Sens. Maggie Hassan, D-N.H., and Rob Portman, R-Ohio, jointly filed the Hack Department of Homeland Security Act Friday in what they said is a bid to strengthen the department's cyber defenses. The bill would establish a “bug bounty” pilot program at DHS that would encourage hackers to identify and disclose to the department any undiscovered vulnerabilities in DHS' IT systems. Eligible hackers would need to register with DHS and go through a background check before being allowed to participate in the program, Hassan's office said. The bill would require DHS to work with the attorney general to ensure program participants don't face prosecution for their program-specific hacking activities. The program would be similar to those DOD and major tech companies use, Hassan's office said. Senate Homeland Security Committee ranking member Claire McCaskill, D-Mo., and Sen. Kamala Harris, D-Calif., are co-sponsors. The Hack DHS Act is the “first step to utilize best practices from the private sector to harness the skills of hackers across America as a force multiplier against these cyber threats,” Hassan said.
Close to 200 million video players and streamers run software vulnerable to "malicious subtitle files" that media players download, and the flaws allow an attacker to take over the device, Check Point Software blogged Tuesday. Vulnerabilities were found in a variety of streaming platforms, including Popcorn Time, VLC, Kodi and strem.io, and the firm called it "one of the most widespread, easily accessed and zero-resistance [vulnerabilities] reported in recent years." Subtitle repositories loaded by users' media players "are, in practice, treated as a trusted source by the user or media player," it said, so an attacker who plants a crafted subtitle file can "take complete control over any device" whose player loads it. The firm reported the vulnerabilities to developers of the affected media players.
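The point Check Point makes is that subtitle files fetched from a repository are untrusted input and should be parsed as such. The following is an added example, not code from Check Point or from any of the players named above, of a strict SRT loader that refuses anything outside a narrow grammar instead of handing it to a renderer. The size limits, the set of accepted formatting tags and the sample subtitle files are constructed for this illustration; the hypothetical `is_rejected` helper only reports whether a file is thrown out.

```python
import re

# Constructed policy limits for downloaded subtitle files (assumptions, not any player's defaults).
MAX_FILE_BYTES = 2 * 1024 * 1024   # refuse anything larger than 2 MiB
MAX_CUES = 10_000
MAX_LINE_CHARS = 512
MAX_TEXT_LINES_PER_CUE = 4

# Strict SRT timing line: "HH:MM:SS,mmm --> HH:MM:SS,mmm" and nothing else on the line.
_TIMING = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}),(\d{3}) --> (\d{2}):(\d{2}):(\d{2}),(\d{3})$"
)
# The only formatting tags accepted; they are stripped and the text is rendered as plain text.
_TAG = re.compile(r"</?(?:b|i|u)>", re.IGNORECASE)
# Any C0 control character other than TAB, plus DEL, gets the whole file rejected.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


class SubtitleRejected(ValueError):
    """Raised when a subtitle file violates the grammar or a size limit."""


def _ts_ms(h, m, s, ms):
    """Convert timestamp fields to milliseconds, rejecting out-of-range minutes/seconds."""
    h, m, s, ms = int(h), int(m), int(s), int(ms)
    if m > 59 or s > 59:
        raise SubtitleRejected("timestamp field out of range")
    return ((h * 60 + m) * 60 + s) * 1000 + ms


def parse_srt(data: bytes):
    """Parse an untrusted SRT file into a list of (start_ms, end_ms, text) cues.

    Anything that does not match the strict grammar raises SubtitleRejected,
    so a repository is never treated as a trusted source.
    """
    if len(data) > MAX_FILE_BYTES:
        raise SubtitleRejected("file too large")
    try:
        text = data.decode("utf-8")           # strict decode: invalid bytes are rejected
    except UnicodeDecodeError as e:
        raise SubtitleRejected("not valid UTF-8") from e
    text = text.lstrip("\ufeff")              # tolerate a BOM, nothing else before the first cue
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")

    cues = []
    i = 0
    expected_index = 1
    while i < len(lines):
        if lines[i] == "":                    # blank separator between cues
            i += 1
            continue
        if len(cues) >= MAX_CUES:
            raise SubtitleRejected("too many cues")
        if lines[i] != str(expected_index):
            raise SubtitleRejected(f"bad cue index at line {i + 1}")
        if i + 1 >= len(lines):
            raise SubtitleRejected("truncated cue")
        m = _TIMING.match(lines[i + 1])
        if not m:
            raise SubtitleRejected(f"bad timing line at line {i + 2}")
        start = _ts_ms(*m.groups()[:4])
        end = _ts_ms(*m.groups()[4:])
        if end <= start:
            raise SubtitleRejected("cue ends before it starts")
        i += 2
        body = []
        while i < len(lines) and lines[i] != "":
            line = lines[i]
            if len(line) > MAX_LINE_CHARS or _CONTROL.search(line):
                raise SubtitleRejected(f"oversized or control-laden text at line {i + 1}")
            body.append(_TAG.sub("", line))   # keep only literal text for the renderer
            if len(body) > MAX_TEXT_LINES_PER_CUE:
                raise SubtitleRejected("too many text lines in cue")
            i += 1
        if not body:
            raise SubtitleRejected("cue without text")
        cues.append((start, end, "\n".join(body)))
        expected_index += 1
    if not cues:
        raise SubtitleRejected("no cues")
    return cues


def is_rejected(data: bytes) -> bool:
    """Hypothetical helper: True if the strict parser throws the file out."""
    try:
        parse_srt(data)
    except SubtitleRejected:
        return True
    return False


# Constructed sample inputs (not real subtitle files).
GOOD_SRT = (
    b"1\n00:00:01,000 --> 00:00:03,500\n<i>Hello</i> there.\n\n"
    b"2\n00:00:04,000 --> 00:00:06,000\nSecond line\nof cue two\n\n"
)
OVERLONG_LINE_SRT = b"1\n00:00:01,000 --> 00:00:02,000\n" + b"A" * 4096 + b"\n"
CONTROL_CHARS_SRT = b"1\n00:00:01,000 --> 00:00:02,000\nhi\x1b[31m\n"
BAD_TIMING_SRT = b"1\n00:00:01,000 --> 00:00:02,000 X: foo\ntext\n"

if __name__ == "__main__":
    print(parse_srt(GOOD_SRT))
    for sample in (OVERLONG_LINE_SRT, CONTROL_CHARS_SRT, BAD_TIMING_SRT):
        print("rejected:", is_rejected(sample))
```

The design choice is to fail closed: a malformed file is dropped with an error rather than partially rendered, and formatting is reduced to the few tags the player actually needs, so whatever a repository serves can only ever reach the screen as bounded literal text.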
TechFreedom Executive Director Austin Carson endorsed the Protecting Our Ability to Counter Hacking Act. HR-2481/S-1157 would codify the vulnerabilities equities process (VEP) for government stockpiling and disclosing software and hardware vulnerabilities and make it transparent and accountable. Rep. Ted Lieu, D-Calif., and Sen. Brian Schatz, D-Hawaii, led sponsorship of the bill last week, after the WannaCry ransomware attacks (see 1705120055, 1705150008 and 1705170025). “Codifying the VEP process and adding oversight mechanisms will put the VEP on solid footing, removing the threat of policy changes at the whims of the executive branch and giving Congress the chance to more fully evaluate the tradeoffs,” Carson and TechFreedom Legal Fellow Ashkhen Kazaryan blogged. “In this era where cyber attacks are edging ever-closer to becoming cyber wars, the United States government should lead the way in balancing the interests at stake and addressing the cybersecurity concerns directly within its control.”
New York state settled with a manufacturer of Bluetooth locks that researchers found to be insecure, said Attorney General Eric Schneiderman’s office in a Monday news release. The locks by Utah-based Safetech Products failed to secure passwords and other information required for operation, making consumers vulnerable to hacking and theft, the AG's office said. Under the settlement, Safetech agreed to establish a security program, encrypt all passwords, electronic keys and other credentials in its locks and prompt users to change the default password after initial setup, it said.
The House passed the Modernizing Government Technology Act Wednesday on a voice vote. HR-2227, which the House passed last year but which stalled in the Senate, would create a central IT modernization fund and individual funds for the Department of Commerce and 23 other federal departments and agencies. “Government may never be like Silicon Valley, but it should not be stuck in the age of Mad Men,” House Majority Leader Kevin McCarthy, R-Calif., said on the floor. “That’s not only costly, it’s dangerous.” House Homeland Security Committee Chairman Michael McCaul, R-Texas, touted the bill during a CTIA event last month (see 1704270029). The Senate Homeland Security Committee is considering the Senate companion, S-990. A day earlier, the House passed 408-3 the Strengthening State and Local Cyber Crime Fight Act. HR-1616 and its Senate companion (S-904) would authorize the National Computer Forensics Institute to train state and local law enforcement officials, prosecutors and judges on investigating cyber and electronic crimes, doing computer and mobile device forensic examinations and responding to network intrusion investigations (see 1705160080).
Legislation to codify a government process for stockpiling and disclosing software and hardware vulnerabilities and make it transparent and accountable was introduced Wednesday by a bipartisan, bicameral group of lawmakers. Sponsor Sen. Brian Schatz, D-Hawaii, said in a news release the Protecting our Ability to Counter Hacking (Patch) Act codifies the vulnerabilities equities process (VEP) and "will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.” VEP is a framework that guides agencies, which independently discover flaws or acquire them from third parties, in determining whether to notify vendors so they can fix them. Senate Homeland Security Committee Chairman Ron Johnson, R-Wis., said the WannaCry ransomware attacks show why government and the private sector need to work together (see 1705150008). Sen. Cory Gardner, R-Colo., and Reps. Blake Farenthold, R-Texas, and Ted Lieu, D-Calif., are co-sponsors of the bill. Information Technology and Innovation Foundation Vice President Daniel Castro said in a statement that VEP is broken and the bill would balance security and economic interests and disclose flaws to companies more quickly so patches can be developed sooner. Public Knowledge Cybersecurity Policy Director Megan Stifel said the bill would "enhance trust in the internet and internet-enabled devices."
Large majorities of healthcare respondents dismissed privacy, data protection and cybersecurity as concerns, said ABI Research in a Wednesday news release. The business tech survey of 455 U.S.-based companies found that 82 percent of healthcare respondents didn't rank privacy and data protection as a concern, and 58 percent didn't rank cybersecurity as one. “Cybersecurity within the healthcare sector has been traditionally poor, at best,” said analyst Michela Menting: Most comply with laws but don't understand what "comprehensive, multi-layered cybersecurity implementation" involves. ABI said medical devices and hospital equipment are "highly vulnerable" to cyberattacks like WannaCry, which hindered the U.K. healthcare system (see 1705120055, 1705150008 and 1705160008). ABI said the online survey was done in February and March.
Some cyberattacks are on the rise, Akamai reported Tuesday, with the U.S. the top source country for web application attacks, which rose 57 percent in Q1 year over year. Risks to the internet and to certain sectors "continue to evolve," said Martin McKeay, senior security advocate. "Use cases for botnets like Mirai have continued to advance and change, with attackers increasingly integrating Internet of Things vulnerabilities into the fabric of DDoS botnets and malware. It’s short sighted to think of Mirai as the only threat," he said of the distributed denial-of-service botnet. Botnet families like BillGates, elknot and XOR are "mutating," he added.
Symantec’s dome-shaped Norton Core, billed as a “secure” Wi-Fi router, is available for preorder from Amazon and Best Buy, said the cybersecurity company Monday. Select Best Buy stores will have interactive touch-screen displays where consumers can learn about the router this summer, when the product is scheduled to ship. Symantec researchers identified security vulnerabilities in 50 different connected home devices such as smart thermostats and smart hubs that could be targets for cyberattacks. Computers in many countries were hit Friday with a major cyberattack (see 1705150008).
FCC Commissioners Mignon Clyburn and Mike O’Rielly said CTIA made the right move in establishing www.stolenphonechecker.org so consumers more easily can check if a used or refurbished smartphone was reported stolen or lost (see 1705110043). “Kudos to wireless industry for launch of consumer tool to help stop smartphone thefts,” Clyburn tweeted. O’Rielly said in a statement that it's “an example of the private sector addressing a need in a thoughtful and effective way.”