IoT security, was Krebs on Security booted off Akamai network

bzs at TheWorld.com
Sun Oct 9 20:19:07 UTC 2016


On October 9, 2016 at 20:07 mel at beckman.org (Mel Beckman) wrote:
 > Barry,
 > 
 > The problem isn't authentication during initial installation, since that can be done using SSL and a web login to the cloud service. The problem is that vendors aren't even using minimal security protections, such as SSL, and then leaving devices open to inbound connections, which is bad even behind a firewall (because viruses typically scan LANs for these vulnerable devices). These are the devices exploited by hackers to become DDoS attack vectors. 

It helps solve the bad (including manufacturer's default) password
problem which was one of the attack vectors.

The proposal only forces this to be used during initial installation
and configuration (and any reconfig) arguing that it so lowers the
threshold, just swipe a magstripe, there's really no excuse. And
eliminates the owner choosing a password for the device, bad or
otherwise.

But, again, alas no swipe hardware. Big historical error I think but
rectifying is feasible.

-- 
        -Barry Shein

Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
