Companies are now required to use an international standard for “testing the effectiveness” of device data encryption, the National Institute of Standards and Technology said Tuesday. NIST updated its federal information processing standard, recognizing international standard ISO-19790. The international standard should “streamline” the process for bringing devices to market “because it reduces redundancy for companies trying to sell products internationally,” the agency said. It wanted to minimize the timeline because there’s “a limited time window before a product becomes obsolete,” NIST computer scientist Mike Cooper said.
The Senate Security Subcommittee plans a hearing on IoT cybersecurity at 2:30 p.m. April 30 in 562 Dirksen. Witnesses: CTA Vice President-Technology and Standards Michael Bergman, Chamber of Commerce Vice President-Cybersecurity Policy Matthew Eggers, Rapid7 Public Policy Director Harley Geiger, USTelecom Senior Vice President-Cybersecurity Robert Mayer and National Institute of Standards and Technology Information Technology Laboratory Director Charles Romine. The hearing will touch on 5G network security for connected devices and “the manner in which the federal government, businesses community, and consumers can promote and support increased IoT cybersecurity.”
Some Microsoft Outlook users potentially had their email accounts hacked between Jan. 1 and March 28, a Microsoft spokesperson confirmed Tuesday. The company didn’t specify how many accounts. “Bad actors could have had unauthorized access to the content of their email accounts,” the spokesperson said, but most of those affected weren’t at risk of having their email content accessed. About 6 percent of the original subset of users could be at risk, the company said: “We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access.” The company also increased “detection and monitoring” for impacted accounts “out of an abundance of caution.”
Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., reintroduced a bill Monday authorizing a Department of Homeland Security grant program for states developing “cyber resiliency measures.” Introduced in the House by Reps. Derek Kilmer, D-Wash., and Michael McCaul, R-Texas, the State Cyber Resiliency Act would deliver grants based on funding allocations determined by the DHS. Warner and Gardner cited a 2018 Deloitte-National Association survey showing that “most states” allocate “between zero and three percent of their overall IT budget for cybersecurity purposes.”
A third-party app exposed more than 540 million Facebook user records for an unknown period, including comments, likes, reactions, account names and user IDs, UpGuard Cyber Risk reported Wednesday. The security firm linked the breach to Mexico-based media company Cultura Colectiva. Another app, At the Pool, exposed plain-text Facebook passwords for 22,000 users, UpGuard said. The two data sets were stored in separate Amazon S3 buckets that had been configured to allow public downloads. “The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control,” the report said, arguing millions of app developers are responsible for securing the information. Facebook policy prohibits storing information in public databases, a spokesperson said: “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data.”
Noting cybercrimes are expected to cost $6 trillion annually by 2021, USTelecom released its cybersecurity policy guide Wednesday. The group’s commitment is to “take cyberthreats seriously,” it said. “We are working across different industries and with government partners (at home and abroad) to bolster our defenses and institute smart cybersecurity policy to protect consumers and businesses.”
The Supreme Court denied an appeal from Amazon-owned online retailer Zappos, allowing a class-action lawsuit about a breach that exposed some 24 million customers’ personal data to proceed. Some 20 Zappos customers claimed data misuse due to the 2012 breach. Industry groups argued those customers can’t prove actual harm or “substantial risk.” Zappos attempted to appeal a 9th Circuit U.S. Court of Appeals decision stating the lawsuit should proceed because the customers faced substantial risks of identity theft and fraud. Amazon didn’t comment.
Potentially hundreds of millions of Facebook users’ passwords were exposed in plain text to employees, the company announced Thursday. The passwords, exposed on internal data storage systems, weren’t visible externally, there’s no evidence of abuse, and the issue was corrected, wrote Vice President-Engineering, Security and Privacy Pedro Canahuati. The company plans to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” who were potentially affected. The platform discovered the issue during a routine security review in January. “This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” Canahuati wrote.
U.S. antitrust authorities won't oppose Juniper Networks buying wireless cloud company Mist Systems, said an FTC early termination notice dated Monday and released Tuesday. That ends the $405 million deal's Hart-Scott-Rodino waiting period.
A bipartisan, bicameral group of lawmakers reintroduced legislation Monday to require U.S. government devices to meet minimum security requirements. The Internet of Things Cybersecurity Improvement Act was introduced by Sens. Mark Warner, D-Va.; Cory Gardner, R-Colo.; Maggie Hassan, D-N.H.; and Steve Daines, R-Mont., along with Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas. The National Institute of Standards and Technology would issue recommendations for “secure development, identity management, patching, and configuration management for IoT devices.” The bill has support from BSA|The Software Alliance, CTIA, Mozilla and Symantec.