The FBI paid Best Buy Geek Squad employees to act as informants (see 1706010015) in a close relationship dating back at least 10 years, said documents released Tuesday that the Electronic Frontier Foundation obtained through a Freedom of Information Act lawsuit. An FBI memo said the company hosted a bureau cyber working group meeting at its Kentucky repair facility in September 2008 and worked with the agency to flag illegal material on customer computers, which EFF claims violates the Fourth Amendment. The documents detail communications between Best Buy employees and the FBI’s Louisville office over customer material believed to be child pornography and illegal material discovered through manual device searches. Best Buy said in a statement that at least four employees, three of whom no longer work there, received payment for turning over alleged child porn to the FBI. “Any decision to accept payment was in very poor judgment and inconsistent with our training and policies,” said its statement Wednesday, noting the fourth employee was reprimanded and reassigned. The company said Geek Squad repair employees discover what appears to be child porn about 100 times a year inadvertently through recovering lost customer data. “We have a moral and, in more than 20 states, a legal obligation to report these findings to law enforcement,” the retailer said. “We share this policy with our customers in writing before we begin any repair.” The company denies employees received law enforcement training, saying they do only what's “necessary” to solve customer queries. The FBI didn’t comment.
Data from an additional 2.4 million consumers was compromised during Equifax’s 2017 breach, it said Thursday (see 1710020021). About 145 million Americans were reportedly affected by the breach, which involved private data like names, addresses, birth dates, driver's license information and Social Security numbers. Interim CEO Paulino do Rego Barros said the disclosure wasn't about “newly discovered stolen data” but resulted from sifting through previous information, analyzing databases not taken by attackers and “making connections that enabled us to identify additional individuals.” House Commerce Committee Chairman Greg Walden, R-Ore., and House Digital Commerce Subcommittee Chairman Bob Latta, R-Ohio, called the announcement “deeply concerning,” saying it raises further questions about the company’s “total failure.” They requested a briefing with Mandiant, which is investigating the breach. Senate Commerce Committee Chairman John Thune, R-S.D., criticized Equifax for taking a “piecemeal” approach in addressing consumer issues. “The company knew the incident affected nearly the entire population of credit-active consumers in the United States and had every reason to believe this number could grow,” he said.
Industry and government representatives have been “handicapped” in defending global digital infrastructure, and USTelecom and the Information Technology Industry Council “stand ready” to create “new solutions,” their executives wrote Monday. The organizations last week announced the Council to Secure the Digital Economy (CSDE) (see 1802230054). USTelecom CEO Jonathan Spalter and ITI CEO Dean Garfield co-authored an opinion piece in the Morning Consult saying industries most often targeted for cyberattacks are those with the most to lose, including government and critical infrastructure. They said government and industry made “significant advances” in applying security measures in the U.S., Europe and Asia, but there hasn't been adequate strategic and operational coordination across sectors and countries. Garfield and Spalter cited some positive developments, including President Donald Trump’s executive order in 2017 and other executive branch measures on botnets and automated threats.
An Arkansas man was sentenced Friday to 33 months in federal prison for aiding and abetting computer intrusions by developing and selling his NanoCore RAT and Net Seal malware to individuals who then used it to conduct such intrusions as surreptitiously activating webcams, DOJ said. It said U.S. District Judge Liam O'Grady of Alexandria, Virginia, also ordered that Taylor Huddleston, 27, of Hot Springs, serve two years of supervised release after his prison sentence. DOJ said Huddleston pleaded guilty in July.
FCC Commissioner Mike O'Rielly called Tom Wheeler's cybersecurity regulation views unhinged from the law. O'Rielly said he had ignored Wheeler's "musings, despite their inaccuracies and overall misguided perspectives," but felt compelled to call out the former chairman for "gibberish" he had "pontificated" (here) on the commission's lack of action on internet network security. "Wheeler's views reaffirm that he is unwilling to read the law and follow basic principles of statutory construction," O'Rielly blogged Wednesday. He said Wheeler is "abusing" Communications Act Section 1 (which explained the purposes for creating the FCC) by arguing it gives the commission direct "authority over all communications activity, especially cybersecurity." That reading would constitute a "massive" expansion of jurisdiction, giving the FCC "authority over 'communications by wire or radio' ... without bounds," O'Rielly said. He said the plain reading of Section 1 is as a preamble, offering a "policy statement, not actual authority." If the section gave the FCC direct authority, he said, it wouldn't need "ancillary authority" or the rest of the Act. O'Rielly said U.S. Court of Appeals for the D.C. Circuit rulings support his view, including Comcast v. FCC (2010) on net neutrality. While respecting O'Rielly "as a patriot," Wheeler said Thursday the blog post "seems to be in keeping with Donald Trump's refusal to respond to Russia's attack on our system. Networks have always been attack vectors; that a new network has opened up a new means of attack is no surprise. What is surprising is that when our nation is under attack we decide to have law-school quibbles about language instead of stepping up and protecting the nation."
The SEC adopted interpretive guidance to help companies prepare disclosures about cybersecurity risks and incidents, the agency said Wednesday. Chairman Jay Clayton said the guidance highlights federal securities laws' disclosure requirements and the importance of policies and procedures for disclosure controls. He said the aim of the guidance is "clearer and more robust disclosure by companies" about cybersecurity risks, giving investors more complete information. The commission said it's not suggesting companies must make detailed disclosures such as specific technical information about their systems or potential system vulnerabilities, but they should disclose incidents and risks material to investors, including financial, legal or reputational consequences. The agency said companies might need to disclose previous or ongoing incidents to put risk discussions in context.
Companies are increasingly relying on artificial intelligence and automated security systems, as the majority of cybersecurity attacks result in more than $500,000 in damages, Cisco reported Wednesday. Cisco surveyed 3,600 chief information security officers, and found more than half reported cybersecurity attacks that cost organizations more than $500,000 in damages. Thirty-nine percent of respondents rely on automation, 34 percent on machine learning, and 32 percent are “highly reliant” on AI. The extent of system breaches expanded, with respondents claiming 32 percent of breaches affected more than half their systems. That compares with 15 percent reported for 2016.
Many web hosting companies that cater to small businesses don't offer proper access to email authentication and anti-phishing technologies, putting small businesses at risk of facilitating phishing, FTC staff reported. Staff surveyed 11 web-hosting companies. Two used domain-based message authentication, a technology that lets receiving mail servers reject phony emails whose domain authentication fails, and three provided a way to configure it. Small businesses should “pay close attention to the security features offered by web hosts so that they can choose a host that will protect their websites and email accounts with SSL/TLS and email authentication technologies,” staff said. The agency didn't identify the companies.
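The staff report turns on whether a domain's host publishes the DNS records that make email authentication work. The script below is an added example, not code from the FTC report or from any hosting provider: it reads a domain's SPF record and its `_dmarc` record, parses the DMARC tags, and reports whether the policy actually tells receivers to reject or quarantine forged mail or merely monitors it. The `SAMPLE_TXT` table and the `.example` domain names are constructed for illustration; `sample_lookup` stands in for a real DNS TXT query.

```python
"""Assess a domain's email-authentication posture from its DNS TXT records.

Added example, not part of the FTC staff report or any hosting provider's
tooling. It answers the question the report raises: does a domain publish
SPF and DMARC, and does the DMARC policy actually enforce anything? The
records below are constructed for illustration; in practice `lookup` would
query DNS for the TXT records of `<domain>` and `_dmarc.<domain>`.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample TXT records, keyed by DNS name (no real domains or hosts).
SAMPLE_TXT: Dict[str, List[str]] = {
    "protected.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.protected.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@protected.example; adkim=s; aspf=s"
    ],
    "monitor.example": ["v=spf1 a mx ~all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    "bare.example": ["site-verification=abc123"],  # hosting token only, no SPF/DMARC
}


def sample_lookup(name: str) -> List[str]:
    """Stand-in for a DNS TXT query, answered from the constructed table."""
    return SAMPLE_TXT.get(name, [])


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' record (DMARC syntax) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def first_with_prefix(txts: List[str], prefix: str) -> Optional[str]:
    """Return the first TXT string starting with prefix (case-insensitive)."""
    for txt in txts:
        if txt.strip().lower().startswith(prefix):
            return txt.strip()
    return None


@dataclass
class AuthPosture:
    domain: str
    spf: Optional[str]
    dmarc_policy: Optional[str]   # "none", "quarantine", "reject" or None
    dmarc_reporting: bool         # rua= present, so the owner sees abuse reports
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only if SPF exists and DMARC tells receivers to act on failures."""
        return self.spf is not None and self.dmarc_policy in ("quarantine", "reject")


def assess(domain: str, lookup: Callable[[str], List[str]] = sample_lookup) -> AuthPosture:
    """Collect SPF/DMARC records for a domain and list posture weaknesses."""
    findings: List[str] = []

    spf = first_with_prefix(lookup(domain), "v=spf1")
    if spf is None:
        findings.append("no SPF record: receivers cannot check which hosts may send")
    else:
        last = spf.split()[-1].lower()
        if last in ("+all", "all"):
            findings.append("SPF ends in +all: every host is authorized to send")
        elif last == "~all":
            findings.append("SPF softfail (~all): forged mail is flagged, not rejected")

    policy: Optional[str] = None
    reporting = False
    dmarc = first_with_prefix(lookup("_dmarc." + domain), "v=dmarc1")
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are never tied to the From: domain")
    else:
        tags = parse_tags(dmarc)
        policy = tags.get("p", "").lower() or None
        reporting = "rua" in tags
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, forged mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC record lacks a valid p= tag")
        if not reporting:
            findings.append("no rua= tag: the owner receives no aggregate abuse reports")

    return AuthPosture(domain, spf, policy, reporting, findings)


if __name__ == "__main__":
    for name in ("protected.example", "monitor.example", "bare.example"):
        posture = assess(name)
        print(f"{name}: enforcing={posture.enforcing} policy={posture.dmarc_policy}")
        for finding in posture.findings:
            print("  -", finding)
```

Run against the constructed table, `protected.example` comes back clean and enforcing, `monitor.example` publishes records but only monitors (SPF softfail plus `p=none`), and `bare.example` has nothing a receiver can use. The same distinction is what separates a host that merely "provides a way for configuring" DMARC from one whose customers are actually protected: a record with `p=none` is a reporting hook, not a phishing control.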
U.S.-based web application attacks increased 31 percent in Q4 from the year-ago quarter, and perpetrators continue to focus on industries with high-value data, Akamai reported Tuesday. The report showed the retail industry was the hardest hit by web application threats, with 38 percent of attacks. Media and entertainment had 18 percent, technology 11 percent and the public sector 4.4 percent. Senior Editor Martin McKeay said attackers increasingly seek more direct ways for financial gain, such as ransomware. Worldwide web application attacks increased 10 percent, with a 10 percent increase in SQLi attacks globally. “Of the 17 billion login requests tracked through the Akamai platform in November and December, almost half (43 percent) were used for credential abuse,” the report said.
DOJ established a Cyber-Digital Task Force to focus on “detecting, deterring and disrupting malicious cyber activity.” According to a memo from Attorney General Jeff Sessions, it will be chaired by a senior department official appointed by the deputy AG. It would deliver an initial report on the department’s current cyber-related activities and a series of recommendations by June 30.