
Friday Cyber News, September 15 2017

Cyber technology-related news and links from around the web, for the week of 9/9 - 9/15:

1. DHS has ordered US government agencies to begin to discontinue the use of any Kaspersky products they are using within 90 days. While not claiming to have found "smoking gun" evidence of Kaspersky products sending data back to the Russian government, White House cybersecurity coordinator Rob Joyce characterized the possibility as a risk the US government was unwilling to take. Interestingly, when actual evidence was found that Lenovo was shipping machines with adware that automatically installed and attempted to hide itself from the user, intelligence agencies and the State Department prevented the use of Lenovo machines on their networks, but the ban was not government-wide. This escalation in response may be pointing the way to stricter rules for where the government's IT products and devices can be made. Best Buy and Office Depot have also voluntarily stopped selling Kaspersky products; Office Depot is offering to replace Kaspersky products with McAfee and guarantee virus-free machines for one year. [Reuters; Baltimore Post-Examiner; Washington Post]

2. 75,000 Turkish citizens detained or fired from their jobs for downloading an encrypted messaging app had their human rights violated, according to a recent legal report. [Guardian]

3. The Treasury Department announced sanctions this week against seven Iranian nationals and an Iranian computer security company for performing coordinated DDoS attacks against US financial institutions between 2011 and 2013. [The Hill]

4. DHS official Christopher Krebs (no relation to infosec journalist Brian Krebs, as far as I can tell) noted that very few US businesses affected by WannaCry and NotPetya provided reports to the government about service disruptions related to the malware. This finding supports the talking point that companies need different and better incentives to share threat intelligence with the government. The House Homeland Security subcommittee also reprimanded DHS this week for failing to hire cybersecurity professionals quickly enough, and the first government-wide cybersecurity hiring event is planned for November in Maryland. [Cyberscoop; Federal Times; The Hill]

5. Following up on the Equifax hack of last week, higher-ups at the company have been called to testify before Congress and explain to the FTC and other organizations how they were hacked, what they are doing about it, and why their executives sold stock after they were hacked, but before the hack was publicized. The vulnerability exploited seems to be an Apache Struts flaw for which a patch was released in March--a patch that Equifax never installed. A group claiming to be the hackers has requested 600 BTC in return for not releasing the hacked data today. Meanwhile, the DoNotPay lawyerbot (a Stanford undergrad production!) is helping individual Equifax victims sue the company in small claims court for up to $25,000. [NY Times; Cyberscoop; Mashable; BBC]

6. Controlling and removing hate speech online has proven problematic for Facebook and Twitter; Reddit has found that its strategy of removing the areas where hate speech congregates--subreddits devoted to racist and discriminatory themes--results in less hate speech on the platform overall, less hate speech by users who frequented the banned subreddits, and does not result in increased hate speech in other subreddits where users of the banned subreddits migrate. Many users responsible for hate speech leave the platform entirely. [TechCrunch]

7. A Spanish data protection authority fined Facebook 1.2M euros for three incidents in which it collected information on Spanish Facebook users without informing them what the information would be used for. Though Facebook can appeal, the fine still represents a small amount for the company; new EU data protection rules (GDPR) will allow fines that are based on a percentage of the company's revenue, rather than a predetermined amount. Speaking of GDPR, 37% of global organizations are unsure whether they need to comply with the new rules, and almost a quarter of those polled misinterpreted the regulations, thinking they do not need to comply when they do, in fact, collect information on EU citizens. Tech companies are also facing increased taxes in Europe, as the EU bristles against being seen as a tax haven for Google, Facebook, and the like. [NextWeb; Watchguard; WSJ; Bloomberg]

8. One of China's largest bitcoin exchanges, BTC China, plans to cease trading at the end of the month, as China's crackdown on ICOs is now being interpreted as extending to trading any cryptocurrency on domestic exchanges. Optimists predict that exchanges will resume trading again later this year, as they will be able to apply for a limited number of licenses to operate. Meanwhile, FireEye found that North Korea is responsible for recent cyberattacks against South Korean cryptocurrency exchanges, indicating that North Korea is attempting to avoid the effects of sanctions by amassing bitcoin. Jamie Dimon predicts a Bitcoin crash but doesn't mention whether his prediction abilities have improved since 2012, when he presided over $6.2B in losses at JP Morgan from an incorrect derivatives position. [Bloomberg x2; Business Insider]

9. Tom Bossert, assistant to the President for Homeland Security and Counterterrorism, spoke out against the use of offensive cyber maneuvers this week, saying that such actions were unlikely to deter the US's cyber adversaries. [Cyberscoop]

10. As Facebook continues to push back against releasing the political ads purchased by Russian groups during the 2016 election, related evidence shows that Russian propagandists used Facebook events to organize anti-immigrant rallies in the US. [Daily Beast]

Thanks for reading,

Stanford Cyber Initiative

(To suggest an item for this list, please email You can view news from past weeks, subscribe, and unsubscribe at