Information Security Newspaper (https://www.securitynewspaper.com/)

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets
https://www.securitynewspaper.com/2023/07/19/us-govt-wants-new-label-on-secure-iot-devices-or-wants-to-discourage-use-of-chinese-iot-gadgets/
Wed, 19 Jul 2023 22:21:17 +0000

The Federal Communications Commission (FCC) in the United States has recently presented a proposal for a smart device security standard that has been dubbed the “U.S. Cyber Trust Mark.” The objective of the program is to help end users choose smart products that have a higher level of security. This includes a wide variety of smart home appliances such as refrigerators, microwaves, TVs, and fitness trackers. The cybersecurity certification and labeling scheme, the new “U.S. Cyber Trust Mark” program proposed by Chairwoman Jessica Rosenworcel of the FCC, was introduced today by the Biden-Harris Administration.

Many of the world’s largest retailers, wholesalers, and trade groups for the consumer electronics, home appliance, and consumer goods industries have voluntarily committed to improving the level of cybersecurity included in the items they sell. Amazon, Best Buy, Google, LG Electronics USA, Logitech, and Samsung Electronics are among the manufacturers and merchants who have announced their support and commitments to the initiative today. If the new program is implemented as planned, a newly designed “U.S. Cyber Trust Mark” in the form of a distinctive shield emblem, visible to customers, would be attached to items that meet defined cybersecurity standards. The purpose of the program is to give customers the resources they need to make informed judgments about the level of risk posed by the products they decide to bring into their homes.

The Federal Communications Commission (FCC), acting under its authority to regulate wireless communication devices, is scheduled to seek public comment on the proposed voluntary cybersecurity labeling scheme, which is projected to be up and running in 2024. According to the current plan, the program would make use of stakeholder-led efforts to certify and label products. The certification and labeling would be based on specific cybersecurity criteria published by the National Institute of Standards and Technology (NIST) that, among other things, mandate the use of unique and robust default passwords, data protection, software updates, and incident detection capabilities.

The current administration, including the Cybersecurity and Infrastructure Security Agency, will assist the Federal Communications Commission (FCC) in its efforts to educate customers to look for the new label when making purchase choices and to encourage large U.S. retailers to prioritize labeled items, giving them more prominence on store shelves and online.

The Federal Communications Commission (FCC) plans to provide customers with detailed and comparable security information on these smart gadgets via a QR code that links to a national register of approved devices. The Commission intends to implement supervision and enforcement protections to preserve trust and confidence in the program, and it expects to do so in collaboration with other regulatory agencies, including the United States Department of Justice.

The National Institute of Standards and Technology (NIST) will immediately begin an effort to specify the cybersecurity criteria for consumer-grade routers, a higher-risk kind of equipment that, if hacked, may be used to eavesdrop, steal passwords, and target other devices and high-value networks. NIST will finish this work by the end of 2023, at which point the Commission will be able to decide whether to adopt these standards in order to broaden the scope of the labeling program to include consumer-grade routers.

A collaborative effort to explore and establish cybersecurity labeling standards for smart meters and power inverters, both key components of the clean, smart grid of the future, was also announced today by the United States Department of Energy (DOE). This work will be carried out in conjunction with National Labs and industry partners. The United States Department of State is committed to assisting the Federal Communications Commission (FCC) in engaging allies and partners in harmonizing standards and achieving mutual recognition of comparable labeling initiatives on an international scale.

Amazon, Best Buy, Carnegie Mellon University, CyLab, Cisco Systems, Connectivity Standards Alliance, Consumer Technology Association, Consumer Reports, Google, Infineon, the Information Technology Industry Council, IoXT, KeySight, LG Electronics U.S.A., Logitech, OpenPolicy, Qualcomm, Samsung Electronics, UL Solutions, Yale, and August U.S. are among the participants in today’s announcement.

POPULAR NEWS VIDEO 3 AUG
https://www.securitynewspaper.com/2019/08/03/popular-news-video-3-aug/
Sat, 03 Aug 2019 22:19:56 +0000

You can hack security cameras, as we see in the movies | WhatsApp now alerts when a message was sent many times

Below are the links of the cyber security news.

1. You can already hack security cameras, as we see in the movies

2. WhatsApp now alerts when a message was sent many times

It Still Takes 2 Minutes to Have Vulnerable IoT Devices Compromised Online
https://www.securitynewspaper.com/2017/08/30/still-takes-2-minutes-vulnerable-iot-devices-compromised-online/
Wed, 30 Aug 2017 13:46:08 +0000

Almost a year after the emergence of the Mirai botnet, smart devices are still facing a barrage of credential attacks, and a device left connected to the Internet with default credentials will be hijacked in about two minutes.

This is the result of a recent experiment carried out by Johannes B. Ullrich, a member of the SANS Technology Institute. Ullrich bought an Anran DVR system and left it connected to the Internet for two days. Ullrich left the device in its default state, with the Telnet port open to external connections, and with its default credentials intact (root/xc3511).

The researcher logged everything that happened on the device and connected the DVR to a remote-controlled power outlet that reset it every five minutes. Resetting the device was necessary because this action removed any malware from previous infections.

Experiment results: DVR hijacked every two minutes

Results showed that 10,143 “users” connected to the device from 1,254 different IPs during the two-day experiment.

The device was left online for 45 hrs and 42 min, which meant that around every two minutes, someone connected to the device using the default credentials.

Start Time: Aug 24th 11:53 am
End Time: Aug 26th 9:35 am
Data Collected: 3,098 MBytes, 36 Million Packets
Time Active: 45 hrs 42 min
Total connections to the DVR: 10,143
Total login attempts using the “xc3511” password: 1254 Different IPs (every 2 minutes)

Ullrich analyzed the IP addresses using Shodan, and to nobody’s surprise, most of the IPs from where logins originated were traced back to other IoT devices from vendors such as TP-Link, AvTech, Synology, and D-Link, the usual suspects when it comes to botnet cannon fodder.

These devices were most likely infected with IoT malware. Mirai and most of today’s IoT malware families include Telnet or SSH scanners that select random IP addresses and attempt to log in via Telnet or SSH with a list of default credentials.

This type of self-spreading mechanism has been used for years, but it became very popular after the large-scale DDoS attacks carried out with the Mirai malware. After the Mirai malware source code was released online, Telnet and SSH scanners became almost prevalent.

Results similar to 2016 experiment

Last year, in the middle of all the Mirai-powered DDoS attacks, security researchers carried out a similar test by putting an IP-based security camera with default credentials online. IoT malware took control over the camera in 98 seconds (1.5 minutes) on average.

Almost a year after that experiment, the security of IoT devices hasn’t improved at all, and IoT malware scanners are as aggressive as they were last year.

“This problem isn’t going away anytime soon,” Ullrich concluded. “If people haven’t heard yet about vulnerable DVRs and default passwords, then they will not read this article either.”

Ullrich’s experiment comes on the heels of another IoT security woe: last week, security researchers discovered a Pastebin list containing thousands of fully working Telnet credentials.

Source: https://www.bleepingcomputer.com/news/security/it-still-takes-2-minutes-to-have-vulnerable-iot-devices-compromised-online/
