As reported by the BBC, bus and train operator Translink has reported a suspected hack of its internal IT systems to the police. The firm confirmed it has reported an “incident” to the Police Service of Northern Ireland (PSNI) after experiencing difficulties with its internal IT systems. Bus and train services have not been affected, a spokesperson said.
Jake Moore, Cybersecurity Expert at ESET:
“I applaud organisations that report cyberattacks at the earliest opportunity, which in turn gives them the best chance of quicker recovery. Attacks such as ransomware are not legally required to be reported as usually personal data isn’t compromised in this way, but holding your hands up will usually attract external expert support.
In the wake of the Travelex cyberattack, it has been proven that the reporting aspect of the situation is just as important as getting back to business as usual. Ransomware, although hugely impactful on a company, needn’t be embarrassing and we need to steer away from the stigma of damaging the brand or being further targeted. Cyberattacks are unfortunately inevitable but it’s the honesty from the start, including learning from what has happened, that will help put a company back on its feet with a stronger defence.”
The UK Government has unveiled new regulatory proposals for the consumer Internet of Things (IoT), forcing the IoT ecosystem to take a more rigorous and conscious approach to cybersecurity. With an estimated 75 billion internet connected devices worldwide forecasted for 2025, there is no denying that the scope of IoT is becoming a more integral part of our lives; yet with this comes the increased security risks.
Whilst the new law outlines requirements for unique passwords, no universal ‘factory reset’ default passwords, vulnerability reporting functions and minimum timeframes for security updates, Paul Farrington, CTO of EMEA at Veracode, believes that, since manufacturers are among the worst offenders when it comes to fixing flaws, the proposal should be extended to ensure they are building in software security at the early stages.
Paul Farrington, CTO of EMEA at Veracode:
“The outcome of the consultation will provide a necessary first step in enhancing IoT device security. The Government has attempted to balance the needs of industry with those of users. Removing default passwords, coordinating vulnerability reporting and bringing clarity to technical support coverage is progress. These measures do fall well short of what is necessary to protect users. Research shows that manufacturing is one of the worst sectors at dealing with security bugs. 83% of software apps have at least one security issue. On average, firms take 171 days to fix a security defect. Improving ways for people to report problems is really a bare minimum. What we really need is a way for IoT device manufacturers to evidence how they are building security into the process, at the earliest stages. The toy industry has had to do something similar around safety-testing for decades. The Government will need to revisit IoT security legislation again before too long.”
It has been reported that security flaws have been found in videoconferencing platform Zoom that would have allowed a potential hacker to join a video meeting uninvited and listen in, potentially accessing any files or information shared during the meeting. While Zoom has addressed the issue, the report raises deeper concerns about the safety of videoconferencing apps that require access to microphones and cameras.
Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said: “When running an online meeting, make sure you can identify all users who have joined. If you expect that any part of the meeting is information you want to keep confidential, use the password feature to protect the meeting from casual intruders. Meeting recordings should be protected with similar vigilance. For example, recording files should not be placed on unauthenticated servers, and any links to streaming recordings should be protected by some form of authentication.”
According to BBC News, the UK government is developing laws that would require manufacturers to ensure their smart gadgets cannot be hacked and exploited via the internet. This is in the face of concerns that many internet-enabled devices lack basic security features. Under the proposed laws, manufacturers would have to:
- ensure all internet-enabled devices had a unique password
- provide a public point of contact so anyone could report a vulnerability
- state the minimum length of time a device would receive security updates
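As an added illustration (not code from the BBC report, the UK government proposal or any company quoted here), the following Python checks a constructed device inventory against the three proposed requirements; the inventory field names, the sample values and the reference date are assumptions made for this example.

```python
"""Check a device inventory against the three proposed UK consumer-IoT requirements.

Added example. The inventory layout (list of dicts), its field names and the
sample values are assumptions, not a real vendor's data or a government format.
"""
from collections import Counter
from datetime import date

# Constructed sample inventory: four devices from a hypothetical vendor.
INVENTORY = [
    {"serial": "A-001", "password": "k3Xq-9rTv", "vuln_contact": "security@vendor.example", "updates_until": "2027-01-01"},
    {"serial": "A-002", "password": "admin",     "vuln_contact": "security@vendor.example", "updates_until": "2027-01-01"},
    {"serial": "A-003", "password": "admin",     "vuln_contact": "",                        "updates_until": "2027-01-01"},
    {"serial": "A-004", "password": "Pz7!wLm2",  "vuln_contact": "security@vendor.example", "updates_until": None},
]


def check_fleet(devices, today=date(2020, 1, 28)):
    """Return {serial: [findings]} for every device that misses a requirement.

    Requirement 1: each device ships with a unique password, so a password
    value that appears on more than one device is flagged on each of them.
    Requirement 2: a public point of contact for vulnerability reports is stated.
    Requirement 3: the minimum security-update period is stated and not already past
    (the default `today` is an assumed reference date for the example).
    """
    counts = Counter(d["password"] for d in devices)
    shared = {pw for pw, n in counts.items() if n > 1}
    findings = {}
    for d in devices:
        problems = []
        if not d["password"] or d["password"] in shared:
            problems.append("password is empty or shared with another device")
        if not d.get("vuln_contact"):
            problems.append("no vulnerability-reporting contact stated")
        until = d.get("updates_until")
        if until is None:
            problems.append("no minimum security-update period stated")
        elif date.fromisoformat(until) < today:
            problems.append("stated security-update period has already ended")
        if problems:
            findings[d["serial"]] = problems
    return findings


if __name__ == "__main__":
    for serial, problems in check_fleet(INVENTORY).items():
        print(serial, "->", "; ".join(problems))
```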
Jake Moore, Cybersecurity Expert at ESET:
“Confidence in the security of smart devices should come as standard so this new proposal can’t come soon enough. Long has there been a standoff between security professionals and manufacturers battling it out over the protection of customers and their gadgets, so if the government muscle in on the action it could just be the answer we have been fighting for.
Unique passwords are more important than most people tend to realise, so this simple yet effective ‘security by design’ move will add an instant layer of protection without the user having to think. Security doesn’t have to be difficult, but it is far more successful when the user is obliged to protect themselves by design. However, this is no doubt not the end of the matter as cyber security is a never-ending battle against persistent threat actors. If this new law is constantly monitored and updated, this could be an extremely positive movement in the right direction.”