FTC seeks research help from DEF CON hackers

FTC objective is better security and privacy in consumer services and products

The Federal Trade Commission made an appeal at DEF CON in Las Vegas this past week in hopes of getting hackers to help it crack down on manufacturers and service providers that leave customers vulnerable.

Top of the list: ransomware, malvertising, networked cars and security for the internet of things.

Of particular interest in the case of IoT is preventing one device from compromising a consumer’s entire private network, says Lorrie Cranor, the FTC’s chief technologist.

She’d like to know what steps manufacturers of IoT gear can take so weaknesses in their products don’t enable attackers to pivot from one vulnerable device to others on the network to cause further harm or to breach privacy.

The FTC’s interest in getting hacker help is strong enough that it sent not only Cranor but also one of its commissioners, Terrell McSweeny.


Cars and the networking gear being built into them need to be segmented so that critical systems such as braking and steering can't be hacked. This is a continuing area of concern, and other presentations at DEF CON focused on how such hacking can be done.

Also of concern, Cranor says, is the use of sensors in children's toys, which pose a possible privacy risk not only to children but to adults as well.

FTC seeks advice

Privacy concerns go beyond the security of devices and networks, though. Cranor says the commission would welcome advice on how users can control personal information that they submit in one context from being spread around without their knowledge or permission.

Smart devices that house a wealth of personal information would better serve privacy needs if they gave their users an easy way to observe what communications they are making in the background. Along with this, the FTC would like advice on how to easily analyze apps to determine whether they are secure and whether the code they incorporate from third-party libraries is as well.

New technologies such as virtual reality are on the commission’s radar, although it hasn’t identified specific threats. Still, it wants to know whether VR raises new consumer concerns for fraud and deception, areas where the FTC can take action.

The commission wants help finding the best ways to evaluate the risks that breaches and vulnerabilities pose to specific organizations. Metrics that indicate the level of risk would help determine whether vendors accurately represent the dangers of their products and services.

A tool could also be used to figure out whether data stolen in a particular breach is being used elsewhere. For example, if a person's credit card number is used fraudulently, is it possible to determine whether it was compromised in a particular breach? This comes into play in cases where consumers have tried to sue retailers for damages after their cards were used fraudulently and the card information had been stolen in a breach.

Along the same lines, Cranor asked for help spotting fraud quickly and automating the process to sort through a higher volume of possible cases.

Anyone who wants to make suggestions can contact the FTC at research@ftc.gov for more information.

The commission is also seeking researchers to present their findings at conferences this fall and next year.

The commission is also running a series of educational sessions to make consumers more knowledgeable through its Start with Security outreach program. It's holding tech sessions on ransomware, drones and smart TVs later this year.

Stories by Tim Greene