(844) 627-8267
(844) 627-8267

What the FTC’s order against Ring means | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

Good morning! It’s finally June.

Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.

Below: The White House reportedly taps an official to be the nominee for second-in-command of Cyber Command, and millions of motherboards were reportedly sold with a firmware backdoor. First:

What the FTC’s order against Ring means

A new case against Amazon’s home surveillance unit, Ring, underscores how far federal regulators will go to enforce strong cybersecurity and user privacy practices at companies where they allege wrongdoing has taken place.

The Ring case goes back years. The FTC said Ring didn’t implement basic cybersecurity steps for years even as it faced cyberthreats.

“As a result,” the FTC said in its complaint, “more than 55,000 U.S. customers suffered from credential stuffing and brute force attacks that compromised Ring devices. Through these attacks, bad actors gained access to hundreds of thousands of videos of the personal spaces of consumers’ homes, including their bedrooms and their children’s bedrooms — recorded by devices that Ring sold by claiming that they would increase consumers’ security.”

(Amazon founder Jeff Bezos owns The Washington Post.)

The disturbing 2019 breaches at Ring intruded into everyday Americans’ homes — including, according to the complaint, through “harassment, slurs, and threats.”

The Ring complaint isn’t the only bad news for Amazon coming out of the FTC on Wednesday. The commission also fined the company $25 million after it found that the company broke a law designed to protect children, as my colleagues Caroline O’Donovan and Cat Zakrzewski reported.

Amazon spokeswoman Parmita Choudhury told Caroline and Cat that the company takes “our responsibilities to our customers and their families very seriously.”

  • “Our devices and services are built to protect customers’ privacy, and to provide customers with control over their experience,” Choudhury said. “While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us.”
  • Amazon worked on the Ring privacy issues “before the FTC began its inquiry,” Choudhury said. Amazon also agreed to “remove child profiles that have been inactive for more than 18 months,” she said.

The FTC plans to require that Ring comply with a long list of cybersecurity and privacy rules. While a federal court still has to approve the order, the FTC’s plan includes restricting access to databases with recordings so only employees on authorized networks can access them.

And notably, the FTC also plans to make Ring’s employees and contractors attest that they only access some video recordings for reasons laid out by Ring — and not for any other reason.

That appears to be designed to help mitigate the threat posed by malicious insiders. Insider threats at Ring posed an issue several years ago, according to the FTC complaint:

  • “Ring gave every employee — as well as hundreds of Ukraine-based third-party contractors — full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform his or her job function,” the complaint said.
  • In 2017, a Ring employee “viewed thousands of video recordings belonging to at least 81 unique female users” for months, according to the complaint.
  • According to a whistleblower, a Ring employee gave out cameras and then took copies of those users’ recorded videos when they left the company in 2019.

The FTC order could also serve as a warning shot to other companies.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” FTC consumer protection bureau director Samuel Levine said in a statement. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

White House nominates Army general for second-in-command at Cybercom

Army Maj. Gen. William Hartman has been tapped by the White House to be deputy commander of U.S. Cyber Command, Martin Matishak reports for the Record.

  • Hartman was marked for nomination in the congressional record but the post was not specified, the report adds.

If confirmed, Hartman would replace Lt. Gen. Timothy Haugh, who President Biden tapped to lead U.S. Cyber Command and the National Security Agency amid the pending departure of Gen. Paul Nakasone.

  • Hartman has a long history with Cybercom, leading the Cyber National Mission Force (CNMF) — which plans and directs cyber operations — since 2019, Matishak writes.
  • “Prior to leading the CNMF, he served as deputy commander of Joint Force Headquarters-Cyber Army, overseeing digital teams and operations in North America, the Middle East and Africa,” the report said.
  • “He then succeeded Haugh as chief of the CNMF … acting as Cyber Command’s co-lead of a joint election security task force with the NSA that worked to protect the 2020 presidential election,” it added.

The Pentagon on Wednesday announced that Haugh had been nominated to lead Cyber Command and the National Security Agency. It also announced that Lt. Gen. Jeffrey A. Kruse, a military adviser to Director of National Intelligence Avril Haines, has been nominated to lead as director of the Defense Intelligence Agency.

The confirmations are likely to face complications as Sen. Tommy Tuberville (R-Ala.) said he will put a hold on military nominees due to a dispute with the Defense Department over its abortion care policy.

Rubio asks Justice Dept. to investigate if TikTok CEO lied during testimony

Sen. Marco Rubio (R-Fla.) is calling on the Justice Department to investigate whether TikTok CEO Shou Zi Chew committed perjury when he testified to Congress in March.

Chew told House lawmakers that U.S. user data “has always been stored in Virginia and Singapore in the past”; however, in a tweet, Rubio cited a report by Forbes’ Alexandra Levine indicating that U.S. TikTok creators’ sensitive financial info has been stored on servers in China that are accessible to employees based there.

  • TikTok has come under scrutiny from the U.S. and other Western governments mainly over national security concerns. The Biden administration is supporting a bill that would allow the Commerce Department to evaluate the security risks of foreign technologies like TikTok and make recommendations about whether they should be banned from the United States.

Rep. Cathy McMorris Rodgers (R-Wash.), who chairs the House committee that Chew testified to:

The Justice Department did not respond to a request for comment.

TikTok spokesperson Alex Haurek told Forbes, “We remain confident in the accuracy of Shou’s testimony.” TikTok parent ByteDance did not respond to the publication’s request for comment.

Millions of motherboards sold with insecurely installed backdoor, making them ripe for hijacking

Firmware-focused security research firm Eclypsium discovered a hidden backdoor in the firmware of Taiwan-based motherboard manufacturer Gigabyte that could enable malicious hackers to hijack it to install malicious code, Andy Greenberg reports for WIRED.

Gigabyte products are used frequently in video game PCs and high-performance machines, such as motherboards and graphics cards. The flaw was discovered while sourcing customer computers for malicious code, the report said. The company found that more than 250 models of Gigabyte motherboards have the backdoor.

  • “While Eclypsium says the hidden code is meant to be an innocuous tool to keep the motherboard’s firmware updated, researchers found that it’s implemented insecurely, potentially allowing the mechanism to be hijacked and used to install malware instead of Gigabyte’s intended program,” Greenberg writes.
  • “If you have one of these machines, you have to worry about the fact that it’s basically grabbing something from the internet and running it without you being involved, and hasn’t done any of this securely,” John Loucaides, who leads strategy and research at Eclypsium, told WIRED.

The updater also sometimes installs code to a user’s machine without proper security guardrails or authentication, the report added. “This would allow the installation source to be spoofed by a man-in-the-middle attack carried out by anyone who can intercept the user’s internet connection, such as a rogue Wi-Fi network,” it said.

Gigabyte did not return multiple requests for comment from WIRED.

Russia’s FSB says U.S. NSA penetrated thousands of Apple phones in spy plot (Reuters)

Iranian dissidents’ claim of presidential hack likely legitimate, experts say (CyberScoop)

China investing in open-source intelligence collection on the U.S. (New York Times)

AI and China are ‘defining challenges of our time,’ CISA director says (Federal Computer Week)

Bipartisan lawmakers introduce bill to expand cyber partnership with nations in Abraham Accords (The Hill)

Moody’s cites credit risk from state-backed cyber intrusions into US critical infrastructure (Cybersecurity Dive)

Ransomware attack on US dental insurance giant exposes data of 9 million patients (TechCrunch)

  • The Senate Judiciary Committee will consider amendments to bills aimed at preventing drug trafficking on social media platforms and preventing online child exploitation at 10 a.m.
  • Anne Neuberger and other cybersecurity officials speak at the Center for Strategic and International Studies about cyberthreats to critical infrastructure at 2 p.m.
  • Jessica Salmoiraghi joined BSA | The Software Alliance as senior director for IT modernization and procurement. She joins from the General Services Administration.

Thanks for reading. See you tomorrow.


Click Here For The Original Source.

National Cyber Security