
Friday Cyber News, June 30 2017

Cyber technology-related news and links from around the web, for the week of 6/24 - 6/30:

1. A virus initially thought to be Petya (but that was not Petya) temporarily shut down international businesses from Merck to Mondelez to Maersk this week. Using a form of the EternalBlue exploit, the Nyetya attack resembled ransomware but actually deleted data rather than encrypting it. Of note to Merck et al., some security companies are offering warranties to companies using their products who still end up as hacking victims. In one example, SentinelOne offers $1,000,000 in compensation to any of its customers who fall prey to ransomware. [Bloomberg; Motherboard; Technology Review]

2. A bill currently wending its way through the US House of Representatives would expand the role of NIST to include auditing the cybersecurity postures of other governmental agencies. NIST is officially neutral on the bill, but some within NIST are concerned about expanding the agency's purview while reports required by the cyber executive order are being compiled. (Presumably, adding NIST scrutiny would require those compiling reports to check the suitability of their systems against additional NIST criteria.) [Nextgov]

3. The European Commission fined Google $2.73B for promoting its own shopping results over other comparison shopping services. But those results are ads, and if Google's monopoly-like control over search isn't a crime, why is it being punished for displaying ads? And why should Google pay more for potentially showing unfair shopping results than Anthem has paid ($115M) to settle its class-action data breach lawsuit after patients' personal information was lost? In another court loss for Google this week, a Canadian court ruled in a case focusing on a version of right to be forgotten that Google must remove offending search results not only in the Canadian market, but everywhere, raising questions of what rights internet users have to information. [Stratechery; CNet; Stanford CIS] 

4. Vulnerabilities developed by the NSA have fallen into foreign hands and have been used twice this year in widespread attacks against Ukraine and through WannaCrypt. The NSA itself, though, has been silent on its role in these attacks, and has no way to contain them. [NY Times] 

5. A review of online obfuscation techniques to generate fake web traffic, user profiles, and search queries. [Nautilus]

6. Facebook is hiring an additional 3,000 staffers to find and cull hate speech on the platform. Who does Facebook deem worthy of protection against hate speech, though? White men, and not black children, says a leaked internal training document. [Washington Examiner; ProPublica]

7. Hope you're reading this on your laptop: the mere presence of one's own smartphone reduces cognitive capacity. [Journal of the Association for Consumer Research]

8. Australia will be presenting a request to the Five Eyes alliance next week that member states compel "service providers to ensure reasonable assistance is provided to law enforcement and security agencies," particularly with regard to encrypted messages. The steps needed to enforce such an assurance would be comically broad (no GitHub, no foreign cell phones, deep packet inspection of all web traffic), making the proposal unlikely to be accepted. The continual circling back of government officials to a fundamentally unworkable idea, banning encryption, belies their lack of imagination. They must know it won't work; they have been told repeatedly, by messengers inside and outside their governments, that it won't work. Yet here is their only streetlight, and here they are looking for their backdoor keys. [Boingboing]

9. In what is surely not an Australian reference, WikiLeaks has published descriptions of the CIA-developed exploit "Brutal Kangaroo", which uses infected USB drives to spread malware to air-gapped computers, similar to Stuxnet's MO. Want government-approved tools you can use at home? Be sure to fork the NSA on GitHub. [WikiLeaks; NSA on GitHub]

10. The new Amazon Echo Show is made for eavesdropping; the "drop-in" feature lets pre-selected contacts remotely turn on your device's camera and microphone to see what you're up to. David Foster Wallace predicted it 21 years ago. [Buzzfeed; Infinite Jest excerpt]

Thanks for reading,

Allison
Stanford Cyber Initiative

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)