Montevideo, Uruguay, and San Francisco, May 30, 2019 – New best practices recommendations for ISPs issued by LACNOG and M3AAWG this month define basic security criteria for home routers and other customer premise equipment (CPE) and are expected to help protect the internet against common attacks, especially DoS attacks arising from the abuse of these devices. The guidelines will strengthen internet service providers’ security efforts by identifying requirements for the hardware devices connected to their networks that are susceptible to exploitation when basic safeguards are ignored.
The best practices document, LACNOG-M3AAWG Joint Best Current Operational Practices on Minimum Security Requirements for Customer Premises Equipment (CPE) Acquisition, is being translated into multiple languages for use by ISPs worldwide. It was published by the Latin American and Caribbean Network Operators Group and the Messaging, Malware and Mobile Anti-Abuse Group, and is available at www.lacnog.net/docs/lac-bcop-1 and www.m3aawg.org/CPESecurityBP or with current translations at https://www.m3aawg.org/published-documents.
The recommended security settings and functionality are based on industry experience and are essential in deterring Denial of Service (DoS) attacks that make use of vulnerable network infrastructure devices, Internet of Things (IoT) devices and malware infections. A Table of Requirements is provided to help ISPs customize security recommendations for their networks in a concise format they can provide to CPE manufacturers.
Worldwide Effort to Strengthen Online Protection
The document is currently being translated into Portuguese, Spanish, French, German and Japanese with other languages expected to follow. The translated best practices will be useful worldwide as a tool for ISPs to set requirements for secure defaults on the customer premise equipment they will connect to their networks, according to the document’s editor Lucimara Desiderá, chair of the Latin American and Caribbean Anti-Abuse Working Group (LAC-AAWG) and security analyst at CERT.br (the Brazilian National Computer Emergency Response Team).
“Latin American computer security incident response teams have identified the lack of CPE security as a severe problem in attacks for the past several years. These new best practices will make it easier for ISPs to negotiate with CPE vendors to ensure the equipment they connect to their networks meets minimal security requirements, which will help reduce the number and intensity of attacks on the internet overall, and as a result, the negative impact they cause on ISPs’ operations,” Desiderá said.
The guidelines cover documentation and vendor contact information, software security, remote updates and device management functionality, default configuration preferences and support policies related to security fixes. Among the recommendations:
- Passwords should not be hardcoded into the firmware and must be changeable, and vendors should not use the same default password for all devices.
- There needs to be a mechanism for periodic remote software updates, including a method to verify the authenticity of a downloadable update file.
- The equipment should be restrictively configured rather than permissively configured.
As an example of the scope of the problem, the Mirai malware responsible for several major website attacks contains a table of more than 60 common factory default user names and passwords it references to log in and infect home security cameras, home routers and other IoT devices. The new guidelines would make the login table ineffective, according to M3AAWG Chairman of the Board Severin Walker.
Walker said, “M3AAWG collaboration with LACNOG and its LAC Working Group on this document was a priority, in part, because of our ongoing work with regional network operator and incident response groups to address global threats to secure communications. It was also important because we need to continue evolving our members’ focus on the security of IoT, mobile and other consumer devices in order to help prevent the increasingly larger attacks originating from them.”
The best practices document was developed by LACNOG and M3AAWG and issued at the LACNIC 31 meeting in the Dominican Republic on May 8. It is based on the expertise of LACNOG's working groups LAC-AAWG and the BCOP Working Group, in cooperation with M3AAWG members, its Senior Technical Advisors and the M3AAWG Technical Committee.
LACNOG (www.lacnog.net) is the Latin American and Caribbean Network Operators Group that is structured around a Board, Program Committee and Working Groups. It provides an environment for network operators and any interested parties to exchange experiences and knowledge through mailing lists, working groups and annual meetings. LACNOG also promotes local Network Operators Groups (NOGs) and peering forums, the development and adoption of best practices, technical training activities and tutorials.
About the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)
The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than two billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.
# # #
M3AAWG Board of Directors and Sponsors: 1 & 1 Internet SE; Adobe Systems Inc.; AT&T; Comcast; Endurance International Group; Facebook; Google, Inc.; LinkedIn; Mailchimp; Marketo, Inc.; Microsoft Corp.; Orange; Proofpoint; Rackspace; Return Path, Inc.; SendGrid, Inc.; Vade Secure; Valimail; VeriSign, Inc., and Verizon Media (Yahoo & AOL).
M3AAWG Full Members: Agora, Inc.; Broadband Security, Inc.; Campaign Monitor; Cisco Systems, Inc.; CloudFlare, Inc.; dotmailer; eDataSource Inc; ExactTarget, Inc.; IBM; iContact; Internet Initiative Japan (IIJ); Liberty Global; Listrak; Litmus; McAfee; Mimecast; Oracle Marketing Cloud; OVH; Spamhaus; Splio; Symantec; USAA; and Wish.
A complete member list is available at http://www.m3aawg.org/about/roster.