Hillicon Valley: Twitter CEO Jack Dorsey's account hacked | Google found iPhone security bug | YouTube reportedly to pay up to $200M to settle child privacy investigation | DNC expected to nix Iowa virtual caucus plans


Welcome to Hillicon Valley, The Hill's newsletter detailing all you need to know about the tech and cyber news from Capitol Hill to Silicon Valley. If you don't already, be sure to sign up for our newsletter with this LINK.

Welcome! Follow the cyber team, Maggie Miller (@magmill95), and the tech team, Harper Neidig (@hneidig) and Emily Birnbaum (@birnbaum_e).


JACK GOT HACKED: Twitter said that its CEO Jack Dorsey's account was hacked Friday afternoon as his page began posting a stream of racist and vile messages.

"We're aware that @jack was compromised and investigating what happened," an official Twitter corporate account tweeted.

The messages were all deleted within an hour of being posted.

Dorsey's account on Friday afternoon began posting racial slurs and other odd messages. He retweeted one user who wrote, "nazi germany did nothing wrong."


Dorsey has more than 4.2 million followers.

Twitter tweeted later Friday afternoon that Dorsey's account "is now secure," and that there is no indication its internal systems were breached.

Our story.


A BUG: Google researchers announced Thursday that they discovered security vulnerabilities that enabled multiple hacked websites to "exploit iPhones en masse."

Ian Beer of Google's Project Zero wrote in a blog post that the company's Threat Analysis Group (TAG) identified "a small collection of hacked websites" that were being used as "watering hole" sites to attack visitors using iPhones.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," Beer wrote. "We estimate that these sites receive thousands of visitors per week."

The implant installed in the iPhones would run in the background without users' knowledge and had access to all the files on infected phones, including messages sent on end-to-end encrypted apps such as WhatsApp, Telegram and iMessage.

Hackers were also able to copy any photos or contacts from the infected phone, access emails and track the user's GPS location.

Beer noted that while the implant could be stopped if a user rebooted their phone, if the user then visited the infected websites again, the implant would run again.

"Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device," Beer wrote.

While Beer noted that this was a "failure case" for the attackers, there are likely other malicious campaigns against iPhones that have not yet been discovered.

Google's TAG found 14 vulnerabilities, with exploit chains found for every iPhone version from iOS 10 through iOS 12. Beer noted this likely meant a malicious group had been trying to hack iPhones that visited these websites for at least two years.

Google said it reported the vulnerabilities to its rival Apple in February, with Apple subsequently releasing an "out-of-band" release of iOS 12.1.7 less than a week later to address the vulnerabilities. Apple also publicly disclosed the security vulnerabilities.

Apple did not immediately respond to a request for comment on Friday.

Read more here.


FOR THE KIDS: Google will pay up to $200 million in a settlement reached with the Federal Trade Commission (FTC) over charges that YouTube violated children's privacy laws, Politico reported on Friday.

The fine is reportedly between $150 million and $200 million, an amount that is already drawing ire from privacy advocates who believe it falls far short of making any sort of dent against such a massive company.

"Once again, this FTC appears to have let a powerful company off the hook with a nominal fine for violating users' privacy online," Sen. Ed Markey (D-Mass.) said in a statement. "And in this case, intrusions on children's personal information are at issue."

"I look forward to reviewing the requirements placed upon Google in this settlement, but I am disappointed that the Commission appears poised to once again come out with a partisan settlement that falls short of the Commission's responsibility to consumers and risks normalizing corporate bad behavior," he added.

Both Google and the FTC declined to comment.

Privacy groups have pushed the FTC to come down hard on YouTube, which is owned by Google, alleging that the site has systematically violated children's privacy over the years.

Read more here.


IT WASN'T ME!: President Trump on Friday denied that the U.S. played any role in Iran's failed attempt to launch a satellite into space, while appearing to sarcastically wish Tehran "good luck" in determining the cause.

"The United States of America was not involved in the catastrophic accident during final launch preparations for the Safir SLV Launch at Semnan Launch Site One in Iran," Trump tweeted, referring to Iran's Safir space launch vehicle. "I wish Iran best wishes and good luck in determining what happened at Site One."

The tweet came a day after NPR reported that satellite images showed an Iranian rocket had exploded on a launch pad. The incident marked Iran's third failed attempt this year to launch a rocket.

An Iranian official told Reuters the launch failed due to "technical issues."

The incident came the same week that The New York Times reported a cyberattack carried out by U.S. Cyber Command in June severely limited Iran's ability to target oil tankers in the Persian Gulf.

While Iran denied in June that the cyberattack had been successful, the country is still working to get all its servers back online and recover data that was lost, the Times reported.

The cyberattack took place the same day Trump called off a military attack on Iran amid tensions between the two nations after Tehran shot down an American surveillance drone.

Read more here.


AT&T WORKERS END STRIKE: AT&T and a union representing its workers in the southeastern United States have reached a five-year tentative agreement after a four-day strike, according to the Communications Workers of America (CWA).

The agreement includes wage increases of 13.25 percent, pension and 401(k) plan enhancements, better job security and the creation of additional customer service positions, CWA said in a statement. Employees will also have the ability to contribute to a Health Savings Account through payroll deductions.

"This agreement provides substantial improvements for working people at AT&T Southeast," said Richard Honeycutt, the vice president of CWA's District 3, which covers workers in the Southeast region.

"The strike showed AT&T that our members were united. Once the company returned to the table with negotiators with decision-making authority, we were able to resolve the outstanding issues quickly," he added.  

AT&T confirmed in a statement to The Hill that it had reached an agreement with the workers.

"We're pleased to have reached a tentative agreement with Communications Workers of America District 3 in Southeast wireline contract negotiations," AT&T spokesman Jim Kimberly told The Hill.

Read more here.


LENDING A HAND: Rep. John Katko (R-N.Y.) introduced legislation Friday designed to help state and local governments defend against cyberattacks on the heels of debilitating ransomware attacks across the country.

The State and Local Government Cybersecurity Improvement Act would direct the Department of Homeland Security's (DHS) cybersecurity agency to create a "resource guide" to assist state and local government officials in preparing for, defending against and recovering from a cyberattack. 

The legislation would also create grant programs to make funds available for officials to bolster cybersecurity of state and local government entities. 

Katko, who serves as the ranking member of the House Homeland Security Committee's cybersecurity subcommittee, said in a statement that "ransomware attacks on state and local governments continue to increase nationwide, leaving municipalities vulnerable and facing massive costs."

"Many cities have outdated information technology, limited budgets, and lack of cybersecurity training which can make it easier for hackers to infiltrate networks. With recent attacks on the City of Syracuse School District and the Onondaga County Public Library System, it's clear our community is no exception," Katko added.

The Syracuse School District and the Onondaga County Public Library System were victims of ransomware attacks last month.

Read more here. 


CAUCUS 404 ERROR: The Democratic National Committee (DNC) will reportedly recommend throwing out plans to hold virtual, telephone-based caucuses in Iowa and Nevada, citing security concerns surrounding online registration.

Sources told the Associated Press that the committee's leadership opposes the plan, making it unlikely that the virtual caucuses will happen, but that the decision would be ultimately made by the DNC's Rules and Bylaws Committee.

Two sources told the Des Moines Register that the DNC will reject Iowa's virtual caucus plan after a committee meeting last week where members expressed concerns about election security and the possibility of hacking.

The state parties announced earlier this year that some voters would be able to vote over the phone in the February caucuses instead of going to neighborhood meetings in an attempt to increase participation.

Voters would need to register online in advance and would receive a PIN number to enter when they call in. They would also have to use multifactor authentication to confirm their identities.

Read more here.


LIGHTER CLICK: Looking for a new Podcast…?


AN OP-ED TO CHEW ON: Privacy law needs privacy harm.



Self-driving carmakers urge regulators to whiff the steering wheel out the window. (The Verge)

Ring gave stats about users who said no to law enforcement requests. (Gizmodo)

Comcast, beware: New city-run broadband offers 1Gbps for $60 a month. (Ars Technica)