
The US Government Finally Gets Serious About IoT Security

Author: BeauHD
March 19, 2021 12:30
An anonymous reader quotes a report from IEEE Spectrum, written by Stacey Higginbotham: The IoT Cybersecurity Improvement Act of 2020 has given the nation an excellent framework that will influence IoT security across the world. So, what's to like about the law? Two things, as it turns out. First, the law isn't focused on securing individual devices by dictating password requirements or encryption standards, both of which will need to evolve. Instead, it relies on the National Institute of Standards and Technology (NIST) to set many of the requirements that government agencies have to follow when purchasing connected devices. These policies see overall security as the sum of several parts, requiring specific prescriptions for device, cloud, and communication security. NIST's initial rules include today's best practices, such as having an over-the-air device update program, unique IDs for each device so it can be identified on a network, and a way for authorized users to change features related to access and security. The recommendations also include logging the actions taken by an IoT device or its related app, and clearly communicating the specifics of a device's security to the user. The other reason to like the law is that it remains adaptive and flexible by requiring NIST to assess the best practices for cybersecurity for connected devices every five years. Hacks, by their nature, are also adaptive and flexible, and so preventing them needs equally adaptable legislation. That means buying IoT devices that can receive over-the-air software updates, for example, to patch up any newly discovered exploits.

"Unfortunately, the law isn't airtight," writes Higginbotham. She worries that the waiver process for devices needed for national security or research could be abused. There's also a loophole that exempts devices that are secured using "alternative and effective methods." The law doesn't clarify what agency evaluates the efficacy of these alternative methods or how that evaluation is made.

Read more of this story at Slashdot.

Security Researcher Hides ZIP, MP3 Files Inside PNG Files On Twitter

Author: BeauHD
March 19, 2021 09:45
A security researcher has discovered a novel steganography technique for hiding data inside a Portable Network Graphics (.PNG) image file posted on Twitter, a tactic that could be exploited by threat actors to hide malicious activity. Threatpost reports: Researcher David Buchanan heralded his discovery on Twitter earlier this week, accompanied by a photo declaring: "Save this image and change the extension to .zip!" He made the source code for his method available in a ZIP/PNG file attached to the image as well as in a post on GitHub that explains his methodology. Specifically, Buchanan demonstrated how he could hide both MP3 audio files and ZIP archives within PNG images hosted on Twitter. He was successful because, while Twitter strips unnecessary data from PNG uploads, it doesn't remove trailing data from the DEFLATE stream inside the IDAT chunk if the overall image file meets the requirements to avoid being re-encoded, he explained. There are some requirements for both the images used to obscure files and the files being hidden inside them for his method to work, Buchanan explained. "The cover image must compress well, such that the compressed filesize is less than (width * height) - size_of_embedded_file," he wrote in his post. "If the cover image does not have a palette, then it must have at least 257 unique colors (otherwise Twitter will optimize it to use a palette)." Resolution on images can be up to 4096 x 4096, although Twitter will serve a downscaled version by default for images greater than 680 x 680 depending on certain factors, Buchanan wrote. The image also should not have any unnecessary "metadata chunks," he added. For embedded files, the total output file size must be less than potentially 5MB, but kept under 3MB to be on the safe side, otherwise Twitter will convert the PNG to a JPEG file, Buchanan explained.
Moreover, if the embedded file is a ZIP, then the offsets are automatically adjusted so that the overall file is still a valid ZIP, he said. "For any other file formats, you're on your own," Buchanan added, noting that many will work without special parameters, including PDF and MP3 files.
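The mechanism the story describes is that a PNG decoder stops reading the zlib stream in the IDAT data once the stream ends, so any bytes after that point are carried along unexamined. The following is an added example, not code from Buchanan's post or from Twitter, showing the check an upload pipeline or a forensic triage script can apply: parse the PNG chunks, inflate the concatenated IDAT data with a `zlib` decompressor, and report how many bytes were left over after the stream's end marker (plus any bytes after IEND). It also shows the corresponding sanitizer, which re-encodes the decoded pixel data and keeps only the chunks needed to display the image. The 2x2 sample image and the appended payload are constructed inline for the demonstration; Twitter's own size and palette conditions are not modelled.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(png: bytes):
    """Return ([(type, data), ...], bytes_after_IEND); CRCs are verified."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        if pos + 12 + length > len(png):
            raise ValueError(f"truncated chunk {ctype!r}")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, png[pos:]


def _inflate_idat(chunks):
    """Inflate all IDAT data; return (decoded_scanlines, leftover_bytes, eof_seen)."""
    idat = b"".join(data for ctype, data in chunks if ctype == b"IDAT")
    d = zlib.decompressobj()
    pixels = d.decompress(idat) + d.flush()
    # unused_data holds whatever followed the zlib stream's end; a clean image has none.
    return pixels, d.unused_data, d.eof


def inspect_png(png: bytes) -> dict:
    """Detection side: report bytes that a normal decoder would silently ignore."""
    chunks, after_iend = parse_chunks(png)
    pixels, leftover, eof = _inflate_idat(chunks)
    return {
        "decoded_bytes": len(pixels),
        "idat_trailing_bytes": len(leftover),
        "after_iend_bytes": len(after_iend),
        "stream_complete": eof,
    }


def sanitize_png(png: bytes) -> bytes:
    """Mitigation side: rebuild the image from decoded pixels, dropping ancillary chunks.

    Only IHDR, PLTE and tRNS are copied through; everything else (text, EXIF,
    the original IDAT bytes and anything after IEND) is discarded.
    """
    chunks, _ = parse_chunks(png)
    pixels, _, _ = _inflate_idat(chunks)
    out = PNG_SIG
    for ctype, data in chunks:
        if ctype in (b"IHDR", b"PLTE", b"tRNS"):
            out += _chunk(ctype, data)
    out += _chunk(b"IDAT", zlib.compress(pixels, 9))
    out += _chunk(b"IEND", b"")
    return out


def make_sample_png(hidden: bytes = b"") -> bytes:
    """Constructed 2x2 8-bit RGB image; `hidden` is appended inside the IDAT chunk."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)  # width, height, depth, RGB, 0, 0, 0
    row0 = b"\x00" + bytes([255, 0, 0, 0, 255, 0])       # filter byte 0 + two pixels
    row1 = b"\x00" + bytes([0, 0, 255, 255, 255, 255])
    idat = zlib.compress(row0 + row1) + hidden
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    clean = make_sample_png()
    dirty = make_sample_png(b"PK\x03\x04 constructed sample payload")
    print("clean:", inspect_png(clean))
    print("dirty:", inspect_png(dirty))
    print("sanitized:", inspect_png(sanitize_png(dirty)))
```

Both the clean and the carrying image pass chunk-level CRC checks, which is why a validator that only walks chunk headers sees nothing wrong; the difference shows up only after inflating the IDAT stream. Re-encoding from decoded pixels is the robust fix because it does not depend on recognising any particular payload format.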

