Cyber Week in Review: May 20, 2016

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

1. More SWIFT-related heists and a possible North Korea connection? It turns out that Bangladesh’s central bank may not have been the only victim of a cyber-enabled bank heist using the SWIFT network banks use to wire money around the globe. Last week, BAE Systems reported that a Vietnamese bank suffered a similar incident, but did not specify which bank was targeted, nor identify the amount stolen. This morning, the Wall Street Journal reported that an Ecuadorian bank was hit with a similar incident. Attackers in Bangladesh and Vietnam incidents appear to have the same modus operandi: the attackers compromise the bank’s network, obtain valid SWIFT credentials, make fraudulent requests for transfers, and delete compromising evidence once the transfer completes. Surprisingly, BAE found striking similarities to the malware used in these cases to that used in the Sony Pictures Entertainment compromise, which the United States attributed to North Korea. It is not uncommon for hackers to reuse known malware to obfuscate attribution, so the fact that some of the same code was used in both cases doesn’t mean that North Korea is behind the SWIFT incidents. Nevertheless, North Korea is the most heavily sanctioned country on the planet and is desperate for hard currency to keep Kim Jong-un’s elite happy and to pay for the country’s nuclear and missile program. Given the hermit kingdom’s past experience with money laundering and counterfeiting, it’s not unreasonable that BAE would suspect that it could also be behind these SWIFT heists.

2. U.S. government takes issue with Chinese domain name rules. In a blog post this week, Deputy Assistant Secretary of State for International Communications and Information Policy Daniel Sepulveda and Assistant Secretary of Commerce for Communications and Information Lawrence E. Strickling criticized proposed revisions to China’s domain name management law, saying the new rules “would undermine some of the most fundamental aspects of the Internet—openness, reliability, and interoperability.” The measures would require the domains of websites hosted on servers located in China to be registered with a Chinese registrar, and to have a real name (and presumably a government ID to verify the name) filed with the registrar. This is contrary to earlier reports that the regulations would prevent foreign domains from being accessed within China. While the Chinese Ministry of Industry and Information Technology clarified that this is not the case, Sepulveda and Strickling expressed concern that the draft regulations are still overly vague. Following the comment period, the final version of the regulations may be revised to reflect such concerns.

3. Google appeals French fine. Google lawyers have filed an appeal with France’s highest administrative tribunal protesting a fine for failure to comply with a French data protection authority (DPA) ruling on the “right to be forgotten.” European privacy regulators have ordered search engines to comply with requests from individuals to remove content from search listings that is “inadequate, irrelevant or no longer relevant, or excessive.” The French DPA took this mandate to heart, requesting that Google remove links on all of its search properties, not only the European versions of its search engine or when pages are accessed from European IP addresses. Earlier this year, Google refused to comply, prompting the French DPA to levy a €100,000 fine. While sum is paltry compared to Google’s total revenue, the company has said it is taking a stand on principle, saying the right to be forgotten “could lead to a global race to the bottom” and extraterritorial application of French law.

4. In other Google news, the search giant launches a messaging app that provides end-to-end encryption, though not by default. Google launched Allo (the French word for "hello"), a new messaging service that provides end-to-end encryption, at its developer conference this week. Google now joins Facebook’s WhatsApp and Apple’s iMessage in providing messaging apps that draw the ire of law enforcement, who are unable to decrypt the messages sent via the tech companies’ respective offerings. Privacy activists, however, gave Allo a chilly reception because it doesn’t provide encryption by default. Users would have to turn on the feature, and that extra step generally leads to lower adoption.