
Friday Cyber News, August 4 2017

Cyber technology-related news and links from around the web, for the week of 7/29 - 8/4:

1. The DIGIT Act, which creates a working group to improve interagency coordination on IoT regulation and identifies the spectrum needs of current and future IoT devices, passed the Senate this week. The Internet of Things Cybersecurity Improvement Act was also introduced, which would improve IoT security by requiring that devices accept patches and not use hard-coded passwords. The bill, which Inside Privacy is calling the "teddy bear and toaster act" and who am I to question a cute legislation nickname, would also require notice and consent when devices collect user information and redistribute or sell it. [Congress.gov; Scribd; Inside Privacy]

2. Security researcher Marcus Hutchins was detained in the US after DEF CON and charged with helping a second unnamed defendant sell the Kronos banking trojan. Hutchins gained recent fame for stopping the WannaCry attack by registering a domain the malware was using as a sandbox check. [Documentcloud]

3. Stanford economist and Cyber Initiative researcher Susan Athey is quantifying the privacy paradox, by which people express strong theoretical preferences for digital privacy, but are actually willing to relinquish private information for convenience or, in an example in Athey's paper, free pizza. [Stanford News]

4. Previous court decisions have indicated that the bar for suing over a breach is actual financial harm, but a recent DC Circuit Court of Appeals decision found that victims of the CareFirst breach can sue as a result of their increased vulnerability to fraud and identity theft resulting from the breach, without showing direct financial damages. [Cyberscoop]

5. On August 1, Bitcoin split into BTC and BCH, or Bitcoin Cash. The price of BCH is currently far below that of BTC, but interesting accounting practices that differ between exchanges have led some to arbitrage short and long positions on BTC to generate free BCH. Amidst the cryptocurrency shakeup, the WannaCry ransomware profits are being cashed out via a mixer, ShapeShift, and converted into the more-anonymous Monero. [Business Insider; Bloomberg; Gizmodo]

6. Apple has removed apps from its Chinese app store that would allow users to circumvent VPN restrictions, in what some call a step back from the company's pro-privacy stance. [NY Times]

7. HBO was hacked, and the exfiltrated 1.5T of data include Game of Thrones scripts, video, and unreleased material from other popular shows. No ransom demands were made, and investigators note the hack appears to have been coordinated across multiple points of entry. [Gothamist]

8. With physical access to the Amazon Echo, it can be turned into an always-on wiretap that covertly streams audio to a hacker's chosen device. [Wired]

9. The best of Black Hat and DEF CON. Two favorites: proof-of-concept spoofed YubiKeys and RSA tokens, and voting machine hacks. Also: a CPU fuzzer uncovers secret processor instructions and previously undiscovered bugs in x86 chips. [Wired; Motherboard; The Hill; Github]

10. Twitter suspended a popular user and lawyer for posting on Twitter about threats he received on Twitter and, crucially, an email follow-up to one of those threats. Twitter's whac-a-mole abuse prevention strategy could still use some tweaking. Not wanting to be left out, Facebook suspended the account of writer Ijeoma Oluo when she began posting screenshots on Facebook of abuse she was receiving via Facebook messages. [Techdirt; Techcrunch]

Thanks for reading,

Allison
Stanford Cyber Initiative

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)