
Friday Cyber News, March 22 2019

Cyber technology-related news and links from around the web, for the week of 3/16 - 3/22:

1. Health cybersecurity had several news stories this week, most notably Kaiser Health's long-form expose of the failures of electronic health records, from physician burnout to alarm fatigue and errors facilitated by opaque UI rules, like deleting all text input between {curly braces}. A database of more than six million electronic faxes, including prescription orders, medical records, and doctors' notes, was unsecured for the past year; the FDA found cybersecurity vulnerabilities in several Medtronic devices, which are not being disclosed while the company works to fix them; adversarial attacks against medical AI include rotating images to fool skin cancer detection systems, using synonyms to bypass opioid prescription risk-scoring tools, and structuring medical billing codes to avoid automated fraud detection. [KHN; Techcrunch; Reuters; Science]

2. Espionage services, such as those sold by NSO Group and DarkMatter, are leveling the digital surveillance playing field, making it easier for small countries to compete against the NSA and the Mossad in initiating cyber attacks. [NY Times]

3. Your weekly Facebook news: hundreds of millions of users' passwords were stored in plaintext internally, making them readable to FB employees. The company's disclosure of this security lapse is titled "Keeping Passwords Secure". Facebook also settled this week with civil rights groups alleging advertising discrimination on the platform, and has agreed that "Facebook will no longer allow advertisers selling housing, credit or employment opportunities to target users based on their age, gender or zip code" with an accompanying post that I assume was originally titled "protecting users against advertising discrimination" and is now, with added spin, titled "Doing More to Protect Against Discrimination in Housing, Employment and Credit Advertising." Google, meanwhile, was fined $1.7B in the EU for limiting how rival vendors' ads could be displayed. [Facebook; The Hill; WSJ]

4. Legislators in Germany's Bundesrat have introduced legislation that would criminalize the provision of infrastructure used to create dark web marketplaces, and that calls out Tor by name as an example of a service provider that would be responsible under the law. [ZDnet]

5. I come to bury cybersecurity, not to praise it: Andrew Odlyzko, a math professor at the University of Minnesota, argues, entertainingly, that cybersecurity is not very important. "Adaptations to cyberspace of techniques that worked to protect the traditional physical world have been the main means of mitigating the problems that occurred. This 'chewing gum and baling wire' approach is likely to continue to be the basic method of handling problems that arise, and to provide adequate levels of security." [UMN]

6. New Russian internet speech laws ban "fake news" and make insulting public officials illegal (with fines of up to $4,700 and 15 days in jail for the latter). [Ars Technica]

7. Competition in cyberspace among nation-states has been so strategically proscribed that "Following the shift in strategic thinking documented in the 2018 Department of Defense Cyber Strategy, the U.S. now increasingly faces a new challenge: There are too many red lines." [Lawfare]

8. Open-access data from Rapid7's internet-wide scans of HTTP and DNS responses are available to researchers. [Rapid7]

9. Led by JP Morgan, more banks are considering introducing stablecoins tied to the US dollar, to reduce settlement times and facilitate international and interbank transfers. [Bloomberg]

10. New polling of 2,500 European adults shows that a quarter of them would prefer that political decisions were made by AI rather than politicians. As an intermediate measure, Brexit decisions are currently being made by The Clash. [Quartz; Youtube]

Thanks for reading,

Stanford Cyber Initiative

(To suggest an item for this list, please email You can view news from past weeks, subscribe, and unsubscribe at