Failure to disclose a Google Plus security vulnerability for a reported six months (see 1810120039) raises questions about whether the platform again violated FTC agreements, Sens. Amy Klobuchar, D-Minn., and Catherine Cortez Masto, D-Nev., wrote CEO Sundar Pichai Tuesday. The lawmakers compared the situation to the FTC’s investigation of the Facebook-Cambridge Analytica privacy breach. A Google spokesperson cited an article saying the company did nothing illegal.
Communications, financial services and power sectors will soon expand their joint catastrophic cyber incident response plan across all “critical sectors” and eventually incorporate it into the Department of Homeland Security’s National Response Framework, CenturyLink Senior Director-National Security/Emergency Preparedness Kathryn Condello blogged Monday. Certain catastrophic events, like cyber-induced, sustained power outages, need joint resources, she said: “Everyone and everything are connected.”
The FTC and various agencies announced the launch of a national education campaign to help small businesses combat cyberthreats. The campaign from the Department of Homeland Security, the National Institute of Standards and Technology and the Small Business Administration includes fact sheets, videos and quizzes.
Sens. Richard Blumenthal, D-Conn., and Marco Rubio, R-Fla., warned against Chinese back doors allowing a foothold for commercial espionage and destructive cyberthreats, responding to a recent report of Chinese spies targeting U.S. companies (see 1810090029). The lawmakers Tuesday prodded Super Micro Computer, which is on the list of alleged targets that also include Apple and Amazon. The companies denied the validity of Bloomberg Businessweek's report, with Supermicro “strongly” refuting claims that “servers it sold to customers contained malicious microchips in the motherboards of those systems.” The Department of Homeland Security said it had “no reason to doubt the statements from the companies named in the story.”
A report Chinese spies used tiny chips to exploit networks of dozens of U.S. companies is “not true,” Apple wrote Congress Monday. Bloomberg Businessweek’s recent article suggests Chinese state-owned entities planted malicious chips that infiltrated Apple servers. “Bloomberg provided us with no evidence to substantiate their claims and our internal investigations concluded their claims were simply wrong,” Apple Vice President-Information Security George Stathakopoulos wrote. “We are eager to share the facts in this matter because, were this story true, it would rightly raise grave concerns.” The letter was sent to leadership for the Senate and House Commerce committees. Tuesday, Bloomberg didn’t comment.
The Department of Homeland Security reduced the time it takes to patch a cyber vulnerability to within 30 days, Assistant Homeland Security Secretary for Cybersecurity and Communications Jeanette Manfra said in an interview for C-SPAN's The Communicators series, set to be televised later. She conceded the agency struggled with patching vulnerabilities in an acceptable amount of time in the past. Shrinking the response time had a ripple effect throughout the federal government, she said. The digital economy is so interconnected that cyber infections can spread quickly across the world, she said, calling cyberthreats a “constant, ever-present activity that everyone has to face.” She said the department had “limited visibility” of foreign influence campaigns in the 2016 election. DHS has worked hard in the past two years to deploy more “sensing capabilities,” particularly with state and local authorities, she said, and more than 1,500 jurisdictions participate in information sharing.
There's no evidence those behind Facebook’s recent hack (see 1810010032) accessed other applications using the Facebook login, it said Tuesday. The company analyzed logs “for all third-party apps installed or logged in during the attack,” Vice President-Product Management Guy Rosen wrote. Fifty million users’ access tokens were stolen, and the platform as a precaution reset access for another 40 million. In a separate issue, the Campaign for a Commercial-Free Childhood accused Facebook of improperly collecting children’s data without proper parental consent on Facebook Messenger Kids. The group asked the FTC to investigate. The agency didn’t comment. A Facebook spokesperson said in a statement that parents, safety experts and privacy experts agree Messenger Kids is "one of the safest apps for kids to connect with their family and friends, and we also continue to support research on the relationship between technology and kids' wellbeing.”
Facebook discovered Tuesday that hackers stole access to as many as 90 million user accounts, it announced Friday. “While I'm glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this,” CEO Mark Zuckerberg said. The vulnerability, which allowed exploitation of the “view as” feature, was patched Thursday, and law enforcement was notified, Vice President-Product Management Guy Rosen said. The feature lets users see what their profiles look like from another's perspective. The vulnerability let hackers steal “access tokens” and take control of accounts. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” Rosen said. Facebook reset access to almost 50 million accounts “we know were affected,” and as a “precautionary measure,” reset access tokens for another 40 million “that have been subject to a ‘View As’ look-up in the last year.” The feature is disabled until the security review is completed. The vulnerability “stemmed from a change we made to our video uploading feature in July 2017,” Rosen said. Sen. Mark Warner, D-Va., said a swift investigation should be made public: “Congress needs to step up and take action to protect the privacy and security of social media users. ... The era of the Wild West in social media is over.”
Uber reached a $148 million settlement with all 50 states and the District of Columbia on the company’s yearlong delay in reporting a data breach affecting some 600,000 drivers and riders (see 1804120056), Missouri Attorney General Josh Hawley (R) announced Wednesday. Uber learned about the breach in November 2016 but didn’t report it until November 2017, said Hawley. “Even though some of that information triggered Missouri law requiring Uber to notify affected Missouri residents, Uber failed to report the breach in a timely manner,” Hawley’s office said. Affected Missouri drivers are eligible for $100 in compensation, Hawley said. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and keep quiet,” Pennsylvania AG Josh Shapiro (D) said. “That is outrageous corporate misconduct.” Uber will "continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world," Uber Chief Legal Officer Tony West said Wednesday.
President Donald Trump signed a national cyber strategy to coordinate defensive and offensive activities, National Security Adviser John Bolton said Thursday. The strategy was finalized in connection with rescinding an Obama-era directive requiring interagency coordination on offensive U.S. cyberattacks. Bolton called the reversal a warning sign for adversaries like China, Russia, Iran and North Korea. It's the first “fully articulated cyber strategy in 15 years,” Bolton said. Presidential Policy Directive 20, signed in 2012 by President Barack Obama, established an interagency framework for approving U.S. cyberattacks. The administration eliminated that directive several weeks ago, Bolton told reporters. The U.S. no longer has its hands tied, he said: “We’re going to do a lot of things offensively, and I think our adversaries need to know that. ... We’re not just on defense as we have been primarily.” U.S. Cyber Commander Paul Nakasone, Homeland Security Secretary Kirstjen Nielsen, Director of National Intelligence Dan Coats and FBI Director Christopher Wray agreed on the change, Bolton said. The new plan recognizes public and private sectors have struggled to secure systems, said Bolton. Overcoming those challenges will require technical advances and a thriving tech sector, Bolton added. He cited the WannaCry cyberattack and a recent attack against Atlanta as evidence threats aren't going away. The 2015 Office of Personnel Management data breach is one type of attack the U.S. is looking to deter, Bolton said. Asked about the administration eliminating the top cyber policy adviser position (see 1805160046), Bolton said he inherited a duplicative staffing structure. Numerous senior directors -- for defense and intelligence, for example -- don't have coordinators, he said.
The strategy emphasizes “promoting American prosperity,” “preserving peace through strength,” “advancing American influence” and securing a “cyber future.” It's an extension of Trump’s May 2017 cybersecurity executive order, the White House said. DOD said Tuesday the U.S. needs to collect intelligence in cyberspace to combat malicious efforts by China and Russia, which pose an unacceptable risk to the U.S. North Korea and Iran pose similar threats, officials said.