
Wyden calls on FTC to investigate Microsoft for ‘gross cybersecurity negligence’ in protecting critical infrastructure

Sen. Ron Wyden, D-Ore., on Wednesday called for the Federal Trade Commission to investigate Microsoft, saying the company’s default configurations are leaving customers vulnerable and contributing to ransomware, hacking and other threats.

That includes the 2024 Ascension hospital ransomware attack, which resulted in the theft of personal data, medical data, payment information, insurance information and government IDs for more than 5.6 million patients.

Wyden, whose staff interviewed or spoke with Ascension and Microsoft staff as part of the senator’s oversight, said the attack “perfectly illustrates” the negative consequences of Microsoft’s cybersecurity policies.

Ascension told Wyden’s staff that in February 2024, a contractor using one of the company’s laptops used Microsoft Bing’s search engine and Microsoft Edge, the default web browser that came with it. The contractor clicked on a phishing link, which infected the laptop and spread to Ascension’s broader network. The hackers gained administrative privilege to the company’s accounts through Active Directory, another Microsoft product that manages user accounts, and pushed ransomware “to thousands of other computers in the organization.”

Wyden noted in his letter to FTC Chair Andrew Ferguson that the hackers used a technique known as Kerberoasting to access privileged accounts on Ascension’s Active Directory server. This method takes advantage of weaknesses in encryption protocols that have been obsolete and vulnerable for decades.

“This hacking technique leverages Microsoft’s continued support by default for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts, including experts working for Microsoft, have for more than a decade warned is dangerous,” Wyden wrote.

Still, organizations that rely on RC4 continue to be compromised through Kerberoasting. In 2023, the Cybersecurity and Infrastructure Security Agency warned about exploitation of RC4 and Kerberoasting in the health care sector. A year later, CISA, the FBI and the National Security Agency all warned that foreign countries like Iran were also exploiting the same technique to target American companies.  

Wyden questioned why the company continued to support RC4, saying it “needlessly exposes its customers to ransomware and other cyber threats” and pointing out that better encryption technologies exist — like the Advanced Encryption Standard (AES) — that have federal government approval and could have better protected Microsoft customers.

While Microsoft has said the threat can be mitigated by setting long passwords that are at least 14 characters long, their default settings for privileged accounts do not require it.
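The two conditions the letter singles out, RC4 still accepted for Kerberos service tickets and no 14-character minimum on the accounts that matter, can be audited in any domain. The PowerShell below is an added example, not code from the article, from Microsoft or from Ascension; it assumes the ActiveDirectory RSAT module and read access to the domain, and the remediation line at the end is a commented-out suggestion rather than a step the article prescribes.

```powershell
# Added example: inventory Kerberoasting exposure in an AD domain.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (documented by Microsoft).
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

# 1. Every account that carries a Service Principal Name can have a service
#    ticket requested for it by any domain user, so these are the accounts
#    whose ticket encryption type and password strength matter.
$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, AdminCount

$report = foreach ($acct in $spnAccounts) {
    $enc = $acct.'msDS-SupportedEncryptionTypes'
    # An unset attribute (null or 0) means the KDC uses its defaults, which
    # on the versions discussed in the article still include RC4.
    $allowsRc4 = ($null -eq $enc) -or ($enc -eq 0) -or (($enc -band $RC4) -ne 0)
    $hasAes    = ($null -ne $enc) -and ((($enc -band $AES128) -ne 0) -or (($enc -band $AES256) -ne 0))

    $pwAgeDays = $null
    if ($acct.PasswordLastSet) {
        $pwAgeDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    }

    [pscustomobject]@{
        Account         = $acct.SamAccountName
        Privileged      = ($acct.AdminCount -eq 1)   # protected/admin group member
        AllowsRC4       = $allowsRc4
        AesEnabled      = $hasAes
        PasswordAgeDays = $pwAgeDays
        SPNs            = ($acct.ServicePrincipalName -join '; ')
    }
}

# 2. The 14-character minimum the article cites is not enforced by the
#    default domain policy; report what this domain actually requires.
$policy   = Get-ADDefaultDomainPasswordPolicy
$minLenOk = $policy.MinPasswordLength -ge 14

# Findings, worst first: privileged SPN accounts that still accept RC4.
$report |
    Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true }, AllowsRC4 -Descending |
    Format-Table Account, Privileged, AllowsRC4, AesEnabled, PasswordAgeDays -AutoSize

"Default domain minimum password length: $($policy.MinPasswordLength) (meets 14: $minLenOk)"

# Remediation per account (not run here): restrict the account to AES and
# rotate its password to a long random value, or migrate the service to a
# group Managed Service Account so the password is machine-generated.
# Set-ADUser -Identity <name> -Replace @{ 'msDS-SupportedEncryptionTypes' = ($AES128 -bor $AES256) }
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override the default length for specific groups, so check those too before concluding that privileged accounts are covered.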

In response to Wyden’s letter, a Microsoft spokesperson told CyberScoop that “RC4 is an old standard and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic.”

“However, disabling its use completely would break many customer systems,” the spokesperson wrote. “For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible.”

Wyden wrote that in conversations with his staff in 2024, Microsoft officials agreed to discontinue support for RC4, but have yet to do so nearly a year later.

Microsoft’s press office told CyberScoop that the company plans to have RC4 disabled by default in Active Directory installations starting Q1 of 2026. They also said that disabling RC4 more broadly is “on our roadmap” but did not provide a timetable for doing so.

But Wyden’s letter emphasized that he believed Microsoft, not the public, should bear the security burden of fixing the problem.

“Microsoft chooses the default settings, including the security features that are enabled automatically and the required security settings (e.g. minimum password length),” Wyden wrote, noting that while organizations can change those settings, “in practice, most do not.”

The post Wyden calls on FTC to investigate Microsoft for ‘gross cybersecurity negligence’ in protecting critical infrastructure appeared first on CyberScoop.

Supreme Court blocks FTC commissioner Slaughter’s reinstatement

Rebecca Slaughter’s return-to-work orders have been put on hold for the second time this year, after the U.S. Supreme Court stepped in to block a lower court ruling that ordered her reinstatement at the Federal Trade Commission.

Last week a lower court ruled that Slaughter had been illegally fired by President Donald Trump, citing a 90-year-old Supreme Court precedent upholding the FTC’s independence from the executive branch and preventing presidents from firing commissioners for political reasons.

On Monday, Chief Justice John Roberts halted that order while the Supreme Court considers the case. Roberts provided no explanation for the Supreme Court’s reversal, but ordered the parties in the case to respond by Sept. 15.

Slaughter, who has remained vocal on FTC business and last week expressed her eagerness to return, has been through this once already. Earlier this year, she was briefly reinstated to the FTC by a lower court, only to have that order reversed by another court days later.

Alvaro Bedoya, the other Democratic FTC commissioner Trump purported to fire, has since resigned due to the financial difficulties tied to fighting his dismissal. He described the fight as a lose-lose situation: he is no longer receiving a federal salary as commissioner, and is also prohibited by conflict-of-interest rules from accepting other employment in the meantime.

Bedoya has said that beyond the immediate fates of their jobs, the commissioners are ultimately fighting for an FTC that they believe works in the best interests of the public and is supported by Supreme Court precedent. He has argued the agency — which regulates and enforces against unfair or deceptive business practices, technology, data privacy and other issues — must be insulated from political pressure. 

In an online post last week, Slaughter said her top priority was reinstating the FTC’s Click to Cancel rule, a Biden-era regulation that would have forced companies to provide a simple and straightforward means to cancel their paid subscriptions.

Roberts’ order does not specify how the Supreme Court intends to rule on the case. Legal experts and former FTC officials have said it’s no secret that the Trump administration is looking for the court’s conservative majority to overturn Humphrey’s Executor v. the United States, which was unanimously upheld by the Supreme Court in 1935.

The high court’s decision this week to reverse the D.C. District Court of Appeals ruling is also notable because the court voted 2-1 that Slaughter — not the government — deserved the benefit of the doubt while the case was being adjudicated, citing unambiguously clear and binding legal precedent that had not yet been overturned.

That the Supreme Court overturned it anyway suggests they may agree with D.C. Appeals court Judge Neomi Rao, who wrote in her dissent that forcing FTC staff to acknowledge Slaughter’s legitimacy in the face of presidential orders “directly interferes with the President’s supervision of the Executive Branch and therefore goes beyond the power of the federal courts.”

If the Supreme Court does ultimately side with the administration, it would track with what observers such as Berin Szóka, a technology lawyer and president of the think tank TechFreedom, predicted earlier this year. Szóka, who has supported Slaughter and Bedoya’s efforts, wrote in March that “the fired Democratic FTC Commissioners may win early battles in their lawsuits but, in all likelihood, will ultimately lose at the Supreme Court — unfortunately.”

Roberts and the Supreme Court’s conservative majority have “made clear it will not apply Humphrey’s, if it remains good law at all, to today’s more powerful FTC,” Szóka wrote.


FTC announces settlement with toy robot makers that tracked location of children

The Federal Trade Commission announced a settlement Tuesday with a Chinese robot toy manufacturer, following an investigation that charged the company with illegally collecting the location data of U.S. children who buy its products.

In a complaint filed in the U.S. District Court for the Northern District of California, the Department of Justice on behalf of the FTC charged Shenzhen, China-based Apitor Technology — makers of programmable robot toys for children — with violating U.S. federal law by tracking the geolocation of users under the age of 13 through an online app that users download to operate the robots.

Apitor collected this data without informing parents or asking for permission, the FTC said, violating parental consent requirements in the 1998 Children’s Online Privacy Protection Act.

This collection, ongoing since at least 2022, “subjects underage consumers to ongoing harm and deprives parents of the ability to make an informed decision about the collection of their children’s location information,” the FTC alleged in its complaint.

“Apitor allowed a Chinese third party to collect sensitive data from children using its product, in violation of COPPA,” Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, said in a statement. “COPPA is clear: Companies that provide online services to kids must notify parents if they are collecting personal information from their kids and get parents’ consent — even if the data is collected by a third party.”

The toys made by Apitor are sold on Amazon and other online marketplaces, marketed to children between the ages of 6-14, and promise educational benefits such as teaching children coding skills.

Apitor robots, marketed to children between 6-14 years of age, were available for sale on Amazon and other online e-marketplaces. (Source: FTC)

Apitor’s products come with a companion application, downloadable on Android and iOS mobile devices, for children to remotely control the robots. It also included a third-party software development kit called JPush, made by a Chinese phone developer and analytics company, that collects “the precise geolocation data for thousands of children,” the agency said.

The company’s own privacy policy expressly affirms its intentions to adhere to U.S. law, at one point stating “[w]e are committed to complying with the Children’s Online Privacy Protection Act” without disclosing the tracking of geolocation data through JPush.

In a proposed order detailing terms of the settlement, Apitor did not admit or deny the allegations but agreed to pay a $500,000 civil fine for previous violations and delete collected geolocation data or obtain express parental consent from each user.

The company also agreed to 10 years of compliance monitoring and must include a “clear and conspicuous” disclosure in any visual, audible or electronic marketing about its robots that it intends to collect geolocation data — or any COPPA-protected personal data — and request explicit consent from parents before doing so.


Court rules ‘fired’ FTC commissioners be reinstated — again

For the second time, a court has ruled that President Donald Trump’s attempted firing of Federal Trade Commission members Rebecca Slaughter and Alvaro Bedoya was illegal and ordered the agency to reinstate the commissioners.

By law, the FTC governs by a bipartisan 3-2 split, with the president’s party getting an extra seat and controlling the chair. But earlier this year, Trump attempted to fire just Bedoya and Slaughter, leaving only Republican-appointed members on the commission.

A district court temporarily reinstated Slaughter but that decision was reversed in another court ruling just days later. Bedoya eventually resigned his position, citing financial difficulties. 

Now, the District Court of Appeals for the District of Columbia has ruled 2-1 that the attempted firings ran afoul of the law, this time saying the government was likely to lose its case on the merits. 

In their opinion, Judges Cornelia Pillard and Patricia Millett specifically cited the precedent set by the Supreme Court in Humphrey’s Executor v. United States, a 1935 case in which justices unanimously ruled that FTC commissioners could only be fired for specific cause.

That precedent, the judges wrote, remains the law of the land until the Supreme Court says otherwise.  

“The government has no likelihood of success on appeal given controlling and directly on point Supreme Court precedent,” Pillard and Millett wrote. “Specifically, ninety years ago, a unanimous Supreme Court upheld the constitutionality of the Federal Trade Commission Act’s for-cause removal protection for Federal Trade Commissioners.”

After Trump’s attempted firings in March, Slaughter and Bedoya quickly challenged the legality of the move in court, saying they were fired “not because they were inefficient, neglectful of their duties, or engaged in malfeasance, but simply because their ‘continued service on the FTC is’ supposedly ‘inconsistent with [his] Administration’s priorities.’”

While Humphrey’s Executor remains the law of the land, the administration and some former officials have argued that the FTC now plays a far more important policy role in the executive branch than it did in 1935, when the court cited the “quasi-legislative” and “quasi-judicial” functions of the agency.

The current Supreme Court, they argue, does not share the same views, pointing to a 2020 case where the court majority suggested that the conclusions about the FTC’s role in Humphrey’s Executor “has not withstood the test of time.”

“No administration until now has wanted to push the limits on that but the current administration has made clear they think it’s wrongly decided,” one former FTC official, who requested anonymity to speak candidly, told CyberScoop in March.

The DC District Court of Appeals said the government “acknowledges that Humphrey’s Executor ‘remains binding on this Court’” but argues that the court should disregard that precedent.

“Over the ensuing decades — and fully informed of the substantial executive power exercised by the Commission — the Supreme Court has repeatedly and expressly left Humphrey’s Executor in place, and so precluded Presidents from removing Commissioners at will,” Pillard and Millett wrote.

Millett and Pillard argued that the FTC in 1935 had the same core authorities and mission as it does today: to promulgate rules and regulations, investigate violations of federal law, issue subpoenas and enforce violations.

The “present-day Commission exercises the same powers that the Court understood it to have in 1935 when Humphrey’s Executor was decided,” they added, and “bucking such precedent is not within this court’s job description.”

The D.C. District Court likely won’t have the last word. The administration continues to appeal and most observers expect the matter to ultimately reach the Supreme Court. In the meantime, Slaughter said she intends to return to her job this week.

“Amid the efforts by the Trump admin to illegally abolish independent agencies, [including] the Federal Reserve, I’m glad the court has recognized that he is not above the law,” Slaughter wrote on X Tuesday after the decision. “I’m eager to get back first thing tomorrow to the work I was entrusted to do on behalf of the American people.”

In a dissent, Judge Neomi Rao referred to the FTC as a “so-called independent agency” and disagreed with the court majority, saying she believed the government would ultimately prevail on the merits.

The circuit court “need not definitively determine whether Slaughter’s removal was lawful” because in previous cases this year where officials fired by the president were reinstated by courts, the Supreme Court has intervened on the administration’s behalf — at least while the cases are winding through the court system.

By forcing FTC staff to ignore the president’s directive and treat Slaughter as commissioner in good standing, the district court’s decision “directly interferes with the President’s supervision of the Executive Branch and therefore goes beyond the power of the federal courts,” Rao wrote.


Disney to Pay $10 Million to Settle FTC Allegations the Company Enabled the Unlawful Collection of Children’s Personal Data

From the Federal Trade Commission: Disney will pay $10 million to settle Federal Trade Commission allegations that the company allowed personal data to be collected from children who viewed kid-directed videos on YouTube without notifying parents or obtaining their consent as required by the Children’s Online Privacy Protection Rule (COPPA Rule). The proposed order would transform how the...

Workado settles with FTC over allegations it inflated its AI detectors’ capabilities 

The Federal Trade Commission thinks AI detectors might be BS.

The agency announced a consent order this week with Workado, an Arizona-based company that makes an AI content detector tool. The order forces the company to retract its public claims about the tool’s effectiveness and to notify its customers.

The settlement follows an investigation by the FTC this past year into Workado’s public claims that its AI content detector could determine with near-perfect accuracy whether a piece of text was generated by popular commercial large language chat models from OpenAI, Anthropic, Google and others.

That included claims that the detector “is one of the most trusted and goes deeper than a generic AI detector.” It claims to accurately detect AI-generated content 98% of the time, while at the same time offering a pro version of the software that it claimed could “transform AI text into undetectable AI content.”

But according to an FTC complaint in April, Workado “did not build, train or finetune” the actual AI model behind its product, which was pulled from Hugging Face, an open-source and publicly available AI repository.

That model was only trained on academic content — not Wikipedia, blogs and other sources — and limited to ChatGPT, excluding other commercial models. The developers’ testing data “also showed that the AI Model struggled to identify AI-generated content as AI-generated when evaluating nonacademic content, correctly detecting AI-generated text merely 53.2% of the time,” not 98% as Workado claimed.

“Consumers trusted Workado’s AI Content Detector to help them decipher whether AI was behind a piece of writing, but the product did no better than a coin toss,” said Chris Mufarrige, Director of the FTC’s Bureau of Consumer Protection, in April. 

The FTC settlement specifies that Workado “must not make any representation expressly or by implication” about the effectiveness of its product at detecting AI-generated or altered content “unless the representation is non-misleading.”

In order to do that, Workado must ensure that “at the time such representation is first made, and each time such representation is made thereafter, they possess and rely upon competent and reliable evidence, which when appropriate based on the expertise of professionals in the relevant area must be competent and reliable scientific evidence, that is sufficient in quality, quantity, and timeliness based on standards generally accepted in the relevant fields when considered in light of the entire body of relevant and reliable evidence, to substantiate that the representation is true.”

Essentially, that means every time Workado publicly claims its software can spot signs of AI manipulation, it must repeat its testing process and update the software to keep pace with newer models. As part of the order, the company is required to securely store all test data and related documentation for future review and submit to ongoing government compliance monitoring.

Workado, which did not formally acknowledge wrongdoing as part of the order, must also contact its customers using an FTC-drafted letter to acknowledge it settled charges of false or unsubstantiated advertising claims about the accuracy of its AI content detector.

“We claimed that our AI Content Detector will predict with a 98% accuracy rate whether text was created by AI content generators like ChatGPT, GPT4, Claude, and Bard,” the draft letter states. “The FTC says we didn’t have proof to back up those claims. We’ve stopped making those claims. In the future, we won’t make claims about the accuracy of our AI content detection tools unless we can prove them.”

To be clear, designing a program that can reliably detect AI-generated content over long periods of time is a challenging, but legitimate, field. Because both deepfakes and deepfake detectors are built on the same underlying LLM technology, their algorithms can learn from each other’s innovations, and models can be trained to more effectively find (or evade) each other. This creates a perpetual cat-and-mouse game, in which the effectiveness of AI detectors gradually degrades over time unless they are updated.

Researchers at the Defense Advanced Research Projects Agency (DARPA) have been aware of this problem for years and have worked to design systems that can accurately identify AI-manipulated content in text, video and audio. They have also designed these systems to be adaptable, allowing them to evolve as AI technology advances. While there is a clear need for forensic tools to analyze media for synthetic content, creating solutions that remain consistently effective will always be a moving target.

But the investigation and settlement with Workado demonstrate that the FTC understands the fluidity of the science behind AI detection, and believes the bar for companies to claim their tools work as intended is higher and requires constant, science-backed vigilance to remain true over time.


FCC removes 1,200 voice providers from telephone networks in major robocall crackdown

The Federal Communications Commission announced Monday it has blocked more than 1,200 voice service providers from having access to the country’s phone network for failing to comply with anti-robocall regulations, marking the agency’s largest enforcement action against companies that facilitate illegal automated calls.

The providers were disconnected after violating FCC rules requiring accurate certifications in the agency’s Robocall Mitigation Database, a system designed to track compliance with caller authentication protocols. The action affects approximately half of the 2,411 companies that received compliance warnings in December 2024.

“Robocalls are an all-too-common frustration — and threat — to Americans (sic) households,” FCC Chairman Brendan Carr said in a release. “The FCC is doing everything in its power to fight back against these malicious and illegal calls. Providers that fail to do their duty when it comes to stopping these calls have no place in our networks. We’re taking action and we will continue to do so.”

The removal follows a preliminary warning issued to 185 companies, along with further action from attorneys general dubbed “Operation Robocall Roundup,” which, among other things, included sending warning letters to 37 voice providers demanding compliance with federal requirements.

The removals center on the STIR/SHAKEN protocol system, a caller authentication framework that requires telecommunications carriers to verify caller identity before routing calls through networks. The system addresses a core challenge in robocall prevention: tracing calls that traverse multiple carrier networks before reaching consumers.

Providers must certify STIR/SHAKEN implementation on all internet protocol-based network portions and submit robocall mitigation plans to maintain database access. Companies removed can only rejoin with express approval from FCC enforcement bureaus.

The FCC has invested approximately $250 million in STIR/SHAKEN implementation since the system’s 2020 launch, but significant gaps remain. The authentication system functions only on modern Voice Over Internet Protocol (VoIP) networks, leaving older telephone infrastructure vulnerable.

The enforcement action reflects the government’s struggle in defeating the scourge of robocalls. Earlier this year, Federal Trade Commission Chair Andrew Ferguson told Congress that his agency received more than 2 million complaints about unwanted calls in fiscal year 2024, with 1.1 million specifically concerning robocalls.

The FTC has also contacted 31 Voice Over Internet Protocol providers believed responsible for more than 450 distinct robocalling campaigns. Ferguson indicated in testimony that earlier communications resulted in behavioral changes and reduced activity from most contacted providers.

During May congressional testimony, Carr described robocalling as “probably the number one issue” raised by consumers, calling the problem “exceptionally frustrating.” He noted that robocallers have demonstrated adaptability to previous mitigation efforts, often shifting tactics when one avenue is blocked.

Recent actions have established significant penalties for non-compliance. Lingo Telecom, a Texas-based provider, received a $1 million fine for authenticating AI-generated robocalls that targeted New Hampshire primary voters with fake Joe Biden messages. The incident prompted new FCC rules in January tightening STIR/SHAKEN reporting requirements.

While the focus of the action is on bad actors inside the U.S., international robocall operations present ongoing challenges. Many illegal calls originate from overseas locations where U.S. agencies lack direct authority, complicating efforts to pursue bad actors at their source.

You can read the full list of blocked providers here.


FTC warns tech companies not to weaken encryption, free speech practices for foreign governments

Federal Trade Commission Chair Andrew Ferguson warned U.S. tech companies not to accede to laws in foreign countries that weaken Americans’ free speech or data privacy rights.

Specifically, Ferguson cited laws like the European Union’s Digital Services Act and the U.K.’s Online Safety Act as statutes that incentivize U.S. tech companies “to censor speech, including speech outside of Europe.” He said that could lead to heightened surveillance of Americans by foreign governments and increase their risk around identity theft and fraud.

“Companies might be censoring Americans in response to the laws, demands, or expected demands of foreign powers,” Ferguson wrote in letters to 13 different tech companies Thursday. “And the anti-encryption policies of foreign governments might be causing companies to weaken data security measures and other technological means for Americans to vindicate their right to anonymous and private speech.”

Additionally, as companies continue to face fragmented and balkanized internet laws across different countries, Ferguson worried that some companies may opt for maximally invasive or restrictive policies toward their users in order to stay in compliance with the strictest laws.

“I am also concerned that companies such as your own might attempt to simplify compliance with the laws, demands, or expected demands of foreign governments by censoring Americans or subjecting them to increased foreign surveillance even when the foreign government’s requests do not technically require that,” he wrote.

Ferguson sent the letters to executives at Akamai, Alphabet, Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack and X.

He criticized the Biden administration for “actively” working to censor American speech online. The Supreme Court has largely upheld the constitutionality of the federal government’s conversations with tech companies under the Biden administration.

President Donald Trump has publicly attacked and pressured many of the same companies Ferguson is targeting, in some cases threatening to use the power of the federal government to force them to adopt his preferred policies — not only on content moderation and disinformation, but also tariffs, diversity, equity and inclusion programs, unflattering search engine results and numerous other demands. Nevertheless, Ferguson praised Trump for allegedly putting “a swift end” to the weaponization of the federal government against Americans for their speech.

The FTC chair said in his letter that the agency is focused on the importance of offering strong end-to-end encryption to users, regardless of what laws or regulations in other countries may require.

“If a company promises consumers that it encrypts or otherwise keeps secure online communications but adopts weaker security due to the actions of a foreign government, such conduct may deceive consumers who rightfully expect effective security, not the increased susceptibility to breach or intercept desired by a foreign power,” Ferguson wrote.

The FTC’s letters were sent the same week that Director of National Intelligence Tulsi Gabbard announced the U.S. government had successfully engaged with U.K. leaders to drop their demand that Apple provide law enforcement with a means to access encrypted user cloud data for investigations, even for users outside the U.K.

The demand resulted in Apple withdrawing its Advanced Protection Program feature from U.K. iPhones and Apple computers, as privacy advocates continued to argue that any access given to law enforcement would fundamentally weaken the encryption that all its users rely on.


Why Do Car Dealers Need Cybersecurity Services? 

Tom Smith // At Black Hills Information Security (BHIS), we deal with all manner of clients, public and private. Until a month or two ago, though, we’d never dealt with […]

The post Why Do Car Dealers Need Cybersecurity Services? appeared first on Black Hills Information Security, Inc.
