Net Neutrality comments deeply corrupted – NY Attorney General

New York Attorney General Eric Schneiderman called a press conference on Monday to demand a postponement of a 14 December 2017 vote by the Federal Communications Commission (FCC) on a proposed rollback of net neutrality regulations, declaring that the public comment process in advance of it has been “deeply corrupted.”
But Schneiderman is late – very late – to the party. Reports of fake and bot-generated comments started more than six months ago, before the official public comment period even began on 18 May 2017, after FCC Chairman Ajit Pai proposed the rollback.
ZDNet reported on 10 May 2017 that more than 128,000 identical comments had already been submitted. Some whose names were on those comments told ZDNet they had not submitted them – including one “commenter” who said that they didn’t even know what net neutrality was.
Those reports continued regularly through the year, and the flawed comments process, as Naked Security reported in October this year, was almost embarrassingly obvious.
Data analytics company Gravwell claimed at the beginning of October that only about 18% (3,863,929) of the 21.8 million comments submitted on the FCC website and via its API were unique.
The rest were likely from “automated astroturfing bots,” Gravwell founder Corey Thuen said, adding that the fakes were easy to spot.
Schneiderman, who was joined at the press conference by FCC commissioner Jessica Rosenworcel, demanded that the vote be delayed. Rosenworcel, an Obama appointee, was nominated for another term in July by President Trump, and confirmed by the Senate.
Schneiderman said his office carried out a review of the comments on the impending vote. They found that at least one million of these may have been made by impersonators, including up to 50,000 claiming to be from New York. He also accused the FCC of failing to help investigate who might be behind the fakes. Rosenworcel added that nearly 50,000 of the comments to the FCC were from Russian email addresses.
The FCC has now agreed to assist, but Schneiderman said that offer came on the morning of the press conference, after nine previous requests for FCC logs to show the origin of the comments.
It is not just fake comments at issue, either. There are also complaints from advocacy groups, including the National Hispanic Media Coalition (NHMC), saying that the docket – the collected files for and against the proposed rollback – doesn’t include the 50,000 consumer complaints filed about Internet Service Providers (ISPs) since the Obama net neutrality rules took effect in 2015.

According to Ars Technica, 28 Democratic senators are also complaining about that omission. In a letter to Pai, they wrote:
50,000 consumer complaints seem to have been excluded from the public record in this proceeding… we believe that your proposed action may be based on an incomplete understanding of the public record in this proceeding.
At the press conference, Schneiderman contended:
You cannot conduct a legitimate vote on a rulemaking proceeding if you have a record that is in shambles, as this one is.
Advocates of the rollback agree that the comment process has been corrupted, but they say it has been happening on both sides. Brian Hart, an FCC spokesman, told the Washington Post that 7.5 million comments in favor of maintaining net neutrality appeared to come from 45,000 email addresses, “all generated by a single fake e-mail generator website.”
He said another 400,000 comments in favor of net neutrality appeared to come from a Russian mailing address.
And Tina Pelkey, also speaking for the FCC, declared in an emailed statement on Monday to reporters that neither Schneiderman nor Rosenworcel had identified “a single comment relied upon in the draft order as being questionable.”
The key phrase there is, of course, “relied upon” – a tacit acknowledgement of the fake comments, but also an assertion that nobody on the FCC, including Pai, is giving them any credence.
There is no indication yet that the vote will be delayed. But opponents say they think the number of bogus comments will help them in a court battle to overturn the vote, if Congress doesn’t block it until an investigation is complete. Evan Greer, campaign director for the advocacy group Fight for the Future, told the Post:
It’s all about Congress for right now. But this (fake comments) will absolutely show up in court if we get there.



NIST Releases New Cybersecurity Framework Draft

Updated version includes changes to some existing guidelines – and adds some new ones.
The National Institute of Standards and Technology (NIST) has released the second draft of a proposed update to the national Cybersecurity Framework of 2014.
The draft document contains important changes to some existing guidelines, especially around self-assessment of cybersecurity risk, and introduces some new ones pertaining to authorization, authentication, identity proofing, and vulnerability disclosure.  
NIST also released a proposed update to its Roadmap for Improving Critical Infrastructure Security that describes planned future activities and topics to focus on for upcoming versions of the framework.
The changes and refinements reflect feedback and comments from public and private sector stakeholders to an earlier draft update to the Cybersecurity Framework that NIST released in January 2017. NIST will make draft 2 of the Framework open for public comment through close of day January 19, 2018 and will likely go live with the changes shortly after.
“NIST is hoping Framework version 1.1 will lead to a greater consideration of supply chain risk management [SCRM], cybersecurity within SCRM, and application of [the] Framework for that cybersecurity,” says Matt Barrett, NIST’s lead on the framework.
The hope also is that the new self-assessment section and related topics in the Roadmap such as Governance and Enterprise Risk Management will prepare stakeholders for a discussion on how to better align cybersecurity measures to support business outcomes and decisions, he says.
NIST developed the Framework as required by the Cybersecurity Enhancement Act of 2014. It is designed to provide a formal framework for managing cyber risk in critical infrastructure organizations. The goal is to provide organizations in critical infrastructure with guidance on the processes, practices, and controls they can use to manage cyber risk in line with their business imperatives.
The Cybersecurity Framework establishes a common language for security models, practices, and controls across industries. At a high-level, the framework provides guidance on how organizations can identify, protect, detect, respond to, and recover from, cyber threats. It offers a tiered set of implementation practices that organizations can choose from to deploy and manage these capabilities. The methods, processes, and controls in the framework are based on globally accepted best practices and standards.
Mandatory for the Feds 
Until recently, adherence to the Framework was purely voluntary for everyone. But the Trump Administration’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May has now made it mandatory for federal agencies, Barrett says. The order required agency heads to provide a risk management report to the White House Office of Management and Budget describing their plans to implement the Framework, he says. Originally designed for use by operators and owners of critical infrastructure, the Framework has become a de facto standard for developing and implementing cyber-risk management practices at organizations across all sectors.
The new version clarifies some of the language around cybersecurity measurement and provides more guidance on managing cybersecurity within the supply chain — an issue that has become critical in recent years. It also explains how the framework can be used to mitigate risk in the Internet of Things (IoT), operational technology and cyber-physical systems environments. In addition, NIST’s updated Cybersecurity Framework makes some refinements to the identity and access management control category to accommodate changing requirements around authentication, authorization, and identity vetting.
“The NIST updates are meant to be a dynamic, working document,” says Edgard Capdevielle, CEO of Nozomi Networks. “[They] cover a lengthy list of topics from confidence mechanisms, cyberattack lifecycles, beefing up the cybersecurity workforce, to reviewing supply chain risk management along with governance and enterprise risk management.”
While critical infrastructures cannot adapt to all prescriptive guidance overnight, the framework serves as a good roadmap to start implementation of best practices, collaboration, and new security technologies, he says. 
“With Draft 2 of Version 1.1, I expect critical infrastructure operators and federal agencies to focus more closely on supply chain, especially as weak links there have contributed to several well-known data breaches,” says Robert Vescio, managing director at Secure Systems Innovation Corporation (SSIC). “To reduce the impact of cyber incidents, it is crucial that each and every organization understands its role within the larger ecosystem, and actively contributes to proactively address emerging threats.”
Vescio believes that while most organizations can benefit from the framework, adoption should remain voluntary. A forced adoption would destroy the concept of each organization tailoring security strategies to their risk appetite and lead to spending on irrelevant controls, he says.
“NIST CSF should be important to everyone,” he says.  “Implemented correctly, [it] can help organizations evolve, while maintaining or working toward a pre-selected risk posture.”
Q&A: Matt Barrett, NIST’s Lead on the CyberSecurity Framework
(Excerpts from a Dark Reading email interview with Matt Barrett)
Q. What are the most significant changes in this draft?
Firstly, Section 4.0, previously entitled Measuring and Demonstrating Cybersecurity, has been reframed as Self-Assessing Cybersecurity Risk with the Framework to better emphasize how organizations might use the Framework to measure their risk. In acknowledgement of the wide variety of stakeholder perspectives on cybersecurity measurement and the need for a stakeholder dialog on the topic, the section was summarized and refined and NIST officially acknowledged Measuring Cybersecurity as an item on the Roadmap to Improving Critical Infrastructure Cybersecurity.

NIST clarified the use of the Framework to manage cybersecurity within supply chains by refining Section 3.3 Communicating Cybersecurity Requirements with Stakeholders. This included a simpler description of the parties involved in an organization’s supply chain. We also further integrated cyber supply chain risk management language into the Implementation Tiers. This will better enable organizations to determine their current status and desired state with regard to cyber supply chain risk management practices.
We added a few Subcategories to account for authentication and coordinated vulnerability disclosure.
Q. Are federal agencies/critical infrastructure operators required to adopt the framework?
Yes. On May 11, 2017, the President issued Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Among other things, the order states that “each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order” and “describe the agency’s action plan to implement the Framework.”
NIST issued draft report NIST Interagency Report (IR) 8170 to support agency heads and senior cybersecurity leadership in Framework implementation planning. The draft summarizes eight private sector uses of the Framework, which may be applicable for federal agencies. By leveraging NISTIR 8170, agencies can better understand how to implement the Framework in conjunction with other NIST cybersecurity risk management standards and guidelines.
Q. Going forward, do you expect agencies/CI operators to be assessed against their adherence or failure to adhere to the framework?
With increasing use of Framework, this topic increasingly comes up. Whether it will or won’t, NIST doesn’t have charter to control such things, nor latitude to comment. However, I will offer this up.
Given the increasing dependence of organizations on technology, digital trust is an increasingly important topic. In other words, not only does an organization need to manage their cybersecurity risk, but they also need to communicate it in various forms to suppliers, partners, customers, auditors, and regulators. Framework provides a basis for a standardized communication – increasing an organization’s efficiency and reducing the chances of miscommunication – and it also provides the high-level methods of determining cybersecurity state, deciding desired state, and planning the improvements necessary to achieve the desired state.
Organizations may elect to use Framework to self-assess cybersecurity risk and communicate judiciously with others. They may also enlist external parties to assess cybersecurity risk. For this reason, NIST continues to encourage and support private sector in evaluating and implementing Framework confidence mechanisms.
Q. How should organizations use the framework?
There are many ways to use Framework and all the varied uses have a value. Out-of-the-box and without alteration, Framework offers a common and accessible vocabulary for cybersecurity risk management. In its simplest form, that vocabulary is Identify, Protect, Detect, Respond, and Recover. This allows people who are not cybersecurity experts to participate in the cybersecurity dialog.
The Framework is also meant to be customized for a given sector, subsector, or organization.  That customization ultimately means some form of prioritization. 
Framework has some native methods of customizing and prioritizing. For instance, Framework Profiles help an organization determine and communicate the outcomes that are most important for a given set of circumstances, whether those circumstances are derived from the technical environment, cybersecurity requirements such as law and regulation, or desired organizational objectives. Similarly, the Implementation Tiers of Framework help an organization decide how they would like to manage cybersecurity risk for a given part of the organization.



Mad River Twp. Fire and EMS data hacked, encrypted with ransomware

Parker Perry reports:
The Mad River Twp. Fire and EMS station is without years of data after its server was breached and encrypted with ransomware.
Chief Elmer Beard said the virus was found in August and the department has tried to work out solutions to get the information unencrypted. The hackers demanded payment for the information in Bitcoin, which translates to thousands of dollars, he said.
Read more on Springfield News-Sun.




Google Patches Critical Encryption Bug Impacting Pixel, Nexus Phones

Google patched a critical encryption bug found on its Pixel, Pixel 2 and Nexus phones this week along with delivering 49 other fixes, part of its December Pixel / Nexus Security Bulletin.
Five of the patches relate to vulnerabilities rated high. One of the patches (CVE-2017-13167) is for an elevation of privilege vulnerability and four others could open the door for a denial of service attack, according to Google.
The only critical patch (CVE-2017-14907) is tied to a bug in “Qualcomm closed-source components” that weakens the cryptographic strength of handsets while it derives a disk encryption key, Google stated.

A Common Vulnerabilities and Exposures (CVE-2017-14907) description of the encryption bug states: “In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, cryptographic strength is reduced while deriving disk encryption key.”
Android CAF (Custom Android Firmware) releases are custom branches of the Linux kernel developed to support Qualcomm chipsets. Qualcomm MSM chips are processors made for older model high-end phones. And Android for MSM, Firefox OS for MSM and QRD (Qualcomm Reference Design) Android each are Android projects that extend support for the Qualcomm MSM chips.
According to those familiar with the encryption bug, the vulnerability was discovered, patched and an update was released to customers and partners in May by Qualcomm. Qualcomm declined to comment on the vulnerability.
The Pixel/Nexus Security Bulletin coincided with the release of Google’s Android Security Bulletin. A total of 47 vulnerabilities and patches were listed in that report, with 10 rated critical in severity.
“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to the bulletin.
Google lists critical Media framework vulnerabilities (CVE-2017-0872, CVE-2017-0876, CVE-2017-0877, CVE-2017-0878 and CVE-2017-13151) that each create conditions favorable to a remote code execution attack on Android handsets. Media framework codecs impacted are libmpeg2, libhevc, libavc and libskia.
Google’s Android bulletin also warns of four critical Qualcomm component vulnerabilities, three of which are also tied to remote code execution conditions. Other vendors mentioned in the Android bulletin are Broadcom, Kernel, MediaTek and NVIDIA.
Patches are delivered over the air by handset manufacturers, and Google urges customers to accept and apply patches to their devices.



Black Hat Cyber threats have evolved from being a solely technical issue to a core issue of government policy, according to a senior US lawyer and former cyber diplomat.
Chris Painter, former co-ordinator for cyber issues at the US State Department, told delegates at the Black Hat EU conference that cyber issues have emerged as a core topic for governments worldwide. “Cyber is now seen as a core issue for defence policy, foreign policy and more… it’s not just a technical issue.
“Cyberspace is a new domain of war and all countries are involved in it,” he added.
The US, China and Russia have agreed that the rules of international law apply in cyberspace, so the rules of war apply to cyber attacks. That means that an attack on civilian infrastructure such as a dam would be considered as warranting reprisals, but the situation is more complicated than that in practice.
“A lot of malign activity is occurring below the high threshold of what could be classified as an act of war,” Painter explained.
“We’re doing a poor job at deterrence in cyberspace. The credibility of response is OK but timeliness is a problem partly because of attribution.”
Painter argued that although you can never have absolute certainty in attribution, by using a combination of technical and political analysis it’s possible to have a high degree of confidence about who is behind particular attacks, especially if they are long term campaigns.
Launching missiles in response to a cyber attack is unlikely unless there is a loss of life involved. This means that response boils down to applying diplomatic or political pressure on governments. “We need to expand the tool set,” Painter concluded.

One thing that is already possible is greater international co-operation, something that can be achieved through diplomatic channels. Painter explained how, whilst at the US State Department, he struck a deal to get help from other countries in taking down nodes of a botnet that was attacking US banks, in return for a promise of co-operation from the US in the event of those countries needing assistance at some future date.
Painter also outlined efforts to promote norms – or “rules of the road” – in cyberspace. He also examined challenges that lie ahead and the need for the policy and technical communities to work together globally to meet those challenges. “We didn’t see the Russian threat coming,” Painter said. “Tech people need to tell policy people about the next coming threat.”
The former White House and US State Department official made his comments during an opening keynote presentation at the Black Hat Europe conference in London on Wednesday. ®



BlackBerry pens framework for securing connected and autonomous cars

BlackBerry on Wednesday laid out a recommended framework for automakers to address the cybersecurity challenges surrounding connected and autonomous vehicles.
BlackBerry sees four industry trends that are making vehicles vulnerable to cyber attacks and failures: vehicle access, software control, autonomous driving, and the changing state of software. In its whitepaper, BlackBerry recommended changes through a seven-pillar approach:
Secure the supply chain: Ensure the supply chain and the software and hardware components it delivers are safe and secure.
Use trusted components: Create a security architecture that is deeply layered in a defense-in-depth architecture, with secure hardware, software, and applications.
Employ isolation and trusted messaging: Separate safety-critical and non-safety-critical systems and ensure trusted communication between these systems and to the outside world.
Conduct in-field health checks: Monitor car health by regularly scanning and reporting a defined set of parameters while the vehicle is in the field.
Create a rapid incident response network: Share common vulnerabilities and exposures (CVE) and advisories via a trusted network of subscribing enterprises.
Use a lifecycle management system: Like a smartphone, proactively re-flash a vehicle with secure OTA software updates as soon as an issue is detected.
Make safety and security a part of the culture: Ensure every organization involved in supplying auto electronics is trained in functional safety and security best practices to inculcate this culture within the organization.
BlackBerry also teased tools and services, saying it will demonstrate its vision for connected cars and autonomous vehicles at CES in early January.
“Protecting a car from cybersecurity threats requires a holistic approach,” Sandeep Chennakeshu, President of BlackBerry Technology Solutions, said in a statement. “Leveraging our experience as a leader in cybersecurity and embedded automotive software, BlackBerry has created a recommended framework to protect cars from cybersecurity threats. If followed, we believe vehicles will not only be secure but BlackBerry Secure.”
BlackBerry’s interest in securing automotive and IoT hasn’t been a secret. In June, it debuted QNX Hypervisor 2.0 that creates containers to ensure that any breach in one auto application can be contained.




Nearly 2/3 of Industrial Companies Lack Security Monitoring

New Honeywell survey shows more than half of industrial sector organizations have suffered cyberattacks.
A new survey by LNS Research on behalf of Honeywell shows that industrial sector networks are still playing catch-up in cybersecurity.
While more than half of the 130 decision-makers from industrial organizations in the survey say they work in a facility that has suffered a breach, just 37% of the respondents say their organizations monitor networks for suspicious activity and traffic.
Nearly half, 45%, say they don’t have an enterprise leader for cybersecurity, and one-fifth are not employing risk assessments on a regular basis.
“Decision-makers are more aware of threats and some progress has been made to address them, but this report reinforces that cybersecurity fundamentals haven’t been adopted by a significant portion of the industrial community,” Jeff Zindel, vice president and general manager of Honeywell Industrial Cyber Security said in a statement.

A copy of the report is downloadable here.



Senate Confirms New US Homeland Security Chief

The US Senate confirmed White House deputy chief of staff Kirstjen Nielsen as Secretary of Homeland Security on Tuesday, putting her in charge of implementing the Trump administration’s immigration crackdown.
Nielsen is close to White House Chief of Staff John Kelly, who was President Donald Trump’s first secretary at the Department of Homeland Security before he was brought in to discipline Trump’s chaotic office at the end of July.
Nielsen, 45, is a lawyer and veteran of the national security sector. She served in the transportation security unit of DHS during the George W. Bush administration, and was also Bush’s homeland security advisor in the White House.

Later she ran her own security advisory firm, Sunesis Consulting.
Known for expertise in cyber issues, she was named Kelly’s chief of staff when he took over DHS at the beginning of the Trump administration, and then followed him to the White House.
Described as tough and no-nonsense, she nevertheless lacks the experience of running a massive organization like the 240,000-strong DHS.
The agency oversees a wide range of security issues, from immigration, to cyber, terror threats and disaster relief. 
The Senate approved her nomination 62-37.
Her confirmation came on a day when DHS claimed substantial success in slowing illegal immigration across the southern border and arresting and deporting criminal aliens.
DHS said arrests of illegal immigrants were up 40 percent in the first nine months of the Trump administration, while border crossings plummeted based on tougher enforcement.
Trump has also ordered DHS to build a wall along the southern border.
But both Kelly and Nielsen have said that a wall on the entire 2,000 mile (3,200 kilometer) frontier with Mexico would be inappropriate, and that other measures, including electronic monitoring, would be required as well.



Most Retailers Haven’t Fully Tested Their Breach Response Plans

More than 20% lack a breach response plan altogether, a new survey shows.
Nearly 75% of IT security professionals from the retail industry say their companies do not have a fully tested plan to address a security breach, according to a Tripwire report today.
Some 28% of survey respondents do have a fully tested breach plan, while 21% lack a plan altogether, the report notes.
Additionally, 21% of survey respondents say they don’t have the means to notify customers of a data breach within 72 hours of its occurrence. That runs counter to the requirements of the General Data Protection Regulation (GDPR), which in May begins the financial penalty phase for noncompliance. GDPR fines can reach as high as 4% of a company’s revenues.
Only 23% of survey respondents feel fully prepared to incur financial penalties, the survey says. “Considering the amount of high-profile data breaches that have occurred recently, plus the continued discussion around GDPR, it is surprising and concerning that many retailers do not have a tested plan in the event of a security breach,” says Tim Erlin, vice president of product management and strategy at Tripwire, in a statement.
Read more about the survey here.


