BayPay Forum

Eight Capabilities IT Pros Should Look for in a CASB

Details
Category: Security News
31 December 1969


Debating Hillary's Email Server: The Missing Element

Details
Category: Security News
31 December 1969

Missing from the analysis and debate regarding the U.S. government's decision not to prosecute presumptive Democratic Party presidential candidate Hillary Clinton for using a private email server while secretary of state is this simple fact: Secure IT systems aren't tailored to function the way people behave.

Rightly or wrongly, Clinton wanted to combine her work and personal emails into a single system, an unsecured one she controlled and situated in her Chappaqua, N.Y., home. Clinton isn't alone. Many of us combine work and personal emails, especially in an era of mobile computing. But many systems, such as the highly secure one run by the State Department, aren't designed to allow such functionality.

Image: Eugene Spafford

"There's been a huge amount of finger pointing and angst and complaining whether the rules were followed or whether they weren't, about pointing out other individuals in previous administrations who have done the same or worse with less consequence," Purdue University Computer Science Professor Eugene Spafford says in an interview with Information Security Media Group.

"But I haven't heard anyone talk about going back and looking at what are the fundamental reasons these things happen and giving some thought to at least asking if the rules are appropriate, if the procurement and email support for high-level officials is appropriate and how we should be doing all of this better to avoid these kinds of problems in the future," Spafford says. "I think this is more politically driven than it's functionally driven because if it were functionally driven, people would say, 'What are the root causes, and how do we fix them?' rather than trying to assign blame."

In my conversation with Spafford, he explains why:

  • Technologists should build secure systems that facilitate the way people function on the job;
  • Many military leaders circumvent rules to get the job done in the battlefield;
  • He turned down an assignment with the federal government because of an antiquated email system he would have had to use that would have interfered with the way he could do his job.

Recognized as one of the nation's leading authorities on cybersecurity, Spafford was named to the Cybersecurity Hall of Fame in 2013. His current research interests focus on issues of computer and network security, cybercrime and ethics, technology policy and social impact of computing. He is the founder and executive director of the Center for Education and Research in Information Assurance and Security, which draws on expertise and research across many of the academic disciplines at Purdue.

Let us know what you think. Leave a comment below.


Ashley Madison Seeks Security Reboot

Details
Category: Security News
31 December 1969

Breach Response, Data Breach, Data Loss

The World's Biggest Metaphor for Online Security Stupidity Lives On
Mathew J. Schwartz (euroinfosec) • July 7, 2016

Image: The new face of Ashley Madison (from left): Avid Life Media's Rob Segal, CEO, and James Millership, president.

The company behind infidelity-focused online dating website Ashley Madison - tagline: "Life is short, have an affair" - has revealed that it's facing an investigation by the U.S. Federal Trade Commission, nearly one year after hackers dumped personal information on millions of its members (see Hacktivism: An Affair to Remember).

Avid Life Media CEO Rob Segal and president James Millership - both of whom were hired in April, and are now seeking to reboot the company and its brands - confirmed the FTC investigation to Reuters, although they said they don't know precisely what the federal agency is probing.

Here's a guess: Given that the FTC can investigate deceptive advertising practices - including sites that claim to secure data but then fail to do so - one likely focus of the probe would be on the site's failure to safeguard data, including poor historical password security. Indeed, the hacker or hackers - calling themselves the Impact Team - that breached Ashley Madison dumped nearly 10 gigabytes of data, exposing internal emails as well as millions of user profiles tied to more than 30 million unique email addresses registered with the site. The attackers threatened to dump even more data unless the site closed down.

Second guess: Ashley Madison offered a "paid delete" service that claimed to expunge members' details from its systems after they quit the site. But the Impact Team claimed that it had recovered full details for these paid-delete users after it hacked into the site.

Third guess: The FTC will probe the company's use of so-called fembots, which are fake scripts designed to mimic real-life users. Impact Team, for example, claimed that Ashley Madison "is a scam with thousands of fake female profiles. ... 90-95 percent of actual users are male." But it's not clear if the hackers' assessment was based on details contained in the data dump, or rather a 2013 lawsuit filed by a former Avid Life Media employee based in Toronto - a Brazilian by birth - who said she'd been told to create 1,000 "fake female profiles" for a Portuguese version of the site.

Secret Fembot Confessions

In a July 4 statement from Toronto-based Avid Life Media's new executives, Millership confirmed that the company employed fembots until 2014 for its U.S. and Canadian sites, and until 2015 for sites aimed at other countries.

The fembot usage occurred while Noel Biderman was CEO of Avid Life Media; he left in August 2015 (see Top 10 Data Breach Influencers).

The new leadership team is already attempting to spin this past business practice. "My understanding is that bots are widespread in the industry," Millership says.

Heavy Legal Action

Beyond the FTC probe, the company also still faces a host of class-action lawsuits filed on behalf of both U.S. and Canadian users whose personal details got dumped, as well as relating to its fembot use.

But the executives claim to Reuters that the ratio of real-live male to female users on the site is now five to one.

They've also apologized for the criminal hack in 2015. "The company is truly sorry for how people's lives and relationships may have been affected by the criminal theft of personal information," Segal says in a statement.

Indeed, in the wake of the data breach, users reported a surge in related spam and extortion attempts, to say nothing of the potential boost it provided for divorce lawyers.

Desperately Seeking Reboot

The FTC's probe and class-action lawsuits notwithstanding, the new executives appear to be bullish on future opportunities, saying they're looking for new acquisitions and business partnerships.

The company has also hired Deloitte to overhaul its cybersecurity program and provide full-time monitoring of networks and systems. "Avid Life Media has been investing even more heavily in security enhancements and privacy safeguards to deal with evolving cyber threats over the past year, and that will continue," Segal says.

The company has also promised to offer "new, secure and discreet payment options." Next stop, bitcoins?

Once Bitten, Not Twice Shy

Despite having billed itself as "the world's leading married dating service for discrete encounters" and then failing to provide the promised discretion, Ashley Madison's potential survival shouldn't be underestimated.

For starters, many of the site's users didn't appear to be security-savvy, at least based on the fact that so many used email addresses that lead directly back to them after they were leaked, as well as weak passwords (see We're So Stupid About Passwords: Ashley Madison Edition).

Furthermore, the breach publicity may have done Avid Life Media some marketing favors, according to Mikko Hypponen, chief research officer of security firm F-Secure, citing information from information security and password expert Per Thorsheim.

«Ashley Madison has added 5 million users since they were hacked. WTF» - Per Thorsheim (@thorsheim) at #nordicitsec. pic.twitter.com/8FQhoUhSks

November 3, 2015

Indeed, by November 2015 - just four months after its data began getting dumped - Avid claimed to have added 5 million new Ashley Madison subscribers.

As cybersecurity expert Alan Woodward, a computer science professor at the University of Surrey, joked at the time: "Maybe Oscar Wilde was correct when he said there was only one thing worse than being talked about: not being talked about."


Mac Malware: Still No Need to Panic

Details
Category: Security News
31 December 1969

Anti-Malware, Technology

Eleanor and Keydnap Infections Most Likely Scant
Jeremy Kirk (jeremy_kirk) • July 7, 2016

Security vendors are warning of two new types of malware for Apple computers that could have serious security impacts if inadvertently installed, but users who've kept Apple's default security configurations should be safe.


Even relatively mundane Mac malware tends to get attention since Apple computers are rarely targeted, compared to the daily onslaught of Windows malware. For many hackers, compromising computers is simply a numbers game, and Windows malware usually provides more result for the effort.

Enter Eleanor

Even so, multiple security firms - including Bitdefender, ESET and Malwarebytes - have begun sounding warnings over a new OS X backdoor dubbed Eleanor. ESET says the malware was seeded inside a fake software program, EasyDoc Converter, which purports to be a file-conversion application.

It's only the second piece of Mac malware to be found thus far this year, Thomas Reed of Malwarebytes writes in a blog post. The first was KeRanger, which is believed to be the first ransomware program to target Apple (see Alert: Ransomware Targets Macs).

Once on a Mac, Eleanor fires up a local web server. It also assigns each infected machine to a hidden Tor website. The attacker then can browse and control the infected computer through a web-based control panel. Hidden websites, signified by the ".onion" domain, offer more anonymity and are harder to trace to a specific hosting provider.

With Eleanor implanted, an attacker essentially has full control of the machine and can execute commands, turn on the webcam and send emails.

Eleanor does not have a digital certificate signed by Apple, which is good. That means if users have Apple's Gatekeeper set to only allow the installation of applications from the Mac App Store and identified developers - the default setting in OS X - it would be blocked.

Although security researchers have shown Gatekeeper can be fooled, it generally will block applications lacking a digital signature or ones that haven't been approved by Apple if it is configured to only allow downloads from the Mac App Store.

"In all, although this is a nasty bit of malware, the good news is that it's awfully easy to remove," writes Reed of Malwarebytes. "Further, the fact that it was disguised as a file converter meant to convert two relatively obscure file formats, coupled with the lack of any code signature, means that its distribution was probably fairly limited."

EasyDoc Converter was hosted on MacUpdate, a marketplace for Mac-compatible applications. EasyDoc Converter had user ratings that date back two years, Reed writes, but the malware only went live in April.

"I suspect that the real EasyDoc Converter may have been abandoned by its developer and somehow obtained by malware authors," he writes.

Keydnap Targets Keychain

Eleanor's appearance was quickly followed up by the third piece of Mac malware to appear so far this year. ESET calls it Keydnap, and it targets the Mac keychain, which is a very sensitive application.

That's because the keychain serves as a Mac's password manager, storing everything from router passwords to application and VPN passwords. It appears that Keydnap borrows proof-of-concept code published on GitHub, according to ESET malware researcher Marc-Etienne M. Léveillé. That code, written in October 2011 by Juuso Salonen, looks for master keys for the keychain in order to decrypt files.

Keydnap also seems to rely on social engineering. "When two new processes are created within two seconds, Keydnap will spawn a window asking for the user's credentials, exactly like the one OS X users usually see when an application requires admin privileges," Léveillé writes. "If the victim falls for this and enters their credentials, the backdoor will henceforth run as root, and the content of the victim's keychain will be exfiltrated."

The malware also uses Tor hidden services to communicate with its command-and-control server. ESET writes Keydnap may be distributed through spam messages or offered as a download on untrusted websites. The company is unsure how many people may have been infected. Keydnap does not have a digital certificate, so Gatekeeper will stop it.

Apple Products Increasingly Targeted

While Mac users are targeted less by malware than Windows users, Mac aficionados should remain vigilant. For years, Apple portrayed its OS as being immune from the problems Windows users experienced. But as a 2015 study from Carbon Black showed, hackers are increasingly writing malware for Macs: Five times more malware was found in 2015 than in the previous five years combined.

But it's important not to panic. Even a fivefold rise in the quantity of Mac malware represents, well, only a relatively small number of malicious applications. And security experts say both pieces of malware are easy to remove, provided they're detected.

Accordingly, it's not a bad idea to run anti-virus software, which can nix most Mac malware. AV-Test, an independent security software evaluator, just published a report covering 12 anti-virus suites for Macs, four of which are free downloads.


Anti-Virus Wars: Sophos vs. Cylance

Details
Category: Security News
31 December 1969

Anti-Malware, Endpoint Security, Technology

Sophos Says Product Duel Was Rigged; Cylance Says No
Jeremy Kirk (jeremy_kirk) • July 6, 2016

The market for endpoint protection products is a very large pie: Market researcher IDC estimates the consumer and enterprise market is worth just over $9 billion, combined, and will grow around 3.9 percent annually over the next three years. It's always been a fiercely competitive market, and vendors compete in no-holds-barred matches for customers.

The latest conflict has erupted between Sophos and Cylance, two fairly well-known vendors. Both companies turned down repeated interview requests from Information Security Media Group for more details about their dispute, which unfortunately makes either side's position impossible to verify. But even so, the standoff shows how vendor competitiveness can quickly turn ugly.

In a blog post on June 29, Dan Schiappa, senior vice president at Sophos, accused Cylance of purposely hobbling Sophos' product during a one-on-one malware duel at a recent security event in Las Vegas.

Cylance does a road show called The Unbelievable Tour where it demos its product, which doesn't use traditional anti-virus signatures. Instead, Cylance's Protect product uses an algorithm to detect abnormal activity. Cylance is one of a range of vendors, including SentinelOne, that use this approach, which they claim offers better protection against malware.

Default Dispute

Schiappa writes that a customer from Chicago asked to see the default settings for Sophos' product during the test.

"On reviewing the settings, the customer discovered that key (and default) protection settings had been disabled," Schiappa writes. "When the customer insisted that Cylance enable the proper default configuration and re-run the test, Sophos beat Cylance."

Sophos also ran a test again after acquiring Cylance's product from a reseller, Schiappa writes. Sophos didn't cherry pick malware samples or alter the default, vendor-recommended settings. The video was then posted on YouTube, he writes.

Schiappa then alleges that Cylance contacted the reseller who provided the company's software to Sophos and threatened retribution if the video was not withdrawn. Sophos caved and removed the video.

"Again, to be very clear: the only reason we elected to take the video down was because the reseller was concerned about threats and pressure from Cylance, not because we believed the video was somehow inaccurate," Schiappa writes.

Sophos' version of events couldn't be verified with Cylance. But the company briefly responded to Sophos in a blog post of its own on June 30 dismissively titled "Sophos, So Far."

"This conversation has gone on long enough and wastes everyone's time," writes Ryan Permeh, Cylance's chief scientist and founder. "We strongly urge customers to test any solutions on their own systems and networks. It is the only truly independent and 'real world' metric that ever matters."

Testing is Tough

Anti-virus software testing has always been contentious. Vendors have often taken to task independent testing organizations such as AV-Test.org and AV-Comparatives.org, quibbling over malware samples used in tests and questioning methodologies, especially when products fare poorly.

Independent testers have a tough task, particularly as security products have evolved to incorporate more behavioral analysis as well as signature-based approaches. When it comes down to it, vendors are unlikely to promote any test result that isn't favorable.

Vendors also won't publish unbiased tests, says Simon Edwards, founder of the independent security software testing company SE Labs, which is based in London. Rather than unverified demonstrations, third-party tests are the important ones since the results are the unvarnished truth.

"This is a commercial reality, and they [vendors] will always claim to be the best, or one of the best, even if the technical truth is different," Edwards says. "No one test is perfect, but look at a combination of tests from different sources to judge the merits of a product."

'Truly Unbelievable'?

Edwards says Sophos makes a good point in its blog post that Cylance has not participated as widely in independent tests as other vendors.

"[Cylance's] own tests, embodied in its Unbelievable Tour, were truly unbelievable and literally incredible, in as much as they were not credible," Edwards says. "It was a clever marketing idea that achieved good press coverage, but now it's time for the company to expose itself to the same scrutiny that its competitors have had to face for many years - serious, independent and ethical testing."

From a marketing standpoint, meanwhile, this isn't the first case of vendors - and especially newer players - in the IT security market employing guerilla-marketing tactics, and claiming that their technology is superior solely via tests they've conducted on their own, says Andreas Clementi, chairman of AV-Comparatives.

But such claims don't always stand up to third-party scrutiny. For example, AV-Comparatives published a report in February detailing the results of its tests pitting Cylance's Protect product against Symantec's Endpoint Protection. The testing organization had trouble obtaining Cylance's product, as two resellers refused to license it to AV-Comparatives, according to the report. It eventually obtained access to the software through a third party.

The results? Symantec's Endpoint Protection fared far better than Cylance Protect, according to the AV-Comparatives report. It found that Symantec stopped 100 percent of in-the-wild malware and 92 percent of exploits, compared to 92 percent and 63 percent for Cylance.

What Goes Around?

Back to the Sophos versus Cylance spat: Just six days before Sophos went public with its gripe, Cylance published a blog post alleging that it was the victim of another anti-virus vendor meddling with its product before a test.

An unnamed "legacy AV vendor," which Cylance says sees hundreds of millions of dollars in annual revenue, produced a video of a product comparison in cooperation with a partner. Cylance says its product had been obtained by a "rogue employee" of the partner, who then disabled key features before testing.

"It's not surprising that this legacy AV vendor would resort to dirty tactics and essentially use a partner to wage a proxy war," Cylance writes. "The vendor was caught with their hand in the cookie jar and [is] now attempting to spin the matter into something else entirely."

Details of that situation couldn't be verified with Cylance, which didn't make executives available for interviews.
