Teach citizens IoT dangers, engineering students cybersecurity, Uncle Sam suggests

The US Department of Commerce (DoC) and Department of Homeland Security have put out a draft cybersecurity report that recommends, among other things, that the American government fund a public awareness campaign on IoT security, and make cybersecurity a compulsory part of future engineering degrees. The 38-page report [PDF] …

  1. Doctor Syntax Silver badge

    The 38-page report [PDF] titled "Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats" is the first of many that are heading to the president's desk following an executive order signed in May, following a number of abortive attempts.

    Do they really expect him to read 38 pages?

    1. Destroy All Monsters Silver badge

      Actually it was handed to the desk.

      The prez is too busy whoring for money and less 24/7 condemnation in the well and truly "managed meedja" defending Israel's self-interest.

      Why isn't there a Gallic Shrug icon?

    2. John Smith 19 Gold badge

      "Do they really expect him to read 38 pages?"

      Indeed, that would be about 37 and a half pages too long.

      Probably not too bad for the rest of us.

  2. Anonymous Coward

    Kudos to US Govt Inc. BUT

    You'd never guess any of this concern from the CES show this year, WTF?

    The pollyannic coverage on the BBC alone was pretty hard to understand!

    The MSM is blind: LG's robot clusterfuck alone is a screaming warning sign!

    The whole IoT & Smart 'Reality Distortion Field' of Tech is just plain nuts???

    Whereas 'IoT reality' and VTech's recent fine? That hardly gets mentioned!

  3. Yet Another Anonymous coward Silver badge

    This is the same US govt

    That on the same day, also in the name of security, demanded that a backdoor to everyone's phone be given to 1000s of law enforcement agencies?

  4. This post has been deleted by its author

  5. Anonymous Coward

    Make the producers liable

    I know that the USG has this thing about not telling business what it must do and setting sensible requirements stifling innovation, but surely they could legislate for minimum standards to fix defects and automatically update devices for (say) 10 years, and make manufacturers/retailers liable for damages if they don't? Once a few well known names had been sued into oblivion we might see security being taken a bit more seriously.

    1. frank ly

      Re: Make the producers liable

      "Due to its traditional hands-off approach to industry and the fact that the internet mostly resides in private hands, there is little that the DoC or DHS can do in real, solid terms."

      If an electricity supplier switched 11kV onto a domestic feeder, resulting in damage and/or injury, would the attitude be the same?

  6. deadlockvictim

    Dangers of 'Always On'

    Children need to learn from an early age the disadvantages as well as the advantages of devices that are connected to the Internet.

    They need to learn that these devices are being watched, monitored and recorded by organisations [1] known and unknown and that these organisations are operating for their benefit and not for yours.

    Further they need to learn the analogy that an Internet connection is akin to leaving a window open in your house. The longer it is open — and especially when it is left permanently open — the greater the likelihood that someone will come in through it.

    [1] God damn it, El Reg, 'organisation' is a valid spelling in English. Either fix your spell-checker or turn it off. These red-wavy lines are annoying.

    1. Anonymous Coward

      Re: Dangers of 'Always On'

      "[1] God damn it, El Reg, 'organisation' is a valid spelling in English. Either fix your spell-checker or turn it off. These red-wavy lines are annoying."

      Or note that it was written by an American person, reporting on an American subject directly quoting an American publication.

  7. Anonymous Coward

    Incidental firewalls

    NAT tools act as an incidental firewall, preventing devices in the home from being directly reached by the sort of mass-scanning tools that spread malware and lead to widespread infection.

    The logical answer would be to convert all those "incidental firewalls" into actual firewalls. Sadly, ISP-provided consumer routers have historically been prototypical of IoT security incompetence.

  8. Anonymous Coward

    FDA of IoT

    I can see this going in several directions, if in fact it goes anywhere at all. One of those would be the creation of a new bureaucratic money pit using the Food and Drug Administration model. The best result of that being that the system will still have the occasional bout of digital food poisoning, or the worst being that security updates cost as much as cancer treatments.

  9. hellwig

    IPv6 Too Big to Scan?

    Isn't the issue with IPv6 that with dedicated address spaces, it will be easier to guess the addresses for certain organizations or manufacturers? Doesn't matter that the IP space is 128 bits if the first 96 bits are always the same for something you're trying to attack.

  10. Anonymous Coward
    So even the government doesn’t realize that you can firewall IPv6 without having to use NAT?

  11. Mike 16 Silver badge

    One request

    Could any legislation mandating automatic mandatory updates also include a prohibition of extraneous changes whose purpose is solely to the detriment of the user and benefit of the vendor?

    Of course legislatures are pretty good at ignoring their own rules (if any) about "No unrelated riders on must-pass laws", so if the regulated firms "do as government do, not as they say", we are in for a bruising time.

  12. Anonymous Coward

    Good idea, but...

    ... thanks to Millennial fashion, it's no longer possible to tell who's a citizen and who's an engineering student.

  13. Aodhhan

    20 minutes I'll never get back

    This report is another example of taxpayer funds wasted. This is a snowflake report written by individuals who apparently believe each corporate community should follow best practices and create common standards.

    I believe this sort of thing has been in just about every OMB information security report since 1999.

    More so... it addresses the obvious without any mention of risk assessment.

    Get a clue, guys. Every company with a network pulse would love to have a common guideline to go with and purchase the latest/greatest technology. Here is the problem... 1: This is the USA. You can't force a business to do something without creating law. Since companies own politicians... good luck with this. 2: Pocketbooks aren't unlimited. 3: While corporations have been held accountable, the penalties and punitive damages haven't been costly enough to change risk assessments yet. Target, Google, etc... have just been slapped on the wrist while consumers pay huge costs.

    Start chanting accountability and punitive damages along with large legal suit dollars and you just might begin to make traction. Until consumers can overcome political greed from corporate contributions, you will not see a lot of change.

  14. FlamingDeath Silver badge

    Here's an idea

    Teach router manufacturers to not leave UPnP switched on by default.

    This would solve 95% of problems where dumb lusers buy some IoT device they barely understand and just plug it into the network without a clue what the device is doing.

    How many of these 'masses of morons' have heard of ShieldsUp?

    I bet zero, they just don't care, ignorance is bliss, or so they think.


Biting the hand that feeds IT © 1998–2022