nanog mailing list archives
Re: IoT security, was Krebs on Security booted off Akamai network
From: Mel Beckman <mel () beckman org>
Date: Sun, 9 Oct 2016 20:24:11 +0000
You might as well wish for fingerprint readers. It's not going to happen, and thus can't be remedied. But there are already acceptable COTS solutions that need no special hardware. IoT vendors simply have to use them.

-mel beckman
On Oct 9, 2016, at 1:20 PM, "bzs () TheWorld com" <bzs () TheWorld com> wrote:

On October 9, 2016 at 20:07 mel () beckman org (Mel Beckman) wrote:

Barry, The problem isn't authentication during initial installation, since that can be done using SSL and a web login to the cloud service. The problem is that vendors aren't even using minimal security protections, such as SSL, and then leaving devices open to inbound connections, which is bad even behind a firewall (because viruses typically scan LANs for these vulnerable devices). These are the devices exploited by hackers to become DDoS attack vectors.

It helps solve the bad (including manufacturer's default) password problem which was one of the attack vectors. The proposal only forces this to be used during initial installation and configuration (and any reconfig) arguing that it so lowers the threshold, just swipe a magstripe, there's really no excuse. And eliminates the owner choosing a password for the device, bad or otherwise. But, again, alas no swipe hardware. Big historical error I think but rectifying is feasible.

--
-Barry Shein
Software Tool & Die | bzs () TheWorld com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*