House Commerce Committee ranking member Frank Pallone, D-N.J., and other committee Democrats want a House Commerce hearing on the recent distributed denial-of-service attacks against DynDNS. The late October DDoS attacks caused outages and latency for multiple major U.S. websites (see 1610210056). Industry lobbyists predicted the attacks would prompt a wider examination of the cybersecurity of IoT-connected devices (see 1610260067). “The expansion of technology and increasing connectivity of devices make it imperative that we understand what happened in this recent cyberattack and assess what can be learned from it,” said Pallone and other committee Democrats in a Monday letter to House Commerce Chairman Fred Upton, R-Mich., and House Commerce Oversight Subcommittee Chairman Tim Murphy, R-Pa. “This could have wide-sweeping effects not only on telecommunications and Internet regulation, but also on many other areas under the Committee's jurisdiction. We urge you to hold hearings as soon as possible.” Upton raised concerns last week about the Dyn attacks, saying he was “closely monitoring the situation” (see 1610240038). The other signers of Pallone's letter were House Communications Subcommittee ranking member Anna Eshoo, D-Calif., House Commerce Oversight ranking member Diana DeGette, D-Colo., House Commerce Trade Subcommittee ranking member Jan Schakowsky, D-Ill., and Rep. Jerry McNerney, D-Calif.
Security researchers doing controlled research on consumer devices are temporarily exempt from the Digital Millennium Copyright Act as long as they don't violate the Computer Fraud and Abuse Act, starting Friday as authorized by the Librarian of Congress, wrote FTC Tech Policy Fellow Aaron Alva in a Friday blog post. Researchers previously couldn't investigate security vulnerabilities because DMCA makes it illegal to circumvent controls that prevent access to copyrighted material, he said. But the LOC has allowed exemptions from time to time for various technologies to take away any legal hurdle and protect conduct, he said. Alva said that in this case security researchers must act in good faith and meet a few requirements to be exempt, such as legally acquiring a device or software and doing research in a controlled setting to avoid harming the public. He said if the requirements are met then a researcher can test a connected toaster and gauge the risk from attack, but not steal a toaster, hack into it or set it on fire. "The exemption covers a broad array of consumer devices such as electric toothbrushes, home thermostats, connected appliances, cars, and smart TVs," as well as medical devices, he said, but it doesn't apply to "highly sensitive systems such as nuclear power plants and air traffic control systems."
House Homeland Security Committee ranking member Bennie Thompson, D-Miss., joined other members of Congress Wednesday in raising concerns about implications of the distributed denial of service (DDoS) attacks last week against DynDNS. The attacks caused outages and latency for multiple major U.S. websites, including Netflix and Twitter (see 1610210056). House Commerce Committee Chairman Fred Upton, R-Mich., and Senate Cybersecurity Caucus co-Chairman Sen. Mark Warner, D-Va., are among the other lawmakers who talked about the event (see 1610240038 and 1610250035). Thompson sought information Wednesday from Secretary of Homeland Security Jeh Johnson. “While DDoS attacks are not uncommon, these attacks were unprecedented not only insofar as they appear to have been executed through malware that [is] exploiting tens of thousands of Internet of Things devices but also because they were carried out against a firm that [provides] services that, by all accounts, are essential to the operation of the internet,” Thompson said in a letter to Johnson. It underscores "interdependencies among operators in the Information Technology Sector. It is critical that the Department has a dynamic picture of these relationships and foster robust relationships with those firms that are essential to the operation of the internet.” Thompson sought information from Johnson about how DHS' knowledge of IT sector interdependencies affects “its outreach and information sharing efforts and the status of its efforts to ensure that mechanisms are in place for companies providing essential services such as Managed DNS providers to access information and technical assistance from” the department.
A multistakeholder meeting to promote collaboration on vulnerability research disclosure between security researchers and software and system developers and owners will be held Nov. 7, said NTIA in a Monday news release. The noon-4 p.m. meeting will be at the American Institute of Architects, 1735 New York Ave. NW. The agency held a similar multistakeholder process last week on security upgrades for IoT devices in Austin, Texas (see 1610190051).
Senate Cybersecurity Caucus co-Chairman Sen. Mark Warner, D-Va., sought information Tuesday from the FCC, FTC and Department of Homeland Security's National Cybersecurity & Communications Integration Center on available and needed tools for preventing cyberattacks on IoT-connected consumer devices. He also raised a net neutrality concern. Warner said his inquiry stems in part from Friday's distributed denial of service attacks against DynDNS. The DDoS attacks caused outages of Twitter and other major websites that use Dyn's services (see 1610210056), leading to calls for action from other lawmakers and IoT stakeholders (see 1610250021). Warner cited the Mirai command-and-control botnet, saying it targeted “highly insecure” connected devices in increasing numbers since the start of October. The U.S. Computer Emergency Readiness Team also warned that release of the Mirai botnet’s code increased the risk of copycats. Mirai’s efficacy largely depends “on the unacceptably low level of security inherent in a vast array of network devices,” Warner said in a letter to FCC Chairman Tom Wheeler. Warner questioned FCC net neutrality rules mandating that “ISPs cannot prohibit the attachment of ‘non-harmful devices’ to their networks.” Devices “with certain insecure attributes could be deemed harmful to the ‘network’ -- whether the ISP’s own network or the networks to which it is connected,” Warner said. “While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to internet service providers in this area.” The FCC "received the letter and [is] reviewing it," a spokeswoman said.
Federal prosecutors used a 2014 memo to determine when to open an investigation or charge an individual under the anti-hacking Computer Fraud and Abuse Act (CFAA), said DOJ, releasing the document in a Tuesday blog post. The department said prosecutors must consider several factors "to ensure that charges are brought only in cases that serve a substantial federal interest." Among the factors listed are: sensitivity of an affected computer system or information and the likelihood and extent of damage to a system or unauthorized access of the data; degree of damage to a system or access to data regarding national security, critical infrastructure, public health and safety, market integrity, international relations or other economic and national interests; how it may relate to a larger crime or threat to national security; impact of a crime on victims and others; and whether a defendant knowingly violated restrictions or altered computer data. Justice said prosecutors must consult the Computer Crime and Intellectual Property Section, among others, before bringing CFAA charges. Civil liberties groups are lobbying Congress to revise the 30-year-old statute because they allege government prosecutors are overcriminalizing routine behaviors (see 1609130012). CFAA was invoked in a recent lawsuit by Rep. Mike Honda, D-Calif., in a congressional race against Democratic challenger Ro Khanna (see 1610110003).
The Signaling System Number 7 (SS7) protocol “exemplifies” the vulnerabilities of communications tech transitions, FCC Chairman Tom Wheeler told Rep. Ted Lieu, D-Calif., in a letter released Friday and dated Oct. 14. Lieu is a member of the House Oversight Committee’s Subcommittee on Information Technology. The agency “continues to scrutinize our numbering initiatives and the increased concerns regarding robocalling to identify how underlying SS7 vulnerabilities may contribute to risks,” Wheeler said. “We continue to work with our federal government and communications sector partners to bring about meaningful solutions and risk mitigation strategies that will address the SS7 problem and continue the Commission’s mission of ensuring that communications networks are secure, reliable and resilient.” He cited work being done by a Communications Security, Reliability and Interoperability Council working group (see 1606220058), which gave an initial risk assessment last month and expects a final report with recommendations in March.
A suspected distributed denial of service attack against DynDNS early Friday resulted in outages or latency for many websites that use the service. The attacks primarily affected users on the East Coast. Dyn confirmed that a DDoS attack against its servers began at 7:10 a.m. EDT, with service restored by 9:20 a.m. Dyn said it subsequently began “monitoring and mitigating” a new DDoS attack by mid-day. Amazon Web Services said it began experiencing outages and latency at 7:31 a.m. EDT, but operations returned to normal by 9:10 a.m. GitHub was “one of the sites affected” by the DDoS attack, a spokeswoman said. Airbnb, Etsy, Netflix, Reddit, SoundCloud, Spotify, Tumblr and Twitter were among the other sites experiencing outages or connectivity issues. Sony said some of its PlayStation services were still “experiencing issues” at our deadline. Dyn didn't confirm the size or origin of the DDoS attacks. The Department of Homeland Security is “investigating all potential causes” of the attacks, a spokeswoman said.
Only 25 percent of organizations have sufficient cybersecurity personnel to detect and respond effectively to a cyberattack, said cybersecurity firm Tripwire Thursday. Dimensional Research did a survey for Tripwire in August of more than 500 IT security professionals. Sixty-six percent said their organizations faced increased security risks because of their lack of sufficient cybersecurity experts. Seventy-two percent said they faced challenges in hiring skilled cybersecurity staff, and 50 percent said their organizations don’t have an effective program to recruit and train skilled experts. Cybersecurity “is a growth industry for employees, and supply is falling far short of demand,” said Tripwire Director-IT Security and Risk Strategy Tim Erlin in a news release. “Smart organizations need to establish effective programs for educating and developing employee skills around information protection."
The FTC awarded the U.S. Attorney’s Office for the Southern District of New York’s Complex Frauds and Cybercrime Unit the commission’s Criminal Liaison Unit’s Prosecuting Attorney’s Award, recognizing prosecutors who “demonstrate an exceptional commitment to consumer protection in partnership with the FTC.” The Cybercrime Unit has a longstanding partnership with the FTC and prosecuted “dozens of individuals for their participation in mobile cramming, fake and abusive debt collection, and deceptive payday lending schemes,” the agency said in a Wednesday news release.