House Judiciary Committee Chairman Bob Goodlatte, R-Va., and committee Republicans urged FBI Director James Comey Wednesday to “follow all legitimate investigative leads regarding Russia's alleged interference in the 2016 U.S. presidential election, as well as leads regarding the mishandling of classified information.” House Judiciary Republicans said they want Comey to brief them on President Donald Trump's claim that former President Barack Obama ordered a wiretap of Trump Tower ahead of the election. An Obama spokesman called Trump’s wiretap claims “simply false,” and other former Obama administration security officials denied the charge. Senate Judiciary Committee members Lindsey Graham, R-S.C., and Sheldon Whitehouse, D-R.I., separately sought DOJ information about Trump’s wiretap claims, including “copies of any warrant applications and court orders.” House Judiciary Republicans also want Comey to explain how “information classified at the highest level, including methodologies of surveillance, has made its way into the public domain.” WikiLeaks posted more than 8,700 documents Tuesday purporting to originate from the CIA’s Center for Cyber Intelligence, including some thus far unverified files that discuss how the agency could use smart TVs and other devices as surveillance tools (see 1703070047). The documents also include some claiming to detail security vulnerabilities in mobile device operating systems’ software. The FBI didn’t comment.
Samsung representatives didn’t comment Tuesday on WikiLeaks’ disclosure that the CIA worked secretly with U.K. authorities in 2014 to hack Samsung smart TVs and turn them into covert microphones. The CIA also developed “numerous attacks to remotely hack and control popular smart phones,” WikiLeaks said of the 8,000-plus pages of CIA materials it released online Tuesday, the authenticity of which couldn’t be confirmed. “Infected phones can be instructed to send the CIA the user's geolocation, audio and text communications as well as covertly activate the phone's camera and microphone,” WikiLeaks said in a news release. In the case of the hacking of Samsung smart TVs, documents of “engineering notes” purported to be from a joint U.S.-U.K. “workshop” in June 2014 describe malware code-named “Weeping Angel” that can “suppress” the TV’s LED backlight to “improve the look” of a so-called “Fake-Off mode” that gives the owner the false impression the set is turned off when in fact it's listening to private conversations. A to-do list under the heading of “Future Work” expresses frustration that Samsung’s internet firmware updates may remove the Weeping Angel “implant” or “portions of the implant,” the documents say. CIA engineers also expressed concern that a blue LED on the back of the Samsung TV “remains powered when in Fake-Off mode” and thus threatened to tip off the unsuspecting owner, the documents say. Apple and Google representatives also didn’t comment Tuesday on the aspects of the leaked documents that describe how the CIA hacked iOS and Android smartphones from afar.
President Donald Trump's anticipated cybersecurity executive order is "moving along and maybe within a week or so we could see something," said former IBM CEO Sam Palmisano during a Center for Strategic and International Studies event Monday. Palmisano, vice chairman of the federal Commission on Enhancing National Cybersecurity, said he would attend a White House meeting later Monday to provide feedback on the revised order. Palmisano said he has not received any official confirmation on the EO's timeline. The White House didn’t comment. The White House has continued to revise the anticipated order in the weeks since officials first delayed Trump's planned late January signing of it. Then, the order would have directed the Office of Management and Budget to assess all federal agencies' cybersecurity risks and required agencies to manage their risk using the National Institute of Standards and Technology's Cybersecurity Framework (see 1701310066). Recent drafts of the EO have included language that would direct the Department of Commerce to explore ways to encourage “core communications infrastructure” companies “to improve the resilience of such infrastructure and to encourage collaboration with the goal of dramatically reducing threats perpetrated by” botnets (see 1702280065). Likely requirements for agencies’ cybersecurity accountability will be “a very important piece of this” executive order, said former National Security Adviser Tom Donilon, who chairs CENC, during the CSIS event. “That is a contract, if you will, between the president and the people he hires to run the agencies and departments.”
The House Homeland Security Committee plans a Thursday hearing on the efficacy of the Department of Homeland Security’s current engagement with private sector cybersecurity stakeholders, the committee said Friday. Intel Security Group Chief Technical Strategist Scott Montgomery and Symantec Senior Director-Global Government Affairs and Policy Jeffrey Greene are among those set to testify. Palo Alto Networks Vice President-Cybersecurity Strategy and Global Policy Ryan Gillis, HITrust Alliance CEO Daniel Nutkis and New America’s Open Technology Institute Policy Counsel Robyn Greene will also testify, House Homeland Security said in a notice. The hearing is to begin at 10 a.m. in House Capitol Visitor Center Room 210.
Yahoo is enhancing its information security program, reducing exposure of sensitive data and taking other "extensive" technical and organizational steps to protect its systems, said April Boyd, head of global public policy, in an eight-page letter released Friday to a Senate Commerce Committee inquiry. Senate Commerce Chairman John Thune, R-S.D., and Consumer Protection Subcommittee Chairman Jerry Moran, R-Kan., sent a letter to CEO Marissa Mayer (see 1702100059), seeking more information about the 2013 and 2014 breaches that compromised a combined 1.5 billion user accounts. The company disclosed the incidents last year and has been dealing with fallout, including congressional inquiries, lawsuits and uncertainty over a Verizon deal to acquire it (see 1612150010 and 1612230029). The companies said last week they agreed to a price that's $350 million less (see 1702210024). Boyd provided details about how Yahoo notified affected users, types of data compromised, efforts to mitigate harms and its ongoing focus on security. She wrote that even before the incidents were disclosed, the company worked to enhance security. "These matters have received and continue to receive significant attention from executives in the company, including near-daily working sessions with the CEO, a security-focused presentation by Yahoo's Chief Information Security Officer at the company's all-hands meeting each week" and engineering security improvements of products and systems, she wrote. Boyd indicated in the letter that the Yahoo board's independent committee will provide a briefing to members and staff, emailed a Senate Commerce spokesman
LG's webOS 3.5 Security Manager is the first smart TV platform to land UL certification “for its effective cybersecurity capabilities,” LG said in a Tuesday announcement. UL tested the webOS 3.5 Security Manager for malware susceptibility and vulnerabilities, software weaknesses and security controls under its 2900-1 Cybersecurity Assurance Program, LG said. “UL assessed the effectiveness of each webOS 3.5 security layer by subjecting the software to a variety of virtual network penetrations and vulnerability attacks.”
FTC staff recommended that a draft template to help security researchers disclose cybersecurity vulnerabilities to industries, particularly for automobile and medical device manufacturers, can be "useful tool for any company providing software-based products and services to consumers," said the agency in a Thursday news release. Commissioners voted 2-0 to authorize staff to comment on the draft template that was produced by an NTIA-driven multistakeholder process (see 1612150074). The FTC said its staff suggested "the draft template be revised to make clear that the recommendations could apply to more than just safety-critical industries. In its comment, the staff noted that companies that provide Internet-connected products or collect sensitive consumer information should consider implementing a vulnerability disclosure policy and related processes."
“Mega” distributed denial-of-service attacks increased 140 percent year-over-year in Q4, Akamai said Tuesday in a report. Akamai said it considers any DDoS attack larger than 100 Gbps to be a “mega” attack. Twelve such attacks took place in Q4, it said. The largest DDoS attack during Q4, from non-IoT botnet Spike, peaked at 517 Gbps, Akamai said. Seven of the 12 mega attacks are “directly attributed” to the Mirai botnet, which caused the October DDoS attacks against Dyn, Akamai said. The number of IP addresses associated with DDoS attacks also grew during Q4 even though the overall number of DDoS attacks dropped, the company said. The U.S. was the source of the most IP addresses associated with DDoS attacks during the quarter, and remained the top source country for web app attacks, Akamai said. “As we saw with the Mirai botnet attacks during the third quarter, unsecured [IoT] devices continued to drive significant DDoS attack traffic,” said Senior Security Advocate Martin McKeay in a news release. “With the predicted exponential proliferation of these devices, threat agents will have an expanding pool of resources to carry out attacks, validating the need for companies to increase their security investments. Additional emerging system vulnerabilities are expected before devices become more secure.”
Senate Commerce Committee Chairman John Thune, R-S.D., and Senate Commerce Consumer Protection Subcommittee Chairman Jerry Moran, R-Kan., sought answers Friday from Yahoo CEO Marissa Mayer on the internet company’s massive data breaches in 2013 and 2014 (see 1612140076 and 1609220046). Yahoo is facing at least two dozen lawsuits over the data breaches, which may have compromised up to a combined 1.5 billion user accounts (see 1612230029). Verizon indicated in late January it was still assessing the impact of the breaches as it evaluates whether to proceed with its planned $4.83 billion acquisition of Yahoo (see 1701240048). “Despite several inquiries by Committee staff seeking information about the security of Yahoo! user accounts, company officials have thus far been unable to provide answers to many basic questions about the reported breaches,” said Thune and Moran in a letter to Mayer. They said the company's cancellation of a planned Jan. 31 briefing with Senate Commerce staff also “prompted concerns about the company’s willingness to deal with Congress with complete candor about these recent events. We hope that you will dispel these concerns.” Moran and Thune sought information on how many users were affected by the Yahoo breaches, the company’s “efforts to identify and provide notice to these users,” and a timeline on the breaches. The senators also sought information on what data may have been compromised in the breaches and what steps Yahoo is taking to mitigate harm to affected users and to improve its cybersecurity. Mayer must submit answers to Senate Commerce by Feb. 23, Moran and Thune said. Yahoo is "in receipt of the letter, reviewing it and will respond as appropriate," a spokeswoman said.
The House Research and Technology Subcommittee set a hearing Tuesday on recommendations in recent cybersecurity-related reports, including the Commission on Enhancing National Cybersecurity's December report. CENC said many of its recommendations merited action within the first 100 days of President Donald Trump's administration, including forming an independent organization to develop the equivalent of a cybersecurity “nutritional label” for tech devices and services and additional promotion of the National Institute of Standards and Technology's Cybersecurity Framework (see 1612020050). Industry lawyers said they believe CENC's recommendations will have value for Trump (see 1611220065). House Research Technology said its hearing will also examine the Center for Strategic and International Studies Cyber Policy Task Force's January recommendations to Trump on cybersecurity policy (see 1701050073) and recent GAO reports. NIST Information Technology Lab Director Charles Romine and GAO Information Security Issues Director Gregory Wilshusen are among those to testify, with VMware Chief Technology Officer Iain Mulholland and Institute for Information Infrastructure Executive Director Diana Burley. The hearing will begin at 10 a.m. in 2318 Rayburn.