Even tech giants find themselves telling folk not to use default passwords on Internet of S**t kit

Top tips to defend against nation-state network intrusion

Microsoft's Security Response Center has issued a bunch of recommendations for orgs to protect against nation-state network intrusion via insecure IoT devices.

A report by the Windows giant's security unit describes three incidents earlier this year, in which a VoIP phone, an office printer and a video decoder were compromised. In two cases the manufacturer's default password had not been changed; in the third the device had not been patched with the latest security update.

Once access was gained, scripts were used to sniff network traffic, enumerate administrative groups, and look for other insecure devices, under the direction of an external command-and-control server.

Microsoft attributed the attacks to a nation-state group it calls STRONTIUM, which largely targets governments, IT, military, defence and engineering organisations – as well as anti-doping agencies, political groups, and the hospitality industry. The company said it has reported nearly 1,400 STRONTIUM notifications to customers over the last 12 months, though some of these were reports of targeting rather than actual compromise.

"It's easy to see the need for better enterprise management," said Microsoft, which has come up with 12 actions for securing IoT devices. These include device approval, avoiding internet exposure, using a separate network if feasible, conducting patch audits, monitoring for suspicious activity ("e.g. a printer browsing sharepoint sites"), and including security requirements in contracts with third parties.
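As an added illustration (not code from Microsoft's report or from this article), the script below turns three of those actions into a detection pass over network flow logs: device approval (an unrecognised source on the IoT segment is flagged), no internet exposure (an appliance reaching a non-private address is flagged), and monitoring for out-of-role activity (a printer talking to the SharePoint server, a phone talking to a directory port). The log format, the asset inventory, the per-class allowlists and every address are constructed for the example; a real deployment would feed it from the firewall or proxy and maintain the inventory from the approval process itself.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed inventory: the three appliance classes from the incidents the
# article describes, plus one workstation to show that ordinary hosts are
# out of scope for these rules.
DEVICE_CLASS = {
    "10.0.5.20": "printer",
    "10.0.6.10": "voip_phone",
    "10.0.7.5": "video_decoder",
    "10.0.1.40": "workstation",
}

# Constructed per-class allowlist of (destination network, port) pairs a
# device of that class is expected to initiate. Anything else is reported.
ALLOWED = {
    "printer": [("10.0.2.0/24", 53), ("10.0.2.0/24", 123), ("10.0.2.0/24", 25)],
    "voip_phone": [("10.0.3.0/24", 5060), ("10.0.3.0/24", 5061),
                   ("10.0.2.0/24", 53), ("10.0.2.0/24", 123)],
    "video_decoder": [("10.0.4.0/24", 554), ("10.0.2.0/24", 53), ("10.0.2.0/24", 123)],
}
APPLIANCE_CLASSES = set(ALLOWED)

# Constructed: the separate network segments approved appliances live on.
IOT_SEGMENTS = [ip_network(n) for n in ("10.0.5.0/24", "10.0.6.0/24", "10.0.7.0/24")]

# Constructed: friendly names for servers whose use by an appliance is notable.
LABELS = {"10.0.9.30": "sharepoint"}

PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow-log format: "<timestamp> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_flow(line):
    """Return a dict for a well-formed flow line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def in_any(ip, networks):
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def is_allowed(cls, dst, dport):
    addr = ip_address(dst)
    return any(addr in ip_network(net) and dport == port
               for net, port in ALLOWED.get(cls, []))


def check_flow(flow):
    """Return (src, dst, dport, reason) for a suspicious flow, else None."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    cls = DEVICE_CLASS.get(src)
    if cls is None:
        # Device approval: only inventoried devices belong on the IoT segments.
        if in_any(src, IOT_SEGMENTS):
            return (src, dst, dport, "unapproved device on IoT segment")
        return None
    if cls not in APPLIANCE_CLASSES:
        return None  # workstations etc. are covered by other controls
    if not in_any(dst, PRIVATE):
        # Internet exposure: an appliance should not be initiating flows outward.
        return (src, dst, dport, f"{cls} reaching the internet")
    if not is_allowed(cls, dst, dport):
        # Out-of-role activity, e.g. "a printer browsing sharepoint sites".
        return (src, dst, dport, f"{cls} talking to {LABELS.get(dst, dst)} on port {dport}")
    return None


def scan(lines):
    """Run every flow line through check_flow and collect the alerts."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            alert = check_flow(flow)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample flows: one benign and one suspicious line per device.
SAMPLE_FLOWS = [
    "2021-01-01T10:12:01Z src=10.0.5.20 dst=10.0.2.10 dport=53",     # printer DNS: fine
    "2021-01-01T10:12:07Z src=10.0.5.20 dst=10.0.9.30 dport=443",    # printer -> SharePoint
    "2021-01-01T10:13:02Z src=10.0.6.10 dst=10.0.3.5 dport=5060",    # phone SIP: fine
    "2021-01-01T10:13:40Z src=10.0.6.10 dst=10.0.2.50 dport=389",    # phone -> LDAP
    "2021-01-01T10:14:11Z src=10.0.7.5 dst=203.0.113.7 dport=443",   # decoder -> internet
    "2021-01-01T10:14:30Z src=10.0.1.40 dst=10.0.9.30 dport=443",    # workstation: fine
    "2021-01-01T10:15:02Z src=10.0.5.99 dst=10.0.9.30 dport=443",    # not inventoried
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

The allowlist is deliberately default-deny: the point of the "appliances are computers too" argument is that nobody can say what a printer legitimately does unless someone writes it down, and the list is that record. The internet rule fires before the allowlist so a cloud-connected device cannot quietly be exempted by adding a broad entry.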

Some blame for this kind of vulnerability must fall on the device manufacturers. There is no need for devices to have a default password that is the same everywhere, for example. Another issue is that there is often no built-in mechanism for detecting when a security update is required and then applying it.

Customers may still think of devices like printers and phones as appliances, there to do one job only, rather than as computers on the network that need securing. If that attitude persists, we can expect many more intrusion reports. ®
