U.S. takes aim at cyber attacks from
connected devices as recalls mount
[October 25, 2016]
By Joseph Menn
SAN FRANCISCO (Reuters) - Obama
administration officials sought on Monday to reassure the public that it
was taking steps to counter new types of cyber attacks such as the one
Friday that rendered Twitter, Spotify, Netflix and dozens of other major
websites unavailable.
The Department of Homeland Security said it had held a conference call
with 18 major communication service providers shortly after the attack
began and was working to develop a new set of “strategic principles” for
securing internet-connected devices.
DHS said its National Cybersecurity and Communications Integration
Center was working with companies, law enforcement and researchers to
cope with attacks made possible by the rapidly expanding number of smart
gadgets that make up the "Internet of Things."
Such devices, including web-connected cameras, appliances and toys, have
little in the way of security. More than a million of them have been
commandeered by hackers, who can direct them to take down a target site
by flooding it with junk traffic.
Several networks of compromised machines were directed to attack big
customers of web infrastructure company Dyn last week, Dyn officials and
security researchers said.
The disruption had subsided by late Friday night in America, and two of
the manufacturers whose devices had been hijacked for the attack pledged
Monday to try to fix them.
But security experts said that many of the devices would never be fixed
and that the broader security threat posed by the Internet of Things
would get worse before it gets better.
“If you expect to fix all the internet devices that are out there, force
better passwords, install some mechanism for doing updates and add some
native security for the operating system, you are going to be working a
long time,” said Ed Amoroso, founder of TAG Cyber and former chief
security officer at AT&T.
Instead, Amoroso said he hoped that government officials would focus on
recommending better software architecture and that business partners
would insist on better standards.
A padlock is displayed at the Alert Logic booth during the 2016
Black Hat cyber-security conference in Las Vegas, Nevada, U.S.
August 3, 2016. REUTERS/David Becker
In the meantime, fresh responses by two of the companies involved in
the attacks illustrated the extent of the problem.
Chinese firm Hangzhou Xiongmai Technology Co Ltd, which makes
components for surveillance cameras, said it would recall some
products from the United States.
Another Chinese company, Dahua Technology, acknowledged that some of
its older cameras and video recorders were vulnerable to attacks
when users had not changed the default passwords. Like Xiongmai, it
said it would offer firmware updates on its website to fix the
problem and would give discounts to customers who wanted to exchange
their gear.
But neither company has anything like a comprehensive list of their
customers, many of whom will never learn of the problems, said Dale
Drew, chief security officer with communications provider Level 3.
“I wouldn’t be surprised if the only way they are going to reach
their consumers is through media reports,” Drew said.
(Reporting by Joseph Menn in San Francisco. Additional reporting by
Dustin Volz in Washington; Editing by Jonathan Weber and Leslie
Adler)
[© 2016 Thomson Reuters. All rights
reserved.]