by Lisa Vaas
Starting next month, the Japanese government is going to try its hand at credential stuffing the country’s Internet of Things (IoT), including gizmos from the enterprise network level down to citizens’ “oops, never changed the default password!” webcams and everything in between.
Credential stuffing is when attackers grab login credentials that have been breached, then e-wander around plugging them into other places, trying to find out where else those same credentials have been used. Because a lot of users have the bad habit of reusing the same passwords across several websites, the tactic is successful far too often.
According to NHK, Japan’s national public broadcasting organization, the government approved the first-of-its-kind venture on Friday.
The plan: in mid-February, staff at the National Institute of Information and Communications Technology (NICT) will generate user IDs and passwords and use them to try to break into a randomly selected batch of about 200 million IoT devices, such as routers and webcams.
Then, the owners of the breached devices will be told to bolster their cybersecurity.
The aim is to shrink the surface area available to attackers in the run-up to the Tokyo Olympics and Paralympics in 2020. That’s not a bad idea: after all, some systems went down around the time of the opening ceremony for the Winter Olympics in Pyeongchang, South Korea, last year.
We never did hear exactly what happened with the Winter Olympics 2018 incident, though some US intelligence operators reportedly blamed Russia, which, they said, tried to make it look like North Korea did it.
While the goal is to clean up for the Olympics, the collateral will be, hopefully, far greater security in general. The NICT has reported that IoT devices are at the heart of a large number – 54% – of the cyber attacks …