DDoSing has evolved in the vacuum left by IoT's total absence of security

IoT botnets have transformed the threat landscape, resulting in a big increase in the size of DDoS attacks from 500Gbps in 2015 up to 800Gbps last year. Hackers have been able to "weaponise" digital video recorders, webcams and other IoT devices due to inherent security vulnerabilities, according to the DDoS mitigation firm …

  1. WibbleMe

    I wonder if there is a Gov Cyber black ops team to "kill" infected IoT devices, seems the only way.

  2. pdh

    Fining the manufacturers and/or users of IoT devices implicated in these kinds of attacks would be another approach.

    1. Prst. V.Jeltz Silver badge

      Well, maybe the ISPs could suspend internet access for IP addresses taking part in the DDoS, much to the surprise of the owners.

      1. Mage Silver badge

        Clue in the name DDOS

        An individual might have as much legitimate traffic as their IoT thingy. Far too complicated for an ordinary ISP to figure out.

    2. Crazy Operations Guy

      Especially if the fines could be used to pay for a UL-style security certification group. Maybe have multiple levels ranging from "Definitely going to be part of a botnet the second you plug it in" to "More security than even a TEMPEST data-center would need" with many levels in between.

      Or maybe just require manufacturers to include some kind of rating based on the device's security based off a weighted-average of CVE ratings.

      UL rates devices for how long something will last in a fire, so why not some kind of rating for how long a device would last while being attacked in the wild?

  3. Anonymous Coward

    Welcome to monetary vs. ethics 2.0

    Sure, the lack of security in those devices is indeed the culprit causing it all but in my opinion the actual underlying issue is money. Plain old cashing in, grabbing the cash without having to do too much in return.

    Or to put this simply: companies don't care. At all. And to make this even worse our (European) governments are far too busy debating the risks of cookies and how that might track customers (which, in all honesty, does have a sense of truth in it of course!) but who will then also totally ignore any requirements of ensuring (or trying to ensure) Internet safety.

    Now... Of course this is a very hot topic. I mean, I could easily argue that it might be a good idea to set up a European firewall which can be used to shield us from obviously hacked (Chinese & Russian) machines (the ones every sysadmin knows about when they go through their auth or mail logs), but we all know that's a very bad idea because it can (and will) eventually be used for other censoring purposes.

    But why don't we have anything like this yet on a smaller scale? When I provide plenty of logs and evidence that a machine somewhere in Holland (where I happen to live) has been compromised and is actually causing problems on the Internet then it remains to be seen if the hosting company will actually take action. Some of those which value their reputation a bit will, but most who value their income more tend to ignore it.

    And the worst part of this is that our political leaders have basically done nothing whatsoever to try and put a stop to all that. If I take such a story to the police here then I'll have a very hard time explaining what exactly is going on and I'm 100% sure that the outcome will only consist of me losing a few hours of my time (assuming they'll actually listen to me for that long).

    Yet on the other hand the government here is all too eager to utilize the Internet for their own gain. Government information? Websites. Tax applications? Digital. Heck, there has even been mention of trying to remove snail-mail from our tax department entirely and move it all to the digital age. Although this may sound wonderful to some of us it also overlooks the main issue here: our government gladly accepts the benefits from the digital age (setting up information on a CMS is far cheaper than having to print & post it to individuals) but cannot be bothered to take up their responsibility.

    Oh, sorry mr./mrs. politician, my deepest apologies. Of course you did act on your responsibilities. If you hadn't then we wouldn't have to click yes on nearly every frickin' website around because of something as trivial as a cookie. Yet when it comes to ignoring signs of a compromised machine which could be used for god knows what then it's all different and no penalties or regulation exists. At all.

    So yeah, picture me very surprised how this Internet of broken Things mess has come about. Because.. what negative effects will this have for the manufacturers anyway? None!

  4. Prst. V.Jeltz Silver badge

    A clever IoT weaponiser would beef up the security on his stolen thing so that anyone attempting to patch them failed.

    1. Crazy Operations Guy

      That is what botnet operators already do. They secure their victim so that they are the only ones that can use it. For a while, I saw some infected systems come into my shop with anti-virus running and configured, but with the malware added to the whitelist. There was one case where I saw someone had re-packaged ClamAV so that it would ignore their malware and actually had their own virus definitions included that would kill off detection tools, other AVs, and a host of other pieces of malware that were unknown by AV companies at the time. The malware's payload was embedded into ClamAV's executable so as to provide a reason why the program needed internet access, kernel-level permissions, and would regularly thrash the filesystem.

      It had nothing to do with ClamAV itself, it was just an ideal thing to target since it is cross-platform, Open Source and was fairly lightweight (all of which are reasons why I use it on my own network).

  5. Tikimon

    Can't shake the feeling that governments actually want this...

    Just as the beginnings of a privacy backlash start, here comes a deluge of IoT. Insecure and vulnerable to spying. Just like e-mail, web traffic, phone calls and all the other things our government spymasters are slurping up. Tracking your phone is one thing, but IoT gives the NSA/GCHQ a real-time window into your very home. Your so-called "smart TV" becomes a telescreen watching and listening to you. Because, you know, terrorists and stuff.

    Now why would any government lift a finger to stop that?

  6. Anonymous Coward

    Send them the bill for damages?

    I'm wondering just how liable you could make someone for installing a crap IoT device. Generally, people only start paying attention to the non-fun aspects if their responsibility is traceable and it's likely to cost them a lot of money.
