
Friday Cyber News, March 23 2018

Cyber technology-related news and links from around the web, for the week of 3/17 - 3/23:

1. Data-mining firm Cambridge Analytica used Facebook's app API and a less-than-scrupulous researcher to pull data on 270,000 app users, who may have been aware their data was being collected through the app, and 50 million of their friends, who weren't. Cambridge Analytica lied about having the data, and likely lied about where the data had come from, which may have led Facebook into a false sense of security. Facebook was picky about terminology, calling the incident not a data breach but a "breach of trust", and Mark Zuckerberg indicated he would be willing to testify before Congress about Facebook's data protection measures, which Congress indicated they would like him to do. The FTC is also investigating whether Facebook violated a consent decree, and whether assuming that companies will use and share data collected through Facebook's APIs ethically and legally is sufficient in the absence of an actual audit of how that data is being used. Despite many repetitions of "if you're not paying for it, you're the product" and the growing knowledge that Facebook profits from selling ads based on profile data, perhaps realizing that Facebook users aren't only selling out themselves, they're selling out their friends, will lead to more pro-social policies on the platform. [Techcrunch; Guardian; CNN; CNBC; Bloomberg]

2. A self-driving Uber killed a pedestrian in Arizona, and while the video shows a very dark road and a person wheeling a bicycle who appears out of the shadows, locals have driven that road at night and taken their own videos, which show a much better-lighted thoroughfare. Besides, the car's LIDAR should perform just as well under daytime and nighttime lighting conditions, and whether the person was recognized as a person or not, braking for an unidentified shape moving across the road should be standard procedure. As someone who discusses the trolley problem and self-driving vehicles with computer science undergraduates, I hope additional safety measures are added--"move slowly and brake for things," maybe--before fully self-driving cars--without humans inside--are approved for testing on California roads in April. [Bloomberg; Reuters; Ars Technica; PDX; Wired]

3. Two op-eds this week encourage the US to take a stronger position on hacking, through the use of offensive cyber strategies--leveraging foreign ISPs to kick hackers off the internet, and remotely erasing and disabling machines used by hackers--and through strengthening protections on the electric grid. Both proposals are driven by the assessment that current measures of deterrence and sanctions against foreign hackers, and particularly Russian-linked groups, are not effective. [Foreign Affairs; CNN]

4. Kaspersky research recently exposed an active, JSOC- and SOCOM-led counterterrorism cyber-espionage operation named Slingshot that was used to target ISIS and Al-Qaeda in the Middle East and Africa. The publicized report of this operation increases tensions between the US government and Kaspersky, which are currently engaged in a lawsuit over the use of Kaspersky software to provide data to Russian intelligence. [Cyberscoop]

5. Law enforcement agencies are using Google's location tracking to create custom dragnets, in several cases asking Google for device ID information on any device running location-enabled apps within a 17-acre radius (which is .02 square miles or, for the British, the size of Windsor Castle). [WRAL]

6. The US Justice Department charged 9 Iranians for their participation in a state-backed cyber theft campaign targeting 140 universities in the US, 30 American companies, five government agencies and 176 international universities. [DOJ]

7. Puerto Rico's power utility, PREPA, was hacked over the weekend (which is probably not the worst of their worries as they continue to rebuild), and the city of Atlanta fell victim to ransomware this week. [Reuters; Ars Technica]

8. NIST released an update to its systems engineering guide with advice on protecting legacy IT systems from hackers, focusing not on penetration resistance but on limiting post-penetration damage. [Cyberscoop]

9. Facing an influx of cryptocurrency miners, the New York State Public Service Commission decided that municipal power companies can charge extra to customers who exceed demand and load density thresholds, to avoid increasing rates for residential customers who benefit from cheap hydroelectric power. Venezuela, on the other hand, has an official program to encourage citizens to set up cryptocurrency mining operations, with an eye toward propagating its petro token. [Ars Technica; Bitcoin News]

10. A group of Carnegie Mellon researchers did the math on claims that cryptocurrencies are fueling illegal drug and arms trading--while US drug transactions alone totaled $100B in 2010, drug transactions conducted in bitcoin were estimated at $31.6B globally, and sales of guns on dark web marketplaces were minuscule. [Coin Telegraph]

Thanks for reading,

Stanford Cyber Initiative

(To suggest an item for this list, please email You can view news from past weeks, subscribe, and unsubscribe at