By next year, five Internet of Things (IoT) devices are projected to be in use for every person on the planet.
IoT devices offer endless opportunities to improve productivity, economic growth, and quality of life. Think smart cities, self-driving cars, and the ways connected medical devices can monitor our health. The potential growth of IoT is virtually infinite.
But with opportunity comes a significant amount of risk. As much as we’d like to trust manufacturers to make sure burglars can’t watch our homes through data from an automated vacuum, many new devices lack even basic security features. And thousands of new devices are coming online each year without commitment to basic measures such as using unique passwords, encrypting our data, or updating software to address vulnerabilities.
To help people and businesses around the world prepare, a dedicated group is rising to the challenge of securing the Internet of Things through cooperation across borders and sectors.
They are government agencies, non-governmental organizations, and other organizations and experts working on IoT security who have joined together to form the IoT Security Policy Platform. We are proud to say the Internet Society is among them too. Together we’ve been discussing and sharing best practices and gaps that need to be addressed. In the process, we’ve realized that all of our frameworks hold a set of principles for global IoT security in common.
The Platform already has a solid foundation for success. Its members have produced their own frameworks for IoT security or are in the process of producing one. Many, such as those in Canada, France, Senegal, and Uruguay, were created through multistakeholder processes in partnership with the Internet Society and others. But with so many frameworks comes the very real and daunting challenge of fragmentation of policies at a global level – between countries, between industries, and between consumer and industrial IoT.
Hence the need for a coordinated, collaborative effort towards improving IoT security for everyone.
Using existing guidelines to identify common themes, goals, and opportunities for alignment, on November 14th 2019 the Platform released a vision that lays out an agenda to raise the bar for IoT security practices.
Among the existing regional and national frameworks, it highlighted shared recommendations including:
- Ensure that security is incorporated in all stages of the design, development, and life-cycle, including risk assessments, security testing, and evaluation;
- Ensure that personal and critical data is protected; and
- Make it easy for users to delete personal data.
Platform members also identified practical steps to put these principles in action. For example, manufacturers should:
- Implement a vulnerability disclosure policy;
- Make clear to consumers the minimum length of time for which a device will receive software security updates;
- Provide mechanisms to securely update software;
- Build devices with unique passwords or credentials;
- Protect the communication of security-sensitive data (such as via encrypted data streams); and
- Securely store credentials and security-sensitive data.
When it comes to securing people and information online, everyone can bring something to the table.
That’s why the IoT Security Policy Platform believes it is critical to continue collaborating and recruiting new partners to further develop these frameworks to keep pace with the rapid evolution and growth of the IoT ecosystem.
Want to find out how to join?
Read more about the IoT Security Policy Platform here.
As these devastating global ransomware attacks illustrate, cybersecurity is not an issue that can be ignored. Any time a device or system is connected to the Internet, it is a potential target. What was once just another lucrative means of extorting money from Internet users, ransomware is emerging as a preferred tool for causing widespread disruption of vital services such as hospitals, banks, shipping, or airports. Attacks are growing more sophisticated and more enduring, with longer term damaging effects and wider impact. Ransomware exploits the slow pace of security patching, systems that are dependent on old software, and poor backup practices. It also provides a smokescreen for other nefarious acts including stealing data and credentials, or even wiping data. So, the name “ransomware” becomes illusory: what we are really dealing with is “hydraware.”
Also, as the recent attack demonstrates, one security vulnerability in just one piece of software can wreak havoc across multiple critical government and business services. Information security experts have traced the “patient zero” in Petya/NotPetya to poisoned update servers for M.E.Doc (accounting software developed by a Ukrainian company). This tactic is not new: as recently as May, update servers for HandBrake, a free and open-source transcoder for digital video files, were compromised with Proton malware, designed to scoop up the keychain (including all passwords) for future attack. These attacks underline how essential it is that vendors secure and monitor their software update servers.
Additionally, researchers tracing the progress of the Petya/NotPetya malware observed that it exploited user administrative privileges to gain access to credentials, which it used to infect other devices on the network. It is a timely reminder that giving users administrative privileges means a compromised device could more readily infect others on the network.
There are three other aspects of these attacks that should be called out – software patching, security vulnerability disclosure, and attribution.
Both the WannaCry and Petya/NotPetya malware exploited a security vulnerability in Windows OS known as “EternalBlue.” WannaCry should have been a warning to patch urgently, and many did. However, others did not. Why? Industrial systems may use legacy software. Enterprises may have poor software update policies, may be using unlicensed software, or may have old devices that cannot run supported software. Some of these scenarios are easier to fix than others. But a good place to start is shortening the software update cycle for as many devices and systems as possible to improve the “herd immunity” of devices connected to the Internet.
While the EternalBlue security vulnerability was known at the time of the attacks, it was originally a zero-day exploit held by the NSA, revealed to the public by ShadowBrokers. Imagine if it had not been exposed earlier in the year – how much worse might the attacks have been? These attacks bring to light the dangers of hoarding zero-day exploits and the importance of responsible security vulnerability disclosure.
Imagine you discovered that your neighbour had forgotten to lock their door. Would you tell them? What if it was the door to their bank vault or medical file? Would you keep that information to yourself, planning to enter at your leisure when no one was looking? Or would you help them secure their door? Or worse, would you hope that only you would be able to try the handle when you decided you wanted something?
States have a vested interest in strengthening the security of the Internet and the devices that connect to it. Without the Internet, there would be no digital economy. Yet any time there is a known security vulnerability, it’s like leaving the door unlocked, hoping no one will try the handle. Zero-day vulnerabilities might initially seem like attractive tools in the fight against cyber criminals, but as long as they exist they pose a real and imminent threat to hundreds or thousands of innocent users. And, as we saw with WannaCry and Petya/NotPetya, exploits of software security vulnerabilities can have real-life consequences such as delays in medical treatment, suspension of banking operations, and disruption of port services.
Criminals will always search for any way in, but state actors have a responsibility to secure the Internet, not to weaken it. They should both practice and encourage swift responsible disclosure of security vulnerabilities so they can be patched everywhere. In the end, it’s about making sure we do all that we can to protect citizens online, and out in the world.
A number of security researchers speculate that the Petya/NotPetya attack was a state-sponsored attack on Ukraine. If this is correct, it raises questions for which no one has an easy answer: Is attribution possible? When does a cyber attack rise to the level of an act of war? What should the appropriate response be? According to a statement from NATO’s Cooperative Cyber Defence Centre of Excellence, “NATO’s Secretary General reaffirmed on 28 June that a cyber operation with consequences comparable to an armed attack can trigger Article 5 of the North Atlantic Treaty.” In a recent speech, UK Defence Secretary Sir Michael Fallon clearly signaled that offensive cyber is part of their arsenal, and that cyber attacks could be met with attacks by land, air, sea or cyber. That is a clear signal that cyber warfare could spill over into the realm of military warfare. Keep in mind too that Petya/NotPetya caused disruption and harm beyond Ukraine, across the world. If the target was Ukraine, the collateral damage was extensive. How might the “non-target” countries react? And where might that take us?
These are not problems we can solve alone. However, it is clear that Internet security must be a priority, and deliberate acts to undermine it must be off limits. We must tackle Internet security from all fronts by ensuring: security vulnerabilities are identified early and responsibly disclosed; devices and systems are patched; security experts are able to coordinate and act; critical services have built in redundancy; and, users are alert to phishing and other types of social engineering.
Only through this type of collaborative security will we create an Internet we all can trust.
Whenever there’s a new attack on a global scale, the world trusts the Internet a little less. Today we are concerned with the many reports about this new ransomware attack called “Petyawrap”, “Petrwrap” or an older name of “Petya.”
The sad fact is: this new attack exploits the same vulnerabilities in Windows systems as last month’s WannaCry attack.
Fixes have been available for most Windows systems since March 2017!
The same tips Niel Harper provided last month to protect against ransomware also apply here.
Why haven’t the updates been applied? Often, smaller organizations may not have the needed IT staff. Enterprises may not fully embrace the level of business continuity planning they need. Companies may have legacy systems that are hard to patch.
Many organizations may have thought they were “safe” when they weren’t hit by WannaCry. They may have breathed a sigh of relief – and moved on to other critical needs.
The bad news is that this new attack gets nastier after the initial penetration of a network. Dan Goodin at Ars Technica relays that the attack payload includes tools to extract user passwords. It can then infect other systems on your network using those credentials. Microsoft has more technical details. Unlike WannaCry, there seems to be no “kill switch” to stop the infections. (See update below.)
As Olaf Kolkman wrote last month in response to the WannaCry ransomware:
“When you are connected to the Internet, you are part of the Internet, and you have a responsibility to do your part.”
Yet, as Brian Krebs reports at the end of his excellent piece, a recent ISACA survey found that:
- 62 percent of organizations surveyed recently reported experiencing ransomware in 2016
- only 53 percent said they had a formal process in place to address it
These attacks cause significant economic losses. They erode trust in the Internet. They limit the opportunities we all have online.
Collaborative security is a shared responsibility. We all have a part to play. We need to put the security processes in place to reduce these threats. In our companies and organizations. In nonprofits, schools, and community groups. In our homes. In our own actions.
We have the opportunity to shape tomorrow and build a stronger, more trusted Internet. One where ransomware no longer hits on a global scale.
The time is now.
UPDATE #1 – There are now reports of a “vaccine” in the form of a file you can create on a Windows system to prevent the ransomware from running. This is not a “kill switch” that can apply globally, but it is something that can be done on individual PCs. If the ransomware finds that this read-only file exists, it will not perform its attack on that machine.
See also our past articles about the WannaCry attacks: