Internet Routing Security Enhancement Roadmap; Security Camera Company Faces Financial Repercussions Over Inadequate Data Security and CAN-SPAM Violations

Combatting all forms of hijacking and forgery requires strong authentication and integrity services, which in turn need reliable and ubiquitous cryptographic key infrastructure services – BGP and RPKI is just one example. The US government needs to use its market power to require all suppliers and recipients of government funding to move to strongly protected services – much the way years ago the US federal government required strong crypto to be used in browsers and that drove the overall adoption and improvement of SSL.

Improvements in routing security have been ongoing. Many larger IPSs have implemented RPKI over the last few years. Let’s hope this initiative will help us cross the finish line to a more secure routing infrastructure.

This directive is intended to require network providers to implement ROA, RPKI and ROV, which are the current best practices for BGP security, including disclosure of the status of those implementations, ultimately resulting in restrictions or requirements in purchase agreements or contracts. This follows the June requirement from the FCC for the nine largest US broadband providers to file confidential reports on their plans to bolster BGP security. At this point about 70% BGP route originations on the global Internet are ROA-valid.

It is high time this issue was addressed. We need a robust, resilient, and trustworthy infrastructure. That said, a quarter of a century of history and experience suggests that it represents a tolerable risk.

Setting up the infrastructure for RPKI comes at additional cost and complexity; and that, perhaps, is the reason it hasn’t been implemented in North America. Absent a mandate by the USG, it’s just another nice document to put on the shelf.

The Verkada incident started in 2021, where credentials were compromised allowing access to as many as 150,000 CCTV cameras. The investigation then revealed many security flaws including lack of data protection, even possible HIPAA violations. Now, in addition to the fine, they need to not only address the shortfalls but also implement a security program for the next twenty years. The FTC is putting companies on notice that they need to take protecting customer data seriously.

Interesting settlement, using an email SPAM law to focus attention on a non-existent information security program. Might I suggest the CIS Critical Security Controls, Implementation Group 1, as the cybersecurity framework to use for the next 20-years. https://www.cisecurity.org/controls/implementation-groups/ig1

There is no need to panic. Extracting the secrets not only requires physical access, but also requires the attacker to open the key, which is usually destructive to the housing. Remind users to properly secure keys with PINs and expedite reporting of misplaced keys.

The flaw is specific to the Infineon ECDSA implementation and could be used to recover ECDSA private keys. It requires physical access to the device, knowledge of the accounts they wish to compromise, the device PIN or authentication key, expensive equipment and expertise to exploit. Risks to the FIDO key can be reduced by requiring more frequent FIDO authentication. Risks to PIV/OpenPGP signing keys can be mitigated by using the RSA algorithms. Yubico has removed the Infineon cryptographic library in favor of their own library in current devices. Historically, Yubico has addressed security flaws by working with customers to issue replacement devices as the firmware doesn't support updates.

We are at the point where services, such as the Oyster portal, are offline, but TfL is not providing specifics, and rumors about what happened are flying. Saying all is well, declining to comment on reported details, yet turning off or disabling services isn't ideal. Make sure your communication plan includes as much transparency as possible. By day four, you should have identified entry points and potential root causes. Don't assume communication to staff will not be released to the media.

My question: does this sort of response help or it’s simply a lawyer crafted response to a regulatory requirement?

Halliburton is one of the world's largest fracking operators, and as such is a critical infrastructure target. This attack has been attributed to the RansomHub ransomware gang, whose activities were described in the CISA, FBI, HHS and MS-ISAC joint advisory AA24-242A. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a: #StopRansomware: RansomHub Ransomware

As expected, a ransomware attack. We still have weeks to go before we find out what sort of data was exfiltrated.

Microchip is still validating their claims for legitimacy and has restored critical systems, resumed order processing and shipping; while the recovery is not complete, indications are they will not be paying any ransom.

Again, no mention of financial materiality. This kind of defensive reporting is defeating the purpose of the requirement to report, i.e., to inform investment decisions.