
Most Sites Have Fixed Heartbleed Flaw, Many Remain Exposed

April 22, 2014 by mphillips  
Filed under Around The Net

The world’s top 1,000 websites have been updated to protect their servers against the “Heartbleed” vulnerability, but up to 2% of the top million remained unprotected as of last week, according to a California security firm.

On Thursday, Menifee, Calif.-based Sucuri Security scanned the top 1 million websites as ranked by Alexa Internet, a subsidiary of Amazon that collects Web traffic data.

Of the top 1,000 Alexa sites, all were either immune or had been patched with the newest OpenSSL libraries, confirmed Daniel Cid, Sucuri’s chief technology officer, in a Sunday email.

Heartbleed, the nickname for the flaw in OpenSSL, an open-source cryptographic library that implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption, was discovered independently by Neel Mehta, a Google security engineer, and researchers from security firm Codenomicon earlier this month.

The bug had been introduced in OpenSSL in late 2011.

Because of OpenSSL’s widespread use by websites, many of which relied on it to encrypt traffic between their servers and customers, and because exploiting the flaw leaves no trace in server logs, security experts worried that cyber criminals either had captured, or could capture, usernames, passwords and even the private encryption keys used by site servers.
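The mechanism the article leaves implicit is a missing bounds check, and the following Go program, added here as an illustration and not code from OpenSSL or from Sucuri, models it. A TLS heartbeat request carries a two-byte payload length that the peer is supposed to echo back; the vulnerable handler trusted that field and copied that many bytes out of the record buffer, so a request that claimed more bytes than it actually sent received up to 64 KB of whatever lay next to the record in the server's memory. The program simulates the heap with a byte slice, runs the same request through a handler with and without the single comparison the April 7 fix added, and shows the adjacent secret appearing in the response only in the unpatched case. The secret string, the payload and the memory layout are constructed sample data.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// A TLS heartbeat message (RFC 6520) is laid out as
//   type(1) | payload_length(2, big-endian) | payload | padding(>=16 bytes)
// and sits inside a TLS record whose real length the record layer knows.
const (
	heartbeatRequest  = 1
	heartbeatResponse = 2
	headerLen         = 1 + 2
	minPadding        = 16
)

// processHeartbeat models the heartbeat handler. mem stands in for the
// process heap: the received record is mem[off:off+recLen], and whatever
// follows it in mem plays the role of neighbouring allocations (session keys,
// cookies, form data). With checkLength=false the handler trusts the
// payload_length field and copies that many bytes out of the record buffer,
// which is the missing bounds check of CVE-2014-0160. With checkLength=true
// it applies the 1.0.1g fix: the claimed payload plus minimum padding must
// fit inside the record that was actually received.
func processHeartbeat(mem []byte, off, recLen int, checkLength bool) ([]byte, error) {
	if recLen < headerLen || off+recLen > len(mem) {
		return nil, errors.New("malformed record")
	}
	rec := mem[off:] // deliberately not mem[off:off+recLen]: that is the bug being modelled
	if rec[0] != heartbeatRequest {
		return nil, errors.New("not a heartbeat request")
	}
	claimed := int(binary.BigEndian.Uint16(rec[1:3]))

	if checkLength && headerLen+claimed+minPadding > recLen {
		return nil, errors.New("payload length exceeds record length: silently dropped")
	}
	if headerLen+claimed > len(rec) {
		// In a real process this is where an unmapped page would crash the server.
		return nil, errors.New("read past end of simulated memory")
	}

	// Echo back `claimed` bytes starting at the payload, plus fresh padding.
	resp := []byte{heartbeatResponse, byte(claimed >> 8), byte(claimed)}
	resp = append(resp, rec[headerLen:headerLen+claimed]...) // the over-read
	resp = append(resp, make([]byte, minPadding)...)
	return resp, nil
}

// layoutMemory builds a heartbeat record that claims `claimed` payload bytes
// but actually carries `payload`, and places `secret` right after it in the
// simulated heap. It returns the heap, the record offset and the true record length.
func layoutMemory(claimed uint16, payload, secret []byte) (mem []byte, off, recLen int) {
	rec := []byte{heartbeatRequest, byte(claimed >> 8), byte(claimed)}
	rec = append(rec, payload...)
	rec = append(rec, make([]byte, minPadding)...)
	mem = append(append([]byte{}, rec...), secret...)
	return mem, 0, len(rec)
}

func main() {
	// Constructed sample data: a two-byte payload and a secret that happens
	// to sit next to the record in memory.
	secret := []byte("user=alice&password=hunter2 ;; ticket-key=00112233445566778899")
	honest := []byte("hi")

	// 1. A well-formed request: claimed length matches the payload.
	mem, off, n := layoutMemory(2, honest, secret)
	resp, _ := processHeartbeat(mem, off, n, false)
	fmt.Printf("honest request echoes %q\n", resp[headerLen:headerLen+2])

	// 2. Same two-byte payload, but the attacker claims 48 bytes.
	mem, off, n = layoutMemory(48, honest, secret)
	resp, err := processHeartbeat(mem, off, n, false)
	fmt.Printf("vulnerable handler leaked secret: %v (err=%v)\n",
		bytes.Contains(resp, []byte("hunter2")), err)

	// 3. Same malicious request against the patched handler.
	_, err = processHeartbeat(mem, off, n, true)
	fmt.Printf("patched handler: %v\n", err)
}
```

The model is faithful in the one respect that matters: the fix does not sanitise the length field, it refuses to answer when the claimed length does not fit the record, which is why a patched server simply stops responding to malformed heartbeats and why scanners such as Sucuri's could distinguish patched from unpatched hosts.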

The OpenSSL project issued a patch for the bug on April 7, setting off a rush to patch the software on servers and in some client operating systems.

The vast majority of vulnerable servers had been patched as of April 17, Sucuri said in a blog post that day.

While all of the top 1,000 sites ranked by Alexa were immune to the exploit by then, as Sucuri went down the list and scanned smaller sites, it found an increasing number still vulnerable. Of the top 10,000, 0.53% were vulnerable, as were 1.5% of the top 100,000 and 2% of the top 1 million.

Other scans found similar percentages of websites open to attack: On Friday, San Diego-based Websense said about 1.6% of the top 50,000 sites as ranked by Alexa remained vulnerable.

Since it is conceivable that some sites’ private keys were compromised while the bug was exploitable, security experts urged website owners to generate new keys and obtain new SSL certificates for them (reissuing a certificate for an unchanged key does nothing if that key has leaked), and advised users to be wary of browsing to sites that had not done so.

Sucuri’s scan did not examine sites to see whether they had been reissued new certificates, but Cid said that another swing through the Web, perhaps this week, would. “I bet the results will be much much worse on that one,” Cid said.
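The check Sucuri's scan left out, written here as an added Go example rather than anything from Sucuri: parse the certificate a server presents and compare its NotBefore date with the day the OpenSSL fix shipped. The program generates a throwaway self-signed certificate so that it runs offline; `issuedAfter` is the part you would point at a real leaf certificate, and the host name `example.test` and the two NotBefore dates are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// heartbleedFix is the date the OpenSSL patch was released. A certificate
// whose validity began before this date was issued for a key that may have
// been exposed, and says nothing about whether that key was rotated since.
var heartbleedFix = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// issuedAfter reports whether the first CERTIFICATE block in certPEM has a
// NotBefore on or after cutoff. A patched server presenting a pre-patch
// certificate has not finished remediation.
func issuedAfter(certPEM []byte, cutoff time.Time) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return !cert.NotBefore.Before(cutoff), nil
}

// selfSignedCert builds a throwaway certificate with the given NotBefore so
// the check can be exercised offline. A real scan would instead take the
// leaf from the TLS handshake (tls.Conn.ConnectionState().PeerCertificates[0]).
func selfSignedCert(host string, notBefore time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	for _, nb := range []time.Time{
		time.Date(2013, time.November, 1, 0, 0, 0, 0, time.UTC), // issued before disclosure
		time.Date(2014, time.April, 10, 0, 0, 0, 0, time.UTC),   // reissued after the patch
	} {
		certPEM, err := selfSignedCert("example.test", nb)
		if err != nil {
			panic(err)
		}
		ok, err := issuedAfter(certPEM, heartbleedFix)
		if err != nil {
			panic(err)
		}
		fmt.Printf("NotBefore %s -> reissued after fix: %v\n", nb.Format("2006-01-02"), ok)
	}
}
```

A NotBefore after April 7 is necessary but not sufficient: a site can have a new certificate issued for the same private key. When you hold both the old and the new certificate, also compare the public keys (for instance a SHA-256 over `cert.RawSubjectPublicKeyInfo`); only a changed key shows that the key was actually rotated.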



FTC Proceeding With Lawsuit Against Hotel Over Poor Data Security

April 9, 2014 by mphillips  
Filed under Around The Net

A U.S. court has ruled that the Federal Trade Commission can proceed with a lawsuit against hotel group Wyndham Worldwide Corp for allegedly failing to properly secure consumers’ personal information.

Wyndham had argued that the commission did not have jurisdiction to sue over what the FTC characterized as lax security leading to data breaches, and had asked for the lawsuit to be dismissed.

Judge Esther Salas, of the U.S. District Court for the District of New Jersey, disagreed and ruled that the FTC should be allowed to proceed with its case.

Wyndham said in a statement that it planned to continue its fight.

“We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security,” the company said. “We intend to defend our position vigorously.”

The FTC has accused Wyndham of failing to provide adequate security for its computer system, leading to three data breaches between April 2008 and January 2010. It says the breaches led to fraud worth $10.6 million.

FTC Chairwoman Edith Ramirez said she was “pleased that the court has recognized the FTC’s authority to hold companies accountable for safeguarding consumer data.

“We look forward to trying this case on the merits,” she said.

Wyndham operates several hotel brands, including the value-oriented Days Inn and Super 8. It is one of many organizations to acknowledge in recent years that it had been hacked by people seeking either financial gain or intellectual property.


Banks Decide To Withdraw Lawsuit Against Target Over Data Breach

April 2, 2014 by mphillips  
Filed under Around The Net

Two banks that filed legal action against Target over its recent data breach have decided to withdraw such claims, apparently due to an erroneous allegation against a security vendor also named in the suit.

Green Bank of Houston filed a notice of dismissal Monday in the U.S. District Court for the Northern District of Illinois, effectively saying it will no longer pursue the claim. Trustmark National Bank of New York made a similar filing Monday.

The banks had alleged that Target’s data breach occurred because it failed to meet industry standards to protect payment card data. Also named as a defendant was Trustwave, a security company that specializes in payment card compliance.

Green Bank and Trustmark complained in the suit that U.S. banks have already spent $172 million replacing compromised payment cards. The lawsuit asked for unspecified compensatory and statutory damages.

However, on Saturday Trustwave CEO Robert J. McCullen wrote in a letter that Target had not outsourced its data security or its IT obligations to Trustwave. “Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target,” he wrote.

It’s not clear from the lawsuit why the banks thought Trustwave had provided that service for Target. Their suit alleged that Trustwave had scanned Target’s network on Sept. 30 but found no vulnerabilities.

Lawyers for Trustmark National Bank and Green Bank did not respond to requests for comments.

The lawsuit is just one of dozens filed against Target, which lost 40 million payment card details and 70 million other personal records in one of the largest data breaches in history.

Target executives have been called to testify several times before Congress. The company has said it believes attackers stole the data between Nov. 27, 2013, and Dec. 15, 2013, via malicious software installed on point-of-sale devices.


Can A Newly Discovered Security Flaw Brick Android Tablets And Smartphones?

March 26, 2014 by Michael  
Filed under Mobile

A security flaw in Google’s Android mobile operating system (OS) could be exploited by hackers looking to brick smartphones and tablets, security researchers have uncovered.

The security hole was found by independent researcher Ibrahim Balic, who revealed his Android bricking discovery in a blog post earlier this month. Security company Trend Micro has since confirmed that Balic’s memory corruption bug is authentic and that the flaw is exploitable.

“We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets, which include bricking a device, or rendering it unusable in any way,” Trend Micro mobile threat analyst Veo Zhang wrote in a blog post. “In this context, the device is bricked as it is trapped in an endless reboot.”

According to Trend Micro, the vulnerability means hackers could build a Trojanised application to target devices running Android versions 4.0 and above, which if the latest figures at the Android Developer forum are anything to go by, could affect up to 80 percent of all active Google smartphones and tablets.

Trend Micro senior threat researcher David Sancho said the company has yet to see evidence that hackers are actively exploiting the flaw, but warned that the early exposure by Balic could encourage criminals to begin using it.

“Trend Micro has not seen evidence of exploitation at this moment [but] as with every new vulnerability, this is no guarantee about the future. In fact, describing a new vulnerability might cause new attempts of exploitation.”

Earlier this month, another security researcher and CTO of startup company Doublethink, Bas Bosschert, discovered a flaw in the Android OS, claiming that it allowed cyber criminals to steal conversations from users of mobile messaging service Whatsapp.

Bosschert detailed the flaw in a blog post in which he demonstrated the method for accessing Whatsapp chats. He said the vulnerability still existed even after the Whatsapp app had been updated the previous week.

Bosschert said the attack is possible because Whatsapp stores its message database on the SD card (shared external storage), which any Android application can read once the user has granted it permission to access the card.

Bosschert noted that this is an issue in the Android infrastructure, specifically a problem with Android’s data sandboxing system, as opposed to a security flaw in Whatsapp.

Whatsapp disputed such claims, calling them “overstated”.


25K Linux And Unix Servers Were Hacked in Two Years

March 21, 2014 by Michael  
Filed under Computing

25,000 Linux and Unix servers were compromised over the last two years to steal Secure Shell (SSH) credentials, redirect web users to malicious content and send spam, security firm ESET has reported.

ESET said the servers were exploited as part of a large server-side credential stealing malware campaign named Operation Windigo, and has published a report about the campaign.

“The gang behind Operation Windigo uses infected systems to steal credentials, redirect web traffic to malicious content, and send spam messages,” ESET said. “According to our analysis, over 25,000 servers have been affected over the last two years. More than 10,000 of them are still infected today.”

All of these servers had been compromised with the Linux/Ebury OpenSSH backdoor, ESET established. The firm said this is significant because each of the systems has access to substantial bandwidth, storage, computing power and memory.

“Well known organizations such as cPanel were on the list of victims, although they have now cleaned their systems,” ESET said in a blog post. It reported that the infected servers are used to redirect half a million web visitors to malicious content every day.

“Our research also shows that the attacker is able to send more than 35,000,000 spam messages per day with his current infrastructure. Operating systems affected by the spam component include Linux, FreeBSD, OpenBSD, OS X, and even Windows (with Perl running under Cygwin),” said ESET.

ESET said it chose the name “Windigo” for its North American First Nations roots and its reference to a malevolent half-beast. Together with the European Organization for Nuclear Research (CERN) and the Swedish National Infrastructure for Computing, the firm has formed an international working group to dismantle the operation.

“With the help of the working group, thousands of victims have been notified that their servers were infected, in an effort to clean as many systems as possible. We are now releasing a complete white paper in hopes of raising awareness around Operation Windigo and motivating administrators to clean up their compromised servers,” ESET said.


HP Wants To Make BYOD Printing More Secure

March 18, 2014 by mphillips  
Filed under Around The Net

Using mobile devices for one-off printing tasks on office printers may not be a big deal, but Hewlett-Packard is trying to minimize any security risk through direct wireless printing features it is bringing to enterprise printers.

HP is adding NFC (near-field communication) and Wi-Fi Direct to its new color LaserJet printers so mobile devices can establish a wireless connection directly to a printer without being logged into an office network. The printer establishes a peer-to-peer connection to tablets or smartphones, and users can send a print command directly to a printer within range.

The goal is to provide everyone in an office easy access to a printer, and keep rogue smartphones and tablets from a corporate network, said Todd Gregory, director at HP’s Personal and Printing Systems group.

Increasingly, office printers are being used to print personal documents, but rogue devices can be a security hazard in bring-your-own-device environments, Gregory said. The new peer-to-peer printing features can make BYOD environments easier to manage while ensuring document security on corporate networks.

“There is this balance between how do we protect the environment and how we enable access for temp employees, contractors, or even our own employees that have certain types of work that I don’t want floating around,” Gregory said.

Many printers are usually connected behind a firewall to the document workflow system, with security measures in place to print and access documents. A direct connection to printers through NFC or Wi-Fi Direct is independent of the firewall, and also spares system administrators from putting permissions in place in mobile-device-management software.

The new color laser printers introduced by HP on Monday have an independent module with Wi-Fi Direct and NFC that physically attaches to the printer and can be easily snapped out. Once snapped out, the peer-to-peer printing features cannot be used.

One of the new printers is the Color LaserJet Enterprise MFP M680. The printer can render 45 pages per minute, and costs $0.01 per grayscale page and $0.07 for each color page. New algorithms and technologies help squeeze more pages per cartridge, HP said. It has a keyboard and an 8-inch color touch panel. The printer will ship next month and be priced between $3,649 and $5,899. The MFP can also scan, copy and fax.

NFC features are also in the Color LaserJet Enterprise M651, which is only for printing. It will be available next month starting at $1,349.

HP is also offering software to secure printing. HP announced the ePrint Enterprise 3.2 app for mobile devices, which adds security layers before users are allowed to print either through a peer-to-peer connection or over a Wi-Fi network.

In addition, the new printers also support Mopria, a plug-in designed to make wireless printing via Android 4.4 easier.


Sears May Be Latest Victim Of Data Breach

March 4, 2014 by mphillips  
Filed under Around The Net

Sears Holdings Corp acknowledged it has launched an investigation to determine whether it was the victim of a security breach, following Target Corp’s revelation at the end of last year that it had suffered an unprecedented cyber attack.

“There have been rumors and reports throughout the retail industry of security incidents at various retailers and we are actively reviewing our systems to determine if we have been a victim of a breach,” Sears spokesman Howard Riefs said in a statement on Friday.

“We have found no information based on our review of our systems to date indicating a breach,” he added.

He did not say when the operator of Sears department stores and Kmart discount stores had begun the investigation or provide other information about the probe.

Sears Holdings Corp operates nearly 2,500 retail stores in the United States and Canada.

Bloomberg News reported on Friday that the U.S. Secret Service was investigating a possible breach at Sears, citing a person familiar with the investigation. The report did not identify that source by name.

The Bloomberg report said that its source did not disclose details about the scope or timing of the suspected breach.

A spokesman for the U.S. Secret Service declined comment when Reuters asked if the agency was investigating a possible breach at Sears.

The Secret Service is leading the U.S. government’s investigation into last year’s attack on Target, which the company has said led to the theft of some 40 million payment card numbers as well as another 70 million pieces of personal data.


Cybersecurity Firm Says It Has Uncovered Over 300M Stolen Credentials

February 27, 2014 by mphillips  
Filed under Computing

A cybersecurity firm has stated that it has found stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.

The discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.

Alex Holden, chief information security officer of Hold Security LLC, said in an interview that his firm obtained the data over the past three weeks, meaning an unprecedented amount of stolen credentials is available for sale underground.

“The sheer volume is overwhelming,” said Holden, whose firm last year helped uncover a major data breach at Adobe Systems Inc in which tens of millions of records were stolen.

Holden said he believes the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breach known to date.

He said he believes the credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may remain unaware until they are notified by third parties who find evidence of the hacking, he said.

“We have staff working around the clock to identify the victims,” he said.

He has not provided any information about the attacks to other cybersecurity firms or authorities but intends to alert the companies involved if his staff can identify them.

The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are stored in plain text. Holden said that in contrast, the Adobe breach, which he uncovered in October 2013, yielded tens of millions of records whose passwords were encrypted, which made them harder for hackers to use.

The email addresses are from major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations. Holden said he alerted one major email provider that is a client, but he declined to identify the company, citing a nondisclosure agreement.

Heather Bearfield, who runs the cybersecurity practice for accounting firm Marcum LLP, said she had no first-hand knowledge of the data that Hold Security uncovered, but that it was plausible for hackers to obtain such a large amount of data because these breaches are on the rise.

She said hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts.

“They can get access to your actual bank account. That is huge,” Bearfield said. “That is not necessarily recoverable funds.”

After recent payment-card data breaches, including one at U.S. retailer Target, credit card companies stressed that consumers bear little risk because they are refunded rapidly for fraud losses.

Wade Baker, a data breach investigator with Verizon Communications Inc, said that the number of attacks targeting payment cards through point-of-sales systems peaked in 2011. That was partly because banks and retailers have gotten better at identifying that type of breach and quickly moving to prevent crooks from making fraudulent transactions, he said.

In addition to the 360 million credentials, the criminals are selling some 1.25 billion email addresses, which would be of interest to spammers, Hold Security said in a statement on its website.


Kickstarter Site Hacked, Recommends Users Change Passwords

February 18, 2014 by mphillips  
Filed under Around The Net

Kickstarter, the fundraising website used by millions of people to raise capital for creative projects and businesses, acknowledged that hackers had gained access to some of its customers’ data but that the breach had been repaired.

“No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts,” Kickstarter Chief Executive Officer Yancey Strickler said in a blog post on the website. The post noted that Kickstarter does not store credit card data.

Recent data breaches at Target Corp and Neiman Marcus have sparked concern from U.S. lawmakers and consumers over who should bear the cost of consumer losses and how to improve cybersecurity.

Kickstarter’s information that was accessed without authority included user names, email addresses, mailing addresses, phone numbers and encrypted passwords, said Kickstarter, which was informed of the breach by law enforcement officials on Wednesday night.

It added that while the passwords were not exposed in the clear, someone with computer expertise could still crack the encrypted passwords, and recommended users change their Kickstarter password as well as the password on any other site or account where they had used the same one.

Kickstarter said it had beefed up security in recent days. It also said it was working with law enforcement officials.

Kickstarter launched in 2009 as a conduit for funding of projects ranging from films and stage shows to video games and restaurant launches. Contributors to a project’s launch are often compensated with rewards, discounts, credits or other offers from the projects they help fund.

Since its launch more than 100,000 projects have been funded, with hundreds of millions of dollars pledged.


SEC Plans Roundtable On Cybersecurity

February 17, 2014 by mphillips  
Filed under Around The Net

The Securities and Exchange Commission said that it is making plans to conduct a roundtable next month to discuss cybersecurity, after massive retailer breaches refocused the attention of the business community and policymakers on the area.

The SEC said that it would hold the event on March 26 to talk about the challenges cyber threats pose for market participants and public companies.

Recent breaches at Target Corp and Neiman Marcus have sparked concern from lawmakers and revived a long-running spat among retailers and banks over who should bear the cost of consumer losses and technology investments to improve security.

Last Thursday, trade groups for the two industries announced they are forming a partnership to work through the disputes.

U.S. lawmakers have also considered weighing in on how consumers should be notified of data theft. But progress on legislation is not guaranteed in a busy election year.

The SEC in 2011 drafted informal staff-level guidance for public companies to use when considering whether to disclose cyber attacks and their impact on a company’s financial condition.

SEC Chair Mary Jo White last year told Congress that her agency was reviewing whether a more robust disclosure process is needed. But she told reporters last fall she felt the guidance appeared to be working well and that she didn’t see an immediate need to create a rule that mandates public reporting on cyber attacks.


Was China Hit With A Cyber Attack?

January 24, 2014 by Michael  
Filed under Around The Net

An Internet outage in China that rerouted millions of users to a US website of a company which helps people get around Beijing’s censorship might have been a cyber attack.

Users were redirected to a site run by a company tied to the Falun Gong, a spiritual group banned in China which has been blamed for past hacking attacks. Chinese security experts claim that the outage could have been exploited by hackers, or could have been the result of a hacking attack.

The outage, which lasted for several hours on Tuesday, was blamed on a malfunction in the DNS servers that resolve top-level domains for China’s Internet users. Those users were rerouted to a U.S.-based website run by Dynamic Internet Technology (DIT), a company that sells anti-censorship web services tailored for Chinese users.

The Epoch Times, a publication produced by the Falun Gong which is banned in China, is a client and sponsor of DIT.


Phony Antivirus Program Using Stolen Signing Certificates

December 17, 2013 by mphillips  
Filed under Around The Net

A phony antivirus program in circulation is using at least a dozen stolen digital code-signing certificates, indicating cybercrooks are increasingly breaching the networks of software developers, according to Microsoft.

The application, branded as “Antivirus Security Pro,” was first detected in 2009 and has gone by a handful of other names over the years, according to a Microsoft advisory, which calls it by a single name, “Win32/Winwebsec.”

Digital certificates, issued by Certification Authorities (CAs), bind a developer’s public key to the developer’s identity. The developer uses the matching private key to “sign” software programs; anyone with the certificate can then cryptographically check that a program has not been tampered with since it was signed and that it comes from the developer named in the certificate.

If a hacker obtains that private key, or the credentials that control it, they can sign their own programs with it, which makes those applications appear to come from a legitimate developer.

The samples of Antivirus Security Pro collected by Microsoft used stolen certificates issued “by a number of different CAs to software developers in various locations around the world,” the company wrote.

The certificates were issued to developers in the Netherlands, U.S., Russia, Germany, Canada and the U.K. by CAs such as VeriSign, Comodo, Thawte and DigiCert, according to a chart.

Using stolen certificates is not a new tactic, but it is usually considered difficult to accomplish, since hackers have to breach either the developer that holds the signing key or the CA that issues the certificates.

One of the certificates was issued just three days before Microsoft picked up samples of Antivirus Security Pro using it, indicating “that the malware’s distributors are regularly stealing new certificates, rather than using certificates from an older stockpile.”

Microsoft noted that another fake antivirus program, “Win32/FakePav,” is also rotating stolen certificates.

Win32/FakePav has gone by more than 30 other names since its detection around 2010. It did not use any signing certificates in its early days. The malware was inactive for more than a year until new samples were recently discovered that used a certificate, which was swapped after just a few days for another one. Both certificates were issued in the same name but by different CAs, Microsoft wrote.

To prevent problems, software developers should take care to protect the private keys used for code-signing on securely-stored hardware devices such as smart cards, USB tokens or hardware security modules. If a certificate is believed to have been compromised, CAs can revoke it.
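To make the signing model described above and the key-protection advice here concrete, this Go program is an added example (not Microsoft’s or any CA’s code) using ECDSA, with a hash of the public key standing in for a CA-issued certificate. It shows a loader accepting a program signed with a stolen key exactly as it accepts the publisher’s own build, rejecting a tampered file, and rejecting everything from that key once its identifier is put on a revocation list. The program names and contents are constructed sample data, and the revocation list is a plain map in place of a CRL or OCSP response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// publisher holds a code-signing private key. In practice the key lives in
// an HSM or a smart card and a CA-issued certificate binds the public key to
// the company name; here a hash of the public key stands in for that certificate.
type publisher struct {
	priv *ecdsa.PrivateKey
}

func newPublisher() (*publisher, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &publisher{priv: k}, nil
}

// keyID is what a verifier looks up: a hash of the DER-encoded public key,
// analogous to a certificate thumbprint.
func keyID(pub *ecdsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // cannot happen for a well-formed ECDSA key
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:8])
}

// sign produces a detached signature over the program's SHA-256 digest.
// Whoever holds priv, owner or thief, gets an equally valid result.
func (p *publisher) sign(program []byte) ([]byte, error) {
	digest := sha256.Sum256(program)
	return ecdsa.SignASN1(rand.Reader, p.priv, digest[:])
}

// loader is the consuming side (an OS loader, installer or AV engine). It
// trusts a set of publisher keys and honours a revocation list from the CA.
type loader struct {
	trusted map[string]*ecdsa.PublicKey
	revoked map[string]bool
}

// verify returns whether the program may run, and why not if it may not.
func (l *loader) verify(program, sig []byte, id string) (bool, string) {
	pub, ok := l.trusted[id]
	if !ok {
		return false, "unknown signer"
	}
	if l.revoked[id] {
		return false, "signer revoked"
	}
	digest := sha256.Sum256(program)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return false, "bad signature"
	}
	return true, "ok"
}

func fmtResult(ok bool, reason string) string {
	return fmt.Sprintf("ok=%v (%s)", ok, reason)
}

func main() {
	pub, err := newPublisher()
	if err != nil {
		panic(err)
	}
	id := keyID(&pub.priv.PublicKey)
	l := &loader{trusted: map[string]*ecdsa.PublicKey{id: &pub.priv.PublicKey}, revoked: map[string]bool{}}

	// Constructed sample inputs standing in for real binaries.
	installer := []byte("legitimate installer v1.0")
	rogueAV := []byte("Antivirus Security Pro (rogue)")

	sig, _ := pub.sign(installer)
	fmt.Println("publisher's own build:", fmtResult(l.verify(installer, sig, id)))

	// The thief needs nothing but the private key: same call, same acceptance.
	rogueSig, _ := pub.sign(rogueAV)
	fmt.Println("malware signed with stolen key:", fmtResult(l.verify(rogueAV, rogueSig, id)))

	tampered := append([]byte(nil), installer...)
	tampered[0] ^= 0x01
	fmt.Println("tampered installer:", fmtResult(l.verify(tampered, sig, id)))

	// Once the key has leaked the remedy is revocation. This simplified loader
	// has no timestamp countersignatures, so the publisher's earlier releases
	// fail too, which is the cost the Microsoft quote below refers to.
	l.revoked[id] = true
	fmt.Println("after revocation, malware:", fmtResult(l.verify(rogueAV, rogueSig, id)))
	fmt.Println("after revocation, own build:", fmtResult(l.verify(installer, sig, id)))
}
```

The verifier never learns who pressed the sign button; it only checks possession of the key. That is why the advice to keep the key in hardware that cannot export it matters more than any policy around who is allowed to use it.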

“Not only is it inconvenient, and often expensive, to have the certificate replaced, it can also result in loss of your company’s reputation if it is used to sign malware,” the company wrote.


FTC Pushes To Be Enforcer Of Data Security Standards

December 16, 2013 by mphillips  
Filed under Around The Net

Despite growing resentment from companies and powerful industry groups, the Federal Trade Commission continues to insist that it wants to be the nation’s enforcer of data security standards.

The FTC, over the past several years, has gone after companies that have suffered data breaches, citing the authority granted to it under Section 5 of the FTC Act, which prohibits “unfair” and “deceptive” trade practices. The FTC extracted stiff penalties from some companies by arguing that their failure to properly protect customer data represented an unfair and deceptive trade practice.

On Thursday, FTC Chairwoman Edith Ramirez called for legislation that would bestow the agency with more formal authority to go after breached entities.

“I’d like to see FTC be the enforcer,” Law360 quoted Ramirez as saying at a privacy event organized by the National Consumers League in Washington. “If you have FTC enforcement along with state concurrent jurisdiction to enforce, I think that would be an absolute benefit, and I think it’s something we’ve continued to push for.”

According to Ramirez, the FTC supports a federal data-breach notification law that would also give it the authority to penalize companies for data breaches. In separate comments at the same event, FTC counsel Betsy Broder reportedly noted that the FTC’s enforcement actions stem from the continuing failure of some companies to adequately protect data in their custody.

“FTC keeps bringing data security cases because companies keep neglecting to employ the most reasonable off-the-shelf, commonly available security measures for their systems,” Law360 quoted Broder as saying.

An FTC spokeswoman was unable to immediately confirm the comments made by Ramirez and Broder but said the sentiments expressed in the Law360 story accurately describe the FTC’s position on enforcement authority.

The comments by the senior officials come amid heightening protests against what some see as the FTC overstepping its authority by going after companies that have suffered data breaches.

Over the past several years, the agency has filed complaints against dozens of companies and extracted costly settlements from many of them for data breaches. In 2006 for instance, the FTC imposed a $10 million fine on data aggregator ChoicePoint, and more recently, online gaming company RockYou paid the agency $250,000 to settle data breach related charges.


Hackers Go After Finland Too

November 4, 2013 by Michael  
Filed under Computing

Foreign hackers, suspected to be from China and Russia, carried out a large-scale intrusion into Finnish government communications, a Finnish TV station has reported.

Finland’s foreign minister Erkki Tuomioja said the breach of the Foreign Ministry’s data network was discovered in spring, and Finland’s intelligence service was investigating it as a case of serious espionage. Broadcaster MTV3 reported the hacking incident, which until now had been kept under wraps, probably because everyone thought the Americans had done it.

Tuomioja declined to comment on suspects, but MTV3 had earlier said Chinese and Russian intelligence agents may have been involved. The report said that the hackers had had access to the ministry’s network for years and targeted communications between Finnish and European Union officials. Tuomioja insisted that no classified material was involved.


Commerce Dept. Propose Cybersecurity Standards For Corporations

October 24, 2013 by mphillips  
Filed under Around The Net

A U.S. bureau on Tuesday provided a draft of voluntary standards that businesses can adopt to boost cybersecurity – part of an attempt to protect critical industries without setting restrictive and costly regulations.

The National Institute of Standards and Technology (NIST), a nonregulatory agency that is part of the Department of Commerce, issued the so-called framework following input from some 3,000 industry and academic experts.

Cybersecurity experts warn that relentless efforts to hack into U.S. banks and financial institutions, the power grid and other critical infrastructure, paired with instances of disruptive attacks abroad, pose a national security threat.

President Barack Obama directed NIST to compile voluntary minimum standards in a February executive order aimed at countering the lack of progress on cybersecurity legislation in Congress.

Action on bills this year is stalled after the disclosures of vast online U.S. government spying programs.

The draft offers guidance on how companies could identify and protect network assets and detect, respond to and recover from breaches.

Steps might include keeping inventories of the software platforms and applications they use, ensuring that top executives know their roles and responsibilities, and setting information security policies.

The document also expands on how the companies could do all that while protecting privacy and civil liberties.

“Ultimately what we want to do is we want to turn today’s best practices into common and expected practices,” NIST Director Patrick Gallagher told reporters, calling the framework “a living document” that is expected to be flexible.

Many in the private sector have expressed fears that the voluntary framework will inevitably turn into a set of requirements or create new liabilities.

Another concern is that companies have little incentive to adopt the framework – something being reviewed by the Departments of Homeland Security, Commerce and Treasury.

“This is really just a stepping stone … . The meat of all of this still remains in the incentives program,” said Melanie Teplinsky, who teaches law at American University and serves as an adviser to cybersecurity firm CrowdStrike. “Even if this is perfect, who’s going to adopt this and why?”

Some trade groups and industry analysts say the framework appears vague and complex, and experts warn that may become a hurdle to adoption.

“I understand their problem, they’re trying to write something that any industry can apply. As soon as you do that, you’re going to get to a very big level of abstraction,” said Stewart Baker, a former Department of Homeland Security assistant secretary and now lawyer at Steptoe & Johnson.

“Much of the document is very procedural,” he said. “I fear that it won’t measurably improve cybersecurity without making it more expensive for everybody.”