Overnight Cybersecurity: House panel to tackle security of internet-connected devices
Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …
THE BIG STORY:
–THE INTERNET OF THINGS: Earlier this month, attackers demonstrated that internet-connected devices were an existential threat to the web. By taking advantage of lax security on cameras and other devices, someone amassed a giant network of internet-connected devices that simultaneously overloaded an important internet junction, briefly blocking access to Twitter and The New York Times. The same trick – called a distributed denial-of-service attack – was used to disconnect the nation of Liberia from the internet and slam a host of Russian banks. In fact, the tool used to run the attack is free to download. Now, lawmakers are paying attention. The House Commerce Committee takes up the issue tomorrow in a hearing. Here are some of the issues they’ll consider…
–…LEGACY DEVICES: In advance of the hearing, the Online Trust Alliance (which includes Microsoft and Twitter) released its comments for the congressional record. In them, the OTA notes: “[I]t is important to recognize there is no perfect security and privacy and all products have a finite security lifespan. One example is Windows XP. In spite of Microsoft providing Windows XP users no charge support for over a decade, today millions of PCs running XP remain at risk. While such legacy devices may be secure when shipped, no degree of patching can address unforeseen threats decades later.”
–…CAN WE INCENTIVIZE GOOD BEHAVIOR? The security firm Pwnie Express offered questions it hopes will be asked at the hearing, including how best to incentivize companies to take proper security precautions.
–…WHY DO WE THINK THAT THE U.S. HAS ANY SAY IN THE MATTER? The internet is global. Cheap cameras made in China sold to customers in Africa can be used in these denial of service attacks against the internet infrastructure in America.
–THE HEARING takes place Wednesday at 10 a.m.
A FEDERAL GUIDELINE UPDATE: The National Institute of Standards and Technology (NIST) formally unveiled its guidelines for increasing the security of internet-connected devices at a conference on Tuesday, a month ahead of schedule.
The guidelines provide advice to guard against the security problems to be discussed at Wednesday’s House Commerce hearing and more. They also address the potential for physical damage from hacked cars, medical problems from hacked health-care devices, military sabotage and unintended surveillance from hacked cameras and microphones.
“Trustworthiness doesn’t happen by accident,” said Ron Ross, the architect of the guidelines, which have circulated in draft form since 2014. “It needs to be engineered.”
The Department of Homeland Security (DHS) also released guidelines for the security of internet of things devices on Tuesday.
The DHS guide offers advice on improving security while products are being designed, managing risk, supporting updates and general security mindfulness.
Its report, “Strategic Principles for Securing the Internet of Things (IoT), Version 1.0,” takes a broad-strokes approach to explaining best practices.
DHS took a broader-strokes look at the issue, while the NIST report was more granular.
A LIGHTER CLICK: WHAT IS THE COLLECTIVE NOUN for hackers? I like “APT.”
A REPORT IN FOCUS:
ANDROIDS PHONE HOME (TO CHINA): A cybersecurity research firm says “several” models of Android mobile phones forward users’ personal information to a Chinese company.
Kryptowire discovered the security issue in Android devices using a commercial firmware updating service run by Adups Technology. The phones are designed to forward information — including the “full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI)” — back to Adups in Shanghai, the security firm wrote in a press release.
WHO’S IN THE SPOTLIGHT:
FORMER PACKETSLED CEO MATT HARRIGAN. Harrigan, the CEO of a San Diego-based technology company, reportedly resigned Tuesday after death threats he made against President-elect Donald Trump went viral.
IN CASE YOU MISSED IT:
Links from our blog, The Hill, and around the Web.
The Navy denies pirating 558,000 copies of a program for which it purchased fewer than 50 licenses. (Ars Technica)
The FBI has a contract with Dataminr, a Twitter intelligence company. Twitter has a stake in the company and blocked it from doing business with the CIA. (The Verge)
Jim (siren) Cramer says (air horn) cybersecurity stocks might be (breaking glass) in for a turnaround. (The Street)
An MIT professor suggests polling places give voters cryptographic receipts to guarantee their votes were accurately counted. (MIT)
IBM asks Trump to support “new collar” jobs. (CNBC)
