Public Knowledge is asking the FCC to investigate the exposure of millions of Verizon customer records in a cloud server, discovered last month by a security researcher. PK Policy Fellow Yosef Getachew said Verizon failed to protect its customers' privacy, and also to notify them of the exposure. "The FCC is well within its authority to investigate Verizon’s data security breach and take appropriate enforcement action," he said. Neither the FCC nor a Verizon spokesman Thursday commented on PK's request for a probe. The Verizon spokesman said the investigation is ongoing and the company is working with the vendor "to make sure this never happens again." In a Wednesday news release, the telco said records of 6 million unique customers -- not 14 million as cybersecurity firm UpGuard initially blogged -- were exposed. "The overwhelming majority of information ... had no external value" and no Social Security numbers or Verizon voice recordings were exposed, said Verizon. There was "no loss or theft" of customer data, it added. UpGuard blogged Wednesday that its researcher Chris Vickery discovered June 8 the breach of the cloud server owned by Israel-based Nice Systems.
Arris launched a cable modem gateway with McAfee internet security protection exclusively through Best Buy, it said Wednesday. The device is designed to “move the security burden” off individual connected devices and onto the home gateway for “easier and better protection,” said Arris.
Senate Communications Subcommittee ranking member Brian Schatz, D-Hawaii, and Sen. Ron Wyden, D-Ore., are jointly urging the FCC to ensure its systems are ready for the planned Wednesday protest against a rollback of 2015 net neutrality rules. The Fight for the Future-led protest, which Amazon, Mozilla and others back, aims to include the filings of thousands of comments in opposition to a May NPRM that examines the 2015 rules and reclassification of broadband as a Communications Act Title II service (see 1706060056). Schatz and Wyden noted their past criticism of the FCC’s response to a May incident that the agency says was caused by a distributed denial-of-service attack against the electronic comment filing system application program interface (see 1705090063 and 1706280044). A similar cyberattack might occur amid the Wednesday protest, which is concerning because the FCC’s response to the May attack “was an unacceptable mistake that left Americans disenfranchised from your comment process,” the senators said in a letter to FCC Chairman Ajit Pai released Monday. “We encourage you to seek out and employ ECFS measures that allow for flexible scalability and alternative methods of filing.” Schatz and Wyden also said the agency should take “temporary measures to ensure a functioning system” during the anticipated comments surge. The commission didn’t comment.
In response to the WannaCry ransomware that affected hundreds of thousands of computers worldwide last month (see 1705180032 and 1705160038), House and Senate lawmakers proposed bipartisan legislation that would establish baseline, voluntary cyber hygiene best practices that would be publicly accessible online. In a joint news release, Reps. Susan Brooks, R-Ind., and Anna Eshoo, D-Calif., and Sens. Orrin Hatch, R-Utah, and Ed Markey, D-Mass., said the Promoting Good Cyber Hygiene Act would direct the Department of Homeland Security, the FTC and the National Institute of Standards and Technology to create those standards and consider measures such as multifactor authentication and data loss prevention. Eshoo said experts suggested 90 percent of successful cyberattacks are due to system administrators "overlooking" cyber hygiene and security management. She said the attacks cost the U.S. economy "half a trillion dollars annually" in identity theft, exposed financial data and other things.
House Commerce Committee ranking member Frank Pallone, D-N.J., urged the DOJ and FBI to investigate whether comments on the FCC May NPRM on a potential rollback of the 2015 net neutrality order and reclassification of broadband as a Communications Act Title II service filed under stolen identities violated federal law. Fourteen people claimed last month that comments were submitted fraudulently under their names in support of a rollback of the rules (see 1705250064). Additional claims since allege comment astroturfing and filings using false names (see 1705310019 and 1706070017). Pallone said in a Wednesday letter to Attorney General Jeff Sessions and acting FBI Director Andrew McCabe he's concerned by reports that about 450,000 identical comments submitted to docket 17-108 used information obtained from data breaches. “I am deeply concerned that the sheer number of these potentially false comments suggest a coordinated attempt to materially mislead the FCC, and therefore a coordinated attempt to break federal law,” Pallone told Sessions and McCabe. “I urge you to take swift action to investigate who may be behind these comments and, if appropriate under applicable federal law and regulations, prosecute the people behind these fraudulent comments.” Pallone and other House Democrats wrote commissioners and Department of Homeland Security National Cybersecurity and Communications Integration Center Director John Felker seeking information about the May distributed denial-of-service attacks on the FCC website believed to have affected comments in the net neutrality proceeding (see 1705170067 and 1706260059). Separately this week, the commission released its response to other members of Congress on the attack (see 1706280044).
The FCC electronic comment filing system was the victim May 8 of a "non-traditional" distributed denial-of-service attack, Chairman Ajit Pai said in letters released Tuesday to Sens. Ron Wyden, D-Ore., and Brian Schatz, D-Hawaii, in response to questions the two asked after last month's ECFS cyberattack (see 1705090063). Pai said the DDoS attack targeted the ECFS application program interface that's normally used by automated programs or bots for bulk filings. The FCC didn't have the technical option of blocking or removing the bots hitting the API and instead increased API capacity. Pai said the agency "continue[s] to research additional solutions to strengthen ECFS' controls." Pai said the FCC has multiple commercial services and tools for protecting its systems from DDoS and other cyberattacks, but "the non-traditional DDoS that we experienced is quite different than typical attacks in that it used legitimate commercial providers to introduce bots and poorly structured queries to overload the system." Pai said the cloud-based ECFS typically receives close to 10,000 comments a day, but its record is more than 400,000 comments on May 11, "showing the system can scale to accommodate a large number of visitors when other external factors are not present." House Communications Subcommittee ranking member Frank Pallone, D-N.J., separately urged the DOJ and FBI to investigate whether comments filed under stolen identities broke federal law (see 1706280043).
Ranking Democrats on a number of House committees and subcommittees wrote FCC commissioners and John Felker, director-National Cybersecurity and Communications Integration Center (NCCIC), Department of Homeland Security, asking for information about the May distributed denial-of-service attacks on the FCC website believed to have affected comments in the net neutrality proceeding (see 1705170067). Noting allegations that numerous comments in the net neutrality docket were forged (see 1705250064), the FCC letter's signers asked the agency "to examine these serious problems and irregularities that raise doubts about the fairness, and perhaps even the legitimacy, of the FCC's process in its net neutrality proceeding." Both letters were released Monday. The FCC letter sought answers to a variety of questions by July 17, including what steps the agency is pursuing to protect its electronic comment filing system, how the commission and FBI jointly determined the attack didn't rise to the level of an incident that would necessitate FBI involvement, and whether the agency contacted DHS's NCCIC Hunt and Incident Response Team about the cyberattacks -- and if it didn't, why not. The Felker letter also set a July 17 deadline as it asked for NCCIC to provide copies of all communications between it and the FCC on the May cyberattacks, plus any forensic analyses by and recommendations from NCCIC. The letter also requested a July 19 briefing. Signers were House Commerce Committee ranking member Frank Pallone, D-N.J.; Communications and Technology Subcommittee ranking member Mike Doyle, D-Pa.; Oversight and Government Reform ranking member Elijah Cummings, D-Md.; Oversight and Investigations Subcommittee ranking member Diana DeGette, D-Colo.; Information Technology Subcommittee ranking member Robin Kelly, D-Ill.; and Government Operations Subcommittee ranking member Gerald Connolly, D-Va. The FCC didn't comment.
Intel joined Team8, the Israeli cybersecurity “syndicate” with members including AT&T, Cisco, Microsoft, Nokia and Qualcomm, Team8 said in a Wednesday announcement. Intel will work with Team8 to secure future computing, IoT, mobile, automotive and cloud technologies, it said: “Intel and Team8 will collaborate to identify security gaps in future networks, technologies and infrastructures with a view to developing new cyber paradigms to address these challenges.”
Comments to NTIA about improving industry ability to deal with botnets and other automated and distributed threats (see 1706090008) were extended to July 28, said the Department of Commerce in a notice slated to appear in Thursday's Federal Register.
American consumer concerns about identity theft, bank card fraud, hacking, viruses and online transactions have grown considerably in the past three years, found a Unisys survey of more than 13,000 consumers in 13 countries released Tuesday. The only issue far more concerning to Americans is national security as it relates to war or terrorism, said the survey -- which dates to 2007 and is the first conducted since 2014. Bill Searcy, Unisys vice president-global justice, law enforcement and border security, said at a news conference that the rising numbers show people "feel they have a lack of control," given terrorism and cybercrime stories in the news. ID theft, he said, is another major problem, citing the 2015 Office of Personnel Management breach (see 1507090049) and other attacks. "Those of us who really don't understand computer systems are just that much more vulnerable, so I think that's why there's some concern," he said. Frank Cilluffo, who directs George Washington University's Center for Cyber and Homeland Security, said physical and cyber threats are converging "a lot quicker" than decision-makers and communities can understand. He said the threat spectrum is "vast and diverse" along with the growing interconnected IoT devices that present a bigger attack landscape. "If there were a clarion call right now, it's that we need to start baking security into the design of our very infrastructures," he said. National Institute of Standards and Technology fellow Ron Ross said the complexity of internet and computer systems is growing, which also is a security threat. "We have to build an infrastructure that is leaner and meaner" and trusted, he said. He said the White House's cybersecurity executive order (see 1705110058) along with NIST publications like the Cybersecurity Framework can help.