Kushner Used WhatsApp, a Very Bad Database Leak, and More Security News This Week

Nothing much happened this week except, oh yeah, special counsel Robert Mueller filed his report on Friday night. Though attorney general William Barr now has the report in hand, the American people will still have to wait to see how much of it he decides to make public.

In anticipation of the report, Mueller expert Garrett Graff laid out what information it could contain that would get Trump impeached.

Beyond Mueller, it was actually already a news-packed week. In fact, as the Mueller news was breaking, the Office of the Inspector General also dropped a bombshell report revealing that FEMA failed to safeguard the personal data of 2.3 million disaster survivors.

The week started with the lesson that most Android antivirus apps are garbage. Then we gave you an in-depth look into fallout from the massive Exactis [...]

The Mueller Report Is Done. Now Comes the Hard Part

Continuing a now time-honored tradition of creating explosive news late on a Friday afternoon, special counsel Robert Mueller has delivered his final report to attorney general William Barr. The Mueller probe, which began not quite two years ago, has come to its conclusion. Time for the fallout—in whatever form that takes.

There are certain basic procedural facts that govern what happens next. The report that Mueller submitted to Barr is confidential; there’s no guarantee that the public will ever lay eyes on it. After reading Mueller’s findings, Barr will submit his own report to Congress, which could contain as much or as little information as he chooses. The only disclosure he’s required to make at this point: whether the Justice Department stopped the special counsel from taking “inappropriate or unwarranted” action during the course of the investigation. Barr says that didn’t happen.

Beyond that, it’s still anybody’s guess what happens next.

[...]

FEMA Leaked Data From 2.3 Million Disaster Survivors

After being displaced by a natural disaster, survivors have a lot of pressing concerns. They may be dealing with health impacts, displacement, loss of property, and even grieving the deaths of loved ones. Through all of this, though, one worry that is probably not in their minds is the question of whether their personal data is safe with the Federal Emergency Management Agency. Unfortunately, what should be a given is apparently another burden to add to an already painfully long list.

On Friday, FEMA publicly acknowledged a Homeland Security Department Office of the Inspector General report that the emergency response agency wrongly shared personal data from 2.3 million disaster survivors with a temporary-housing-related contractor. In doing so, the agency violated the Privacy Act of 1974 and Department of Homeland Security policy, and exposed survivors to identity theft.

The Hack

Just to clarify, it’s not a hack per se. No one had to. The data, collected for the Transitional [...]

The Mueller Report Is Here, Apple’s Big Event, and More News

Tech news you can use, in two minutes or less:

The Mueller Report, Finally

After nearly two years of work, special counsel Robert Mueller has turned in his final report to the nation’s attorney general, William Barr. But what happens next is anyone’s guess. For now the report is for Barr’s eyes only; at some point he will submit his own report to Congress with as much, or as little, information as he chooses to share. So for now, we wait. Again.

What to Expect from Apple’s Upcoming Event

Just because Apple released new iPads, new iMacs, and new AirPods this week, that doesn’t mean the party’s over. The company has an event scheduled for 10 am Pacific Monday, where executives are expected to launch some new subscription services, such as the following:

  • a news app that will aggregate your subscription news services on one platform for one price;
  • a streaming service of some kind that should give us all a better understanding of Apple’s video strategy.

The Midwest to Stay Wet

Floodwaters in Nebraska have forced tens of thousands of people to evacuate, but that might [...]

Your Facebook Password Isn’t Safe. Neither Is Your Android Phone

Tech news you can use, in two minutes or less:

Change your Facebook password

Facebook acknowledged a bug that caused hundreds of millions of user passwords (dating back to 2012) for both Facebook and Instagram to be stored as readable text internally. This basically means that thousands of Facebook employees could have searched for and found them. Facebook says they weren’t accessible outside of the company, and that there’s no evidence employees did in fact abuse or improperly access them. We say, change it anyway.

Airbnb may be beloved by you, but not by local governments

Our own Paris Martineau spoke to nearly two dozen city officials, hosts, and experts about their interactions with Airbnb, and the picture they painted was bleak: Millions in uncollected taxes. Intimidating lawsuits. Misinformation campaigns. Take a peek inside the “guerrilla war” Airbnb is waging against local governments.

Have an Android phone? Hackers have been able to spy on you for years

[...]

Facebook Stored Millions of Passwords in Plaintext—Change Yours Now

At this point, it’s difficult to summarize all of Facebook’s privacy, misuse, and security missteps in one neat description. And it just got even harder. On Thursday, following a report by Krebs on Security, Facebook acknowledged a bug in its password management systems that caused hundreds of millions of user passwords for Facebook, Facebook Lite, and Instagram to be stored as plaintext in an internal platform. This means that thousands of Facebook employees could have searched for and found them. Krebs reports that the passwords stretched back to those created in 2012.

Organizations can store account passwords securely by scrambling them with a cryptographic process known as hashing before saving them to their servers. This way, even if someone compromises those passwords, they won’t be able to read them, and a computer would find it difficult—even functionally impossible—to unscramble them. As [...]

An Android Vulnerability Went Unfixed For Over Five Years

With more than 2 billion users, Android has a staggering number of devices to protect. But a “high-severity” bug that went undetected for more than five years—that attackers could exploit to spy on a user and gain access to their accounts—serves as a reminder that Android’s impressive open source reach also creates challenges for defending a decentralized ecosystem.

Discovered by Sergey Toshin, a mobile security researcher at the threat detection firm Positive Technologies, the bug originated in Chromium, the open-source project that underlies Chrome and many other browsers. As a result, an attacker could target not only mobile Chrome, but other popular mobile browsers built on Chromium. Even more specifically, Chromium powers an Android feature called WebView, which works behind [...]

Beto O’Rourke Was Part of an Infamous ’90s Hacker Group

This week ended with terror, as a shooting in New Zealand took the lives of at least 49 people at two mosques in Christchurch, New Zealand. A video of the attack, livestreamed by the shooter on Facebook, quickly spread across all major internet platforms, which demonstrated a general inability to stop it.

Separately, we took a look at how ICE leans on cozy relationships with local law enforcement to access license plate location data it wouldn’t otherwise be allowed to. We explained why it’s so hard to restart a power grid from scratch under the best of circumstances, much less in the chaos of current-day Venezuela. And we showed how a team of patient hackers took Mexican banks for around $20 million in a series of cyber heists last year.

Remember when Facebook went down for a full day this week? That was crazy! It also wasn’t hackers, as usual, so please set that conspiracy theory [...]

Most Android Antivirus Apps Are Garbage

The world of antivirus is already fraught. You’re basically inviting all-seeing, all-knowing software onto your device, trusting that it’ll keep the bad guys out and not abuse its own access in the process. On Android, that problem is compounded by dozens of apps that aren’t just ineffective—they’re outright phony.

That’s the finding of newly published research from AV-Comparatives, a European company that, as its name suggests, tests antivirus products. In a survey of 250 antivirus apps found in the Google Play Store, only 80 demonstrated basic competence at their jobs by detecting 30 percent or more of the 2,000 malicious apps AV-Comparatives threw at them. The remainder either failed to meet that benchmark, frequently mistook benign apps for malware, or have been pulled from the Play Store altogether. In other words, they stunk.

“In the past we and others found malicious apps, non-working apps, so it is not really a surprise to find some bogus AV apps as [...]

When Facebook Goes Down, Don’t Blame Hackers

It happened again. Facebook went down in pockets around the world for several hours Wednesday, as did Facebook-owned Instagram and WhatsApp. The outage inspired the usual existential jokes—and rush to news sites to fill the void—but it also gave rise to conspiracy theories that hackers were the cause. As is almost always the case, those theories are wrong.

Facebook confirmed as much in a tweet, saying that while it was still investigating the root cause of its woes, it had ruled out a distributed denial of service attack. On the surface, DDoS makes for a reasonable enough suspect; as a class of attack, its whole purpose is to bring sites down. But assumptions that hackers would hobble not just Facebook but also Instagram and WhatsApp with a DDoS attack rely on a shaky grasp of what that would entail and how prepared companies are to stop them.

For its part, Facebook has provided vague guidance as to what actually did happen. “We are currently experiencing issues that [...]