Headlines 

‘Exodus’ Spyware Posed as a Legit iOS App

Private companies around the world have evolved a gray industry supplying digital surveillance and hacking tools to governments and local law enforcement. As the once little-known practice has grown, so too has the resulting malware. Researchers have now found that one of these spyware products, which had previously been found on the Google Play Store, also targeted iOS. At the Kaspersky Security Analyst Summit in Singapore this week, researchers from the mobile security firm Lookout will present findings on the iOS version of the spyware known as Exodus. The nonprofit…

Headlines 

Huawei’s Problem Isn’t Chinese Backdoors. It’s Buggy Software

A report on Thursday from a British government oversight group found that Chinese telecom-equipment maker Huawei has basic but deeply problematic flaws in its product code that create security risks. The shortcomings, many of which Huawei had previously promised to improve, stem from issues with its software development processes, according to the report. The findings come amid a concerted Trump administration effort to ban Huawei products around the world (particularly in 5G wireless networks), because of concerns that Huawei devices are controlled by the Chinese government or that Huawei would…

Headlines 

Hack Brief: FEMA Leaked the Data of 2.3 Million Disaster Survivors

After being displaced by a natural disaster, survivors have a lot of pressing concerns. They may be dealing with health impacts, displacement, loss of property, and even grieving the deaths of loved ones. Through all of this, though, one worry that is probably not in their minds is the question of whether their personal data is safe with the Federal Emergency Management Agency. Unfortunately, what should be a given is apparently another burden to add to an already painfully long list. On Friday, FEMA publicly acknowledged a Homeland Security Department…

Headlines 

Your Facebook Password Isn't Safe. Neither Is Your Android Phone

Tech news you can use, in two minutes or less. Change your Facebook password: Facebook acknowledged a bug that caused hundreds of millions of user passwords (dating back to 2012) for both Facebook and Instagram to be stored as readable text internally. This means that thousands of Facebook employees could have searched for and found them. Facebook says they weren't accessible outside of the company, and that there's no evidence employees did in fact abuse or improperly access them. We say, change it anyway. Airbnb may be beloved by…

Headlines 

Facebook Stored Millions of Passwords in Plaintext. Change Yours Now

By now, it’s difficult to summarize all of Facebook’s privacy, misuse, and security missteps in one neat description. It just got even harder: On Thursday, following a report by Krebs on Security, Facebook acknowledged a bug in its password management systems that caused hundreds of millions of user passwords for Facebook, Facebook Lite, and Instagram to be stored as plaintext in an internal platform. This means that thousands of Facebook employees could have searched for and found them. Krebs reports that the passwords stretched back to those created in 2012.…

Headlines 

An Android Vulnerability Went Unfixed for Over Five Years

With more than 2 billion users, Android has a staggering number of devices to protect. But a "high-severity" bug that went undetected for more than five years—that attackers could exploit to spy on a user and gain access to their accounts—serves as a reminder that Android's impressive open source reach also creates challenges for defending a decentralized ecosystem. Discovered by Sergey Toshin, a mobile security researcher at the threat detection firm Positive Technologies, the bug originated in Chromium, the open-source project that underlies Chrome and many other browsers. As a…

Headlines 

Here’s What It’s Like to Accidentally Expose the Data of 230M People

Steve Hardigree hadn't even gotten to the office yet and his day was already a waking nightmare. As he Googled his company's name that morning last June, Hardigree found a growing list of headlines pointing to the 10-person marketing firm he'd founded three years earlier, Exactis, as the source of a leak of the personal records of nearly everyone in the United States. A friend in an office adjacent to the one he rented as the company's headquarters in Palm Coast, Florida, had warned him that TV news reporters were…

Headlines 

Most Android Antivirus Apps Are Garbage

The world of antivirus is already fraught. You’re basically inviting all-seeing, all-knowing software onto your device, trusting that it’ll keep the bad guys out and not abuse its own access in the process. On Android, that problem is compounded by dozens of apps that aren’t just ineffective—they’re outright phony. That’s the finding of newly published research from AV-Comparatives, a European company that, as its name suggests, tests antivirus products. In a survey of 250 antivirus apps found in the Google Play Store, only 80 demonstrated basic competence at their jobs…

Headlines 

New Film Shows How Bellingcat Cracks the Web’s Toughest Cases

Aric Toler’s face is illuminated only by the glow of the video playing on his laptop. It’s dashcam footage, supposedly captured by a driver in the town of Makiivka in eastern Ukraine, showing a Russian military convoy on its way to shoot down Malaysia Airlines flight 17 on July 17, 2014. At least, that’s the theory. Toler just has to prove it. To the untrained eye, the video is awfully dull. But to Toler, who’s part of a global team of digital detectives known as Bellingcat, it’s a goldmine. He…

Odds and Ends 

Today in brighter crypto news: SEC says tokens are securities

Crypto news got a little boost last week after a dark month of crashes, stablecoins and birthdays. The SEC ruled that two ICO issuers, CarrierEQ Inc. and Paragon Coin Inc., were in fact selling securities instead of so-called utility tokens. “Both companies have agreed to return funds to harmed investors, register the tokens as securities, file periodic reports with the Commission, and pay penalties,” wrote Pamela Sawhney of the SEC. “These are the Commission’s first cases imposing civil penalties solely for ICO securities offering registration violations.” From the release: Airfox,…

Headlines 

Trump’s New Executive Order Slaps a Bandaid on Election Interference Problems

On Wednesday, President Donald Trump signed an executive order that would automatically impose sanctions against any person or group attempting to interfere in United States elections. "The proliferation of digital devices and internet-based communications has created significant vulnerabilities and magnified the scope and intensity of the threat of foreign interference [to elections]," Trump writes in the order. "I hereby declare a national emergency to deal with this threat." The order covers attacks not just on vote integrity and election infrastructure, but also disinformation campaigns, information leaking, propaganda, and other types…

Headlines 

Phone Numbers Were Never Meant as ID. Now We're All at Risk

On Thursday, T-Mobile confirmed that some of its customer data was breached in an attack the company discovered on Monday. It's a snappy disclosure timeframe, and the carrier said that no financial data or Social Security numbers were compromised in the breach. A relief, right? The problem is the customer data that was potentially exposed: name, billing zip code, email address, some hashed passwords, account number, account type, and phone number. Pay close attention to that last one. The cumulative danger of all of these data points becoming exposed—not just…

Headlines 

Security News This Week: A Devastating Report on the CIA’s Deadly Mistakes in China

There's no such thing as summer vacation in security, and researchers started off this week by disclosing a problematic flaw in Intel processors that undermines the company's so-called secure enclave offering, and potentially other capabilities like virtual machines. A different group of analysts realized that they could potentially take a power grid down by conscripting air conditioners, water heaters, and other devices into a botnet and coordinating a massive power draw. And yet another research team exposed risks in how developers manage app storage on Android. Plus, an analysis of…

Headlines 

Taking Away John Brennan’s Clearance Threatens National Security

In a move that has shocked career national security officials, President Trump stripped former CIA Director John Brennan of his security clearance this week, and announced he was considering doing so for a host of others. The move so enraged retired Navy Admiral William McRaven—the man who oversaw the killing of Osama Bin Laden—that he wrote an op-ed telling Trump to revoke his clearance too, in solidarity with Brennan. But what the general public might not realize is that cutting off Brennan and others has more than just symbolic cost.…

Odds and Ends 

Google acquires GraphicsFuzz, a service that tests Android graphics drivers

Google has acquired GraphicsFuzz, a company that builds a framework for testing the security and reliability of Android graphics drivers. The news, which was first spotted by XDA Developers, comes on the same day Google announced the release of Android 9 Pie. A Google spokesperson confirmed the news to us but declined to provide any further information. The companies also declined to provide any details about the price of the acquisition. The GraphicsFuzz team, which consists of co-founders Alastair Donaldson, Hugues Evrard and Paul Thomson, will join the Android graphics team to…
