In 2016, data breaches and cyberattacks resulted in more than 2.15 billion records being compromised, including the more than 500 million Yahoo user accounts stolen in late 2014, said cybersecurity firm IT Governance in an updated blog post Tuesday. In 2015, breaches totaled 480 million records, wrote Lewis Morgan, a social media marketing executive who compiled the list. He said he initially didn't include the Yahoo breach in his 2016 count because it occurred in late 2014, but decided to add it because the incident was first reported in September 2016 (see 1609220046).
National Security Adviser Susan Rice pressed during a meeting Thursday with Chinese Minister for Public Security Guo Shengkun for China to fully adhere to the anti-cybertheft agreement that President Barack Obama and Chinese President Xi Jinping reached in 2015 (see 1509250059), the National Security Council said. Rice also told Guo that U.S. officials are concerned “about the potential impacts” of a newly enacted Chinese cybersecurity law that includes data localization rules, NSC said. Opponents claim the law has the potential to bar foreign-based tech firms from industries that China deems “critical” and could increase China’s online censorship. During an official joint dialogue a day earlier, Guo and Attorney General Loretta Lynch acknowledged continued progress on China-U.S. cybersecurity cooperation.
NCTA Senior Director-Digital Strategy John Solit said the DVRs that were among the connected devices used as vehicles for the October distributed denial-of-service attacks against DNS provider Dyn “were particularly insecure. The DVR that your TV provider gives you is vastly more safe and protected.” The Dyn DDoS attacks caused outages and latency for multiple major U.S. websites, including Netflix and Twitter (see 1610210056). The attacks led to increased congressional scrutiny of IoT cybersecurity, including a November joint House Commerce Communications/Trade Subcommittee hearing (see 1610260067 and 1611150059). “There’s no way to 100 percent guarantee any device connected to the internet is secure or that it can’t be used in a DDoS attack,” Solit said in a Thursday blog post. “There’s more work to be done to make sure DVRs and all web-connected devices, including those provided by TV and internet companies, are as secure as possible.” Solit noted a recent Broadband Internet Technical Advisory Group report that included guidelines and recommendations aimed at helping consumer IoT manufacturers and other providers improve device privacy and security (see 1611220030). “While standards are getting sorted out and agreed upon, there are basic precautions everyone can take to better protect their homes and devices,” Solit said. “At a minimum, change the default password on all of your internet connected devices and make sure your home network firewalls are up and running.”
ComScore, Google and Omnicom Media Group are part of an initial group of companies to meet anti-fraud standards in a certification seal program for buyers, sellers, fraud detection vendors and intermediaries in the digital ad supply chain, said the Trustworthy Advertising Group in a Wednesday news release. "The initial recipients of the TAG 'Certified Against Fraud' Seal represent the connective tissue of digital advertising, including the world's largest publishers, ad agencies, and ad tech providers," said TAG CEO Mike Zaneis. A second group of certified companies will be announced early next year, the group said. Other companies certified under the program, which was first announced in May (see 1605230010), are Amobee, DoubleVerify, Dstillery, WPP's GroupM, Horizon Media, Integral Ad Science, Interpublic Group, Moat, OpenX Technologies, ProData Media, Rocket Fuel, Sovrn and White Ops. TAG was formed by the American Association of Advertising Agencies, Association of National Advertisers and Interactive Advertising Bureau to eliminate fraudulent traffic, fight internet piracy and malware and promote transparency.
Senate Commerce Committee GOP telecom policy director David Quinalty questioned the FCC approach to cybersecurity issues Tuesday during a Media Institute event (see 1612060055). He pointed to the collaborative approach of government agencies such as the Department of Homeland Security but said the FCC approach seems more inclined toward mandates, whether on reporting or on equipment. He said he sees no directive to the agency on cybersecurity underlying any of these actions. “We would be remiss if certain agencies were to go far afield” and start “freelancing,” said Quinalty, who works for Chairman John Thune, R-S.D. Commerce Committee staffers from both chambers dubbed cybersecurity an important issue to watch next Congress. “Legislation doesn’t necessarily need to take the form of mandates,” said David Goldman, counsel to House Commerce Committee ranking member Frank Pallone, D-N.J., speculating on the possibility of providing incentives. “It’s a tough issue to legislate on,” said Kelsey Guyselman, Republican counsel for the House Commerce Committee. FCC Chairman Tom Wheeler has been backing off a controversial draft policy statement on cybersecurity that would have allowed confidential industry meetings with the agency on the subject (see 1611300063). That draft was still on circulation as of Friday, according to the circulation list last updated that day, though some expect it may be removed. One issue Hill speakers differed on was how much the next Congress might address media ownership. It “hasn’t been as hot a topic” in the Senate in recent years, Quinalty said. But Guyselman said “it’s something I anticipate we’ll continue to look at,” citing the attention from incoming House Commerce Committee Chairman Greg Walden, R-Ore., who has led the Communications Subcommittee for years. “Do the results still make sense? … It’s not like it used to be.” Pallone is “paying attention” to the state of the media since the elections, Goldman said. “He’s very concerned about the state of the press.” Pallone would be on the lookout for any changes that would diminish “dissenting voices” in the market, Goldman said.
The Communications Security, Reliability and Interoperability Council will meet Dec. 21, the FCC said in a notice in Tuesday's Federal Register. The meeting will be CSRIC's seventh under its current charter, which charges the council to work on issues such as cybersecurity and wireless alert platforms. CSRIC's charter is to expire March 18. The meeting is to begin at 1 p.m. in the Commission Meeting Room at FCC headquarters.
Neustar rejected North American Portability Management accusations the incumbent local number portability administrator was to blame for the lack of information sharing by NAPM and PwC in the LNPA transition to Telcordia/iconectiv. Responding to complaints from Neustar IT experts (see 1611210039), NAPM counsel Todd Daubert had said Neustar was claiming a right to disclose confidential information it's receiving as the current LNPA and refused to sign a reasonable nondisclosure agreement (see 1611300026). Daubert "offered a series of false accusations and ad hominem attacks," said Neustar counsel Marc Martin in a letter posted Monday in docket 09-109. "Mr. Daubert falsely asserts that Neustar began claiming over a year ago the right to disclose publicly confidential information it receives from the Parties." He said NAPM can safely deliver confidential information to Neustar under an existing agreement. "The Parties know that Neustar has repeatedly expressed its willingness to accept a commercially reasonable non-disclosure agreement, but for nearly a year the Parties have been unwilling to address Neustar's concerns regarding the transparency of testing that is essential to the success of the transition as well as the need to address false or misleading statements made by others that could undermine the transition," he wrote. "Mr. Daubert's suggestion that confidential information about critical national infrastructure cannot be shared with Neustar is baseless and absurd. It was Neustar who proposed making explicit that national security-related information must be protected. Mr. Daubert's argument is particularly rich given that it is well established that the selected vendor caused significant delays due to its own compliance failures with certain national security-related obligations." Daubert didn't comment Monday.
Though the ability to access smartphone apps in the car is becoming increasingly important, consumers “are concerned about the security of their information when their mobile device is paired to an in-car system,” Strategy Analytics said in a Wednesday report. Most consumers canvassed by the research firm in the U.S., Europe and China “agreed that it is important to be able to connect their smartphone to their in-car system, so they can access apps and music through the in-car controls and displays,” the report said. But more than half said they “do not want their vehicle to collect driving data, even if it remains anonymous,” it said. “Most want to be assured that no data from their phone will remain on the in-car system after it is disconnected.” Consumers by and large are “aware that they have little choice in giving up part of their privacy in order to live in a more enriched world with connected devices,” said Strategy Analytics. “Providing personal data will be less a concern if consumers could know how their data will be used, why it needs to be used, who will have access to it, for what purposes, and that they will have the full control of the data access.” Elsewhere on the connected-car front, Public Knowledge plans a Tuesday briefing on Capitol Hill on connected-car cybersecurity, the nonprofit said Wednesday. The event at 11:30 a.m. in G11 Dirksen is on “Cybersecurity Vulnerability in Connected Vehicles.” Speakers include Sen. Ed Markey, D-Mass., and discussion of "threats posed to our privacy and cybersecurity as revealed by researcher Alex Kreilein of SecureSet in his latest report, ‘Security Considerations for Connected Vehicles and Dedicated Short Range Communications,’” or DSRC, PK said. "Existing DSRC technology makes cars easily identifiable, permitting tracking by third-parties and making DSRC-enabled vehicles targets for hackers." Using "DSRC spectrum and devices to support commercial applications dramatically increases the risk" of cyberattacks and identity theft, the group said.
Federal law enforcement agencies began aiding a multinational operation to dismantle the Avalanche cybercrime network, DOJ said Thursday. The Avalanche network has hosted more than two dozen types of “pernicious” malware and several money laundering schemes, Justice said. The enforcement operation resulted in the shutdown of more than 50 Avalanche servers and led to arrests and searches in five countries, DOJ said. The department's Computer Crime and IP Section and the FBI's Pittsburgh division are helping the operation, which also includes Europol, Eurojust and agencies in more than 40 other countries, it said. “The operation involves an unprecedented and ongoing effort to seize, block and sinkhole more than 800,000 malicious domains associated with the Avalanche network,” said Assistant Attorney General Leslie Caldwell and other officials in a news release.
A 32-year-old Syracuse, New York, man, convicted in March of computer hacking and wire fraud related to a widespread network outage in Pennsylvania six years ago, was sentenced to 24 months in prison, DOJ said in a Tuesday news release. District Court Judge Sylvia Rambo in Harrisburg also ordered Dariusz Prugar to pay $26,000 in restitution. DOJ said Prugar was a network administrator for Pa Online when the ISP was located in Enola, Pennsylvania. He was fired in June 2010, and "days later" Prugar hacked into the company's network, installing programs that erased files and directories and crashed the network, Justice said. More than 5,000 residential and 500 business customers were without service for a week, the department said. The company rebuilt its entire network because Prugar had installed several back doors into the system, DOJ said. In a March release, Justice said the computer fraud charge related to Prugar's unlawful network intrusion, and the wire fraud charge related to his attempt to cause financial loss through the use of interstate wires.