Tuesday, October 25, 2016

Senator Asks Federal Agencies For Information On Massive Internet Of Things Breach

A massive denial-of-service attack last week has already resulted in the recall of a number of webcams that may have been used to aid hackers in taking popular sites like Twitter, GitHub, Reddit, and others offline throughout the day. Now, lawmakers are asking federal agencies what else can be done to prevent future attacks.

Virginia Senator Mark Warner, a member of the Senate Select Committee on Intelligence and a co-founder of the Senate Cybersecurity Caucus, sent letters to the Federal Communications Commission, the Federal Trade Commission, and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center requesting information on the tools available to prevent future hacks through Internet of Things devices.

With the rise in popularity of IoT products — like webcams, smart thermostats, and other devices — Warner expressed concern that hacks similar to the one that occurred Friday are imminent.

Friday’s attack centered on DNS host Dyn. Attackers sent massive amounts of coordinated traffic to Dyn in order to overwhelm its ability to function. As a result, legitimate users connecting to sites managed by Dyn were not able to access the content they were looking for, due to the barrage of robotic requests running interference.

On Monday, Chinese company Hangzhou Xiongmai Technology Co Ltd announced the recall of all products — primarily webcams — that contain circuit boards or components from the company that were sold in the U.S. after they were identified as having a part in the recent attack.

Security researchers believe the easy-to-guess default passwords for the devices aided hackers in the massive web attack.

In his letters, Warner claims that similarly weak security features in connected devices could enable “access to user data by hackers, create easy entry points to home or work networks, and allow hackers to hijack devices into enormous botnets used to send crippling amounts of data to specific Internet sites and servers.”

“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none,” Warner wrote. “Further, buyers have little recourse when, despite their best efforts, security failures occur.”

To that end, he is asking the agencies to provide “expert opinions and meaningful action” on tools that can be used to “better protect American consumers, manufacturers, retailers, Internet sites and service providers.”

Specifically, he asks for information on what kind of network management practices are available for internet service providers to respond to threats; what strategies can be used to take devices that are deemed harmful out of commerce; and what kind of alerts can be used to inform consumers of risks from hacks.

[via Krebs On Security]


by Ashlee Kieler via Consumerist
