The National Institute of Standards and Technology is seeking comments by Jan. 19 on a second draft of its Cybersecurity Framework released Tuesday that is based on extensive consultation with the private and public sectors, NIST said. Internet Security Alliance President Larry Clinton praised the updated framework for making “significant achievements toward achieving the goals of the original [Cybersecurity] Executive Order.” The new draft clarifies supply chain risk management assessments, and extends use of the framework to include information technology systems and IoT, the agency said. As the agency works on the second draft, it will be looking at ways to help organizations of all sizes use the framework to meet their specific cybersecurity needs, NIST said.
The Senate confirmed Kirstjen Nielsen as secretary of homeland security Tuesday 62-37. Senate Homeland Security Committee ranking member Claire McCaskill, D-Mo., and Senate Intelligence Committee ranking member Mark Warner, D-Va., were among the Senate Democrats who joined with Senate Republicans to vote for Nielsen. The Senate Homeland Security Committee advanced Nielsen’s nomination in November (see 1711160029). Elaine Duke has worked as acting homeland security secretary since July 31, after former DHS Secretary John Kelly was named President Donald Trump’s chief of staff (see 1707310017).
Entities that knowingly conceal data breach information would face cash penalties and up to five years in prison, in a bill introduced Thursday by Senate Commerce Committee ranking member Bill Nelson, D-Fla., Richard Blumenthal, D-Conn., and Tammy Baldwin, D-Wis. The push for legislation was prompted by Uber's disclosure of a data breach affecting 57 million accounts that was concealed for a year (see 1711270047), said the members' statement. The proposal would require companies to notify consumers of data breaches within 30 days and direct the FTC to develop security standards to help businesses protect consumers' personal and financial data. It would also provide incentives to businesses that adopt new technologies that make consumer data unusable or unreadable if stolen during a breach. “We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that info has been stolen,” said Nelson, who introduced a similar bill with Blumenthal last year.
Work to protect Americans’ data has a “long way to go” as malicious actors rapidly build, share and sell stolen credentials, House Commerce Committee Chairman Greg Walden, R-Ore., said at a Commerce Oversight Subcommittee hearing Thursday. Without "meaningful legislation, we'll continue to see more data breaches and the unfortunate ripple effects," said ranking member Frank Pallone, D-N.J. Subcommittee Chairman Morgan Griffith, R-Va., said the hearing kicks off "a much longer conversation" Congress is undertaking to address identity verification issues. Witnesses were asked to provide perspective on the threat from stolen identities repackaged into new data sets that can override knowledge-based authentication protections, which rely on a series of user-unique questions. Public and private sectors have recognized the problem, but “significant work remains,” said a subcommittee hearing memo. The recent Equifax breach starkly illustrates that attackers can easily override “first-generation tools” to protect identity, said prepared testimony of Venable Managing Director Jeremy Grant, advocating a bigger role for government to address critical vulnerabilities. “There’s an active trading scene exchanging data both for monetary gain and simply as a hobby,” said Australian security author and educator Troy Hunt. Few people realize how vulnerable they are and how many times their data has already been breached, said Hunt, who offers a free service to help people understand their exposure. “There’s not enough incentive to do things right and not enough disincentive to do them wrong before the pattern repeats,” he said. US PIRG consumer program director Edmund Mierzwinski's testimony called for Congress to take a “careful approach,” and not override state authority to enact strong consumer protection.
California, Massachusetts, Illinois and Texas have strong data breach notification laws, he said, and 17 other states have laws that allow victims to sue data breach notification violators. Congress should extend free credit freezes at the three national consumer reporting agencies and ensure one-stop shopping, Mierzwinski said. "This is the best way to protect identity theft."
Web application attacks rose 69 percent in Q3 over the same time last year, continuing a trend of increasing vulnerabilities fueled in part by unsecured IoT devices (see 1711210047), Akamai reported Tuesday. With holidays approaching, criminals may increase malicious activities, including use of ransom letters, it said: The Mirai botnet and WireX malware attacks suggest attackers may be leveraging IoT and Android devices to build future botnet armies. The Android-based WireX botnet infected as many as 150,000 devices within weeks, illustrating the "worrisome potential for cyber attackers to compromise and leverage mobile devices in their exploits," the company said. More promising is the multicompany effort that successfully stopped the botnet while still in its relative infancy, it said. Nonetheless, criminals are getting smarter and new attacks on mobile platforms are likely, wrote Senior Security Advocate Martin McKeay. "Our experience suggests that an army of new potential attackers comes online every day." NCTA blogged Monday that it's working with the Messaging, Malware and Mobile Anti-Abuse Working Group to improve information sharing on distributed denial of service attacks, and to develop IoT security standards. "We should expect to see more end-user devices supporting automatic software updates," wrote Matt Tooley, vice president-broadband technology. "A huge and growing problem involves devices ... not getting a security patch and then later being used by cyber criminals."
Uber must respond by Dec. 11 to questions about its recent data breach (see 1711220029) and allegations it paid hackers $100,000 to quash the stolen information, said a letter sent Monday to CEO Dara Khosrowshahi by chairs of the Senate Commerce Committee and its Consumer Protection subcommittee and Senate Finance and its Social Security subcommittee. Sen. Mark Warner, D-Va., ranking member of the Banking Subcommittee on Securities, wants Uber to explain why it didn't employ more "robust access management mechanisms, including strong multi-factor authentication, enabled to prevent unauthorized access to passenger and driver data," in a letter sent Monday to Khosrowshahi. "Our goal is to understand what steps Uber has taken to investigate what occurred, restore and maintain the integrity of its systems, and identify and mitigate potential consumer harm and identity theft-related fraud against Federal programs," said the letter signed by Republican Sens. John Thune, S.D., also chair of the Commerce Committee; Jerry Moran, Kan.; Orrin Hatch, Utah; and Bill Cassidy, La. The letter asks Uber when it first learned that hackers accessed consumer information; how many consumers and drivers were affected; what was done to provide notice of the breach; what types of data were compromised; whether payments were made to hackers and, if so, who authorized them and how they were made; and what steps have been taken, other than monitoring services, to further protect customers from harm from the incident. The letter asks for a detailed timeline of the data breach occurrence and confirmation that customers' Social Security numbers were not obtained by hackers or in any way compromised.
Akamai completed its acquisition of cybersecurity firm Nominum, a deal disclosed in October, the buyer announced Monday.
NordVPN, a virtual private network security provider, is offering a 77 percent off Black Friday deal during what it said is one of the busiest times of the year for online fraud. The offer is $2.75 per month with a three-year agreement. As more people shop online for Black Friday and Cyber Monday deals, the risk for cybercrime is higher, and “not all Internet retailers are prepared to handle this kind of growth,” said the company. Websites could be spoofed with fraudulent sites set up by hackers to steal users’ data, or an e-commerce site may not use a secure encryption protocol to protect customers’ information, it said. Among its tips for e-commerce safety: (1) Look for https ahead of the website’s URL indicating a secure protocol and that data is encrypted properly; (2) don’t share financial information over public Wi-Fi networks; (3) be wary of providing personal information; (4) choose strong passwords; and (5) use a VPN.
Equifax is being asked to provide more details on its data breach affecting 145 million people, in a letter sent Monday by leaders of the House Science and Oversight committees. The committees requested the names of executive staff employed between March 1 and Sept. 30; communications between Equifax and government agencies; security notifications from the Department of Homeland Security; documents identifying prior breaches on Equifax networks starting in June 2014; and March 8-Sept. 30 communications between former Chief Security Officer Susan Mauldin and those handling security updates.
Equifax is being questioned further on handling of a major data breach, in a letter sent Friday by House Commerce Committee leaders to interim CEO Paulino do Rego Barros and Chairman Mark Feidler. The lawmakers seek additional information about the "breach, post-breach response, and consumer protection remediation offered by Equifax." An Oct. 3 House Digital Commerce Subcommittee hearing (see 1710030034) heard from ex-CEO Richard Smith, but additional vulnerabilities disclosed Oct. 13 "raise more questions," the letter said. Written responses are requested by Dec. 4.