Fight for the Future, a group that supports the 2015 net neutrality rules, is questioning whether distributed denial-of-service attacks (DDos) against the FCC Electronic Comment Filing System took place after HBO comedian John Oliver urged the public to weigh in on net neutrality (see 1705080042). Oliver directed viewers to “gofccyourself.com,” which redirects to the comment filing site. A former senior FCC official told us the problem is the FCC never really fixed ECFS after the last time it crashed in 2014 under similar circumstances, and three years ago, the agency made similar claims of a cyberattack. “Fight for the Future is extremely skeptical of the FCC's claim that they experienced a DDoS attack at the exact same time that large numbers of people would have been commenting on their site in support of Title II net neutrality protections following John Oliver's viral segment on Sunday,” the group said in a statement Tuesday. “We have now read that the FCC is claiming this also happened in 2014 during the last John Oliver segment about the issue, and we are even more skeptical.” The FCC should release its logs “to an independent security researcher or major media outlet who can verify their claims and inform the public about what really happened here,” the group said. “The agency has a responsibility to maintain a functioning website to receive large numbers of comments and feedback from the public.” Sens. Ron Wyden, D-Ore., and Brian Schatz, D-Hawaii, are probing the FCC statement. They sent a letter to the commission Tuesday asking several questions and urging the FCC to set up an alternate way to comment if need be, such as a dedicated email address. Schatz first made that suggestion in a Monday tweet. “Any potentially hostile cyber activities that prevent Americans from being able to participate in a fair and transparent process must be treated as a serious issue,” they wrote. They want answers by June 8: “Has the FCC sought assistance from other federal agencies in investigating and responding to these attacks? … Did the DDoS attacks prevent the public from being able to submit comments through the FCC’s website? If so, do you have an estimate of how many individuals were unable to access the FCC website or submit comments during the attacks? … Does the FCC have all of the resources and expertise it needs in order to combat attacks like those that occurred on May 8?” The FCC received and is reviewing the letter, a commission spokesman said. Matt Wood, policy director at Free Press, said his group has similar questions. "We share the skepticism, and at minimum hope the FCC will demonstrate that it's not characterizing a flood of comments as an attack,” Wood told us. Scott Cleland, chairman of NetCompetition, slammed the Oliver segment in an opinion article in The Hill. Cleland said Oliver is likely to have little impact given the makeup of the current FCC under Chairman Ajit Pai. “Is net neutrality policy the joke here?” Cleland asked. “Or is the joke really that net neutrality activists think late night comedy is the most effective way for them to influence the FCC on public policy?” Public interest group Popular Resistance said it launched a new campaign, Protect Our Internet. The group urged net neutrality supporters to engage in a campaign of “Ajit-ation.”
When Gmail users received a phishing email impersonating Google Docs they clicked a link in the email that led them to the attacker's application requesting access to their accounts, said Mark Risher, Google director-counter-abuse technology, in a Friday blog post about the spoofing campaign last week. "If the user authorized access to the application (through a mechanism called OAuth), it used the user's contact list to send the same message to more people." Google said it stopped the attack within an hour of detecting it Thursday, and fewer than 0.1 percent of users were affected (see 1705040025). Risher said Google protects users from such attacks via machine learning technology that can detect spam and phishing messages with a 99.9 percent accuracy; "safe browsing" warnings that alert users to dangerous links within Gmail and across more than 2 billion browsers; prevention of suspicious account sign-ins; and email attachment scans for malware. The company, he said, is updating policies and enforcement of OAuth apps and anti-spam systems and expanding monitoring of "suspicious" third-party apps that seek information from users.
Intel will send out an update to fix a firmware vulnerability that could give a hacker access to business computers or devices that use its Active Management Technology (AMT), Intel Standard Manageability (ISM) or Small Business Technology (SBT), said a news release Friday. Intel, which issued a security advisory about the vulnerability May 1, said it implemented and validated an update to address the issue and is working with computer makers to integrate it into their software, with the update available beginning Monday. Before then, Intel said companies using computers and devices that incorporate AMT, ISM or SBT can download a tool that will analyze a system. If the tool detects the vulnerability or can't determine if a system is at risk, administrators can follow a mitigation guide published with the advisory or they can contact customer support.
Google said it stopped a phishing email campaign impersonating Google Docs that was attempting to compromise Gmail users. "We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again," said a Wednesday tweet. In a later statement, the company said it resolved the issue about an hour after it first tweeted that it was investigating a phishing email. It said the phishing campaign "affected fewer than 0.1% of Gmail users. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed."
Access Now is asking the FTC to investigate sex toy maker Svakom Design USA, alleging its internet-enabled vibrator with an embedded camera can be easily compromised. In a Wednesday news release and complaint, Access Now said Svakom released its "Siime Eye" vibrator in 2016 "with grossly inadequate security" because hackers can access personal data including video feeds. Risk of personal data might "lead to the loss of professional opportunities as well as harassment, severe reputational and emotional impacts, and other substantial privacy impacts," said the complaint. Access Now said the company's failure to provide proper security is both an unfair and deceptive trade practice. The complaint stems from research presented by technologist Ken Munro of U.K.-based Pen Test Partners, which provides vulnerability testing and security services, during a March 30 session at Access Now's RightsCon annual conference in Brussels. In a demonstration, Munro exploited a vulnerability in the Siime Eye software in two minutes, giving him full access to the video feed, the complaint said. It said Svakom provides little guidance in its device instructions to help users reasonably avoid harm. Security experts tried to tell the company about the problem, but it "ignored the notification and took no additional steps to increase the device security," said the complaint. Access Now wants the FTC to investigate and stop the sale of the Siime Eye products and try to recall those that have been sold. It also wants the commission to force Svakom to push security patches and notifications to users and implement a comprehensive privacy and security audit of the company's internet-connected products and services. Svakom and the FTC didn't comment.
About 17 percent of incidents in which personally identifiable information (PII) is compromised occur without any malicious intent from those responsible, meaning it's likely human error, said a report released Thursday by the Center for Identity at the University of Texas at Austin. "Vulnerabilities caused by human error are frequently exploited by opportunistic hackers and fraudsters," said the 2017 Identity Theft Assessment and Prediction Report, which analyzed a database of about 5,000 incidents that occurred between 2000 and 2016. In another finding, the report said only 0.36 percent of incidents "spanned the whole U.S.," as did the 2013 Target data breach (see 1312200034), meaning most of the cases are "confined to a local geographic region or victim profile." The report said California had the highest number of incidents in which PII was compromised (476) followed by Florida (309), New York (303) and Texas (244). The report also said the impact of emotional distress to victims "is consistently higher than" financial and property losses and one-third of incidents were perpetrated "solely" by insiders such as company employees and family members.
Manufacturers’ plant production and equipment processes had productivity increases in the past year due to IoT integration, but 19 percent of participants in a study said they weren’t confident in their cybersecurity programs. That's according to a BDO report Monday saying many manufacturers are leaving cybersecurity and R&D financing out of their IoT strategies. Cyberattackers often exploit third-party vulnerabilities to gain access to their targets, leaving "dangerous" security gaps in manufacturers’ supplier networks, said BDO. Some 27 percent of manufacturers surveyed didn’t have a cybersecurity policy in place for supply-chain partners, it said. The study of 374 global manufacturers was done in November and December for consultant firm BDO by The MPI Group.
NTIA will hold the next meeting April 26 of its multistakeholder process on IoT security upgradeability. The process, which convened in October (see 1610190051), is now divided into working groups focused on existing standards and tools, technical capabilities, communicating security upgradeability and adoption incentives and barriers. Participants aim to use the meeting to “share progress from the working groups and hear feedback from the broader stakeholder community,” NTIA said in a notice to have run in an upcoming Federal Register. “Stakeholders will also discuss their vision of the timing and outputs of this initiative, and how the different work streams can complement each other.” The meeting is to run 10 a.m.-4 p.m. at the American Institute of Architects’ offices in Washington.
The American Cable Association urged the National Institute of Standards and Technology to clarify its approach to developing metrics as part of the agency’s work to update the 2014 Cybersecurity Framework, in comments released Tuesday. NIST collected feedback through Monday on its draft v1.1 framework update, which included metrics language aimed at starting a conversation on how to effectively measure use of the framework (see 1701100084). Other commenters urged NIST to be cautious about metrics development and urged inclusion of language in the framework on vulnerability disclosure guidelines and cybersecurity insurance (see 1704110045). The metrics language in NIST’s draft v1.1 “is confusing, and in some respects contradictory,” ACA said. “It is not nearly ready for adoption,” in part because ACA said it “fails to convey clear, definitional guidance, and this lack of clarity is likely to frustrate small operators and may lead some to give up on the Framework altogether. Moreover, based on the proposed changes, those that do attempt to implement the entire Framework, including its recommendations on measurement, may end up relying overmuch on a one-size-fits all checklist assessment created by third party consultants or auditors, rather than making the type of inward-looking, individualized approach to cybersecurity risk management that the Framework otherwise encourages.” NIST should instead “continue to work with the private sector to develop a clearer and more useful approach,” ACA said.
Chinese “nation-state threat actors” breached the National Foreign Trade Council’s (NFTC’s) website between Feb. 27 and March 1, using a link leading to a remote script that would launch when anyone visited certain pages on the website, Fidelis Cybersecurity said. Fidelis first observed the “inject” on the registration page for an NFTC board meeting in Washington scheduled for March 7, the firm said. The remote script was the “Scanbox framework,” a web reconnaissance tool exclusively known in the research community to have been used by bad actors working with or sponsored by the Chinese government, Fidelis said. It's “highly probable” that the hack targeted private sector players involved in lobbying on U.S. foreign trade policy, the company said. The NFTC didn’t comment.