ABI Research said smartphones will be a primary driver for a forecast $3.1 billion in global revenue in 2015 for the biometrics industry’s consumer and enterprise sectors. Rapid advances in biometrics will drive further smartphone hardware upgrades, ABI said Wednesday. “Biometry is moving rapidly into the security ecosystem and its adoption by CE devices will jumpstart this phenomenon,” said ABI analyst Dimitrios Pavlakis in a news release. “Smartphone biometrics provide not only a secure alternative for authentication, mobile payments, and [bring your own device] initiatives but also enhance user experience, navigation, mobility, and versatility.”
ProtectWise, a cloud network security company whose staff includes former IBM and McAfee employees, launched Tuesday. It said it differs from competitors by deploying a virtual camera in the cloud that delivers “unlimited retention” of network data, which can be analyzed years later to “uncover threats that were previously unknown using the latest intelligence.” That lets customers replay recorded traffic to detect threats or breaches as intelligence is updated, CEO Scott Chasin said in an interview last week, calling it a “time machine for threat detection.” The average time between a breach occurring and its detection is about 205 days, the company said in a news release Tuesday. “The era of prevention is coming to a close, and visibility and detection are now more important than ever for all organizations to focus on,” the company said. The camera in the cloud “passively records” everything it sees, but companies can control what data is shared and analyzed, said Chief Technology Officer Gene Stevens. If a customer discovers an attack, ProtectWise automatically will look for similar breaches in real time and retrospectively, he said. The firm recognizes that “companies are suffering from alarm fatigue,” Stevens said, pointing to a 2015 Ponemon Institute survey saying the average enterprise receives almost 17,000 malware alerts weekly; of those, the survey said, 19 percent are reliable and 4 percent are investigated. ProtectWise has received more than $17 million in financing from Arsenal Venture Partners, Crosslink Capital, Paladin Capital Group and Trinity Ventures. The company has “more than a dozen” clients in industries such as technology, financial services, healthcare, and media and entertainment, including Universal Music Group, the company said in the news release.
“One of the most common motivations for hacking is the theft of financial information,” the Department of Justice wrote in a blog post Friday. Under current law, it’s a crime to sell “access devices” such as credit card numbers, and the government can prosecute offenders located outside the U.S. as long as the card number involved was issued by an American company and the government can prove an “article” used to commit the offense moved through the U.S. or that the criminal held his or her illicit profit in an American bank, DOJ said. These “requirements have proved increasingly unworkable in practice,” Justice said. When digital data is stolen, it’s not clear what “article” could be involved, DOJ said, which is why it has proposed an amendment to the Personal Data Notification & Protection Act that “would strike the unnecessary language in the current statute.” The proposed amendment would let DOJ “prosecute anyone possessing or trafficking in credit card numbers with intent to defraud if the credit cards were issued by a United States financial institution, regardless of where the possession or trafficking takes place,” Justice said. “This kind of jurisdiction over conduct that occurs abroad is fully consistent with international norms and other criminal laws aimed at protecting Americans from economic harm.”
Sens. Chuck Grassley, R-Iowa, and Patrick Leahy, D-Vt., want the Department of Justice (DOJ) to provide information on “whether law enforcement’s use of technology capable of scanning data from thousands of cell phones is part of a domestic test operation on behalf of the intelligence community,” said a Monday joint release about a March 18 letter to Attorney General Eric Holder and Acting Deputy Attorney General Sally Yates. Grassley and Leahy sent letters to DOJ in June and December last year asking about the use of cell-site simulators, also known as “IMSI catchers,” “dirtboxes,” or “Stingrays,” which “mimic standard cell towers and force affected cell phones to reveal their approximate location and identifying serial number,” the March 18 letter said. The FBI and the U.S. Marshals Service (USMS) both “maintain that they do not use the devices in this way,” and said they “purge any data collected from non-targeted telephones once an investigation is complete,” the letter said. But the Wall Street Journal reported March 10 that the “USMS field-tested various versions of this technology in the United States on behalf of the Central Intelligence Agency,” the letter said. “If this report is true, such practices raise additional concerns,” and DOJ’s “failure to answer” previous questions has “heightened our concerns,” the letter said. The senators asked DOJ to provide a written response to their questions by March 27. Questions included: Does DOJ policy ever permit the use of cell-site simulators to capture the content of communications domestically? Has DOJ or any DOJ entity tested cell-site simulators or other surveillance technology on behalf of the intelligence community by employing the devices in the course of domestic law enforcement operations? What, if any, DOJ policy governs the testing and deployment of new surveillance technology?
Security updates addressing multiple vulnerabilities in the open-source content-management framework Drupal were made available Thursday, the U.S. Computer Emergency Readiness Team said in a notice. According to the Drupal security advisory, password reset URLs could be forged under certain circumstances on Drupal 6 and Drupal 7, letting an attacker gain access to another user’s account without knowing that account’s password.
A security update is available for Ubuntu, an open source software platform that “runs everywhere from the smartphone, the tablet and the PC to the server and the cloud,” the U.S. Computer Emergency Readiness Team (U.S.-CERT) said Thursday. Multiple PHP vulnerabilities affecting Ubuntu 14.10, 14.04 LTS, 12.04 LTS and 10.04 LTS, may have allowed a hacker to cause a denial of service or execute arbitrary code, a U.S.-CERT notice said. The problem can be corrected by updating the system, Ubuntu said.
NTIA published the Internet Policy Task Force’s request for comment on possible cybersecurity issues that the IPTF should explore. The IPTF has said it’s seeking out topics that largely veer away from securing critical infrastructure, a topic that’s been the focus of other cybersecurity efforts like the National Institute of Standards and Technology’s Cybersecurity Framework (see 1503160059). Comments are due 5 p.m. May 18, NTIA said in a Thursday notice in the Federal Register.
Twitter started its rollout of a tool to allow users to report threatening tweets to law enforcement, the company said in a blog post Tuesday. The tool lets users email the tweet, its URL and the time stamp to law enforcement, it said. “While we take threats of violence seriously and will suspend responsible accounts when appropriate, we strongly recommend contacting your local law enforcement if you’re concerned about your physical safety,” Twitter said.
Yahoo announced a new authentication option at South by Southwest Sunday that lets users sign in to their accounts without a memorized password. It’s now available for U.S. users, a Yahoo news release said. Once a user opts in, Yahoo texts a short “on-demand” password to the user’s mobile phone during each sign-in, a system the company hopes will “ease anxiety around password memorization and improve security for users,” the release said. Because the texted code is the only credential checked, the scheme replaces a memorized secret with possession of the phone as the single authentication factor rather than adding a second factor.
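The Drupal advisory above and Yahoo’s on-demand passwords turn on the same mechanism: a short-lived credential handed to the user out of band (a reset link, a texted code) that must be tied to exactly one account, expire, and work only once. The following is an added example written for this page to show what those properties look like in code. It is not Drupal’s or Yahoo’s code and makes no claim about how either actually implements this; the Account class, SERVER_KEY, the lifetimes and the attempt limit are all assumptions of the example.

```python
"""Issue and verify short-lived, single-account credentials: password-reset
links and on-demand (texted) passwords.

Added example for this page; not the code of Drupal, Yahoo or any product.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumption: a per-site secret kept outside the database, so a dump of the
# user table alone does not let an attacker mint reset tokens.
SERVER_KEY = secrets.token_bytes(32)

RESET_TTL = 24 * 3600   # assumed lifetime of a reset link, in seconds
OTP_TTL = 5 * 60        # assumed lifetime of a texted code, in seconds
OTP_ATTEMPTS = 3        # wrong guesses allowed before the code is discarded
# Alphabet without 0/O and 1/I so codes read back from a phone unambiguously.
OTP_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


@dataclass
class Account:
    uid: int
    password_hash: str           # whatever the site stores; changes on reset
    last_login: int = 0          # seconds since epoch
    # (sha256 hex of outstanding code, expiry, attempts left), or None
    pending_otp: Optional[Tuple[str, int, int]] = None


def reset_token(acct: Account, issued_at: int) -> str:
    """Mint a reset token for one account.

    The MAC covers the uid (so the token cannot be re-pointed at another
    account, even one that happens to share the same password hash), the
    issue time (for expiry), and the current password hash and last login
    (so it dies as soon as the password changes or the user logs in again).
    """
    msg = f"{acct.uid}|{issued_at}|{acct.password_hash}|{acct.last_login}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{acct.uid}.{issued_at}.{mac}"


def verify_reset_token(token: str, lookup: Callable[[int], Optional[Account]],
                       now: int) -> Optional[Account]:
    """Return the account a reset token authorizes, or None if it is invalid."""
    try:
        uid_s, issued_s, mac = token.split(".")
        uid, issued_at = int(uid_s), int(issued_s)
    except ValueError:
        return None
    acct = lookup(uid)
    if acct is None or not issued_at <= now <= issued_at + RESET_TTL:
        return None
    expected = reset_token(acct, issued_at).rsplit(".", 1)[1]
    # compare_digest, not ==: a short-circuiting comparison leaks how many
    # leading characters of the MAC were right.
    return acct if hmac.compare_digest(mac.encode(), expected.encode()) else None


def issue_on_demand_password(acct: Account, now: int, length: int = 8) -> str:
    """Create a random code to text to the user; the server keeps only its hash."""
    code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))
    digest = hashlib.sha256(code.encode()).hexdigest()
    acct.pending_otp = (digest, now + OTP_TTL, OTP_ATTEMPTS)  # replaces any earlier code
    return code  # hand this to the SMS gateway; never store or log it


def check_on_demand_password(acct: Account, submitted: str, now: int) -> bool:
    """Accept the outstanding code once, within its lifetime and attempt budget."""
    if acct.pending_otp is None:
        return False
    digest, expiry, attempts = acct.pending_otp
    if now > expiry or attempts <= 0:
        acct.pending_otp = None          # stale or brute-forced: discard it
        return False
    guess = hashlib.sha256(submitted.strip().upper().encode()).hexdigest()
    if hmac.compare_digest(guess, digest):
        acct.pending_otp = None          # single use
        acct.last_login = now            # also invalidates outstanding reset tokens
        return True
    acct.pending_otp = (digest, expiry, attempts - 1)
    return False


if __name__ == "__main__":
    # Constructed accounts: two users that happen to share a stored hash, as
    # can occur after a bulk import with a placeholder password.
    alice, bob = Account(1, "samehash"), Account(2, "samehash")
    users = {1: alice, 2: bob}
    t = 1_426_636_800
    link = reset_token(alice, t)
    print("alice's token valid for alice:", verify_reset_token(link, users.get, t + 60) is alice)
    forged = "2." + link.split(".", 1)[1]   # same MAC, uid swapped to bob
    print("same token re-pointed at bob:", verify_reset_token(forged, users.get, t + 60))
    code = issue_on_demand_password(bob, t)
    print("texted code accepted once:", check_on_demand_password(bob, code, t + 30),
          check_on_demand_password(bob, code, t + 31))
```

The reset token carries no server-side state: everything it is bound to is recomputed from the account at verification time, so changing the password (which a successful reset does) or logging in invalidates every link already issued. The texted code is the opposite, pure server-side state, which is why it needs an explicit expiry, a single-use rule and an attempt budget; an eight-character code from a 32-symbol alphabet is easy to type but only safe against online guessing if the server stops accepting attempts after a few misses.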
The National Retail Federation (NRF) asked senators to reject legislation that would “impose data security rules designed for the banking industry on retailers and other nonbank businesses.” The letter was sent Monday to members of the Senate Commerce Committee, said an NRF news release. The group cited a new NRF-commissioned white paper by former FTC Bureau of Consumer Protection officials Joel Winston and Anne Fortney saying the “broad expansion of data security standards similar to the Gramm-Leach-Bliley Act (GLBA) guidelines to virtually every unregulated business in the U.S. economy would be a serious error,” said the letter to Sens. John Thune, R-S.D., Bill Nelson, D-Fla., Jerry Moran, R-Kan., and Richard Blumenthal, D-Conn. Section 501(b) of the GLBA “required each of the federal bank regulatory agencies and the FTC to establish standards for the financial institutions subject to their respective jurisdictions with respect to safeguarding consumers’ nonpublic, personal financial information,” Winston and Fortney said. The GLBA guidelines shouldn’t apply to nonfinancial businesses, Winston and Fortney said, because the FTC, unlike the bank regulators, is a law enforcement agency without supervisory authority over the businesses it would be regulating; because nonbank businesses have little to no authority to implement changes to payment cards; and because the FTC historically has objected to expanding GLBA requirements to retailers as doing so would not enhance the agency’s ability to protect consumers. “The FTC lacks supervisory examination authority and lacks the resources to provide the specific guidance and ongoing oversight that would be necessary to effectuate guidelines-type rules covering the huge diversity of nonbank entities,” Winston and Fortney said in their white paper.
“While many merchants would like to see new credit cards being issued incorporate both a computer microchip and a personal identification number (PIN) to reduce fraud, banks and card issuers plan to issue chip-only cards, and merchants have no power to mandate the extra security that would be provided by a PIN,” said an NRF news release. While the NRF opposes expanding GLBA requirements to nonbanks, the association has supported a “uniform national data breach law,” its news release said.