Skip to content Skip to navigation

Friday Cyber News, October 5 2018

Cyber technology-related news and links from around the web, for the week of 9/29 - 10/5:

1. Huge if true: Bloomberg reports that manufacturing contractors in China have covertly inserted microchips into hardware used at Apple, Amazon, a large bank, and several other US companies, for the purpose of providing access to data center servers. The scope of this type of supply chain hack calls into question the security of servers used at multiple governmental agencies and corporations. The article relies on detailed accounts from anonymous sources; Supermicro, Apple and Amazon have denied the claims in the report, with similarly detailed and forceful language, leaving the security community insanely curious about the veracity of the story. [Bloomberg; Yahoo Finance; Macrumors]

2. Seven GRU officers have been indicted on charges of hacking into US and international anti-doping agencies, sports testing laboratories, Westinghouse Electric Corporation, the Organization for the Prohibition of Chemical Weapons, and a lab testing the Novichok agent used in the Skripal poisonings. Should it become necessary to, e.g., protect the OPCW, the US is willing to use its cyber warfare capabilities on behalf of NATO. [NPR; CNBC]

3. Problems with voting machine security--the result of proprietary software, fragmented state-by-state deployment of a variety of machines, and insufficient funding for fixes--means that we're heading into the midterm elections with known vulnerabilities in place, and no clear plan to address potential digital interference in the election. [NY Times] 

4. Facebook skeptics with weekly newsletters shouldn't publish too early on Fridays, because the company will wait until then to announce a credential token breach affecting 50 million users, with 40 million more potentially affected and logged out as a precaution. The timing of the notification was linked to GDPR's 72-hour requirement, though that deadline is of course too early for a thorough investigation. [FB Newsroom; The Hill; Wired]

5. FireEye has identified a new North Korean hacking group, APT38, which is linked to the Bangladeshi central bank hack of 2016 and is focusing its efforts on financial institutions. [Cyberscoop]

6.​ Speaking of which, large US banks have seen increased numbers of attempted cyber attacks in the past few weeks, information about which was shared through FS-ISAC. Finance is already an industry that devotes an average of 12% of its IT budget to security, but more spending is not the answer: a Deloitte survey of financial services CISOs found no correlation between spending on cybersecurity and risk posture. A complementary McKinsey study--you know how consultants love to work together--shows that the strategy of increasing security budgets fails by treating the problem as one of compliance, with a checklist of security measures that often lag in implementation, rather than one of risk management that includes third parties like vendors. [WSJ; Dark Reading; McKinsey] 

7. In August, law enforcement had the opportunity to compel a suspect to unlock a phone with his face, thanks to Apple's Face ID, and the well-known distinction between the provision of biometric factors, like fingerprints, and passcodes. (If this is part of your threat model, use an alphanumeric password, not a Guy Fawkes mask.) [Forbes]

8. According to legal documents filed by a Republican fundraiser, Qatar has been conducting cyber espionage against 1,200 Americans since 2014. [Al Arabiya] 

9. Travelers to New Zealand who refuse to turn over passwords and encryption keys when requested will face a $5,000 fine under new customs rules. (Meanwhile, we all know the password down there is Mellon). [Washington Post]

10. Look, I'm surprised it's taken this long to get an op-ed analyzing social media propaganda through the lens of Clausewitz (we've already seen hot takes on cyber propaganda through the lenses of Sun Tzu and Thucydides, and like Clausewitz and his military career, most meme creators start at 12). [Foreign Affairs; Infosecurity Magazine; Strategy Bridge]

Thanks for reading,

Allison
Stanford Cyber Initiative
fsi.stanford.edu/cyber

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)