The Senate Consumer Protection Subcommittee plans a Feb. 6 hearing on the Uber data breach affecting 57 million accounts, the “overall value” of cybersecurity “bug bounty” programs and other approaches to identifying vulnerabilities. Uber disclosed its data breach in 2017 after concealing it for a year (see 1711270047). The hearing will examine “lessons learned” from the breach and “allegations of impermissible payments” by Uber aimed at concealing the incident, the Senate Commerce Committee said Tuesday. Uber Chief Information Security Officer John Flynn, HackerOne CEO Marten Mickos and Luta Security CEO Katie Moussouris are to testify. The hearing will begin at 2:45 p.m. in 253 Russell.
Data privacy concerns are slowing sales cycles for up to 65 percent for businesses globally, with an average estimated delay of 7.8 weeks, Cisco reported. Enforcement of EU’s general data protection regulation to begin in May might be a factor, the study said, noting customers are increasingly concerned products and services they buy provide appropriate privacy protections. GDPR provisions apply to any company that processes, stores or uses this data. Also Thursday, the Identity Theft Resource Center and CyberScout reported U.S. data breaches in 2016 hit a record high of 1,093, a 40 percent gain over 2015. That could be partially attributed to better data breach notification reporting by states, said CEO Eva Velasquez.
House Commerce Committee Republicans want an explanation of the “information embargo” Amazon, AMD, Apple, Arm, Google, Intel and Microsoft invoked regarding Meltdown and Spectre vulnerabilities (see 1801050050), said a letter sent Wednesday to company CEOs. “While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy,” the lawmakers wrote, “cybersecurity is a collective responsibility.” House Commerce Chairman Greg Walden, R-Ore., signed the letter along with the subcommittee chairmen of Oversight, Gregg Harper, R-Miss.; Communications, Marsha Blackburn, R-Tenn.; and Digital Commerce, Bob Latta, R-Ohio. “This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general,” the letter said. Arm “received the committee's letter and will respond accordingly to address their questions within the time frame they have outlined,” a spokesman said. Intel plans to attend an in-person briefing with the committee on the cyber vulnerabilities and welcomes "the opportunity to continue our dialogue with Congress on these important issues," a spokeswoman said. The other companies didn't comment.
Technology companies “are directly addressing our concerns” about terrorism activities occurring on social media networks, Department of Homeland Security Kirstjen Nielsen told a Senate Judiciary Committee oversight hearing Tuesday in prepared testimony. “While the internet itself is not the source of the problem, it is abused to promote radicalization, recruitment to violence, and to raise funds for terrorist organizations.” She's seen progress in talks with tech companies, including Facebook, Google, Twitter and YouTube, to develop ways to make “platforms less hospitable to terrorists.” Sen. Orrin Hatch, R-Utah, pushed Nielsen on how DHS would continue its work on public-private cybersecurity collaboration, specifically the agency’s lead role in combating the Wannacry attacks, which the White House in December publicly blamed North Korea for fomenting (see 1712190043). Nielsen’s hearing, which only tangentially touched on cyber and tech platform issues, came a day ahead of a scheduled Wednesday Senate Commerce Committee hearing (see 1801090069) on “#IsBigTechDoingEnough?” to “combat the spread of extremist propaganda over the Internet.” Clint Watts, fellow, Foreign Policy Research Institute, was added to the witness list.
Intel CEO Brian Krzanich thanked the Google Project Zero team in an open letter Thursday for “creating the opportunity for the industry to address these new issues in a coordinated fashion,” referring to chip-based security vulnerabilities revealed last week that were initially largely attributed to Intel (see 1801030053). Jann Horn, of the Google Project Zero team, blogged last week that the team had reported the issue to Intel, AMD and ARM in June, saying: “We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.” Variants of the issue are “known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01,” Horn said. Intel said last week the software analysis methods -- which, when used for malicious purposes, have the potential to “improperly gather sensitive data from computing devices” -- were not unique to Intel. “Based on the analysis to date, many types of computing devices -- with many different vendors’ processors and operating systems -- are susceptible to these exploits,” it said, adding it was working with AMD, ARM and other operating system vendors on an industry-wide approach to resolve the issue. In his Thursday letter, Krzanich thanked Google Project Zero “for practicing responsible disclosure, creating the opportunity for the industry to address these new issues in a coordinated fashion.” Krzanich outlined Intel’s pledge for “customer-first urgency,” saying that by Jan. 15 it will have issued updates for “at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January.” Updates for older products will be handled by priority set by customers, he said. Krzanich also promised “transparent and timely communications” and “ongoing security assistance.” To accelerate security across the industry, Krzanich committed Intel will “publicly identify significant security vulnerabilities following rules of responsible disclosure and, further, we commit to working with the industry to share hardware innovations that will accelerate industry-level progress in dealing with side-channel attacks.” Intel will add funding for academic and independent research into potential security threats, he said. Google further detailed in an update Thursday how it protected Google Cloud products against "speculative execution vulnerabilities," and ensured Google Cloud customers saw minimal impact to performance.
The FTC would be charged with creating a new cybersecurity office to track credit monitoring agencies in legislation introduced Wednesday by Sens. Elizabeth Warren, D-Mass., and Mark Warner, D-Va. It would impose penalties for breaches of consumer data beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information compromised and another $50 for each additional instance. “Under this legislation, Equifax would have had to pay at least a $1.5 billion penalty for their failure to protect Americans’ personal information,” Warren blogged in a Medium post. The Equifax breach “highlighted that credit reporting agencies like Equifax hold vast amounts of data on millions of Americans but lack adequate safeguards against hackers,” Warren said. Consumers Union welcomed the bill.
Luxul, a pro-grade IP networking company for the custom channel, announced KRACK firmware updates are available for its wireless routers and access points. KRACK is a weakness in the WPA2 system that secures the Wi-Fi connection between a router and computer, Luxul said. KRACK lets attackers eavesdrop on unencrypted traffic "or slip malware into otherwise legitimate websites when the WPA2 system breaks down," Luxul said. For an attack to happen, an attacker would have to "physically be within Wi-Fi range to carry it out,” said the company. Although "nearly every device that uses Wi-Fi is vulnerable, an attack would require a lot of preparation and be targeted very specifically," it said. That reduces the risk of an average person being affected, said the company, which began working on the fix in October when the vulnerability was exposed.
The Commerce and Homeland Security departments released a draft report noting botnet mitigation efforts and cybersecurity hurdles Friday, with public comments due Feb. 12 and final report to the president set for May 11. It seeks input on how to address automated and distributed threats to the digital ecosystem. "No single investment or activity can mitigate harms, but organized discussions and stakeholder feedback will allow us to further evaluate and prioritize activities," the report said. It noted that "effective tools exist, but are not widely used," that "market incentives are misaligned" and that "automated, distributed attacks are an ecosystem-wide challenge." The National Institute of Standards and Technology will host a Feb. 28 and March 1 event on the subject. NIST didn't provide details. Also Friday, chipmakers and tech companies and stakeholders continued working to address separate cybersecurity vulnerabilities (see 1801050050).
Congress should enact data breach notification legislation, said a letter signed by 22 trade groups representing tech, telecom and other industries, sent to House Commerce Committee leaders Thursday. The bill should include a flexible, scalable data protection standard that can be adapted to companies of varying size and complexity; a timely notification regime; consistent enforcement provisions, including ability for the FTC to impose penalties for violations of the new law; and pre-emption of existing state law, said the letter. Those supporting the effort include banking, insurance and retail stakeholders and ACT|The App Association, BSA|The Software Alliance, CTIA, Internet Commerce Coalition, TechNet, 21st Century Privacy Coalition and USTelecom.
At least one large-scale data breach will occur in 2018 and a major botnet attack can be expected, blogged Paul Rosenzweig, founder of Red Branch Consulting. DOJ is likely to find a case where encryption was used to protect a terrorist, which will prompt Congress to take up legislation mandating back-door decryption capabilities, Rosenzweig said. Rollout of Europe's general data protection regulation in May "will have substantial negative impacts on cross-Atlantic data flows" and could trigger a "full-scale data trade war," exacerbated by the Supreme Court's U.S. v Microsoft overseas data storage case (see 1710160009), in which he expects the court will force Microsoft to repatriate data held in Ireland, with Europeans adopting reciprocal restrictions. The court is likely to decide "Americans have a privacy interest in their locational information in Carpenter v U.S. (see 1711290043), he said. Rosenzweig doesn't see any major cybersecurity legislation this Congress: "They may fiddle a bit, but Rome will continue to burn."