How to defeat botnets

With help from Eric Geller and Martin Matishak

THE STAKEHOLDERS SEND THEIR REGARDS — Tech companies, wireless providers, trade groups, civil society groups and other interested parties filled up the National Telecommunications and Information Administration’s inbox with ideas for reducing the risks of botnets, the malicious armies of hacked devices that have powered spam campaigns and website takedowns. NTIA asked for public feedback to help it prepare a report to President Donald Trump on botnets as part of his cybersecurity executive order, and on Monday the agency posted all the comments it received by the July 28 deadline. Here are a few of the ideas it received:

— Transparency: If private companies cooperate with government agencies — for example, in the takedown of botnets using the companies’ infrastructure — they should do so as publicly as possible, argued the Center for Democracy & Technology. “One upside to compulsory powers is that they presumptively become public eventually, and are usually overseen by judges or the legislative branch,” CDT argued in its filing. “Voluntary efforts run the risk of operating in the dark and obscuring a level of coordination that would be offensive to the general public. It is imperative that private actors do not evolve into state actors without all the attendant oversight and accountability that comes with the latter.”

— Education: Because so many different players in the internet of things marketplace are responsible for overall security, it is essential that government and industry spread awareness of best practices and things to avoid, according to the Consumer Technology Association. “Within the United States, education and awareness is a challenge that must be addressed holistically. No single entity can reach out to all the necessary parties — from manufacturers to retailers to installers to consumers,” CTA said. “Overcoming these gaps requires effective teamwork and collaboration, information sharing about the threats and solutions, and awareness of which players are responsible for what actions and when.”

— Common sense: New America’s Open Technology Institute argued that IoT device makers should start equipping their products with basic security from the start — including by randomizing each device’s default username and password, making it much harder for hackers to locate and take over poorly configured devices. “The ability to modify login credentials should not be taken as a replacement for the implementation, where possible, of unique passwords for every device sold,” OTI wrote. Also on the common-sense front, OTI said that IoT devices “must be designed in such a way that they can be patched or updated.”

— Applause for NIST, NTIA: The two Commerce Department agencies are contributing well to productive discussions about internet of things security and botnets and should be encouraged to keep doing so, wrote the U.S. Chamber of Commerce. “The Chamber believes the NTIA IoT security upgradability and patching effort and related activities can advance the private sector’s interest in collaborative, voluntary best practices and shared information,” it said. And NIST, which produces a widely used cybersecurity framework, “did an admirable job” of seeking industry input on the document. “The Chamber believes the department is well positioned to convene stakeholders to identify existing standards and guidance to enhance the security and resilience of the IoT.”


WHAT IS DEAD MAY NEVER DIE Russia isn’t ruling out improvement to relations with the United States, following Congress’ passage of new sanctions and Moscow’s retaliatory removal of U.S. diplomatic personnel. President Vladimir Putin’s spokesman appealed Monday to Trump’s earlier pledges to heal the rift between the two countries during the 2016 campaign, when the U.S. intelligence community accused Russian hackers of digitally disrupting the election. “The will to normalize these relations should be placed on the record,” said the spokesman, Dmitri Peskov. “Of course we’re not interested in those relations being subject to erosion,” he added. “We’re interested in sustainable development of our relations and can only regret that, for now, we are far from this ideal.” But Putin said he had lost hope.

BEND THE KNEE, RUSSIA Trump’s top lieutenant, though, showed no signs Monday of relaxing rhetoric. “The United States stands with the nations and people of the Baltic States — and we always will. We stand with our NATO allies in our commitment to your security,” Vice President Mike Pence said in remarks at the HQ of Estonia’s defense forces. “Today we stand where East meets West — on a great frontier of freedom. No threat looms larger in the Baltic States than the specter of aggression from your unpredictable neighbor to the east.” Pence criticized Russian attempts to “undermine democracies of sovereign nations,” and its “malign influence” in the region. “To be clear: We hope for better days, for better relations with Russia, but recent diplomatic action taken by Moscow will not deter the commitment of the United States of America to our security, the security of our allies, and the security of freedom-loving nations around the world,” Pence said.

YOU KNOW NOTHING, CISO — Hackers say they have stolen 1.5 terabytes of data from HBO, including scripts for “Game of Thrones” and the network’s new show “Room 104,” according to Entertainment Weekly. The unknown thieves have already posted what they say are full episodes of “Room 104” and the HBO show “Ballers,” and they say more is “coming soon.” HBO told EW that it had experienced “a cyber incident” involving “the compromise of proprietary information.” In an email to employees, HBO CEO Richard Plepler wrote that the threat of hacking “is unfortunately all too familiar in the world we now find ourselves a part of.” Word of the hack first spread on Sunday, when a group claiming to have breached HBO emailed journalists to offer up the stolen material. There is no evidence that the hackers have stolen full episodes of “Game of Thrones.”



Continue reading…