Teach citizens IoT dangers, engineering students cybersecurity, Uncle Sam suggests The US Department of Commerce (DoC) and Department of Homeland Security have put out a draft cybersecurity report that recommends, among other things, that the American government fund a public awareness campaign on IoT security, and make cybersecurity a compulsory part of future engineering degrees. The 38-page report [PDF] …
The 38-page report [PDF] titled "Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats" is the first of many that are heading to the president's desk following an executive order signed in May, following a number of abortive attempts.
Do they really expect him to read 38 pages?
You'd never guess any of this concern from the CES show this year, WTF?
The pollyannic coverage on the BBC alone, was pretty hard to understand!
The MSM is blind: LG's robot clusterfuck alone is a screaming warning sign!
The whole IoT & Smart 'Reality Distortion Field' of Tech is just plain nuts???
Whereas 'IoT reality' and VTech's recent fine? That hardly gets mentioned!
This post has been deleted by its author
I know that the USG has this thing about not telling business what it must do and setting sensible requirements stifling innovation, but surely they could legislate for minimum standards to fix defects and automatically update devices for (say) 10 years, and make manufacturers/retailers liable for damages if they don't? Once a few well known names had been sued into oblivion we might see security being taken a bit more seriously.
"Due to its traditional hands-off approach to industry and the fact that the internet mostly resides in private hands, there is little that the DoC or DHS can do in real, solid terms."
If an electricity supplier switched 11kV onto a domestic feeder, resulting in damage and/or injury; would the attitude be the same?
Children need to learn from an early age the disadvantages as well as the advantages of devices that are connected to the Internet.
They need to learn that these devices are being watched, monitored and recorded by organisations [1] known and unknown and that these organisations are operating for their benefit and not for yours.
Further they need to learn the analogy that an Internet connection is akin to leaving a window open in your house. The longer it is open — and especially when it is left permanently open — the greater the likelihood that someone will come in through it.
[1] God damn it, El Reg, 'organisation' is a valid spelling in English. Either fix your spell-checker or turn it off. These red-wavy lines are annoying.
"[1] God damn it, El Reg, 'organisation' is a valid spelling in English. Either fix your spell-checker or turn it off. These red-wavy lines are annoying."
Or note that it was written by an American person, reporting on an American subject directly quoting an American publication.
NAT tools act as an incidental firewall, preventing devices in the home from being directly reached by the sort of mass-scanning tools that spread malware and lead to widespread infection.
The logical answer would be to convert all those "incidental firewalls" into actual firewalls. Sadly, ISP-provided consumer routers have historically been prototypical of IoT security incompetence.
I can see this going in several directions, if in fact it goes anywhere at all. One of those would be the creation of a new bureaucratic money pit using the Food and Drug Administration model. The best result of that being the system will still have the occasional bout of digital food poisoning or the worst being that security updates cost as much a cancer treatments.
Isn't the issue with IPv6 that with dedicated address spaces, it will be easier to guess the addresses for certain organizations or manufacturers? Doesn't matter that the IP space is 128 bits if the first 96 bits are always the same for something you're trying to attack.
Could any legislation mandating automatic mandatory updates also include a prohibition of extraneous changes whose purpose is solely to the detriment of the user and benefit of the vendor?
Of course legislatures are pretty good at ignoring their own rules (if any) about "No unrelated riders on must-pass laws", so if the regulated firms "do as government do, not as they say", we are in for bruising time.
This report is another example of taxpayer funds wasted. This is a snowflake report written by individuals who apparently believe each corporate community should follow best practices and create common standards.
I believe this sort of thing has been in just about every OMB information security report since 1999.
More so... it addresses the obvious without any mention of risk assessment.
Get a clue guys. Every company with a network pulse would love to have a common guideline to go with and purchase the latest/greatest technology. Here is the problem... 1: This is the USA. You can't force a business to do something without creating law. Since companies own politicians... good luck with this. 2: Pocketbooks aren't unlimited. 3: While corporations have been held accountable, the penalties and punitive damages haven't been costly enough to change risk assessments yet. Target, Google, etc... has just been slapped on the wrist while consumers pay huge costs.
Start chanting accountability and punitive damages along with large legal suit dollars and you just might begin to make traction. Until consumers can overcome political greed from corporate contributions, you will not see a lot of change.
Teach router manufacturers to not leave UPnP switched on by detault
This would solve 95% of problems where dumb lusers buying some IoT device they barely understand and just plugging it into the network without a clue what the device is doing.
How many of these 'masses of morons' have heard of ShieldsUp
I bet zero, they just dont care, ignorance is bliss, or so they think
The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.
In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.
"Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."
Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.
A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.
It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.
In brief A Japanese contractor working in the city of Amagasaki, near Osaka, reportedly mislaid a USB drive containing personal data on the metropolis's 460,000 residents.
A cyberattack on a software company almost a week ago continues to ripple through labor and workforce agencies in a number of US states, cutting off people from such services as unemployment benefits and job-seeking programs.
Labor departments and related agencies in at least nine states have been impacted. According to the Louisiana Workforce Commission in a statement this week, Geographic Solutions (GSI) was forced to shut down state labor exchanges and unemployment claims systems, and as many as 40 states and Washington DC, all of which rely on GSI's services, could be affected.
In a statement to media organizations, GSI President Paul Toomey said the Palm Harbor, Florida-based company "identified anomalous activity on our network," and took its services offline. Toomey didn't elaborate whether GSI was hit with ransomware or some other type of malware.
Matt Ramberg is the vice president of information security at Sanmina, a sprawling electronics manufacturer with close to 60 facilities in 20 countries on six continents and some 35,000 employees spread across the world.
Like most enterprises, Sanmina, a big name in contract manufacturing, is also adapting to a new IT environment. The 42-year-old Fortune 500 company, with fiscal year 2021 revenue of more than $6.76 billion, was an early and enthusiastic adopter of the cloud, taking its first step into Google Cloud in 2009.
With manufacturing sites around the globe, it also is seeing its technology demands stretch out to the edge.
In brief Google on Friday pledged to update its location history system so that visits to medical clinics and similarly sensitive places are automatically deleted.
In this post-Roe era of America, there is concern that cops and other law enforcement will demand the web giant hand over information about its users if they are suspected of breaking the law by seeking an abortion.
Google keeps a log of its users whereabouts, via its Location History functionality, and provides some controls to delete all or part of those records, or switch it off. Now, seemingly in response to the above concerns and a certain US Supreme Court decision, we're told Google's going to auto-delete some entries.
The new head of Israel's National Cyber Directorate (INCD) has announced the nation intends to build a "Cyber-Dome" – a national defense system to fend off digital attacks.
Gaby Portnoy, director general of INCD, revealed plans for Cyber-Dome on Tuesday, delivering his first public speech since his appointment to the role in February. Portnoy is a 31-year veteran of the Israeli Defense Forces, which he exited as a brigadier general after also serving as head of operations for the Intelligence Corps, and leading visual intelligence team Unit 9900.
"The Cyber-Dome will elevate national cyber security by implementing new mechanisms in the national cyber perimeter, reducing the harm from cyber attacks at scale," Portnoy told a conference in Tel Aviv. "The Cyber-Dome will also provide tools and services to elevate the protection of the national assets as a whole. The Dome is a new big data, AI, overall approach to proactive defense. It will synchronize nation-level real-time detection, analysis, and mitigation of threats."
Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms.
While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat.
Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident.
In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.
Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said.
Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.
RSA Conference IBM has expanded its extensive cybersecurity portfolio by acquiring Randori – a four-year-old startup that specializes in helping enterprises manage their attack surface by identifying and prioritizing their external-facing on-premises and cloud assets.
Big Blue announced the Randori buy on the first day of the 2022 RSA Conference on Monday. Its plan is to give the computing behemoth's customers a tool to manage their security posture by looking at their infrastructure from a threat actor's point-of-view – a position IBM hopes will allow users to identify unseen weaknesses.
IBM intends to integrate Randori's software with its QRadar extended detection and response (XDR) capabilities to provide real-time attack surface insights for tasks including threat hunting and incident response. That approach will reduce the quantity of manual work needed for monitoring new applications and to quickly address emerging threats, according to IBM.
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2022
