Monday, September 22, 2014

Watch Out: Your Innkeeper is Spying on You and Other Confessions of a B&B Owner

Plenty of people dream about quitting their day job, buying that fixer-upper farmhouse, and opening a bed-and-breakfast. Those B&B owners seem so happy. Well, everything isn’t quite as idyllic as it seems. We got one set of innkeepers — “Bob and Emily” — to anonymously spill the beans on what really happens behind those perfectly painted shutters.

This week. Bob and Emliy reveal the sordid side of running an inn. Here are some things you probably don’t want to know the next time you check into that seemingly quaint country B&B.  (more)

Wednesday, September 17, 2014

FBI Seeks Expansion of Internet Investigation Powers

A Department of Justice proposal to amend Rule 41 of the Federal Rules of Criminal Procedure would make it easier for domestic law enforcement to hack into computers of people attempting to protect their anonymity on the Internet. The DOJ has explicitly stated that the amendment is not meant to give courts the power to issue warrants that authorize searches in foreign countries—but the practical reality of the underlying technology means doing so is almost unavoidable...

As for extraterritorial hacking, the DOJ commentary explicitly states that the proposal does not seek power to extend search authority beyond the United States: 
  • In light of the presumption against international extraterritorial application, and consistent with the existing language of Rule 41(b)(3), this amendment does not purport to authorize courts to issue warrants that authorize the search of electronic storage media located in a foreign country or countries. AUSA Mythili Raman, Letter to Committee.
Yet the commentary also articulates a standard of searches that “are within the United States or where the location of the electronic media is unknown....

The latter standard seems to be a significant loophole in the DOJ’s own formulation of the approach, particularly given the global nature of the Internet. For instance, over 85% of computers directly connecting to the Tor network are located outside the United States. (more)

Beijing Bans All* Hidden Surveillance Equipment

Beijing authorities have initiated a ban on all secret surveillance equipment in the city amid increasing pressure from the central government to crack down on spying activities.

The decision was issued jointly by the city's Administration for Industry and Commerce, Beijing Municipal Public Security Bureau and Beijing National Security Bureau, which added that purchases of these devices–such as surreptitious cameras installed in glasses or walking sticks to secretly record photos or videos of people in bathrooms and changing rooms–could lead to serious criminal liability...

Chinese media outlets reported that the majority of buyers are private detectives and investigators, debt collectors and lawyers looking to collect evidence for their cases. There have so far been 91 official investigations into illegal surveillance in Beijing this year. (more)

* Except their own, we presume.

Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying

The National Security Agency has some of the brightest minds... But a new chat program designed by a middle-school dropout in his spare time may turn out to be one of the best solutions to thwart those efforts... 

John Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client...

“Ricochet is idiot-proof and anonymous.” (more)

Tuesday, September 16, 2014

FutureWatch: Ant-Sized Radio Swarms Will Net Everything

A team of researchers from Stanford University and the University of California, Berkeley, has created prototype radio-on-a-chip communications devices that are powered by ambient radio waves. Comprising receiving and transmitting antennas and a central processor, the completely self-contained ant-sized devices are very cheap to manufacture, don't require batteries to run and could give the "Internet of Things" (IoT) a serious kick start. (more)

Let's just call it "Spy Dust".

75% of Android Phones Vulnerable to Web Page Spy Bug

A Metasploit module has been developed to easily exploit a dangerous flaw in 75 percent of Android devices that allows attackers to hijack a users' open websites...
Tod Beardsley, a developer for the Metasploit security toolkit dubbed the "major" flaw a "privacy disaster".

"What this means is any arbitrary website - say, one controlled by a spammer or a spy - can peek into the contents of any other web page," Beardsley said.

"[If] you went to an attackers site while you had your web mail open in another window, the attacker could scrape your email data and see what your browser sees.

"Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write web mail on your behalf." (more)

Solution: Use a Firefox or Chrome browser.

Monday, September 15, 2014

The Top Cyber Espionage Devices You Don't Want to See

... unless you are using them.

The Pwn Plug Academic Edition is the Industry’s First Enterprise Penetration Testing Drop Box

  • Wireless (802.11b/g/n) high gain Bluetooth & USB Ethernet adapters
  • Fully-automated NAC/802.1x/Radius bypass
  • One-click EvilAP, stealth mode & passive recon
The Pwn Plug Academic Edition acts as a penetration testing drop box that covers most of a full-scale pentesting engagement, from physical-layer to application layer. The Pwn Plug Academic Edition is controlled through a simple web-based administration and comes preloaded with an array of penetration testing tools and Wireless, Bluetooth, and USB Ethernet adapters.
The Pwn Plug R3 is a next-generation penetration testing device in a portable, shippable, “Plug-and-Pwn” form factor.

  • Onboard high-gain 802.11a/b/g/n wireless
  • Onboard Bluetooth
  • External 4G/GSM cellular
  • Greatly improved performance and reliability
The Pwn Plug R3 is a next-generation penetration testing device in a portable, shippable, “Plug-and-Pwn” form factor. With onboard high-gain 802.11a/b/g/n wireless, onboard Bluetooth, external 4G/GSM cellular, ruggedized case design, and greatly improved performance and reliability, the Pwn Plug R3 is the enterprise penetration tester’s dream tool. 

The MiniPwner
The MiniPwner is described as a penetration testing “drop box”. You (or maybe a cleaner you’ve bribed) needs to plug it into an Ethernet plug in the target’s building, and then you can slurp all the data out of their network via a wifi link.

The penetration tester uses stealth or social engineering techniques to plug the MiniPwner into an available network port. (common locations include conference rooms, unoccupied workstations, the back of IP Telephones, etc.)
Once it is plugged in, the penetration tester can log into the MiniPwner and begin scanning and attacking the network. The MiniPwner can simultaneously establish SSH tunnels through the target network, and also allow the penetration tester to connect to the MiniPwner via Wifi. 

WiFi Pineapple Mark V
Slightly larger than a smartphone the WiFi Pine-apple Mark V is the “ultimate” cyber surveillance device. It uses an “intuitive” web interface to enable hackers to break into a corporate’s IT networks through its wifi connections. It costs $100. 

USB Switchblade
The goal of the USB Switchblade is to silently recover information from a target Windows 2000 or higher computer, including password hashes, LSA secrets, IP information, etc.

A gadget that looks like a USB stick has a program that swings into action when it’s inserted into the USB drive and can then begin its naughty work without the user knowing it by exploiting a flaw in USB autorun settings. How about dropping it in the car park of your target’s offices, seeing if someone will pick it up and plug it in to see what’s on it… 

USB 8GB Flash Drive Cufflinks

The thing about these is that the bad guy can carry a load of malware, ready for use at any time. These go for less than $50. Easy to smuggle in. 

The Rubber Ducky
The Rubber Ducky is becoming the “field-weapon of choice” for cyber spies. It’s the size of a normal USB stick but when you plug it in to a PC it pretends to be a keyboard and starts ‘typing’ away, possibly trying to break into systems or maybe stealing passwords.  If you get a few seconds alone with someone’s phone you can get an adapter to plug it in and maybe hack that too. (The last five items courtesy of Financial News.)

Yet Another Way Your Smartphone Can Bug You

MEMS gyroscopes found on modern smart phones are sufficiently sensitive to measure acoustic signals in the vicinity of the phone. The resulting signals contain only very low-frequency information (< 200 Hz). Nevertheless we show, using signal processing and machine learning, that this information is sufficient to identify speaker information and even parse speech. 

Since iOS and Android require no special permissions to access the gyro, our results show that apps and active web content that cannot access the microphone can nevertheless eavesdrop on speech in the vicinity of the phone. (more)

Sunday, September 14, 2014

Information Security Management - Distance Learning Course

Your information assets have never been more crucial, more valuable, or more at risk. This is why information security is becoming a crucial business priority in many organizations. Moreover, complying with (international) information standards and guidelines (such as the NIST Handbook, ISO 17799, CobiT, and ITIL Security Management) is becoming a hot issue worldwide.
This unique distance learning course provides you with vital information for developing or reviewing your information security management framework. The course will help you determine the levels of risk your organization is facing and the steps you will need to take to provide adequate protection.

The course will be of particular benefit to:
  • CIOs, CISOs and anyone who has direct line responsibility for information security
  • Business Continuity Planners, Asset Managers, Risk Managers
  • Legal Advisors and Corporate Security Consultants
  • Company Secretaries, Finance Directors and Auditors (more)

Saturday, September 13, 2014

Weird - Spies Strike

Soldiers from Israel's elite wire-tapping unit are refusing to spy on Palestinians in a rebuke to prime minister Benjamin Netanyahu.

More than 40 former soldiers and current army reservists have signed a letter refusing future service in the Israeli Defence Force (IDF) military intelligence wing, known as Unit 8200.

Unit 8200 is often compared to the United States National Security Agency. It uses sophisticated technology to monitor the lives of Palestinians, gathering information which is then used by Israel's military. It also carries out surveillance overseas. (more)

Taylor Swift - Worried About Wiretaps

In a wide-ranging interview with Rolling Stone, Taylor Swift gets candid about her love life, her professional feuds and being very cautious about janitors and wiretapping.

1. She's pretty much always worried about privacy
Swift is acutely aware that people are out to invade her privacy. “There's someone whose entire job it is to figure out things that I don't want the world to see,” she told Rolling Stone. She's also paranoid about basically anyone she lets get too close... I have to stop myself from thinking about how many aspects of technology I don't understand.” (more)

Taylor, there are some nice professional privacy consultants who can help you.

Friday, September 12, 2014

Business Espionage - "Morticia, they've kidnapped Thing!"

T-Mobile US sued Huawei for corporate espionage, alleging that the vendor's employees illegally photographed and tried to steal parts of a robot it developed in its labs, called "Tappy," to test cell phones.

Tappy's Grandfather
The lawsuit, filed last week in federal court in Seattle, claims that two Huawei employees gained illicit access to its lab in Bellevue, Wash., photographed the robotic arm, tried to smuggle parts of it out of the lab, and then tried to sneak back in after they were banned from the facility...

In 2012 and 2013, the suit claims, Huawei employees engaged in the subterfuge. At one point, the suit alleges, a Huawei engineer put one of the robot's simulated fingertips into his laptop bag. Huawei "ultimately admitted that its employees misappropriated parts and information about T-Mobile's robot," the suit says. (more)

Yet Another Landlord Spying on Tenant Story

...also charged with having guns in his home which he's not allowed to have based on his criminal history.

Last year at this time (9/29/13) subject was sentenced to probation for a term of seven years with the condition that he have no contact with minors, and a fine of $2000, for the offense of Corruption of Minors. (more)

Russia: Fireball Over Wyoming Wasn't Spy Satellite

Russia - The Defense Ministry has challenged reports that a Kobalt-M spy satellite reentered the Earth's atmosphere and burnt up over the U.S., potentially leaving Russian military intelligence photos lying in Colorado or Wyoming...

The satellite, launched from the Plesetsk Cosmodrome near Arkhangelsk on May 6, was not equipped to digitally transmit its photographs back to its handlers at Russia's military intelligence unit, the GRU. Instead, it was designed to drop its film in special canisters from space onto Russian territory.

Interfax reported Tuesday that the satellite may have been attempting to position itself to drop a canister back to Earth, when it moved into too low of an orbit — thereby falling back to earth over the U.S. It is possible that much of the satellite and its photos survived, and are now sitting somewhere in the U.S. midwest. (more)

Footage as it passed over Atyrau, Kazakhstan...

Industrial Espionage Becomes a Booming Trade

Namibia - A new crime trend has emerged in Windhoek, where confidential business information is stolen and sold to the victim’s competitors...

City Police Senior Superintendent Gerry Shikesho told Namibian Sun that so far three cases of theft of business secrets have been opened - one last month and two this month.

He explained that people are being sent to steal documentation that contains company strategies or business plans.

He said a Windhoek company had information stolen that was valued at N$300 000 ($27,242.00 USD). (more)

Note: In Namibia, that is a lot of money for a business to lose.

Join Us for Our Next Exciting Adventure... Google Toggle... or, Pain in the Glass

Not a fan of Google Glass’s ability to turn ordinary humans into invisibly recording surveillance cyborgs? Now you can create your own “glasshole-free zone.”

Berlin artist Julian Oliver has written a simple program called that detects any Glass device attempting to connect to a Wi-Fi network based on a unique character string that he says he’s found in the MAC addresses of Google’s augmented reality headsets.

Install Oliver’s program on a Raspberry Pi or Beaglebone mini-computer and plug it into a USB network antenna, and the gadget becomes a Google Glass detector, sniffing the local network for signs of Glass users.  

When it detects Glass, it uses the program Aircrack-NG to impersonate the network and send a “deauthorization” command, cutting the headset’s Wi-Fi connection. It can also emit a beep to signal the Glass-wearer’s presence to anyone nearby. (more)

Thursday, September 11, 2014

Lawmaker Lunacy Comes Off Half Cox'ed

The son-in-law of the late President Richard Nixon gave a lesson during a visit to Syracuse Wednesday on the difference between Watergate and the New York Republican Party's recent bugging scandal. One tactic was legal. The other was not, said Ed Cox, the chairman of the New York State Republican Party and the husband of former first daughter Tricia Nixon...

It was exposed recently that Assembly Republicans, led by Oswego County's Assemblyman Will Barclay, had a private investigator put a GPS tracking device on a car driven by Assemblyman Edward Hennessey, D-Suffolk County to track his whereabouts.

They admitted to it in court...

Cox, who was in Syracuse Wednesday, said the two investigations are not the same.
First of all, Assembly Republicans admitted to bugging the car. 

Secondly, it was legal, he said (although he admits he doesn't know any more about the law than what he's been told by a reporter.)

He talked about bugging the car as if it was the Republican Party's responsibility. He said it is part of the "self-policing, democratic process" for one party to investigate the other party's candidate before the election.

"Watergate was using illegal means - breaking and entering and illegal bugging - in order to find out what was legal political conversation. It's just the opposite," he said.

Cox said politics in New York is a competitive sport. "It ain't bean bag," he said...

What would he say if someone bugged his car?

Under the same circumstances, he said, "Sure that would be fine with me." (more)

You Like Business Class. Trade Secrets Like USB Class.

TX - A state district judge has dismissed a lawsuit brought by Houston-based Schlumberger Ltd. against a former employee who had left the company for a vice president job at a rival oilfield services company, Baker Hughes Inc.

Schlumberger had accused former employee Humair Shaikh of allegedly stealing trade secrets, but the two parties have reached a settlement...

The initial lawsuit alleged that Shaikh had violated confidentiality and noncompete agreements by taking trade secrets on four different USB drives when he left. (more

Business espionage goes undiscovered, ignored, swept under the carpet, and settled out of court all the time. 

Espionage is difficult to stop without a real commitment to protection. 

The common thread is that the stolen digital data often travels via USB memory sticks, and this is preventable. We can show you how.

Dyre Malware Branches out from Banking, adds Corporate Espionage

A variant of the infamous banking trojan Zeus has gone beyond targeting financial accounts, instead striving to collect another type of sensitive business data: customer information.

The variant, known as Dyre, is a banking trojan that first came to light in June when security companies warned that the Zeus knockoff found a way to bypass Web encryption, known as secure sockets layer (SSL). At the time, it targeted some of the largest global banks, such as Bank of America, Citibank, Natwest, RBS, and Ulsterbank. A recent version of Dyre, however, has begun targeting Salesforce, a popular cloud service for storing customer information, according to analyses.

Other cloud services could just as easily be targeted, according to security firm Adallom. (more)

15 Million Devices Infected With Mobile Malware

Sixty percent of the infected devices run Android. 

Fifteen million mobile devices are infected with malware, and most of those run Android, according to a new report by Alcatel-Lucent's Kindsight Security Labs.

Researchers found that "increasingly applications are spying on device owners, stealing their personal information and pirating their data minutes, causing bill shock." Mobile spyware, in particular, is on the rise. Four of the 10 top threats are spyware, including SMSTracker, which allows the attacker to remotely track and monitor all calls, SMS/MMS messages, GPS locations, and browser histories of an Android device...

About sixty percent of the infected devices are Android smartphones. About 40 percent are Windows PCs connecting through mobile networks. Windows Mobile, iPhones, Blackberrys, and Symbian devices combine for less than 1 percent. (more)

Tuesday, September 9, 2014

Graphene-Based, Ultra-Thin Light Detector - T-Ray Vision

A new prototype light detector uses graphene's light-absorbing properties to see in a broad band of light wavelengths that includes terahertz waves. These fall between the microwave and infrared bands, thereby making it possible to look just beneath the surface of opaque objects such as skin and plastic... 

So where might such a detector be used? In security scanners, for example, it could identify concealed weapons without invading bodily privacy. It could also make medical imaging safer and more effective.

Other applications include chemical sensing, remote bomb detection, night vision goggles/cameras, high-altitude telecommunications, manufacturing quality control (as terahertz waves penetrate cardboard and plastic), preventing premature car rusting, and even 3D printing.

A paper describing the research was published recently in the journal Nature. (more) (Get the T-shirt)

I see TSCM applications, too. ~Kevin

14 Security Tips for Mobile Phone Users

As smartphone usage grows in the business, many users still don’t understand proper security practices. If not addressed, this problem could put their (and your company’s) sensitive data at risk. Learn how your users can better protect themselves from mobile security threats. (7 Tips) (7 more Tips, including one from us!)

Sunday, September 7, 2014

Is High Tech Spying On Your Spouse Legal?

via the Weinberger Law Group...
It’s a common situation we hear about when adultery (either actual or suspected) is involved in the demise of a marriage: one spouse decides to spy on the other. While in years past, snooping on a spouse usually entailed rifling through purses or pockets (or hiring a private investigator to catch cheaters in the act), in this day and age, spousal snooping more often involves hacking into email accounts and installing tracer apps on smartphones. 

Beyond the moral issues any form of spying raises, are these high tech forms of snooping even legal? 

As the law on “inter-spousal spying” stands right now, it depends on the type of snooping and spying you’re engaged in. According to the federal wiretapping laws and the New Jersey Wiretapping and Electronic Surveillance Control Act (N.J.S.A. 2A:156A), activities that may be illegal or constitute a violation of privacy include the following... (more)

Also... Learn how to protect yourself from high tech snooping (and learn when spying can be considered stalking) at the Weinberger Law Group companion blog, Spying on Your Spouse During Divorce: How Far is Too Far?

Spy Rule 1 - If you find a bug, don't touch it.

Israel remotely detonated a spying device planted in south Lebanon, killing a member of the Lebanese militant Hezbollah in the explosion, the group said Friday.

Hezbollah Al-Manar TV said Hassan Ali Haidar was killed after army intelligence spotted a "strange device" in the village of Adloun. A jet detonated the device remotely after it was discovered, killing Haidar, it said.

The device was planted on the militant group's telecommunications network. (more)

From the If You Can't Beat Them, Join Them File...

When disclosures from National Security Agency whistleblower Edward Snowden were first published by journalists, government officials in the United States insisted that US intelligence agencies do not engage in economic espionage. But, as the revelations continued to trickle out and expose the duplicity of this assertion, officials shifted to suggesting that any economic espionage is not done to benefit the bottom lines of US corporations.

Now, a copy of a secret 2009 report [PDF], the Quadrennial Intelligence Community Review, from the Office of Director for National Intelligence (ODNI), which is headed by James Clapper, has been published by The Intercept. It was provided by Snowden and shows “intelligence community” plans to acquire “proprietary information” from companies around the world and assess whether and how “findings would be useful to US industry.” (more)

Wouldn't we just be 
ge, ge, ge, getting
our own secrets back? Hah!

You Know Spying Paranoia Has Gone Too Far When...

...a neighbors' spying fears may sink young seadog's pirate ship.

UK - When his parents built a play pirate ship in his back garden, four-year-old Joseph Bailey was thrilled.

The wooden ship, crafted from recycled timber, became his pride and joy and the ‘labour of love’ was admired by everyone who saw it.

But then a neighbor complained to the council that Joseph was invading their privacy, claiming he could spy on them over the fence.

And despite his parents erecting a bamboo screen to solve any privacy issues, the 19ft by 8ft ship, complete with Jolly Roger, now faces demolition. (more)

P.S. The "pirate" doesn't appear to own a spyglass.

Thursday, September 4, 2014

College of Security and Intelligence Opens for Business

Embry-Riddle University - The College of Security and Intelligence was kicked off last spring and the Doherty center was unveiled, but this fall marks the time when activities have begun in earnest.

The College of Security and Intelligence welcomed the first incoming students for the Masters program in Security and Intelligence Studies...

This semester, the college brought in more than 100 new incoming students in its different programs. The Cyber program will double in size, and just in time, the new Cyber Lab is taking shape next to the Eagle Operations Center. It will house 24 workstations, a rack of servers, and an area for forensics activities. (more)

Wednesday, September 3, 2014

Customs Foils Bid to Smuggle Spying, Eavesdropping Items

KUWAIT - Customs inspectors at the Air Cargo section recently foiled an attempt by Kuwaitis to smuggle into the country sophisticated spying, eavesdropping and photography items, reports Al-Shahed daily. The confiscated items include cigarette lighters, pens and stationery. The cargo reportedly arrived from one of the Asian countries and the bill of lading listed the contents as stationery items. Police are investigating. (more)

98-Year-Old NJ Woman Seeks to Erase Atomic Spy Case Conviction

A 98-year-old New Jersey woman convicted of conspiracy in the run-up to the atomic spy trial of Julius and Ethel Rosenberg has come back to a New York court to clear her name.

Miriam Moskowitz said after a brief court hearing Monday that she needs an official vindication that she was wrongly convicted in 1950. She was sentenced to two years in prison after she was convicted on a charge that she conspired with two men to lie to a grand jury investigating atomic espionage...

She filed the request two weeks ago, saying documents now prove the government withheld evidence that would have exonerated her. (more)

28-year-old Spying Woman Run Over by Boyfriend’s Car

UAE - A 28-year-old woman sustained serious injuries after she was run over by her boyfriend’s car in Sharjah on Monday evening... A day before the incident, she said, she had a talk with him about their future, during which her boyfriend remained non committal. This prompted the woman to follow and spy on her boyfriend... She claimed that when she confronted him, he ran over her with his car twice. (more)

37 Industrial Espionage Tactics that Threaten to Kill Your International Business

By Santiago A. Cueto
Industrial Espionage is the biggest threat to U.S. business interests. No other threat even comes close. It’s the fastest and least expensive way for our foreign competitors to bridge the innovation gap with the U.S. Using cutting-edge technology and age-old techniques of deceit and manipulation, corporate spies are the greatest post-cold war threat to international business. 

Today’s international conflicts are not limited to nation to nation disputes. Increasingly, they include corporation versus corporation. (The 37 Tactics)

NSA Quits Spying on Americans Out of Disgust

Citing an endless river of filth, vacuous conversations, idiotic Tweets and endless cat videos, the NSA announced it is “freaking done” with spying on Americans.

The NSA decision came only hours after thousands of analysts, following similar threats at CIA, said they planned to quit and apply for jobs as Apple Geniuses and Best Buy Geek Squad Support workers. 

Speaking on background, one disgruntled NSA employee said “Go ahead, throw me in jail for an Espionage Act violation, that would be better than doing this job." (more)