Belgian researchers discovered a Wi-Fi security vulnerability affecting a wide range of Android and Linux users, as explained in a research paper. An attacker within range of a victim can break the protocol's protections using key reinstallation attacks (KRACKs) to steal sensitive information like passwords, credit card numbers and emails, and to allow malware to be installed on computers. Mathy Vanhoef and Frank Piessens, researchers with the imec-DistriNet Research Group, said the weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. The problem is with WPA2, the protocol that secures all modern protected Wi-Fi networks. "To prevent the attack, users must update affected products as soon as security updates become available," the researchers said. Google is "aware of the issue, and we will be patching any affected devices in the coming weeks," said a spokesman. Akamai blogged that it's aware of the issue but the "bulk of our corporate wireless traffic access occurs over VPN" and is protected with encryption.
The Department of Homeland Security announced new security measures for email and websites run by federal agencies using .gov domains. Speaking at a Global Cyber Alliance meeting, DHS Assistant Secretary Jeanette Manfra said the agency is transitioning to an email security protocol DMARC (Domain-based Message Authentication, Reporting & Conformance) to prevent spammers and phishers from using federal agency email domains to conduct cyberattacks. Additional tools will heighten security in communications with the public, she said. The cross-sector group endorsed the move.
The IRS "temporarily suspended" a no-bid $7.25 million contract with Equifax "as a precautionary step" while it reviews the credit monitoring service's systems and security in light of a data breach (see 1710030034), said the agency Friday. House Commerce Committee Chairman Greg Walden, R-Ore., and House Digital Commerce Subcommittee Chairman Bob Latta, R-Ohio, said they're "pleased" the taxpayer identity verification contract was suspended but still want answers about its "timing and nature." Walden and Latta said their focus "remains on protecting consumers and getting answers for the 145 million Americans impacted by this massive breach." Other lawmakers, including Rep. Suzan DelBene, D-Wash., also inquired about the contract (see 1710110041, 1710040042 and 1710120016). The tax agency said the breach didn't compromise "the limited IRS data shared under the contract." Suspension means the agency "will be temporarily unable to create new accounts for taxpayers using Secure Access, which supports applications including online accounts and transcripts." Secure Access is the agency's identity authentication process for some online self-help tools. The agency said the contract doesn't affect current users or most services and tools.
Amazon is filling its ranks for the holiday season, announcing Thursday it's adding more than 120,000 positions in the U.S. in fulfillment and sorting centers and customer service sites. It expects to transition “thousands” of the positions to regular, full-time roles after the holidays, it said. New positions are available in 33 states.
The International Association of IT Asset Managers is urging Congress to rescind a no-bid $7.25 million IRS contract to Equifax in light of the credit monitoring service's massive data breach. “I have zero confidence that Equifax should be trusted to process information about U.S. taxpayers,” said IAITAM CEO Barbara Rembiesa. She said former Equifax CEO Richard Smith's testimony last week before congressional committees scapegoated one employee (see 1710030034, 1710040039 and 1710050045). Lawmakers including Rep. Suzan DelBene, D-Wash., aren't pleased with the IRS' explanation and plan to look deeper (see 1710110041 and 1710040042). Meanwhile, all Democratic members of the House Digital Commerce and Consumer Protection Subcommittee, led by ranking member Rep. Jan Schakowsky (Ill.), and the full committee's ranking member Frank Pallone (N.J.), seek more hearings on the Equifax data breach. In a Thursday letter to House Commerce Chairman Greg Walden, R-Ore., and subcommittee Chairman Bob Latta, R-Ohio, they said testimony from Smith was "an important first step ... but too many questions remain unanswered." Smith didn't provide good answers on how the breach occurred and seemed to give contradictory answers on that front, they said. He also couldn't fully explain how the company would move forward, they added. Democrats said they're seeking to advance bipartisan legislation before Dec. 15 that requires "enforceable robust data security practices, meaningful notice to consumers, and meaningful protections for victims of a breach."
Amazon refreshed the Kindle again, adding some free cellular connectivity and Audible, it said Wednesday.
CTA said technologies to watch include automation, artificial intelligence and smart machinery; 5G and smart cities, including the IoT; cybersecurity; and the experience economy using apps for everyday activities. More than 100 U.S. communities are developing 5G-based systems, said a spokesman at the association's conference in San Francisco Tuesday. He said it’s “critical that we train and educate our workforce with lifelong learning to adapt to these challenges and remain competitive.” The group hired a vice president of jobs in September to advance that mission (see report in the Sept. 7 issue of this publication).
The Electronic Frontier Foundation hit back on Deputy Attorney General Rod Rosenstein for his Tuesday speech about "responsible encryption" (see 1710100028). EFF General Counsel Kurt Opsahl criticized the deputy AG on a number of points in a Wednesday blog post, calling them fallacies. He said Rosenstein's coining of "responsible encryption" is "another glib phrase to describe a backdoor." Opsahl said DOJ has said it wants to have an "adult conversation" on encryption. "This is not it. The DOJ needs to understand that secure end-to-end encryption is a responsible security measure that helps protect people," he said.
More than 26 million U.S. broadband households will have professionally monitored security by 2021, Parks Associates reported Tuesday. Revenue will top $14 billion by 2020, it said. A fifth of U.S. broadband households plan to buy a smart all-in-one-security product in the next 12 months, the researcher said.
Additional funding and more resources for stronger enforcement of election laws that restrict foreign entities from interfering in U.S. elections are the "best first step" for congressional action rather than new regulations, blogged Electronic Frontier Foundation Executive Director Cindy Cohn Tuesday. Sens. Amy Klobuchar, D-Minn., and Mark Warner, D-Va., may introduce legislation as early as this week (see 1709250058) that would regulate online political ads. Cohn said applying traditional FCC and Federal Election Commission campaign finance rules for broadcast media -- which the proposed legislation largely does -- may not translate well to online platforms: Facebook, Google, Twitter and Reddit can handle requirements like reporting major ad buys, but such rules may burden smaller online platforms, websites and blogs. "Extending the TV and radio election rules to small speakers and free and low-cost Internet speech will discourage these smaller entities from allowing or engaging in political expression at all," said Cohn. Proposed rules also could require people to identify themselves, harming anonymous political speech and infringing Americans' rights to engage in public debate, she said. Internet companies can prevent foreign election interference without new rules by tracking and shutting down the malicious use of bots to spread fake news; being more transparent in how they choose ads for users (see 1710020056); and allowing independent auditors to analyze data that shows how fake stories, hoaxes and other misinformation were disseminated and their potential influence, she said.