Cyber Security Today, April 23 2021 – More SolarWinds news, UK law will tighten consumer internet device security and a warning to QNAP storage users

/in


More SolarWinds news, UK law will tighten consumer internet device security and a warning to QNAP storage users.

Welcome to Cyber Security Today. It’s Friday April 23rd. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.

 

The number of organizations hit after the compromise of SolarWinds’ Orion network monitoring software last year may be more than originally thought. Security company RiskIQ took a closer look at the scheme and found 18 more servers for command and control than investigators first found. These servers would be used to distribute malware to compromised Orion installations. It was thought that of the 18,000 organizations that downloaded the compromised Orion security update perhaps 100 around the world had their systems hacked. But with the discovery that more servers were involved in the scheme there may be more victim organizations. The U.S., Canada and other countries say Russia’s intelligence service is responsible for the Orion compromise.

If your organization is going to create an app for its products the software had better be secure. According to a security researcher, until recently the app and website for tractor maker John Deere wasn’t. The researcher told Vice.com the vulnerabilities could have exposed data about John Deere customers including names, addresses, the equipment’s ID number and its vehicle ID number. The company has fixed the vulnerabilities, which it called “code misconfigurations.”

Many internet-connected consumer devices have poor security, including weak default passwords. In an effort to increase the cybersecurity of devices sold in the United Kingdom, the government this week promised new legislation with minimum product security requirements. No consumer-connected product will be allowed to be sold unless it has basic cybersecurity measures. These include a ban on default and easily guessable default passwords, having a way device owners can report vulnerabilities to the manufacturer and stating how long security updates will be available for a product. The government will create an enforcement authority to back up the law. It would apply to almost everything except laptops and…

Source…