
Friday Cyber News, April 27 2018

Cyber technology-related news and links from around the web, for the week of 4/21 - 4/27:

1. Facebook reported this week as news that it removed more ISIS content--1.9 million "pieces of content" in Q1 2018--by actively looking for it! Great job, everyone, truly a sign of functional business leadership that "actively looking for terrorist content to remove" is a new priority. Facebook also made hay this week of publishing its community standards guidelines, with detail on what types of hate speech, bare breasts, and cannibalism content will and won't be taken down, and of clarifying what information from individuals' Facebook accounts is provided to advertisers--although their claim that "we don’t share information that personally identifies you" seems hard to verify, given how easy it is to personally identify someone with relatively few pieces of information, as Latanya Sweeney and others have shown. Also reported this week: Facebook's delayed or absent responses to hate speech and fearmongering in Sri Lanka, where false reports of anti-Buddhist and anti-Muslim crimes have spread on Facebook and spurred actual beatings and murders. Facebook also hasn't provided the promised responses to those of Congress' questions that Mark Zuckerberg was unable to answer in his testimony two weeks ago, despite Congresswoman Dingell's request that Facebook provide answers within 72 hours. Senators Klobuchar and Kennedy introduced a bipartisan social media privacy bill following Zuckerberg's testimony, with provisions similar to some of those in the EU's GDPR--which smaller ad tech companies say strengthens Google's and Facebook's online ad duopoly--including the right to receive a copy of one's data, the right to opt out of data collection, and the right to demand deletion of one's data. [Bloomberg; Wired; FB Newsroom; Data Privacy Lab; NY Times; The Verge; The Hill; WSJ]

2. Android's new messenger, Chat, is being criticized for not being end-to-end encrypted, while its decision to be open-source flies under the radar. In other encryption news, a new key escrow proposal penned by a former Microsoft executive looks a lot like previous key escrow proposals, and remains vulnerable to hardware tampering of the type that has already defeated the iPhone's secure enclave (among other weaknesses). [Stratechery; Wired]

3. The SEC is fining Altaba--formerly Yahoo--$35M for waiting two years to reveal a massive data breach, and for adding language to its securities disclosures after being breached (but years before revealing it) noting how hypothetically terrible it would be if their data had been breached, not that it had, but that they had some nice data here and it would be a shame if something were to happen to it, when the described hypothetical breach had actually already happened. [Law360]

4. Congress received a classified report this week outlining US policy for deterring and responding to cyber attacks. Two American University researchers who studied the use of offensive cyber weapons in a war-game scenario involving 800 Mechanical Turk participants found that cyber operations have a de-escalating effect, and that states are unlikely to use cyber weapons to enact "doomsday scenarios". If true, great, and the Korean peace deal reported this week is a similarly positive sign that the accumulation of cyber weapons can actually put countries in more accommodating frames of mind, but the problem with using crowdsourcing to approximate the actions of heads of state and military leaders is that the incentives, experiences, and knowledge of these two groups--Presidents and mTurkers--are so vastly different that extrapolating from one to the other on the basis of "we're all humans" seems inadvisable. [The Hill; Washington Post]

5. China's proposed social credit system is already being red-teamed, as internet-savvy theorists are posting ways to game the system through clickfarming, creating fake networks of friends, and automating fake financial activity that can increase scores. [New Republic] 

6. The newly identified hacking group Orangeworm is specifically targeting medical hardware, healthcare organizations, and pharmaceutical companies, including leaving malware on MRIs and x-ray machines. [The Hill]

7. A DNS server was hijacked to redirect visitors to MyEtherWallet to a fake version of the page that acted as a phishing hole, leading to the theft of approximately $152,000 in Ether. [CyberScoop]

8. The Department of Defense's new CIO, Dana Deasy, has three priorities: cloud security, Cybercom as a unified combatant command by October, and increasing the cyber workforce. [CSO Online]

9. Ransomware attackers only want money, and don't want to deal with fencing stolen data, even when sensitive data is available to them while they're encrypting your files. [Trustwave]

10. Attention physical systems hackers: a high-decibel whistle from a fire-prevention system caused vibrations that sent Nasdaq’s servers offline at a Swedish data center. This shut down trading in stock markets in Sweden, Denmark, Finland, Latvia, Estonia, and Lithuania. Would the CFTC consider this a market manipulation? Nasdaq's CEO also said this week that they would consider adding cryptocurrencies to their exchange offerings as volatility decreases. [Quartz; CNBC]

Thanks for reading,

Allison
Stanford Cyber Initiative

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)