A criminal stole “a significant amount of data” in a hacking attack that targeted one of the busiest airports in Australia.

According to The West Australian, the breach occurred in March 2016 when a Vietnamese man named Le Duc Hoang Hai abused a third-party contractor’s credentials to access the systems at Perth Airport, the fourth busiest airport in Australia. Kevin Brown, chief executive of the airport, says Perth’s IT team ultimately detected the breach and notified both the Australian Cyber Security Centre and the Australian Federal Police. As quoted in a statement provided to 9News Australia:

“The assistance and hard work of these two agencies has resulted in the successful identification and prosecution of the individual responsible for the cyber intrusion. Based on evidence gathered by the Australian Federal Police, it appears that credit card theft was the motivation for the illegal accessing of our system. No personal data of members of the public, such as details of credit card numbers, was accessed but other Perth Airport documents were taken.”

Those documents included building schematics and details of physical security measures that staff had implemented at the airport.
Perth Airport. (Source: Wikipedia)

Upon hearing from Perth Airport, the Australian Cyber Security Centre and the Australian Federal Police traced the attack back to Vietnam and tipped off local authorities. Vietnamese law enforcement subsequently began looking into the matter. Their investigation identified 31-year-old Hai as the culprit responsible for hacking not only Perth but also additional targets in Vietnam including banks and an online military newspaper.

Perth was Hai’s only Australian target.

Vietnamese police thereafter arrested Hai. In early December 2017, a military court ordered him to serve four years in prison for his digital offenses.

Prime Minister Malcolm Turnbull’s digital security adviser Alastair MacGibbon hasn’t found any evidence that Hai was working as part of a larger group or sold the stolen information. Even so, to him the hack constitutes “a sign of the type of work we are going to be doing a lot more of in the future.” That includes improving the security measures at Perth and other airports regarding what types of information third-party contractors can access.

This isn’t the first security incident to expose an airport’s sensitive data. News of this attack comes less than two months after Britain’s largest and busiest airport launched an investigation to determine how someone found a USB containing 2.5GB of its data on the street. That data included maps of CCTV cameras and other security measures.
As many followers know, I run a workshop titled Hack Yourself First where I spend a couple of days with folks running through all sorts of common security issues and, of course, how to fix them. I must have run it 50 times by now so it’s a pretty well-known quantity, but there’s one module more than any other that changes at a fierce rate – HTTPS.
I was thinking about it just now when considering how to approach this post launching the new course because let’s face it, I’ve got a lot of material focusing on the topic already. But then I started thinking about the rate of change; just since the beginning of last year, here’s a bunch of really major HTTPS stuff that’s happened (and this is just the ones that spring immediately to mind):
- Apr 2016: Let’s Encrypt officially launched
- Oct 2016: WoSign and StartCom certs started being distrusted (looks like StartCom finally died just this month)
- Oct 2016: We passed the halfway mark with more than 50% of page loads occurring over HTTPS according to Mozilla
- Jan 2017: Chrome removes support for SHA-1 certificates
- Jan 2017: Chrome and Firefox started showing warnings when login forms were loaded over HTTP
- Oct 2017: Chrome started showing warnings when anything was entered into an input field loaded over HTTP
- Nov 2017: Some sites got desperate to suppress browser security warnings about a lack of HTTPS
- Dec 2017: Let’s Encrypt became the largest issuing CA in the Alexa Top 1 million
There’s plenty of other stuff coming too, for example Chrome’s certificate transparency requirement hitting in April next year and I suspect in the not too distant future, a change to the way DV and EV certs are indicated in the browser (this is actually an enormously contentious issue, read more). Anyway, the point is that things are rapidly changing and there’s always new things to talk about.
So that’s what we’ve done – Lars Klint and I teamed up again and recorded another Pluralsight “Play by Play”, so this is where we both have an on-camera discussion that’s complemented with screen recordings. It’s not a deep discussion and it’s perfect for consumption by people at all levels of technical competency that have an interest in delivering secure applications via the web. We talk a lot about the changes (some of which I mentioned above), new approaches to easing the burden of HTTPS adoption and how many people think the padlock icon is really a handbag. True story.
This course actually went out a few weeks ago but as some of you know, I’ve been kinda busy. But that’s given me a bit of time to see how it’s performed and it’s done surprisingly well. I actually have a more formal HTTPS course that goes deep titled What Every Developer Must Know About HTTPS and that’s been enormously popular this year (also rating 4.9 stars 😎), but over December, the new Play by Play has actually outdone that one to become my third most popular course in the library! Apparently, a bunch of people really do think HTTPS is worth paying some attention to.
Play by Play: What You Need to Know About HTTPS Today is now live on Pluralsight!