New laws aimed at improving the security of millions of internet connected devices in our homes have been proposed by the Department for Digital, Culture, Media & Sport (DCMS).
A consultation (which is now open) has been launched to help protect consumer tech, which will see the government explore options including a mandatory new labelling scheme. The label would tell consumers just how secure the devices they are purchasing, such as “smart” TVs and appliances, are. Retailers would also only be able to sell products that met specific security requirements and carried an Internet of Things (IoT) security label.
The consultation focuses on the top three security requirements, as set out in the current ‘Secure by Design’ code of practice:
- IoT device passwords must be unique and not resettable to any universal factory setting.
- Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
- Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.
Ian Levy, NCSC’s Technical Director, said:
“Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it’s unacceptable that these are not being fixed by manufacturers.
“This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes.”
You can read more about the announcement on gov.uk. The NCSC has also published advice on how to set up and manage your smart devices to keep your home – and your information – safe.
Most breached passwords revealed
The NCSC and Troy Hunt, creator of Have I Been Pwned, recently revealed the 100,000 most commonly re-occurring passwords that have been accessed by third parties in global cyber breaches.
The results from the Have I Been Pwned data set show a huge number of regularly used passwords breached, highlighting 23.2 million victim accounts worldwide using ‘123456’ and 3.8 million using ‘qwerty’ to try and protect sensitive information.
Password lists like this could help users make sensible password choices. By releasing this information, the NCSC hopes to reduce the risk of users’ accounts being compromised and guide developers and System Administrators to protect their users.
The NCSC has published guidance on password administration for system owners.
If you are a member of the public, some tips on using stronger passwords and other ways to stay secure online are now available.
Phishing scam targeting Chase bank customers
Chase banking customers have been targeted by a new phishing scam, which not only asks for personal information, but requests a selfie holding a photo ID or a driving license.
The Chase bank phishing site, found by MalwareHunterTeam, greets users with a convincing login page before asking for verification. Login details, coupled with the request for ID, give cyber criminals the information they need to assume identities online. The phishing site was using the URL chasexxxx.ddns.net.
Some phishing attempts still follow traditional patterns, and there may be warning signs you can spot. You can learn what these are in the phishing section of the NCSC’s Small Business Guide.
The NCSC has published top tips for keeping yourself secure online for members of the public. Phishing guidance aimed specifically at large organisations is also available.
You should report anything (even if you’ve already clicked) to Action Fraud or your internet service provider. Spotting a phishing attack isn’t always straightforward and it can happen to anyone, even the Technical Director of the NCSC.