10Fold – Security Never Sleeps – 40

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: An EU watchdog said on Wednesday it needed time to study a new EU-U.S. agreement on data transfers to determine whether the United States was committed to limiting intelligence surveillance of Europeans. Charles Harvey Eccleston, a former employee of the U.S. Department of Energy and the U.S. Nuclear Regulatory Commission (NRC), pled guilty Tuesday to charges of attempting to extract sensitive, nuclear weapon-related information by hacking into his former colleagues’ computers. Developers of the Socat networking tool have fixed a cryptographic flaw that left communications open to eavesdropping for over a year. Hacking group AnonSec claims to have breached NASA’s network and to have temporarily gained partial control of a NASA Global Hawk drone. 

EU watchdog says needs time to study data deal with United States – Publication: Reuters – Reporter name: Philip Blenkinsop

An EU watchdog said on Wednesday it needed time to study a new EU-U.S. agreement on data transfers to determine whether the United States was committed to limiting intelligence surveillance of Europeans. Negotiators from the European Union and the United States agreed the data pact on Tuesday. It will replace the Safe Harbor framework, which a top EU court ruled illegal last year amid concerns over mass U.S. government snooping. Under the new Privacy Shield, the Commission said U.S. companies would face stronger obligations to protect Europeans’ personal data, including limitations to U.S. surveillance programs. There are concerns on the transfer regarding the scope of surveillance and particularly the remedies. The question is whether the new arrangement answers these concerns or not.


Former US Energy Department Employee Accused of Trying To Steal and Sell Nuclear Secrets Pleads Guilty – Publication: International Business Times – Reporter name: Avaneesh Pandey

Charles Harvey Eccleston, a former employee of the U.S. Department of Energy and the U.S. Nuclear Regulatory Commission (NRC), pled guilty Tuesday to charges of attempting to extract sensitive, nuclear weapon-related information by hacking into his former colleagues’ computers. The 62-year-old tried to extract information from computers at the Department of Energy through “spear-phishing” emails with the intent of selling this information to an unnamed foreign government. Thanks to the work of the FBI, this former federal employee was arrested before he could do any damage, and he is now being held accountable for actions that could have threatened our national security.


Socat vulnerability shows that crypto backdoors can be hard to spot – Publication: PC World – Reporter name: Lucian Constantin

Developers of the Socat networking tool have fixed a cryptographic flaw that left communications open to eavesdropping for over a year. The error is so serious that members of the security community believe it could be an intentional backdoor. Socat can create encrypted connections using the Diffie-Hellman (DH) key exchange mechanism, which fundamentally relies on a prime number to derive the shared secrets for key exchanges. It turns out that the 1024-bit DH parameter used by Socat was not actually a prime number. Whether the flaw was intentional or not, its existence does highlight the ease with which cryptographic backdoors can be introduced into projects without maintainers noticing.
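The Socat item above comes down to one missed check: a Diffie-Hellman modulus that is not prime gives no security guarantee. The following is an added illustration, not Socat's code and not its actual parameter, of how a maintainer can sanity-check a proposed DH modulus (primality via Miller-Rabin, safe-prime structure, and minimum size); the sample moduli and the `check_dh_modulus` helper are constructed for this example.

```python
"""Sanity checks for a proposed Diffie-Hellman modulus (example code for the
Socat item above; not Socat's own code or constant)."""
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test: a composite survives all rounds with prob <= 4**-rounds."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:            # trial division catches small factors fast
        if n % q == 0:
            return n == q
    d, s = n - 1, 0                   # write n - 1 = d * 2**s with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # a is a witness that n is composite
    return True

def check_dh_modulus(p: int, min_bits: int = 2048) -> list:
    """Return findings for a proposed DH modulus; an empty list means it passed."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"modulus is only {p.bit_length()} bits (want >= {min_bits})")
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("modulus is prime but not a safe prime ((p-1)/2 composite)")
    return findings

# Constructed samples (hypothetical, not Socat's parameter): a product of two
# Mersenne primes is composite yet has no small factors; 2**89 - 1 is prime.
COMPOSITE_SAMPLE = (2**61 - 1) * (2**31 - 1)
PRIME_SAMPLE = 2**89 - 1

if __name__ == "__main__":
    for name, p in (("composite", COMPOSITE_SAMPLE), ("prime", PRIME_SAMPLE)):
        print(name, check_dh_modulus(p, min_bits=64) or ["ok"])
```

Trial division alone would have passed the composite sample, which is why the Miller-Rabin step is the one that matters for a parameter like the one described in the article.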


NASA Denies Hackers Hijacked Its Drone – Publication: InformationWeek – Reporter name: Thomas Claburn

Hacking group AnonSec claims to have breached NASA’s network and to have temporarily gained partial control of a NASA Global Hawk drone. To support its claim, AnonSec says it has posted 250GB of data exfiltrated from NASA servers. Allard Beutel, acting director of NASA’s news and multimedia division, in an email denied the group’s assertions about the drone, and said the alleged breach is being investigated. AnonSec acknowledges that at least some of the data posted is public, but the group claims it “wanted access to the raw data, straight from the backend servers, to see if they [NASA] were not publishing some of the data or possibly tampering with the data.” NASA does offer an online directory but only to authorized NASA personnel. While it’s plausible that AnonSec could have scraped websites for email addresses and phone numbers in order to present them as purloined data, a hack seems more likely, particularly in light of other details provided, like the use of weak passwords.