The FCC should open an inquiry into Wi-Fi security and rogue access points, after news of the KRACK vulnerability (see 1710160043), network engineer Richard Bennett blogged, referring to key reinstallation attacks. Bennett said the commission should examine whether current anti-jamming policies -- dating to a 2014 order (see 1502170026) fining Marriott for jamming guest Wi-Fi hot spots -- make sense. "The means employed also have legitimate uses; such as removing the KRACK threat against Android devices," Bennett said Tuesday. Separately, the FTC issued a warning to smartphone, laptop or IoT users connecting to Wi-Fi that their information could be at risk, blogged FTC technologist Phoebe Rouge Thursday. Because the problem is with the WPA2 encryption standard that nearly all Wi-Fi devices on the market today use to secure communications, people connecting via Wi-Fi can't be certain their information will be safe, she said. While manufacturers are moving quickly to fix the problem with security updates and patches, the agency recommends consumers take precautions and use connections other than Wi-Fi until they're certain updates have been implemented. As a general rule, it advises consumers to keep up with software updates and avoid sending secure information over unencrypted websites.
U.S. critical infrastructure is less secure than 15 years ago, despite multiple government-industry efforts, said cybersecurity expert Joel Brenner of Massachusetts Institute of Technology, at an American Bar Association session Wednesday. "We continue to walk backwards on network security," said Brenner, who led a public-private effort to create better internet security when he was senior counsel at NSA. Brenner praised the presidential cybersecurity executive order released in May (see 1705110058), but said more needs to be done, citing his MIT report in March urging political leaders to address "deep strategic weaknesses in the architecture of critical systems." Systems operators are too focused on "short-term fixes and tactical improvements" and most new standards lack the teeth to make real change, Brenner said. Huge risks threaten the communications sector due to the size, complexity and interdependencies of network systems, the report said. Brenner backed liability protections for companies operating critical infrastructure to speed adoption of smarter technological solutions: "Most difficult cyber challenges are legal and commercial, not technological. Unless we can make changes, we will not become more secure."
To fight theft of U.S. intellectual property the Trump administration should create a public-private partnership to coordinate counterintelligence efforts with industry, said an Information Technology & Innovation Foundation report. Government "too often" investigates security breaches after they happen instead of responding to threat indicators, which would be more useful, ITIF said.
Belgium researchers discovered a Wi-Fi security vulnerability affecting a wide range of Android and Linux users, as explained in a research paper. An attacker within range of a victim can penetrate security protocols using key reinstallation attacks (KRACKs) to steal sensitive information like passwords, credit cards and emails, and allow malware to be installed on computers. Mathy Vanhoef and Frank Piessens, researchers with imec-DistriNet Research Group, said the weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. The problem is with WPA2, a protocol that secures all modern protected Wi-Fi networks. "To prevent the attack, users must update affected products as soon as security updates become available," the researchers said. Google is "aware of the issue, and we will be patching any affected devices in the coming weeks," said a spokesman. Akamai blogged it's aware of the issue but the "bulk of our corporate wireless traffic access occurs over VPN" and is protected with encryption.
The GAO accepted a request from House Commerce Committee ranking member Frank Pallone, D-N.J., and Senate Communications Subcommittee ranking member Brian Schatz, D-Hawaii, to do an independent review of the FCC’s claim that a May distributed denial-of-service attack caused outages to its electronic comment filing system (see 1705080042 and 1708170042), a GAO spokesman said. FCC Chairman Ajit Pai told Pallone, Schatz and other lawmakers a “non-traditional” DDoS attack hit the ECFS but the FCC declined to provide specific details on plans to protect ECFS against future attacks (see 1706280044 and 1707310071). The lawmakers repeatedly have questioned the FCC’s claims and previously sought GAO and FBI probes (see 1705310024 and 1707070039). The probe is “now in the queue,” but the GAO’s investigative work “won’t get underway for several months,” the spokesman said. "The scope won’t be determined until the work starts."
The IRS "temporarily suspended" a no-bid $7.25 million contract with Equifax "as a precautionary step" while it reviews the credit monitoring service's systems and security in light of a data breach (see 1710030034), said the agency Friday. House Commerce Committee Chairman Greg Walden, R-Ore., and House Digital Commerce Subcommittee Chairman Bob Latta, R-Ohio, said they're "pleased" the taxpayer identity verification contract was suspended but still want answers about its "timing and nature." Walden and Latta said their focus "remains on protecting consumers and getting answers for the 145 million Americans impacted by this massive breach." Other lawmakers, including Rep. Suzan DelBene, D-Wash., also inquired about the contract (see 1710110041, 1710040042 and 1710120016). The tax agency said the breach didn't compromise "the limited IRS data shared under the contract." Suspension means the agency "will be temporarily unable to create new accounts for taxpayers using Secure Access, which supports applications including online accounts and transcripts." Secure Access is the agency's identity authentication process for some online self-help tools. The agency said the contract doesn't affect current users or most services and tools.
“There’s no silver bullet to solving cybersecurity,” but multi-stakeholder research and collaboration are critical, said Senate Commerce Committee Chairman John Thune, R-S.D., at a Dakota State University roundtable in Madison, South Dakota. Thune convened cyber experts from Google, Amazon, Symantec, Visa, General Motors Citibank and the National Institute of Standards and Technology.
A week of field roundtables on cyber issues hosted by Rep. Jim Langevin, D-R.I., will highlight the importance of cybersecurity awareness. Langevin, founder and co-chair of the Congressional Cybersecurity Caucus, will meet with accountants, law enforcement, tech companies, students and cyber professionals. Senate Commerce Committee Chairman John Thune, R-S.D., plans a roundtable Friday in his state focusing on cybersecurity challenges the public and private sector face and discussing the committee's cyber agenda, a committee aide said.
The Electronic Frontier Foundation hit back on Deputy Attorney General Rod Rosenstein for his Tuesday speech about "responsible encryption" (see 1710100028). EFF General Counsel Kurt Opsahl criticized the deputy AG on a number of points in a Wednesday blog post, calling them fallacies. He said Rosenstein's coining of "responsible encryption" is "another glib phrase to describe a backdoor." Opsahl said DOJ has said it wants to have an "adult conversation" on encryption. "This is not it. The DOJ needs to understand that secure end-to-end encryption is a responsible security measure that helps protect people," he said.
The House unanimously passed a cybersecurity measure (HR-2105) directing the National Institutes of Standards and Technology to provide cybersecurity guidelines for small business. The bill would require NIST to develop voluntary guidance for small businesses that federal agencies would make available online.