
Friday Cyber News, February 19 2016

Cyber technology-related news and links from around the web, for the week of 2/13 - 2/19:

1. An Apple a day keeps the FBI at bay: earlier this week a US magistrate ordered Apple to provide a software update to the FBI that would remove incorrect login repercussions on an iPhone belonging to a San Bernardino terrorism suspect. Apple issued an open letter to its customers explaining why it was refusing the order, pushing the matter back to the courts to decide whether the All Writs Act allows the FBI to compel Apple to weaken its product through unpaid software development. Meanwhile, John McAfee volunteered to decrypt the iPhone for free, without involving Apple. He says it'll take him three weeks, and he'll use social engineering, so presumably not the "extract the flash memory and power cycle after every password attempt" solution, or others proposed by armchair techies. [Apple; Business Insider]

2. And the FBI doesn't win every time: a judge in a separate case has ruled that the FBI must reveal all of the code it used to hack 1,000 computers involved in a child pornography website bust. Security researchers are waiting to see whether this includes an exploit to identify Tor users. [Vice]

3. If diplomatic measures had failed with Iran, the US had purportedly developed a cyber attack plan code-named Nitro Zeus (makes sense) to disable Iran's air defenses, power grid, and communications systems. A separate cyber plan would have targeted the Fordo enrichment site, as a follow-up to Olympic Games/Stuxnet. It's unclear whether Nitro Zeus would have worked as planned, or why this information is being released now (partially due to the release of a movie, Zero Days, that mentions the plan; partially for deterrence?) but the existence of the plan demonstrates the scope and commitment of US cyber offense development. [NY Times]

4. This Tuesday, the CA Attorney General's office joined us to unveil their 2015 CA Data Breach Report. Among the findings: 3/5 Californians had records breached this year; breaches sometimes take a year to discover and report, which limits the effectiveness of consumer protection measures. [Oag.ca.gov]

5. An LA-area hospital was hit with ransomware (at random, they suspect), and after 10 days of being locked out of patient records and health monitoring systems, they paid up. The ransom, originally set at millions, was apparently negotiated down to 40 bitcoin (~$17,000). A relatively small price to pay for restored operations, but a worrying precedent. Also, apparently going 10 days without the hospital's electronic health records system didn't compromise patient safety. [LA Times]

6. Employers are hiring outside firms to evaluate the big data they collect on employee health. Some of the outcomes will be good, like determining which interventions actually help with back pain. Others, well: "Castlight recently launched a new product that scans insurance claims to find women who have stopped filling birth-control prescriptions, as well as women who have made fertility-related searches on Castlight’s health app. That data is matched with the woman’s age, and if applicable, the ages of her children to compute the likelihood of an impending pregnancy." [Wall Street Journal]

7. The DHS issued guidelines this week on how to share cyber threat intelligence, which some fault for explicitly allowing the sharing of consumer information that could then be used for purposes beyond cybersecurity. On the other hand, threat information sharing can help companies and government agencies patch their systems faster and more effectively. [GovInfoSecurity]

8. You have a chip in your credit card for additional security; what's next? Visa is expanding VEPTS in Europe, a tokenization payment service that allows transaction information to be stored more securely, by transmitting a token based on a combination of the card number and details related to the vendor at which the card was used. The actual card number is not stored. Then, even if the token is stolen, attempts to use it at a different vendor will be thwarted. [eWeek]
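To make the merchant-binding idea concrete, here is a small constructed illustration (added here, not Visa's VEPTS code or design): a hypothetical token vault issues a one-way token per (card, vendor) pair, the merchant keeps only the token, and a token replayed at another vendor is refused. The vault key, merchant ids and test card number are all made-up sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class VaultEntry:
    pan: str          # full card number, held only inside the vault
    merchant_id: str  # the vendor this token was issued for


class TokenVault:
    """Hypothetical merchant-bound token service (constructed illustration)."""

    def __init__(self, vault_key: bytes):
        self._key = vault_key  # secret known only to the vault, never to merchants
        self._entries: Dict[str, VaultEntry] = {}

    def tokenize(self, pan: str, merchant_id: str) -> str:
        # Keyed hash of PAN and merchant: one-way, and different for each vendor,
        # so the merchant can store the token without ever holding the PAN.
        mac = hmac.new(self._key, f"{pan}|{merchant_id}".encode(), hashlib.sha256)
        token = "tok_" + mac.hexdigest()[:24]
        self._entries[token] = VaultEntry(pan, merchant_id)
        return token

    def authorize(self, token: str, merchant_id: str) -> Optional[str]:
        """Release the PAN for settlement only when the token is presented by the
        merchant it was issued to; anything else (unknown token, other vendor)
        is refused, which is what blunts a stolen token."""
        entry = self._entries.get(token)
        if entry is None or not hmac.compare_digest(entry.merchant_id, merchant_id):
            return None
        return entry.pan


def demo() -> dict:
    vault = TokenVault(vault_key=b"constructed-vault-secret")  # sample key, constructed
    pan = "4111111111111111"  # well-known test card number, not a real account
    tok_grocer = vault.tokenize(pan, merchant_id="grocer-123")
    tok_cafe = vault.tokenize(pan, merchant_id="cafe-456")
    return {
        "distinct_per_vendor": tok_grocer != tok_cafe,
        "pan_not_in_token": pan not in tok_grocer,
        "valid_at_issuing_vendor": vault.authorize(tok_grocer, "grocer-123") == pan,
        "replay_at_other_vendor": vault.authorize(tok_grocer, "cafe-456"),  # None
        "unknown_token": vault.authorize("tok_000000000000000000000000", "grocer-123"),
    }
```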

9. Unsurprisingly, 57% of classifiable dark web sites are used for crime, say researchers from King's College London. [Vice]

10. Another factor making internet security hard: TMZ doesn't need to hack into hotel camera systems to get recordings of celebrities. It pays employees to consider themselves insider threats in the making. [NYTimes]

Thanks,

Allison
Stanford Cyber Initiative

(To suggest an item for this list, subscribe, or unsubscribe, please email aberke@stanford.edu. This email contains links that may not work if HTML is not supported in your mailbox. You can also subscribe or view news from past weeks at https://tinyletter.com/CyberNewsBytes)