Skip to content Skip to navigation

Friday Cyber News, October 6 2017

Cyber technology-related news and links from around the web, for the week of 9/30 - 10/6:

1. "Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer." The contractor was identified through his use of Kaspersky's antivirus software. The theft would have allowed Russian intelligence to protect its own networks against the NSA's tools, and to use the NSA's methods to infiltrate other networks. There are a couple of options here; Kaspersky could have knowingly allowed its product to be backdoored or to send information to Russian hackers, or the hackers could have breached Kaspersky's software without their knowledge. Either way, information related to this incident likely prompted the government-wide ban on Kaspersky products (which were already not in use at NSA facilities at the time this contractor was employed). This hack could also be where the Shadow Brokers got their material. [WSJ] 

2. White House cybersecurity coordinator Rob Joyce called the use of SSNs for identification "horrific", and cautioned the public against viewing massive breaches, like those of Equifax and Yahoo, as normal. Joyce also noted, separately, that allowing foreign governments to perform code reviews of software products is "problematic". HP Enterprises allowed the Russian government to review the code of ArcSight, cybersecurity software used by the Pentagon, and is now facing questions about intellectual property risks and cyber espionage. [CNBC; Reuters x2] 

3. Former DNI Clapper reveals that when DDoS attacks against US financial institutions were traced back to Iranian hackers, the US considered cyber attacks against the hackers as a response, but eventually decided against it because they were afraid the banks wouldn't be able to withstand the hackers' retaliation to those cyber attacks. Similar cyber attacks against North Korea that were carried out, partially in response to North Korean hackers' activities, were aimed at removing those hackers' access to the internet, and led to discussion over whether China, which provided internet access to some North Koreans, would object to US action against its networks. [Cyberscoop; Washington Post]

4. Christine Lagarde, managing director of the IMF, is bullish on cryptocurrencies, noting that they could be more stable and safer than physical currencies in countries with unstable institutions and weak native currencies. Finland is also finding blockchain useful for providing identification and bank account-like services to refugees and asylum seekers, who often arrive without reliable identification. [FEE; IMF; Technology Review] 

5. More on Equifax, from its ex-CEO's congressional testimony: the Apache Struts vulnerability in question wasn't patched either because one employee responsible for notifying the IT department didn't notify them (a single, human point of failure?) or because their vulnerability scanning software didn't identify it (relying on a vuln scanner to find published, patched vulnerabilities on the web framework used by the majority of your business?). Equifax was also storing sensitive personal information in plaintext (not encrypted), and was recently awarded a no-bid $7.25M contract to verify taxpayer identities by the IRS (?!). [Wired; The Hill]

6.​ New research out of Princeton finds that email tracking is pervasive, follows users across the internet even after they stop reading their email, and leaks information, including email addresses, to third parties such as marketing analytics firms. [CSO Online]

7. Both Google and Facebook promoted inaccurate news stories and groups in response to users' queries about the Las Vegas shooting. In other Facebook news, Russian-linked Facebook ads specifically targeted Michigan and Wisconsin voters. Research from Harvard's Berkman Klein center details how voters were individually profiled with more generic issue-focused post, then targeted specifically to affect voting behavior. [Atlantic; CNN; Washington Post] 

8. The Senate Homeland Security and Governmental Affairs committee approved a bill directing DHS to establish a bug bounty program, after the success of the Pentagon's "hack the Pentagon" bug bounty program. DHS will soon be using a dashboard that allows it to see what software other governmental agencies are running, and what known vulnerabilities exist in that software. The dashboard will hopefully help DHS strongly encourage that agencies apply patches quickly. [The Hill; Nextgov]

9. The SEC is charging two companies with defrauding investors through ICOs that promised business models and personnel structures that didn't exist. [The Hill]

10. A recent case in the US District Court for the Northern District of California, hiQ Labs vs. LinkedIn, outlines criteria concerning whether scraping data from a website violates the CFAA, including whether the scraped data is copyrightable, and whether a password is required to log in to the site being scraped to access the data. [Galkin Law]

Thanks for reading,

Allison
Stanford Cyber Initiative

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)