Friday Cyber News, September 28 2018

Cyber technology-related news and links from around the web, for the week of 9/22 - 9/28:

1. Did we learn anything from Russia's information operations during the 2016 elections? The new Russian propaganda efforts look a lot like the old ones. [NY Times]

2. Facebook, no: when you give the social network a phone number for two-factor authentication, they turn it over to advertisers within a few weeks. They'll also provide that number to advertisers if it's part of an address book that a friend uploads, and even if you don't maintain a Facebook account--your "shadow profile" of information that Facebook infers about you from your friends who do use the platform is fair game for advertisers. [Gizmodo]

3. Google, ok: Criticized over the automatic sign-ins in the latest version of Chrome, the security team has made those sign-ins optional in the next version, coming up next month. An HBS study shows that we value privacy less when we have to acquire it, so opt-in is the way to go. [NY Times; HBR]

4. Cisco patched a critical vulnerability in its video surveillance software, which involved a complex method by which memory values could be inferred based on the timing of responses to--wait, no, that's a different one. This one was hardcoded credentials. Static credentials for the root account. Luckily, Cisco is patching this before California implements its IoT security bill in 2020, the only specific measure of which is to prevent hardcoded credentials. [Cyberscoop]

5. Take a second now and think about the router you have at home. Would you say it's secure and regularly updated? (Um, is it a Cisco router?) That's right: 83 percent of routers are 'inadequately updated for known security flaws, leaving connected devices open to cyber attacks that can compromise consumer privacy and lead to financial loss,' according to a report by the American Consumer Institute Center for Citizen Research. [Cyberscoop]

6. Secretary of Defense Jim Mattis, probably the former Theranos board member with the most trustworthy current position, predicts that the DoD will offer cybersecurity protection to the private sector: "[The DoD is] probably going to have to offer to banks, to public utilities, electrical generation plants and that sort of thing, the opportunity to be inside a government protected domain." [Fifth Domain]

7. This week in breaches new and old: DoorDash customers have reported that their accounts have been breached. The United Nations accidentally published passwords and internal documents after misconfiguring their Google Docs and Jira accounts. Uber finally reached a settlement over its 2016 breach, in which it will pay $148M to all 50 states and DC. [TechCrunch; The Intercept; Cyberscoop]

8. The black market for zero-day vulnerabilities is in decline, partially because law enforcement has conducted some successful arrests, and partially because bug bounty programs are more common and more remunerative than in years past. [Fifth Domain]

9. The Bitmain IPO is here! If you're interested in how the company that controls 85% of the mining ASIC market projects the growth of that market, and how it manages its $886.9M cryptocurrency holdings, both for internal accounting and to offset those ASIC COGS, here's a prospectus we can read together. [WSJ; HKexNews]

10. How do you create cybersecurity training curricula that will work for Disney? (Let's get down to business, to defeat, the vulns...) [New America]

Thanks for reading,

Allison
Stanford Cyber Initiative
fsi.stanford.edu/cyber

(To suggest an item for this list, please email aberke@stanford.edu. You can view news from past weeks, subscribe, and unsubscribe at https://tinyletter.com/CyberNewsBytes)