Skip to content Skip to navigation

Friday Cyber News, March 16 2018

Cyber technology-related news and links from around the web, for the week of 3/10 - 3/16:

1. The US has announced new sanctions against 19 Russian individuals and 5 entities, in response to online election interference, NotPetya, and cyber operations targeting US critical infrastructure. In the UK, 23 Russian diplomats have been expelled in response to the use of a chemical weapon to poison a former Russian spy and his daughter in Salisbury; the Russian embassy responded to unnamed sources' proposal of a cyber attack as a further response by calling the potential use of cyber weapons "reckless". Alongside economic sanctions and offensive cyber attacks, the US has many options in its policy toolkit for addressing bad actors online; using the example of Kaspersky Labs and NotPetya, Cyber Initiative fellow Andrew Grotto explains some of those options. [The Hill; BBC; Russian Embassy; Lawfare]

2. In August, a Saudi Arabian chemical company was targeted by a cyber attack that attempted to physically damage machinery and cause an explosion. Errors in the code prevented this from happening, but the discovery of a series of earlier attacks against similar targets show the hackers learning from their mistakes and experimenting with different methods of entry. Formal attribution has not been made, but the profiles of the targets chosen point to Iran as the culprit. [NY Times]

3. On the occasion of the internet's 29th birthday, Tim Berners-Lee calls for a legal or regulatory framework to combat the centralization of internet platforms and the accompanying concentration of decision-making power over the experience of using the web. [VentureBeat]

4. An Israeli cybersecurity company, CTS Labs, released a paper this week describing 13 vulnerabilities in AMD chips; AMD is still investigating the vulnerabilities, because CTS Labs published with less than 24 hours' notice to AMD, and may have financial interests in AMD or its partners. [Cyberscoop]

5. Facebook removed pages touting "success stories" about the use of Facebook to influence elections, such as Rick Scott's campaign for Florida governor, as scrutiny of the negative aspects of election influence on Facebook continues. YouTube is also under increased scrutiny this week, as informal studies of its recommendation algorithm show a bias toward inflammatory and conspiratorial content, independent of the initial videos watched to seed the recommendation process. Elsewhere, Reddit's transparency about the process by which it bans subreddits (people sitting around a table making individual decisions; starting with racist- and bestiality-themed subreddits and expanding from there) demonstrates a model for testing and iterating on a definition of a civil internet that still respects free speech; the relative inscrutability of Facebook's newsfeed changes and YouTube's delisting and de-monetizing makes their decisions harder to understand, and their processes harder to support. [Intercept; NY Times; New Yorker] 

6.​ Circuit courts of appeals differ over whether the threat of future identity theft or financial fraud is sufficient damage to establish standing in data breach litigation. In the absence of a Supreme Court ruling, the split is likely to make the determination of data breach costs more difficult, as class-action plaintiffs will seek jurisdictions where they are able to use the threat of future financial harm to establish standing. [JD Supra]

7. At a G20 meeting next week, Japan plans to call for international regulatory efforts to combat the use of cryptocurrencies for money laundering. [Coindesk]

8. The UK's Information Commissioner's Office has decided that WhatsApp cannot share user data with parent company Facebook until GDPR regulations are enacted May 25th, and that the necessary protections for the privacy of this data would require processing that would contradict disclosures made by WhatsApp about why the data was initially collected. Another effect of GDPR will be a tightening of ICANN's privacy protections for data about who owns and operates websites, which law enforcement worry will limit their ability to use this data to track cyber criminals. [Guardian; WSJ]

9. The Industrial Internet Consortium has released a guidance document summarizing and combining NIST, IEC, and other security frameworks for industrial IoT devices (sensors, actuators, pumps, and other industrial control system components; connected medical devices; vehicle control systems; and communications gateways). [Securityweek]

10. An Equifax executive was charged with insider trading after realizing the breach-response project he was working on for a "client" was actually for his own firm. He then googled the effects of Experian's 2015 breach on its stock price, and sold his shares, further violating the civil "don't google your crimes before committing them" statute. [The Hill]

Thanks for reading,

Allison
Stanford Cyber Initiative

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)