Weekly Threat Report - 12th October 2018
Californian state law change for connected devices
In a bid to strengthen cyber security, California passed a state law requiring all manufacturers of internet-connected devices to improve their security features.
By 2020, in order to sell their products in California, manufacturers will need to ensure that devices such as home routers have a unique pre-programmed password or an enforced user authentication process as part of the setup. Default passwords such as ‘password’ or ‘default’ will be deemed weak and in breach of the state law. This could then expose the manufacturer to prosecution should the user become the victim of cyber crime because of weak security on the device.
This positive step will encourage the manufacture of products with greater cyber security that will roll out to wider global markets.
Internet of Things (IoT)-related cyber crime is well documented, with the Mirai and Owari botnets widely reported. In March 2018, DCMS (The Department of Digital, Culture, Media and Sport) and the NCSC published a report on Secure by Design, and called for industry, academic institutions and civil society to contribute to the proposed interventions. The report identifies two main risks associated with insecure IoT devices:
consumer security, privacy and safety may be undermined by the vulnerability of individual devices; and
the wider economy faces an increasing threat of large-scale cyber attacks launched from large volumes of insecure IoT devices.
The NCSC and DCMS will be publishing the Secure by Design Code of Practice, in addition to consumer guidance on IoT devices, in the coming weeks.
Google+ and Project Strobe
On 8 October, Google announced the existence of Project Strobe – a comprehensive review of third-party developer access to Google account and Android device data, and their philosophy around apps’ access to data.
As part of that announcement they disclosed that in March 2018 they had identified and immediately patched a bug in the Google+ platform. That bug potentially exposed customer data including “name, nickname, email address, occupation, gender, relationship status, birthday and age”. Google’s analysis identified that in the two weeks prior to the bug’s fix, the profiles of up to 500,000 accounts were potentially affected. Google found no evidence that any developer abused the bug, nor evidence that any profile data was misused. However, for privacy reasons Google only retain two weeks’ log data, so they were unable to rule out misuse prior to this period.
Google has decided to shut down the Google+ service in August 2019, due to lack of use and the difficulty of maintaining the service.
For any user of social media, this breach is a reminder that social media applications you no longer use may still hold your data, and that data could still be leaked.
It is recommended that any active or inactive users of social media platforms review the data held about them by such platforms to limit any future exposure to breaches. They should also review their privacy settings with companies, including Google, which have introduced further privacy checks with the introduction of GDPR.