The National Institute of Standards and Technology’s Cybersecurity Framework v1.1 is “a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Director Walter Copan Tuesday, announcing the version’s release. It has updates for authentication and identity; self-assessing cybersecurity risk; managing cybersecurity within the supply chain; and vulnerability disclosure, said the agency.
CenturyLink called attention to botnets, saying it tracked an average 195,000 daily threats, affecting 104 million unique targets, from servers and computers to handheld and other devices. They "are one of the foundational tools bad actors rely on to steal sensitive data and launch DDoS [distributed denial of service] attacks," said Mike Benjamin, head of CenturyLink's Threat Research Labs, in a Tuesday release on a 2018 threat report. "The United States, Russia and China hold the lead as the three most common points of origin for malicious internet activities," followed by Brazil and Ukraine, the telco said. The U.S., China, Germany, Russia and the U.K. were the top five countries targeted in bot attacks, it said. "Scanning for vulnerable devices is the basis" for two common botnets, Mirai and its precursor Gafgyt (also called Bashlite, Lizkebab and Torlus), the report said: "Once vulnerable devices are identified, they are instructed to connect to a download server to install the malware. They then may be instructed to port scan for vulnerable devices or use external scanners to find and harvest new potential bots. ... Mirai and Gafgyt have been tied to DDoS attacks against gaming servers and the botnet owner's perceived rivals."
Netflix added 7.42 million new subscribers in Q1, easily beating its forecasts of 6.35 million global net additions, the company said Monday in its quarterly letter to shareholders. It added 1.96 million subscribers in the U.S., well ahead of its forecast of 1.45 million net adds, it said. Internationally, Netflix had 5.46 million new subscribers, beating its forecast of 4.9 million, it said. Revenue grew 43 percent year over year in Q1, “the fastest pace in the history of our streaming business,” helped in part by a 14 percent rise in average selling price, it said.
ICANN should investigate the decision by domain name registrar GoDaddy to throttle Port 43 (automated bulk) access and mask the information in certain Whois fields, NTIA Administrator David Redl said in a Monday letter to ICANN board Chairman Cherine Chalaby. GoDaddy began throttling and masking in January to help reduce spam calls and emails, it said in a notice. But Redl said the actions "are of grave concern" to NTIA "given the U.S. Government's interest in maintaining a WHOIS service that is quickly accessible for legitimate purposes." It's worried that other registrars and registries could copy GoDaddy's approach, he said. The actions are inconsistent with ICANN's multistakeholder approach and could breach ICANN's registrar accreditation agreement, he said. Redl urged the board to investigate and to consider an ICANN cross-community discussion of the matter. NTIA also wants ICANN to look into allowing other players, such as non-ICANN accredited registrars, to offer enhanced domain name system security features.
States backing South Dakota in an online sales tax case before the Supreme Court (see 1804040061) want a return to antiquated models found in the Articles of Confederation or to maximize revenue with minimal effort, wrote Institute for Policy Innovation researcher Bartlett Cleland Friday: “Instead of doing the real work of simplifying their tax codes and finding an effective means to collect the taxes they impose, states have been fighting” to reverse Quill v. North Dakota. That 1992 decision established that states can require retailers to collect state taxes only if the companies are physically located in the state. The court hears oral argument Tuesday.
The Center for Cybersecurity Policy and Law will work with the tech sector to improve hardware vulnerability disclosure policy and processes, wrote Intel Director-Global Security and Internet Governance Policy Audrey Plonk Thursday. “The goal is to identify the specific needs and circumstances of the hardware ecosystem, opportunities to advance disclosure policy and practice, and options for future improvements.”
Backpage CEO Carl Ferrer is facing a maximum of five years in prison after pleading guilty to conspiracy to facilitate prostitution and money laundering, DOJ announced Thursday (see 1804090025). Ferrer, 57, admitted the “great majority of Backpage’s escort and adult advertisements” are prostitution ads, according to DOJ. He agreed to shutter the website and forfeit all corporate assets and Backpage-related property.
Uber agreed to expand data breach disclosure and record-keeping requirements as part of a revised settlement proposed by the FTC in 2017, stemming from allegations the ride-hailing company “deceived consumers about its privacy and data security practices,” the agency announced Thursday. Civil penalties are possible if Uber fails to disclose future data breach incidents, the FTC said. The agency’s revised complaint alleges Uber learned in November 2016 that intruders accessed third-party cloud storage files containing more than “25 million names and email addresses, 22 million names and mobile phone numbers and 600,000 names and driver’s license numbers of U.S. Uber drivers and riders.” Uber failed to disclose that breach while the FTC was investigating the company for a similar 2014 data breach that was settled in August 2017, the FTC said. Uber paid intruders involved in the 2016 breach $100,000 as part of its third-party “bug bounty” program, but didn't alert consumers about the situation until November 2017, the FTC said. Acting FTC Chairman Maureen Ohlhausen said the expanded settlement is “designed to ensure that Uber does not engage in similar misconduct in the future.” Uber Chief Legal Officer Tony West wrote in a statement he's “pleased that just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts.”
The FTC will launch an educational campaign to help small businesses improve cyber defense and data security measures, the agency announced Tuesday. It will distribute “reader-friendly educational materials with information about cybersecurity that small businesses need,” the agency said.
Qualcomm wants to make the connected home more intelligent and efficient, with a platform based on edge computing, it blogged Wednesday. The chipmaker announced the first in a family of SoCs for the development of IoT smart devices. A home security camera that notifies a user every time it senses motion might be entertaining but not very useful. More compelling is a camera pointed to the front door that’s able to differentiate between a son or daughter who has been locked out or a burglar, it said. “This level of home security is possible, but it won’t happen overnight.” For such a camera to be effective, “it needs to be connected and intelligent enough to be able to process and analyze data in real time locally on the device, so it can recognize the things that matter and take immediate action,” it said. Rather than processing information in the cloud, the camera has intelligence to respond based on “what it knows,” it said, saying such integration will “push the IoT ecosystem forward, as developers move away from the cloud and focus on the capabilities of the device.”