BreachExchange mailing list archives
Time to ignore manufacturers that are security slackers
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 20 Nov 2013 01:28:21 -0700
http://blogs.computerworld.com/cybercrime-and-hacking/23150/time-ignore-manufacturers-are-security-slackers

In the near future, everything from refrigerators and coffeemakers to cars and home automation systems will be among the 10s of billions of devices on the Internet. But as the so-called Internet of Things grows, security remains a work in progress at best, and it's time for tech buyers to ignore manufacturers that refuse to step up their game.

Security slackers

Security has always lagged behind technology adoption. As the PC market grew in the 1990s, securing software and hardware was an afterthought until the Internet. Once people started connecting Windows PCs to the Web, the door was opened to hackers and Microsoft was left scrambling for years to plug the many holes in the market-dominating operating system.

The pattern in the mobile industry is similar. Hundreds of millions of people using Android smartphones and tablets today face unnecessary risks because wireless carriers and manufacturers have yet to figure out a way to push out timely updates to patch vulnerabilities.

Nevertheless, mobile security seems advanced when compared to the vast majority of other Internet-connected devices, which Cisco says will number 40 billion by 2020 from roughly 9 billion in 2012.

Printers are a perfect example of how security is being shortchanged as we move toward the Internet of Things. Every printer today comes with a built-in Web server, yet by default, the majority of them don't even require a password. With such basic security missing, it's no surprise that vendors are slow in patching vulnerabilities through firmware upgrades. In the meantime, security researchers have already shown that it's possible to hack networked Hewlett-Packard printers and steal data.

In July, a couple of researchers used a laptop wired to electronic control units of a Ford Escape and Toyota Prius to steer the vehicles left and right, apply the brakes and move the fuel gauge to zero.
At the time, Ford and Toyota said the experiment wasn't a legitimate hack, since a wired connection was needed. But most experts agreed the demonstration showed that the day when a car could be commandeered wirelessly was coming, unless manufacturers worked faster to improve security.

Devices that have already been hacked have included TV sets, video cameras, child monitors and power meters. Through such devices, intruders could violate people's privacy, steal personal data and build large botnets of compromised devices in order to launch denial of service attacks, experts say.

The solution

As the number of threats increases with the rise in Internet-connected devices, there are security tools available to defend against attacks. They include data encryption, strong user authentication, coding with security as a top priority and better testing of application programming interfaces.

To a large extent, securing the Internet of Things isn't much different than locking down computers and mobile devices. Among the bigger hurdles of the IoT is rolling out firmware updates.

The best place to start in securing future Internet-enabled devices is with the buyer. If consumers and businesses place security near the top of their features list, then manufacturers will respond. Without customer pressure, there will be little change in the status quo.