National Security reforms needed before the Internet of things


The half way approach putting all Australian’s at risk: Why it’s time to decide if security technology should or shouldn’t be regulated by Police and Fair Trading Departments

This article concerns the inadequate and unworkable legislation affecting the physical and cyber security sectors in Australia, with State based legislation being applied when a national approach is required and urgent reform needed as the convergence of physical and cyber security systems continue rapidly towards the Internet of Things.

In early October, the US government formally accused Russia of hacking the Democratic party’s computer networks and said that Moscow was attempting to “interfere” with the US presidential election. The accusation marks a new escalation of tensions with Russia and came shortly after the US secretary of state, John Kerry, called for Russia to be investigated for war crimes in Syria.

Then there is Ukraine. The December 2015 Ukraine power outages, referred to in the ACSC Threat Report 2016, highlight the “vulnerabilities of critical infrastructure to sophisticated adversaries. In a well planned and highly coordinated operation, an adversary successfully compromised and affected the systems supporting three power control centres, taking down 30 substations and leaving over 225,000 Ukrainians without power for several hours. The adversary also delayed restoration efforts by disabling control systems, disrupting communications and preventing automated system recovery. These effects were the result of over six months of planning and involved a range of activities, including compromise through spear phishing, the theft of user credentials through key loggers, and data exfiltration.”

In late September, security researcher Brian Krebs’ site KrebsOnSecurity got knocked offline by one of the biggest DDOS attacks ever recorded, which peaked at 620 Gbps. But the most crucial distinction from a normal DDOS strike: These bots were mostly IoT devices. The majority of the estimated 145,000 devices were CCTV cameras and DVRs. Many of these were using either default passwords or easily-guessed ones (“1234,” “password,” “admin”)…Click HERE to read full article.