Skip to content Skip to navigation

Friday Cyber News: May 17 2019

Cyber technology-related news and links from around the web, for the week of 5/11 - 5/17:

1. Huawait a minute--a new Executive Order allows the Department of Commerce to block transactions with foreign tech companies deemed to pose a threat to US national security. While the order doesn't call any companies out by name, there's one in particular that may be affected. In response, China is increasing scrutiny of foreign tech companies operating in the country, in accordance with its "multilevel protection scheme" cyber rules for data localization and oversight of equipment development. [The Hill; FT]

2. ICE has spent $1.2M on iPhone hacking services from Grayshift, and after the discovery of an iOS vulnerability tied to a WhatsApp flaw, researchers are complaining that it's too hard for iPhone users to tell whether their phone has been hacked (without jailbreaking it first). [Forbes; Vice]

3. Nearing 2020, election-related disinformation detection on social media platforms is ramping up. Mike Pompeo told Sergey Lavrov that the US would not tolerate future Russian election interference (but that 2016 stuff, that was ok?) This week Facebook banned an Israeli political consulting firm called Archimedes Group for spreading disinformation related to African elections. Facebook has introduced new livestreaming rules, mostly around banning users from streaming if they break any of the platform's rules, and the US has refused to sign on to a pledge to crack down on terrorist content online (one argument against: taking down these videos hampers citizen-journalist investigations of war crimes, which have actually been useful at uncovering and providing evidence for the prosecution of war crimes). Meanwhile, the White House has decided that social media platforms should protect freedom of speech (or, to use the formatting of their reporting form, "SOCIAL MEDIA PLATFORMS should advance FREEDOM OF SPEECH") and is soliciting users' stories of being banned for expressing political views. (We're using Typeform.com to collect information on behalf of the federal government now?) [The Hill; Cyberscoop; CNN; The Hill; The Atlantic; The Hill; Whitehouse Typeform]

4. Cisco hardware vulnerabilities discovered this week allow attackers to bypass the Trust Anchor module and allow remote code execution as root, but most disturbingly, the researchers who discovered the flaw have branded it with three scowling cat emojis and are asking us to call it "thrangrycat". Re-securing the secure enclave may require hardware changes, not just a software patch, due to how the vulnerability was reverse-engineered. Google's Project Zero is opening up their spreadsheet of zero-day exploits discovered "in the wild" to assist research on how zero-days are found (the spreadsheet uses CVE numbers, not emoji names, thank you). [Thrangrycat; Wired; Project Zero]

5. Klobuchar, Lankford, Johnson, and Peters have introduced bipartisan legislation to add DHS’s Cybersecurity and Infrastructure Agency to the Election Assistance Commission’s committee that creates cybersecurity guidelines [Senate.gov]

6. Longstanding debates over how effective election-related misinformation on social media can be in the face of an impeding election are not stopping "copycat" groups from using Russia's 2016 tactics to confuse debates and push controversial opinions related to European elections on social media. [NY Times]

7. Exclusions for acts of war, silent coverage baked into liability policies, and GDPR penalties are all affecting the cyber insurance market, according to an NAIC forum earlier this week. Mounting breach costs that can be incurred for years after a breach are also a concern, as exemplified by recent large breaches; Equifax has paid almost $1.4B in breach costs thus far. Ransomware, also a growing concern for cyber insurers, turns out to be harder to defeat than several data recovery firms promised; rather than offering bespoke solutions, an investigation shows the firms usually just paid the ransom, and then charged clients extra. [Business Insurance; Infosecurity; ProPublica]

8. You won't leave your...face...in San Francisco; the city has passed a ban on the use of facial recognition technologies by local authorities. [WSJ]

9. Journalists and human rights organizations targeted by NSO Group's spyware are petitioning Israeli courts to revoke the company's export license. [Cyberscoop]

10. Russian hackers gained access to voter information from two Florida counties during the 2016 election, according to Florida's governor, who won't say which counties those were. [The Hill]

Thanks for reading,

Allison
Stanford Cyber Initiative
fsi.stanford.edu/cyber

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)