Cyber Attacks, Threats, and Vulnerabilities
Did a hacker really make a plane go sideways? (Christian Science Monitor Passcode) An FBI affidavit in a case involving security researcher Chris Roberts claims that he took over the navigation system of an airliner. But if those claims are indeed true, they raise troubling questions about the state of airline security
Alleged plane hacker said he pierced Boeing jet's firewall in 2012 (Ars Technica) Chris Roberts also claimed to access International Space Station system
Hacker says he took over a flight's engine controls; Boeing casts doubt on claim (Fox 13 News) A cybersecurity consultant told the FBI he hacked into computer systems aboard airliners up to 20 times and managed to control an aircraft engine during a flight, according to federal court documents
FBI Claims Banned Researcher Admitted Hacking Plane Controls… But Is Someone Lying? (Forbes) Chris Roberts is not happy with the FBI officers who interviewed him last month. The security researcher was questioned for four hours after being removed from a United Airlines flight on 15 April and his equipment seized for a tweet he said was a joke, though it indicated he was able to tinker with in-flight communications to compromise the oxygen supply on the flight
Hacker Chris Roberts told FBI he took control of United plane, FBI claims (Washington Post) A hacker who allegedly said he took over the controls of a plane in mid-flight has been investigated by the FBI — even as he pokes fun at the agency, saying he is only out to improve airline security
Security experts concerned that planes can be hacked through in-flight entertainment network (Techspective) The little TV screens on the back of the headrest on every seat on many commercial planes are awesome
Is there such a thing as ethical hacking? (Computerworld) A recent news report about hacking into a commercial jet raises concerns about how we view ethical hacking
Lets Call Stunt Hacking What it is, Media Whoring. (Carnal0wnage) I recently read this article: [linked in original] and it brought to mind some thoughts that have been percolating for quite a while
Operation "Oil Tanker": The Phantom Menace (Panda Labs) Everything started on a cold January day in a coastal town in the North East of England, an area with a strong presence of petrochemical companies
'BND and NSA tapped Dutch internet traffic' (NU) The German intelligence service BND and the American NSA reportedly tapped internet traffic to the Netherlands, Austria and France with the cooperation of the telecom company Deutsche Telekom
Cyberattacks mine universities for intellectual-property data (FierceBigData) Penn State's College of Engineering was cyberattacked and security experts expect more universities to be actively mined by cyberattackers in the near future if they aren't already under attack. But these attacks are looking for more than the usual data payoff. Much more
How hackers used Microsoft TechNet to run their botnet (Win Beta) A report released by FireEye, a California-based network security firm, exposed an obfuscation tactic a group of Chinese hackers employed that used Microsoft's TechNet web portal to cloak their botnet from standard countermeasures
FireEye helps Microsoft fight hackers in its own backyard (IT Pro) Security firm teams up with Redmond to detect malware on TechNet forum
Anonymous Italy Steals 1TB of Data from Best Union Ticketing Service During Expo 2015 Attacks (Freedom Hacker) Anonymous Italy has continued to target Expo 2015 with a series of high-scale Distributed Denial of Service (DDoS) Attacks under the collectives Operation Italy (#OpItaly). Anonymous hackers have targeted Expo 2015's systems and supporting organizations with a series of high-profile cyberattacks for the past few weeks and show no sign of stopping
St. Louis Federal Reserve Suffers DNS Breach (KrebsOnSecurity) The St. Louis Federal Reserve today sent a message to those it serves alerting them that in late April 2015 attackers succeeded in hijacking the domain name servers for the institution
Can Hackers Commit the Perfect Murder By Sabotaging an Artificial Pancreas? (IEEE Spectrum) Robotic systems are, at last, beginning to take over some of the burden of managing the fluctuations in blood glucose in patients with Type 1 diabetes. But a new report warns that as the systems get adopted more widely, the risk of criminal eavesdropping and sabotage will also increase
MetroHealth reports data breach affecting select heart patients (19 Action News) On March 17, 2015, The MetroHealth System discovered malware on three computers in its Cardiac Cath Lab
UPMC alerts 2,200 patients to data breach (Pittsburgh Post-Gazette) UPMC is alerting 2,200 patients treated at its hospital emergency departments that information from their medical records may have been disclosed by an outside contractor
Rombertik's disk wiping mechanism is aimed at pirates, not researchers (Help Net Security) Rombertik, the information-stealing malware that was recently analyzed by Cisco researchers and which apparently tries to prevent researchers from doing so by rewriting the computer's Master Boot Record, is actually a newer version of an underground crimeware kit known as Carbon FormGrabber (or Carbon Grabber), Symantec researchers have found
Address spoofing vulnerability in Safari Web Browser (Internet Storm Center) A new vulnerability arised [sic] in Safari Web Browser that can lead to an address spoofing allowing attackers to show any URL address while loading a different web page
"Failure In Parcel Delivery" Fake Email Drops Malware On USPS Customers' PC (HackRead) Please note that the email that appears to be sent by USPS informing that due to incorrect address the firm has failed to deliver a parcel to the recipient is actually a malicious message
SPSS Vulnerability Is Tough To Exploit But Stakes Are High For Client Base (Fortinet Blog) SPSS is one of the most widely used statistical analysis packages in the world. It was first released in 1968 and gained considerable traction among social sciences researchers
Uber in hot water again — this time over plaintext passwords in emails (Naked Security) Isabelle Berner has been taking a lot of Uber rides in the UK lately, for somebody who lives in New York City
Florida EOC testing delays caused by outside cyber attack again, officials say (Tampa Bay Times) Interruptions in Florida's end-of-course biology, civics and U.S. history exams last week came courtesy of outside hackers, a Florida Department of Education spokeswoman told the Gradebook on Monday
Investigation underway after cyber attack against ODU student newspaper (ABC 13 News Now) Old Dominion University's student-run newspaper, The Mace and Crown, was hacked this weekend
About the supposed factoring of a 4096 bit RSA key (Hanno's Blog) tl;dr News about a broken 4096 bit RSA key are not true. It is just a faulty copy of a valid key
Global black markets and the underground economy (Help Net Security) What are currently the most vital global black markets and how do cybercriminals access them?
Why Thieves Would Rather Steal Your Apple Watch Than Your iPhone (Intego Blog) There's something important you need to know about the Apple Watch
Cyber Trends
Bad Ads and Zero Days: Reemerging Threats Challenge Trust in Supply Chains and Best Practices (TrendLabs Security Intelligence Blog) Best practices are failing. No matter how good you are at sticking to them, they can no longer guarantee your safety against the simplest threats we saw last quarter
G-Data Security Labs Malware Report (G-Data Security Labs) The number of new malware strains increased enormously in the second half of the year (H2); 4,150,068 were counted. There were 1,848,617 instances in the first half of 2014, meaning that the experts recorded an increase of around 125%
50 shades of grey hat: When is it right to go public about a security breach? (ZDNet) The ethics of IT security are still evolving: one in five security professionals say they have worked for a company that covered up a data breach
Adblockers are immoral and mobile networks should know better (The Next Web) As an editor, I feel resentful of people who enjoy my work but proudly run an adblocker to starve my content of revenue. Now the Financial Times reports that European mobile networks are planning to offer ad-blocking as a service to their customers. If true, those networks should be ashamed
Clients demand more of firms on data security (Global Legal Post) The increasing focus on data security and privacy, which permeates all levels of the business community, is starting to force the pace of change in the legal profession
What does the "post-Sony" world mean for IT security? (IT Pro Portal) The Sony Pictures hack last November was both shocking and unexpected. Beginning with an ominous warning that the entertainment company had been "hacked by GOP," large amounts of private and sensitive information were subsequently leaked
Marketplace
A Tidal Wave Of Cybersecurity Jobs (Homeland Security Today) Crime involving computers and networks costs the world economy more than $445 billion annually, according to a 2014 report by the Center for Strategic and International Studies. And, all indications are that cybercrime will continue trending up in 2015. This escalation in cybercrime is fueling an explosive cybersecurity job market
Partners To Cisco: Forget FireEye, Look At Palo Alto, Splunk (CRN) The Cisco partner community was abuzz last week following rumors that the networking giant had put in a whopping $9 billion bid to acquire advanced threat detection company FireEye
Cisco is not acquiring FireEye, but there are other potential targets for acquisition (FierceEnterpriseCommunications) Recent rumors indicated Cisco was making a play to purchase network threat prevention vendor FireEye, but those rumors were quashed not only by Cisco, but also by FireEye. Sources at FireEye told Re/Code the company wouldn't even be up for sale until revenue hit $1 billion
How AT&T Is Virtualizing Security (Wall Street Journal) AT&T Inc. is rethinking how it approaches security as it upgrades its data centers and network to better handle growing data and video traffic
Avast Opens North Carolina Office (Digital Journal) Avast Software, maker of the most trusted mobile and PC security in the world, today announced the opening of its Charlotte, North Carolina office bringing 60 new IT, marketing, business development and tech support jobs to the area
Splunk Appoints Snehal Antani as Chief Technology Officer (MarketWatch) Former GE Capital CIO and long-time Splunk customer to drive strategy and innovation
Products, Services, and Solutions
In Ambitious Security Play, Skyport Launches The Next Generation of Secure Infrastructure (TechCrunch) Winter is coming to the icy land of IT departments. Ferocious cyberattacks against corporate IT infrastructures are proliferating, and it seems like every day we hear about another company that has had a critical data breach
Microsoft clarifies again that its free Windows 10 upgrade is not for pirates (FierceCIO) Microsoft clarifies again that pirated versions of its Windows operating system will not be transformed into genuine copies with Windows 10 update
User behavior analysis, security's new El Dorado (LeMagIT) What do Fortscale and SentinelOne, finalists of the 2015 edition of RSA Conference's Innovation Sandbox, and HP have in common? User behavior analysis, or User Behavior Analytics (UBA)
Intercede enables secure payments and banking for financial technology specialist Interpay (IT Security Guru) Korean m-payments specialist Interpay has signed up to use Intercede's MyTAM to protect third party payment and banking apps running on the Android platform. The service allows Interpay to utilise the Trusted Execution Environment (TEE) to ensure sensitive consumer data is isolated from potential threats on the main operating system
Lastline Adds Rapid Host Breach Verification, Bridging Network and Endpoint Security (BusinessWire) Evasive malware detection pioneer expands platform to verify endpoint compromises
ThreatConnect, Inc. Announces STIX Integration (GlobeNewsWire) ISAC and ISAO members better able to share and aggregate threat intelligence into existing security processes to defend organizations
Marsh and FireEye collaborate on service to assess vulnerability to cyber attacks (Property Casualty 360) Cyber attacks appear to be proliferating around the world, and a major issue for companies is detecting the attacks before they wreak havoc with the organization's data
FireEye and ACE Group Announce Strategic Alliance to Mitigate Cyber Risk (MarketWatch) New offering pairs leading technical expertise from FireEye with pioneering cyber insurance from ACE to more effectively manage cyber risk for organizations worldwide
Dropbox for Business achieves ISO 27018 for cloud privacy (FierceCIO) Dropbox for Business has achieved certification with ISO 27018, an emerging standard for privacy and data protection in the cloud
Technologies, Techniques, and Standards
IEEE Cybersecurity Initiative Releases "Building Code for Medical Device Software Security" (BusinessWire) Establishes baseline requirements for secure software development & production of medical devices
5 common misconceptions about DDoS protection (IT Pro Portal) Defending organisations' networks against DDoS attacks has long been a daunting challenge — but now cybercriminals are making it even more so; headlines today are rife with news of another DDoS attack, data breach or other security incidents
How to make life difficult for Internet of Things hackers (Beta News) The "Internet of Things" is a buzzword which is becoming more and more prevalent in today's society. This is mostly due to the rise of crowd funding schemes and an insurgence of low power, highly capable microcontroller platforms such as Arduino
Part 4 — How to Prevent Phishing: Setting up WiFi and Instant Messaging Protections (Trend Micro: Simply Security) If you've ever been "phished," you've experienced the dangers of receiving phony emails, downloaded files, instant messages, or links to false websites masquerading as real ones
Design and Innovation
Alibaba Reveals a New Kind of QR Code to Fight Counterfeits (Wired) Chinese e-commerce giant Alibaba has a fake goods problem. The company knows it, and the Chinese government has made abundantly clear it knows, too. Now, to combat counterfeits, the company has come up with a solution: Slap unique QR code-like tags on every product
Wanted: Better designed systems for operators (Control) Operators responding to abnormal situations need better designed systems. The challenge is not inundating the operator while being sure to wake them up
Decoding the Enigma of Satoshi Nakamoto and the Birth of Bitcoin (New York Times) It is one of the great mysteries of the digital age
Academia
La. Tech honored for cyber education (News Star) The National Security Agency (NSA) and the U.S. Department of Homeland Security (DHS) have designated Louisiana Tech University as a National Center of Academic Excellence in Cyber Defense Education
New Degree in Cybersecurity Available at URock (Penobscot Bay Pilot) The University of Maine at Augusta and University College have announced that the University of Maine System (UMS) Board of Trustees approved a new Bachelor of Science in Cybersecurity
Legislation, Policy, and Regulation
Tech Giants Tell Obama To Resist Calls For Backdoor Access To Encrypted Data (TechCrunch) Apple, Google, Yahoo and more than 140 other tech industry companies have written to President Obama urging him to shoot down demands for 'backdoor' access to user data on smartphones and other communication devices and platforms
Opinion: The Pentagon's troubling new battle against Internet anonymity (Christian Science Monitor Passcode) With its updated cybersecurity strategy, the Department of Defense redoubles a campaign against Web anonymity. But without anonymity, the expression and political activity that it protects may vanish, too
The US and a spiral of cyberfear (Christian Science Monitor) In a newly revealed strategy, the Pentagon poses the threat of a digital counterattack on those who launch a cyberattack on the US. This offensive capability, however, might trigger a cyber arms race. Is the US fear well founded to justify a possible escalation of fear?
10th Fleet's the Charm? US Navy Looks to Beef Up Cyber Capabilities (Diplomat) The U.S. Navy's nascent 10th fleet plans to beef up its ability to fight off cyber intruders. Will that be enough?
Rhetoric flies as deadline looms to renew bulk phone metadata surveillance (Ars Technica) Spying program Snowden exposed expires June 1 unless reauthorized by Congress
Chris Christie: Edward Snowden Is a Criminal and NSA Fears Are 'Baloney' (Government Executive) New Jersey Gov. Chris Christie will condemn Edward Snowden as a "criminal" and charge civil libertarians with drumming up "baloney" concerns about the National Security Agency's spying practices Monday during a foreign policy speech to be delivered in New Hampshire
America Needs an Open Source Intelligence Fusion Center (Cicero) The humanitarian world often has a healthy suspicion of the military. This is understandable. It can be very dangerous for humanitarian organizations and USAID personnel to be conflated with the military, which skeptical locals sometimes consider the same thing as the CIA overseas
Spyware — required by law on South Korean teenagers' smartphones (Graham Cluley) It seems it's not that much fun being a teenager in South Korea
Litigation, Investigation, and Law Enforcement
A court ruling on "The Innocence of Muslims" is a big win for Google — and for Hollywood studios (Quartz) A panel of federal judges in San Francisco has overturned a decision that required Google to pull the controversial film The Innocence of Muslims from its video-hosting site YouTube
Ulbricht's lawyer: Silk Road was "the most responsible" drug market in history (Ars Technica) DPR paid a doctor $500 per week to give advice on "harm reduction"