One Article Review

Source: Errata Security
Identifier: 267029
Publication date: 2016-12-05 23:41:40 (seen: 2016-12-05 23:41:40)
Title: That "Commission on Enhancing Cybersecurity" is absurd
Text:

An Obama commission has published a report on how to "Enhance Cybersecurity". It's promoted as having been written by neutral, bipartisan, technical experts. Instead, it's almost entirely dominated by special interests and the Democrat politics of the outgoing administration.

In this post, I'm going through a random list of some of the 53 "action items" proposed by the document. I show how they are policy issues, not technical issues. Indeed, much of the time the technical details are warped to conform to special interests.

IoT passwords

The recommendations include such things as Action Item 2.1.4:

Initial best practices should include requirements to mandate that IoT devices be rendered unusable until users first change default usernames and passwords.

This recommendation for changing default passwords is repeated many times. It comes from the way the Mirai worm exploits devices by using hardcoded/default passwords.

But this is a misunderstanding of how these devices work. Take, for example, the infamous Xiongmai camera. It has user accounts on the web server to control the camera. If the user forgets the password, the camera can be reset to factory defaults by pressing a button on the outside of the camera.

But here's the deal with security cameras. They are placed at remote sites miles away, up on the second story where people can't mess with them. In order to reset them, you need to put a ladder in your truck and drive 30 minutes out to the site, then climb the ladder (an inherently dangerous activity). Therefore, Xiongmai provides a RESET.EXE utility for remotely resetting them. That utility happens to connect via Telnet using a hardcoded password.

The above report misunderstands what's going on here. It sees Telnet and a hardcoded password, and makes assumptions. Some people assume that this is the normal user account -- it's not, it's unrelated to the user accounts on the web server portion of the device. Requiring the user to change the password on the web service would have no effect on the Telnet service. Other people assume the Telnet service is accidental, that good security hygiene would remove it. Instead, it's an intended feature of the product, to remotely reset the device. Fixing the "password" issue as described in the above recommendations would simply mean the manufacturer would create a different, custom backdoor that hackers would eventually reverse engineer, creating a MiraiV2 botnet. Instead of security guides banning backdoors, they need to come up with a standard for remote reset.

That characterization of Mirai as an IoT botnet is wrong. Mirai is a botnet of security cameras. Security cameras are fundamentally different from IoT devices like toasters and fridges because they are often exposed to the public Internet. To stream video on your phone from your security camera, you need a port open on the Internet. Non-camera IoT devices, however, are overwhelmingly protected by a firewall, with no exposure to the public Internet. While you can create a botnet of Internet cameras, you cannot create a botnet of Internet toasters.

The point I'm trying to demonstrate here is that the above report was written by policy folks with little grasp of the technical details of what's going on. They use Mirai to justify several of their "Action Items", none of which actually apply to the technical details of Mirai. It has little to do with IoT, passwords, or hygiene.

Public-private partnerships

Action Item 1.2.1: The President should create, through executive order, the National Cybersecurity Private-Public Program (NCP3) as a forum for addressing cybersecurity issues through a high-level, joint public-private collaboration.

We've had public-private partnerships to secure cyberspace for over 20 years, such as the FBI InfraGard partner
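Returning to the IoT passwords section above: the practical consequence of the Telnet maintenance account being separate from the web accounts is that a forced web-password change at first boot does nothing to it, so the control a camera operator actually has is to watch (and restrict) which hosts reach the Telnet service at all. The following Python script is an added example, not code from the Errata Security post or from any camera vendor. It parses a constructed key=value authentication log, treats Telnet logins from the operator's own management range as the expected use of the vendor's remote-reset tool, and flags every other source, escalating when such a source actually authenticates. The log format, the hostname cam-07, the management network 203.0.113.0/24 and every log line are assumptions constructed for this example.

```python
"""Flag Telnet logins to a camera's maintenance account from outside the
operator's management network.

Added example, not from the Errata Security post.  The log format is an
assumption: one constructed line per authentication event, with
space-separated key=value fields after the literal word 'auth'.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log, not captured from any real device.  The web
# password is changed at 22:01:09; the Telnet (maintenance) account is
# unaffected and is still used from the management host at 22:14:41, and
# then reached from two outside addresses.
SAMPLE_LOG = """\
2016-12-05T22:01:03Z cam-07 auth service=http user=admin src=203.0.113.10 result=ok
2016-12-05T22:01:09Z cam-07 auth service=http user=admin src=203.0.113.10 result=pw_changed
2016-12-05T22:14:41Z cam-07 auth service=telnet user=root src=203.0.113.10 result=ok
2016-12-05T22:15:02Z cam-07 auth service=telnet user=root src=198.51.100.77 result=fail
2016-12-05T22:15:03Z cam-07 auth service=telnet user=root src=198.51.100.77 result=fail
2016-12-05T22:15:04Z cam-07 auth service=telnet user=root src=198.51.100.77 result=ok
2016-12-05T22:20:00Z cam-07 auth service=telnet user=root src=192.0.2.5 result=fail
"""

# Assumed operator management range from which the vendor reset tool is run.
MGMT_NETS = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+auth\s+(?P<kv>.+)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host: str
    service: str
    user: str
    src: str
    result: str


def parse_log(text):
    """Parse the constructed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        try:
            events.append(AuthEvent(m.group("ts"), m.group("host"),
                                    fields["service"], fields["user"],
                                    fields["src"], fields["result"]))
        except KeyError:
            continue  # missing a required field
    return events


def in_mgmt_nets(src, mgmt_nets):
    """True if src is an IP address inside one of the management networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in mgmt_nets)


def suspect_telnet_sources(events, mgmt_nets):
    """Return {src: (failures, successes)} for Telnet authentication attempts
    from addresses outside mgmt_nets.  Any success means an outsider reached
    the hardcoded-password maintenance account, whatever the web password is."""
    counts = {}
    for ev in events:
        if ev.service != "telnet" or in_mgmt_nets(ev.src, mgmt_nets):
            continue
        fails, oks = counts.get(ev.src, (0, 0))
        if ev.result == "ok":
            oks += 1
        else:
            fails += 1
        counts[ev.src] = (fails, oks)
    return counts


def format_alerts(counts):
    """One alert line per outside source, successful logins first."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1][1], -kv[1][0]))
    return [f"{'CRITICAL' if oks else 'WARN'} telnet from {src}: "
            f"{fails} failed, {oks} succeeded"
            for src, (fails, oks) in ordered]


if __name__ == "__main__":
    for line in format_alerts(suspect_telnet_sources(parse_log(SAMPLE_LOG), MGMT_NETS)):
        print(line)
```

Run on the constructed log, the management host's Telnet login is not reported (that is the remote-reset utility doing its job), while 198.51.100.77 is raised as CRITICAL because its third attempt succeeded and 192.0.2.5 as a warning. The same split between the two credential stores that makes the commission's password rule ineffective is what makes source-based monitoring and filtering of the Telnet port the useful control.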
Tags: Guideline