The US National Institute of Standards and Technology (NIST) published a draft guide, NISTIR 8259 - Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers. The guide aims to help Internet of Things (IoT) device manufacturers understand the cybersecurity risks their customers face. The publication defines six cybersecurity features that manufacturers can voluntarily build into their IoT devices and that consumers can look for when shopping for such devices. The six features are: (1) device identification - the IoT device should have a way to identify itself, such as a serial number and/or a unique address used when connecting to networks; (2) device configuration - users should be able to change the device’s software and firmware configuration; (3) data protection - it should be clear how the IoT device protects the data it stores and how it guards against unauthorised access and modification; (4) logical access to interfaces - the device should limit access to its local and network interfaces to authorised parties; (5) software and firmware update - the device’s software and firmware should be updatable through a secure and configurable mechanism; (6) cybersecurity event logging - IoT devices should log cybersecurity events and make the logs accessible to the owner or manufacturer. The deadline for public comments on this report is September 30. The guide complements NIST’s recent publication on the IoT cybersecurity challenges faced by large organisations (e.g. federal agencies).
111 signatories of the Cybersecurity Tech Accord agree to implement vulnerability disclosure policies by the end of the year
Since its launch, one of the main commitments of the Cybersecurity Tech Accord has been the need for governments and industry to adopt vulnerability disclosure policies (VDPs). On 25 July the Cybersecurity Tech Accord welcomed four new signatories (Archive360, Exeltek Consulting Group, Indra Minsait, and Professional Option), bringing the total to 111 signatories committed to adopting VDPs by the end of the year, in addition to those that already have them (the Coordinated Vulnerability Disclosure policies of Microsoft and HP, for example). Notably, there are different approaches to VDPs, reflecting the needs and principles of a particular company and its customers; however, they are all based on the recommendations elaborated by the Global Forum on Cyber Expertise (GFCE).
In the aftermath of the data breach Equifax suffered in 2017, which exposed the data of 143 million customers, the company has agreed to a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 US states and territories. The settlement includes up to $425 million to help customers affected by the data breach, who can file a claim for free credit monitoring and identity theft protection services, cash payments (capped at $20,000 per person), free help recovering from identity theft, and free credit reports.
Amazon informed its customers that the Align nutritional supplements sold on its platform by third-party vendors were counterfeits. The company recommended that its customers in the US stop using the supplements and dispose of them. Amazon does not know whether any of its customers have ingested something dangerous. Customers received a full refund for the fake supplements they had purchased. Amazon has fought against fake products sold by third parties for years. The company claims to investigate every claim of counterfeiting, often with the assistance of brands, to remove the illegal items from sale, and to permanently ban bad actors. However, Amazon’s liability for illegal third-party products is limited in the US. Courts have ruled that marketplaces such as Amazon and eBay are mere intermediaries between customers and sellers and are therefore immune under section 230 of the Communications Decency Act (CDA). Amazon is both a retailer and a third-party marketplace. In a recent ruling, a court of appeal acknowledged that Amazon’s product listings, which feature its own products alongside third-party products, make it difficult for customers to understand from whom they are purchasing a product.
The International Telecommunication Union (ITU) convened the Global Symposium for Regulators (GSR-19) on 9-12 July in Port Vila, Vanuatu. The GSR is a global multistakeholder platform to discuss persistent regulatory issues, share experiences and knowledge, and collaborate on major issues facing the information and communication technology (ICT) sector. GSR-19 addressed the different means of bringing affordable, safe, secure, and trusted online access to people everywhere. The sessions covered a wide range of topics, including digital strategies and policies, infrastructure regulation, innovative investment and financing mechanisms, trust and confidence in a data-driven economy, the need for spectrum, preparing for 5G, and the changing role of the consumer. During the event, the UN Broadband Commission for Sustainable Development held a session on ‘Getting the Next 3.7 Billion Online’ on 10 July 2019 to look at the role of collaboration in bringing the offline population online, including the need for inclusive, people-centred approaches and innovative investment models for affordable and secure connectivity. The session further addressed the partnerships and public-private cooperation mechanisms required to meet the sustainable development goals (SDGs) using ICTs.
During the Independent Inquiry into Child Sexual Abuse (IICSA), which heard evidence from online companies such as Facebook, Apple, Microsoft, and Google on the initiatives they have taken to combat child abuse online, Facebook was accused of leaving ‘broken children as collateral damage’ for its commercial aims.
Barrister William Chapman, representing the abused victims, argued that the social media companies were not taking adequate measures to prevent paedophiles from reaching children online because of their business models, and that the time had come for these platforms to be ‘fundamentally redesigned’. Recommendations the victims put before the inquiry for the tech companies included paying compensation to children abused through their services and banning the practice of posing as a child online without reasonable excuse.
US President Donald Trump signed an Executive Order on Securing the Information and Communications Technology and Services Supply Chain on 15 May. The order declares a state of emergency due to increased adversarial cyber-enabled actions, including economic and industrial espionage against the USA and its people. The order requires the US Secretary of Commerce to minimise the risks posed by foreign companies controlled by adversaries and to bar them from selling equipment and technologies on the American market, as well as from buying from US companies. The order is seen as clearly directed against China and its IT giant Huawei. Huawei was placed on the Entity List, a trade blacklist that requires US companies to obtain government approval before doing business with listed entities. Google has suspended business operations with Huawei, stating that the Chinese tech giant will ‘immediately lose access to updates to the Android operating system, and the next version of its smartphones outside of China will also lose access to popular applications and services including the Google Play Store and Gmail app’.
In early May, WhatsApp discovered that its service had been used to install sophisticated surveillance malware on an unknown number of smartphones. The attackers used a security flaw in WhatsApp’s voice calling function that enabled them to run ‘a remote code execution via specially crafted series of secure real-time transport control protocol (SRTCP) packets sent to a target phone number’. Infection by the malicious code could occur even if the call was not answered. The vulnerability enabled attackers to read messages on the target’s device with interception tools, bypassing the end-to-end encryption used by WhatsApp.
The number of infected devices is not yet known, but researchers claim the attack targeted a small number of human rights activists. The Financial Times attributed the surveillance software to the Israeli NSO Group, known for its Pegasus programme, which some governments have used to intercept the communications of human rights activists. The NSO Group, however, denied its involvement in the attack. WhatsApp encouraged users to upgrade to the latest version of the app on Android, iOS, and Windows Phone devices.
Technology companies Facebook, Google, Apple, BT, and Microsoft have been accused of failing to prevent the online abuse of children and will have to provide evidence on the adequacy of the initiatives they have taken to prevent online abuse before the independent inquiry into the sexual abuse of children being held in the UK.
Opening the proceedings on Monday, legal counsel Jacqueline Carey shared cases of child abuse online and its devastating impact on the victims’ lives. The tech giants will have to provide evidence within the next ten days.
The UK National Police Chiefs’ Council lead on child protection, Simon Bailey, suggested that the only way to force social media companies to pay attention and take steps to protect children online is a public boycott. He said he has so far seen no initiatives from social media companies that indicate a sincere commitment to safeguarding children online. He added: ‘Ultimately I think the only thing they will genuinely respond to is when their brand is damaged. Ultimately the financial penalties for some of the giants of this world are going to be an absolute drop in the ocean’.