TechFreedom Executive Director Austin Carson endorsed the Protecting Our Ability to Counter Hacking Act. HR-2481/S-1157 would codify the vulnerabilities equities process (VEP) for government stockpiling and disclosing software and hardware vulnerabilities and make it transparent and accountable. Rep. Ted Lieu, D-Calif., and Sen. Brian Schatz, D-Hawaii, led sponsorship of the bill last week, after the WannaCry ransomware attacks (see 1705120055, 1705150008 and 1705170025). “Codifying the VEP process and adding oversight mechanisms will put the VEP on solid footing, removing the threat of policy changes at the whims of the executive branch and giving Congress the chance to more fully evaluate the tradeoffs,” Carson and TechFreedom Legal Fellow Ashkhen Kazaryan blogged. “In this era where cyber attacks are edging ever-closer to becoming cyber wars, the United States government should lead the way in balancing the interests at stake and addressing the cybersecurity concerns directly within its control.”
Close to 200 million video players and streamers run software vulnerable to "malicious subtitle files" that are downloaded by media players, with the exploit allowing takeover of the device, Check Point Software blogged Tuesday: Vulnerabilities are found in a variety of streaming platforms, including Popcorn Time, VLC, Kodi and strem.io, and it's "one of the most widespread, easily accessed and zero-resistance [vulnerabilities] reported in recent years." It said subtitle repositories loaded by users' media players "are, in practice, treated as a trusted source by the user or media player." The company said hackers can then "take complete control over any device" that loads the Trojan horse subtitle files. The firm reported the vulnerabilities to developers of the affected media players.
The recent WannaCry ransomware attack underscores questions about providing software and hardware patches, who has the responsibility for installing them and the role of high-level executives in organizations for understanding and appropriately investing in cybersecurity (see 1705150008, 1705160038 and 1705180032), said FTC Commissioner Terrell McSweeny in an interview on C-SPAN that was slated to be televised over the weekend on The Communicators. The commissioner discussed the agency's role in providing guidance for organizations and individuals to protect against such threats, and its enforcement role if organizations don't adequately protect consumer data. McSweeny noted the FTC's role in an expanded interconnected ecosystem that includes wearables, home devices like smart TVs and cars and efforts to give consumers a say in whether their personal data should be collected. The FTC, she said, needs additional resources and technologists to keep pace with evolving technology, how the tech works and how new uses could harm consumers. McSweeny, a Democrat, said the FCC's push to undo the open internet order (see 1705180029) could tilt the playing field toward a few large broadband providers that may want to prioritize their own content at the expense of small, entrepreneurial players. She seemed hopeful the recent 9th U.S. Circuit Court of Appeals' decision to rehear the agency's case against AT&T Mobility (see 1705100063) will "fix an error" made by a three-judge panel that effectively removed the FTC's oversight of broadband providers. She said Congress needs to clarify the commission's jurisdiction in this area (see 1705190053).
Large majorities of healthcare respondents dismissed privacy, data protection and cybersecurity as concerns, said ABI Research in a Wednesday news release. The business tech survey of 455 U.S.-based companies found that 82 percent of healthcare respondents didn't rank privacy and data protection as a concern, and 58 percent didn't rank cybersecurity. “Cybersecurity within the healthcare sector has been traditionally poor, at best,” said analyst Michela Menting: Most comply with laws but don't understand what "comprehensive, multi-layered cybersecurity implementation" involves. ABI said medical devices and hospital equipment are "highly vulnerable" to cyberattacks like WannaCry, which hindered the U.K. healthcare system (see 1705120055, 1705150008 and 1705160008). ABI said the online survey was done in February and March.
Legislation to codify a government process for stockpiling and disclosing software and hardware vulnerabilities and make it transparent and accountable was introduced Wednesday by a bipartisan, bicameral group of lawmakers. Sponsor Sen. Brian Schatz, D-Hawaii, said in a news release the Protecting our Ability to Counter Hacking (Patch) Act codifies the vulnerabilities equities process (VEP) and "will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.” VEP is a framework that guides agencies, which independently discover flaws or acquire them from third parties, in determining whether to notify vendors so they can fix them. Senate Homeland Security Committee Chairman Ron Johnson, R-Wis., said the WannaCry ransomware attacks show why government and the private sector need to work together (see 1705150008). Sen. Cory Gardner, R-Colo., and Reps. Blake Farenthold, R-Texas, and Ted Lieu, D-Calif., are co-sponsors of the bill. Information Technology and Innovation Foundation Vice President Daniel Castro said in a statement that VEP is broken and the bill would balance security and economic interests and disclose flaws to companies more quickly so patches can be developed sooner. Public Knowledge Cybersecurity Policy Director Megan Stifel said the bill would "enhance trust in the internet and internet-enabled devices."
Some cyberattacks are on the rise, Akamai reported Tuesday, with the U.S. the top source country for web application attacks, showing an increase of 57 percent in Q1 year over year. Risks to the internet and to certain sectors "continue to evolve," said Martin McKeay, senior security advocate. "Use cases for botnets like Mirai have continued to advance and change, with attackers increasingly integrating Internet of Things vulnerabilities into the fabric of DDoS botnets and malware. It’s short sighted to think of Mirai as the only threat," he said of the botnet used in distributed denial-of-service attacks. Botnet families like BillGates, elknot and XOR are "mutating," he added.
Symantec’s dome-shaped Norton Core, billed as a “secure” Wi-Fi router, is available for preorder from Amazon and Best Buy, said the cybersecurity company Monday. The $279 router, available for preorder for $249 for a limited time, is bundled with a one-year subscription to Norton Core Security Plus, which protects an unlimited number of connected personal devices, Symantec said. After the first year, the subscription is $9.99 per month, billed annually, it said. Select Best Buy stores will have interactive touch-screen displays where consumers can learn about the router this summer when the product is scheduled to ship. Features include an app consumers can use to monitor and manage their network, including enabling guest access and monitoring suspicious behavior; parental controls; and automatic updates, said the company. Symantec researchers identified security vulnerabilities in 50 different connected home devices such as smart thermostats and smart hubs that could be targets for cyberattacks.
With more than 96,000 complaints about tech support scams reported since 2015, the FTC said it's ramping up actions against companies that deceive consumers into thinking their computers are infected with malware and then charge them hundreds of dollars to fix nonexistent problems. At a Friday news conference in Tampa, Florida, FTC Consumer Protection Bureau acting Director Thomas Pahl and Florida Attorney General Pam Bondi announced that Operation Tech Trap -- with federal, state and international law enforcement agencies -- resulted in 16 new actions, including complaints, indictments, guilty pleas and settlements, against these scams in the past few weeks, bringing actions to 29 over the past year (see 1507310027, 1510200050 and 1610170020). Consumer losses from the scams so far have totaled more than $24.6 million, said Pahl. He said consumers browsing the internet get a pop-up message telling them their computer is infected with a virus or has another security problem. The message urges them to call a toll-free number, which connects them to telemarketers, usually located in India, who say they're certified or authorized by Apple or Microsoft to fix the problems. The scammers are allowed to remotely access the computer, diagnose it and supposedly fix it at a cost of $200 to $300. He said Apple, Microsoft and other companies gave the commission affidavits that they have nothing to do with such operations, making it easier to prosecute. Such scams began several years ago when telemarketers cold-called consumers to sell them services, a scam that has evolved into pop-up messages, said Pahl. Complaints to the FTC have increased year over year, including a 13 percent hike from 2015 to 2016 about the scams, which have also grown in sophistication, he added. Pahl said the 96,000 complaints are the "tip of the iceberg" since many go unreported and scripts are becoming "far more slick," misleading more people and making it harder to prosecute.
Bondi said personal data is at risk from these scams, which can also leave devices inoperable. She said the scams "damage consumer confidence" and undermine trust in using the internet for transactions. Pahl said the agency recently acted against a company falsely offering tech support services on behalf of the FTC. He called this a scam "trying to injure people twice, which indicates just how pernicious this behavior is." Officials said consumer education and more reporting to law enforcement agencies are the only way to stop such scams.
Sen. Orrin Hatch, R-Utah, and industry stakeholders diverged Thursday and Friday in statements on President Donald Trump’s cybersecurity executive order. The order, released Thursday after months of delays and drafts (see 1701310066 and 1702280065), directs the Office of Management and Budget and the Department of Homeland Security to assess all federal agencies' cybersecurity risks. It directs DHS and the Department of Commerce to explore ways to “promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by” botnets (see 1705110058). The EO “is an important step in modernizing and improving federal cybersecurity policies and protocols,” Hatch said. “For several years, I have been very concerned about the state of our federal government’s cybersecurity and computer systems.” Hatch said the order “mirrors the intent” of his enacted 2015 Federal Computer Security Act, which “was to require federal agencies to be accountable and proactive about securing critical infrastructure and computer systems from cyberattacks.” The Information Technology Industry Council believes the order “is a promising start for the administration’s cyber efforts,” said President Dean Garfield. “We are pleased to see the Trump Administration embrace actions we have consistently advocated for, including orienting federal government cybersecurity risk management around the [National Institute of Standards and Technology] Cybersecurity Framework and utilizing public-private partnerships to advance cybersecurity.” Cybersecurity IT company CSRA sees the EO as providing “a monumental boost to the effort to update and secure the government’s IT infrastructure,” said CEO Larry Prior. 
“Aging systems and outdated requirements are costing our government time and money, and jeopardizing our security.” The Information Technology and Innovation Foundation is “disappointed to see that this executive order is mostly a plan for the government to make a plan, not the private sector-led, actionable agenda that the country actually needs to address its most pressing cyber threats," said Vice President Daniel Castro. “This order leans heavily on the government for ideas and implementation rather than a public-private partnership approach.”
The FCC Electronic Comment Filing System seemed to still be experiencing problems Wednesday, as it has been this week. Access to filings was intermittent and apparently limited to only some dockets when we did have access. The agency declined to comment. The commission has been receiving high volumes of comments on its open internet draft proposals, which Sunday night was the target of a commentary by HBO comedian John Oliver. His 2014 commentary was credited with helping spark a wave of public comments in a previous net neutrality rulemaking that apparently helped crash the agency's system (see 1406040046). Beginning Sunday at midnight, the commission was "subject to multiple distributed denial-of-service attacks" that eventually tied up servers in the agency's commercial cloud host's system, preventing responses to people trying to submit comments, said Chief Information Officer David Bray Monday (see 1705080042). Fight for the Future, which backs net neutrality rules, Tuesday questioned whether the DDoS attacks took place right after Oliver's commentary, and Sens. Ron Wyden, D-Ore., and Brian Schatz, D-Hawaii, wrote the FCC Tuesday to ask questions about the situation and urge an alternative way to file comments (see 1705090063).