By Andrew Paulette
1.) Legislation Proposed to Secure Connected IoT Devices (August 1, 2017)
Summary: A Senate bill introduced today would prioritize security in connected devices, requiring providers who sell to the U.S. government to implement measures that would have been an impediment to the IoT botnet-fueled attacks against DNS provider Dyn and web host OVH.
Why it matters: While many would prefer the “invisible hand” of economics to drive manufacturers to implement better security on their IoT devices, the speed at which new vulnerabilities can be weaponized and exploited against devices that are sluggishly patched (if they can be patched at all) represents a large risk that governments cannot overlook. Bills requiring that certain protections be implemented on IoT devices will most likely become more common going forward, and the cyber community should involve itself in the conversation to ensure these policies benefit the most people with the least impact on businesses and end users.
2.) Protect the White Hat Hackers Who Are Just Doing Their Jobs (August 5, 2017)
Summary: The great irony of defending the world against malware is it requires security researchers to, well, mess with malware. This often leads them into gray areas, where something they might consider legitimate investigation or essential software development could, in the eyes of the law, be seen as criminal behavior.
Why it matters: Full details of Mr. Hutchins’ arrest are still emerging at this time and are needed before any sound judgement can be made about the nature of his arrest. That said, policy and law akin to “Good Samaritan laws” should be passed to allow security researchers to continue the work they do while minimizing their chances of running afoul of law enforcement.
3.) UK calls for smart car cyber protection
Summary: A new generation of internet-connected cars will have to be better protected from cyber attackers, under tough new UK government guidance.
Why it matters: The principles promoted in this new guidance from the UK government align with standard cybersecurity policy across organizations of all kinds, including ensuring senior leadership’s support for cybersecurity practices, appropriate risk management, and protecting products throughout their development lifecycle (including while these vehicles are on the road, via incident response and patching). The more organizations choose to follow these basic cybersecurity policies, the more secure they will be.
4.) Self-Driving Cars can be Hacked by just putting Stickers on Street Signs (August 9, 2017)
Summary: Car hacking is a hot topic, though it’s not new for researchers to hack cars. Previously they had demonstrated how to hijack a car remotely, how to disable a car’s crucial functions like airbags, and even how to steal cars.
Why it matters: Technicians are still developing software that is able to interpret and classify input from its surroundings, and while it has come a long way, it still has a ways to go. In this case, stickers placed on a stop sign could trick a self-driving vehicle into interpreting the sign as something other than a stop sign (in one case, it was interpreted as a 45 mph speed limit). Since it will be impossible to truly eliminate this sort of classification error, vehicle manufacturers need to make sure other systems are in place that use other forms of “input” (such as a car with its brake lights engaged) to understand the environment and how the vehicle should behave in the absence of other obvious identifiers.
5.) HBO Wanted to Disguise $250,000 Ransom Payment as Bug Bounty Reward (August 10, 2017)
Summary: The hackers who breached HBO’s servers have declined a ransom payment of $250,000 from a top HBO exec, according to an email leaked by hackers to the press.
Why it matters: This is not the first time a company has attempted to conceal a ransom payment as a “bug bounty,” and it probably won’t be the last. Given the technical skill required to exfiltrate 1.5 TB of data from a company’s network, this seems to be the work of skilled cybercriminals. While the less technically inclined will continue to use ransomware and malware-as-a-service to accomplish their goals, it appears that for skilled criminals, attacks against single targets will be the method of choice to ensure the greatest profit from wealthy organizations.