
Friday Cyber News, March 30 2018

Cyber technology-related news and links from around the web, for the week of 3/24 - 3/30:

1. Here's all the data Google and Facebook have on you, how to find it, where to download it, and what you can do to stop the collection of some of it. (Deleting Facebook is a partial personal solution, but doesn't fix the whole problem. In an article exploring ways to fix Facebook, Nathan Heller suggests "What if Facebook convened a cabinet of unfriendly social economists, media scholars, data historians, whatever—people who think systemically in other frames—and let them kick tires and raise a fuss?" I think that's a great idea, and I volunteer). [Guardian; NY Times; New Yorker]

2. A DOJ OIG report released this week finds that insufficient communication within the FBI led to its failure to contact the operational technology division to determine whether the FBI, or one of its usual vendors, had the technical capability to unlock the San Bernardino shooter's iPhone, before going to court to obtain Apple's assistance. In response, the FBI has formed another unit, the Operational Technology Division, specifically to address encryption issues. Hopefully they're all in the same WhatsApp group. [Federal Times; Cyberscoop]

3. Cyber Command's newly released "command vision" document notes that malicious cyber activity that falls below the threshold of war, or of justifying a kinetic response, is popular for exactly that reason; there is nowhere to retreat in cyberspace; alignment of protections between industry and the public sector will create a stronger overall defense; and cyber operations contribute to US diplomatic power, bolstering the effect and reach of sanctions. [Lawfare]

4. Security analytics company Vectra finds that 60% of cryptocurrency mining identified by their software occurs on higher education-affiliated networks (obviously this isn't 60% of overall cryptocurrency mining, but more like 60% of the cryptocurrency mining that's happening where it's not supposed to). Vectra also found that the volume of attacker behavior on higher education-affiliated networks is 25% higher than in the engineering industry (which had the second highest volume); behavior linked to command-and-control botnet networks was also five times higher on education networks than the industry average. [Dark Reading]

5. BIMI is a new email standard that wants to link DMARC public records with a database of logos and a logo verification authority, so that email recipients can visually verify that an email really does come from, e.g., Bank of America by a logo displayed to the left of the subject line in the inbox, before the email is opened. That display is controlled by the mail service provider (Gmail, or Yahoo Mail), not by the email sender, meaning spammers wouldn't be able to add the logo to the email itself to confuse the system. [Cyberscoop]
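As an added illustration of the mechanism item 5 describes (not code from the original digest or from any BIMI implementation), here is a simplified model of what a receiving mail provider does before showing a logo: it checks that the message passed DMARC, then resolves the sender domain's DMARC and BIMI DNS records itself. The DNS answers, the `_dmarc.`/`default._bimi.` name layout and the "enforcing policy" rule are constructed, simplified assumptions for the example.

```python
"""Model of a provider-side BIMI logo decision (added example, simplified).
The logo shown next to the subject line comes only from the sender domain's
own DNS records, never from anything the message itself carries."""
from typing import Dict, Optional

# Constructed sample TXT records keyed by DNS name (stand-in for a resolver).
SAMPLE_DNS: Dict[str, str] = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "default._bimi.bank.example": "v=BIMI1; l=https://bank.example/logo.svg; a=https://bank.example/vmc.pem",
    "_dmarc.weak.example": "v=DMARC1; p=none",                 # monitoring only
    "default._bimi.weak.example": "v=BIMI1; l=https://weak.example/logo.svg;",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=50",  # policy not fully applied
    "default._bimi.partial.example": "v=BIMI1; l=https://partial.example/logo.svg;",
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' style TXT record into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_allows_bimi(dmarc: Dict[str, str]) -> bool:
    """Assumed prerequisite: an enforcing DMARC policy (reject or quarantine) applied to 100% of mail."""
    if dmarc.get("v") != "DMARC1":
        return False
    policy = dmarc.get("p", "").lower()
    pct = int(dmarc.get("pct", "100"))
    return policy in ("reject", "quarantine") and pct == 100


def logo_for(sender_domain: str, dmarc_passed: bool,
             dns: Dict[str, str] = SAMPLE_DNS, selector: str = "default") -> Optional[str]:
    """Return the logo URL the provider may display, or None if any check fails."""
    if not dmarc_passed:            # the message itself must have authenticated
        return None
    dmarc_txt = dns.get(f"_dmarc.{sender_domain}")
    if not dmarc_txt or not dmarc_allows_bimi(parse_tags(dmarc_txt)):
        return None
    bimi = parse_tags(dns.get(f"{selector}._bimi.{sender_domain}", ""))
    logo = bimi.get("l", "")
    # Accept only an https logo location published by the domain owner in DNS.
    if bimi.get("v") != "BIMI1" or not logo.startswith("https://"):
        return None
    return logo
```

A spoofed message claiming to be from `bank.example` fails the first check and gets no logo, even if it embeds one; a domain with a `p=none` DMARC policy gets none either.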

6. The Global Commission on the Stability of Cyberspace is pursuing a definition of a cyber non-aggression pact that nations could sign on to, and a delineation of what should not be attacked in a cyber operation, or what parts of the internet infrastructure should be designated off-limits for combatants. [The Register]

7. China plans to use facial recognition technology and crosswalk cameras to automatically identify, billboard-shame, and fine (via mobile device notification) jaywalkers. [NY Post]

8. After a few of its machines were infected with malware, Boeing brought almost all of its VPs together to quarantine and remediate the machines, and avoid a Maersk-like situation. [Sophos]

9. If you run, you might not be hidden: 150 million UnderArmour MyFitnessPal accounts were breached. And if you run Drupal, update it; the most recent update fixes a security flaw that allowed sites to be exploited just by accessing a URL. [Under Armour; Bleeping Computer]

10. "We connect people. That can be good if they make it positive. Maybe someone finds love. Maybe it even saves the life of someone on the brink of suicide. So we connect more people. That can be bad if they make it negative. Maybe it costs a life by exposing someone to bullies. Maybe someone dies in a terrorist attack coordinated on our tools. And still we connect people. The ugly truth is that we believe in connecting people so deeply that anything that allows us to connect more people more often is *de facto* good." A leaked internal memo by Facebook VP Andrew Bosworth has been roundly criticized for promoting an insular and tone-deaf view of corporate responsibility, and is probably underscoring the basic techie advice of "stop writing 'controversial' internal memos", but can it also spur a discussion over what qualifies as good corporate communication, whether internal or external, and how to write an effective persuasive memo that doesn't read like first-draft Cormac McCarthy dialogue? ("We want to make a point. So we write a memo. It could be good. Maybe someone reads it. Maybe it changes their mind. That could be bad. They could take away the wrong message. Maybe it makes them less sympathetic to people negatively affected by their tool. And still we write the memo.") [Buzzfeed News]

Thanks for reading,

Stanford Cyber Initiative

(To suggest an item for this list, please email You can view news from past weeks, subscribe, and unsubscribe at