A number of flights operated by the Polish national airline LOT were grounded on Sunday, June 22 as the unknown hackers gained access to LOT's computers. According to the official communique the computers were attacked in a way which made impossible to print flight plans for airliners departing from Warsaw. According to LOT there was no danger to any of the aircraft already in the air, the only thing the attack prevented was creation and printing of flight plans for regular flights departing from Warsaw. LOT has informed about the problem at 4pm on Sunday and the problem was apparently resolved by 8.45 pm. At the moment no other details are know. http://niebezpiecznik.pl/post/komputery-lot-u-zaatakowane-samoloty-uziemione/ - link in Polish only, sorry.
A hospital employee and seven others were indicted on Friday on charges of stealing the personal information of as many as 12,000 patients. http://www.nytimes.com/2015/06/20/nyregion/8-indicted-in-identity-thefts-of-patients-at-montefioremedical-center.html
http://www.businessinsider.com/the-us-agency-plundered-by-chinese-hackers-made-one-of-the-dumbest-security-moves-possible-2015-6 Contractors in Argentina and China were given "direct access to every row of data in every database" when they were hired by the Office of Personnel Management (OPM) to manage the personnel records of more than 14 million federal employees, a federal consultant told ArsTechnica. [See also, from Monty Solomon: Undetected for nearly a year, Chinese intruders executed a sophisticated hack that gave them administrator privileges in government networks. Their ultimate target: information on anyone seeking a security clearance. http://www.nytimes.com/2015/06/21/us/attack-gave-chinese-hackers-privileged-access-to-us-systems.html PGN]
Ars via NNSquad http://arstechnica.co.uk/tech-policy/2015/06/australia-passes-controversial-anti-piracy-web-censorship-law/ As well as being based on a false premise, the new law will also be ineffectual, since Australians can simply use to web proxies and VPNs to circumvent any blocks that are imposed. This has raised the fear that the courts will go on to apply the new law to VPN providers, although Australia's Communications Minister Malcolm Turnbull has insisted this won't happen. According to TorrentFreak, last week Turnbull said: "VPNs have a wide range of legitimate purposes, not least of which is the preservation of privacy--something which every citizen is entitled to secure for themselves--and [VPN providers] have no oversight, control or influence over their customers' activities." If Turnbull sticks to that view, it is likely that Australians will turn increasingly to VPNs to nullify the new law.
Reason.com, a leading libertarian website affiliated with Reason magazine, received a federal grand jury subpoena compelling them to identify anonymous commenters. The subpoena included a gag order so Reason.com could not talk about it. Until now: http://reason.com/blog/2015/06/19/government-stifles-speech http://popehat.com/2015/06/08/department-of-justice-uses-grand-jury-subpoena-to-identify-anonymous-commenters-on-a-silk-road-post-at-reason-com/ http://popehat.com/2015/06/11/media-coverage-of-the-reason-debacle/ But Reason.com is not the dark web. Many of our regular commenters voluntarily display either personal website information or their email addresses. In fact, three of the six commenters subject to this very subpoena voluntarily displayed public links to personal blogs at Blogger as part of their comments, one of which further links to a Google+ page. Raising the question: How can the government view these so-called "threats" as so nefarious when people posted them in such a non-anonymous fashion?
http://www.wired.com/2015/06/facebook-real-name-policy-problems/ "TWO WEEKS AGO, Facebook locked me out of my profile. My photos and friends are gone, my profile vanished without a trace. Someone reported my account as pseudonymous, and Facebook kicked me out. To get back in, I must provide various forms of identification proving the authenticity of my username. I'm not going to. I am one of many casualties of Facebook's recently rejiggered "authentic name" policy, wherein anonymous users can report a name as fake and trigger a verification process. Part of the motivation is stopping the proliferation of celebrity imposter accounts and profiles made for pets. But it's also allowed Facebook to shutter the accounts of real people, based on "authenticity." What does "authentic" mean, though? It's both confusing and contextual, because identity itself is confusing and contextual." Yet another difference with Google. When they realized that the entire "real name" paradigm just didn't work out well for users in Google+, Google actually learned from this and moved beyond it to an open naming model. In contrast, Facebook just keeps repeating its own mistakes again, and again, and again ... [FaRcebook with R for Repeat? PGN]
(was: Japanese pension organization phished ... (Macintyre RISKS- 28.67) "... very few employers seem interested in factoring [IT certifications] into their hiring process." Over many years I have interviewed prospective employees for a variety of roles, from screen-watchers in a SOC to top-flight consultants in 'Big Six' practices. A great many have adduced certificates of competency in IT and IT/Information Security. Few have stood my scrutiny. I have seen candidates with CISSP after their name who had zero trade experience; I have seen CISAs who couldn't audit their way out of a paper bag; I have seen people with a "practitioner" certificate whose acquired knowledge is useless in practice; and I have shown the door to those with a plethora of Microsoft, Cisco and other manufacturer certifications who couldn't explain what the first letter in SFTP, SSH, SHTTP meant, let alone how it worked. In short, I have never put much store by certificates, but a lot on real-world, nose-to-the-grindstone, ear-to-the-ground, demonstrable experience, ideally with a major cock-up in their past from which they have learned major lessons. As a consequence, I have recruited great people who were logical in thought, thorough in approach, and tenacious in execution, and who have gone on to have great careers. But not one of the best I could name had any certificate to back up the skills I hired them for. The Ark was built by one man with no qualifications, the Titanic by people with certificates.
Here's the problem: our election system is *already* hacked and has been for decades. It seems perversely (and perhaps intentionally) designed to keep all but the most fervent partisans from voting, especially in off-year elections, where most of the mischief seems to now occur. News archives are replete with tales of voters standing for hours in enormously long lines, waiting for the chance to exercise their franchise. Shortages of paper ballots are frequent. And, now, of course, states seem to be intent upon erecting further roadblocks to voting through voter ID laws, which "solve" the largely non-existent problem of voter fraud. And we wonder why voter turnout becomes progressively worse each election and why all too often elections are decided by a few zealots, resulting in the warped Congress and Senate currently installed in Washington, DC. (and that includes members of *both* parties, mind you). Now I'm not necessarily advocating electronic voting and certainly not Internet voting, given the current state of the technology, but perhaps the time has come for the technologists and security mavens reading this list to go beyond mere nay-saying and skepticism and come up with verifiable, auditable solutions that make voting as easy as, say, ordering a new gadget from Amazon.
Look on the bright side: at least the risks were made obvious and apparent in a vote that has enough importance for people to care (and for publicity), but less importance than a real governmental vote.
Please report problems with the web pages to the maintainer