
Friday Cyber News, February 1 2019

Cyber technology-related news and links from around the web, for the week of 1/26 - 2/1:

1. On Wednesday, if you work at Facebook, you may have had trouble communicating with your coworkers on internal apps or your company-provided phone: Apple revoked Facebook's Enterprise Developer Credentials, which allow it to build and run employee-only apps and bypass the App Store approval process, after the discovery on Tuesday that a Facebook-authored app was paying teens to provide all of their iPhone activity, with insufficient user education and consent (Google ran a similar program and app, though those between the ages of 13 and 18 could only enroll as part of a family group). Meanwhile, Facebook has blocked third-party tools that explained to users why certain ads were shown to them and how that targeting was categorized. Mark Zuckerberg took to the Wall Street Journal op-ed page to present "the facts about Facebook" (setting aside that Facebook itself has found that readers are convinced more by emotion than by facts, and that many of the 'facts'--such as the idea that users want Facebook to show them targeted ads and prefer 'relevant' ads--are belied by other data on users' discomfort with tracking and general ambivalence toward ads as a whole). Facebook also announced some high-profile privacy and security hires on Tuesday, including Facebook critics from the EFF and the Open Technology Institute. (Yours truly, a frequent Facebook critic in this newsletter, is open to discussions.) [Guardian; Techcrunch; ProPublica; WSJ; EFF; Cyberscoop]

2. Collection #1, the 773 million-record dump of usernames and passwords, is no longer the sole entry in the series: it has now been joined by Collections #2-5, encompassing 25 billion unique hacked records available for download. [Wired]

3. Economists at Stanford and NYU found that users paid $100 to turn off their Facebook accounts for four weeks were willing to accept a smaller payment to take another four-week break, and experienced other beneficial effects, including "spending less time online overall and more time engaged in a broad range of offline activities, including being with friends and family; reporting small but significant improvements in their levels of happiness, life satisfaction, depression, and anxiety, becoming significantly less politically polarized, and using Facebook 23 percent less" after the four-week hiatus was over. Users were also less informed about the news and current events, and did not substitute their previous Facebook time with time on another social media app. [Stanford SIEPR]

4. Deploying a pen-testing operation against an entire country is an ambitious project for Japan's National Institute of Information and Communications Technology, which is planning, starting in mid-February, to test default credentials and password dictionaries against 200 million devices. The owners of those devices found to be vulnerable will be contacted and advised on how to improve their security. [Technology Review]

5. Although last week it seemed that Yahoo's data breach settlement would be a new record, a judge has blocked the payout, citing several concerns: that the settlement released Yahoo from having to make further payouts related to breaches prior to 2013; that the total size of the settlement fund was not disclosed; that the settlement was too large and that public declarations of affected users greatly outnumbered the number claimed under seal; and that Yahoo had made only vague statements about its remedial efforts. [BBC]

6. Your weekly health data security update: The Healthcare and Public Health Sector Coordinating Council Joint Cybersecurity Working Group (guys, guys, what about just the Coordinating Council for Cybersecurity Protection? The CCCP? Oh, wait...) released a medical device and health IT joint security plan that includes a "product lifecycle reference guide to developing, deploying and supporting cyber secure technology solutions in the healthcare environment." IARPA is developing machine-learning algorithms to identify common patterns in the sequences of known toxins and pathogens that are present in novel DNA synthesis requests received by companies that provide the service (a group at LLNL was working on a similar project back in 2007, but at the time the availability of synthesis on-demand was restricted by price and market supply). So-called "shadow health records" skirt existing data privacy laws when they include data collected not by healthcare providers but by, for example, your phone or consumer genetic-testing services. [Health Sector Council; Nature; Science]

7. A bug discovered in Apple's Group FaceTime allowed malicious FaceTimers to hear audio before a call connected, and receive video feed even if the intended recipient rejected or disconnected the call. Apple has temporarily disabled the group feature in advance of a bug fix. [The Next Web]

8. Warning of the threat posed by insecure control systems running oil and natural gas pipelines, "Senators John Cornyn (R-TX) and Martin Heinrich (D-NM) today introduced the Pipeline and LNG Facility Cybersecurity Preparedness Act" to prepare, via the Secretary of Energy, a program that would improve the physical and cybersecurity of pipelines, and to "coordinate response and recovery to physical and cyber incidents impacting the energy sector". [Senate.gov]

9. An American deported from Singapore leaked confidential information from the previously-hacked Singaporean health ministry on 14,200 people living in Singapore and diagnosed with HIV. [Reuters]

10. Your weekly cyber dystopia: ex-government hackers were hired by a UAE cybersecurity firm and asked to spy on Americans. [Reuters]

Thanks for reading,

Allison
Stanford Cyber Initiative
fsi.stanford.edu/cyber

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)