflects poorly on Symantec (it does), you’re missing the bigger point. Ormandy, a Boba Fett-level computer bug bounty hunter, has uncovered vulnerabilities of all shapes and sizes in software sold by cybersecurity companies ranging from FireEye to Kaspersky to McAfee to Trend Micro. Rather, what Ormandy’s findings show is this: a flagrant disregard on the part of security vendors for securing their own code.
Perhaps that’s unfair. These companies do try to lock down their software, no doubt. Their livelihoods are predicated on the notion of selling security, after all. Yet when something goes this wrong, it’s worth taking a long hard look in the mirror and initiating a thorough code review.
Blast shields should not explode in your face.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Update your Symantec antivirus software. A Google security researcher discovered critical vulnerabilities in Symantec and Norton antivirus products. The flaws allow a hacker to take over a person’s machine simply by sending an email, which the victim need not even open. (Fortune)
Google and Facebook fight face-scanning law. Class action lawsuits against Facebook and Google are underway that claim the tech giants bucked biometrics laws by scanning people’s faces in photos without consent. The companies have been lobbying and filing legal arguments to justify their activities. (Fortune)
Cisco buys cloud security startup. The networking giant is purchasing CloudLock, an API-based cloud security startup, for $293 million. Cisco said it expects the deal to close in its first fiscal quarter, sometime between August and October. (Fortune)
Citi Ventures helped mint a cyber-unicorn. In June, the antivirus software startup Cylance raised $100 million, ushering the firm into the billion-dollar private valuation club. Citi Ventures, the venture capital arm of Citigroup, also participated in the round. (Fortune)
Banks roll out eye-scanning tech. As many as 30 banks are introducing eye-scanning technology into their apps. The image recognition software will authenticate people based on the patterns of blood vessels in their eyes. (Fortune)
Intel might sell security unit. The chip giant is exploring a sale of Intel Security, the division it picked up six years ago for $7.9 billion. Originally named McAfee after John McAfee, the company changed it (Fortune)
By the way, you’re probably implementing two-factor authentication incorrectly.
Fortune’s Roger Parloff reports on spy tech that reads your mind.
On any given morning at a big national bank or a Silicon Valley software giant or a government agency, a security official could start her day by asking a software program for a report on her organization’s staff. “Okay, as of last night, who were the people who were most disgruntled?” she could ask. “Show me the top 10.”
She would have that capability, says Eric Shaw, a psychologist and longtime consultant to the intelligence community, if she used a software tool he developed for Stroz Friedberg, a cybersecurity firm. The software combs through an organization’s emails and text messages—millions a day, the company says—looking for high usage of words and phrases that language psychologists associate with certain mental states and personality profiles. Ask for a list of staffers who score high for discontent, Shaw says, “and you could look at their names. Or you could look at the top emails themselves.” Read the rest on Fortune.com.
The Pending EU-U.S. Data Pact Is Great News, Unless You’re British by Jeff John Roberts
What Mark Zuckerberg’s Password Hack Says About Cybersecurity by Brett McDowell
Hillary Clinton Aide Huma Abedin Defends Private E-mail Server by The Associated Press
Cybersecurity Tools That Protect Companies From Their Own Employees by Robert Hackett
IBM Is Pushing a Blockchain Business Model But Will It Work? by Jeff John Roberts
Google CEO Sundar Pichai Hacked By Zuckerberg’s Hackers by Don Reisinger
Hack/secure Plans to Jumpstart 100 Cyber Firms in 3 Years by Robert Hackett
Edward Snowden Denounces Russia’s New “Big Brother” Surveillance Bill by David Z. Morris
ONE MORE THING
There’s no such thing as a free lunch. The “free Wi-Fi” kiosks in New York City that are backed by Sidewalk Labs, a division of Google’s parent company Alphabet, come equipped with sensors and cameras. These data collection outposts have the ability to film pedestrians, although the cameras have not (yet) been turned on. (Fortune)