Here's what I’m reading this week:
- The Justice Department wants you ... to set up a vulnerability disclosure program: Last week DOJ’s Computer Crime and Intellectual Property section released a new guide for companies looking to design a vulnerability disclosure program. The guide lays out several key steps that every organization should take to make sure their program (and anyone that participates in it) stays on the right side of the law. To put it mildly, this is a must read for anyone looking to set up a program like this.
I'm reading: "A Framework for a Vulnerability Disclosure Program for Online Systems."
- In the blue corner, clocking in at a slender 20 pages: a new IoT bill!: After years of attempts at top-heavy, overbroad cybersecurity legislation, Sens. Mark Warner and Cory Gardner are taking a lean-and-mean approach to the challenges raised by IoT. For a narrowly tailored bill, it takes on a range of important issues. It requires that IoT sold to the USG be patchable via a “properly authenticated update” mechanism, not be shipped w/unsecurable vulnerabilities, and not use hard-coded passwords. It also proposes exceptions to the CFAA and DMCA to shield cybersecurity researchers looking to help make these systems safer. The bill has its share of problems (no approach to such a complex issue will be error free), but it’s a refreshingly focused attempt to tackle a very hard challenge.
Would you like ransomware with your coffee?: This week, a petrochemical plant reportedly suffered from repeated ransomware infections in its controllers because its supposedly-air-gapped SCADA network had in fact been connected to the outside world through a series of...wait for it...connected coffee makers. If you needed another object lesson in what happens when your network isn’t architected the way you think it is, this is it. This is still an anonymous report with relatively little detail, so keep an eye on this to see if more surfaces in the coming days and weeks.I'm reading: "How the coffee-machine took down a factories control room."
- Fighting terror with machine learning: Buzz words aside, virtually every online platform today is struggling to figure out how to quickly identify terrorist content and hate speech inside its ecosystem. This is – to put it mildly – a fraught challenge. Ignoring the problem gives malicious actors free range, but overzealous takedowns can stifle speech and send users fleeing to other communities. Earlier this week, Youtube announced a new program to leverage machine learning techniques combined with human review to better identify and flag suspicious content. Transparency and innovation around these efforts are essential steps – this is definitely one to watch as the effort moves forward.
I'm reading: "An update on our commitment to fight terror content online."
- Hacking voting machines like it’s 2001: At Defcon this year, researchers tackled 20 voting machines in an attempt to see just how insecure they were. The answer? Pretty insecure. Participants used a string of vulnerabilities – including a Windows XP vulnerabilities that has been patched since 2003 – to own machine after machine. The short answer here is not just that the voting machines were vulnerable, it’s that they were vulnerable using well-known, public, out-dated techniques. No James Bond needed here.
I'm reading: "Hacker Cracks Voting Machine in Less Than 2 Hours."
- Hacker's arrest draws attention & criticism, with many unanswered questions: Marcus Hutchins, the hacker who was partly responsible for stopping the WannaCry epidemic earlier this year by discovering and registering a "kill switch" domain found within the malware, was arrested by the FBI as he attempted to leave Las Vegas after Defcon. Hutchins was charged with creating and distributing a different piece of malware – the Kronos banking trojan. The information about his arrest is still limited (only the initial indictment is public at this point), but it has already been criticized by technical and legal experts. Depending on how the facts develop, this could be a serious flash-point for controversy in the weeks and months to come.
I'm reading: "Computer law expert says British hacker arrest problematic."