Skip to content Skip to navigation

Friday Cyber News, May 5 2017

Cyber technology-related news and links from around the web, for the week of 4/29 - 5/5:

1. WeChat has monopolized Chinese mobile users' activities, from payments to texting to social media, giving it a leg up in natural language processing and a tremendous amount of correlated data to analyze. The dominance of WeChat has created a problem for Apple, as the app runs just as well on Android as on iOS, making it easier to switch phone hardware and maintain the same experience. The app also forms a convenient bottleneck for regulation, and the latest such restriction is the requirement of a government license for companies that publish, share, or edit news, and government training of senior staff at such companies. [Quartz; Stratechery; BBC]

2. Did US sanctions on Russia after the DNC hack have any effect on the pace or thoroughness of subsequent Russian hacking? No, and analysts argue that cyber deterrence requires a much stronger response aimed at exposing Russian corruption, a topic that can embarrass leadership. [Wired]

3. A phishing attack circulating through Gmail on Wednesday took advantage of a loophole in the OAuth authentication system to call its credential-stealer "Google Docs". It wasn't. IBM shipped malware-infected USB sticks to customers ordering storage products. Flaws in the SS7 routing protocol are still being used to bypass 2FA and drain bank accounts, as well as intercept text messages and track locations. A hacking group released ten episodes of the upcoming season of Orange is the New Black, after Netflix ignored ransom demands for the files stolen from a production company server. The impact on Netflix's business is thought to be minimal; fans of the show were either already Netflix subscribers and are unlikely to cancel, or were already downloading the show illegally anyway. [CyberScoop; Graham Cluley; Ars Technica; WeLiveSecurity]

4. The ethical responsibilities of platforms is a topic we usually discuss with reference to Facebook, but this week the hot seat was reserved for Hacker One. The host of bug bounty contests and a thriving community of bug-finders was approached by FlexiSpy, which you'll remember as the spyware company Motherboard profiled last week after its shady tactics and a database of victims' and users' information was leaked. Hacker One was initially planning to run a bug bounty for FlexiSpy, but industry outcry that the company was facilitating illegal wiretapping and abusive surveillance led Hacker One to decide not to offer their services to FlexiSpy. These ethical questions shouldn't be treated as anomalous or rare, and more platforms should discuss with their communities how to handle similar situations, even before they arise. [Hacker One]

5. The Echo Look will use machine learning to judge your fashion sense--and, presumably, to better advertise to you (not just clothes, but health and beauty products, food, etc.) As silly as the product sounds to me, a person whose criterion for dressing is "is it black or grey", it is only available by invitation, and presumably purchasers of the device know what they're getting into. I'm more concerned about surveillance we can't opt out of, or don't even know is occurring. And speaking of surveillance we don't know about, Stanford researchers and friends of the Initiative were in court this week asking for sealed surveillance records to be unsealed in cases not involving an ongoing investigation or pending charges. These records will give us insight into law enforcement surveillance, not consumer shopping surveillance, but the principle of more knowledge leading to better choices is attractive in both cases. [Amazon; Ars Technica]

6.​ Not all jobs are being automated: Facebook is adding three thousand additional content monitors to scour user-uploaded video and images for offensive content. Moderators report, unsurprisingly, that seeking out vile images is traumatizing and the necessary distinctions between art and obscenity are as difficult for the Zuckerberg Court to define as they were for the Warren Court. [Motherboard]

7. Fake IDs are a booming business for Chinese sellers who accept Bitcoin, and have to outwit not bouncers and bartenders but apps and "box scanners" that automatically check for all of the security features of legitimate IDs. This raises the question of how securely those apps and box scanners are storing the data from all of those real IDs they end up capturing over the course of a night. [Mel]

8. Last Friday, the NSA halted the collection of communications between Americans and foreigners that contain specific search terms. The decision should save them some storage space; in 2016 the NSA collected 151 million phone records, which were supposed to have been limited to calls to and from individuals suspected of terrorism, though only 42 such suspects were identified in 2016. [NY Times; The Hill]

9. The internet's hottest botnet taking over from Mirai is Bondnet, and this one has everything: it mines $1,000 worth of Bitcoin a day, can be weaponized for DDoS attacks, and it has reached more than 15,000 machines. [Guardicore]

10. Still no cyber executive order, but in its place, an executive order to create the American Technology Council to advise the government on how to use technology. The council includes the DNI, secretaries of Defense, Homeland Security, and Commerce, and the as-yet-unappointed CTO and OSTP director. Perhaps there's also space for Michael Pollan, who could offer a trademark simplification: "store data, not too much, mostly encrypted." Until then, the Preserving Government Data Act of 2017 will have to suffice; it forces government agencies to give an explanation and six months' notice before removing data from public view. [Politico; Wired]

Special note: Work with the Cyber Initiative! The Stanford Cyber Initiative is seeking candidates for a full-time one-year fixed-term research position to produce original research and writing on policy-relevant issues that arise from the study of computer security, with a particular focus on either labor and the workforce, financial systems and risk, democracy, internet governance, or the tension between individual security and state security. Learn more and apply here: 
https://stanfordcareers.stanford.edu/job-search?jobId=74870

Thanks for reading,

Allison
Stanford Cyber Initiative

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)