The Federal Trade Commission made an appeal at DEF CON in Las Vegas this past week in hopes of getting hackers to help them crack down on manufacturers and service providers that leave customers vulnerable.
Top of the list: ransomware, malvertising, networked cars and security for the internet of things.
Of particular interest in the case of IoT is preventing one device from compromising a consumer’s entire private network, says Lorrie Cranor, the FTC’s chief technologist.
She’d like to know what steps manufacturers of IoT gear can take so weaknesses in their products don’t enable attackers to pivot from one vulnerable device to others on the network to cause further harm or to breach privacy.
The FTC’s interest in getting hacker help is strong enough that it sent not only Cranor but also one of its commissioners, Terrell McSweeny.
+ BLACK HAT: How to make and deploy malicious USB keys +
Cars and the networking gear being built into them needs to be segmented so critical systems such as braking and steering can’t be hacked. This is a continuing area of concern, and other presentations at DEF CON focused on how such hacking can be done.
Also of concern is the use of sensors in children’s toys that represent a possible privacy risk, Cranor says, but that also threaten privacy of adults.
FTC seeks advice
Privacy concerns go beyond the security of devices and networks, though. Cranor says the commission would welcome advice on how users can control personal information that they submit in one context from being spread around without their knowledge or permission.
Smart devices that house a wealth of personal information would better serve privacy needs if they provide ways for their users to easily observe what communications they might be making in the background. Along with this the FTC would like advice on how to easily analyze apps to see whether they are secure and that their component code lifted from third-party libraries are as well.
New technologies such as virtual reality are on the commission’s radar, although it hasn’t identified specific threats. Still, it wants to know whether VR raises new consumer concerns for fraud and deception, areas where the FTC can take action.
The commission wants help finding the best ways to evaluate the risks that breaches and vulnerabilities pose to specific organizations. Metrics that can indicate what risks are would help determine whether vendors accurately represent dangers of products and services.
A tool could be used to figure out whether data stolen in a particular breach is employed elsewhere. For example, if a person’s credit card number is used fraudulently, is it possible to determine whether it was compromised in a particular breach? This comes into play in cases where consumers have tried to sue retailers for damages when their cards are used fraudulently and the card information was stolen in a breach.
Along the same lines, Cranor asked for help spotting fraud quickly and automating the process to sort through a higher volume of possible cases.
Anyone who wants to make suggestions can contact the FTC at research@ftc.gov for more information.
The commission is also seeking researchers to present their findings at conferences this fall and next year.
The commission is running a series of educational sessions to make consumers more knowledgeable with its Start with Security outreach program. It’s holding tech sessions on ransomware, drones and smart TVs later this year.