Privacy

IRS Could Search Warrantless Location Database Over 10,000 Times (vice.com)

An anonymous reader quotes a report from Motherboard: The IRS was able to query a database of location data quietly harvested from ordinary smartphone apps over 10,000 times, according to a copy of the contract between the IRS and the data provider obtained by Motherboard. The document provides more insight into what exactly the IRS wanted to do with a tool purchased from Venntel, a government contractor that sells clients access to a database of smartphone movements. The Inspector General is currently investigating the IRS for using the data without a warrant to try to track the location of Americans. "This contract makes clear that the IRS intended to use Venntel's spying tool to identify specific smartphone users using data collected by apps and sold onwards to shady data brokers. The IRS would have needed a warrant to obtain this kind of sensitive information from AT&T or Google," Senator Ron Wyden told Motherboard in a statement after reviewing the contract. [...]

One of the new documents says Venntel sources the location information from its "advertising analytics network and other sources." Venntel is a subsidiary of advertising firm Gravy Analytics. The data is "global," according to a document obtained from CBP. Venntel then packages that data into a user interface and sells access to government agencies. A former Venntel worker previously told Motherboard that customers can use the product to search a specific area to see which devices were there, or follow a particular device across time. Venntel provides its own pseudonymous ID to each device, but the former worker said users could try to identify specific people. The new documents say that the IRS' purchase of an annual Venntel subscription granted the agency 12,000 queries of the dataset per year.

"In support of Internal Revenue Service (IRS) Criminal Investigation's (CI) law enforcement investigative mission, the Cyber Crimes Unit (CCU) requires one (1) Venntel Mobile Intelligence web-based subscription," one of the documents reads. "This allows tracing and pattern-of-life analysis on locations of interesting criminal investigations, allowing investigators to trace locations of mobile devices even if a target is using anonymizing technologies like a proxy server, which is common in cyber investigations," it adds.

Electronic Frontier Foundation

Aaron Swartz's Memory Honored with Virtual Hackathon (aaronswartzday.org)

Saturday saw 2020's virtual observation of the annual Aaron Swartz Day and International Hackathon, which the EFF describes as "a day dedicated to celebrating the continuing legacy of activist, programmer, and entrepreneur Aaron Swartz."

Its official web site notes the wide-ranging event includes "projects and ideas that are still bearing fruit to this day, such as SecureDrop, Open Library, and the Aaron Swartz Day Police Surveillance Project." The event even included a virtual session for the Atlas of Surveillance project which involved documenting instances of law enforcement using surveillance technologies like social media monitoring, automated license plate readers, and body-worn cameras. And EFF special advisor Cory Doctorow, director of strategy Danny O'Brien, and senior activist Elliot Harmon also spoke "about Aaron's legacy and how his work lives on today," according to the EFF's announcement: Aaron Swartz was a brilliant champion of digital rights, dedicated to ensuring the Internet remained a thriving ecosystem for open knowledge. EFF was proud to call him a close friend and collaborator. His life was cut short in 2013, after he was charged under the notoriously draconian Computer Fraud and Abuse Act for systematically downloading academic journal articles from the online database JSTOR.

Federal prosecutors stretch this law beyond its original purpose of stopping malicious computer break-ins, reserving the right to push for heavy penalties for any behavior they don't like that happens to involve a computer. This was the case for Aaron, who was charged with eleven counts under the CFAA. Facing decades in prison, Aaron died by suicide at the age of 26. He would have turned 34 this year, on November 8.

In addition to EFF projects, the hackathon will focus on projects including SecureDrop, Open Library, and the Aaron Swartz Day Police Surveillance Project. The full lineup of speakers includes Aaron Swartz Day co-founder Lisa Rein, SecureDrop lead Mickael E., researcher Mia Celine, Lucy Parsons Lab founder Freddy Martinez, and Brewster Kahle — co-founder of Aaron Swartz Day and the Internet Archive.

All of the presentations are now online.
Cloud

Credit Card Numbers For Millions of Hotel Guests Exposed By Misconfigured Cloud Database (threatpost.com)

"A widely used hotel reservation platform has exposed 10 million files related to guests at various hotels around the world, thanks to a misconfigured Amazon Web Services S3 bucket," reports Threatpost.

"The records include sensitive data, including credit-card details." Prestige Software's "Cloud Hospitality" is used by hotels to integrate their reservation systems with online booking websites like Expedia and Booking.com. The incident has affected 24.4 GB worth of data in total, according to the security team at Website Planet, which uncovered the bucket.

Many of the records contain data for multiple hotel guests that were grouped together on a single reservation; thus, the number of people exposed is likely well over the 10 million, researchers said. Some of the records go back to 2013, the team determined — but the bucket was still "live" and in use when it was discovered this month. "The company was storing years of credit-card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks," according to the firm, in a recent notice on the issue. "The S3 bucket contained over 180,000 records from August 2020 alone...."

The records contain a raft of information, Website Planet said, including full names, email addresses, national ID numbers and phone numbers of hotel guests; card numbers, cardholder names, CVVs and expiration dates; and reservation details, such as the total cost of hotel reservations, reservation number, dates of a stay, special requests made by guests, number of people, guest names and more. The exposure affects a wide number of platforms, with data related to reservations made through Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre and more....

A too-large percentage of cloud databases containing highly sensitive information are publicly available, an analysis in September found. The study from Comparitech showed that 6 percent of all Google Cloud buckets are misconfigured and left open to the public internet, for anyone to access their contents.

United States

Trump Eyes Digital Media Empire To Take on Fox News (axios.com)

Mike Allen, reporting for Axios: President Trump has told friends he wants to start a digital media company to clobber Fox News and undermine the conservative-friendly network, sources tell Axios. The state of play: Some Trump advisers think Fox News made a mistake with an early call (seconded by AP) of President-elect Biden's win in Arizona. [...] Here's Trump's plan, according to the source: There's been lots of speculation about Trump starting a cable channel. But getting carried on cable systems would be expensive and time-consuming. Instead, Trump is considering a digital media channel that would stream online, which would be cheaper and quicker to start. Trump's digital offering would likely charge a monthly fee to MAGA fans. Many are Fox News viewers, and he'd aim to replace the network -- and the $5.99-a-month Fox Nation streaming service, which has an 85% conversion rate from free trials to paid subscribers -- as their top destination. Trump's database of email and cellphone contacts would be a huge head start. Trump's lists are among the most valuable in politics -- especially his extensive database of cellphone numbers for text messages.
AI

Researchers Find Flaws in Algorithm Used To Identify Atypical Medication Orders (venturebeat.com)

Can algorithms identify unusual medication orders or profiles more accurately than humans? Not necessarily. From a report: A study coauthored by researchers at the Université Laval and CHU Sainte-Justine in Montreal found that one model physicians used to screen patients performed poorly on some orders. The study offers a reminder that unvetted AI and machine learning may negatively impact outcomes in medicine. Pharmacists review lists of active medications -- i.e., pharmacological profiles -- for inpatients under their care. This process aims to identify medications that could be abused, but most medication orders don't show drug-related problems. Publications from over a decade ago illustrate technology's potential to help pharmacists streamline workflows by taking on tasks like reviewing orders. But while more recent research has investigated AI's potential in pharmacology, few studies have demonstrated its efficacy. The coauthors of this latest work looked at a model deployed in a tertiary-care mother-and-child academic hospital between April 2020 and August 2020. The model was trained on a dataset of 2,846,502 medication orders from 2005 to 2018. These had been extracted from a pharmacy database and preprocessed into 1,063,173 profiles. Prior to data collection, the model was retrained every month with 10 years of the most recent data from the database in order to minimize drift, which occurs when a model loses its predictive power.
Earth

India and Pakistan Dominate WHO's Air Pollution Database (theguardian.com)

At this time of year, agricultural burning adds to the air pollution problems across northern India and Pakistan. The region contains 16 of the 20 most polluted cities in the World Health Organization's global PM2.5 database. But are these the most polluted places ever recorded? Lack of measurements make historic comparisons difficult, but we have some clues. From a report: More than 200 years ago, Benjamin Franklin was famously among the first scientists to study electricity in the atmosphere. Lightning is the most obvious manifestation, but air pollution also changes the electrical properties of our air. Electrical measurements near Hyde Park in about 1790 suggest 18th-century London's particle pollution was perhaps half the annual average in the most polluted cities in modern India.
Security

Configuration Snafu Exposes Passwords For Two Million Marijuana Growers (zdnet.com)

An anonymous reader quotes a report from ZDNet: GrowDiaries, an online community where marijuana growers can blog about their plants and interact with other farmers, suffered a security breach in September this year. The breach occurred after the company left two Kibana apps exposed on the internet without administrative passwords. Kibana apps are normally used by a company's IT and development staff, as the app allows programmers to manage Elasticsearch databases via a simple web-based visual interface. Because of these capabilities, securing Kibana apps is just as important as securing the databases themselves.

But in a report published today on LinkedIn, Bob Diachenko, a security researcher known for discovering and reporting unsecured databases, said GrowDiaries failed to secure two of its Kibana apps, which appear to have been left exposed online without a password since September 22, 2020. Diachenko says these two Kibana apps granted attackers access to two sets of Elasticsearch databases, with one storing 1.4 million user records and the second holding more than two million user data points. The first exposed usernames, email addresses, and IP addresses, while the second database also exposed user articles posted on the GrowDiaries site and users' account passwords. While the passwords were stored in a hashed format, Diachenko said the format was MD5, a hashing function known to be insecure and crackable (allowing threat actors to determine the cleartext version of each password).
The company secured its infrastructure five days after Diachenko reported the exposed Kibana apps on October 10. It's unknown if someone else accessed the databases to download user data.
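The second half of that exposure, passwords stored as unsalted MD5, is what turns a leaked table into a list of usable credentials. The example below is added here and is not code from GrowDiaries or from Diachenko's report; it puts the weak scheme beside a salted, slow PBKDF2-HMAC-SHA256 scheme and shows the property defenders care about: with unsalted MD5, every user who chose the same password ends up with the identical stored value, so one recovered hash unlocks the whole group, while per-user salts make every stored record unique. The user records and the `pbkdf2_sha256$…` record format are this example's own constructions.

```python
"""Contrast unsalted MD5 password storage with a salted, slow KDF.

Added example, not code from GrowDiaries or from Diachenko's report. User
records below are constructed; the "pbkdf2_sha256$..." record format is this
example's own convention.
"""
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # cost factor; raise as hardware gets faster


def md5_store(password):
    """The weak scheme: unsalted MD5, fast, and identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing record."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_hash_groups(records):
    """Group usernames whose stored values are identical.

    With unsalted MD5, everyone who picked the same password shares one hash,
    so a single recovered value unlocks the whole group; with per-user salts
    no two records coincide.
    """
    groups = defaultdict(list)
    for user, stored in records.items():
        groups[stored].append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed sample: three of five users chose the same password.
SAMPLE_USERS = {
    "alice": "Tr0ub4dor&3",
    "bob": "sunshine2019",
    "carol": "sunshine2019",
    "dave": "sunshine2019",
    "erin": "correct horse battery staple",
}


def md5_table(users=SAMPLE_USERS):
    """What a GrowDiaries-style password column looks like."""
    return {u: md5_store(p) for u, p in users.items()}


def pbkdf2_table(users=SAMPLE_USERS, iterations=PBKDF2_ITERATIONS):
    """The same users under the salted scheme."""
    return {u: pbkdf2_store(p, iterations=iterations) for u, p in users.items()}


if __name__ == "__main__":
    print("MD5 shared-hash groups:", shared_hash_groups(md5_table()))
    print("PBKDF2 shared-hash groups:", shared_hash_groups(pbkdf2_table()))
    rec = pbkdf2_store("example-password")
    print("verify ok:", pbkdf2_verify("example-password", rec))
```

`hashlib.pbkdf2_hmac` and `hmac.compare_digest` are standard library; a production system would more likely use bcrypt, scrypt or Argon2 through a maintained library, but the two properties demonstrated here (a per-user salt and a tunable cost) are what any of them provide and MD5 does not.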
Security

23,600 Hacked Databases Have Leaked From a Defunct 'Data Breach Index' Site (zdnet.com)

More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind. From a report: The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals. Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee. Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites. The idea behind the site isn't unique, and Cit0Day could be considered a reincarnation of similar "data breach index" services such as LeakedSource and WeLeakInfo, both taken down by authorities in 2018 and 2020, respectively.
Medicine

MIT Team's Cough Detector Identifies 97% of COVID-19 Cases Even In Asymptomatic People

Scientists from MIT have developed a new AI model that can detect COVID-19 from a simple forced cough. ScienceAlert reports: Evidence shows that the AI can spot differences in coughing that can't be heard with the human ear, and if the detection system can be incorporated into a device like a smartphone, the research team thinks it could become a useful early screening tool. The work builds on research that was already happening into Alzheimer's detection through coughing and talking. Once the pandemic started to spread, the team turned its attention to COVID-19 instead, tapping into what had already been learned about how disease can cause very small changes to speech and the other noises we make.

The Alzheimer's research repurposed for COVID-19 involved a neural network known as ResNet50. It was trained on a thousand hours of human speech, then on a dataset of words spoken in different emotional states, and then on a database of coughs to spot changes in lung and respiratory performance. When the three models were combined, a layer of noise was used to filter out stronger coughs from weaker ones. Across around 2,500 captured cough recordings of people confirmed to have COVID-19, the AI correctly identified 97.1 percent of them -- and 100 percent of the asymptomatic cases.

That's an impressive result, but there's more work to do yet. The researchers emphasize that its main value lies in spotting the difference between healthy coughs and unhealthy coughs in asymptomatic people -- not in actually diagnosing COVID-19, which a proper test would be required for. In other words, it's an early warning system. The researchers now want to test the engine on a more diverse set of data, and see if there are other factors involved in reaching such an impressively high detection rate. If it does make it to the phone app stage, there are obviously going to be privacy implications too, as few of us will want our devices constantly listening out for signs of ill health.
The research has been published in the IEEE Open Journal of Engineering in Medicine and Biology.
Social Networks

A Nameless Hiker and the Case the Internet Can't Crack (wired.com)

The man on the trail went by "Mostly Harmless." He was friendly and said he worked in tech. After he died in his tent, no one could figure out who he was. Wired: It's usually easy to put a name to a corpse. There's an ID or a credit card. There's been a missing persons report in the area. There's a DNA match. But the investigators in Collier County couldn't find a thing. Mostly Harmless' fingerprints didn't show up in any law enforcement database. He hadn't served in the military, and his fingerprints didn't match those of anyone else on file. His DNA didn't match any in the Department of Justice's missing person database or in CODIS, the national DNA database run by the FBI. A picture of his face didn't turn up anything in a facial recognition database. The body had no distinguishing tattoos.

Nor could investigators understand how or why he died. There were no indications of foul play, and he had more than $3,500 cash in the tent. He had food nearby, but he was hollowed out, weighing just 83 pounds on a 5'8" frame. Investigators put his age in the vague range between 35 and 50, and they couldn't point to any abnormalities. The only substances he tested positive for were ibuprofen and an antihistamine. His cause of death, according to the autopsy report, was "undetermined." He had, in some sense, just wasted away. But why hadn't he tried to find help? Almost immediately, people compared Mostly Harmless to Chris McCandless, whose story was the subject of Into the Wild. McCandless, though, had been stranded in the Alaska bush, trapped by a raging river as he ran out of food. He died on a school bus, starving, desperate for help, 22 miles of wilderness separating him from a road. Mostly Harmless was just 5 miles from a major highway. He left no note, and there was no evidence that he had spent his last days calling out for help.

The investigators were stumped. To find out what had happened, they needed to learn who he was. So the Florida Department of Law Enforcement drew up an image of Mostly Harmless, and the Collier County investigators shared it with the public. In the sketch, his mouth is open wide, and his eyes too. He has a gray and black beard, with a bare patch of skin right below the mouth. His teeth, as noted in the autopsy, are perfect, suggesting he had good dental care as a child. He looks startled but also oddly pleased, as if he's just seen a clown jump out from behind a curtain. The image started to circulate online along with other pictures from his campsite, including his tent and his hiking poles.

Medicine

Linux Foundation Creates Its Own Versions of Apple/Google Coronavirus Tracing Apps (businessinsider.com)

"The Linux Foundation has formed a new group to provide public health authorities with free technology for tracking the spread of the coronavirus and future epidemics," writes Business Insider. Launched in July, the group has already released two apps "that notify users if they've been in contact with someone who has tested positive with COVID-19." Since these apps are open source, people can contribute code and customize them, allowing regions with similar needs to collaborate, general manager at Linux Foundation Public Health, Dan Kohn, told Business Insider. Developers that want to build an app off these projects can access or download the source code.

These apps take advantage of technology launched by Apple and Google, which can be integrated into any app, that uses Bluetooth on people's smartphones to track who a user has been in close proximity with, without identifying the specific people. If anyone tests positive for COVID-19 and uploads that information to a database run by a local public health authority, any user who has been in close contact with that person will get a notification through their app saying they may have been exposed — again, without identifying who has COVID-19. If someone knows that they may have been exposed, they can either self-quarantine or get tested.

"Essentially we think exposure notification could have a big impact on reducing the overall rate of exposure," Kohn said. An Oxford University study in April said that if about 60% of the population used a contact tracing app, it could grind the disease's spread to a halt. Researchers on the team also found that digital contact tracing can cut down spread even at much lower levels of usage.
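The mechanism the article describes, proximity matching that never reveals who tested positive, is easiest to see in a small simulation. The model below is an added example; it is not code from the Linux Foundation Public Health apps and it is not the Apple/Google Exposure Notification framework, whose key derivation and interval scheme differ. The names (daily key, rolling identifier, interval), the HMAC-SHA256 derivation and the 10-minute interval count are this model's own assumptions. Each phone broadcasts a fresh identifier every interval, records the identifiers it hears, and only a diagnosed user uploads daily keys; every other phone re-derives the identifiers those keys could have produced and checks them against what it heard.

```python
"""Simplified model of Bluetooth exposure-notification matching.

Added example; not code from the Linux Foundation Public Health apps nor the
Apple/Google Exposure Notification framework (whose derivation differs).
The key/identifier scheme and interval count are this model's assumptions.
"""
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # assumed 10-minute broadcast intervals


def rolling_identifier(daily_key, interval):
    """Per-interval broadcast value; unlinkable across intervals without the key."""
    msg = interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name):
        self.name = name
        self.daily_keys = {}   # day -> random key; stays on the phone unless diagnosed
        self.observed = set()  # rolling identifiers heard over Bluetooth

    def key_for_day(self, day):
        return self.daily_keys.setdefault(day, os.urandom(16))

    def broadcast(self, day, interval):
        return rolling_identifier(self.key_for_day(day), interval)

    def hear(self, identifier):
        self.observed.add(identifier)

    def diagnosis_keys(self, days):
        """What a diagnosed user uploads: daily keys only, no name, no location."""
        return [(day, self.daily_keys[day]) for day in days if day in self.daily_keys]

    def exposed(self, published_keys):
        """Re-derive every identifier the published keys could have produced
        and report a match against what this phone heard.  The matching is
        done locally, so the authority never learns who was near whom."""
        for _day, key in published_keys:
            for interval in range(INTERVALS_PER_DAY):
                if rolling_identifier(key, interval) in self.observed:
                    return True
        return False


def simulate():
    """Constructed scenario: Alice and Bob are co-located for an hour on day 3;
    Carol is elsewhere.  Bob later tests positive and uploads his keys.
    Returns (alice_exposed, carol_exposed)."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for interval in range(40, 46):
        alice.hear(bob.broadcast(3, interval))
        bob.hear(alice.broadcast(3, interval))
        carol.broadcast(3, interval)  # alone, hears no one
    authority_db = bob.diagnosis_keys(days=[1, 2, 3])
    return alice.exposed(authority_db), carol.exposed(authority_db)


if __name__ == "__main__":
    print("alice exposed, carol exposed:", simulate())
```

The privacy property follows from the split: identifiers on the air rotate and cannot be tied together by an observer, and the uploaded material is a key rather than an identity, so a phone learns only that one of the identifiers it heard belonged to a diagnosed user.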

The Courts

Grubhub Hit With Lawsuit for Listing Restaurants Without Permission (eater.com)

Two restaurants have initiated a potential class-action lawsuit against GrubHub for allegedly listing 150,000 restaurants on its site without the businesses' permission. From a report: The Farmer's Wife in Sebastopol, California and Antonia's Restaurant in Hillsborough, NC filed the suit with Gibbs Law Group, accusing Grubhub of adding their restaurants to its site despite not entering into a partnership, which causes "significant damage to their hard-earned reputations, loss of control over their customers' dining experiences, loss of control over their online presence, and reduced consumer demand for their services." Grubhub has explicitly made this false partnership part of their business strategy. Last October, CEO Matt Maloney said the company would be piloting a new initiative of adding more restaurants to its searchable database without entering into an official partnership with them, so customers would believe they had more delivery options with Grubhub, and wouldn't switch to competitors.

It works like this: if you happened to order from a non-partnered restaurant, "the order doesn't go directly to the restaurant," says the lawsuit. "It goes instead to a Grubhub driver, who must first figure out how to contact the restaurant and place the order. Sometimes it's possible to place orders with the restaurant by phone, but other times the restaurant will only accept orders in person. The extra steps often lead to mistakes in customers' orders and often the restaurant won't receive the order at all." Grubhub also wouldn't warn restaurants before they were listed, which led to restaurants suddenly being inundated with Grubhub orders they never expected. Often, Grubhub would list outdated menus with the wrong prices, or include restaurants that don't even offer take-out, leading to canceled orders. The lawsuit includes screenshots from the pages Grubhub created for The Farmer's Wife and Antonia's, using their respective names and logos. The Farmer's Wife alleges the pages are "inaccurate and suggests that The Farmer's Wife is offering to make food that it does not actually make and has never made," which the lawsuit claims hurts the restaurant's reputation, and leads customers to become frustrated with service the restaurant never agreed to provide in the first place. And both restaurants say the language Grubhub uses suggests a partnership that doesn't exist, and in Antonia's case, was actively declined when Grubhub approached them.
Further reading: Even If You're Trying To Avoid Grubhub By Calling Your Favorite Restaurant Directly, Grubhub Could Still Be Charging It A Fee; Meal-Delivery Company GrubHub is Buying Thousands of Restaurant Web Addresses, Preventing Mom and Pop From Owning Their Slice of Internet.
Privacy

CBP Refuses To Tell Congress How It's Tracking Americans Without a Warrant (vice.com)

An anonymous reader quotes a report from Motherboard: U.S. Customs and Border Protection is refusing to tell Congress what legal authority the agency is following to use commercially bought location data to track Americans without a warrant, according to the office of Senator Ron Wyden. The agency is buying location data from Americans all over the country, not just in border areas. The lack of disclosure around why CBP believes it does not need a warrant to use the data, as well as the Department of Homeland Security not publishing a Privacy Impact Assessment on the use of such location information, has spurred Wyden and Senators Elizabeth Warren, Sherrod Brown, Ed Markey, and Brian Schatz on Friday to ask the DHS Office of the Inspector General (DHS OIG) to investigate CBP's warrantless domestic surveillance of phones, and determine if CBP is breaking the law or engaging in abusive practices.

The news highlights the increased use of app location data by U.S. government agencies. Various services take location data which is harvested from ordinary apps installed on people's phones around the world, repackage that, and sell access to law enforcement agencies so they can try to track groups of people or individuals. In this case, CBP has bought the location data from a firm called Venntel. "CBP officials confirmed to Senate staff that the agency is using Venntel's location database to search for information collected from phones in the United States without any kind of court order," the letter signed by Wyden and Warren, and addressed to the DHS OIG, reads. "CBP outrageously asserted that its legal analysis is privileged and therefore does not have to be shared with Congress. We disagree." As well as not obtaining court orders to query the data, CBP said it's not restricting its personnel to only using it near the border, the Wyden aide added. CBP is unable to tell what nationality a particular person is based only on the information provided by Venntel; but what the agency does know is that the Venntel data the agency is using includes the movements of people inside the United States, the Wyden aide said.

AI

Activists Turn Facial Recognition Tools Against the Police (nytimes.com)

An anonymous reader quotes a report from The New York Times: In early September, the City Council in Portland, Ore., met virtually to consider sweeping legislation outlawing the use of facial recognition technology. The bills would not only bar the police from using it to unmask protesters and individuals captured in surveillance imagery; they would also prevent companies and a variety of other organizations from using the software to identify an unknown person. During the time for public comments, a local man, Christopher Howell, said he had concerns about a blanket ban. He gave a surprising reason. "I am involved with developing facial recognition to in fact use on Portland police officers, since they are not identifying themselves to the public," Mr. Howell said. Over the summer, with the city seized by demonstrations against police violence, leaders of the department had told uniformed officers that they could tape over their name. Mr. Howell wanted to know: Would his use of facial recognition technology become illegal?

Portland's mayor, Ted Wheeler, told Mr. Howell that his project was "a little creepy," but a lawyer for the city clarified that the bills would not apply to individuals. The Council then passed the legislation in a unanimous vote. Mr. Howell was offended by Mr. Wheeler's characterization of his project but relieved he could keep working on it. "There's a lot of excessive force here in Portland," he said in a phone interview. "Knowing who the officers are seems like a baseline." Mr. Howell, 42, is a lifelong protester and self-taught coder; in graduate school, he started working with neural net technology, an artificial intelligence that learns to make decisions from data it is fed, such as images. He said that the police had tear-gassed him during a midday protest in June, and that he had begun researching how to build a facial recognition product that could defeat officers' attempts to shield their identity. Mr. Howell is not alone in his pursuit. Law enforcement has used facial recognition to identify criminals, using photos from government databases or, through a company called Clearview AI, from the public internet. But now activists around the world are turning the process around and developing tools that can unmask law enforcement in cases of misconduct.
The report also mentions a few other projects around the world that are using facial recognition tools against the police.

An online exhibit called "Capture" was created by artist Paolo Cirio and includes photos of 4,000 faces of French police officers. It's currently down because France's interior minister threatened legal action against Mr. Cirio, but he hopes to republish them.

Andrew Maximov, a technologist from Belarus, uploaded a video to YouTube that demonstrated how facial recognition technology could be used to digitally strip away masks from police officers.

The report also notes that older attempts to identify police officers have relied on crowdsourcing. For example, news service ProPublica asks readers to identify officers in a series of videos of police violence. There's also the OpenOversight, a "public searchable database of law enforcement officers" that asks people to upload photos of uniformed officers and match them to the officers' names or badge numbers.
Science

Do the Faces of People In Long-Term Relationships Start To Look the Same? (theguardian.com)

An anonymous reader quotes a report from The Guardian: Working with her Stanford colleague, Michal Kosinski, [Pin Pin Tea-makorn, a PhD student at Stanford] scoured Google, newspaper anniversary notices and genealogy websites for photos of couples taken at the start of their marriages and many years later. From these they compiled a database of pictures from 517 couples, taken within two years of tying the knot and between 20 and 69 years later. To test whether couples' faces grew alike over time, the researchers showed volunteers a photo of a "target" person accompanied by six other faces, one being their spouse, with the other five faces selected at random. The volunteers were then asked to rank how similar each of the six faces were to the target individual. The same task was then performed by cutting-edge facial recognition software.

In the original study in 1987, the late psychologist Robert Zajonc, at the University of Michigan, had volunteers rank the photos of only a dozen couples. He concluded that couples' faces became more alike as their marriages went on, with the effect being greater the happier they were. The explanation, psychologists have argued, is that sharing lives shapes people's faces, with diet, lifestyle, time outdoors, and laughter lines all having a part to play. However, writing in Scientific Reports, Tea-makorn and Kosinski describe how they found no evidence for couples looking more alike as time passed. They did, however, look more alike than random pairs of people at the start of their relationship. Tea-makorn said people may seek out similar-looking partners, just as they look for mates with matching values and personalities.

Security

America's 'Cyber Command' Is Trying to Disrupt the World's Largest Botnet (krebsonsecurity.com)

The Washington Post reports: In recent weeks, the U.S. military has mounted an operation to temporarily disrupt what is described as the world's largest botnet — one used also to drop ransomware, which officials say is one of the top threats to the 2020 election.

U.S. Cyber Command's campaign against the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals, is not expected to permanently dismantle the network, said four U.S. officials, who spoke on the condition of anonymity because of the matter's sensitivity. But it is one way to distract them at least for a while as they seek to restore operations.

U.S. Cyber Command also "stuffed millions of bogus records about new victims into the Trickbot database — apparently to confuse or stymie the botnet's operators," reports security researcher Brian Krebs: Alex Holden, chief information security officer and president of Milwaukee-based Hold Security, has been monitoring Trickbot activity before and after the 10-day operation. Holden said while the attack on Trickbot appears to have cut its operators off from a large number of victim computers, the bad guys still have passwords, financial data and reams of other sensitive information stolen from more than 2.7 million systems around the world. Holden said the Trickbot operators have begun rebuilding their botnet, and continue to engage in deploying ransomware at new targets. "They are running normally and their ransomware operations are pretty much back in full swing," Holden said. "They are not slowing down because they still have a great deal of stolen data."

Holden added that since news of the disruption first broke a week ago, the Russian-speaking cybercriminals behind Trickbot have been discussing how to recoup their losses, and have been toying with the idea of massively increasing the amount of money demanded from future ransomware victims.

Earth

The World's First Carbon Dioxide Removal Law Database 15

Today, researchers at Columbia University launched the world's first database of carbon dioxide removal laws, providing an annotated bibliography of legal materials related to carbon dioxide removal and carbon sequestration and use. It is publicly available at cdrlaw.org. Phys.Org reports: The site has 530 resources on legal issues related to carbon dioxide removal, including such techniques as: direct air capture; enhanced weathering; afforestation/reforestation; bioenergy with carbon capture and storage; biochar; ocean and coastal carbon dioxide removal; ocean iron fertilization; and soil carbon sequestration. The database also includes 239 legal resources on carbon capture and storage, utilization, and transportation. New resources are constantly being added.

This site was created by the Sabin Center for Climate Change Law at Columbia Law School, in cooperation with the Carbon Management Research Initiative at the Center on Global Energy Policy at Columbia's School of International and Public Affairs. Generous financial support was provided by the ClimateWorks Foundation and the Earth Institute at Columbia University. The Sabin Center is also undertaking a series of white papers with in-depth examinations of the legal issues in particular carbon dioxide removal technologies. The first of these, "The Law of Enhanced Weathering for Carbon Dioxide Removal," by Romany M. Webb, has just been released.

Privacy

DHS Admits Facial Recognition Photos Were Hacked, Released On Dark Web (vice.com) 22

An anonymous reader quotes a report from Motherboard: The Department of Homeland Security (DHS) finally acknowledged Wednesday that photos that were part of a facial recognition pilot program were hacked from a Customs and Border Control subcontractor and were leaked on the dark web last year. Among the data, which was collected by a company called Perceptics, was a trove of travelers' faces, license plates, and car information. The information made its way to the Dark Web, despite DHS claiming it hadn't. In a newly released report about the incident, the DHS Office of Inspector General admitted that 184,000 images were stolen and at least 19 of them were posted to the Dark Web.

"CBP did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot," the report found. "This incident may damage the public's trust in the Government's ability to safeguard biometric data and may result in travelers' reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry." According to the new report, DHS's biometric database "contains the biometric data repository of more than 250 million people and can process more than 300,000 biometric transactions per day. It is the largest biometric repository in the Federal Government, and DHS shares this repository with the Department of Justice and the Department of Defense." "A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP's biometric data, such as traveler images, to its own company network," the report found.

"The DHS OIG made several recommendations in its report that all boil down to 'tighten up security and make sure this doesn't happen again,'" the report adds.

Australia

Chinese Intelligence Compiles 'Vast Database' About Millions Around the World (abc.net.au) 75

Australia's national public broadcaster ABC reports: A Chinese company with links to Beijing's military and intelligence networks has been amassing a vast database of detailed personal information on thousands of Australians, including prominent and influential figures. A database of 2.4 million people, including more than 35,000 Australians, has been leaked from the Shenzhen company Zhenhua Data which is believed to be used by China's intelligence service, the Ministry of State Security. Zhenhua has the People's Liberation Army and the Chinese Communist Party among its main clients.

Information collected includes dates of birth, addresses, marital status, along with photographs, political associations, relatives and social media IDs. It collates Twitter, Facebook, LinkedIn, Instagram and even TikTok accounts, as well as news stories, criminal records and corporate misdemeanours. While much of the information has been "scraped," some profiles have information which appears to have been sourced from confidential bank records, job applications and psychological profiles.

The company is believed to have sourced some of its information from the so-called "dark web". One intelligence analyst said the database was "Cambridge Analytica on steroids", referring to the trove of personal information sourced from Facebook profiles in the lead up to the 2016 US election campaign. But this data dump goes much further, suggesting a complex global operation using artificial intelligence to trawl publicly available data to create intricate profiles of individuals and organisations, potentially probing for compromise opportunities.

Zhenhua Data's chief executive Wang Xuefeng, a former IBM employee, has used Chinese social media app WeChat to endorse waging "hybrid warfare" through manipulation of public opinion and "psychological warfare"....

The database was leaked to a US academic, who worked with Canberra cyber security company Internet 2.0 and "was able to restore 10 per cent of the 2.4 million records for individuals...

"Of the 250,000 records recovered, there are 52,000 on Americans, 35,000 Australians, 10,000 Indian, 9,700 British, 5,000 Canadians, 2,100 Indonesians, 1,400 Malaysia and 138 from Papua New Guinea."

Businesses

The 'Brushing' Scam That's Behind Mystery Parcels (bbc.com) 142

If you've ever received a parcel from a shopping platform that you didn't order, and nobody you know seems to have bought it for you, you might have been caught up in a "brushing" scam. From a report: It has hit the headlines after thousands of Americans received unsolicited packets of seeds in the mail, but it is not new. It's an illicit way for sellers to get reviews for their products. And it doesn't mean your account has been hacked. Here's an example of how it works: let's say I set myself up as a seller on Amazon, for my product, Kleinman Candles, which cost $3 each. I then set up a load of fake accounts, and I find random names and addresses either from publicly available information or from a leaked database that's doing the rounds from a previous data breach. I order Kleinman Candles from my fake accounts and have them delivered to the addresses I have found, with no information about where they have been sent from. I then leave positive reviews for Kleinman Candles from each fake account -- which has genuinely made a purchase.

This way my candle shop page gets filled with glowing reviews (sorry), my sales figures give me an algorithmic popularity boost as a credible merchant -- and nobody knows that the only person buying and reviewing my candles is myself. It tends to happen with low-cost products, including cheap electronics. It's more a case of fake marketing than cyber-crime, but "brushing" and fake reviews are against Amazon's policies. Campaign group Which? advises that you inform the platform they are sent by of any unsolicited goods.