[ISN] ‘This is just the tip of the iceberg’: Aeroplane hacking case points to deeper cyber issues

http://www.theage.com.au/it-pro/security-it/this-is-just-the-tip-of-the-iceberg-aeroplane-hacking-case-points-to-deeper-cyber-issues-20150526-gh9n4y.html

By Jeremy Wagstaff
The Age
May 26, 2015

Security researcher Chris Roberts made headlines last month when he was hauled off a plane in New York by the Federal Bureau of Investigation and accused of hacking into flight controls via his underseat entertainment unit.

Other security researchers say Roberts – who was quoted by the FBI as saying he once caused “a sideways movement of the plane during a flight” – has helped draw attention to a wider issue: that the aviation industry has not kept pace with the threat hackers pose to increasingly computer-connected airplanes.

Through his lawyer, Roberts said his only interest had been to “improve aircraft security.”

“This is going to drive change. It will force the hand of organisations [in the aviation industry],” says Jonathan Butts, a former US Air Force researcher who now runs a company working on IT security issues in aviation and other industries.

[…]

[ISN] The Pentagon Is Rethinking a $475 Million Cyber Defense Proposal

http://www.defenseone.com/technology/2015/05/pentagon-rethinking-475-million-cyber-defense-proposal/113635/

By Aliya Sternstein
Nextgov
May 25, 2015

Nearly a week after extending the terms of its original proposal, U.S. Cyber Command revoked a 5-year contract offer that aimed to backfill significant staffing shortages.

Cyber Command has called off a sweeping solicitation that would have outsourced support for cyberspying and network attacks against foreigners, as well as the defense of military networks.

As of Friday afternoon, there were few details on why the five-year-old command, which is racing to staff up, revoked an April 30 request for proposals from contractors. The jobs were worth up to $475 million over five years.

Drawing major assistance from industry was supposed to help deploy the so-called Cyber National Mission Force, according to the original solicitation. The purpose of the venture was “to streamline USCYBERCOM’s acquisition of cyber mission support capabilities and services, information technology services, and cyber professional services” across multiple disciplines “under a centralized structure.”

But now the Pentagon is rethinking the whole investment.

[…]

[ISN] Skytalks 2015 CFP – NOW OPEN

Forwarded from: bluknight <bluknight@skytalks.info>

== https://skytalks.info ==

Skytalks is a ‘sub-conference’ that gives a unique platform for researchers to share their research, for angry hackers to rant about the issues of their industry, and for curious souls to probe interesting issues, all without the watchful eye of the rest of the world. With a strict, well-enforced “no recording” policy, research that is underway or critical of a vendor can be aired to your peers. You are talking to other security people, sharing your working knowledge of a topic. That said, this isn’t a soapbox to say and trash whoever or whatever you want.

Skytalks is old-school DEF CON. We encourage handles – we want your material to stand on its own, not what company’s logo is on your slide deck. We encourage the audience to ask questions and challenge what does not seem to be right. Speakers will be held accountable for their material by their peers… loudly.

We’re looking for talks that are about cutting edge material, either in-progress, or ready to be disclosed… at the risk of offending a company. Talks that challenge the industry norms are great. Calling out those who plague our beloved industry, welcome! Talks that are outside the realm of a PG rating, can find (and have found) a home here (was re: Teledildonics).

First time speakers are welcome. We have had the privilege and honor of hosting for the first time some great names in the community. You, too, can be among that group.

What you must bring: A compelling topic, slides, and willingness to educate and/or face your peers. You should be: outgoing, willing to educate, wanting to learn (yes, as a presenter), and wanting to engage your peers. If you lack any of these skills, we can fix this. Please bring a spare liver.

A good talk is about mutual learning; it is a conversation. We just provide a room of professionals that want to converse, over booze. Sometimes… a lot of booze.

Your submission must include a brief abstract that explains your talk. It must include a detailed outline of the major talking points. Optionally, you can give us additional information or arguments about why we should accept your talk.

What we provide: A place to present, with projectors (VGA video). While we may have adapters on-hand, please be prepared and bring your own. We’ll have a PA system with appropriate microphones, as well as audio input from a device if you need it. Please let us know if you have any special requirements, such as a fire extinguisher for when you plan to set the table on fire.

Please note: all speakers must already be badged Defcon attendees. Skytalks cannot provide DEF CON badges for speakers, and Skytalks badges, while great keepsakes, do not provide access to DEF CON itself.

Also, dongs.

== https://skytalks.info ==

[ISN] Flawed Android factory reset leaves crypto and login keys ripe for picking

http://arstechnica.com/security/2015/05/flawed-android-factory-reset-leaves-crypto-and-login-keys-ripe-for-picking/

By Dan Goodin
Ars Technica
May 21, 2015

An estimated 500 million Android phones don’t completely wipe data when their factory reset option is run, a weakness that may allow the recovery of login credentials, text messages, e-mails, and contacts, computer scientists said Thursday.

In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data on a wide range of devices that had run factory reset. The function, which is built into Google’s Android mobile operating system, is considered a crucial means for wiping confidential data off of devices before they’re sold, recycled, or otherwise retired. The study found that data could be recovered even when users turned on full-disk encryption. Based on the devices studied, the researchers estimated that 500 million devices may not fully wipe disk partitions where sensitive data is stored and 630 million phones may not wipe internal SD cards where pictures and video are often kept. The findings, published in a research paper titled Security Analysis of Android Factory Resets, are sure to be a wake-up call for individual users and large enterprises alike.

[…]

[ISN] An unapologetic history of plane hacking: Beyond the hype and hysteria

http://www.zdnet.com/article/a-practical-history-of-plane-hacking-beyond-the-hype-and-hysteria/

By Violet Blue
Zero Day
May 21, 2015

Headlines and infosec pros alike have been going mental over security researcher Chris Roberts’ alleged mid-flight hacking of a commercial airplane, and his subsequent detainment by the FBI in April.

Things got hysterical last weekend when a month-old FBI search warrant application surfaced in headlines hyping the FBI’s belief that Roberts tried to fly the plane by hacking in through the in-flight entertainment system.

It remains to be seen whether or not a hacker can make a 747 “do a barrel roll” a la the maddeningly impossible fantasies of CSI Cyber. But as a result, the world is openly wondering whether there’s truth to the assurances from manufacturers and officials that aviation systems are as secure as claimed.

[ISN] FBI admits no major cases cracked with Patriot Act snooping powers

http://www.washingtontimes.com/news/2015/may/21/fbi-admits-patriot-act-snooping-powers-didnt-crack/

By Maggie Ybarra
The Washington Times
May 21, 2015

FBI agents can’t point to any major terrorism cases they’ve cracked thanks to the key snooping powers in the Patriot Act, the Justice Department’s inspector general said in a report Thursday that could complicate efforts to keep key parts of the law operating.

Inspector General Michael E. Horowitz said that between 2004 and 2009, the FBI tripled its use of bulk collection under Section 215 of the Patriot Act, which allows government agents to compel businesses to turn over records and documents, and increasingly scooped up records of Americans who had no ties to official terrorism investigations.

The FBI did finally come up with procedures to try to minimize the information it was gathering on nontargets, but it took far too long, Mr. Horowitz said in the 77-page report, which comes just as Congress is trying to decide whether to extend, rewrite or entirely nix Section 215.

[…]

[ISN] PCI council gives up, dumbs down PCI DSS for small business

http://www.theregister.co.uk/2015/05/22/pci_council_drafts_small_biz_security_militia/

By Darren Pauli
The Register
22 May 2015

The Payment Card Industry Security Standards Council has created a taskforce charged with improving security among small businesses.

The prodigious task will be tackled by encouraging small businesses to adopt security best practice and simplified Payment Card Industry Data Security Standards (PCI DSS).

Barclaycard payment security manager and taskforce chair Phil Jones says the Small Merchant Taskforce will focus on the most vulnerable business vertical.

“Though incidents of fraud are low, it’s small merchants that are particularly vulnerable to attack from hackers,” Jones says.

[…]

[ISN] Coast Guard Needs Better PHI Security, Says OIG Report

http://healthitsecurity.com/news/coast-guard-needs-better-phi-security-says-oig-report

By Elizabeth Snell
Health IT Security
May 21, 2015

The US Coast Guard (USCG) must do a better job in its PHI security measures, according to a recent report from the Office of the Inspector General (OIG).

Specifically, USCG lacks a strong organizational approach to resolving privacy issues, the report stated, which leads to the agency having challenges when it comes to effectively protecting PHI.

“We evaluated the safeguards for sensitive personally identifiable information and protected health information (privacy data) maintained by USCG,” OIG explained in its report. “Our objectives were to determine whether the USCG’s plans and activities instill a culture of privacy and whether the USCG ensures compliance with the Privacy Act of 1974, as amended, [HIPAA], and other privacy and security laws and regulations.”

OIG outlined five areas that USCG needs to resolve in order to improve its PHI security:

[…]