Yahoo confirmed that at least 500 million user accounts were compromised in late 2014, possibly by a state-sponsored actor, resulting in the possible theft of users' names, email addresses, phone numbers, birth dates, hashed passwords and encrypted and unencrypted security questions and answers. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected," wrote Chief Information Security Officer Bob Lord in a Thursday blog post. Lord said there's no evidence the state-sponsored actor is still in the network, but the company is working with law enforcement in an investigation. The company, which also provided FAQs about the breach, said it's strengthening network security and provided instructions for users to improve their account security. A spokesman for Verizon, which announced in July that it's acquiring Yahoo for $4.83 billion in cash (see 1607250016), tweeted Thursday that it was notified "with the last two days" of the incident, but has "limited information and understanding" beyond that there's an ongoing investigation.
Retailers must not only design security into their devices but also into consumer data "from initial acceptance, through transit to the data center and while in storage," wrote Michelle Tinsley, Intel director-mobility and payment security, in a Wednesday blog post. As the IoT becomes more prevalent, retailers are collecting more data about their customers to provide personalized services and products, but risks also are prevalent, she said. Tinsley said 13.1 million Americans were victims of identity theft in 2015, citing Javelin Research. "Typically it takes a consumer six months and $4,000 to clear the errors from their credit record," she wrote. One answer, she added, is encrypting the data from source to storage. Tinsley will join Jeff Zubricki, Walmart director-global public policy, to discuss the issue at an Electronics Transactions Association event Thursday.
Governors are more aware of cybersecurity, but state chief information security officers (CISOs) still lack funding, said a report Tuesday by Deloitte and the National Association of State Chief Information Officers (NASCIO). More than 60 percent of state officials said cybersecurity is discussed at least quarterly at executive leadership meetings, compared with 48 percent in 2014. Nearly one-third of CISOs provided governors with monthly cybersecurity reports this year, up from 17 percent two years ago. There’s little funding: more than half of state cybersecurity budgets represent 0-2 percent of overall technology budgets, the report said. Four in five respondents said inadequate funding is a top barrier to effectively addressing cyberthreats, and 51 percent pointed to the lack of cybersecurity professionals. CISOs said they considered threats targeting employees -- phishing, pharming, social engineering and ransomware -- the most prevalent threat in the year ahead. The report found a “confidence gap” between CISOs and state officials on how prepared their states are to handle security threats: about two in three state officials said they’re very confident about defending against external cyberthreats, but 27 percent of CISOs felt that way. Deloitte and NASCIO received responses this year from CISOs in 49 states and territories, and 96 state business and elected officials. A NASCIO report released Monday said most states outsource at least some IT infrastructure (see 1609190022).
ViaSat got a $33.3 million contract from the Defense Department's Space and Missile Systems Center for the Protected Tactical Service Field Demonstration, which will demonstrate the ability to provide wideband anti-jam communications to tactical users of both government and commercial satellites. In a news release Monday, the company said the program includes development of a protected tactical waveform modem and an embedded cryptographic unit. The work is expected to be done by Sept. 30, 2020.
NTIA plans the first meeting of its multistakeholder process on cybersecurity upgradeability of the IoT Oct. 19 in Austin. NTIA said in August it was launching the IoT cybersecurity multistakeholder process on developing ways to improve consumers’ understanding of cybersecurity upgrades to IoT products (see 1608020060). The meeting will focus “on security upgradeability and patching, and to establish more concrete goals and structure of the process,” NTIA is set to say in Monday's Federal Register. The meeting also will be on how the process will be structured, including forming working groups on specific issues, and setting out “concrete goals” for the process, NTIA said. Future meetings will “encourage and facilitate continued discussion among stakeholders to build out a mapping of the range of issues, and develop a consensus view of a consolidated set of potential definitions,” NTIA said. “Discussions will also cover best practices for sharing security information with consumers. This discussion may include circulation of stakeholder-developed strawman drafts and discussion of the appropriate scope of the initiative.” The meeting is 10 a.m.-4 p.m. in the Renaissance Austin Hotel's Trinity Ballroom.
Most of the two dozen hospital cyberattacks globally in the first half of 2016, including 13 in the U.S., involved ransomware, said a McAfee Labs threats report Wednesday. Those attacks, which largely infected systems through phishing, weren't executed by the kind of malicious actors normally seen in targeted intrusions. "The code and attack was effective but not very sophisticated," the report said. But money can be made quickly through these attacks; the report said ransom paid in Q1 attacks against hospitals was about $100,000 total. The report said most hospitals didn't pay ransom, but those targeted by one threat called "samsam" did seem to pay. McAfee, which is part of Intel Security, said hospitals are easy targets due to a "combination of legacy systems with weak security, a lack of employee security awareness, a fragmented workforce, and the pressing need for immediate access to information." Experts at an FTC event last week on ransomware (see 1609070044) said it's a growing threat that's spreading to sectors beyond healthcare.
A dramatic increase in commercial and recreational drones -- expected to triple in four years -- will create bigger safety risks from collisions, cyberattacks and terrorism, said insurer Allianz in a report released Tuesday. Use of unmanned aircraft systems (UAS) likely would result in fewer work accidents and worker compensation losses, and speed up insurance claims, it said. But millions more drones in widespread use also could increase risks -- mainly mid-air collisions and loss of control -- resulting in potential multimillion-dollar claims against businesses, operators and manufacturers, Allianz added. The report also raised concerns that drones could be used for malicious acts; other "risk scenarios include the prospect of hackers ‘spoofing’ a UAS radio signal, potentially leading to a crash, the potential loss or theft of valuable recorded data when the device is transmitting information to the control station or after the flight by cyber-attack when the data has been stored," it said. Registering drones and operators, training and educating pilots, and using on-board cameras, flight communications and system maintenance are crucial to improving safety, said Allianz. Separately, ABI Research said in a Tuesday news release the small drone commercial market will exceed $30 billion by 2025.
One in three Americans was hit with a computer virus, hacked or suffered some other cyberattack over the past year, said a Zogby Analytics survey Tuesday. A news release on the survey, commissioned by Munich Re’s Hartford Steam Boiler Inspection and Insurance, said adults 18 to 24 were the most likely victims. Overall, in one-quarter of the cases, people spent up to $5,000 per incident to recover. About 56 percent spent less than $500. Sixty-six percent said they were concerned about potential cyberattacks, and 62 percent worried about online fraud. The online survey polled 1,500 U.S. adults.
Concerned about cybersecurity risks to on-board diagnostic ports in vehicles, House Commerce Committee Republican leaders want National Highway Traffic Safety Administrator Mark Rosekind to convene an industry-wide effort to address the potential problems, said the committee in a Monday news release. “In the past several years, information security researchers have discovered and demonstrated increasingly effective -- and increasingly frequent -- attacks on the internal networks of automobiles through the use of On-Board Diagnostic (OBD-II) ports and the devices that connect to them," they wrote to Rosekind. Researchers have demonstrated they could remotely unlock a vehicle's doors or cut its brakes or power steering, and NHTSA needs to develop a plan to address the risk, they added. Signatories to the letter include House Commerce Committee Chairman Fred Upton, R-Mich.; Communications Subcommittee Chairman Greg Walden, R-Ore.; Oversight and Investigations Subcommittee Chairman Tim Murphy, R-Pa.; and Commerce, Manufacturing and Trade Subcommittee Chairman Michael Burgess, R-Texas. NHTSA didn't comment.
Allegations that Russia-backed hackers tried to disrupt the U.S. political process prompted Senate Homeland Security Committee ranking member Tom Carper, D-Del., to get information from Twitter. A Thursday letter to CEO Jack Dorsey cited reports the Russian Federal Security Service and the nation's military intelligence may have been involved in trying "to influence public opinion through the malicious use of Twitter and other social networking services." Carper said such "social" cyberattacks through bots, which he described as automated and false accounts, "pollute information streams by generating messages that appear to come from many different users." He asked Dorsey how his company estimates the number of false or spam accounts and if it has the ability to track or estimate the number of such accounts controlled by potential Russian state actors. Carper wants information by Sept. 30. Twitter didn't comment Friday. It's been suspending accounts since 2015 for promoting terrorism (see 1608180066) -- which Carper acknowledged. Twitter, Facebook, Google and Microsoft have been fighting online hate speech in Europe (see 1605310051 and 1606030037).