The growing presence of connected devices is increasing efficiency in homes, workplaces and other areas of life that have seen the introduction of the IoT. Despite the expansion of connected devices, however, there remain a number of consumers who are reluctant to adopt the IoT due to security concerns.
One of the reasons for this is that security often remains an afterthought when developing a device that, once in the hands of the consumer, may contain vulnerable software, making the consumer an easy target for being hacked.
Category Archives: IoT
FCC Holds Off on Security Mandates for Internet of Things | Morning Consult
Don’t expect the Federal Communications Commission to rush into issuing network security rules anytime soon, even in the face of a congressional inquiry seeking the agency’s response to the massive Oct. 21 distributed-denial-of-service attack.
At issue is whether the FCC’s Open Internet rules restrict internet service providers’ ability to block insecure Internet of Things (IoT) devices from their networks and whether the commission should mandate greater safeguards.
But the commissioners generally believe the Open Internet order already gives ISPs sufficient leeway to protect their networks from vulnerable internet-connected devices without additional regulations or standards. And, according to FCC officials, there isn’t much of an appetite to issue any new mandates now.
Source: FCC Holds Off on Security Mandates for Internet of Things – Morning Consult
DDoS And 3 Recommendations To Secure The Internet Of Things (IoT) | Forbes
Last week we experienced the first security attack publicly and widely attributed to the Internet of Things (IoT). This day has been a long time in coming. It’s really far from the first IoT security breach, mind you, but this is the first one that affected a wide group of people and received major press as an Internet of Things attack.
Source: DDoS And 3 Recommendations To Secure The Internet Of Things (IoT) | Forbes
Double-dip Internet-of-Things botnet attack felt across the Internet | Ars Technica
The distributed denial of service attacks against dynamic domain name service provider Dyn this morning have now resurged. The attacks have caused outages at services across the Internet.
But this second wave of attacks appears to be affecting even more providers. According to Dale Drew, the chief security officer at Level 3 Communications, the attack is at least in part being mounted from a “botnet” of Internet-of-Things (IoT) devices.
Source: Double-dip Internet-of-Things botnet attack felt across the Internet | Ars Technica
We Need to Save the Internet from the Internet of Things | Motherboard
Distributed denial-of-service attacks are a family of attacks that cause websites and other internet-connected systems to crash by overloading them with traffic. The “distributed” part means that other insecure computers on the internet—sometimes in the millions—are recruited to a botnet to unwittingly participate in the attack. The tactics are decades old; DDoS attacks are perpetrated by lone hackers trying to be annoying, criminals trying to extort money, and governments testing their tactics. There are defenses, and there are companies that offer DDoS mitigation services for hire.
Basically, it’s a size vs. size game. If the attackers can cobble together a fire hose of data bigger than the defender’s capability to cope with, they win. If the defenders can increase their capability in the face of attack, they win.
Source: We Need to Save the Internet from the Internet of Things | Motherboard
IoT Default Passwords: Just Don’t Do It | Dark Reading
Earlier this month, an underground forum released the code for the Mirai malware, which lets attackers hijack the thousands (and counting) of Internet of Things devices that are used to carry out distributed denial-of-service attacks.
Panic ensued.
Of course it did. This hack means that everyone can now view the code that allowed someone using the name Anna-senpai to harness 380,000 bots via weak telnet connections. Let’s ignore for now that in 2016 there is absolutely no reason to have telnet on any IoT device.
That aside, much of the subsequent hand-wringing over default password damage control missed the one glaring thing that manufacturers, startups, and providers can do to prevent this sort of devastating vulnerability: Don’t use default usernames and passwords in the first place.
The most common reasons for using default usernames and passwords boil down into a few key arguments (when you leave out “we’ve always done it this way,” which I won’t even dignify with a response because I know if you’re reading this, that’s not an argument you care about).
Source: IoT Default Passwords: Just Don’t Do It | Dark Reading
IoT Devices as Proxies for Cybercrime | Krebs on Security
Multiple stories published here over the past few weeks have examined the disruptive power of hacked “Internet of Things” (IoT) devices such as routers, IP cameras and digital video recorders. This post looks at how crooks are using hacked IoT devices as proxies to hide their true location online as they engage in a variety of other types of cybercriminal activity — from frequenting underground forums to credit card and tax refund fraud.
Recently, I heard from a cybersecurity researcher who’d created a virtual “honeypot” environment designed to simulate hackable IoT devices. The source, who asked to remain anonymous, said his honeypot soon began seeing traffic destined for Asus and Linksys routers running default credentials. When he examined what that traffic was designed to do, he found his honeypot systems were being told to download a piece of malware from a destination on the Web.
Source: IoT Devices as Proxies for Cybercrime | Krebs on Security
IoT security guidance emerges | Network World
More than a year ago, an eye-opening RAND study on cybersecurity comprehensively explored just how vulnerable the Internet of Things (IoT) is and was going to be. Afterthought-style patch-on-patch security, as well as significant vulnerability risks involved with slapping internet connectivity on previously non-connected objects, were among the startling findings and predictions in that report.
Since then, questions have arisen as to just how one should approach the security needs of the soon-to-be billions of networked, smart, cheap sensors expanding around the globe like popcorn.
There is a “need for IoT security,” affirms the Cloud Security Alliance (CSA) in its 80-page guidance released today.
Let’s get serious about IoT security | Computerworld
No one doubts anymore that internet of things (IoT) devices pose a huge security threat, as a recent massive IoT-fueled DDoS attack made clear. But what many enterprises have yet to wake up to is that major structural changes are needed, involving IT and C-level executives above IT. IoT is a new and different kind of threat that can’t be effectively battled in an old-fashioned way.
From an enterprise’s perspective, there are three sides to the IoT threat: 1) being attacked by an IoT army from around the world; 2) allowing enterprise-owned IoT devices to participate in such an attack against others; and 3) allowing your IoT devices to attack your own company. Making structural changes to your business will do nothing to help you defend against the first scenario, but it could make a profound difference in blocking attack scenarios two and three.
Source: Let’s get serious about IoT security | Computerworld
When will the IoT reach critical mass? | IoT Design
Overly optimistic market predictions have led to high expectations for the Internet of Things (IoT), but those forecasts are becoming more modest as adoption of the IoT proves to be slower than projected. Dr. Shipeng Li, CTO of IngDan, weighs in on the next steps in overcoming issues with usability and usefulness and spurring adoption of the IoT.