
Friday Cyber News, September 22 2017

Cyber technology-related news and links from around the web, for the week of 9/16 - 9/22:

1. The SEC revealed that its database of corporate filings was breached last year and that the intrusion was detected at the time, but that it only recently came to suspect the breach had been used for insider trading. The database stored corporate disclosures not yet available to the public, but no personal information. Failing to report the incident in a timely fashion undermines the SEC's own breach notification guidance to the companies it regulates. [Cyberscoop]

2. Large tech companies are finding it harder to avoid regulation and stay out of legislation, and are turning instead to larger lobbying forces and more negotiations with Senators and Representatives to make changes to bills rather than defeat them outright. One bill in particular, drafted to punish sites that enable sex trafficking, faces opposition from Facebook and Google over the difficulty of quickly policing users' actions across their platforms, but is still considered likely to move forward, leading Google toward diplomacy: “We’ll continue to engage members of Congress, anti-trafficking organizations and the industry to try and get to a resolution that addresses the problem without creating unintended side effects,” said Google's VP of public policy. [NY Times]

3. Canada, the Netherlands, and the UK are developing their own versions of what in the US is called the Vulnerability Equities Process, the means by which the government determines which vulnerabilities to disclose to the companies whose products are affected. The next step could be a cross-border process, particularly useful as most of the companies involved will operate in multiple countries and share this information among business units by default. [Cyberscoop]

4. Hacking back, or "active defense", may violate the US Computer Fraud and Abuse Act and comparable computer crime laws in other countries. It is nonetheless occurring at many companies in the US, Israel, and the UK, and authorizing the practice could improve it by allowing regulators to understand how it is actually carried out. [Daily Beast]

5. "What's the right framework for thinking about the underlying failings of Facebook? ... it's not so good at producing social context." Tyler Cowen argues that because Facebook obscures social context--the cues that would tell us that the guy on a corner handing out leaflets claiming that immigrants are taking our jobs isn't worth listening to--it has caused its own problem with fake news, by selling its platform to the loudest voices and making their content look as legitimate as any other post. Perhaps Facebook needs to start red-teaming its system, and allowing academic researchers access to its methods, before regulators decide its platform must be broken up. Meanwhile, Zuckerberg, back from parental leave, issued a statement in favor of democratic values and election integrity and has committed Facebook to greater political advertising transparency, including the ability for users to see all the ads that a page is showing, even if those ads are targeted to different interest groups or demographics. It might just be me, but the way the statement itself is written seems to have some political cadences; Zuckerberg has repeatedly said he's not running for office, but his editing team might have some experience there. [Bloomberg; Wired; Facebook]

6. The NSA's previous manipulation of cryptographic standards, such as the Dual EC DRBG random number generator, has led the International Organization for Standardization to be skeptical of two NSA-designed lightweight block ciphers, named Simon and Speck. Germany, Japan, and Israel questioned the security of the ciphers, and a final vote on whether to adopt them for international use is planned for February. Side note, is anyone else annoyed by the fact that the International Organization for Standardization uses the abbreviation ISO, ostensibly to avoid differences in language-specific abbreviations, but could also have adopted the English name International Standardization Organization? [Reuters]

7. Worried about credit card skimmers at the ATM or the gas pump? The newly released open-source Skimmer Scanner app scans for nearby Bluetooth devices and tells you whether you should suspect a fraudulent card reader. It looks for the signature of the Bluetooth serial modules commonly used in skimmers, so a clean scan is not proof that a reader is safe, only that no skimmer of that type is advertising itself nearby. [Cyberscoop]

8. The President of the European Commission announced new cybersecurity plans for Europe this week, including incident reporting and security requirements for digital service providers, a European cybersecurity certification framework for ICT products and services, and an intention to facilitate cross-border access to digital evidence. [Inside Privacy]

9. China is cracking down further on Bitcoin, halting yuan-based trading activity at exchanges in the country and advising mining executives not to leave the country. Speculation has arisen that China will next block peer-to-peer trading and access to internationally-based exchanges from within the mainland. [Wall Street Journal]

10. Some good news, perhaps, from Cyber Initiative researcher Matthew Gentzkow: Greater internet use is not associated with increased political polarization. [PNAS]

Thanks for reading,

Stanford Cyber Initiative

(To suggest an item for this list, please email You can view news from past weeks, subscribe, and unsubscribe at