Ransomware attacks will decrease in volume and effectiveness in the second half of 2017, while hardware and firmware will be increasingly targeted by “sophisticated” attackers, Intel Security’s McAfee Labs reported Tuesday. Intel surveyed 31 “thought leaders." IoT malware will open back doors in connected devices that could take years to detect, Intel said. Mobile attacks will combine mobile device locks with credential theft, increasing the vulnerability of personal information stored on consumers’ devices, Intel said. Hackers will attempt “dronejackings” using laptops for criminal and “hacktivist” purposes, Intel said. Hacktivists will also likely play an important role in exposing privacy issues, Intel said. “To change the rules of the game between attackers and defenders, we need to neutralize our adversaries' greatest advantages," said Intel Security Vice President-McAfee Labs Vincent Weafer. “To overcome the designs of our adversaries, we need to go beyond understanding the threat landscape to changing the defender-attacker dynamics in six key areas: information asymmetry, making attacks more expensive, improving visibility, better identifying exploitation of legitimacy, improving protection for decentralized data, and detecting and protecting in agentless environments.”
More than one in four of the more than 31 million Wi-Fi hot spots around the world is “just waiting to be hacked,” Kaspersky Lab said in a Thursday report. Kaspersky estimates 25 percent of the world’s Wi-Fi networks “have no encryption or password protection of any kind," meaning the information they transmit is “completely open and can be read by third parties.” Another 3 percent of hot spots use Wired Equivalent Privacy protocol to encrypt data, it said: “This unreliable protocol can be ‘cracked’ within minutes using tools that are freely available on the internet.” The rest of the world’s hot spots use “a more reliable form of encryption” based on the "family" of Wi-Fi Protected Access protocols, it said. “The effort required to hack these networks depends on the settings, including the strength of the password.” It’s “worth noting” that the top 20 countries with the highest percentage of non-encrypted Wi-Fi hot spots include many popular tourist destinations, among them in the U.S., Kaspersky said: “Travelers are among the most vulnerable because the nearest available Wi-Fi hotspot is often the only way for them to stay connected.”
The Broadband Internet Technical Advisory Group has released guidelines and recommendations aimed at helping consumer IoT manufacturers and other providers improve device privacy and security. Tuesday's BITAG report said consumers face threats from any internet-connected device, but the IoT is "unique" because it usually involves nontechnical or uninterested consumers who lack the expertise to evaluate privacy and security for such devices. The report said IoT threats potentially increase with the lack of incentives from manufacturers to develop and deploy software updates after initial product sales, difficulty in providing updates over a network, devices with limited resources and constrained user interfaces, and products that may ship with malware. To address insecure communications, data leaks, malware and service disruption, the group said IoT devices should be shipped with "reasonably" current software and have a way to receive automated and secure software updates. It said devices should use strong authentication and encryption with their configurations tested and hardened. The report recommended a privacy policy be included and easy to find and understand and industry should develop a cybersecurity program with a "Secure IoT Device" logo on retail packaging. Stakeholders, manufacturers and retailers should provide privacy policies, bug reporting systems and secure software programs, and support devices across their lifespans, BITAG said.
Only 42 percent of consumers who responded to an Intel Security survey said they take proper measures to ensure their connected devices’ cybersecurity. Consumers are aware it’s important to secure their devices but 47 percent of respondents indicated they were unsure whether they were taking the correct cybersecurity measures, Intel said Sunday. OnePoll queried 9,800 consumers at Intel’s request for the survey. There's increased interest from Capitol Hill on connected devices’ cybersecurity. Two House Commerce Committee subcommittees sought a potential middle ground last week on addressing IoT cybersecurity in response to last month's distributed denial of service attacks against Dyn (see 1610210056, 1610260067 and 1611160051), which Oracle is now buying (see 1611210047). “Unsurprisingly, connected devices remain high on holiday wish lists this year,” said Intel Security Chief Consumer Security Evangelist Gary Davis in a news release. “What is alarming is that consumers remain unaware of what behaviors pose a security risk when it comes to new devices.” Consumers “are often eager to use their new gadget as soon as they get it and forgo ensuring that their device is properly secured,” Davis said. “Cybercriminals could use this lack of attention as an inroad to gather personal consumer data, exposing consumers to malware or identity theft or even use unsecured devices to launch DDoS attacks as in the recent Dyn attack.”
Oracle said it’s buying internet traffic service Dyn, to extend its cloud computing platform. “Oracle cloud customers will have unique access to Internet performance information that will help them optimize infrastructure costs, maximize application and website-driven revenue, and manage risk,” said Dyn Chief Strategy Officer Kyle York in a Monday news release. A month ago Dyn’s DynDNS service experienced distributed denial-of-service attacks that resulted in outages or latency for many major websites, including Netflix and Twitter (see 1610210056). The attacks spurred interest on Capitol Hill in IoT cybersecurity (see 1610260067 and 1611160051).
Symantec agreed to acquire identity protection company LifeLock in a $2.3 billion cybersecurity transaction, the companies said Sunday in a news release. Symantec expects to close the deal in Q1 next year after it gets U.S. antitrust and shareholder approvals.
The National Association of State Chief Information Officers said Thursday that its top priority in 2017 will remain cybersecurity and risk management, rounding out a list that remains largely the same as it did headed into 2016. NASCIO’s other tech and policy priorities for the coming year include cloud services, consolidation, cost control and legacy systems modernization. NASCIO bases its annual priorities on the results of a survey of its members. “No major surprises in the priorities for 2017,” said Executive Director Doug Robinson in a news release. “State CIOs continue to recognize the importance of IT Governance as they address enterprise security, cloud services and drive IT consolidation.”
The Satellite Industry Association and Global VSAT Forum issued a set of cybersecurity core principles that they say should be central to private and public sector cybersecurity efforts. The three principles are an endorsement of "voluntary, industry-led efforts and public-private partnerships" as the best route to address cybersecurity; a plug for voluntary information sharing "free from fear of adverse consequences"; and a call for satellite industry groups to tackle cybersecurity issues "using industry best practices for risk management," the trade groups announced Thursday.
The Department of Homeland Security issued IoT security principles aimed at helping manufacturers and other stakeholders make better decisions about how they develop, build, implement and use such technologies and systems. “The growing dependency on network-connected technologies is outpacing the means to secure them,” said DHS Secretary Jeh Johnson in a Tuesday news release. "Securing the Internet of Things has become a matter of homeland security." The DHS principles emphasize integration of security measures at the design phase, vulnerabilities management, use of tested security practices, prioritization of security measures based on potential disruptions or failures, greater transparency across the IoT ecosystem, and consideration of what should be connected to the internet and what shouldn't. Wednesday, CTA issued an IoT white paper (see 1611160017).
The Trustworthy Accountability Group launched an anti-malware certification seal program for buyers, sellers and intermediaries in the digital advertising supply chain, said the ad industry initiative in a news release Tuesday. TAG, which was formed by the American Association of Advertising Agencies, Association of National Advertisers and Interactive Advertising Bureau, said it's also building and hosting an information-sharing hub to disseminate real-time intelligence about malware attacks to the industry and law enforcement. Adform, AppNexus, Google and RocketFuel are some ad companies and agencies that agreed to participate in the certification program, which entails complying with certain guidelines and best practices for scanning content for malware. The program "uses a multi-prong approach that includes consumer education, industry best practices, information sharing, and law enforcement to shut down malware distributors and protect the advertising supply chain," said TAG CEO Mike Zaneis. The threat-sharing hub will permit some companies to get data on the most recent infections, "serving as a type of immune system for the industry in helping it respond to new and emerging threats," TAG said. The anti-malware program is the fourth and last program in the initiative's mission to stop fraudulent traffic, fight malware and internet piracy and promote transparency.