Security related News for week ending 2020 06 30

This was a busy week in security: Clipboard issues on your phones and devices mean until we get our next updates, you may want to immediately copy something innocuous after you finish your online banking. We have a Roblox hack that encourages you to tell your parents to vote for Trump, the big stumbling block for the Apple and Google Covid-19 tracking apps. and a scary story about Oracle’s BlueKai.

One of our fav stories this week is Cern’s plans to create a new particle collider 100K (62 miles) around the Geneva basin. If you got excited by the validation of the Higgs boson, this one will have you trembling with excitement. How did we tie it in with security? Read on to find out!

US/UK: AWS Facial Recognition Platform Misidentified Over 100 Politicians As Criminals

Lindsey O’Donnell: Facial recognition technology is still misidentifying people at an alarming rate – even as it’s being used by police departments to make arrests. In fact, Paul Bischoff, a consumer privacy expert with Comparitech, found that Amazon’s face recognition platform incorrectly misidentified more than 100 photos of US and UK lawmakers as criminals.

Rekognition, Amazon’s cloud-based facial recognition platform that was first launched in 2016, has been sold and used by a number of United States government agencies, including ICE and Orlando, Florida police, as well as private entities. In comparing photos of a total of 1,959 US and UK lawmakers to subjects in an arrest database, Bischoff found that Rekognition misidentified an average of 32 members of Congress. Bischoff also found that the platform was racially biased, misidentifying non-white people at a higher rate than white people.

These findings have disturbing real-life implications…

US: Wrongfully Arrested Because Face Recognition Can’t Tell Black People Apart

American Civil Liberties Union (ACLU): Earlier this year, Detroit police arrested Robert Williams — a Black man living in a Detroit suburb — on his front lawn in front of his wife and two little daughters (ages 2 and 5). Robert was hauled off and locked up for nearly 30 hours. His crime? Face recognition software owned by Michigan State Police told the cops that Robert Williams was the watch thief they were on the hunt for. The ACLU says “Face recognition technology can’t tell Black people apart. That includes Robert Williams, whose only thing in common with the suspect caught by the watch shop’s surveillance feed is that they are both large-framed Black men.”

IN: Government Bans TikTok and 50+ Chinese Apps
India: A government statement noted that the decision was taken due to fears that the apps were “prejudicial to sovereignty and integrity of India, defense of India, the security of the state and public order.”

These concerns were linked to fears over users’ data security and privacy. “The Ministry of Information Technology has received many complaints from various sources including several reports about the misuse of some mobile apps available on Android and iOS platforms for stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India,” it said.

Although the concerns may be genuine, the timing appears to be deliberate, coinciding with a period of heightened tensions between the two Asian giants after recent border clashes left 20 Indian soldiers dead.

According to the BBC, India is TikTok’s biggest foreign market with an estimated 120 million users.

iOS 14 flags TikTok, 53 other apps spying on iPhone clipboards

Lisa Vaas: In March, researchers Talal Haj Bakry and Tommy Mysk revealed that Android and iOS apps – including the mind-bogglingly popular, China-owned, video-sharing/often in privacy hot water TikTok – could silently, automatically read anything you copy into your mobile device’s clipboard.

Selfies? Passwords copied from your password manager? Bank account information? Bitcoin addresses? Yes, yes, yes and… yes. Anything you’ve copied recently, they’ll paste it into themselves. Such data is typically used for advertising and tracking purposes.

The covert content copying is possible not only for a device’s local data but also on nearby devices, as long as the devices share the same Apple ID and are within about 10 feet of each other. That’s enabled by Apple’s universal clipboard: a clipboard that enables content to be copied on one device and then pasted into an app running on a separate device.

Mysk: “These apps are reading clipboards, and there’s no reason to do this. An app that doesn’t have a text field to enter text has no reason to read clipboard text.” There are some big names on the list of apps that are doing this:

– ABC News
– Al Jazeera English
– CBC News
– CBS News
– Fox News
– News Break
– New York Times
– ntv Nachricten
– Reuters
– Russia Today
– Stern Nachrichten
– The Economist
– The Huffington Post
– The Wall Street Journal
– Vice News

– 8 Ball Pool
– AMAZE!!!
– Bejeweled
– Block Puzzle
– Classic Bejeweled
– Classic Bejeweled HD
– FlipTheGun
– Fruit Ninja
– Golfmasters
– Letter Soup
– Love Nikki
– My Emma
– Plants vs Zombies Heroes
– Pooking – Billiards City
– PUBG Mobile
– Tomb of the Mask
– Tomb of the Mask: Color
– Total Party Killer
– Watermarbling

– TikTok
– ToTalk
– Truecaller
– Viber
– Weibo
– Zoosk

– 10% Happier: Meditation
– 5-0 Radio Police Scanner
– Accuweather
– AliExpress Shopping App
– Bed Bath & Beyond
– Dazn
– Hotel Tonight
– Overstock
– Pigment – Adult Coloring Book to Color
– Sky Ticket
– The Weather Network

… and, Mysk said, TikTok has failed to stop, in spite of having promised that it would.

First, TikTok owner Bytedance said the problem wasn’t its fault. Rather, it blamed an outdated Google Ads software development kit (SDK) that was due to be replaced.

But as the clipboard warning in iOS 14 has made clear, ByteDance didn’t stop the invasive practice back in April, as it had promised. Now, the iOS 14 warning has caught the company “red-handed,” Zak Doffman writes, “still doing something they shouldn’t.” Now that Apple’s flagging the behavior, Apple users will benefit from the TikTok update as soon as it ships, but until then, please do keep in mind that the app is reading your clipboard data. To stay on the safe side, you can flush your clipboard by copying an innocuous piece of data.

Android is another issue entirely. Mysk told Ars that the scenario is worse on Android than it is on iOS, given that Android APIs are far more lenient. For example, Android allowed apps running in the background to read the clipboard up until Version 10, as opposed to iOS apps, which can do so only when they’re active, as in, running in the foreground.

Be careful of what you copy on your mobile device. Unfortunately, as the researchers said, we don’t really know what these apps are doing with our content.

Roblox ‘Vote Trump’ Hackers Compromise Accounts On World’s 51st Most Visited Website

Davey Winder: A pro-Trump hacking campaign is targeting kids on a hugely popular social gaming platform to spread a ‘Vote for Trump’ message to their parents.

Roblox is one of the most visited sites in the world, ranking at number 51 and with 91,671,735 monthly users according to the latest Ahrefs data. If you haven’t heard of Roblox, then you probably are neither a parent nor a gamer. Not only can members play online games, but they can also create them for others to play as well. The social gaming platform is hugely popular with children and teenagers alike, and now it looks like you can add hackers to the Roblox fanbase.

A Google site search for “Ask your parents to vote for Trump” returned 1,340 compromised user profiles. This is the messaging that the hackers are using to replace the original account profile “About” section with. A #MAGA2020 hashtag is also added. As mentioned, the hackers even dress the account avatar in such a way as to represent a Trump supporter. They purchase a red baseball cap with a “RUNNING OF THE BULLS” slogan in white lettering that looks somewhat like a Trump MAGA (Make America Great Again) cap, especially when teamed up with the t-shirt depicting an American eagle against a U.S. flag.

Assuming you don’t want your avatar to look like it is attending a Trump rally, you can return your avatar to whatever you want it to look like and remove the vote Trump messaging. But first, if your account has been compromised, change your password and follow the simple instructions at Roblox to enable two-step verification. This will add an additional layer of security to the login process and prevent a hacker from accessing your account even if they do have your email and password.

Poor password hygiene likely behind Roblox account compromises

According to the Bleeping Computer reporting, the hackers are using the relatively simple method of brute-forcing passwords to access accounts with weak passwords. It’s just as likely that credential stuffing is being used, where instead of bombarding the account log in with lists of commonly used passwords the attacker uses credential pairs that are shared across sites and services. If you use the same email address and password to access multiple services, then it only takes one of them to suffer a data breach for all the rest to be put at risk.

*** US Cyber Command: Foreign Advanced Persistent Threats (APTs) Likely to Exploit New Palo Alto Networks Flaw***

“When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability,” Palo Alto Networks explained in an advisory.

While Palo Alto Networks’ advisory says the company is not aware of malicious attempts to exploit CVE-2020-2021, USCYBERCOM warned on Twitter that “foreign APTs will likely attempt exploit soon.”

University of California San Francisco pays Ransomware Hackers $1.14 Million to Salvage Medical Research

The university was struck on June 1, where malware was found in the UCSF School of Medicine’s IT systems. Administrators quickly attempted to isolate the infection and ring-fence a number of systems that prevented the ransomware from traveling to the core UCSF network and causing further damage.

While the school says the cyberattack did not affect “our patient care delivery operations, overall campus network, or COVID-19 work,” UCSF servers used by the school of medicine were encrypted.

“The attackers obtained some data as proof of their action, to use in their demand for a ransom payment,” the university said in a statement. “We are continuing our investigation, but we do not currently believe patient medical records were exposed.”

The BBC was able to follow the negotiation, made in the Dark Web, between Netwalker and the university. The threat actors first demanded $3 million which was countered by the UCSF with a $780,000 offer, together with a plea that the novel coronavirus pandemic had been “financially devastating” to the academic institution.

This offer, however, was dismissed, and a back-and-forth eventually led to the agreed figure of $1,140,895, made in Bitcoin (BTC). In return for payment, the threat actors provided a decryption tool and said they would delete data stolen from the servers. At the time of writing, servers are still down.

Google removes 25 Android apps caught stealing Facebook credentials

By Catalin Cimpanu: Google has removed 25 Android applications from the Google Play Store this month that were caught stealing Facebook credentials. Before being taken down, the 25 apps were collectively downloaded more than 2.34 million times.

According to a report from French cyber-security firm Evina, the apps posed as step counters, image editors, video editors, wallpaper apps, flashlight applications, file managers, and mobile games. Evina said it found the malicious code that stole Facebook credentials in 25 apps they reported to Google at the end of May. Google removed the apps earlier this month, after verifying the French security firm’s findings. Some of the apps had been available on the Play Store for more than a year before they were removed.

The US Suspends Sensitive Tech Exports to Hong Kong

The US government has said it will suspend export of sensitive defense technologies to Hong Kong after China passed a controversial national security law in the Special Administrative Region (SAR).

In a brief statement on Monday, commerce secretary Wilbur Ross argued that the new law meant that sensitive US tech may find its way into the hands of the People’s Liberation Army (PLA) or the fearsome Ministry of State Security (MSS), both of which are prolific sources of cyber-attacks on foreign targets.

“Commerce Department regulations affording preferential treatment to Hong Kong over China, including the availability of export license exceptions, are suspended,” he continued.

“Further actions to eliminate differential treatment are also being evaluated. We urge Beijing to immediately reverse course and fulfill the promises it has made to the people of Hong Kong and the world.”

UK: #COVID19 HMRC Phishing Scams Persist, Begin Targeting Passport Details

Uncovered by Griffin Law, the latest variation of this attack is now targeting the passport details of self-employed people, along with other information including personal and bank details.

According to Griffin Law, the scam begins with a text message purporting to be from HMRC informing the recipient they are due a tax refund which can be applied for online via an official-looking site that uses HMRC branding and is entitled “Coronavirus (COVID-19) guidance and support.” The site asks for several pieces of the user’s sensitive information before also requesting their passport number as ‘verification’.

Australia Ramps Up Cyber Spending After State-Backed Attacks

Australia unveiled the “largest-ever” boost in cybersecurity spending Tuesday, days after Prime Minister Scott Morrison spoke out about a wave of state-sponsored attacks suspected to have been carried out by China.

Morrison and government officials said the country would spend an additional Aus$1.35 billion ($928 million) on cybersecurity, around a 10 percent hike, taking the budget for the next decade to Aus$15 billion.

The largest chunk of the new money will help create 500 jobs within the Australian Signals Directorate, the government’s communications intelligence agency.

US: Eight cities using Click2Gov targeted in Magecart skimming attacks

Since April 10, eight cities in three states using the Click2Gov web-based platform to collect payments for services have been hit with Magecart card-skimming attacks that still appear active.

Credit card information including card number, expiration date, and CVV, as well as personal information such as name and contact address, was being exfiltrated from the municipalities, which were not named.

Local governments typically use Click2Gov to allow residents to pay for such services as utilities, as well as provide an online platform for community engagement and issues reporting.

JavaScript code is injected when victims browse the online payment page on the compromised Click2Gov website. After grabbing data from various columns, the skimmer then sends the information to a remote server via a HTTP POST request. The Javascript-based attack is devoid of obfuscation or anti-debugging techniques, which a more sophisticated skimmer would feature.

Central Square Technologies developed Click2Gov and, as of June 29, had not responded on its website about the reported compromise.

RU: Russian Cybercriminal Behind CardPlanet Sentenced to 9 Years

Russian national Alexei Yurievich Burkov has been sentenced to nine years in federal prison for his operation of two websites, CardPlanet and Direct Connection, dedicated to payment card fraud, computer hacking, and other crimes, the Department of Justice said late last week.

CardPlanet was a so-called “carding” website built to sell credit and debit card numbers stolen through computer hacking. Many of the card numbers sold belonged to US citizens, and more than 150,000 stolen payment card numbers were sold on CardPlanet, resulting in at least $20 million in fraudulent purchases made with US payment card accounts.

The price of stolen payment cards ranged from $2.50 to $60 on CardPlanet depending on the card type, country of origin, and availability of cardholder data like name and address.

CN: Tax software used by Chinese bank clients installs GoldenSpy backdoor

In a company blog post and more detailed threat report, Trustwave and its SpiderLabs team identified the accounting software as Intelligent Tax, which was reportedly developed by the Golden Tax Department of IT and information security company Aisino Corporation, and digitally signed by a second company, Chenkuo Network Technology.

While the software is functional and used to pay local taxes, Trustwave says adversaries can leverage the GoldenSpy malware within to execute an array of Windows commands or upload and execute additional malicious code, including ransomware and trojans. The malware beacons and communicates with the attackers’ command-and-control server, which operates separately from the tax software’s network infrastructure. This server was found to reside at the domain ningzhidata[dot]com domain, which was registered on Sept. 22, 2019.

To gain a strong foothold within infected systems, the malware downloads and executes a file called svminstaller.exe that installs two identical executables — svm.exe and svmm.exe — as persistent autostart services. “If either stops running, it will respawn its counterpart,” writes Hussey. “Furthermore, it utilizes an exeprotector module that monitors for the deletion of either iteration of itself. If deleted, it will download and execute a new version. Effectively, this triple-layer protection makes it exceedingly difficult to remove this file from an infected system.”

When victims install the tax software, the malware waits two hours before it is also secretly downloaded and installed, with no notification. If users attempt to dispense with the program, the uninstall feature allows the malware to continue running silently as a backdoor, even after functioning tax software is fully removed. Additionally, the aforementioned beaconing process is randomized to elude anti-beaconing protections.

A hacker gang is wiping Lenovo NAS devices and asking for ransoms

Catalin Cimpanu: A hacker group going by the name of ‘Cl0ud SecuritY’ is breaking into old LenovoEMC (formerly Iomega) network-attached storage (NAS) devices, wiping files, and leaving ransom notes behind asking owners to pay between $200 and $275 to get their data back. Attacks have been happening for at least a month, according to entries on BitcoinAbuse, a web portal where users can report Bitcoin addresses abused in ransomware, extortions, cybercrime, and other online scams. Attacks appear to have targeted only LenovoEMC/Iomega NAS devices that are exposing their management interface on the internet without a password. All ransom notes were signed with the ‘Cl0ud SecuritY’ monicker and used the same “cloud@mail2pay(dot)com” email address as the point of contact.

Files Stolen from 945 Websites Discovered on Dark Web

All websites were breached by different attackers, according to researchers, who found two databases containing approximately 150 GB of unpacked SQL files. One of these databases was released on June 1, 2020 and the other on June 10. The information within them, now publicly available, includes usernames, full names, phone numbers, hashed and non-hashed passwords, IP addresses, email addresses, and physical addresses. Up to 14 million people may be affected. Affected websites include 14 governmental sites belonging to Ukraine, Israel, United Kingdom, Belarus, Russia, Lebanon, Rwanda, Pakistan, and Kyrgyzstan. The SQL files taken from these websites are dated between 2017 and 2020.

Apple/Google COVID-19 Tracking Is Now On Your Phone—Here’s The Problem

When Apple and Google updated their operating systems to include an exposure notification API, they mandated a privacy-first approach for any governments that wanted to access the framework. If you’re a virologist or epidemiologist arguing that you need data to fight the spread of infection inside your country, you’re out of luck. Apple and Google have said no.

Australia has now rejected the Apple and Google framework embedded in the latest versions of Android and iOS, deciding to keep its COVIDSafe app independent. The reason is simple, the Apple/Google model “fundamentally changes the locus of control and takes out the middle person,” Australia’s Deputy Chief Medical Officer Nick Coatsworth complains. That middle person is critical—it’s the manual contact tracer, the expert, “the people who have kept us safe,” as Coatsworth puts it.

Earlier this month, the U.K. government made headlines when it seemed to be abandoning its own digital contact tracing app for the Apple/Google alternative. But that’s not what happened at all. The U.K. has rejected the privacy-first approach mandated by the U.S. tech giants, it wants a more expansive Australia-style system. But with Apple and Google restrictions it cannot make this work. And so it has essentially de-prioritized its tracing app in favor of manual alternatives.

France has always insisted on a sovereign contact tracing app, snubbing the Apple and Google alternative. It claims to have made the technology work, despite the decision to go it alone. Unfortunately, just as France has snubbed Apple and Google, so the French population have snubbed the app. Take-up is always a challenge for apps that need a WhatsApp-size install base to be effective. But in France, the take-up is woeful, and, worse, many of those that have installed the app are now deleting it.

Apple and Google may have safeguarded the world’s population from the theoretical risk of COVID-19 surveillance, but have provided an alternative that doesn’t quite fit the bill for anyone, it seems.

Microsoft to permanently close all of its retail stores

By Chris Welch: Microsoft is giving up on physical retail. Today the company announced plans to permanently close all Microsoft Store locations in the United States and around the world, except for four locations that will be “reimagined” as experience centers that no longer sell products.

Those locations are New York City (Fifth Ave), London (Oxford Circus), Sydney (Westfield Sydney), and the Redmond campus location. The London store only just opened about a year ago. All other Microsoft Store locations across the United States and globally will be closing, and the company will concentrate on digital retail moving forward.

And no, this was not a security story……

CERN approves plans for a $23 billion, 62-mile long super-collider

Steve Dent: CERN has approved plans to build a $23 billion super-collider 100 km in circumference (62 miles) that would make the current 27 km 16 teraelectron volt (TeV) Large Hadron Collider (LHC) look tiny in comparison. The so-called Future Circular Collider (FCC) would smash particles together with over 100 TeV of energy to create many more of the elusive Higgs bosons first detected by CERN in 2012. This “Higgs factory” would be key to helping physicists learn more about dark matter and other mysteries of the Standard Model of physics.

If they can raise the money, new construction would start in 2038 and would be used to extend the work with elusive Higgs bosons, named after Peter Higgs to explain why particles have mass, learn more about dark matter and answer more questions about the 17 particles in the standard model of physics, however you will need to use CERN issued SSO credentials with 2fa to access the results until they are published publicly.

Let’s see what Zuck does with this one.

The #StopHateForProfit advertising boycott of Facebook by civil rights groups continues to gather steam with over 100 companies joining in North Face, REI, Patagonia, Starbucks, Coca Cola, Unilever, Hershey, Verizon, Proctor & Gamble. The list of boycotting companies was at 184 when we put this article together. “Let’s send Facebook a powerful message: Your profits will never be worth promoting hate, bigotry, racism, antisemitism and violence,” the website reads. Facebook stock is down $30 a share over the last 5 days.

We have not been big proponents of Facebook’s security or privacy over the years, so at least for those who continue to use this high-risk social media platform, you may get some fact-checking in amongst the more controversial stories.

Oracle’s BlueKai tracks you across the web. That data spilled online. Billions of records exposed.

“real people’s lives get scooped up along the way. Each one of those little details has the potential to put somebody at risk.”

Zack Whittaker: Have you ever wondered why online ads appear for things that you were just thinking about?

There’s no big conspiracy. Ad tech can be creepily accurate.

Tech giant Oracle is one of a few companies in Silicon Valley that has near-perfected the art of tracking people across the internet. The company has spent a decade and billions of dollars buying startups to build its very own panopticon of users’ web browsing data.

One of those startups, BlueKai, which Oracle bought for a little over $400 million in 2014, is barely known outside marketing circles, but it amassed one of the largest banks of web tracking data outside of the federal government.

BlueKai uses website cookies and other tracking tech to follow you around the web. By knowing which websites you visit and which emails you open, marketers can use this vast amount of tracking data to infer as much about you as possible — your income, education, political views, and interests to name a few — in order to target you with ads that should match your apparent tastes. If you click, the advertisers make money.

But for a time, that web tracking data was spilling out onto the open internet because a server was left unsecured and without a password, exposing billions of records for anyone to find.

Security researcher Anurag Sen found the database and reported his finding to Oracle. TechCrunch reviewed the data shared by Sen and found names, home addresses, email addresses and other identifiable data in the database. The data also revealed sensitive users’ web browsing activity — from purchases to newsletter unsubscribes.

“There’s really no telling how revealing some of this data can be,” said Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation, told TechCrunch.

BlueKai relies on vacuuming up a never-ending supply of data from a variety of sources to understand trends to deliver the most precise ads to a person’s interests.

Marketers can either tap into Oracle’s enormous bank of data, which it pulls in from credit agencies, analytics firms, and other sources of consumer data including billions of daily location data points, in order to target their ads. Or marketers can upload their own data obtained directly from consumers, such as the information you hand over when you register an account on a website or when you sign up for a company’s newsletter.

But BlueKai also uses more covert tactics like allowing websites to embed invisible pixel-sized images to collect information about you as soon as you open the page — hardware, operating system, browser, and any information about the network connection.

This data — known as a web browser’s “user agent” — may not seem sensitive, but when fused together it can create a unique “fingerprint” of a person’s device, which can be used to track that person as they browse the internet.

BlueKai can also tie your mobile web browsing habits to your desktop activity, allowing it to follow you across the internet no matter which device you use.

Say a marketer wants to run a campaign trying to sell a new car model. In BlueKai’s case, it already has a category of “car enthusiasts” — and many other, more specific categories — that the marketer can use to target with ads. Anyone who’s visited a car maker’s website or a blog that includes a BlueKai tracking pixel might be categorized as a “car enthusiast.” Over time that person will be siloed into different categories under a profile that learns as much about you to target you with those ads.

Behind the scenes, BlueKai continuously ingests and matches as much raw personal data as it can against each person’s profile, constantly enriching that profile data to make sure it’s up to date and relevant.

But it was that raw data spilling out of the exposed database.

TechCrunch found records containing details of private purchases. One record detailed how a German man, whose name we’re withholding, used a prepaid debit card to place a €10 bet on an esports betting site on April 19. The record also contained the man’s address, phone number, and email address.

Another record revealed how one of the largest investment holding companies in Turkey used BlueKai to track users on its website. The record detailed how one person, who lives in Istanbul, ordered $899 worth of furniture online from a homeware store. We know because the record contained all of these details, including the buyer’s name, email address and the direct web address for the buyer’s order, no login needed.

We also reviewed a record detailing how one person unsubscribed from an email newsletter run by an electronics consumer, sent to his iCloud address. The record showed that the person may have been interested in a specific model of car dash-cam. We can even tell based on his user agent that his iPhone was out of date and needed a software update.

“Fine-grained records of people’s web-browsing habits can reveal hobbies, political affiliation, income bracket, health conditions, sexual preferences, and — as evident here — gambling habits,” said the EFF’s Cyphers. “As we live more of our lives online, this kind of data accounts for a larger and larger portion of how we spend our time.”

The data went back to August 2019. “Whenever databases like this exist, there’s always a risk the data will end up in the wrong hands and in a position to hurt someone,” said Cyphers. “It also makes a valuable target for law enforcement and government agencies who want to piggyback on the data gathering that Oracle already does."

“Everyone has different things they want to keep private, and different people they want to keep them private from. When companies collect raw web browsing or purchase data, thousands of little details about

IRS Used Cell phone Location Data to Try to Find Suspects

The unsuccessful effort shows how anonymized information sold by marketers is increasingly being used by law enforcement to identify suspects. The Internal Revenue Service attempted to identify and track potential criminal suspects by purchasing access to a commercial database that records the locations of millions of American cell-phones.

The IRS Criminal Investigation unit, or IRS CI, had a subscription to access the data in 2017 and 2018, sold by a Virginia-based government contractor called Venntel Inc. Venntel obtains anonymized location data from the marketing industry and resells it to governments.

IRS CI pursues the most serious and flagrant violations of tax law, and it said it used the Venntel database in “significant money-laundering, cyber, drug and organized-crime cases.” “The tool provided information as to where a phone with an anonymized identifier (created by Venntel) is located at different times,” Mr. Cole said. “For example, if we know that a suspicious ATM deposit was made at a specific time and at a specific location, and we have one or more other data points for the same scheme, we can cross-reference the data from each event to see if one or more devices were present at multiple transactions. This would then allow us to identify the device used by a potential suspect and attempt to follow that particular movement.”

1,600 Google Employees Demand No Tech for Police

At least 1,666 Google employees are demanding the company stop selling technology to police departments, according to a letter shared with Motherboard.

“We’re disappointed to know that Google is still selling to police forces, and advertises its connection with police forces as somehow progressive, and seeks more expansive sales rather than severing ties with police and joining the millions who want to defang and defund these institutions,” reads the letter. “Why help the institutions responsible for the knee on George Floyd’s neck to be more effective organizationally?”