The FTC approved a final order Tuesday, resolving a complaint against Oracle that it deceived customers about security updates to the Java platform, standard edition (Java SE) software (see 1512210028), the commission said in a news release. The commission approved the order 4-0 after a public comment period. FTC announced the settlement in December when the commission said Oracle was aware of "significant security issues" with older Java SE versions -- installed in more than 850 million personal computers -- that support browser-based features such as calculators, online gaming, chat rooms and 3D images. FTC's complaint said Oracle didn't tell customers that software updates may have left older versions intact. The complaint said hackers could exploit the flaws in the older versions, potentially giving them access to consumers' usernames and passwords to financial accounts and enabling them to launch phishing attacks. The order requires Oracle to notify customers of any older versions on their computers during an update process, inform them of the risks and give them the choice to uninstall them. "In addition, the company will be required to provide broad notice to consumers via social media and their website about the settlement and how consumers can remove older versions of the software," the FTC release said.
The IRS isn't adequately protecting financial and sensitive taxpayer data, said a GAO report Monday. The IRS continued to focus on better securing information systems in fiscal 2015 by restricting access to certain financial applications and moving toward multifactor authentication, said congressional investigators. But they said "significant control deficiencies remained." For instance, the agency hasn't implemented functionality to identify and authenticate users through proper password settings, and it hasn't appropriately restricted access to servers. The IRS also hasn't encrypted sensitive data or audited and monitored systems to ensure compliance. "In addition, unpatched and outdated software exposed IRS to known vulnerabilities," the report said. Unless the agency effectively implements elements of its information security program such as updating policies, testing and evaluation procedures and other steps, financial and taxpayer data will remain "unnecessarily vulnerable," GAO said.
Comments on FCC-proposed emergency alert system changes including "securing the EAS against accidental misuse and malicious intrusion" are due May 9, replies June 7, in docket 15-94, the agency said in Thursday's Federal Register. Paperwork Reduction Act comments are due May 23 on the NPRM, which also asks about "ensuring that alerting mechanisms are able to leverage advancements in technology, including IP-based technologies." Commissioners approved an NPRM on EAS at their Jan. 28 meeting. Commissioner Mike O'Rielly partially dissented because the item sought comment on Internet aspects of EAS (see 1601280057).
A National Institute of Standards and Technology analysis of comments on the Cybersecurity Framework indicates stakeholders affirm the framework’s current uses but also indicates that NIST should provide more guidance on framework use, NIST said Thursday in a blog post. Stakeholders disagreed on when NIST should form a multistakeholder process to update the Cybersecurity Framework, though they agreed on the need for a collaborative update process that would be similar to NIST’s original 2013-2014 development process, NIST said in its analysis. Major industry interests had told NIST not to pursue a major framework revamp in the near future (see 1602240065). Parties said they’re comfortable with NIST’s current leadership of framework guidance but continue to believe that a neutral third-party organization should eventually take the reins of framework stewardship, NIST said. “These comments provide strong input for the framework’s future and revealed that the number of organizations using the framework is growing,” Matthew Barrett, NIST program director-Cybersecurity Framework, said in a statement.
NTIA’s April 8 meeting of its multistakeholder process group on vulnerability research disclosure will be at the Westin Chicago River North in Chicago, NTIA said in a notice to be published in Friday’s Federal Register. The meeting, to run 10 a.m.-4 p.m. CDT, “will build on stakeholders’ previous work” on vulnerability research disclosure, NTIA said. Stakeholders further revised the scope of their work during a December meeting, with work to increase adoption of disclosure best practices generating the most debate (see 1512020063).
In the wake of Tuesday’s attacks in Brussels and the Nov. 13 attacks in Paris, NAB is “adding guard dogs in Las Vegas in strategic locations and monitoring the situation locally, nationally and internationally” for enhanced security at the NAB Show, Dennis Wharton, NAB executive vice president-communications, emailed us Tuesday. The event opens April 16 at the Las Vegas Convention Center for a six-day run. “We are in contact with Las Vegas authorities to determine what additional safety precautions might be taken,” said Wharton. “Nothing to report on that just yet.” The Paris attacks prompted CES to impose stringent security measures at the January show, including bag restrictions, stadium-style bag searches, the use of metal detectors and pat-downs (see 1512180053).
Cloud computing and big data firms are expected to drive much of the predicted expansion of the global threat and vulnerability management (VM) market over the next four years, with the market's revenue expected to increase from $5.8 billion in 2015 to $8.6 billion in 2020, ABI Research said Wednesday in a report. Cyberattacks are driving an uptick in the use of VM services, with vulnerability assessments alone netting $2.1 billion in revenue in 2020, ABI said. Software security testing should generate $6.9 billion in revenue in 2020, ABI said.
Fewer than half of information technology departments at the 50 top U.S. county governments provide software that monitors, manages and secures their employees' mobile devices, the International Association of Information Technology Asset Managers said in a survey released Tuesday. IAITAM said only a quarter of the counties require that such mobile device management (MDM) software be installed across all their government departments. The survey found 43 of the 50 counties supply mobile devices to employees, but only 20 have MDM software and the remainder either lack such software or didn't respond. Of the 20 that do have MDM software, only nine require it be installed across all departments, two don't and nine didn't answer. In a separate IAITAM survey of 177 companies, trade groups and government agencies, 92 percent of respondents said they supply mobile devices to employees, 72 percent said they have MDM software in place and 70 percent require such software be implemented across all their departments. "Most government agencies and corporations fall down on the job when it comes to Information Technology Asset Management ... in general. But mobile device management, including best-practice policies and application of MDM software, is a real blind spot," said IAITAM CEO Barbara Rembiesa in a statement. The association said last week that San Bernardino County, California, had paid for MDM software, but it was never installed on the device supplied to Syed Rizwan Farook, one of two gunmen identified by the FBI in the Dec. 2 mass shooting. IAITAM said if the MDM software had been installed on Farook's phone, "investigators could have remotely and legally unlocked the phone and thereby circumvented the legal dispute now underway" (see 1603010013).
Harman completed its buy of cybersecurity company TowerSec (see 1601050057), it said Friday. TowerSec specializes in onboard network protection for connected vehicles. Harman expects the transaction to be dilutive to operational earnings by about 5 cents per share in FY 2016, and it will be reported as part of Harman’s Connected Car division, it said.
Kaspersky Labs announced Internet security software designed to safeguard children when they use the Internet on computers and mobile devices. Called Kaspersky Safe Kids, the software allows parents to monitor children’s online activity and physical location, prevent them from going to inappropriate websites and regulate the amount of time they can use their computers or mobile devices, said the company. A Kaspersky survey indicated 45 percent of parents were concerned that children are encountering inappropriate or explicit content online, 41 percent worry about children communicating with dangerous strangers, and 40 percent worry children share too much personal information about themselves online. The Safe Location feature allows parents to monitor their child’s location in real time, set up safe areas and receive automatic alerts if their child moves outside an agreed perimeter, it said. The basic version is free, while the $14.99 version adds features such as Safe Location, it said.