Monday, April 24, 2017

TSCM Questions We Get - "How often do you find..."

A. It depends on the type of sweep. We conduct Technical Surveillance Countermeasures (TSCM) sweeps for business and government, and rarely residential or matrimonial type sweeps. More on them later.

Our regularly scheduled, due diligence, technical information security surveys rarely turn up devices. No surprise. Organizations using our services already have a high overall security profile. They are hardened targets. For them, the bug sweep bonus is... having a known window-of-opportunity when something is found.

What we do find are other information vulnerabilities like: decayed security hardware; security policies no longer being followed; and other unseen security issues.

Discovery statistics on our "emergency sweeps" (sweeps where electronic surveillance is suspected) varies from year to year, about 2%-5%. However, the rate of determining what happened and resolving the client's concerns is extremely high. (Isn't that the real point of the exercise?) More often than not, these info-loss cases can be traced back to the human element, or the poor security practices—which allowed the leak to occur some other way.

The benefits of a TSCM sweep—with either type of sweep—make the task worthwhile.

When it comes to the residential and matrimonial sweeps, The find rate is quite high. This makes sense. The opposition's focus is narrow; they want to intercept communications and/or determine location. Electronic surveillance is the tool of choice. Solving these cases is relatively easy.

With organizations, the opposition's focus is information, in all its forms. Corporate espionage, industrial espionage, call it what you will. There is no one spy tool of choice here. It's electronic surveillance plus hundreds of other tradecraft techniques. Solving organizational emergency cases requires more than a simple TSCM bug sweep. Add-on skills include: corporate investigations, alarm system design, computer forensics, and information management to name a few.

Second to 'getting the goods', the goal of espionage and voyeurism is 'never be discovered'. Obviously, if you don't check, you won't know. The big losers are the folks who don't check.

Saturday, April 22, 2017

Quote of the Week

"Corporate espionage is not an easy thing to detect; the whole point of a spy is to remain under the radar. In order to uncover this kind of behavior, you’ll need technical controls..." Dr Jamie Graves

When Industrial Espionage Spies were a Dime a Dozen

Industrial espionage - that staple of modern thrillers, new product development and getting a jump on the competition - is nothing new. 

Click to enlarge.
In the 18th century, so many new developments in industry and the arts happened at such a rapid pace, and trendsetting luxury goods were in such high demand that industrial spies were almost a dime a dozen.

So, it was in April 1754 that a Swedish industrial spy, Reinhold Angerstein, found himself in the English town of Bilston... more

New High Seas Spybot - Submaran S10

Part sailboat - part submarine, a new remarkable drone can patrol the oceans for months without stopping, powered by only the wind and the sun.

Developed by Ocean Aero, the Submaran S10 is autonomous, able to conduct missions on its own. This drone can sail on the surface of the ocean and then transform to dive beneath the surface traveling, similar to a submarine.

The hybrid drone can dive to depths of about 660 feet, which makes it useful not only for avoiding detection, but to discreetly conduct its own surveillance as well.

Along with protecting the US coastlines, technology like this could be used to quietly monitor, surveil and collect information for defense and intelligencemore

Bad Spy, Bad Spy

Nigeria's spy chief has been suspended amid reports that a $43 million stash seized in a widely trumpeted apartment raid belonged to his agency.

Nigerian President Muhammadu Buhari suspended Ayodele Oke, director-general of the National Intelligence Agency, over the April 12 raid, Buhari aide Femi Adesina said.

When Nigeria's anti-corruption agency raided an upscale apartment in Lagos, Nigeria's largest city, agents found more than $43 million as well as 23.2 million naira (Nigerian currency worth about $76,000) and £27,800 (about $35,000).

The Economic and Financial Crimes Commission said the funds were suspected to be linked to unlawful activity. more

Thursday, April 20, 2017

Cyber Security — How Much Your Company Should Budget

The board and executives of organizations must protect the assets of the business.

Seven out of ten Target board members were ousted and the CEO was fired — they had no visibility into the risk that cyber had on the business.

Cyber risk must be understood in dollars and cents to communicate in a language that the board and executives understand. Only then can senior executives have a cyber strategy that allows them to protect the assets properly...

The bottom line is organizations have to be in front of cyber, not behind. We must proactively bake security in — not bolt it on. We have to be strategic in our thinking and not reactive. more

400 Google Play Store Apps Have Been Compromised with BankBot

A new Malware has been spotted in the wild targeting Google Play Store apps.

The malware has been dubbed as “BankBot” by security researchers... So far at least 400 Google Play Store apps have been compromised. 

The attacking mechanism: Once downloaded, the malware tricks users into gaining administrative privileges before removing the icon of the app, letting the user think that the app has been deleted. In reality, however, the app continues to work in the background!

That’s not all; the Botnet is designed to display fake screens disguised as banking apps, encouraging the users to put credit card information and other login credentials. As soon as the app gets what it wants, the credentials are then passed on to the hacker through a control and command (C&C) server. more

Bose Knows... what you're listening to.

At least that's the claim of a proposed class-action lawsuit filed late Tuesday in Illinois that accuses the high-end audio equipment maker of spying on its users and selling information about their listening habits without permission.

The main plaintiff in the case is Kyle Zak, who bought a $350 pair of wireless Bose headphones last month. He registered the headphones, giving the company his name and email address, as well as the headphone serial number. And he download the Bose Connect app, which the company said would make the headphones more useful by adding functions such as the ability to customize the level of noise cancellation in the headphones.

But it turns out the app was also telling Bose a lot more about Zak than he bargained for. more

The Zak attack is a cautionary tale. Perhaps we should all create alter egos to nullify this type of privacy invasion. ~Kevin

Wednesday, April 19, 2017

Printer Wi-Fi Security - Your Network's Achilles Heel

Ben Vivoda, director of printing systems for HP, has warned that the threat to a business via a printer is more important than ever...

In 2016, over 70 percent of successful hacking events started with an endpoint device, Vivoda said, noting that endpoint devices are no longer restricted to PCs and notebooks...

"Typically, we're seeing the printer gets left out and overlooked and left exposed. Businesses can no longer afford to overlook print when it comes to their overall IT cybersecurity strategy." more

Spybuster Tip #523 - If the printer can be accessed without Wi-Fi, turn that feature off. If you need the Wi-Fi connection, turn the encryption feature on. If you can't tell if it is on or off, or you have too many printers to check one-by-one, call a TSCM specialist. They can quickly conduct a Wi-Fi Security and Compliance Analysis for you.

Tuesday, April 18, 2017

Corporate Boards Still Unprepared for Challenge of Cybersecurity

Tom Ridge, the former Homeland Security secretary and Pennsylvania governor, says the majority of corporate boards and CEOs are unprepared for the challenges posed by rising cyber risk.

In fact, 59% of directors report that their boards find it challenging to oversee cyber risk, and only 19% report that their boards possess a high level of knowledge about cybersecurity, he said, citing a study released in March by the National Association of Corporate Directors...

“Most board members don’t want to be technologists. We didn’t design these 16 hours for them to be technologists. We designed it for them to be better educated and to meet their fiduciary responsibilities,” Mr. Ridge said during a meeting with CIO Journal. "It’s top down. This is the CEO saying ‘we are changing now.'" more

Raising awareness comes not a moment too soon. The next step is integrating this into the corporate security program. Learn how, now.

Common Bugs

Spy tools are no longer esoteric, expensive and difficult to obtain. 

Some bugs are built into everyday objects - like pens, power strips and key fobs.

The result...
The average person can engage in eavesdropping and spying cheaply; doing it better than the professionals did only ten years ago - with less chance of being discovered. So they do!

Spy Trick Awareness

1. Digital audio/video recorders are very small, and absolutely silent. No moving parts. Inexpensive. Some are smartphone apps, others are built into wristwatches and key fobs.

The trick...
These devices are easily hidden on-the-body, or look like everyday objects. They can be activated by a timer, or when they hear sound, or see movement. Some devices can even stream live video.

In adversarial meetings, the other party may leave the room to make a call, or go to the restroom, and leave one of these behind in a coat, briefcase or notepad.

Assume you are being recorded. 

2. GSM bugs are designed to be bugs and nothing else. They are basically one-way, dumb cell phones. No keypad. No display. No speaker. They are available on the Internet for less than $20.

The trick...
The snoop plugs in a SIM card and hides the device. From then on, they can call-to-listen, from anywhere.

Some devices might have to be retrieved periodically to refresh the battery, or retrieve the recording. Other devices might be wired to the mains and transmit their data via LAN, Wi-Fi, light or radio waves.

Spybuster Tips: