Skip to content Skip to navigation

Friday Cyber News, March 31 2017

Cyber technology-related news and links from around the web, for the week of 3/25 - 3/31:

1. 90% of spending on federal cyber programs goes toward offensive operations, and the responsibility of the government to protect US corporations' technology--or even to inform them of potential weaknesses--is unclear. Wikileaks' recent release of CIA vulnerabilities affecting Cisco's internet switches, among other products, led to a scramble to fix the products' security. [Reuters]

2. Compared to Japan and the UK, a greater share of US jobs are at risk of being lost to automation, in part due to the US's geographical spread; US financial jobs are more likely to be bank teller jobs in small communities, for example, which can be more easily replaced than investment banking. But automation is going to hit developing economies the hardest, with 2/3 of jobs predicted to be vulnerable to automation. [CNN; The Outline]

3. North Korea has been running several fake businesses out of Malaysia, including a cybersecurity startup, to evade sanctions and gain access to global financial networks. What were they using that access for? Those attacks on the SWIFT routing system that we heard about last year, for one. [Cyberscoop; NY Times]

4. Wall Street is using WhatsApp and Signal to skirt financial communications records laws, and to facilitate insider trading. [Bloomberg]

5. We're not going to be able to stop fake news because we can't define it, and we can't expect tech to build tools that meet everyone's expectations. But without a means of removing false and vitriolic online content, a Pew poll of academic and tech leaders reveals expectations that online discourse will become more fractious before it gets better, as tools to corral speech and enforce community norms are neither profitable nor value-neutral, and may lead to increased levels of unwelcome surveillance. [Backchannel; Pew]

6.​ Former government officials and academics agree that we need more cyber policy: clarifications around liability related to hacked devices; rules on what constitutes active defense for companies; more funding for state and local agencies; and a cyber deterrence policy. [Washington Examiner]

7. Canadian researchers are developing an operating system, called Subgraph, with built-in security features like a firewall, application sandboxing, and notifications when apps attempt to access the internet. Even a calculator app, they've found, attempted to access the internet to download currency exchange values. The OS doesn't support printing yet, though, due to concerns over authenticating external hardware. [CS Monitor]

8.  Yuval Elovici's research group is a veritable Wonka's factory of intricate, delightful, and impractical attacks. They have elevated the hack to an art form, and their latest involves sending malware to an air-gapped computer by means of the airflow from an air conditioner. They have previously achieved computer compromise through flatbed scanners (and not in the way you'd think), LEDs, and hard drive noise. The group of people for whom Elovici-level attacks is a real threat model must be vanishingly small, and may already have resigned themselves to only operating their computers in panic-room-style opaque, soundproof, heat-resistant cells, but for the rest of us, reading Elovici's papers is like watching a modernist chef prepare a dish: I didn't know you could do that to a hard drive, or when you'd want to, but it's quite creative, and it gets results. [ArXiv x2]

9. With the repeal of FCC privacy rules for ISPs heading to the president and expected to be signed, consumers are investigating VPNs; however, as Brian Krebs points out, many VPNs also store customer data, and may not be fast enough for streaming video. [Krebs]

10. This week in FBI missteps: The FBI's facial recognition database was roundly criticized at a recent House oversight committee hearing; the database contains images of more than half of all American adults (without their consent), has a misidentification rate of 15% (higher for black faces), and has attracted calls for regulation. The FBI's InfraGard threat-sharing program failed to register InfraGard.com--they have the .org domain--and that, predictably, led to stolen credentials. And the FBI's director, Jim Comey, who is still trying to make backdoors happen, had his hidden Twitter account exposed. [The Guardian; CyberScoop; CSO Online; Gizmodo]

Thanks for reading,

Allison
Stanford Cyber Initiative

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)