Friday Five: 2/5/16 Edition
Happy Friday! Here is our weekly roundup of popular cyber security news.
European and U.S. lawmakers made a last-minute resolution on Monday to allow data transmissions between Europe and the U.S. to continue legally. After fifteen years in the running, the Safe Harbor agreement was struck down in court last October. The new agreement, called Privacy Shield, is already under scrutiny; some fear the U.S. laws are not commensurate with European laws and that they may be too broad. Read the article for more on Privacy Shield.
As of now eBay has no intentions to remediate a “severe” vulnerability that attackers can exploit to distribute “malicious code and phishing pages” through the eBay website. By using a programming style known as JSF**K, attackers can bypass eBay’s controls that aim to prevent users from posting content that can execute malicious code on visitors’ devices. Despite having known about the vulnerability since December, eBay has stated that they “have not found any fraudulent activity stemming from this incident” and seemingly do not intend to fix the flaw. Read the Ars Technica article to learn more.
3. Russia to Spend a Whopping $250m to Strengthen Its Cyber-Offensive Capabilities by Eugene Gerden
Seemingly not thrilled by the U.S.’s cyber efforts, Russia announced plans for its own advances in offensive cyber-technology this week. Claiming to have access to top hacking talent, Russia plans to spend $200-250 million (USD) per year developing offensive technology targeting opposing militaries’ command and control systems and other critical infrastructure. A Russian Federal Security Service spokesperson told SC Magazine UK that Russia’s plan is “in response to similar plans announced by the US at the beginning of 2015.” Read the full article for more on Russia's plan.
A new report released by the U.S. Government Accountability Office (GAO) this week exposed some security issues in EINSTEIN, the Department of Homeland Security’s National Cybersecurity Protection System (NCPS). Since 2003, the DHS has used EINSTEIN to secure federal agency network traffic through intrusion prevention and detection as well as security analytics and information sharing. Despite having an allocated budget of $5.7 billion through 2018, the GAO audit found that EINSTEIN is lacking in its defenses against zero-day attacks and in its traffic monitoring capabilities, among other shortcomings. For more on the security issues relating to EINSTEIN, read the article.
The week started off with hacking group Anonsec claiming on Sunday that it had successfully hacked a NASA drone to take “semi-partial control” mid-flight. The group also released roughly 250 GB of data – including drone logs and employee information – it claimed to have stolen after hacking NASA’s networks. On Monday, NASA denied Anonsec’s claims in a statement to Forbes that “Control of our Global Hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data.” NASA’s investigation is still underway. Read the full article for more.