Hacks against airline ticketing, registration, and customer-relations services are nothing new, but yesterday Poland's LOT suffered something more noteworthy: an attack against flight planning software. No risk to aircraft safety, but the incident forced cancellation of some ten flights.
More reports suggest Russian false-flag cyber operations are posing as ISIS attacks. (Last week's cyber vandalism of a US community college site — North Central Michigan College — is more typical of Caliphate sympathizers.)
Saudi Arabia's Ministry of Foreign Affairs says Wikileaks' diplomatic cables release won't affect Saudi commitment to transparency.
The long-running intrusion into the US Office of Personnel Management (OPM), pretty definitively attributed to China (although to exactly which Chinese government threat group remains in dispute) is generally regarded within the US as an infosec disaster that should have been averted or at least contained by well-understood precautions. Some have called this the long-feared "cyber Pearl Harbor," but the disanalogy is too obvious. US anger is directed more against OPM than China. Whichever Chinese agency was collecting seems no longer active in OPM networks, not because they've been expelled, but because they've got what they came for.
Espionage it may be, but the OPM hack has prompted thought (notably in the US and Australia) about how the law of armed conflict applied in cyberspace.
The cyber insurance market seems in the early unmistakable phase of forcing better security: negligence won't be indemnified, and consensus on standards of care is emerging.
Cyber companies and researchers watch export control law with mounting concern.
Today's issue includes events affecting Australia, China, Czech Republic, Iraq, Israel, Kuwait, Poland, Qatar, Russia, Saudi Arabia, Syria, United Arab Emirates, United Kingdom, United States.
The CyberWire will be covering SINET's Innovation Summit in New York this week. We'll live-tweet the proceedings and devote at least one special issue to the conference.
Hackers Ground Polish LOT Airline Flights(CSO) The Polish national airline, LOT, announced on Sunday that they cancelled 10 flights as a result of the airline's ground computer systems at Warsaw's Okecie airport being subject to attack by hackers. The airline's ground computer systems are used to manage the flight plans for the airline. LOT stated that no ongoing flights or other airport computer systems were affected and that flights already in the air or scheduled to land at Warsaw were not at risk
U.S. Employee Data Breach Tied to Chinese Intelligence(Reuters via Newsweek) The Chinese hacking group suspected of stealing sensitive information about millions of current and former U.S. government employees has a different mission and organizational structure than the military hackers who have been accused of other U.S. data breaches, according to people familiar with the matter
FireEye Identifies Chinese Group Behind Federal Hack(Re/code) Computer security firm FireEye has identified a Chinese group that may have carried out a devastating hacking attack against the U.S. Office of Personnel Management last year, leading to the theft of information on millions of federal employees and retirees. The hack was first disclosed earlier this month
Attack Gave Chinese Hackers Privileged Access to U.S. Systems(New York Times) For more than five years, American intelligence agencies followed several groups of Chinese hackers who were systematically draining information from defense contractors, energy firms and electronics makers, their targets shifting to fit Beijing's latest economic priorities
The massive Chinese hack of US security clearance info keeps getting worse(Business Insider) We may be witnessing 'the worst breach of personally identifying information ever' Why China wants as much personal data from US government servers as possible Recently retired CIA senior officer: 'I'm really glad to be out of the game' Hackers who infiltrated the Office of Personnel Management (OPM) had access to the agency's security clearance computer system for over a year, giving them ample time to steal as much information as possible from OPM's database of military and intelligence officials
No excuse for security breach(Standard Examiner) Despite repeated and urgent warnings from the Inspector General (IG) dating back to 2007, the Office of Personnel Management (OPM) failed to remedy major system vulnerabilities to protect federal employees against cyber attacks. The agency's decision not to encrypt personally identifiable information exposed the data of at least 4.2 million people — with some reports estimating as many 14 million people compromised. In Utah, the breach could affect as many 35,000 people, many of whom hold security clearances and handle classified information
Wikileaks Reveals Saudi Intrigue and Unpaid Limo Bills(AP) At the Saudi Embassy in Tehran, diplomats talked about airing the grievances of disenchanted local youth using Facebook and Twitter. At the embassy in Khartoum, they reported anxiously on Iran's military aid to Sudan
Overlayfs flaw in Ubuntu(Internet Storm Center) There was a vulnerability released earlier this week that has quite the potential to be a biggie. It is worth noting mainly because Ubuntu is quite prevalent and the propensity to patch systems is quite low, or at least slow. Ubuntu is also used as part of the underlying infrastructure for many a VPS provider
Your Phone Ain't as Safe as You Think(Wired) Another week chock-full of hacks and vulns, and if you thought your password manager and cell phone were safe, you'll want to pay close attention to the LastPass breach
CyberUnited LIFARS Raises Additional Concerns About LastPass Breach(Marketwired via Digital Journal) Enterprises are also vulnerable following this week's breach of LastPass, according to CyberUnited LIFARS, a joint venture between two of the nation's top cyber consulting firms. They are recommending that organizations, not just consumers, take action to prevent their own breaches based on the LastPass break in
The Real Dawn of the Age of Cyber Warfare(Diplomatic Courier) World War IV, Cyber War, digital Pearl Harbor or cyber 9/11 — people talk about catastrophic scenarios in cyberspace, whereas academics and other experts point out that there is a danger in the overuse of the cyberwar rhetoric. But is the overuse premise still valid? What if recent events in cyberspace make it no longer correct? Should states brace themselves for the age of cyber warfare?
The Right to Strike Back(Dark Matters) Last week, at the HiP Conference in Paris, there was a debate on whether or not it should be allowed to strike back when you are being hacked. Currently, criminal law in most countries does not allow it. But is this tenable in today's highly digitized society rife with cybercrime?
'Threat intelligence' is the latest buzz word in cyber security(Newsweek) Are you "threat intelligent"? Is your government "threat intelligent"? If you are an American, especially an American civil servant, you might conclude from the recent "massive" cyber attack on the federal agency responsible for collecting data on employees and issuing security clearance that your government is not threat intelligent at all
Security Slice: Fighting Security Stereotypes(Tripwire: the State of Security) The Telegraph recently published an article profiling six hacker "tribes": secret agents, voyeurs, hacktivists, white hats, glory hunters, and cyber thieves. The article made some broad assumptions about cybercriminals that were not well-received by industry experts
Why We Decided Not to Say the Astros Were 'Hacked'(Motherboard Vice) On Tuesday, the St. Louis Cardinals were accused by federal investigators of accessing proprietary information on a database owned by the Houston Astros. The Cards allegedly got into the Astros' data because a former employee didn?t change his password. Immediately, the Motherboard team began debating: Was this a hack?
Why are there still so many website vulnerabilities?(CSO) The cracks in the armor of most enterprise websites are many including recurring holes in OpenSSL, PHP, and WordPress and are largely due to a combination of extensive customizations paired with a shortage of testing and fixing of vulnerabilities when compared with that of long-standing commercial OS software
'Boring' companies just as much fun for hackers(FierceCIO) Smaller organizations may often feel they can "hide in plain sight" when it comes to cyberdefense. After all, they're probably too 'boring' and 'insignificant' to be on any hacker's hit list
Valuing cybersecurity outcomes instead of oversight(FCW) Every day, new technologies and applications offer opportunities to change how we work, live and play. This frenetic pace is rivaled only by the ever increasing number and sophistication of the cybersecurity threats we face
Consumers Trust Energy Providers to Safeguard Personal Data(Infosecurity Magazine) In today's digital world of connected devices, energy consumers are nearly twice as likely to trust their energy providers to safeguard their personal data than to advise them on energy consumption, according to new research by Accenture
Digital security is a boardroom problem(Technology Spectator) Digital attacks can threaten an organisation's global reputation and at its very worst, its ability to operate, making online security a key business governance issue. Business leaders who relegate security to the IT department risk significant business damage: the results of a successful attack can include financial loss, loss of Intellectual Property (IP), Privacy Act non-compliance and sabotage
Relying on your insurer for security? Think again!(Help Net Security) Data breaches are a regular occurrence, one need simply look at the papers to read about the myriad of breaches that have occurred over the last year. From the Sony attack in late 2014, to the more recent breach on Government employees in the US, it is clear that security breaches will continue to happen; and the threat landscape, as opposed to "going away", will continue to evolve at a pace as fast as those working to prevent it
Cyber Insurance — Pathway to the Silver Clouds of Cyber Risk Transference(Information Security Buzz) Earlier this year Lloyd's of London reported a remarkable figure that the cyber insurance market grew by 50% in Q1. Despite this growth, the Corporate Executive Programme (CEP), found that 40% of major US companies have cyber insurance cover compared to 13% of UK businesses
Are shipowners ready to prevent cyber attacks?(Marine Electronics & Communications) Shipowners should be prepared to battle cyber threats to their assets, and the industry should be doing more to prevent successful hacking. Cyber security is becoming an increasingly important issue for the maritime industry as ships are open to a growing number of threats. As more onboard systems are run by computers, hackers may gain access to key equipment, including navigation, steering, engineroom and cargo handling systems
Waratek Can Automatically Fix Security Flaws In Java Apps(Forbes) Waratek, which came to light in Accenture's London FinTech Innovation Lab with its software to run multiple Java apps on a single server, has found its technology also provides protection against even previously unknown threats, so-called zero day attacks
Trend Micro and Booz Allen Take the Offensive on Cybersecurity(Trend Micro: Simply Security) Organizations today hold a massive amount of highly sensitive information that is being targeted for cybercrime, corporate espionage and beyond. In this era of highly sophisticated attacks by well-funded and aggressive adversaries, it's incumbent upon organizations to have proper procedures and mechanisms in place to keep data secure. The stakes are high with legal and civil liabilities, as well as corporate reputations on the line
15 signs you've been hacked(GFI Blog) Hardware, software, wetware, bloatware, crapware… and the newest piece of shiny is on sale now! Far too often users think slow or unreliable performance is just part of the fun of using computers, and when the Internet is slow, it's because someone in another office is probably watching Netflix
Linux Enumeration And Privilege Escalation — LinEnum(CyberPunk) LinEnum will automate many Local Linux Enumeration & Privilege Escalation checks documented in this cheat sheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/GUID files and Sudo/rhost mis-configurations and more
Cyber Boot Camp: a head start for tomorrow's cyber workforce(We Live Security) What is Cyber Boot Camp? Every June, a select group of students from high schools and middle schools in San Diego County, California, get five days of intense education in the art of defending computer systems, organized by the unique community-wide security awareness non-profit, Securing Our eCity, and sponsored by a variety of organizations, including security solutions-provider, ESET. This year more than 50 students will experience a week of hands-on instruction, plus lectures from leading cyber security experts from San Diego companies as well as local and national law enforcement. The 2015 Cyber Boot Camp starts Monday, June 22
Teaching Encryption Soon to Be Illegal in Australia(Bitcoinist) Under the Defence Trade Control Act (DTCA), Australians could face up to ten years in prison for teaching encryption. Criminal charges will go into effect next year. The new legislation will make it illegal for Australians to teach or provide information on encryption without having a permit
Jailing of security czar Zhou turning point in Chinese politics(Gulf News) Zhou Yongkang was no ordinary Chinese politician, but the third ranking member since 2007 of the Politburo Standing Committee (PBSC). The Standing Committee members are the real rulers of China. His responsibility — the control and supervision of the vast internal security apparatus, including the criminal justice system — gave him immense power and prestige
Upcoming U.S.-China talks may be strained by recent cyber attack(PBS) Tensions between the U.S. and China are growing over its island-building in the South China Sea and over suspicions that Beijing was behind a massive hack into a federal government server that resulted in the theft of personnel and security clearance records of 14 million employees and contractors
US to abandon Chinese-owned Waldorf at UN General Assembly(Fox News) The State Department will abandon decades of tradition this fall at the annual U.N. General Assembly by setting up shop in a hotel other than New York's iconic Waldorf-Astoria, which was purchased last year by a Chinese company
FCC: Subsidize Rural Broadband, Block Robocalls(InformationWeek) The FCC voted 3-2 to extend and reform a program that would help low-income Americans gain access to the Web through subsidies. The commission is also allowing customers to block spam and robocalls
DOD looks to better data for better security(FCW) Pentagon officials are trying to do a better job of reaping the low-hanging fruit of cyberattack data to make their networks more secure, according to Richard Hale, the Defense Department's deputy chief information officer for cybersecurity
Spy court clears path to renewing NSA powers(The Hill) The secretive federal court that oversees the nation's spies is laying the groundwork for temporarily reauthorizing the National Security Agency's (NSA) sweeping collection of U.S. phone records
The OPM Hack and the New DOD Law of War Manual(Just Security) Last Friday was a big day in cybersecurity news. OPM announced that, in addition to the compromise of the personnel information of federal employees revealed on June 4, Chinese hackers also breached a database containing millions of security clearance forms. Meanwhile, on the other side of the Potomac, the Department of Defense released its new Law of War Manual — the first since 1956 — including a new chapter on "Cyber Operations." Considering the OPM hack in light of the Law of War Manual shows why, as a legal matter, the U.S. government is in a tough spot in responding to the hack
Opinion: #CyberDeflategate and the beginning of sports hacking(Christian Science Monitor Passcode) It was only a matter of time before American sports added hacking to its tricks for gaining the upper hand. But unlike other cheating scandals that have led to suspensions and fines, computer crimes can lead to prison time
Millions of fake online reviews are gumming up the joy of buying stuff(Naked Security) The UK Competition and Markets Authority (CMA) announced on Friday that it's opened an investigation into the problem of what it says are millions of fake online reviews, be they "This changed my LIFE!" bogosity or disgruntled employees who post fake negative reviews — just two of the many flavors of fake reviews out there
Sussex businesses hit by cybercrime(Chicester Observer) Almost half of all small and micro businesses in the south East report having experienced cybercrime, according to new research from the Association of Accounting Technicians
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Fifth Annual International Cybersecurity Conference(Tel Aviv, Israel, June 22 - 25, 2015) The conference, held jointly this year by the Yuval Ne'eman Workshop for Science, Technology and Security, the National Cyber Bureau, the Prime Minister's Office, the Blavatnik Interdisciplinary Cyber...
Cybersecurity Executive Roundtable(Blacksburg, Virginia, USA, June 23, 2015) experts from across the country will convene at Virginia Tech to meet with rising cybersecurity talent to discuss solutions for the country's cyber workforce shortage in an executive roundtable titled...
Cyber Security for Defense(Augusta, Georgia, USA, June 24 - 26, 2015) This conference serves as an opportunity for solution providers to break through the background noise and present their unique ideas and products in an environment specifically tailored to highlighting...
AFCEA PNC Tech & Cyber Day(Tacoma, Washington, USA, June 25, 2015) The Armed Forces Communications & Electronics Association (AFCEA) - Pacific Northwest Chapter (PNC) will once again host the 5th Annual Information Technology & Cyber Day at Joint Base Lewis-McChord (JBLM)...
Cybersecurity Outlook 2016(Tysons Corner, Virginia, USA, June 26, 2015) Cybersecurity Outlook 2016 is a breakfast event by Potomac Tech Wire and Billington CyberSecurity that brings together senior executives in the Mid-Atlantic to discuss technology issues in a conversational,...
US News STEM Solutions: the National Leadership Conference(San Diego, California, USA, June 29 - July 1, 2015) San Diego offers the perfect backdrop for the 4th annual U.S. News STEM Solutions National Leadership Conference, June 29 — July 1, 2015 in San Diego, CA. Please make your plans now to join fellow...
NSA Information Assurance Symposium (IAS) 2015(Washington, DC, USA, June 29 - July 1, 2015) The NSA Information Assurance Directorate (IAD)'s Information Assurance Symposium (IAS) is a biannual forum hosted by the National Security Agency (NSA). IAS events of the past have proven to be the preferred...
Information Assurance Symposium (Washington, DC, USA, June 29 - July 1, 2015) The NSA Information Assurance Directorate (IAD)'s Information Assurance Symposium (IAS) is a biannual forum hosted by the National Security Agency (NSA). IAS events of the past have proven to be the preferred...
Cyber Security for Healthcare Summit(Philadelphia, Rennsylvania, USA, June 29 - July 1, 2015) Our IQPC Cyber Security for Healthcare Summit will help Hospitals and Medical Device manufacturers to prepare and manage risks by viewing cybersecurity not as a novel issue but rather by making it part...
Information Assurance Symposium(Washington, DC, USA, June 29 - July 1, 2015) The NSA Information Assurance Directorate (IAD)'s Information Assurance Symposium (IAS) is a biannual forum hosted by the National Security Agency (NSA). IAS events of the past have proven to be the preferred...
Cyber Security for Healthcare Summit(Philadelphia, Pennsylvania, USA, June 29 - July 1, 2015) Our IQPC Cyber Security for Healthcare Summit will help Hospitals and Medical Device manufacturers to prepare and manage risks by viewing cybersecurity not as a novel issue but rather by making it part...
Cybergamut Tech Tuesday: The Truth About Security Your System(Elkridge, Maryland, USA, June 30, 2015) What does it take to secure a system? What is the logical approach to successfully achieve this endeavor? First, an understanding of who wants access and why is a necessary baseline to form a strategic...
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.