Sunday, June 25, 2017

Dumb Thought #1: Spying — Dumb Thought #2...

On June 22, Kevin Patrick Mallory was brought before a US federal judge for his first hearing on charges that he sold highly classified documents to a Chinese intelligence agent.

These documents, which are considered "National Defense Information," included at least one Top Secret document and three classified as Secret and were found on a phone Mallory had been provided by his Chinese contacts.

Mallory, a 60-year-old former Central Intelligence Agency employee, had thought the documents were in messages that had been deleted automatically from the device. Mallory faces life in prison if convicted. more

Saturday, June 24, 2017

Things We See — Blue Bucket Blues

Not all information security issues are this obvious. 
Finding all of them requires an independent Technical Information Security Survey. more

Business Espionage: America's Cup Teams Spy

The definition of a spy is that he or she operates furtively. But there's been no secrecy around the blatant spying of Oracle and Team New Zealand on each other's boats during the five-day America's Cup break.

Both teams have dropped all pretense about their intelligence-gathering ahead of the final resuming in Bermuda this Sunday New Zealand time.

With Peter Burling and the red-hot Kiwis leading 3-0 in the first-to-seven-wins showdown, desperate Oracle spies went about their work today with the subtlety of a sledgehammer...

Team New Zealand has been doing the same thing, assiduously gaining as much information as possible... more

How a Calgary Woman Brought Down the CanadaCreep Account

Canada - The Twitter user who initially raised alarm about the 'CanadaCreep' is relieved to hear her actions may have taken a voyeur off the street.

Jeffrey Robert Williamson, 42, is accused of filming women without their knowledge and posting the images online under the Twitter handle ‘CanadaCreep.’

He was charged last week with three counts each of voyeurism and publication of voyeuristic recordings in relation to three alleged incidents and later released on bail, but freedom would be short-lived... more

Snapchat is Now Your New GPS Ankle Bracelet

Bored Snapchat users looking for something to do should update their apps today: they'll be greeted with a new map view that shows where exactly their friends are and what they're up to. 

Snap Map, as the company is calling it, can be activated by pinching your fingers together on the camera view when you first start the app. Once in map view, you'll see "Actionmoji" versions of your nearby friends, which include their names and profile photos in a configuration that vaguely resembles the tags you might find on plants for sale at the nursery.

When you tap on one of your friends' icons, you'll see stories they've posted recently...

What if none of your friends are around or they haven't posted anything interesting recently? Not to worry: the map view will also show a heat map based on the activity of other Snapchat users. more

Friday, June 23, 2017

TSCM Questions We Get - "How small is a bug's microphone?"

A. Very small.
You probably carry the one shown in the photo, in your cell phone.

In some cases, microphones are invisible. Before you say impossible, hear me out...

You are surrounded by items which can be commandeered for surveillance eavesdropping wherever you go. Solids and liquids conduct sound even better than air. Vibrations through these items may be picked up and amplified at some distance using: a piezoelectric contact microphone, a hydrophone, or light / sound beams (laser / ultrasonic).

Optimic1140 fiber optical microphone
There is also one esoteric microphone to consider—the fiber optic microphone. No wires. No electricity. Just connected to a clear glass thread.

It is so unusual, many people who claim to be technical surveillance countermeasures (TSCM) technicians don't know it exists.

So, when you add Technical Information Security Surveys to your organization's security program, ask the vendor what they know about fiber optic microphones. Good ones will tell you all about it, and how it works. They will also be impressed with you for asking.

Wednesday, June 21, 2017

Security Alert: If Your Phone Says Avaya... ask IT about this.

Internet telephony company Avaya has patched a high-severity vulnerability in its Aura Application Enablement Services product that put phone call and API data running through the server at risk for interception.

Researchers at Digital Defense found a vulnerability where an attacker could, without authentication, abuse Remote Procedure Calls (RPC) into the server and modify input in such a way that they would be granted remote administrative access...

“Anything that passes through that server [would be at risk],” said Mike Cotton, vice president of research and development... “An attacker could send malformed input at the interfaces and take control over the service and any voice data...  “Eventually you can get root command through remote compromise,” he said.

In an advisory updated June 14, Avaya said versions 6.3.1, 6.3.2, 6.3.3 and 7.x are affected. The company said that versions 6.3.1, 6.3.2 and 6.3.3 should install Super Patch 7 and apply AE Services security hotfix. Users on 7.0.x should upgrade to 7.0.1 and install Super Patch 4 and AE Services security hotfix as well. Users on 7.1 should apply AE Services Security Hotfix.

“Certainly for enterprises that use the product, this is a high-impact vulnerability,” Cotton said. “The ultimate severity is how many business-critical apps are attached to this thing and where it’s sitting within the network infrastructure. This is something I would prioritize and move to the top of patching lists.” more

Tuesday, June 20, 2017

Be Successful Like Apple - Get Serious About Information Security

A recording of an internal briefing at Apple earlier this month obtained by The Outline sheds new light on how far the most valuable company in the world will go to prevent leaks about new products.

The briefing, titled “Stopping Leakers - Keeping Confidential at Apple,” was led by Director of Global Security David Rice, Director of Worldwide Investigations Lee Freedman, and Jenny Hubbert, who works on the Global Security communications and training team...

The briefing, which offers a revealing window into the company’s obsession with secrecy, was the first of many Apple is planning to host for employees. In it, Rice and Freedman speak candidly about Apple’s efforts to prevent leaks...

Director of Global Security, David Rice...“We deal with very talented adversaries. They're very creative and so as good as we get on our security controls, they get just as clever.” more

If your security plan does not include Technical Information Security Surveys, contact me. ~Kevin

Friday, June 16, 2017

Why You Need a Technical Information Security Survey - Reason #413

Reason #413 - Yes, they are out to get you.

Here is a brief excerpt from an Entrepreneur Magazine article I read recently. It's entitled: 

3 Reasons You Should Spy on Your Competition 

"One of the best ways to thoroughly understand your market is to take a look at your competition. By not spying, you are at a significant disadvantage. 


Here are three reasons it’s a good idea to spy on your competition…
  1. Without spying, it’s impossible to know what you’re up against -- as a result, you can’t completely prepare.
  2. It’s easy to do. Don’t be discouraged from spying on your competition by assuming that it is daunting or resource intensive. 
  3. It would be wasteful to not spy. Speaking of wasted resources, without spying on your competition it’s very easy to waste time trying to find your ideal market and your reach."

Although the article does not advocate anything illegal, do you really think a budding entrepreneur ingesting this advice will stop after tasting (legal) low-hanging fruits of knowledge? No, forbidden fruit is even more nourishing. They will "ladder up."


There have always been industrial espionage spies and business espionage tricks. Heck, the Industrial Revolution in the U.S. began this way. The Chinese lost their secrets of silk this way. But spying, as a method of getting ahead in business, was not encouraged by the media of the day. Children were taught entrepreneurial ideals, like: hard work, independence, persistence, and inventiveness.

So, how did we get to the point of, "Screw it, let's just spy!"

Corrosion of societal mores is an evolutionary process. Some of you will remember the days when kids had heroes who exemplified moral codes: The Shadow ("The weed of crime bears bitter fruit. Crime does not pay."), Joe Friday (Dragnet), Dan Matthews (Highway Patrol), The Lone Ranger, etc. Others may remember the glamorization of the "good" spy from TV shows like: Secret Agent Man, The Man from U.N.C.L.E., Mission Impossible, and The Prisoner.

These radio and TV shows still languish deep in digital tombs like YouTube; as forgotten as the Greek Chorus. On the bright side, at least these morality plays still exist.

1960s spy shows spawned a huge market for children’s spy toys. The market remains strong today, and much more technically advanced.

For decades, children have grown up with spy toys. Spy toy manufacturers blatantly promote spying as cool and fun.

The morally strong TV heroes children used to look up to have disappeared. Today’s “Super Hero” has little connection with reality. The good vs. evil dividing line in the plots has become fuzzy. The super heroes themselves are confusing. Dark sides and moral cracks have infected the genre. Several generations of children have been desensitized to spying, and now, as adults, their moral compasses look like Batman fidget spinners.

Today’s Reality

The workplace is now filled with former children who have no compunction about spying. Almost everyone has a spy tool in their pocket that Maxwell Smart could only dream about. And, if one needs a thumb-sized bug that can be listened in on via a cell phone, from anywhere in the world… it can be purchased on eBay for less than $25.00.

Analysis of Business Espionage Today
   • Risk level: Low.
   • Reward level: High.
   • Why people spy in the workplace:
          - Money.
          - Power.
          - Sex.
   • Surveillance Tools:
          - Inexpensive.
          - Readily available in spy shops and on the Internet.
          - Untraceable when purchased from foreign countries.

Other Contributing Factors…
  • The mores about eavesdropping and espionage have changed.
  • Increased competitive pressures placed on employees, consultants and businesses force ethics bending.
  • Media glorification presents spying as sexy and justifiable.
  • Since the 60's, spy toys and games have been actively promoted to children as being fun and acceptable. Children grow up.

“We don’t need a Technical Information Security Survey. We’ve never had a spying issue here.”

How would you know?

Spy Rule #1 - Stay undetected. 
By definition, successful espionage goes undetected; only failures become known.

If you ignore business espionage, or decide to take a “risk-assessment” gamble, you will never know if you’re bleeding information. (Parasites don’t alert their hosts.)

Business espionage can be forced to fail.
Actively look for:
  • evidence of information loss,
  • evidence of electronic surveillance: audio, video and data,
  • information loss vulnerabilities in: the workplace, your transportation, your home office, and at off-site meeting venues,
  • loopholes in your perimeter security,
  • decaying or broken security hardware, upon which you rely,
  • information security policies employees no longer follow,
  • information security vulnerabilities inherent in normal office equipment,
  • and, an independent security consultant, whose specialty is the Technical Information Security Survey, to do this for you.

Vigilant organizations conduct these surveys during off-hours, on a quarterly basis. Diligent organizations tend to have their surveys conducted biannually. Negligent organizations, well, they just have their pockets picked. The point is, re-inspections limit windows-of-vulnerability. They also cost less.

An independent consultant’s report is proof of the organization’s due diligence, and may be very helpful in showing enhanced duty of care for trade secrets and other sensitive information in legal settings.

Considering what is at stake, a Technical Information Security Survey is very economical insurance, even better than insurance… it can prevent losses in the first place. Add it to your security program.

Wiretapping in the Workplace

by Benjamin E. Widener - Stark & Stark

The recent turmoil, investigation and controversy surrounding President Donald Trump’s firing of former FBI Director James Comey has thrust the issue of wiretapping into the public and political spotlight. “James Comey better hope that there are no ‘tapes’ of our conversations before he starts leaking to the press!,” President Trump tweeted on May 12, 2017, suggesting that “tapes” of his private conversations with Director Comey might exist...

All of this commotion prompted me to think about wiretapping in the workplace and, specifically, the issue of audio recordings or, as President Trump has expressed, “tapes” of conversations secretly recorded by an employer of its employees. What types of audio or tape recordings are legally permitted in the employment environment? more

Extra Credit: Workplace Eavesdropping - Time to Consider a Recording in the Workplace Policy

Android Malware - Steals Personal Data, Then Covers its Tracks

A new variant of Android malware is making rounds in the Google Play store and it is bad news all around.

According to Trend Micro, a Trojan dubbed Xavier, which is embedded in more than 800 applications on Android’s app store, clandestinely steals and leaks personal data.

Mobile malware is not new to the Android platform, but Xavier is a little more clever. It downloads codes from a remote server, executes them, and uses a string encryption, Internet data encryption, emulator detection, and a self-protect mechanism to cover its tracks. more

Wednesday, June 14, 2017

Foscam Remote Control Video Cameras: Pull Plug for Now

A Chinese company warned Monday that some of its remote-controlled video cameras contain flaws that a security firm said could be used in cyber attacks and cyber espionage.

The notice sent by Foscam USA, a subsidiary of Foscam Intelligent Technology Co. Ltd. that sells internet-linked video cameras, said in an urgent notice that 12 models made by China-based Shenzhen Foscam contain security flaws.

The flaws could allow the cameras to be taken over and used in massive cyber strikes called distributed denial of service attacks.

"Foscam US has been notified of 18 security vulnerabilities that exist on cameras manufactured by Shenzhen Foscam which leave users vulnerable to hacks which allow attackers to remotely take-over cameras, live stream, download stored files, and even compromise other devices located on the local network," the company said.

The company urged users to disconnect the cameras from the internet until the security vulnerabilities can be patched. more

The hackability of these cameras was first reported here in 2013.

The models affected include the following:
C1 Lite

Monday, June 12, 2017

Ponder of the Week

Lawyers and manufacturers are also vulnerable to corporate espionage.  Months can go by before they even realize they've been hit. — Mandy Simpson, CEO, Cyber Toa

No Jail Time for Teacher who hid Camera in Washroom

Canada - A former Brantford-area teacher and school administrator was handed a conditional sentence Thursday for various voyeurism-related offences. 

Brent Hachborn will spend eight months under house arrest. He will also serve a two-year probation term.

Hachborn once worked as a teacher at James Hillier Public School in Brantford. After he moved to another school, a camera was discovered in the school’s staff washroom.

Investigators later learned that Hachborn used three different cameras in a rotation. They had been there for about a year before anybody noticed – containing dozens of videos and 1,300 photographs of adult men in total. more

Early Radio Head Gear

According to an August 1930 issue of Modern Mechanix, a Berlin engineer invented the hat, which allowed its wearer to “listen to the Sunday sermon while motoring or playing golf, get the stock market returns at the ball game, or get the benefit of the daily dozen while on the way to work by merely tuning in.”

This was not, however, the first radio hat. The technology appears to date back to the early 1920s; a Library of Congress photo taken “between 1921 and 1924” features a man with a radio hat similar to Pathetone Weekly’s. Ultimately, neither hat seems to have made much of a splash among the public—but a radio hat designed two decades later certainly did.

In 1949, a Brooklyn novelty store introduced what they called “The Man From Mars Radio Hat.” A flurry of articles promoting it followed, as did a temporary buying frenzy.

In one article, LIFE Magazine called the Man From Mars Radio Hat “the latest and silliest contribution to listeners who feel compelled to hear everything on the air.” more

Sunday, June 11, 2017

NSA’s Leaked Bugging Devices - Reverse Engineered

Radio hackers have reverse-engineered some of the wireless spying gadgets used by the US National Security Agency. Using documents leaked by Edward Snowden, researchers have built simple but effective tools that can be attached to parts of a computer to gather private information in a host of intrusive ways.

The NSA’s Advanced Network Technology catalogue was part of the avalanche of classified documents leaked by Snowden, a former agency contractor. The catalogue lists and pictures devices that agents can use to spy on a target’s computer or phone. The technologies include fake base stations for hijacking and monitoring cellphone calls and radio-equipped USB sticks that transmit a computer’s contents.

But the catalogue also lists a number of mysterious computer-implantable devices called “retro reflectors” that boast a number of different surreptitious skills, including listening in on ambient sounds and harvesting keystrokes and on-screen images. more

Friday, June 9, 2017

Defamation Lawsuit Filed over Methodist Hospital Phone Bugging Claims

A Houston Methodist doctor has filed a lawsuit against the hospital claiming he was demoted for raising concerns about recording of conversations on hospital phone lines.

According to the lawsuit, Dr. Eric Haufrect MD was removed as vice chairman of Methodist's obstetrics and gynecology department after he raised concerns that the hospital was illegally recording conversations between staff and patients.

Haufrect learned of the alleged phone bugging in October 2016 after a nurse said a technician working on her phone explained it to her, according to the lawsuit.

When he alerted hospital administrators to the recording, they said his department could not opt out of recordings, the suit alleges. Haufrect said he raised concerns to several different parties in the hospital about potential HIPAA violations, including CEO Dr. Robert Phillips. more

Which is most secure: HomePod, Echo, or Google Home

Apple's HomePod, Google Home and Amazon Echo all encrypt the voice recordings sent to their respective servers. But there are varying degrees of how they keep the data secret...

"The recordings are securely stored in the [Amazon Web Services] cloud and tied to your account to allow the service to be personalized for each user," an Amazon spokeswoman said in an email.

Google Home 
Similarly, Google Home collects data from your apps, your search and location history, and your voice commands, which are all tied to your Google account... If a government agency requests data from Google or Amazon from a voice assistant, they can point to accounts associated with the user...

Home Pod
With anonymized IDs, Apple's speakers have a much more compelling argument for not handing over data: They can't find it. In the game of hide and seek with your voice data, the advantage -- for now -- goes to Apple. more

Wednesday, June 7, 2017

Yellow Printer Dots Nail Spy Agency Leaker

‘Colour printers spy on you’: Barely visible yellow dots lead to arrest of Reality Winner, alleged NSA leaker.

According to Rob Graham, who writes for the blog Errata Security, the Intercept’s scanned images of the intelligence report contained tracking dots – small, barely visible yellow dots that show “exactly when and where documents, any document, is printed.” Nearly all modern color printers feature such tracking markers, which are used to identify a printer’s serial number and the date and time a page was printed. 

“Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document,” Graham wrote. more

Long term readers of the Security Scrapbook already knew about this.
From 10 years ago... Is Your Printer Spying on You? Good!

When Your Stuff Spies on You

What do a doll, a popular set of headphones, and a sex toy have in common? All three items allegedly spied on consumers, creating legal trouble for their manufacturers.

In the case of We-Vibe, which sells remote-control vibrators, the company agreed to pay $3.75 million in March to settle a class-action suit alleging that it used its app to secretly collect information about how customers used its products. The audio company Bose, meanwhile, is being sued for surreptitiously compiling data—including users’ music-listening histories—from headphones.

For consumers, such incidents can be unnerving. Almost any Internet-connected device—not just phones and computers—can collect data. It’s one thing to know that Google is tracking your queries, but quite another to know that mundane personal possessions may be surveilling you too.

So what’s driving the spate of spying? more

Wartime Spies Who Used Knitting as an Espionage Tool

During World War I, a grandmother in Belgium knitted at her window, watching the passing trains. As one train chugged by, she made a bumpy stitch in the fabric with her two needles. Another passed, and she dropped a stitch from the fabric, making an intentional hole. Later, she would risk her life by handing the fabric to a soldier—a fellow spy in the Belgian resistance, working to defeat the occupying German force.

Whether women knitted codes into fabric or used stereotypes of knitting women as a cover, there’s a history between knitting and espionage. “Spies have been known to work code messages into knitting, embroidery, hooked rugs, etc,” according to the 1942 book A Guide to Codes and Signals. During wartime, where there were knitters, there were often spies; a pair of eyes, watching between the click of two needles. more

You Already Bugged Your Own House Years Ago

If you're unnerved at the prospect of an always-on mic in your home, then take a second to consider the ones that are already there... more

Saturday, May 13, 2017

FutureWatch - Bugs That Know What You Are Up To

Modern day sensors have become so small and sophisticated that gathering the data from a single point has become easy. The difficult part involves figuring out what to do with the information. Lead researcher Gierad Laput... “The average user doesn’t care about a spectrogram of EMI emissions from their coffee maker,” he said. “They want to know when their coffee is brewed.”
Synthetic Sensors aren’t just limited to detecting one activity or device at a time. The suite of sensors allows it to detect a variety of inputs at once... more

This Week in Spycam News - Cautionary Tales for our Times

• Fired former London teacher pleads to 16 charges for secret videos shot in staff changeroom at school. more

• “Roger” is a security guard. He’s vague on the exact details, but his jobs afford him access to several rooftops in the downtown area of an unnamed city. One of these roofs has a view of a high-rise hotel across the street. The building’s windows are so high up that guests tend to feel safe leaving the curtains open. So, Roger climbs out onto a ledge on the roof, trains his handheld high-zoom camera on the uncovered windows, and hits record. Then, if he happens to catch an unsuspecting woman, especially a naked one, he posts the video on the Internet. more

• Deputies in Chester charged a man with voyeurism Sunday after receiving a report that he hid a cell phone in a teen girl’s bedroom that took footage of her as she left the shower naked, police said. more


• A Kingston man has been charged by the Ontario Provincial Police in Quinte West after a woman reported a camera taking her picture. She had been in the changing area of a Trenton business when she noticed a camera taking a picture of her. At that time the OPP charged the accused with one count of voyeurism. more

• A man is charged with video recording a 16-year-old girl without her knowledge while she was in the shower, according to the Pinellas County Sheriff’s Office. more

• An ex-finance director who hid spycams to secretly film almost 700 videos of colleagues has walked free from court. Mark Logan planted the cameras in digital clocks in a toilet at the Wheatley Group offices in Glasgow city centre. The shamed 48 year-old also carried out the crime while on business trips in Edinburgh and London. A sheriff heard how Logan could be seen in footage putting a device on the bedside table of one of his victims... The secret cameras had been hidden in a toilet. Logan was snared when bosses at Wheatley discovered three digital clocks which had recording equipment inside them. more

• Former Palm Beach Gardens High School's athletic director William Weed has turned in his resignation. Weed was arrested Monday after an investigation that started in February. A police report stated that he used a covert camera to obtain videos and images of a female juvenile. more

Businesses: Embarrassment, reputation damage and lawsuits are the end result of these incidents. Learn how to protect your employees, customers, visitors and yourself. more

North Korean Spy News

• In a nation as bizarre as North Korea is, it comes as no surprise that their broadcasting of secret spy codes over the airwaves would be equally as bizarre.

While no official explanation for North Korea’s coded broadcasts has been solidified, many believe that the seemingly random numbers and phrases are codes understood by North Korean spies living under the radar in South Korea. more numbers stations

• North Korean prosecutors Friday demanded the extradition of those they say plotted to assassinate leader Kim Jong Un, including South Korea's outgoing spy chief and unnamed "masterminds" in the US Central Intelligence Agency.

The demand comes a week after the North sensationally alleged it uncovered a US-South Korean plot to kill Kim with biochemical, radioactive or poisonous substances during a major event, such as a military parade. more

Uber Spying - Waymo than you know says Google

Uber is being sued by Waymo, the business unit developing self-driving vehicles at Google's parent company Alphabet, over allegations of technology theft.

The suit accuses former Google engineer Anthony Levandowski of stealing technology when he left the company to create a start-up called Otto, which was also building self-driving cars.

Uber acquired Otto for $680m (£540m) last year, at which point Mr Levandowski began to oversee Uber's work on developing autonomous cars. more

Corporate Espionage Countermeasures Tips

via – American Greed Report
Corporate espionage schemes can occur when people already working for someone else infiltrate a company, or employees who've already left a company leave behind co-conspirators who send them data.

Some important steps companies can take:
  • Install technology that monitors everything going into your email system to determine if it's a legitimate message or if it's phishing or malware.
  • Monitor for what's going out of your email system as well by installing leakage control systems. These can, for example, tell whether data is being sent to Dropbox or personal Google, Amazon or Microsoft cloud accounts. They can also monitor for documents or spreadsheets going out.
  • Use whitelisting, which lets you specify which applications are approved to run on a computer system. Anything not on the whitelist won't run, which protects the network from malware and other harmful applications.
  • Consult with labor employment counsel to make sure your agreements on who owns intellectual property and prohibiting misuse or removal of such property are up to date. more
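
The leakage-control tip above, sketched as an added example (not from the American Greed Report or any vendor product): it reviews outbound upload records and flags transfers to personal cloud storage and documents or spreadsheets leaving the network. The six-field log format, the host lists and the `.example` domains are assumptions made for illustration, and the log lines are constructed.

```python
"""Egress review for the leakage-control tip (added example; log format is assumed)."""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, Iterable, List, Tuple

# Illustrative lists, not vendor data: tune them to your own environment.
PERSONAL_CLOUD_SUFFIXES = ("dropbox.com", "dropboxapi.com", "drive.google.com",
                           "onedrive.live.com", "s3.amazonaws.com")
SANCTIONED_SUFFIXES = ("corp.example",)  # hypothetical company-approved storage
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".csv", ".pdf", ".ppt", ".pptx"}
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed sample. Assumed fields: timestamp user method host bytes_out filename
SAMPLE_LOG = """\
2017-05-12T09:14:02Z alice POST content.dropboxapi.com 4812331 q3-forecast.xlsx
2017-05-12T09:15:40Z bob GET www.dropbox.com 0 -
2017-05-12T09:20:11Z carol PUT files.corp.example 88211 minutes.docx
2017-05-12T09:31:57Z dave POST notdropbox.com 1200 -
2017-05-12T10:02:33Z erin POST upload.partner.example 734003 pricing.xls
this line is malformed and must be skipped
2017-05-12T11:47:09Z alice PUT drive.google.com 1048576 photo.jpg
"""


def host_matches(host: str, suffixes: Iterable[str]) -> bool:
    """True for the domain itself or a subdomain, never for a look-alike.

    'content.dropboxapi.com' matches 'dropboxapi.com'; 'notdropbox.com'
    does not match 'dropbox.com' because the label boundary is enforced.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


@dataclass
class Alert:
    timestamp: str
    user: str
    host: str
    bytes_out: int
    filename: str
    reasons: Tuple[str, ...]


def review_egress(log_text: str) -> List[Alert]:
    """Return one Alert per upload that leaves for an unsanctioned destination."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[4].isdigit():
            continue  # malformed record: skip rather than guess
        ts, user, method, host, size, filename = fields
        if method.upper() not in UPLOAD_METHODS:
            continue  # browsing and downloads are not data leaving
        if host_matches(host, SANCTIONED_SUFFIXES):
            continue  # approved corporate storage
        reasons = []
        if host_matches(host, PERSONAL_CLOUD_SUFFIXES):
            reasons.append("personal-cloud")
        if PurePosixPath(filename).suffix.lower() in DOC_EXTENSIONS:
            reasons.append("document-egress")
        if reasons:
            alerts.append(
                Alert(ts, user, host.lower(), int(size), filename, tuple(reasons))
            )
    return alerts


def bytes_by_user(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Total flagged outbound bytes per user, for ranking who to review first."""
    totals: Dict[str, int] = defaultdict(int)
    for alert in alerts:
        totals[alert.user] += alert.bytes_out
    return dict(totals)


if __name__ == "__main__":
    found = review_egress(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.user:<6} {a.host:<26} {a.bytes_out:>8} "
              f"{a.filename:<18} {','.join(a.reasons)}")
    print(bytes_by_user(found))
```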

Friday, May 12, 2017

The Unexpected Keystroke Logger on Some HP Laptops

The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user's keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look.

Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today.

According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version and earlier.

This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe).

This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file "monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys."

This behavior, by itself, is not a problem, as many other apps work this way. The problem is that this file writes all keystrokes to a local file at: C:\users\public\MicTray.log more
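
A triage check for the two file locations named above, as an added example (not code from modzero, HP or Conexant). It takes the root of a live system drive or of a mounted disk image, resolves the paths without regard to case, and reports only metadata so the keystroke data itself is never read; the verdict names are made up for this sketch.

```python
"""Triage for the MicTray keystroke log (added example, not modzero's or HP's code)."""
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional, Sequence

# Locations quoted in the article, relative to the system drive.
MICTRAY_EXE = ("windows", "system32", "mictray64.exe")
MICTRAY_LOG = ("users", "public", "MicTray.log")


def resolve_ci(root: Path, parts: Sequence[str]) -> Optional[Path]:
    """Resolve parts under root ignoring case, as Windows does by default.

    Matters when an image is mounted on a case-sensitive filesystem, where
    'Windows/System32' and 'windows/system32' are different directories.
    """
    current = root
    for part in parts:
        try:
            match = next(
                (c for c in current.iterdir() if c.name.lower() == part.lower()),
                None,
            )
        except OSError:  # missing, unreadable, or not a directory
            return None
        if match is None:
            return None
        current = match
    return current


@dataclass
class Finding:
    exe_path: Optional[Path]
    log_path: Optional[Path]
    log_bytes: int
    log_modified: Optional[datetime]

    @property
    def verdict(self) -> str:
        # Verdict labels are hypothetical names chosen for this example.
        if self.log_path is not None and self.log_bytes > 0:
            return "LOG_HAS_DATA"   # keystrokes may be sitting in a public folder
        if self.log_path is not None:
            return "LOG_EMPTY"      # log file exists but holds no data right now
        if self.exe_path is not None:
            return "EXE_ONLY"       # binary present; driver version needs checking
        return "NOT_FOUND"


def audit_mictray(system_root: Path) -> Finding:
    """Check one system root for the executable and the log; never open the log."""
    exe = resolve_ci(system_root, MICTRAY_EXE)
    if exe is not None and not exe.is_file():
        exe = None
    log = resolve_ci(system_root, MICTRAY_LOG)
    size, modified = 0, None
    if log is not None and log.is_file():
        info = log.stat()  # metadata only: size and last write time
        size = info.st_size
        modified = datetime.fromtimestamp(info.st_mtime, tz=timezone.utc)
    else:
        log = None
    return Finding(exe, log, size, modified)


if __name__ == "__main__":
    # Usage: python mictray_audit.py [root]   (defaults to the live C: drive)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("C:/")
    result = audit_mictray(root)
    print(f"verdict      : {result.verdict}")
    print(f"executable   : {result.exe_path}")
    print(f"log file     : {result.log_path}")
    print(f"log size     : {result.log_bytes} bytes")
    print(f"log modified : {result.log_modified}")
```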

Friday, May 5, 2017

Competitive Intelligence is a Euphemism for Business Espionage

How far would you go to figure out what the competition is up to? 

Test out their products and services to see how they work? Hire away their staff to learn their tricks? Monitor their job listings to glean insight about upcoming initiatives?

Such tactics are par for the course in the technology industry, in which companies go to great lengths to size up their competition.

The latest example is Uber, which according to a New York Times report employs what it calls a “competitive intelligence” team to study its rivals. That team bought anonymized data — including information on Lyft receipts gleaned from customer in-boxes — from analytics firm Slice Intelligence. more

Competitive Intelligence is a euphemism for Business Espionage. Smart businesses employ Business Counterespionage, which is a euphemism for companies like mine. ~Kevin

Sounds Like Spying - Ultrasonic Sounds

Your smartphone may have some apps that are continuously listening to inaudible, high-frequency ultrasonic sounds from your surroundings and they know where you go, what you like and dislike — all without your knowledge.

Ultrasonic Cross-Device Tracking is a new technology that some marketers and advertising companies are currently using to track users across multiple devices and have access to more information than ever before for ad targeting.

For example, retail stores you visit, a commercial on TV or an advertisement on a web page can emit a unique "ultrasonic audio beacon" that can be picked up by your device’s mobile application containing a receiver. more

I plan to run some tests on this. ~Kevin

Friday, April 28, 2017

FlexiSpy Spyware Hacked - Other Spyware is Next They Say

After blitzing FlexiSpy, hackers declare war on all stalkerware makers: 'We're coming for you'

A Brit biz selling surveillance tools that can be installed on phones to spy on spouses, kids, mates or employees has been comprehensively pwned by hackers – who promise similar stalkerware peddlers are next.

The miscreants, supposedly Brazilian and dubbing themselves the Decepticons, have explained how they, allegedly, easily infiltrated FlexiSpy before snatching its source code and other files, and wiping as many servers as they could. That code has now leaked online, and the gang say they are on the warpath.

"We're just, like, this group of guys, you know? We can hack these people, and we can expose their secrets, but it's up to everyone to make a difference," the team said on Monday.

"If you're a spouseware vendor, we're coming for you. Stop, rethink your life, kill your company, and be a better person."

FlexiSpy is one of a number of creepy outfits making a living selling borderline-legal code to people who are paranoid that their significant other is cheating on them, or that their kids or staff are up to no good. more

Thursday, April 27, 2017

Why TSCM is Important – Reason 294

Is he an employee coming to work? 
Is he a vendor attending a proposal meeting? 
Is he here to repair something? 

It doesn't matter. In all cases, he was allowed on your premises for a legitimate purpose.

Unfortunately for you, he will plant three electronic eavesdropping devices, in strategic areas, before he leaves. It will only take seconds. You will never see it happen. You will never know. This is only one industrial espionage spy trick. There are hundreds more.

Savvy corporations, government agencies and organizations conduct periodic Technical Surveillance Countermeasures (TSCM) bug sweeps to clear their sensitive areas of bugging, wiretapping and computer attack devices. You should too.

The Circle - A Surveillance Movie for Our Time

Our creepy times now have their own creepy movie.

“The Circle”, a film that debuts this week—about a privacy-flouting version of Google, Apple, and Facebook wrapped into one—makes you want to move to the woods. Is surveillance a worthwhile trade-off for any digital service? And is Silicon Valley prepared for the evils its technologies unleash?

In the film, a CEO played by Tom Hanks holds a Steve Jobs-style product launch that fills the globe with tiny constantly broadcasting webcams. His Orwellian mission statement: “If it happens, we’ll know.” (opens today)


Wednesday, April 26, 2017

Former Fox News Host Sues Network for Allegedly Spying on Her

Andrea Tantaros, once a long-time fixture at the Fox News Channel, filed a suit on Monday alleging that the cable news network spied on her private communications and utilized information it gleaned via surveillance in an intimidation campaign after she began having disputes with network management.

According to the complaint, Fox News, primarily at the instigation of Ailes and others who formerly worked in his secret “black room” operation, snooped inside of Tantaros’ email and recorded her telephone conversations. They then allegedly provided the information back to Snyder and others who repeated it back to Tantaros via anonymous social media accounts in order to dissuade her from taking legal action against the network. more

They Always Blame the IT Guys and the Cops – Shocking

Malicious software bought by a London Police Officer can remotely hack users...

One of the officers of UK’s Metropolitan Police Service was caught in possession of a malicious software used for infecting computers and smartphones after gaining physical access to them.

It’s unclear as of yet whether this software was bought for official or personal use, but it does raise the question of why an MPS officer would need to buy malware that can do things like intercepting phone calls, turning on microphones and taking pictures remotely via the infected device’s camera. Especially if the use of this malware wasn’t allowed, which would make it illegal. more

Former Expedia IT tech gets 15 months in jail for insider trading, stealing information from execs...

“This was not a one-time lapse in judgement – this defendant used his technology skills to repeatedly invade the email accounts of Expedia executives so that he could enrich himself at the expense of others,” U.S. Attorney Annette L. Hayes said in a statement. “Even after he moved on to a better paying position at a different technology firm he continued his crimes, all while trying to make it look like other employees were at fault...

As a “senior IT support technician” based in San Francisco, Ly routinely had access to Hotwire and Expedia employee login information and devices. Ly used those credentials to break into company files to get information he later used in stock transactions....

Ly tried to cover his tracks by using login credentials of other employees when using the service to look at sensitive information... Ly’s acts didn’t end when he left the company in April 2015. Ly kept a company-issued laptop that could connect to Expedia’s network, and he used other employees’ login information to continue breaking into Expedia files and emails. more

Install an Internet Connected Microphone and Camera in Your Bedroom?!?!

Amazon is giving Alexa eyes. 

And it's going to let her judge your outfits.

The newly announced Echo Look is a virtual assistant with a microphone and a camera that's designed to go somewhere in your bedroom, bathroom, or wherever the hell you get dressed. more

Amazon is betting you will. I'm taking bets on how long before the hackers take over. ~Kevin

Monday, April 24, 2017

TSCM Questions We Get - "How often do you find a bug?"

Q. How often do you find a bug?

A. It depends on the type of sweep. We conduct Technical Information Security Surveys (enhanced TSCM) sweeps for bugs and surveillance devices in businesses and government (and occasionally residential or matrimonial type sweeps).

Business and Government TSCM Sweeps

Regularly scheduled, due-diligence, technical information security surveys rarely turn up devices. No surprise there. Typically, organizations using our services already have a high overall security profile. They are “hardened targets”. For those clients, the bug sweep bonus is... having a known window-of-opportunity when something is found.

Often, what we do find are other information vulnerabilities like: decayed security hardware; security policies no longer being followed; and other unseen security issues.

Discovery statistics on our "emergency sweeps" (sweeps where illegal electronic surveillance is suspected) vary from year to year, about 2%-5%. However, the rate of determining what happened and resolving the client's concerns is extremely high. (Isn't that the real point of the exercise?) More often than not, these info-loss cases can be traced back to the human element, or the poor security practices, which allowed the leak to occur some other way.

With organizations, the opposition's focus is on getting the information, in all its forms. Corporate espionage, industrial espionage, call it what you will. There is no one spy tool of choice here. It's electronic surveillance plus hundreds of other tradecraft techniques which may be employed. Solving these organizational emergency cases requires more than a simple TSCM bug sweep. Required add-on skills and experience include: corporate investigations, alarm system design, computer forensics, and information management to name a few.

Residential Bug Sweeps

When it comes to residential and matrimonial bug sweeps, the find rate for locating bugs and surveillance devices is quite high. This makes sense. The opposition's focus is narrow; they want to intercept communications and/or determine the location of a specific person. Electronic surveillance is the tool of choice. Personal privacy is the biggest loss.

Solving these cases is relatively easy for a number of reasons:
·       The spy is usually a do-it-yourselfer, an amateur, or someone with limited tradecraft skills.
·       The victim has a good idea who is doing the spying.
·       Resources rarely permit the purchase of advanced bugging or tracking devices.
·       Surveillance devices adequate to accomplish the goal are inexpensive and easy to obtain.
·       Locations for placement of bugs, taps, spy cameras and trackers are limited.
·       Having a personal stake in this type of surveillance, spies often tip their hand to show power.

The Security Director’s Dilemma

Justifying cost to the bean counters.

Private investigators and people who handle residential and matrimonial bug sweep cases don’t charge very much for their services, mainly because private individuals have limited budgets, but also because their overhead is low. For example, their detection gadgets are often basic and inexpensive, and their insurance (if any) is not up to corporate standards.

Professional security consultants who specialize in business and government-level TSCM are not a dime-a-dozen. They invest heavily and continually in sophisticated instrumentation, professional certifications, and advanced (and continuous) training. Their overhead includes: an office staff, trained Technical Investigators, licensing, insurance, instrument calibration, and an annual Carnet so they can travel internationally for their clients.

Security directors know, it’s not all about the money. It’s all about the protection you get for your money. A cheap sweep is a mental band-aid, and a CYA move.

They are charged with protecting corporate assets. This type of information security requires a security consultant with a depth of experience and knowledge of: information management, corporate investigations, complex security systems, and yes… Technical Surveillance Countermeasures.

Benefits of Quality TSCM

Second to 'getting the goods', the goal of espionage and voyeurism is 'never be discovered'. Obviously, if you don't check, you won't know you’re under attack. Organizations don’t have a choice. They don’t want their pockets picked, so TSCM is an important element of their security.

The benefits of having a Technical Information Security Survey (enhanced TSCM) as part of an organization’s security program include:
·       Increased profitability.
·       Intellectual property protection.
·       A working environment secure from electronic surveillance invasions.
·       Advance warning of intelligence collection activities (spying).
·       A check on the effectiveness of current security measures and practices.
·       Documented compliance with many privacy law requirements.
·       Discovery of new information security loopholes, before they can be used against the organization.
·       Help fulfilling the legal requirement for "Business Secret" status in court.
·       Enhanced personal privacy and security.
·       Improved employee morale.
·       Reduction of consequential losses, e.g., an information leak can spark a stockholder's lawsuit, activist wiretaps, and damage to “good will” and sales.
The benefit list is really longer, but you get the idea.

There are some excellent corporate-level TSCM consultants out there. Now that you know about the different levels of service, track one down to help solve your information security concerns.  You will look like a hero to all your colleagues, except perhaps, the near-sighted bean counters.

Contact me here if you would like to know more.  Kevin D. Murray, CPP, CISM, CFE

Saturday, April 22, 2017

Quote of the Week

"Corporate espionage is not an easy thing to detect; the whole point of a spy is to remain under the radar. In order to uncover this kind of behavior, you’ll need technical controls..." Dr Jamie Graves

When Industrial Espionage Spies were a Dime a Dozen

Industrial espionage - that staple of modern thrillers, new product development and getting a jump on the competition - is nothing new. 

In the 18th century, so many new developments in industry and the arts happened at such a rapid pace, and trendsetting luxury goods were in such high demand that industrial spies were almost a dime a dozen.

So, it was in April 1754 that a Swedish industrial spy, Reinhold Angerstein, found himself in the English town of Bilston... more

New High Seas Spybot - Submaran S10

Part sailboat - part submarine, a new remarkable drone can patrol the oceans for months without stopping, powered by only the wind and the sun.

Developed by Ocean Aero, the Submaran S10 is autonomous, able to conduct missions on its own. This drone can sail on the surface of the ocean and then transform to dive beneath the surface traveling, similar to a submarine.

The hybrid drone can dive to depths of about 660 feet, which makes it useful not only for avoiding detection, but to discreetly conduct its own surveillance as well.

Along with protecting the US coastlines, technology like this could be used to quietly monitor, surveil and collect information for defense and intelligence... more

Bad Spy, Bad Spy

Nigeria's spy chief has been suspended amid reports that a $43 million stash seized in a widely trumpeted apartment raid belonged to his agency.

Nigerian President Muhammadu Buhari suspended Ayodele Oke, director-general of the National Intelligence Agency, over the April 12 raid, Buhari aide Femi Adesina said.

When Nigeria's anti-corruption agency raided an upscale apartment in Lagos, Nigeria's largest city, agents found more than $43 million as well as 23.2 million naira (Nigerian currency worth about $76,000) and £27,800 (about $35,000).

The Economic and Financial Crimes Commission said the funds were suspected to be linked to unlawful activity. more

Thursday, April 20, 2017

Cyber Security — How Much Your Company Should Budget

The board and executives of organizations must protect the assets of the business.

Seven out of ten Target board members were ousted and the CEO was fired — they had no visibility into the risk that cyber had on the business.

Cyber risk must be understood in dollars and cents to communicate in a language that the board and executives understand. Only then can senior executives have a cyber strategy that allows them to protect the assets properly...

The bottom line is organizations have to be in front of cyber, not behind. We must proactively bake security in — not bolt it on. We have to be strategic in our thinking and not reactive. more

400 Google Play Store Apps Have Been Compromised with BankBot

A new Malware has been spotted in the wild targeting Google Play Store apps.

The malware has been dubbed as “BankBot” by security researchers... So far at least 400 Google Play Store apps have been compromised. 

The attacking mechanism: Once downloaded, the malware tricks users into gaining administrative privileges before removing the icon of the app, letting the user think that the app has been deleted. In reality, however, the app continues to work in the background!

That’s not all; the Botnet is designed to display fake screens disguised as banking apps, encouraging the users to put credit card information and other login credentials. As soon as the app gets what it wants, the credentials are then passed on to the hacker through a control and command (C&C) server. more

Bose Knows... what you're listening to.

At least that's the claim of a proposed class-action lawsuit filed late Tuesday in Illinois that accuses the high-end audio equipment maker of spying on its users and selling information about their listening habits without permission.

The main plaintiff in the case is Kyle Zak, who bought a $350 pair of wireless Bose headphones last month. He registered the headphones, giving the company his name and email address, as well as the headphone serial number. And he downloaded the Bose Connect app, which the company said would make the headphones more useful by adding functions such as the ability to customize the level of noise cancellation in the headphones.

But it turns out the app was also telling Bose a lot more about Zak than he bargained for. more

The Zak attack is a cautionary tale. Perhaps we should all create alter egos to nullify this type of privacy invasion. ~Kevin