
The Federal Communications Commission today adopted rules that require broadband ISPs to protect the privacy of their customers. The rules ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.


The rules implement the privacy requirements of Section 222 of the Communications Act for broadband ISPs, giving broadband customers the tools they need to make informed decisions about how their information is used and shared by their ISPs.

To provide consumers more control over the use of their personal information, the rules establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information. This approach is consistent with other privacy frameworks, including the Federal Trade Commission’s and the Administration’s Consumer Privacy Bill of Rights.

The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:

Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers before using or sharing sensitive information. The rules specify the categories of information that are considered sensitive: precise geolocation, financial information, health information, children’s information, Social Security numbers, web browsing history, app usage history and the content of communications.

Opt-out: ISPs are allowed to use and share non-sensitive information unless a customer opts out. All other individually identifiable customer information – for example, email address or service tier – is considered non-sensitive, and its use and sharing is subject to opt-out consent, consistent with consumer expectations.

Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

In addition, the rules include:

  • Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences
  • A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights
  • Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.

The scope of the rules is limited to broadband service providers and other telecommunications carriers. The rules do not apply to the privacy practices of websites and other “edge services,” over which the Federal Trade Commission has authority. The rules also do not cover other services of a broadband provider, such as the operation of a social media website, or issues such as government surveillance, encryption or law enforcement.


from Help Net Security http://ift.tt/2eKv4Do

Researcher Jonathan Andersson, a member of Trend Micro’s TippingPoint DVLabs, has demonstrated how a specialized hardware module dubbed Icarus can be used to hijack a variety of widely-used hobbyist drones and make them do your bidding.


Why are such tools necessary?

Like any technology, flying drones can be put to good use or misused to enable crimes and endanger the public and/or individuals. Terror attacks via drones, smuggling contraband into prisons, spying on people – these are just a few examples of (potential) misuse.

Law enforcement, emergency responders, security personnel and others tasked with the safety of individuals and groups are looking into ways to ground these unmanned vehicles without destroying them. Offered solutions and those still being tested vary from point-and-shoot tools that can take control of drones to trained eagles that can take them down.

About Icarus

Andersson recently showcased Icarus’ capabilities at the PacSec 2016 security conference in Tokyo.

Those include seizing complete control of drones in range of the device, as well as extracting the drones’ digital fingerprint, so that the owner and his or her motivation for using the drone might be discovered.

Icarus is able to hijack any vehicle that uses the DSMX remote control protocol, which is designed and licensed by Horizon Hobby.

It can discover the unique secret key shared between the vehicle and the operator’s controller simply by observing the (unauthenticated) protocol over the air, then brute-forcing the key from what it has observed.

The key is then used to impersonate the operator’s controller: exploiting a timing weakness in the protocol, the Icarus operator transmits commands to the drone just before the real operator’s packets arrive. The drone accepts the attacker’s commands as valid and rejects the legitimate operator’s.
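The two steps described above (recover the shared key by observing an unauthenticated link and brute-forcing it, then win the per-frame race so the receiver honours the attacker’s packet and drops the operator’s) are modelled in the following example. It is an added illustration, not code from the article and not Andersson’s Icarus; the link model, the 16-bit key, the hash-based channel/tag derivation, the “first valid packet per frame wins” receiver rule and the command names are all hypothetical and are not the DSMX protocol.

```python
"""Toy model of an observe-brute-force-impersonate hijack of an RC link.
Illustrative only: the key size, hop/tag derivation and receiver behaviour
are hypothetical and do NOT describe DSMX."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

KEY_BITS = 16       # hypothetical: small enough that exhaustive search is instant
NUM_CHANNELS = 79   # hypothetical channel count


def frame_params(key: int, frame: int) -> tuple[int, int]:
    """Channel and 32-bit packet tag for a frame, both derived only from the
    shared key. The receiver checks nothing else, so anyone who learns the
    key is indistinguishable from the real controller."""
    digest = hashlib.blake2b(
        key.to_bytes(2, "big") + frame.to_bytes(4, "big"), digest_size=8
    ).digest()
    return digest[0] % NUM_CHANNELS, int.from_bytes(digest[4:], "big")


@dataclass(frozen=True)
class Packet:
    frame: int
    channel: int
    tag: int
    command: str  # hypothetical commands, e.g. "hover" or "fly_to_attacker"


def make_packet(key: int, frame: int, command: str) -> Packet:
    channel, tag = frame_params(key, frame)
    return Packet(frame, channel, tag, command)


class Receiver:
    """Executes the first well-formed packet of each frame and ignores the
    rest of that frame, so whoever transmits first displaces the operator."""

    def __init__(self, key: int) -> None:
        self.key = key
        self.executed: dict[int, str] = {}

    def receive(self, pkt: Packet) -> bool:
        if pkt.frame in self.executed:  # frame already served: dropped
            return False
        if (pkt.channel, pkt.tag) != frame_params(self.key, pkt.frame):
            return False  # wrong channel or tag: dropped
        self.executed[pkt.frame] = pkt.command
        return True


def recover_key(observed: list[Packet]) -> int | None:
    """Eavesdropper's brute force: the key that reproduces every observed
    (frame, channel, tag) triple. Channel and tag travel in the clear, so a
    handful of sniffed frames pins down a 16-bit key."""
    for candidate in range(1 << KEY_BITS):
        if all(frame_params(candidate, p.frame) == (p.channel, p.tag)
               for p in observed):
            return candidate
    return None


def run_hijack(true_key: int, observe_frames: int = 3,
               attack_frames: int = 3) -> dict[int, str]:
    """Operator flies for observe_frames frames while the attacker only
    listens; then the attacker, holding the recovered key, beats the operator
    to the receiver in every following frame. Returns the executed commands."""
    rx = Receiver(true_key)
    sniffed: list[Packet] = []
    for f in range(observe_frames):
        pkt = make_packet(true_key, f, "hover")
        rx.receive(pkt)
        sniffed.append(pkt)  # captured off the air
    stolen = recover_key(sniffed)
    if stolen is None:
        raise RuntimeError("no key reproduces the observed frames")
    for f in range(observe_frames, observe_frames + attack_frames):
        rx.receive(make_packet(stolen, f, "fly_to_attacker"))  # arrives first
        rx.receive(make_packet(true_key, f, "hover"))          # operator: dropped
    return rx.executed


if __name__ == "__main__":
    for frame, cmd in sorted(run_hijack(0xBEEF).items()):
        print(frame, cmd)
```

The fix the model points at is the one the article calls for: the receiver needs a per-packet authenticity check the attacker cannot pass (a key long enough to resist exhaustive search and a proper MAC over frame counter and payload), and it needs to reject, not prefer, an earlier packet that is inconsistent with the sequence it has been following.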

According to Dan Goodin, Horizon Hobby has declined to comment on the research. But even if the company is willing to remedy this particular problem, not all radio transmitters already in the field can be firmware-upgraded.

This state of affairs proves, once again, that building security in from the very beginning is crucial. Unfortunately, it too often falls victim to manufacturers’ desire for fast development and monetization.

More information about Icarus is included in the video below:


from Help Net Security http://ift.tt/2dLRxQX