[For a device that is likely to be Internet-connected, a pretty basic security feature is code to force a change of password prior to enabling functions on the first occasion that a device is used.
[The effort required to do that is pretty small.
[And retro-fitting such a feature shouldn't be all that much harder.

[Personally, I'd regard the absence of such a measure in, say, 2014, as negligence. And I'd be interested in a legal discussion about whether it constitutes criminal negligence, and a policy discussion about whether it *should* do so.]

Chinese 'DDoS camera' maker recalls vulnerable devices
By Staff Writers on Oct 25, 2016 12:37PM
Users do not change the default password.
http://www.itnews.com.au/news/chinese-ddos-camera-maker-recalls-vulnerable-devices-440028

Chinese firm Hangzhou Xiongmai Technology will recall some of its products sold in the United States after it was identified by security researchers as having made parts for devices that were targeted in a major hacking attack on Friday.

Hackers unleashed a complex attack on the internet through common devices like webcams and digital recorders, and cut access to some of the world's best known websites in a stunning breach of global internet stability.

The electronics components firm, which makes parts for surveillance cameras, said it would recall some of its earlier products sold in the United States, strengthen password functions and send users a patch for products made before April last year.

It said the biggest issue was users not changing default passwords, claiming reports that its products made up the bulk of those targeted in the attack were false.

"Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.

Friday's cyber attack alarmed security experts because it represented a new type of threat rooted in the proliferation of simple digital devices such as webcams.

These often lack proper security, and hackers found a way to harness millions of them into a botnet using the Mirai and Bashlight malware to perpetrate the distributed denial of service (DDoS) attack.

--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916 http://about.me/roger.clarke
mailto:[email protected] http://www.xamax.com.au/

Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University
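
The first-use control described at the top of the post, sketched as an added example that is not part of the original message or of any vendor's firmware. The `Device` class, the `FACTORY_DEFAULT` value and the 12-character minimum are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

FACTORY_DEFAULT = "admin"   # constructed sample value, not from any real product
MIN_LENGTH = 12             # assumed policy for the illustration


class Device:
    """Hypothetical device that enables no function until the factory password is replaced."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._hash = self._derive(FACTORY_DEFAULT)
        self.provisioned = False  # real firmware would persist this flag across reboots

    def _derive(self, password):
        # Salted, slow hash so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def _check(self, password):
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(self._hash, self._derive(password))

    def change_password(self, current, new):
        if not self._check(current):
            return "denied"
        # Refuse a "change" that keeps the shipped default or a trivially short value.
        if len(new) < MIN_LENGTH or new in (FACTORY_DEFAULT, current):
            return "rejected"
        self._salt = os.urandom(16)
        self._hash = self._derive(new)
        self.provisioned = True
        return "ok"

    def request(self, password, function):
        if not self._check(password):
            return "denied"
        if not self.provisioned:
            # Correct default credentials still unlock nothing but the change flow.
            return "password change required"
        return f"{function}: enabled"


if __name__ == "__main__":
    d = Device()
    print(d.request("admin", "video_stream"))
    print(d.change_password("admin", "correct horse battery"))
    print(d.request("correct horse battery", "video_stream"))
```
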
