U.S. prosecutors probing Facebook's data deals: New York Times

(Reuters) – U.S. federal prosecutors are conducting a criminal investigation into data deals Facebook Inc struck with some of the world’s largest technology companies, the New York Times reported on Wednesday.

A grand jury in New York has subpoenaed records from at least two prominent makers of smartphones and other devices, the newspaper reported, citing people familiar with the requests and without naming the companies.

Both companies are among the more than 150, including Amazon.com Inc, Apple Inc and Microsoft Corp, that have entered into partnerships with Facebook for access to the personal information of hundreds of millions of its users, according to the report.

Facebook is facing a slew of lawsuits and regulatory inquiries over its privacy practices, including ongoing investigations by the U.S. Federal Trade Commission, the Securities and Exchange Commission and two state agencies in New York.

In addition to looking at the data deals, the probes focus on disclosures that the company shared the user data of 87 million people with Cambridge Analytica, a British consulting firm that worked with U.S. President Donald Trump’s campaign.

Facebook said it was cooperating with investigators in multiple federal probes, without addressing the grand jury inquiry specifically.

“We’ve provided public testimony, answered questions, and pledged that we will continue to do so,” Facebook said in a statement.

Facebook has defended the data-sharing deals, first reported in December, saying none of the partnerships gave companies access to information without people’s permission.

A spokesman for the United States attorney’s office for the Eastern District of New York, which The New York Times reported is overseeing the inquiry, said he could not confirm or deny the probe.

Reporting by Ismail Shakil in Bengaluru and Katie Paul in San Francisco; Editing by Richard Chang and Leslie Adler

Instagram back up after several hours; Facebook still down for some

(Reuters) – Instagram is back up after suffering a partial outage lasting several hours, the photo-sharing social network said in a tweet, but its parent Facebook Inc’s app still seemed to be down for some users across the globe.

FILE PHOTO: Silhouettes of mobile users are seen next to a screen projection of Facebook logo in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/File Photo

Users around the world had trouble accessing the widely used Instagram, WhatsApp and Facebook apps earlier on Wednesday, in one of the longest outages the company has faced in recent years.

“Anddddd… we’re back,” Instagram tweeted, along with a GIF of Oprah Winfrey screaming in excitement. Facebook did not provide an update.

Social media users in parts of the United States, Japan and some parts of Europe were affected by the outage, according to DownDetector’s live outage map.

Facebook users, including brand marketers, expressed their outrage on Twitter with the #facebookdown hashtag.

“Ya’ll, I haven’t gotten my daily dosage of dank memes and I think that’s why I’m cranky. #FacebookDown,” a user Mayra Mesina tweeted. bit.ly/2TDCYDK

The Menlo Park, California-based company, which gets a vast majority of its revenue from advertising, told Bloomberg that it was still investigating the overall impact “including the possibility of refunds for advertisers.”

A Facebook spokesman confirmed the partial outage, but did not provide an update. The social networking site has been having issues for more than 12 hours, according to its developer page.

Facebook took to Twitter to inform users that it was working to resolve the issue as soon as possible and confirmed that the matter was not related to a distributed denial of service (DDoS) attack.

In a DDoS attack, hackers use computer networks they control to send such a large number of requests for information from websites that servers that host them can no longer handle the traffic and the sites become unreachable.

Reporting by Mekhla Raina in Bengaluru; Editing by Gopakumar Warrier and Rashmi Aich

How the FAA Decides When to Ground a Jet Like Boeing’s 737 MAX 8

When an Ethiopian Airlines Boeing 737 MAX 8 jet crashed shortly after takeoff from Addis Ababa on Sunday morning, killing all 157 people aboard, observers quickly noted that the circumstances resembled those of another flight. In October, Lion Air Flight 610 crashed into the Java Sea, killing all 181 passengers and eight crew. Both flights plummeted a few minutes after takeoff, in good weather. And both were on 737 MAX 8 jets, the plane Boeing started delivering in 2017 to replace the outgoing 737 as the workhorse of the skies. Since 2017, Boeing has delivered 387 MAX 8s and 9s. It has taken orders for 4,400 more, from more than 100 customers.

As of Tuesday evening, various foreign aviation regulators and airlines had decided that after the two crashes, the plane shouldn’t be in the air. Officials in the European Union, China, Indonesia, Singapore, Australia, and the United Arab Emirates have all grounded the planes. Of the 59 operators that fly the new 737, at least 30 have parked it.

In the US, though, Boeing’s plane is free to fly. American Airlines, Southwest Airlines, and United Airlines are still putting their 737 MAX jets—74 in total—in the air. (So is Air Canada.) And the Federal Aviation Administration—the agency that oversees American airspace—says that’s just fine.

Which might seem strange, since the FAA is notoriously safety-conscious. Planes in search of an airworthiness certificate must meet stringent standards; the certification process usually takes years. And it gets results: Just one person has died in American airspace on a commercial airplane since 2009. But, it seems, the agency has not yet found reason to ground the new 737.

In a statement Tuesday, acting FAA administrator Daniel Elwell said the agency is looking at all the available data from 737 operators around the world, and that the review “thus far shows no systematic performance issues and provides no basis to order grounding aircraft.” Elwell said the FAA “would take immediate appropriate action” should such problems be identified. The FAA and the National Transportation Safety Board both have teams at the crash site outside Addis Ababa to investigate and collect data.

The agency did note in a directive published Monday that it would probably mandate flight control system enhancements that Boeing is already working on, come April. And after the Lion Air crash, the FAA made a Boeing safety warning mandatory for US airlines.

“We have full confidence in the safety of the 737 MAX,” Boeing said in its own statement Tuesday. “Based on the information currently available, we do not have any basis to issue new guidance to operators.”

A number of senators, including Ted Cruz of Texas, Elizabeth Warren of Massachusetts, and Dianne Feinstein of California, have called for the US to ground the aircraft. But it’s the FAA chief who has final say. (Elwell has been the acting administrator since January 2018, though Politico reports that the Trump Administration is close to nominating Delta Air Lines executive Steve Dickson as administrator.) He doesn’t make that decision alone, says Clint Balog, a flight test pilot and human factors expert with the College of Aeronautics at Embry-Riddle University. Any grounding goes through a “semi-formal” process, full of discussions with experts on the specific aircraft and crash situation, both in- and outside the federal government.

“The FAA looks at all of this information and decides, ‘OK, if it’s just likely that there’s a significant problem here, it doesn’t matter what the cost to the traveling public is—we have to put safety first and ground this aircraft,’” Balog says. “However, if they look and say, ‘Well, jeez, grounding this aircraft is going to be a monumental cost to the world and we simply don’t have enough information to know what the risk really is with this aircraft, do we really want to ground it at this point in time?’”

The FAA has grounded aircraft before. In 1979, the FAA grounded all McDonnell Douglas DC-10s (and forbade the aircraft from US airspace) after a crash in Chicago killed 273 people. An investigation found the problem was maintenance issues, not the aircraft design, and the FAA lifted the prohibition just over a month later.

In early 2013, the FAA grounded Boeing’s 787 Dreamliner, after two lithium-ion battery-related fires in the aircraft. “We are issuing this [directive] because we evaluated all the relevant information and determined the unsafe condition described previously is likely to exist or develop in other products of the same type design,” the FAA wrote in its emergency airworthiness directive. It didn’t let the jet take to the sky again until Boeing found and corrected its design issues. (That happened in April.)

So far, though, we have little concrete information on whatever might be going on with the 737 MAX. The investigation into the Ethiopia crash is in its earliest stages. Indonesia’s civil aviation authority has released a preliminary report on the Lion Air crash, but has not issued any findings on what caused it.

Based on its directives, the FAA hasn’t “seen any red flags that are significant enough” to ground the aircraft, Balog says. So he’d have no problem getting on a 737 MAX-8. “More importantly, I would have no problem having my family get on a 737 MAX-8 at this point.”


Elon Musk Says Tweeting Is Free Speech in His SEC Battle

Elon Musk will not go quietly. On Monday night, lawyers representing the Tesla CEO submitted a filing to a federal judge in New York arguing that she should deny the Securities and Exchange Commission’s request to hold Musk in contempt of court for—what else?—a tweet. Musk’s legal team argued the SEC overreached in its request, and claimed the agency is trying to violate his First Amendment right to free speech.

If the judge, Alison Nathan of the Southern District Court of New York, does hold Musk in contempt of court, she would decide the penalty. “If the SEC prevails, there is a good likelihood that the District Court will fine Mr. Musk and that it will put him on a short leash, with a strong warning that further violations could result in Mr. Musk being banned for some period of time as an officer or director of a public company,” Peter Haveles, a trial lawyer with the law firm Pepper Hamilton, told WIRED last month.

This latest chapter in Musk’s ongoing legal spat with the SEC dates back to the evening of February 19, 7:15 pm Eastern Time to be exact, when Musk wrote on Twitter, “Tesla made 0 cars in 2011, but will make around 500k in 2019.” About four and a half hours later—at 11:41 pm ET—Musk corrected himself, tweeting, “Meant to say annualized production rate at the end of 2019 probably around 500k, i.e. 10k cars/week. Deliveries for the year still estimated to be around 400k.”

Musk is the head of a publicly traded company, so making a mistake about his business on Twitter—which investors treat as a valid source of news like any other—is already less than ideal. But Musk and Tesla also reached a settlement with the SEC in September over another tweet containing misinformation about the electric carmaker’s operations. That was after Musk tweeted that he planned on taking Tesla private, and that he had the “funding secured.” He soon revealed he did not have that funding secured, and Tesla announced it would stay public.

In the ensuing deal with the SEC, Musk gave up his role as Tesla’s chairman for at least three years. He and Tesla each paid a $20 million fine. And Musk and Tesla agreed that the CEO’s tweets about the carmaker would be truthful, and reviewed by a team of Tesla lawyers before sending. According to the filing, Tesla’s general counsel and an assigned “disclosure counsel” are in charge of approving Musk’s Tesla tweets. The lawyers write that “the disclosure counsel and other members of Tesla’s legal department have reviewed the updated controls and procedures with Musk on multiple occasions.”

In December, Musk said on CBS’s 60 Minutes that he does not respect the SEC, and that the only tweets of his that require pre-approval are those that can affect Tesla’s stock price. Asked how Tesla could know which tweets would do that, Musk said, “Well, I guess we might make some mistakes. Who knows?” The SEC cited that interview in its motion for a contempt of court charge, writing that “Musk has not made a diligent or good faith effort to comply” with the terms of his settlement.

Now, though, Musk and the SEC are debating what that “pre-approval” actually means. Tesla’s lawyers say nobody pre-approved the tweet in question, but that it shouldn’t matter, because it had already made public the information about those production numbers: in an earnings call, in end-of-year financial results, and in an SEC filing submitted on the day Musk sent out the tweets in question. Musk did not receive pre-approval before sending that tweet because it “was simply Musk’s shorthand gloss on and entirely consistent with prior public disclosures detailing Tesla’s anticipated production volume,” according to the filing.

Moreover, the Musk team argues, the SEC’s attempt to limit Musk’s tweeting is a violation of his First Amendment rights to free speech.

The Musk legal team also argues that the CEO has really worked very hard since the SEC settlement to be careful about his tweeting behavior. It wrote that Musk’s less frequent tweeting about Tesla “is a reflection of his commitment to adhering the Order and avoiding unnecessary disputes with the SEC.” In fact, it says the correction tweet, the one sent four-and-a-half hours later, “is precisely the kind of diligence that one would expect from someone who is endeavoring to comply with the Order.”


An Email Marketing Company Left 809 Million Records Exposed Online

By this point, you’ve hopefully gotten the message that your personal data can end up exposed in all sorts of unexpected internet backwaters. But increased awareness hasn’t slowed the problem. In fact, it’s only grown bigger—and more confounding.

Last week, security researchers Bob Diachenko and Vinny Troia discovered an unprotected, publicly accessible MongoDB database containing 150 gigabytes’ worth of detailed, plaintext marketing data—including 763 million unique email addresses. The pair are going public with their findings today. The trove is not only massive but also unusual; it contains data about individual consumers as well as what appears to be “business intelligence data,” like employee and revenue figures from various companies. This diversity may stem from the information’s source. The database, owned by the “email validation” firm Verifications.io, was taken offline the same day Diachenko reported it to the company.
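An “unprotected, publicly accessible” MongoDB instance of the kind described above is almost always the product of two server settings: the listener bound to every network interface, and authorization left off. The fragment below is an added illustration, not from the article and making no claim about how Verifications.io’s server was actually configured; the IP address and certificate path are placeholders. It shows the weak `mongod.conf` settings next to their hardened counterparts (two alternative fragments, not one file):

```yaml
# Added example (hypothetical configuration, not Verifications.io's).
# Keys are standard mongod.conf options: net.port, net.bindIp, net.tls.*,
# security.authorization.

# --- WEAK: reachable from any host, no credentials required ---
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, including the public one
security:
  authorization: disabled  # any client that connects can read and write every collection

# --- HARDENED: private binding, authentication required, TLS on ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the application server's private address (placeholder IP)
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path to the server's PEM file
security:
  authorization: enabled       # every client must present credentials with an assigned role
```

Turning `authorization` on only helps once at least one account exists, so create an administrative user and a least-privilege user for the application (read-only where the application only reads) before restarting with the hardened settings. Binding to a private address is a second, independent layer: even if a credential later leaks, the database is not answering on the public internet, and a routine external port check for 27017 against the host should come back closed.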

While you’ve likely never heard of them, validators play a crucial role in the email marketing industry. They don’t send out marketing emails on their own behalf, or facilitate automated mass email campaigns. Instead, they vet a customer’s mailing list to ensure that the email addresses in it are valid and won’t bounce back. Some email marketing firms offer this mechanism in-house. But fully verifying that an email address works involves sending a message to the address and confirming that it was delivered—essentially spamming people. That means evading protections of internet service providers and platforms like Gmail. (There are less invasive ways to validate email addresses, but they have a tradeoff of false positives.) Mainstream email marketing firms often outsource this work rather than take on the risk of having their infrastructure blacklisted by spam filters, or lowering their online reputation scores.

“Companies have email lists and want to start emailing them, but they’re not sure how valid they are,” says Troia, who founded the firm Night Lion Security. “So they go to a company that will essentially send out spam.” Troia speculates, but has not confirmed, that the database may be so large and varied because it comprises all of Verifications.io’s customers’ data. WIRED was unable over the course of several days to contact the company or CEO Vlad Strelkov. On Monday, the entire Verifications.io website went offline and has not been restored since.

Record Setter

In general, the 809 million total records in the Verifications.io trove include standard information like names, email addresses, phone numbers, and physical addresses. But many also include things like gender, date of birth, personal mortgage amount, interest rate, Facebook, LinkedIn, and Instagram accounts associated with email addresses, and characterizations of people’s credit scores (like average, above average, and so on). Meanwhile, other records in the collection seem related to generating sales leads at businesses, including company names, annual revenue figures, fax numbers, company websites, and industry identifiers for categorizing companies called “SIC” and “NAIC” codes.

The data doesn’t contain Social Security numbers or credit card numbers, and the only passwords in the database are for Verifications.io’s own infrastructure. Overall, most of the data is publicly available from various sources, but when criminals can get their hands on troves of aggregated data, it makes it much easier for them to run new social engineering scams, or expand their target pool.

In the exposed database, the researchers also found some of what appear to be Verifications.io’s own internal tools like test email accounts, hundreds of SMTP (email sending) servers, the text of emails, anti-spam evasion infrastructure, keywords to avoid, and IP addresses to blacklist. Diachenko suggests that in the Verifications.io workflow, customers would upload an Excel spreadsheet listing the email addresses to validate, and then Verifications.io would run their tests and return lists of clean addresses and ones that bounced back. It’s possible, given the piecemeal nature of the data and evidence that it was imported from numerous different Excel files, that Verifications.io also retained some or all of the data it received from customers after concluding its email address checks.

The researchers validated samples of the data with companies listed as Verifications.io customers. Troia says his own information appears in the database. WIRED spoke to the proprietor of an email marketing firm who confirmed the validity of a segment of the data. WIRED also checked for four individuals, but did not find them listed. Diachenko and Troia also note that they have no way to know whether anyone discovered and downloaded the Verifications.io data while it was publicly available and fully exposed.

“I have no idea if anyone else accessed this besides us,” Troia says. “But it was definitely out there for anyone to grab.”

‘Another Day on the Internet’

Much remains unknown about the database and Verifications.io, because the company is difficult to track. When the researchers initially contacted the company through a messaging portal on its site to disclose the database exposure, someone responded with an unsigned note. “Thank you for reporting the issue. We appreciate you reaching out and informing us,” the reply said. “This is our company database built with public information, not client data. We were able to quickly secure the database. Goes to show, even with 12 years of experience you can’t let your guard down.”

Much of the data in the database is publicly available, though it’s not clear that all of it is. When the researchers asked in the portal for the name of the owner of the company and the legal name of the company, someone wrote back declining to answer.

It is also unclear where Verifications.io is based. Most of its materials list Boca Raton, Florida, but some of its web assets are registered in California and Delaware. The Verifications.io website lists addresses in Estonia, but some of those matched up with what appear to be a museum and a government building.

Security researcher Troy Hunt is adding the Verifications.io data to his service HaveIBeenPwned, which helps people check whether their data has been compromised in data exposures and breaches. He says that 35 percent of the trove’s 763 million email addresses are new to the HaveIBeenPwned database. The Verifications.io data dump is also the second-largest ever added to HaveIBeenPwned in terms of number of email addresses, after the 773 million in the repository known as Collection 1, which was added earlier this year. Hunt says some of his own information is included in the Verifications.io exposure.

“The main takeaway for me is that this is just another case where someone has my data, and hundreds of millions of other people’s data, and I’ve absolutely no idea how they got it,” Hunt says. “I’d never heard of the company until now and I certainly can’t ever recall consenting to their use of my data. Of course, it’s entirely possible that buried in some other service’s terms and conditions it says they’re allowed to pass my data around in this fashion, but that’s not really consistent with my expectations of how my data should be used.”

As with recent data exposures from the business data aggregator Apollo and the marketing firm Exactis, there’s not a lot you can do to individually protect yourself when vast repositories of data compiled from both public and private sources leak. Check HaveIBeenPwned to see if your data was in the Verifications.io exposure, and continue your general vigilance about using strong, unique passwords, monitoring your financial statements, and giving out your Social Security number as infrequently as possible. But also know that none of those measures provide a full solution to this society-scale problem.

The disjointed nature of the exposed Verifications.io data speaks to the chaotic state of the data industry overall. People’s personal information is shared by massive companies like Facebook, bought and sold by shady marketers, or stolen from data giants and doomed to circulate endlessly in the purgatory of criminal forums. The churn makes it difficult for consumers to control who has their data and where it ends up. As Hunt puts it, “Sadly, it’s just another day on the internet.”


Amazon to close U.S. pop-up stores, focus on opening more book stores

FILE PHOTO: The logo of Amazon is seen at the company logistics centre in Boves, France, August 8, 2018. REUTERS/Pascal Rossignol

(Reuters) – Amazon.com Inc will close all of its U.S. pop-up stores and focus instead on opening more book stores, a company spokesperson said on Wednesday.

The company’s shares closed down 1.4 percent, while shares of bookseller Barnes & Noble Inc ended 8.9 percent lower.

Amazon’s 87 pop-up stores in the United States are expected to close by the end of April, the Wall Street Journal reported earlier on Wednesday, citing some of the employees at the stores.

The news underscores how the online retailer is still working out its brick-and-mortar strategy.

Pop-up stores for years helped Amazon showcase novel products like its voice-controlled Echo speakers, but the company is now able to market those products and more at its larger chain of Whole Foods stores, acquired in 2017, and cashierless Amazon Go stores, which opened to the public last year.

The online retail giant will also open more “4-star stores” – stores that sell items rated 4-stars or higher by Amazon customers, the spokesperson added.

“After much review, we came to the decision to discontinue our pop-up kiosk program, and are instead expanding Amazon Books and Amazon 4-star, where we provide a more comprehensive customer experience and broader selection.”

Reporting by Uday Sampath in Bengaluru; Editing by Maju Samuel

Britain's Hunt promises 'doctrine of deterrence' against cyberattacks on democracy

LONDON (Reuters) – British foreign minister Jeremy Hunt will set out on Thursday a “doctrine of deterrence”, including economic and diplomatic counter-measures, to prevent cyberattacks that threaten to turn elections into “tainted exercises”.

Britain’s Foreign Secretary Jeremy Hunt is seen outside of Downing Street in London, Britain, March 5, 2019. REUTERS/Peter Nicholls

Britain will try to prosecute those responsible for cyber crimes, part of a growing response by the West against countries that hope to influence elections through disinformation and voter manipulation, he will say in a speech in Glasgow.

“We will always seek to discover which state or other actor was behind any malign cyber activity, overcoming any efforts to conceal their tracks,” Hunt will say, according to pre-released extracts of his speech.

Western countries issued coordinated denunciations of Russia in October for running what they described as a global hacking campaign. Russia has denied the allegations.

In the United States, a federal special counsel is investigating Russian interference in the 2016 presidential election and possible collusion with Donald Trump’s campaign. Moscow has denied any meddling and the U.S. president has said there was no collusion.

Hunt will say there has been no evidence that foreign states have interfered with British votes but that unnamed hostile states are intent on using cyberspace to undermine Western democracies.

“Events have demonstrated how our adversaries regard free elections – and the very openness of a democratic system – as key vulnerabilities to be exploited … authoritarian regimes possess ways of undermining free societies that yesterday’s dictators would have envied,” he will say.

The British response could include the public naming and shaming of any perpetrator together with allies, exposing how the action was carried out and prosecuting those responsible to show they are not above the law.

Hunt will also say that Britain, as part of the European Union, agreed last year to impose sanctions to stiffen its response to cyberattacks and to rush through new curbs on online campaigning by political parties.

“After Brexit, the UK will be able to impose cyber-related sanctions on a national basis,” he will say.

Reporting by Elizabeth Piper; Editing by Frances Kerry

Microsoft expands political security service to 12 European countries

Silhouettes of laptop users are seen next to a screen projection of Microsoft logo in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/Illustration

(Reuters) – Microsoft Corp on Wednesday said it will offer its cyber security service AccountGuard in 12 new markets in Europe, including Germany, France and Spain, to close security gaps and protect customers in the political space from hacking.

Microsoft had recently detected attacks, which occurred between September and December 2018, targeting employees of the German Council on Foreign Relations and European offices of The Aspen Institute and The German Marshall Fund, the company said in a blog post.

The attacks, which targeted 104 employee accounts in Belgium, France, Germany, Poland, Romania, and Serbia, are believed to have originated from a group called Strontium, the company added.

The AccountGuard service will also be available in Sweden, Denmark, Netherlands, Finland, Estonia, Latvia, Lithuania, Portugal and Slovakia.

Ahead of a critical European Parliament election in May, German officials are trying to bolster cyber security after a far-reaching data breach by a 20-year-old student laid bare the vulnerability of Europe’s largest economy.

Reporting by Shubham Kalia in Bengaluru, Editing by Sherry Jacob-Phillips