Friday, September 30, 2011

When Brain Sucking Smartphone Spiders Meet Badges

You may have heard about Cellebrite's Universal Forensic Extraction Device (UFED) in the news lately. Given physical possession of a cell phone, it gives law enforcement officials the ability to copy most of the data on it within a few short minutes.

When it became known that the Michigan State Police had the tool, and questions were raised about whether it was being used on cell phones during traffic stops, the ACLU took notice... You'd be surprised to see just how much data today's smartphones can store -- and police can access...

What's up for grabs?

"...all of our contacts, call logs, voicemails, text messages (deleted ones too), all our notes, recent map searches, Facebook contacts, all locations (WiFi and Cellular), and current and deleted photos." (more)

Tip: A warrantless extraction relies on your consent. You can give up your phone voluntarily, or hold out for a search warrant.

Insanely Great Battery Volt Jolt

Researchers from the National University of Singapore's Nanoscience and Nanotechnology Initiative (NUSNNI) have created what they claim is the world's first energy-storage membrane. Not only is the material soft and foldable, but it doesn't incorporate liquid electrolytes that can spill out if it's damaged, it's more cost-effective than capacitors or traditional batteries, and it's reportedly capable of storing more energy.

The membrane is made from a polystyrene-based polymer, which is sandwiched between two metal plates. When charged through those plates, it has a capacitance of 0.2 farads per square centimeter - standard capacitors, by contrast, typically manage an upper limit of about 1 microfarad per square centimeter.

Due in part to the membrane's low fabrication costs, the cost of storing energy in it reportedly works out to 72 cents US per farad. According to the researchers, the cost for standard liquid electrolyte-based batteries is more like US$7 per farad. This in turn translates to an energy cost of 2.5 watt-hours per US dollar for lithium-ion batteries, whereas the membrane comes in at 10-20 watt-hours per dollar. (more) (sing-a-long)

FutureWatch: If this is true, our world is going to take an interesting twist.

Thursday, September 29, 2011

6 Real World Spy Gadgets Straight Out of the Movies

#1. Hidden Guns
It's the most obvious spy gadget of them all: A gun that doesn't look like a gun. But while you've probably seen the odd shotgun cane or rifle umbrella (hopefully before it was too late), the sheer depth and breadth of tiny guns hidden in mundane objects might surprise you...

#2. U.S. Embassy Seal
Presented to the U.S. Ambassador by Soviet schoolchildren, this Great Seal of the United States hung proudly in the man's office in Spaso House from 1946 to 1952. Well, after a good bug scan, of course, which turned up nothing. The ambassador wasn't a fool: He knew the Soviets were desperately trying to bug everything they could get their hands on...

#3. Compass Buttons
If one of your soldiers is captured and placed in a POW camp, you want to make sure he's as well-prepared for escape as possible. After all, breaking out of prison is just the first step...

#4. Martini Olive
Budding mad scientist Hal Lipset specialized in inserting audio devices into seriously inappropriate places...

#5. Poop
In the Vietnam War, it was common for U.S. soldiers to litter the Vietnamese countryside with mounds of fake tiger shit. Why? To demoralize the enemy? To attract other tigers to their position? Just because it was funny? Nope: Because they had...

#6. Umbrella Dart Gun
Georgi Markov was a pair of freedom-loving bohemian testicles resting gently on the forehead of communist Bulgaria. His writing was winning all sorts of awards and stirring anti-communist movements all across Europe. Clearly, they had to get those balls off their face, and stat. So... 

You would have to be mad not to love how cracked.com wrote this up! Thanks for including us, Eric! (more)

Beware the Cell Sucking Spiders

...a gray hat app developer has released into the wild five tools purportedly for "study purposes" that can clean out all the data on an Android smartphone in less than a minute.

Based on information from virus researchers at BitDefender, here's how the tools work.

When any of the apps is loaded on a victim's phone, they can be activated remotely by a cyber thief. Once activated, it sends a five digit pass code to the phone's intruder and secretly uploads the device's contacts, messages, recent calls, and browser history into the developer's space in the Android Cloud. After copying the data from the phone, the apps uninstall themselves so a target won't know they were even on their mobile...

This latest attack on Android phones is just one of many this year. In fact, the phones are seen as a ripe target for mobile miscreants. According to a report released by a cybersecurity software maker in August, attacks on Android by malware writers jumped 76 percent over the previous three months, making it the most assaulted mobile operating system on the planet.

Some of that malware has been devilishly clever. For example, a bad app called Soundminer listens to conversations on an Android phone and is able to recognize when a credit card is spoken. After identifying such a number, it snips it from the conversation it has been recording and sends it to a Web baddie. (more) (further advice)

Trumped by KickButtTakeNames.com...

A web proxy service has come under fire after a federal indictment revealed that the company cooperated with U.S. authorities in their investigation into the hacking of SonyPictures.com.

HideMyAss.com, a VPN service that encrypts one's traffic to enable users to surf the web anonymously, was ordered by a U.K. judge, at the request of FBI agents, to release log information about an Arizona man (Cody Kretsinger) who was arrested Thursday for his role in the Sony intrusion...

But now, as Kretsinger awaits prosecution, HideMyAss.com faces criticism from privacy advocates and users who believe the service went back on its promise. (more)

Moral: a VPN hides your address from the sites you visit, not from the VPN provider. If the provider keeps connection logs, a court can compel them, and "anonymous" ends there.

Circuit Court Judge David Frankland - Privacy Hero

2009 - Michael Allison brought a digital recorder to the Crawford County Courthouse in Downstate Robinson (Illinois), where he was contesting a citation, because he had been told there would be no official transcript of the proceedings. He was immediately confronted by Circuit Judge Kimbara Harrell, who accused him of violating her privacy and charged him with eavesdropping, a felony punishable by up to 15 years in prison.

Because Allison had recorded conversations about his legal situation with police and other local officials, he soon faced four more eavesdropping charges, raising his possible sentence to 75 years. The case against Allison vividly shows how the Illinois Eavesdropping Act, the target of a constitutional challenge that was recently heard by a federal appeals court, undermines transparency, civil liberties and legal equality. (more)


2011 - Michael Allison, an Illinois man who faced a potential sentence of 75 years in prison for recording police officers and attempting to tape his own trial, caught a break last week when a state judge declared the charges unconstitutional. "A statute intended to prevent unwarranted intrusions into a citizen’s privacy cannot be used as a shield for public officials who cannot assert a comparable right of privacy in their public duties," wrote Circuit Court Judge David Frankland. "Such action impedes the free flow of information concerning public officials and violates the First Amendment right to gather such information." (more)

How Long are Your Cell Phone Records Kept?

Find out here.

The nation’s major mobile-phone providers are keeping a treasure trove of sensitive data on their customers, according to a newly released Justice Department internal memo that for the first time reveals the data retention policies of America’s largest telecoms.

The biggest difference in retention surrounds so-called cell-site data: the record of a phone’s movements, reconstructed from its connections to mobile phone towers as it travels.

Verizon keeps that data on a one-year rolling basis; T-Mobile for “a year or more;” Sprint for up to two years; and AT&T indefinitely (its records go back to July 2008). (more)

Wednesday, September 28, 2011

Reading Recommendations from Privacy Journal

Query: I am a subscriber to your journal. Very informative. Could you please suggest a couple good references (journal articles, books, etc.) that discuss privacy and information retrieval?
 
From Privacy Journal's staff...
Publisher Robert Ellis Smith makes these recommendations:
“Principles for Government Data Mining” by The Constitution Project
Need an expert witness on privacy? Smith is your man. Privacy Journal has a worldwide subscriber audience and is based in Providence, RI. Address: P.O. Box 28577, Providence, RI 02908. Phone: 401-274-7861.

Free Likejacking Prevention — Plug-In for Firefox, Google Chrome and Safari

ThreatLabZ, the research arm of Zscaler, has released a free tool to combat what it calls the biggest threat on Facebook -- likejacking.

Called Zscaler Likejacking Prevention, it was developed for the sole purpose of helping consumers avoid being victimized.

This popular attack is a form of clickjacking: the scam page loads Facebook's "Like" button in an invisible frame positioned over a visible decoy (a fake video, survey or web link), so the victim's click lands on the hidden button. The resulting "Like" shows up in the victim's feed, propagating the scam as it spreads virally from one person to their network, and on to their networks’ networks, and so on. (download) (more)
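The defense on the site-owner's side is a response header that forbids framing. The following script is an added example of mine, not part of the original post and not Zscaler's tool: it classifies a page's headers the way a browser would (CSP frame-ancestors first, then the older X-Frame-Options) and builds the decoy page an attacker uses when the verdict is "open". The header sets and URLs are constructed samples.

```python
"""Check whether a page can be framed (and so likejacked), and show the
decoy page an attacker builds when it can.

Added example, not part of the original post or of the Zscaler tool.
Likejacking needs the target (a Like button, a page with a share widget)
to load inside the attacker's <iframe>; the defence is a response header
that forbids framing: Content-Security-Policy frame-ancestors, or the
older X-Frame-Options.  The header sets below are constructed samples.
"""
import html
from typing import Dict, List, Optional


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_verdict(headers: Dict[str, str], our_origin: str) -> str:
    """Classify a response: 'blocked', 'same-origin', 'restricted' or 'open'.

    'open' means any site may frame the page, which is what clickjacking
    needs.  Browsers honour CSP frame-ancestors over X-Frame-Options when
    both are present, so this check does too.  Header names are matched
    case-insensitively; `our_origin` is the checked page's own origin.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    sources = _frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:
        if not sources or sources == ["none"]:   # an empty list means 'none'
            return "blocked"
        if "*" in sources:
            return "open"
        if all(s in ("self", our_origin.lower()) for s in sources):
            return "same-origin"
        return "restricted"
    xfo = lower.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers; anything
    # else (missing or malformed) leaves the page frameable.
    return "open"


def decoy_page(target_url: str, bait: str = "Play video") -> str:
    """The attacker's page: a visible bait button under an invisible frame.

    The frame carries the target and sits on top (opacity 0, higher
    z-index), so the victim's click on the bait goes to the framed
    button instead.  Only works when framing_verdict(target) == 'open'.
    """
    return (
        "<!doctype html><html><body>\n"
        f'<button style="position:absolute;top:40px;left:40px">{html.escape(bait)}</button>\n'
        f'<iframe src="{html.escape(target_url, quote=True)}" '
        'style="position:absolute;top:0;left:0;width:320px;height:120px;'
        'opacity:0;z-index:10"></iframe>\n'
        "</body></html>"
    )


if __name__ == "__main__":
    samples = {   # constructed header sets
        "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "legacy":   {"X-Frame-Options": "SAMEORIGIN"},
        "partner":  {"content-security-policy": "frame-ancestors 'self' https://partner.example"},
        "naked":    {"Content-Type": "text/html"},
    }
    for name, hdrs in samples.items():
        print(f"{name:9s} -> {framing_verdict(hdrs, 'https://www.example.com')}")
    print(decoy_page("https://www.example.com/like?item=42"))
```

Run it against the headers your own site returns (curl -I is enough to collect them); any page that comes back "open" and carries a button worth stealing a click on is a likejacking candidate.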

Citizen Shame

S. Korea - With his debts mounting and his wages barely enough to cover the interest, Im Hyun-seok decided he needed a new job. The mild-mannered former English tutor joined South Korea’s growing ranks of camera-toting bounty hunters.

Known here sarcastically as paparazzi, people like Mr. Im stalk their prey and capture them on film. But it is not celebrities, politicians or even hardened criminals they pursue. Rather, they roam cities secretly videotaping fellow citizens breaking the law, deliver the evidence to government officials and collect the rewards.

“Some people hate us,” said Mr. Im. “But we’re only doing what the law encourages.” (more)

P.S. “I’m making three times what I made as an English tutor,” said Mr. Im, 39, who began his new line of work around seven years ago and says he makes about $85,000 a year.

Business Espionage Alert: Embedded Web Servers

Many types of Web-connected photocopiers, scanners, and VoIP servers ship with no password set, or with a well-known default one, and with no other security enabled to stop remote eavesdropping.

Numerous models of printers, photocopiers, and voice over IP (VoIP) systems are Internet-connected. But their embedded Web servers often use well-known default passwords or firmware that has known vulnerabilities, either of which could be used by remote eavesdroppers to intercept internal communications...

Web-accessible photocopiers and the like are essentially repositories of any recent documents or communications of interest, and thus could serve as a competitive intelligence treasure trove.

Some devices even offer would-be attackers time-saving shortcuts. Certain models of Sharp photocopiers, for example, can be set to upload all scanned or copied documents to an external site via FTP, or email them to an outside email address. Meanwhile, some HP all-in-one printers have a feature called Webscan, which allows anyone with a browser to scan and download whatever is on the scanner bed. (more)
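The practical check is an inventory sweep for exactly those two conditions: an admin page that accepts a vendor default, and a scan or retrieval page that needs no login at all. The script below is an added example of mine, not from the original article or any vendor; it stands up a throw-away in-process HTTP server that behaves like such a device so the audit can run offline, and the credential list is an illustrative assumption rather than a vendor reference.

```python
"""Audit embedded web servers for default credentials and open scan pages.

Added example; not from the original post or from any vendor.  A
throw-away in-process HTTP server stands in for a networked printer so
the audit runs offline; point audit_device() at real inventory URLs and
replace DEFAULT_CREDS with your fleet's vendor defaults (the pairs below
are illustrative assumptions, not a vendor reference).
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed for the demo: what the fake device accepts on /admin.
FAKE_DEVICE_CREDS = ("admin", "admin")

# Illustrative default-credential guesses (assumption, not a vendor list).
DEFAULT_CREDS = [("admin", ""), ("admin", "admin"), ("admin", "password")]


class FakePrinter(BaseHTTPRequestHandler):
    """Minimal stand-in: /admin wants Basic auth, /webscan wants nothing."""

    def do_GET(self):
        if self.path == "/webscan":
            self._reply(200, b"<html>scanner-bed image would be here</html>")
            return
        if self.path == "/admin":
            expected = base64.b64encode(":".join(FAKE_DEVICE_CREDS).encode()).decode()
            if self.headers.get("Authorization") == f"Basic {expected}":
                self._reply(200, b"<html>device configuration</html>")
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="printer"')
                self.end_headers()
            return
        self._reply(404, b"")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_device():
    """Start the stand-in device on a free loopback port; return (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), FakePrinter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


def _status(url, creds=None, timeout=3):
    """HTTP status for a GET, optionally with Basic credentials."""
    req = Request(url)
    if creds:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def audit_device(base_url):
    """Findings for one device: which default pair works, and whether the
    scan page is reachable without any credentials."""
    findings = {"default_creds": None, "open_webscan": False}
    for creds in DEFAULT_CREDS:
        if _status(base_url + "/admin", creds) == 200:
            findings["default_creds"] = creds
            break
    findings["open_webscan"] = _status(base_url + "/webscan") == 200
    return findings


if __name__ == "__main__":
    url, srv = start_fake_device()
    try:
        print(audit_device(url))
    finally:
        srv.shutdown()
```

Against a real fleet, feed the loop a list of device addresses from your asset inventory and treat any hit as a finding to fix that day: set a unique password, disable the unauthenticated scan and FTP/e-mail forwarding features, and keep the device off any network segment reachable from the Internet.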

Tuesday, September 27, 2011

New York’s senior senator Charles Schumer wants the feds to investigate OnStar’s controversial new privacy policy, and demanded the Detroit navigation-and-emergency company refrain from monitoring vehicles after customers cancel service.

“By tracking drivers even after they’ve cancelled their service, OnStar is attempting one of the most brazen invasions of privacy in recent memory,” Schumer, a Democrat, said in a statement Monday. “I urge OnStar to abandon this policy and for the Federal Trade Commission to immediately launch a full investigation to determine whether the company’s actions constitute an unfair trade practice.”

OnStar last week began e-mailing customers about its update to the privacy policy, which grants OnStar the right to sell GPS-derived and other data in an anonymized format. That data might include a vehicle’s location, speed, odometer reading and seatbelt usage. Schumer also asked the company, a General Motors subsidiary, not to sell that data. (more)

Search in Secret

Startpage.com now offers Google search results in complete privacy!

"When you perform a web search through Startpage, we remove all identifying information from your query and submit it to Google anonymously through our own servers. We obtain Google's search results and serve them to you in total privacy. Then we delete all records of your visit.

Your IP address is not recorded, your visit is not logged, and no tracking cookies are placed on your browser. In fact, Startpage does not record any information about its users. Nothing. Nada. Zilch. And Google never sees you at all."

Caveat: that promise is Startpage's word, not something a user can verify. What you gain is that Google never sees your query tied to you; what you take on is trusting Startpage instead.

In China, business travelers take extreme precautions to avoid cyber-espionage

Packing for business in China? Bring your passport and business cards, but maybe (definitely) not that laptop loaded with contacts and corporate memos.

China’s massive market beckons to American businesses — the nation is the United States’ second-largest trading partner — but many are increasingly concerned about working amid electronic surveillance that is sophisticated and pervasive.

Security experts also warn about Russia, Israel and even France, which in the 1990s reportedly bugged first-class airplane cabins to capture business travelers’ conversations...

But China’s brazen use of ­cyber-espionage stands out because the focus is often corporate, part of a broader government strategy to help develop the country’s economy, according to experts who advise American businesses and government agencies.

“I’ve been told that if you use an iPhone or BlackBerry, everything on it — contacts, calendar, e-mails — can be downloaded in a second. All it takes is someone sitting near you on a subway waiting for you to turn it on, and they’ve got it,” said Kenneth Lieberthal, a former senior White House official for Asia who is at the Brookings Institution. (more)

Want to increase the level of information security in your offices in China? We've been there. We can help.

Tuesday, September 20, 2011

World's First Concept Wireless Phone?

1922 - The umbrella is being used as the antenna. The fire hydrant is the ground. Good concept so far, but where is the battery?

From British Pathé - "The world's finest news and entertainment video film archive."
You can view and buy films and still photographs from the entire archive of 90,000 videos covering newsreel, sports footage, social history documentaries, entertainment and music stories from 1896 to 1976. (more)

Security Letter Book Review - "Is My Cell Phone Bugged?"


RECOMMENDED BOOK: IS MY CELL PHONE BUGGED? Savvy readers have known for decades that cell phones are two-way radios. That means that someone else who homes in on the transmission can listen to everything that’s being said. But the matter is a quantum more serious when the cell phone itself has been rigged so that a third party can listen anytime, anywhere without discovery.
Kevin D. Murray has been a well-regarded consultant for over three decades in electronic eavesdropping detection and countermeasures. He has a knack for explaining problems and their controls in simple language, as this book reflects. While the focus is on cell phone vulnerabilities, other electronic communications risks are discussed as well.
“We’ve got a problem with communications.” Many security practitioners face ongoing frustrations in limiting confidential information from being discussed over cell phones. This book reveals the fragility of cell phone communications. It also offers other tips to protect cell phone communications.
Murray is like an anti-eavesdropping missionary. His book is a real value. It also comes with a free SpyWarn Mobile™ to help conduct your own cell phone diagnosis. Pub. by: Emerald Book Co., www.ismycellphonebugged.com 158 pp. includes the SpyWarn Mobile token; $17.95.

Thank you!

Friday, September 16, 2011

Annual Espionage Research Institute Meeting in DC

The world's top technical surveillance countermeasures specialists are meeting today through Sunday. If you're planning on planting a bug, now would be a good time. The cats are away.

Here is what they will be learning today...
• Blocking Competitive and State Sponsored Threats
• The Future of TSCM
• GSM Cell Phone Bug Detection using AirPatrol
• GSM and Hybrid Devices
• TSCM Product Demos
• Kestrel TSCM Software
• TSCM Inside Out

Oh, and that bug you planted. These cats will be back.


Thursday, September 15, 2011

Where Can You Buy A Bug in Washington, DC?

...at the International Spy Museum, of course...
Audio Bug
Price: $25.00
Code: 17039
Product Facts: The walls have ears…and now, thanks to Audio Bug, so can tables, windows, bookshelves, and lockers! Use the attached suction cup to stick this clever bug where it won’t be seen. With the voice-activation feature, it will start recording when your adversaries start talking or if they make noise when snooping in your headquarters. A hidden speaker records the audio — play it back at the touch of a button. Save your files and upload the evidence to your computer with the secret USB connector. Then start bugging again!

Technical Data: Ages 8 and up. Plastic and metal. Black/silver/orange. 3-1/2” x 1” x 1”. Requires 1 AAA battery, not included. (more)

Next question...
How can you find a bug in Washington, DC? (more)

Wednesday, September 14, 2011

Tip: Remove the Secret Stuff From Your Smartphone Today

Back in March, Scarlett Johansson's name popped up on a list of celebrities who found themselves the target of hackers who broke into their cell phones and leaked nude photos and video.

With sultry X-rated pics of the sex symbol surfacing today on various gossip sites, ScarJo's fighting back by reaching out to the feds to find the perpetrators. (more)

Tuesday, September 13, 2011

Jackie, oh!

According to interviews, Jackie Kennedy gives "tart commentary on former presidents, heads of state, her husband's aides, powerful women, women reporters, even her mother-in-law." 

She also said Martin Luther King Jr. was "a phony" whom electronic eavesdropping had caught arranging encounters with women. (more)
She also admits to eavesdropping on her husband and his advisers one morning when the emergency committee in charge of the crisis gathered in the Oval Room, unbeknownst to the press.

"So then, I went in the Treaty Room where I well, just to fiddle through some mail or something, but I could hear them talking through the door. And I went up and listened and eavesdropped," she confided. (more)

The News of the World Phone Hacking Scandal Continues

UK - As the UK parliament's inquiry into News of the World phone-hacking scandal continues, there's a lot of back-and-forth going on with regards to who knew what was happening - and when.

Immediately after the major players testified in July, it appeared that a bit of a calm before the storm was on the horizon. Things went silent for a bit. But that's changed now as new allegations, arrests and concerns have brought about new questions and evidence in the case.

To start with, a former lawyer for News of the World testified that News Corp. executive James Murdoch must have known that illegal phone hacking at the News of the World newspaper was not confined to the single journalist who was imprisoned for it. Tom Crone, who was legal manager of the paper, said Murdoch would only have given Crone authority to settle a lawsuit against News of the World if he had understood that there had been more illegal eavesdropping. (more)

Friday, September 9, 2011

They are very busy. That's why they're called busybodies.

UK - Millions of adults are self-confessed computer hackers, with more than one in 10 (13%) admitting they have accessed someone else's online account without permission.

According to research by life assistance company CPPGroup Plc (CPP), the most common 'casual' hacking takes place on Facebook and other social network sites. And while this will often be viewed as harmless spying, many admitted to accessing personal and work emails, money transaction portals such as PayPal and online banking sites.

Many people (32%) casually dismissed their hacking as something they did 'just for fun' while others admitted they did it to check up on their other half (29%) or a work colleague (8%). But it wasn't all passive spying - two per cent had very different motives admitting they did it for financial gain. (more)

Missing Email? Maybe it was Doppelganged!

Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months.

The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.

“Twenty gigs of data is a lot of data in six months of really doing nothing,” said researcher Peter Kim from the Godai Group. “And nobody knows this is happening.”

Doppelganger domains are ones that are spelled almost identically to legitimate domains, but differ slightly, such as a missing period separating a subdomain name from a primary domain name – as in the case of seibm.com as opposed to the real se.ibm.com domain that IBM uses for its division in Sweden. (more)
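The defensive move is to enumerate your own doppelgangers before someone else does, register the ones that matter, and have the mail gateway warn when an outbound message is addressed to one. The script below is an added example of mine, not part of the original post or of the Godai Group research; it implements only the transformation the article describes (dropping a dot between a subdomain and its parent), and the domain list and addresses are constructed except for the se.ibm.com case from the text.

```python
"""Generate the doppelganger domains of your own mail domains and flag
outbound recipients that use one.

Added example, not part of the original post or of the Godai Group
research.  The only transformation implemented is the one the article
describes: dropping the dot between a subdomain and its parent
(se.ibm.com -> seibm.com).  Domain lists and addresses are constructed.
"""
from typing import Iterable, List, Set


def doppelgangers(fqdn: str) -> List[str]:
    """Dotless variants of `fqdn`: each internal dot dropped, one at a time.

    The final dot (before the TLD) is never dropped; every earlier one is
    a candidate, so a.b.example.com yields ab.example.com and a.bexample.com.
    """
    labels = fqdn.lower().strip(".").split(".")
    variants = []
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.append(".".join(merged))
    return variants


def build_watchlist(our_domains: Iterable[str]) -> Set[str]:
    """Every doppelganger of every domain we send mail from."""
    watch: Set[str] = set()
    for domain in our_domains:
        watch.update(doppelgangers(domain))
    return watch


def flag_recipients(recipients: Iterable[str], watch: Set[str]) -> List[str]:
    """Recipient addresses whose domain part is on the watchlist, in order."""
    flagged = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower().strip()
        if domain in watch:
            flagged.append(addr)
    return flagged


if __name__ == "__main__":
    # Constructed: the subdomains this company sends mail from.
    our_domains = ["se.ibm.com", "us.example.com", "mail.eu.example.com"]
    watch = build_watchlist(our_domains)
    print("register or block:", sorted(watch))
    # Constructed outbound recipients; one typo per line is all it takes.
    outbound = ["alice@seibm.com", "bob@se.ibm.com", "carol@usexample.com"]
    print("misaddressed:", flag_recipients(outbound, watch))
```

Pair the watchlist with a DNS lookup: a doppelganger that already has an MX record is one somebody else has set up to receive your mail, and those are the ones to escalate first.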

If you use mobile devices, malware will come

IT people who try to secure mobile devices in a big company face three big conceptual problems.

First, many, if not most, of the smartphones and tablets are from Apple. Both veteran and rookie users tend to believe Apple devices aren't vulnerable to malware and hacks, so users don't need to take any precautions.

Second, even non-Mac users tend to think security is already built in to their smartphones or tablets, so they also resist efforts to install antivirus, firewall, or other additional security on what are often their own systems.

Third, the fastest-growing malware segment targets Adobe applications rather than the traditional browser or operating system, doing an end run around the expectations of both users and many IT security people, according to analysts at the security vendors McAfee and Commtouch. (more)

Thursday, September 8, 2011

Sick of Snooki? Tired of Trump? Fab-a-dab-a-Zap Shutdafacesup!

MAKE video producer Matt Richardson from Brooklyn shows you how to use an Arduino microcontroller to mute your television based on keywords found in the broadcast's closed captioning transcription. You can rest easy knowing that you'll never have to hear about Kim Kardashian—or whoever you're sick of—again! 

"A while ago it was Charlie Sheen. And then it was Sarah Palin. And then it was Donald Trump," said Richardson, who is a video producer for Make Magazine. "And after a while I realized there's sort of always someone who I don't really want to hear about."

Like any good hacker, Richardson decided to come up with a fix: He developed a do-it-yourself TV remote control that will automatically mute the television when certain celebrity names are mentioned.

He plans to debut and explain the hack at the upcoming Maker Faire event in New York. The name of his talk is "Enough Already: Silencing Celebs with Arduino." (more) (Wanna go?)

University Senior Management Bugging Confirmed

South Africa - The offices of senior management at Tshwane University of Technology (TUT) had been bugged, acting director-general of the Department of Higher Education and Training Gwebinkundla Qonde confirmed. The bugging was discovered by newly appointed administrator Prof Themba Mosia, Mr Qonde said. (more)

Blackern’ a blacksmith’s apron or Bum Steer?

TX - An emergency city council meeting in Bandera turned into a showdown with the police chief Wednesday night. Council member Maggie Schumacher publicly accused a police lieutenant of bugging the municipal building, an allegation Chief Jim Eigner denies.

"He (Lt. Neil McLean) said, 'we tape everything in this building.' He said this is a public building and we tape everything,'" Schumacher said.

Schumacher was referring to a conversation she had with Lt. McLean earlier today at the police department. A computer tech was there to make a backup of the entire police department computer system and Schumacher says Lt. McLean resisted. She called the Bandera County Sheriff's Office to step in. (more)

You decide.

Libyan spy files detail Gadhafi regime's collapse

As the uprising grew against Moammar Gadhafi, secret reports from his vaunted intelligence service flowed back to Tripoli. Some were mundane — how agents erased anti-regime graffiti. Others were more deadly — a spy volunteered to poison rebel leaders' food and drink.

The reports grew more desperate as the Libyan rebellion veered into civil war: Military leaders in the western mountains were disregarding orders; troops in the city of Misrata ran out of ammunition, turning the situation into "every man for himself."

These reports and hundreds of other intelligence documents seen by The Associated Press in Tripoli trace how the tide shifted in the six-month uprising that ended Gadhafi's 42-year reign. They show how an authoritarian regime using all its means failed to quash an armed rebellion largely fueled by hatred of its tools of control. (more) (sing-a-long CD found in spy HQ)

SpyCam Story #623 - Gumshoe the Cable Guy

Spy Camera Designed to Look Like a Cable TV Box
MI - An Addison Township man said Accident Fund Insurance Company of America had a spy camera placed on his property illegally.

Rob Guzanek said a private investigation firm placed the camera to spy on his neighbor, Dana Fredericks, who has filed a disability claim at work for a bad back. However, Guzanek said the company illegally installed the battery-operated surveillance camera in a clearing where workers cut into his hedgerow. (more)

The Suite Life of (names withheld due to age and stupidity)

Vanessa Hudgens was left furious when she found out teenage boys had been spying on her sunbathing topless.

The former High School Musical star was lying topless in the garden of her Hollywood home when she heard the dreaded sound of giggly teenage boys.

"Vanessa's yard is very private, except for a small area that apparently affords a bird’s-eye view from the balcony of the house just above her, and that’s where three teen boys were peeking down at her, laughing and whistling," a source said. (more)

Wednesday, September 7, 2011

Wireless Microphone Eavesdropping at Business Hotel Conference Centers


Wireless presenter microphones are commonly used in corporate boardrooms, auditoriums, and hotel conference centers. I have even found them being used as desk microphones in "secure" government conference rooms when running wires was not desired.

Big mistake. The vast majority of wireless microphones use analog frequency modulation (FM) as their method of transmission, the same scheme as broadcast FM radio, with no encryption of any kind. Eavesdropping on these transmissions is easy: anyone with a receiver that covers the band can listen from outside the room.

I created this video to quickly explain the problem.

There are secondary problems as well...
• Microphones accidentally left 'on' from previous meetings.
• Just having these microphones around makes them available for eavesdroppers to use as bugs. Even if discovered there is plausible deniability. Who is to say it was not left 'on' accidentally?
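To make concrete why an analog FM microphone is an open broadcast, here is an added example of mine, not part of the original post or the video: it synthesises a short FM transmission of a test tone standing in for a speaker's voice, then recovers the tone with a textbook discriminator (the phase step between successive samples). A hobby scanner or a software-defined radio tuned to the carrier does exactly this; there is no key or pairing to defeat. All signal parameters are constructed.

```python
"""Why an analog FM wireless microphone is an open broadcast.

Added example, not from the original post.  It simulates the FM
modulation a wireless mic performs and recovers the audio with the
discriminator every FM receiver implements: the phase difference between
successive complex baseband samples.  No secret is involved at any step.
All parameters (sample rate, deviation, tone) are constructed.
"""
import cmath
import math
from typing import List

FS = 48_000          # sample rate (Hz) of the simulated baseband
DEVIATION = 5_000    # peak frequency deviation (Hz) when |m(t)| = 1


def make_tone(freq_hz: float, seconds: float) -> List[float]:
    """Audio message m(t): a sine in [-1, 1], standing in for speech."""
    n = int(FS * seconds)
    return [math.sin(2 * math.pi * freq_hz * i / FS) for i in range(n)]


def fm_modulate(message: List[float]) -> List[complex]:
    """Transmitter side: phase advances by 2*pi*DEVIATION*m[n]/FS per sample."""
    phase = 0.0
    out = []
    for m in message:
        phase += 2 * math.pi * DEVIATION * m / FS
        out.append(cmath.exp(1j * phase))
    return out


def fm_demodulate(samples: List[complex]) -> List[float]:
    """Receiver side: instantaneous frequency from successive-sample phase
    difference, scaled back to message amplitude.  Works for any FM signal
    because the information is the frequency itself, not a coded payload."""
    audio = [0.0]
    for prev, cur in zip(samples, samples[1:]):
        inst_freq = cmath.phase(cur * prev.conjugate()) * FS / (2 * math.pi)
        audio.append(inst_freq / DEVIATION)
    return audio


def recovery_error(message: List[float], recovered: List[float]) -> float:
    """Largest sample-wise difference between what was said and what was heard."""
    return max(abs(a - b) for a, b in zip(message, recovered))


if __name__ == "__main__":
    spoken = make_tone(440.0, 0.05)            # 50 ms of a 440 Hz tone
    on_air = fm_modulate(spoken)               # what leaves the mic's antenna
    heard = fm_demodulate(on_air)              # what any tuned receiver gets
    print(f"max recovery error: {recovery_error(spoken, heard):.2e}")
```

The recovery error is at floating-point noise level; in other words the eavesdropper's copy is the original. Adding noise or a weaker signal changes the quality, never the principle, which is why the fix is to remove the analog mics rather than to hope nobody is listening.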

Solution.
• The first step is to remove all analog FM wireless microphones from areas where sensitive discussions will be held; make them totally unavailable (sell or trash them).
• Develop a business counterespionage strategy with a security consultant who specializes in electronic eavesdropping detection and business counterespionage consulting. They will be able to provide alternatives to analog FM wireless microphones (digital systems with encryption exist) and address similar security vulnerabilities.
• Incorporate periodic inspections for illegal electronic eavesdropping devices into your security program. These inspections are also known as Technical Surveillance Countermeasures, or TSCM.
(more)

Internal Office Snoops and Spies - 50% of the problem

Marie McIntyre, Ph.D., is an office coach. She has more than 20 years experience as a manager, business owner and the HR director at a Fortune 500 company. Here is an office eavesdropping question she recently fielded...

Question: A co-worker told me that he brings a voice recorder to work to catch people talking behind his back. He will tape it underneath a desk or hide it behind a picture. We used to be friends, but I now seem to be on the list of people that he hates. I’ve started searching my work area every morning to be sure his recorder isn’t there. Although this guy’s weird behavior makes me sick, I’m not sure what to do about it. Should I bring this to the attention of human resources? —Nervous in Indiana

Answer: Yes, you should immediately have a confidential talk with your HR manager. Your colleague’s devious behavior is both appalling and a little frightening.

His suspiciousness, combined with a growing “enemies list,” may indicate paranoid tendencies. If he feels betrayed, he could decide to seek revenge. So when you report his clandestine activities, ask the HR manager not to reveal your name.

If you fear that HR may fail to protect your identity, describe the situation in an anonymous note. Although unsigned complaints are often disregarded, management is unlikely to ignore this one. 

I can add to her answer...  
About 50% of electronic eavesdropping in the business environment is carried out by employees. The reasons range from office romance, job insecurity and promotion competition on up to conducting espionage for outsiders – for money, out of ideology, or under pressure from blackmail.

We hope the HR director in this particular case will realize that hiding a recorder to capture conversations one is not a party to is a criminal offense (under the federal wiretap statute as well as most state laws) and takes the proper steps to protect the employee and the employer. A good first step would be contacting a security consultant who specializes in illegal electronic surveillance matters.

Tip: All types of security consultants are listed in the IAPSC.org Security Consultant Directory.

Tuesday, September 6, 2011

Tips for Securing VoIP Phones in the Cloud

South Africa - ...accepting an unprotected Internet Protocol (IP) connection from your VOIP partner is not the safest tactic. “Besides inviting eavesdropping on your most sensitive business dealings”, says Rob Lith, Director of Connection Telecom, “It also puts you at risk of sponsoring thousands of rands ($) in phone calls made on your account.”

What can be done?
So what can be done to keep your PBX safe from spilling your trade secrets and bleeding out your cash resources? The good news is that both VOIP providers and customers can pitch in. Here are some ways to safeguard your telephony:

Customer-side
· Password generators – Cloud PBX customers should use only securely generated random passwords. Passwords chosen by humans are often the weakest link in a company’s security posture, so invest in tools that manage and retrieve passwords easily and securely. 1Password from AgileBits is one example.
· Strong access policies – It can be as basic as allowing only known IP address ranges access to the voice platform. But this approach, while highly secure, sacrifices flexibility – for instance the ability to access the voice server while roaming overseas.
· Cloud customers can also load tools that monitor VOIP accounts for repeated failed password attempts, and block the IP address from which the attempts are coming pending administrator investigation. Fail2ban is one such tool.
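The three customer-side controls above, random secrets, a known-address allowlist and a Fail2ban-style block on repeated failed registrations, come down to a few lines of log parsing and bookkeeping. The script below is an added example, not code from the article, from Connection Telecom or from the Fail2ban project. It applies a failregex modelled on Fail2ban's Asterisk chan_sip filter to constructed log lines, bans any source that fails maxretry times inside findtime, and treats an assumed office range (10.20.0.0/16) as alert-only rather than auto-ban, so one mistyped handset secret inside the office cannot lock the whole office out of its own PBX. It also generates a SIP secret from the OS random source. The log lines, addresses, extension numbers and thresholds are all constructed for the example.

```python
import ipaddress
import re
import secrets
import string
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, shaped like Asterisk 1.8 chan_sip NOTICE entries.
# Addresses come from RFC 5737 documentation ranges; nothing here is from a real PBX.
SAMPLE_LOG = """\
[2011-09-06 10:12:01] NOTICE[2345] chan_sip.c: Registration from '"1001" <sip:1001@198.51.100.10>' failed for '203.0.113.45:5060' - Wrong password
[2011-09-06 10:12:02] NOTICE[2345] chan_sip.c: Registration from '"1002" <sip:1002@198.51.100.10>' failed for '203.0.113.45:5060' - No matching peer found
[2011-09-06 10:12:03] NOTICE[2345] chan_sip.c: Registration from '"1003" <sip:1003@198.51.100.10>' failed for '203.0.113.45:5060' - No matching peer found
[2011-09-06 10:12:04] NOTICE[2345] chan_sip.c: Registration from '"admin" <sip:admin@198.51.100.10>' failed for '203.0.113.45:5060' - Wrong password
[2011-09-06 10:12:05] NOTICE[2345] chan_sip.c: Registration from '"1001" <sip:1001@198.51.100.10>' failed for '203.0.113.45:5060' - Wrong password
[2011-09-06 10:12:09] VERBOSE[2345] chan_sip.c: -- Registered SIP '1001' at 198.51.100.20:5060
[2011-09-06 10:12:30] NOTICE[2345] chan_sip.c: Registration from '"2001" <sip:2001@198.51.100.10>' failed for '192.0.2.7:5060' - Wrong password
[2011-09-06 10:13:00] NOTICE[2345] chan_sip.c: Registration from '"3001" <sip:3001@198.51.100.10>' failed for '10.20.0.15:5060' - Wrong password
[2011-09-06 10:13:01] NOTICE[2345] chan_sip.c: Registration from '"3001" <sip:3001@198.51.100.10>' failed for '10.20.0.15:5060' - Wrong password
[2011-09-06 10:13:02] NOTICE[2345] chan_sip.c: Registration from '"3001" <sip:3001@198.51.100.10>' failed for '10.20.0.15:5060' - Wrong password
[2011-09-06 10:13:03] NOTICE[2345] chan_sip.c: Registration from '"3001" <sip:3001@198.51.100.10>' failed for '10.20.0.15:5060' - Wrong password
[2011-09-06 10:13:04] NOTICE[2345] chan_sip.c: Registration from '"3001" <sip:3001@198.51.100.10>' failed for '10.20.0.15:5060' - Wrong password
"""

# failregex modelled on Fail2ban's filter.d/asterisk.conf, simplified to IPv4 and
# the two most common failure reasons.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?' - "
    r"(?:Wrong password|No matching peer found)$"
)

# Assumed office range: the "known IP address ranges" of the allowlist approach.
TRUSTED_NETS = (ipaddress.ip_network("10.20.0.0/16"),)


def is_trusted(host, trusted_nets=TRUSTED_NETS):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in trusted_nets)


def scan_for_bans(log_text, maxretry=5, findtime=timedelta(minutes=10),
                  trusted_nets=TRUSTED_NETS):
    """Fail2ban-style sliding window: a source that fails `maxretry` times within
    `findtime` is banned, unless it sits in a trusted range, in which case it is
    reported for an administrator instead of being blocked automatically.
    Returns ({banned_ip: time_of_ban}, {trusted_ip: time_of_alert})."""
    failures = defaultdict(deque)          # host -> timestamps of recent failures
    banned, trusted_alerts = {}, {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:                           # successful registrations and other noise
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        host = m["host"]
        recent = failures[host]
        recent.append(ts)
        while recent and ts - recent[0] > findtime:   # forget failures outside the window
            recent.popleft()
        if len(recent) < maxretry or host in banned or host in trusted_alerts:
            continue
        if is_trusted(host, trusted_nets):
            trusted_alerts[host] = ts
        else:
            banned[host] = ts
    return banned, trusted_alerts


SECRET_ALPHABET = string.ascii_letters + string.digits


def generate_sip_secret(length=24):
    """SIP peer secret from the OS CSPRNG: 24 alphanumerics is roughly 143 bits,
    far beyond any wordlist a registration-guessing script will work through."""
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    banned, alerts = scan_for_bans(SAMPLE_LOG)
    for host, when in banned.items():
        print(f"BAN   {host} at {when}  (e.g. iptables -I INPUT -s {host} -j DROP)")
    for host, when in alerts.items():
        print(f"ALERT {host} at {when}  trusted range, not auto-banned")
    print("new secret:", generate_sip_secret())
```

Run as-is it bans 203.0.113.45 after its fifth failure, leaves the single failure from 192.0.2.7 alone, and only raises an alert for 10.20.0.15 because that address is inside the trusted range. The exemption is the point: an allowlist and an auto-ban rule interact, and without it a misconfigured office handset would block the office's own egress address.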

Provider-side
· Tools like Zabbix monitor unusual call patterns, destinations, numbers of live calls and account balances, and trigger alarms when certain values are exceeded (too many calls, a sharp drop in account balance, unusual international prefixes being dialed etc). Anything out of place is picked up long before too much harm can come to the user enterprise.
· VPN tunneling used in an enterprise VOIP service shields calls from eavesdropping and line-jacking, making it as secure as line encryption. An MPLS network and VPN technology like ViBE are among the applications that enable secure VPN tunnelling.
· Private cloud solutions are shielded from the public Internet by virtue of the customer’s ownership of the hosted domain.
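The provider-side call-pattern monitoring described above (too many live calls, a sharp drop in balance, unusual international prefixes) is, at bottom, a handful of rules run over call detail records as they arrive. The script below is an added example, not code from the article or from Zabbix. It learns each account's usual destination country codes from a baseline period, then flags a live burst of overnight calls to a country the account has never dialled, more simultaneous calls than the account should have, and spend that exceeds a one-hour budget. The CDR layout, account names, numbers, thresholds and the two-digit country-code shortcut are all assumptions for the example; in a real deployment the alerts such a script emits are what a Zabbix item or trap would carry.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CDR:
    start: datetime
    account: str
    dest: str        # dialled number in international format, no leading '+'
    duration_s: int
    cost: float      # amount charged to the account


# Constructed CDRs in a hypothetical 'start|account|dest|seconds|cost' layout.
# 'acme' and 'widget' are imaginary cloud-PBX customers; numbers are made up.
BASELINE_CDRS = """
2011-08-29 09:05:00|acme|27115550101|240|1.20
2011-08-29 11:40:00|acme|27215550177|600|3.00
2011-08-30 14:10:00|acme|44207946001|300|4.50
2011-08-29 10:00:00|widget|27115550199|180|0.90
2011-08-31 16:30:00|widget|27315550123|420|2.10
"""

# Live period: acme behaves as usual; widget fires seven long calls inside 30
# seconds at 3 a.m. to a high-rate country code never seen in its baseline.
LIVE_CDRS = """
2011-09-04 08:30:00|acme|27115550101|300|1.50
2011-09-04 09:45:00|acme|44207946001|200|3.00
2011-09-04 11:00:00|acme|27215550177|120|0.60
2011-09-04 03:10:00|widget|53555010001|1800|45.00
2011-09-04 03:10:05|widget|53555010002|1800|45.00
2011-09-04 03:10:10|widget|53555010003|1800|45.00
2011-09-04 03:10:15|widget|53555010004|1800|45.00
2011-09-04 03:10:20|widget|53555010005|1800|45.00
2011-09-04 03:10:25|widget|53555010006|1800|45.00
2011-09-04 03:10:30|widget|53555010007|1800|45.00
"""


def parse_cdrs(text):
    records = []
    for line in text.strip().splitlines():
        start, account, dest, secs, cost = line.split("|")
        records.append(CDR(datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
                           account, dest, int(secs), float(cost)))
    return records


def country_code(dest):
    """Assumed shortcut: '1' for North America, otherwise the first two digits.
    Real country codes are one to three digits; a production rule uses a table."""
    return "1" if dest.startswith("1") else dest[:2]


def learn_baseline(records):
    """Per account, the set of country codes seen during a known-good period."""
    seen = defaultdict(set)
    for r in records:
        seen[r.account].add(country_code(r.dest))
    return seen


def detect(live, baseline, max_concurrent=5, window=timedelta(hours=1),
           max_spend_per_window=200.0):
    """Return (account, rule, detail) alerts, at most one per account and rule."""
    alerts, fired = [], set()

    def fire(account, rule, detail):
        if (account, rule) not in fired:
            fired.add((account, rule))
            alerts.append((account, rule, detail))

    by_account = defaultdict(list)
    for r in sorted(live, key=lambda r: r.start):
        by_account[r.account].append(r)

    for account, calls in by_account.items():
        for i, c in enumerate(calls):
            # Rule 1: destination country the account has never dialled before.
            cc = country_code(c.dest)
            if cc not in baseline.get(account, set()):
                fire(account, "unusual_prefix", f"+{cc} not in baseline ({c.dest})")
            # Rule 2: calls still in progress at the moment this call starts.
            live_now = sum(1 for o in calls[: i + 1]
                           if o.start + timedelta(seconds=o.duration_s) > c.start)
            if live_now > max_concurrent:
                fire(account, "concurrency", f"{live_now} simultaneous calls at {c.start}")
            # Rule 3: spend in the trailing window, i.e. a sharp drop in balance.
            spend = sum(o.cost for o in calls[: i + 1] if c.start - o.start < window)
            if spend > max_spend_per_window:
                fire(account, "spend", f"{spend:.2f} charged in the hour ending {c.start}")
    return alerts


def run_detection(baseline_text=BASELINE_CDRS, live_text=LIVE_CDRS):
    return detect(parse_cdrs(live_text), learn_baseline(parse_cdrs(baseline_text)))


if __name__ == "__main__":
    for account, rule, detail in run_detection():
        print(f"{account:8s} {rule:15s} {detail}")
```

The baseline step matters more than the thresholds: a fixed list of "bad" prefixes misses fraud routed to whatever destination pays best this month, while "a country this customer has never called, at 3 a.m., seven at a time" is abnormal for that customer regardless of the destination. The thresholds are per account on purpose, since a call centre's normal concurrency is a dentist's fraud incident.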

Conclusion
VOIP hacking, while not an everyday occurrence, is very possible. However, with the right tools and a few basic security habits, this form of communication can be highly secure. (more)

Monday, September 5, 2011

Spycam Story #622 - Solved Faster Than A Clapboard Slap

Australia - Queensland Police are investigating how security footage of public sex and bar fights at a Cairns casino made it onto YouTube.

The CCTV footage of patrons was the subject of an investigation last year, but was later removed from the Reef Hotel Casino and posted on the internet.

Detective Senior Sergeant Ed Kinbacher says the footage appears to have been stolen by a former staff member. (more)

Are Your Passwords Sardonic Humor Fodder? II

After reading the original post about easy to guess passwords, another BB Irregular checked in with this excellent password tip.  

Brilliant, David. 
Thank you!
Via Randall Munroe at xkcd.com.

Walter Mitty Goes Shopping... for Spy Gadgets

Australia -  Anyone who has ever fancied themselves as a secret agent, Maxwell Smart style, now has the chance to purchase some nifty spying gadgets locally. The Frankston franchise of OzSpy opened recently and stocks everything from bug detection devices to hidden cameras.

"We get a lot of people who come in because they think their spouse is cheating," Mr Dodd said. "We also have businesses wanting to check up on employees. Some people want to leave listening devices around as evidence if there is something they are concerned about. This is probably the only store of its type in the area." He said there were a few customers who thought of themselves as investigators. "The shop definitely has a bit of a secret agent appeal to it." But he said some people just buy the equipment for fun. (more)

Other fun things you can do, but probably not in Australia...

Saturday, September 3, 2011

Hounded by Eavesdropping, Berlusconi Snaps (Can you blame him?)

Italy - Embattled Italian Prime Minister Silvio Berlusconi, under withering scrutiny for his high-profile sex life, was caught on a police wire saying he wanted to flee his "s---y" country.

Berlusconi's shocking remarks were recorded in July as part of an investigation into claims he is being blackmailed about his sex life, according to The Guardian. 

"They can say about me that I s--w. It's the only thing they can say about me. Is that clear?" the frustrated Prime Minister said to one of the men allegedly extorting him. "They can put listening devices where they like. I don't give a f--k."

"In a few months, I'm getting out to mind my own f---ing business, from somewhere else," he continued, "and so I'm leaving this s---y country of which I'm sickened." (more)

Not knowing if you have privacy is universally stressful and personally debilitating. It is especially bad in business and government, where there is the added stress of not being able to conduct business in confidence. These are some of the reasons why periodic inspections to detect electronic surveillance are a basic element of most organizations' security programs.

Greece Won't Let Wiretapping Slip

A Greek prosecutor Friday reopened a probe into wire-tapping of government mobile phones at the time of the Athens 2004 Games, indicating that US embassy staff were involved, a judicial official said.

Without naming specific suspects, Athens prosecutor Dimitris Dassoulas filed an action for "a major case of attempted espionage" after a preliminary investigation identified three suspects working at the US embassy at the time.

The investigation found that calls had been placed to embassy telephones from a mobile phone used in the wire-tapping network, the source said. (more)

Spycam App... "What could possibly go wrong?"

"With iZON, you can stream live video and audio to your iPod, iPhone or iPad, activate motion or noise detection and receive alerts by push notification."

Keep a loving eye on your baby, your puppy, your other baby and her lover. Screech!!! What other baby? What lover?!?!

"Enjoy peace of mind on the go with the iZON Remote Room Monitor. This innovative and elegant video camera enables you to view and listen to activity in your home or office from anywhere in the world on your iPod touch, iPhone or iPad."

The Pitch.
FutureWatch.
Remember the old "listen through concrete" ads for bugging devices... "useful for detecting baby sleeping and locating mice in walls?" Welcome to the 21st Century where electronic eavesdropping laws continue to be circumvented by that galactic loophole - "primarily useful for". In this case, it appears that this will be "primarily useful for" spying on those without rights, babies and puppies. Heck, what are the chances that someone will hide one of these things for voyeuristic reasons? 

And, if an app store approves it for sale, it must be legal, right? 
Keep your eye on our SpyCam Story posts to see what happens.

From the Party that Brought You, "The Buck Stops Here."

NY - Democratic congressional candidate David Weprin isn't denying accusations that his campaign volunteers tried to spy on his rival's headquarters to send back intel.

In an interview with NBC New York, Weprin tried to change the subject, saying the story is a "distraction" and that he can't be responsible for all the actions of his campaign workers.

"I don't know," Weprin said. "I'm the candidate. I can't control who goes to everything." (more)

Thursday, September 1, 2011

Some of the meanest, ugliest, HD CCTV video you'll ever see.

SD - Every August half a million bikers descend on a small town in South Dakota for the country’s largest motorcycle rally.

The Full Throttle Saloon, at the heart of the week-long rally, caters to roughly 30,000 bikers a day and handles millions of dollars in cash over the course of the rally. This is not your average bar. The Full Throttle has 15 acres of bar space and more than 100 bartenders working at any one time during the rally, according to Chris Donahue, the bar’s spokesman. The bar’s website claims it is “the world’s largest biker bar.”

Part of managing that crowd is video surveillance. Over the past five years, the Full Throttle has spent roughly $40,000 on beefing up its security system, including 20 new HD megapixel cameras from IQinVision. Donahue likes to tout the claim that the Full Throttle has a more robust security system than some Las Vegas casinos. (more)

How AT&T Tapped the Trunk Lines for the NSA

via wikipedia.com...
Room 641A is an intercept facility operated by AT&T for the U.S. National Security Agency, beginning in 2003. Room 641A is located in the SBC Communications building at 611 Folsom Street, San Francisco, three floors of which were occupied by AT&T before SBC purchased AT&T. The room was referred to in internal AT&T documents as the SG3 [Study Group 3] Secure Room. It is fed by fiber optic lines from beam splitters installed in fiber optic trunks carrying Internet backbone traffic and, therefore, presumably has access to all Internet traffic that passes through the building.

The room measures about 24 by 48 feet (7.3 by 15 m) and contains several racks of equipment, including a Narus STA 6400, a device designed to intercept and analyze Internet communications at very high speeds.

The existence of the room was revealed by a former AT&T technician, Mark Klein, and was the subject of a 2006 class action lawsuit by the Electronic Frontier Foundation against AT&T. Klein claims he was told that similar black rooms are operated at other facilities around the country. 
Room 641A and the controversies surrounding it were subjects of an episode of Frontline, the current affairs documentary program on PBS. It was originally broadcast on May 15, 2007. It was also featured on PBS's NOW on March 14, 2008.

The Electronic Frontier Foundation (EFF) filed a class-action lawsuit against AT&T on January 31, 2006, accusing the telecommunication company of violating the law and the privacy of its customers by collaborating with the National Security Agency (NSA) in a massive, illegal program to wiretap and data-mine Americans' communications. On July 20, 2006, a federal judge denied the government's and AT&T's motions to dismiss the case, which rested chiefly on the state secrets privilege, allowing the lawsuit to go forward. On August 15, 2007, the case was heard by the Ninth Circuit Court of Appeals.

The EFF filed a second case, Jewel v. NSA, on September 18, 2008.

Watergate II in America

AT&T building in downtown San Francisco
 Lawyers for civil liberties groups asked a federal appeals court Wednesday to revive two groups of lawsuits claiming the government has monitored the communications of millions of Americans without warrants since 9/11.

The cases involve the federal government's widely expanded efforts to track down terrorists following the attacks a decade ago - efforts that included, at minimum, the interception of international communications that could include members of al-Qaida or other extremist groups.

The San Francisco-based Electronic Frontier Foundation, the American Civil Liberties Union and other critics allege that the surveillance was much broader than that. They cite among other things a declaration from a longtime AT&T worker that the company had allowed the National Security Agency to build a room in one of the company's buildings and route copies of customers' communications there. (more)

History
Secret NSA Room 641A - Note ladder and open ceiling tile. Oops.
1/21/10 - A federal judge has dismissed Jewel v. NSA, a case from the Electronic Frontier Foundation (EFF) on behalf of AT&T customers challenging the National Security Agency's mass surveillance of millions of ordinary Americans' phone calls and emails. (more) 

7/9/09 -  Wiring Up The Big Brother Machine...And Fighting It by Mark Klein and James Bamford

8/15/07 - Spectators lined up outside the 9th Circuit Court of Appeals in San Francisco starting at noon to guarantee a seat at a much-anticipated legal showdown over the government’s secret wiretapping program. 

The hearing involves two cases: one aimed at AT&T for allegedly helping the government with a widespread datamining program allegedly involving domestic and international phone calls and internet use; the other a direct challenge to the government’s admitted warrantless wiretapping of overseas phone calls. (more)