CIO

The holidays in security: US govt takes IoT security stand as 2017 promises ransomware, DDoS escalation

Internet of Things (IoT) device hackers would be salivating at the opportunities shown by the latest gadgets at the annual Consumer Electronics Show (CES), where new opportunities to exploit connected devices promise to fulfil predictions that 2017 will be loaded with malicious machine learning and filled with “lucrative chaos” from profit-minded cybercriminals plundering the online world and filling it with, among other things, problematic fake news.

Experts were advising that IoT vendors start treating LAN environments as hostile operating spaces, while vendors were put on notice to improve wearable device security if they were to have any hope of avoiding damaging breaches. The US Federal Trade Commission sees the issue as so important that it launched a landmark case against for poor security in its routers and cameras, and offered a $US25,000 ($A34,000) prize for automatic IoT patching techniques.

Even as the world saw the first reports of Android-based TVs being infected with ransomware, experts were warning of ‘ransomworm’ code that will add worrying new elements to the ransomware scourge, which netted over $US1 billion last year by some accounts. This ratchets up the pressure on businesses that have several choices to make when their data is taken hostage – as happened to what began as hundreds and, ultimately, saw more than 10,000 MongoDB installations erased and held for ransom, in part of a growing trend that is seeing cyber-sabotage tools adopting ransomware techniques as well.

Speaking of being taken hostage: after a period of uncertainty, revelations that Russia did in fact hack the US election in favour of Donald Trump led to a flurry of recriminations. US government authorities recommended a range of retaliatory cyberattacks against Russia, which said the allegations were fuelling a ‘witch hunt’. And while there were doubts about the FBI’s investigation of Democratic National Committee servers, even Trump, who originally denied the plausibility of the allegations, eventually came around by warning that ‘no computer is safe’ from hackers.

Questions of safe havens led some to suggest that the cloud is the only safe place for data. Yet with DDoS marketplaces thriving and even some security products failing to stop man-in-the-middle attacks, the threat is hardly going to go away.

Meanwhile, Apple stepped away from a mandate that iOS developers encrypt their applications’ communications by the end of 2016, while the makers of the Plone content management system were rejecting claims that a flaw in their system was used to hack the FBI.

US immigration authorities are collecting social-media details from certain visitors. But that wasn’t the only travel news, with warnings that despite supposed security measure it is still far too easy to change other people’s flight bookings.

Financial clearinghouse SWIFT was taking a new, multi-pronged approach to reduce interbank messaging fraud, while security experts were reinforcing the importance of the ‘endpoint plus network’ security architecture.