Daily Digest (7/10)

Google, Microsoft, Amazon Have Thousands of Previously Unreported Military and Police Contracts; More Embedded Malware Found in Budget US Smartphones; Police Surveilled George Floyd Protests With Help From Twitter-Affiliated Startup Dataminr; Police Buying Access to Hacked Website Data.

Google, Microsoft, Amazon Have Thousands of Previously Unreported Military and Police Contracts

New research shows that Silicon Valley companies have thousands of subcontracts that have not been previously reported publicly with the U.S. military and federal law enforcement, including ICE and the FBI.

The subcontracts were discovered through Freedom of Information Act (FOIA) requests filed by Jack Poulson, a former Google researcher who joined coworkers to pressure the company not to work with the Pentagon, Business Insider reports.

He left the company in 2018.

Microsoft has more than 5,000 previously unreported subcontracts with the Defense Department and federal law enforcement. Amazon and Google each have hundreds of similar subcontracts, records show.

Rank-and-file tech employees have pressured employers to drop military contracts in recent years. Google dropped a Pentagon subcontract, dubbed Project Maven, after employee uproar in 2018.

Workers at Amazon and Microsoft have petitioned both companies to drop their contracts with ICE and the military, but neither company has caved to the demands.

The discovered subcontracts, published Tuesday by Tech Inquiry, show that the companies’ connections to the Pentagon run deeper than many employees were previously aware.

“Often the high-level contract description between tech companies and the military looks very vanilla and mundane,” Poulson told NBC News.

“But only when you look at the details of the contract, which you can only get through Freedom of Information (Act) requests, do you see the workings of how the customization from a tech company would actually be involved.”

A Microsoft spokesperson declined to comment, while representatives for Google and Amazon did not immediately respond to requests for comment.


More Embedded Malware Found in Budget US Smartphones

Pre-installed malware has been discovered in another budget handset connected to Assurance Wireless by Virgin Mobile. 

In January, cybersecurity researchers from Malwarebytes discovered unremovable malware bundled with the Android operating system on the Unimax (UMX) U686CL, a low-end handset sold by Assurance Wireless as part of the Lifeline Assistance program, a 1985 U.S. initiative that subsidizes telephone services for low-income families.

Two apps on the handset could not be removed, ZDNet.com reports. The apps installed other software on the devices without the user’s knowledge. 

Malwarebytes now has uncovered another budget handset with similar security issues: the American Network Solutions (ANS) UL40, which runs Android OS 7.1.1. 

Malwarebytes researcher Nathan Collier said Wednesday that after January’s report, followers of the company said that a variety of ANS phone models were subject to the same problems.

The team eventually obtained a UL40 for investigation, according to ZDNet.

While it was not clear if the device was still directly on sale by Assurance Wireless, the user manual was listed on the vendor’s website — inaccessible at the time of writing — and the handset could still be purchased via other online stores and marketplaces.


Police Surveilled George Floyd Protests With Help From Twitter-Affiliated Startup Dataminr

Leveraging close ties to Twitter, artificial intelligence start-up firm Dataminr helped law enforcement digitally monitor the protests that swept the country following the May killing of George Floyd by Minneapolis police.

The monitoring tipped police to social-media posts with the latest locations and actions of demonstrators, according to documents reviewed by The Intercept and a source with direct knowledge of the matter.

The activity appeared to be at odds with claims from both Twitter and Dataminr that neither company would engage in or facilitate domestic surveillance following a string of 2016 controversies.

Twitter, up until recently a longtime Dataminr investor alongside the CIA, provides the company with full access to a content stream known as the “firehose” — a rare privilege among tech firms and one that lets Dataminr, recently valued at over $1.8 billion, scan every public tweet as soon as its author hits “send.”

Both companies denied that the protest monitoring met the definition of surveillance.

Dataminr helps newsrooms, corporations and governments around the world track crises with superhuman speed as they unfold across social media and the wider web.

Through people and software, the company alerts organizations to chatter around global crises — wars, shootings, riots, disasters, for instance — so they’ll have a competitive edge as news is breaking.

In 2016, Twitter was forced to address multiple reports that its platform was being used to enable domestic surveillance, including a report in The Wall Street Journal on Dataminr’s collaboration with American spy agencies in May; an American Civil Liberties Union report on Geofeedia, a Dataminr competitor, in October; and another ACLU investigation into Dataminr’s federal police surveillance work in December.

The company sought to assure the public that attempts to monitor its users for purposes of surveillance were forbidden under its rules, and that violators would be kicked off the platform.

But based on interviews, public-records requests and company documents reviewed by the Intercept, Dataminr continues to enable what is essentially surveillance by U.S. law enforcement entities, contradicting earlier assurances to the contrary, even if it remains within some of the narrow technical boundaries it outlined four years ago.

Those include not providing direct firehose access, tweet geolocations or certain access to fusion centers.

Dataminr relayed tweets and other social-media content about the Floyd and Black Lives Matter protests directly to police, apparently across the country, the Intercept reports.

“Dataminr is providing information for local police, including (many) metropolitan police departments in cities facing protests,” one source said. “They are some of Dataminr’s biggest clients and they set the agenda.”

Dataminr spokesperson Kerry McGee declined to comment.


Police Buying Access to Hacked Website Data

Law enforcement agencies have become the latest customers for breached data, Vice.com’s Motherboard site reported Thursday.

Some companies are selling government agencies access to data stolen from websites in hopes of generating investigative leads, with the data including passwords, email addresses, IP addresses and more.

Vice’s Motherboard operation obtained webinar slides from a company called SpyCloud that were presented to prospective customers.

The company claimed in the session to “empower investigators from law enforcement agencies and enterprises around the world to more quickly and efficiently bring malicious actors to justice.”

The slides were shared by “a source who was concerned about law-enforcement agencies buying access to hacked data,” Motherboard reports, and SpyCloud confirmed that the slides were authentic.

“We’re turning the criminals’ data against them, or at least we’re empowering law enforcement to do that,” said Dave Endler, co-founder and chief product officer of SpyCloud.

The sale highlights a somewhat novel use of breached data, and signals how data ordinarily associated with the commercial sector can be repurposed by law enforcement too.

But it also raises questions about whether authorities should be leveraging information originally stolen by hackers.

In buying products from SpyCloud, authorities also would be obtaining access to hacked data on people who are not associated with any crimes — the vast majority of people affected by data breaches are not criminals — and would not need to follow the usual mechanisms of sending a legal request to a company to obtain user data.

“It’s disturbing that law enforcement can simply buy their way into obtaining vast amounts of account information, even passwords, without having to obtain any legal process,” said Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society.


— By DPN Staff