Wednesday, April 27, 2016

CBRE Made the Forbes Best Employers List - Partly with Good Infosec

via Forbes, April 19, 2016...
Cone of Silence chairs + a Clear Desk Policy = Security, and a competitive advantage in the eyes of their customers. Smart.

CBRE Group, Inc. is an American commercial real estate company with headquarters in Los Angeles, California. As of its successful 2011 bid to acquire part of ING, CBRE was the world's largest real estate investment manager. Wikipedia

Monday, April 25, 2016

Please tell us that You Didn't Sign a "Monitoring Consent Form"


"We will look at an app called xnspy that is used for spying on Android phones since a lot of businesses are starting to focus on employee productivity during office hours, more and more companies have implemented signing of monitoring consent forms as a part of their hiring process. They then give their employees company-owned smartphones/tablets with a pre-installed monitoring app. 

When it comes to tracking and monitoring for use by businesses and for spying on Android phones, we found xnspy to be the torch bearer. It has all the fundamental features that such an app should have, it has a small footprint, it’s discrete, does not use up resources. All these factors count a lot when it comes to monitoring and tracking, it would be a nightmare for the device user if the app slowed down the device and drained the battery.

Xnspy works in the background providing the app user with data such as call records and recordings, text messages from SMS, IM Chats and emails, a complete list of Contacts stored on the device along with a list of all installed apps. Besides these functions the app provides the browsing history and bookmarks of the device user; it also gives the location history of where the device has been. 

All of this is made accessible through a web-based dashboard that can be virtually accessed from anywhere in the world. The app user can use a single dashboard to control multiple devices. Xnspy offers two packages a Basic Edition and a Premium Edition." more

Edward Snowden Will Sue Norway

Edward Snowden will sue Norway in an attempt to secure free travel to the country, a Norwegian law firm representing him told Reuters Thursday.

The ex-contractor at the U.S. National Security Agency (NSA) has been invited to Norway to receive an award for his work defending free speech, but his attorneys said he is worried that traveling there would allow the Norwegian government to extradite him to the U.S., where he is wanted on charges of espionage.

The Norwegian branch of the global organization of writers PEN International, which hopes to give Snowden the free speech award, said in a statement that “we will do our utmost to ensure that Snowden may receive the prize in person.” more

Finally, an American Spy is Honored – Show Us the Money

It took nearly a century to get a woman on the front of the $20 bill, but only about a year for a small New Jersey company to contribute a vital two cents to the effort.

Since April 2015, Montclair-based Mosaic Strategies Group has helped manage a website for Women on 20s to make the country's currency co-ed — one that finally paid off big last week when the U.S. Treasury announced Harriet Tubman would replace Andrew Jackson on the $20 bill.

Gov. Chris Christie...
"As long as the $20 bill still works when I hand it to somebody, I quite frankly don't really care who's on it," Christie said Friday. more

True to its nature, Comedy Central’s Drunk History, shed some light on a lesser-known chapter of Tubman’s life in a September 2015 episode entitled “Spies.”

In one segment, ... a slightly inebriated Crissle West relates Tubman’s less-heralded exploits. “Harriet Tubman does not get her just due,” West explains. “You hear her name and think she led the slaves to freedom. But you most certainly do not know that she was a spy for the Union.” more

Did Edison Also Invent Corporate Spying?

He's known for the light bulb, recordings, motions pictures and discoveries too numerous to mention. But did Thomas Edison also condone corporate spying on his enemies? Did he help create corporate espionage? 

While he may not have invented it ... information from one of his employees can certainly be interpreted that way.

McCoy is on the left.
That employee was Joseph F. McCoy, who was hired at 20 years of age to work for the Edison Company. Not much is known about him except some basic details, but as Sloat-Olsen told the story of his jobs over the years, McCoy emerges as a shadowy figure, but influential in numerous ways...

In electric light dealings, companies like American Electric, U.S. Electric Company and Westinghouse were all on Edison's radar, so Sloat-Olsen says McCoy was sent to work at each of those companies, without their knowing he was an Edison employee, to find out about their plans or if they could be bought out. more

DIY - Tiny FM Spy Bug for Under $20.

from the creator...
"I wanted to know how small a FM spy bug could be build when manually assembled.

This is what I came up with, it measures about 0.05 square inches and is powered by a single 1.55V silver oxide battery.

Frankly, this is just a fun object, I don`t have a practical use for it.

I`m sure professionally made spy bugs could even be smaller and work at higher frequencies which allows the antenna to be made smaller." more

The complete instructions and Gerber files (for PCB manufacturing) for this FM spy bug are available on Gumroad and Payhip:

Thursday, April 21, 2016

Every Goverment Has These Spy Warnings... but love is blind.

via boingboing...
In this Chinese government comic book, women are warned that mysterious foreign strangers who pitch woo at them are secretly Western spies trying to get at their government secrets.

The reader is warned that they could go to jail for 10 years if they are foolish enough to let these Lotharios trick them into revealing state secrets.

It's a charmingly sexist and xenophobic piece of work, with shades of Jack Chick. More interesting is the parallels to the materials that the US Government has produced for their own employees to warn them about the spies who might use breached data from the Office of Personnel Management to chat them up at conferences and trick them out of America's state secrets. more

You can see the full comic here. ~Kevin

Information Security and Cryptography Seminar - Zurich, Switzerland

Time to make your travel plans...

As a friendly reminder, we are pleased to announce our seminar in Information Security and Cryptography. A full description of the seminar, including a detailed listing of topics covered, is available at


This seminar provides an in-depth coverage of Information Security and Cryptography. Concepts are explained in a way understandable to a wide audience, as well as mathematical, algorithmic, protocol-specific, and system-oriented aspects.

The topics covered include cryptography and its foundations, system and network security, PKIs and key management, authentication and access control, privacy and data protection, and advanced topics in cryptography.

The seminar takes place in Zurich, Switzerland. The lectures and all course material are in English.

With kind regards,
Ueli Maurer and David Basin
Advanced Technology Group

FutureWatch: Your Brain Will Replace Your Fingerprints for ID

Psychologists and engineers at Binghamton University in New York have hit a milestone in the quest to use the unassailable inner workings of your brain as a form of biometric identification. They came up with an electroencephalograph system that proved 100 percent accurate at identifying individuals by the way their brains responded to a series of images.

“It's a big deal going from 97 to 100 percent because we imagine the applications for this technology being for high-security situations,” says Sarah Lazlo, assistant professor of psychology at Binghamton who led the research with electrical engineering professor Zhanpeng Jin.

Perhaps only one other such experiment in the long quest for this ultimate biometric has hit the 100 percent mark, and the Binghamton system has some advantages over even that one. For one it proved itself with less complex equipment and in a larger group, identifying 50 people. But perhaps more importantly this new form of ID can do something fingerprints and retinal scans can’t: It can be “cancelled.” That’s important because hackers have shown that fingerprints can be stolen and faked. more

Tuesday, April 19, 2016

"I've got your number," The Telephone Wiretap Hack

A US Congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used.

The stalking of US Representative Ted Lieu's smartphone was carried out with his permission for a piece broadcast Sunday night by 60 Minutes. Karsten Nohl of Germany-based Security Research Labs was able to record any call made to or from the phone and to track its precise location in real-time as the California congressman traveled to various points in the southern part of the state. At one point, 60 minutes played for Lieu a crystal-clear recording Nohl made of one call that discussed data collection practices by the US National Security Agency. While SR Labs had permission to carry out the surveillance, there's nothing stopping malicious hackers from doing the same thing.

The representative said he had two reactions: "First it's really creepy," he said. "And second it makes me angry. They could hear any call. Pretty much anyone has a cell phone. It could be stock trades you want someone to execute. It could be a call with a bank." more

Why Blackberry is No Apple

BlackBerry appeared Monday, April 18, to acknowledge it helped Canadian federal police crack a Montreal crime syndicate that had been using its messaging system,

while insisting its smartphone security remains impenetrable.

In a blog post, BlackBerry chief executive John Chen reiterated the company's long-held stance "that tech companies as good corporate citizens should comply with reasonable lawful access requests."  more

Chinese Spy Sentenced to Death... by China

A Chinese man has been sentenced to death for leaking more than 150,000 classified documents to an unidentified foreign power, state television said on Tuesday, offering unusual details of a kind of case rarely mentioned in public.

The man, a computer technician from Sichuan named as Huang Yu, worked for a government department which handled state secrets, but he was a bad employee and was sacked, the report said. more

Monday, April 18, 2016

Spycam Lawsuit: Employee Known Video Voyeur - Store Manager Did Nothing

A Colorado Springs woman is suing Reebok International, a Reebok Outlet Store, and a teenage store employee over a Peeping Tom incident... Christina Selvig said she caught a glimpse of Austin Kyle Baker looking over the top of the wall into her changing room...

She immediately informed the store manager who did nothing more than take her name and number and promised to get back with her the next day, which didn’t happen.

Selvig wasn’t sitting around waiting for action on the store’s part, she had already informed the police, who also didn’t take her complaint that seriously initially, chalking the incident up to an accident.

...three days later, Baker confessed to spying on Christina, in addition to several more women. An investigation revealed that at least one other employee was aware that Baker was a video voyeur, and continued to allow the behavior.

Law enforcement told her that he had turned over his phone... Forensics came back with footage of her, as well as deleted videos of other women. more

Here comes another big pockets settlement. If your company offers employees, visitors and/or customers "expectation of privacy" areas, you better begin doing your due diligence. Start here.

Thursday, April 14, 2016

FutureWatch – If Walls Have Ears, Why Not Eyes?

Researchers have developed a sheet camera with a flexible lens array which could be wrapped around everyday objects, turning them into cameras. The project, which uses elastic optics, could also see the development of credit card-thin cameras which a photographer simply bends to change the field of view.

While we've previously seen researchers miniaturizing cameras and lenses so they can be used in new situations, the team from Columbia University has taken a different approach. Led by Shree K. Nayar, T.C. Chang Professor of Computer Science at Columbia Engineering, it looked at producing a sheet camera which would enable any surface to capture visual information.

Using traditional fixed focal length lenses in such a lens array would mean that as the array sheet is bent, gaps are formed between the lenses' fields of view, meaning information is missing. As such, the researchers set about designing a flexible lens array which also adapts its optical properties when the sheet camera is bent. more

The C-Suite CRO – Chief Risk Officer

A growing number of organizations are adding a new member to the C-suite—the chief risk officer (CRO)—and the rise of these executives is having a direct impact on the security programs at enterprises. 

Corporate espionage, terrorism and cyber attacks are ratcheting up the need for senior executives who understand all aspects of risk management and security,” says Jeremy King, president of Benchmark Executive Search, a provider of technology executive search services.

“Many companies are finally awakening to how destructive security breaches of all types can be—from physical damage and real costs to reputation loss and customer recovery,” King says. “Previously siloed risk-management functions must be reinvented, strengthened, and funded more aggressively. Industry must re-evaluate its approach to risk management, and success will require unprecedented cooperation from board directors and those in the C-suite.” more

The Defend Trade Secrets Act

The Defend Trade Secrets Act, co-sponsored by Sen. Orrin Hatch, R-Utah, and Chris Coons, D-Delaware, passed the Senate with an 87-0 vote, and is expected to go to the House of Representatives within the next couple of months...

The Defend Trade Secrets Act, if passed, would allow companies who are victims of trade theft to go straight to federal court with the case. more

Demonstrations Continue In Macedonia After Presidential ‘Pardon' In Wiretapping Scandal

Protesters in Macedonia, angry about President Gjorge Ivanov's decision to halt prosecutions of officials linked to a wiretapping scandal, have broken into one of the president's offices.

The demonstrators on April 13 broke windows of the street-level office in central Skopje that is occasionally used by Ivanov, storming into the building and ransacking rooms inside.

Demonstrators also broke windows and clashed with police at the nearby Ministry of Justice, while another group of protesters clashed with police at blockades that were erected around the parliament building.

Thousands of demonstrators were on the streets for a second night on April 13. Some threw eggs and stones at government buildings while others set off flares before police used batons to disperse the crowd.

Ivanov has faced harsh criticism at home and abroad for his decision to halt all criminal proceedings against politicians and government officials suspected of involvement in a wiretapping scandal involving thousands of people. more video

Monday, April 11, 2016

Video and Audio Surveillance: Trains... Planes and Automobiles Next?!?

Casual commuter conversations on light rail trains have an unexpected eavesdropper — NJ Transit.

Video and audio surveillance systems designed to make riders more secure are also recording the conversations of light rail passengers at all times.
NJ Transit officials say the on-board cameras and audio surveillance systems are needed to fight crime and maintain security.

But does on-board surveillance go too far when the agency records everything passengers are saying, without telling customers how long they keep or who has access to the recordings? more

Thursday, April 7, 2016

Quantum Cryptography Breakthrough - FutureWatch: Ultra-Secure Communications

Researchers at the University of Cambridge and Toshiba's European research branch have found a way to speed up the rate at which data can be securely transmitted using quantum cryptography. It's a development that could pave the way to faster, ultra-secure communications that are impossible to spy on.

Many of the encryption methods that keep our online data safe rely on a digital key which is very hard for computers to crack – for instance, requiring the identification of two very large prime numbers, which standard computers are very poor at. But if a powerful quantum computer were to be built, it could crack these types of code with ease and jeopardize the safety of our digital communications.

The only encryption method that has been proven to be completely secure if applied correctly – quantum computers or not – is the so-called "one-time pad." Here's how it works: first, a secret digital key is created consisting of a completely random sequence of bits. The key is then securely sent to the receiver, and kept private. Now, the sender can encrypt his message by adding the message's bits to the random bits of the key. Under these conditions, the code is deemed truly uncrackable. more

Google Reports: Kevin's Security Scrapbook has Just Passed 900,000 Pageviews!

Proof Almost 50% of People are Computer Security Morons

In what’s perhaps the most enthralling episode of the hacker drama Mr. Robot, one of F-Society’s hackers drops a bunch of USB sticks in the parking lot of a prison in the hopes somebody will pick one up and plug it into their work computer, giving the hackers a foothold in the network. Of course, eventually, one of the prison employees takes the bait.

Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year.

As it turns out, it really works. In a new study, the researchers estimate that at least 48 percent of people will pick up a random USB stick, plug it into their computers, and open files contained in them. Moreover, practically all of the drives (98 percent) were picked up or moved from their original drop location. Very few people said they were concerned about their security. Sixty-eight percent of people said they took no precautions... more

The Voyeur Who Bought A Hotel To Spy On His Guests

A historically interesting essay in The New Yorker, and a cautionary tale.

Erin Andrews was not the first victim of hotel voyeurism, and she won't be the last. more

Wednesday, April 6, 2016

A Wi-Fi that Knows Where You Are

There's a lot of buzz around "smart home" products and the convenience of advanced automation and mobile connectivity. However, new research may soon be able to add extra emphasis on "smart" by enhancing wireless technology with greater awareness. A team at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) has developed a system that enables a single wireless access point to accurately locate users down to a tenth of a meter, without any added sensors.

Wireless networks are good at quickly identifying devices that come within range. Once you link several access points together, it becomes possible to zero in on someone's position by triangulation. But this new wireless technology – dubbed "Chronos" – is capable of 20 times the accuracy of existing localization methods. Through experiments led by Professor Dina Katabi, Chronos has been shown to correctly distinguish individuals inside a store from those outside up to 97 percent of the time, which would make it easier for free Wi-Fi in coffee shops to be a customer-only affair, for example.

A paper on the research was recently presented at the USENIX Symposium on Networked Systems Design and Implementation (NSDI '16).  more

Monday, April 4, 2016

A $40 Attack that Steals Police Drones from 2km Away

Black Hat Asia IBM security guy Nils Rodday says thieves can hijack expensive professional drones used widely across the law enforcement, emergency, and private sectors thanks to absent encryption in on-board chips.

Rodday says the €25,000 (US$28,463, £19,816, AU$37,048) quadcopters can be hijacked with less than $40 of hardware, and some basic knowledge of radio communications.

With that in hand attackers can commandeer radio links to the drones from up to two kilometres away, and block operators from reconnecting to the craft.

The drone is often used by emergency services across Europe, but the exposure could be much worse; the targeted Xbee chip is common in drones everywhere and Rodday says it is likely many more aircraft are open to compromise. more

Sunday, April 3, 2016

19 Years Ago: Economic Espionage in America - Booknotes Interview on C-Span

A fascinating video interview with the author of Economic Espionage in America.
As relevant today as it was in 1997. description: "Industrial espionage, economic espionage or corporate espionage is a form of espionage conducted for commercial purposes instead of purely national security. Economic espionage is conducted or orchestrated by governments and is international in scope, while industrial or corporate espionage is more often national and occurs between companies or corporations." more

UK Launches National Cyber Security Centre

UK - Setting out in stark terms that the UK faces a growing threat of cyber-attacks from “states, serious crime gangs, hacking groups as well as terrorists”, 

Cabinet Office Minister Matthew Hancock announced the launch of the National Cyber Security Centre (NCSC)...

Led by current Director General for Cyber at GCHQ, Ciaran Martin, the NCSC has been set up to ensure that people, public and private sector organisations and the critical national infrastructure of the UK are safer online. It will bring the UK’s cyber expertise together to transform how the UK tackles cyber security issues and seeks to establish itself as the authoritative voice on information security in the UK. more

Dating Deck Stacked with Secret Eavesdrop Feature

Boompi works like most other dating apps...

Here’s the catch: If you’re a girl, you can invite your female friends to secretly join your private conversations, without your potential suitors ever knowing. 

If you’re a girl on Boompi and you start a chat with someone, you can invite your girl friend to eavesdrop on that conversation at any time. 

Your friend will be able to see every message sent since the beginning of the chat, and leave their own comments in the conversation, which only you will be able to see. And if you aren’t interested in finding a date and only want to read your friends’ chats, you can do that too—Boompi allows female users to use “Ghost Mode,” which makes sure guys never see their profile. more

Corporate Espionage: Move to Zap Zillo for $2 Billion

One of the most contentious fights in the history of real estate listings is going nuclear, thanks to a “staggering” claim of damages from Move in its trade secret theft lawsuit against Zillow.

According to legal documents obtained by HousingWire, Move, which operates for the National Association of Realtors, is claiming that Zillow owes the company $2 billion in damages over allegations of trade secret theft involving Errol Samuelson, who was once Move's chief strategy officer...

Move filed suit against Zillow after Samuelson left, alleging that Samuelson and Zillow stole trade secrets and proprietary information, and that they then made efforts to cover up the alleged theft...

The original lawsuit alleged breach of contract, breach of fiduciary duty and misappropriation of trade secrets and accused Samuelson of misappropriating trade secret information by acquiring it using improper means, and by copying it without authorization.

“Plaintiffs (Move) have asserted a huge case,” Zillow notes in the legal filing. “They claim $2 billion in damages, assert 46 separate trade secrets (not including the 1000-plus documents claimed as trade secrets in their entirety) and have assigned at least 29 different lawyers to prosecute their claims.”  more

Spy Agency Few Know Gets Free Land for HQ

A US spy agency's new $1.7 billion western headquarters will be constructed in St Louis, Missouri...

NGA Campus East, the headquarters of the agency
The National Geospatial-Intelligence Agency (NGA) hopes to build its new western HQ in north St Louis, where it was offered free land...

So what exactly is the NGA?

The NGA is part of the Department of Defense and works with the CIA and the Air Force to provide intelligence that is largely geographical in nature...

According to the NGA, "anyone who sails a U.S. ship, flies a U.S. aircraft, makes national policy decisions, fights wars, locates targets, responds to natural disasters, or even navigates with a cellphone relies on NGA." more

Saturday, April 2, 2016

The Erin Andrews $55,000,000 verdict: Can it happen to your property?

by David C. Tryon - Porter Wright Morris & Arthur LLC

If you own or manage a hotel or inn, the Erin Andrews $55,000,000 verdict probably caught your attention. You wonder, “could that happen to my hotel?” Yes it can...

One fact which has not been widely reported is that Andrews’ room was allegedly on a “secure floor” – a designation which likely has varying meanings to property owners and guests. Barrett was able to use his immediate proximity to tamper with the peep hole on Andrews door at an ideal time – allowing him to see from the outside in. A disturbing reality is that anyone can do this with a readily available $60 (or $12.99) device. Barrett then videoed Andrews nude in her room without being detected by the hotel staff. He later posted the video on the Internet, which subsequently went viral...

So, what steps can you take to prevent something like this from happening to your property? Start by having a very direct conversation with your staff about your security measures. Assess what efforts you have in place and if those efforts should be enhanced. Ask yourself these questions... more

PS - Hotels are not the only vulnerable targets. The term "property" easily expands to include: country clubs, gyms, schools, hospitals, and more. In fact, all corporate locations offering rest room / maternity room / changing room / shower and locker room facilities to their employees and visitors is at risk. 

The best first steps to protecting yourself and your company:
1. Have a written Recording in the Workplace Policy in place.
2. Train security and facilities employees how to conduct inspections for spycams.
3. Conduct in-house spy camera inspections periodically, and document your efforts.

Friday, April 1, 2016

Spycam Lawsuit: Female Oil Rig Worker Sues for $1 Million

It looked like a normal clothing hook -- small and unsuspecting, mounted on the back door of her sleeping quarters on the Transocean Deepwater oil rig.

But to her, for some reason it just didn't feel right.

"The rooms are pretty bare and minimum, so when you notice something that's different, it kind of sticks out to you."

Though 26, she'd been on plenty of rigs before. In fact, she'd spent much of her life dedicated to working offshore in the Gulf of Mexico. But she says she'd never seen something like this.
"It was out of place."

She dismissed the weird feeling and thought to herself, "Well, it must just be extra storage."
That was a Friday in August 2015. Four days later, the hook was gone. more