Friday, April 28, 2017

FlexiSpy Spyware Hacked - Other Spyware is Next They Say

After blitzing FlexiSpy, hackers declare war on all stalkerware makers: 'We're coming for you'

A Brit biz selling surveillance tools that can be installed on phones to spy on spouses, kids, mates or employees has been comprehensively pwned by hackers – who promise similar stalkerware peddlers are next.

The miscreants, supposedly Brazilian and dubbing themselves the Decepticons, have explained how they, allegedly, easily infiltrated FlexiSpy before snatching its source code and other files, and wiping as many servers as they could. That code has now leaked online, and the gang say they are on the warpath.

"We're just, like, this group of guys, you know? We can hack these people, and we can expose their secrets, but it's up to everyone to make a difference," the team said on Monday.

"If you're a spouseware vendor, we're coming for you. Stop, rethink your life, kill your company, and be a better person."

FlexiSpy is one of a number of creepy outfits making a living selling borderline-legal code to people who are paranoid that their significant other is cheating on them, or that their kids or staff are up to no good. more

Thursday, April 27, 2017

Why TSCM is Important – Reason 294

Is he here to repair something?
Is he an employee coming to work? 
Is he a vendor attending a proposal meeting? 

Does it matter? In each case, he was allowed on your premises.

Unfortunately, he will plant electronic eavesdropping devices, in strategic areas. It will only take seconds. You won't see it happen. You won't know. And, this is only one industrial espionage spy trick. Hundreds more are available to him.

Savvy corporations, organizations and governments conduct periodic Technical Surveillance Countermeasures (TSCM) bug sweeps to clean their sensitive areas of bugs, wiretaps and computer attack devices. You should too.

The Circle - A Surveillance Movie for Our Time

Our creepy times now have their own creepy movie.

“The Circle”, a film that debuts this week—about a privacy-flouting version of Google, Apple, and Facebook wrapped into one—makes you want to move to the woods. Is surveillance a worthwhile trade-off for any digital service? And is Silicon Valley prepared for the evils its technologies unleash?

In the film, a CEO played by Tom Hanks holds a Steve Jobs-style product launch that fills the globe with tiny constantly broadcasting webcams. His Orwellian mission statement: “If it happens, we’ll know.” (opens today)


Wednesday, April 26, 2017

Former Fox News Host Sues Network for Allegedly Spying on Her

Andrea Tantaros, once a long-time fixture at the Fox News Channel, filed a suit on Monday alleging that the cable news network spied on her private communications

and utilized information it gleaned via surveillance in an intimidation campaign after she began having disputes with network management.

According to the complaint, Fox News, primarily at the instigation of Ailes and others who formerly worked in his secret “black room” operation, snooped inside of Tantaros’ email and recorded her telephone conversations. They then allegedly provided the information back to Snyder and others who repeated it back to Tantators via anonymous social media accounts in order to dissuade her from taking legal action against the network.  more

They Always Blame the IT Guys and the Cops – Shocking

Malicious software bought by a London Police Officer can remotely hack users...

One of the officers of UK’s Metropolitan Police Service was caught in possession of a malicious software used for infecting computers and smartphones after gaining physical access to them.

It’s unclear as of yet whether this software was bought for official or personal use, but it does raise a question that why would an MPS’s officer need to buy a malware that can do things like intercepting phone calls, turning on microphones and taking pictures remotely via the infected device’s camera. Especially if the use of this malware wasn’t allowed, which would make it illegal. more

Former Expedia IT tech gets 15 months in jail for insider trading, stealing information from execs...

“This was not a one-time lapse in judgement – this defendant used his technology skills to repeatedly invade the email accounts of Expedia executives so that he could enrich himself at the expense of others,” U.S. Attorney Annette L. Hayes said in a statement. “Even after he moved on to a better paying position at a different technology firm he continued his crimes, all while trying to make it look like other employees were at fault...

As a “senior IT support technician” based in San Francisco, Ly routinely had access to Hotwire and Expedia employee login information and devices. Ly used those credentials to break into company files to get information he later used in stock transactions....

Ly tried to cover his tracks by using login credentials of other employees when using the service to look at sensitive information... Ly’s acts didn’t end when he left the company in April 2015. Ly kept a company-issued laptop that could connect to Expedia’s network, and he used other employees’ login information to continue breaking into Expedia files and emails. more

Install an Internet Connected Microphone and Camera in Your Bedroom?!?!

Amazon is giving Alexa eyes. 

And it's going to let her judge your outfits.

The newly announced Echo Look is a virtual assistant with a microphone and a camera that's designed to go somewhere in your bedroom, bathroom, or wherever the hell you get dressed. more

Amazon is betting you will. I'm taking bets on how long before the hackers over. ~Kevin

Monday, April 24, 2017

TSCM Questions We Get - "How often do you find a bug?"

Q. How often do you find a bug?

A. It depends on the type of sweep. We conduct Technical Information Security Surveys (enhanced TSCM) sweeps for bugs and surveillance devices in businesses and government (and occasionally residential or matrimonial type sweeps).

Business and Government TSCM Sweeps

Regularly scheduled, due-diligence, technical information security surveys rarely turn up devices. No surprise there. Typically, organizations using our services already have a high overall security profile. They are “hardened targets”. For those clients, the bug sweep bonus is... having a known window-of-opportunity when something is found.

Often, what we do find are other information vulnerabilities like: decayed security hardware; security policies no longer being followed; and other
unseen security issues (scroll down).

Discovery statistics on our "emergency sweeps" (sweeps where
illegal electronic surveillance is suspected) varies from year to year, about 2%-5%. However, the rate of determining what happened and resolving the client's concerns is extremely high. (Isn't that the real point of the exercise?) More often than not, these info-loss cases can be traced back to the human element, or the poor security practices, which allowed the leak to occur some other way.

With organizations, the opposition's focus is on getting the information, in all its forms. Corporate espionage, industrial espionage, call it what you will. There is no one spy tool of choice here. It's electronic surveillance plus hundreds of other tradecraft techniques which may be employed. Solving these organizational emergency cases requires more than a simple TSCM bug sweep. Required add-on skills and experience include: corporate investigations, alarm system design, computer forensics, and information management to name a few.

Residential Bug Sweeps

When it comes to residential and matrimonial bug sweeps, the find rate for locating bugs and surveillance devices is quite high. This makes sense. The opposition's focus is narrow; they want to intercept communications and/or determine the location of a specific person. Electronic surveillance is the tool of choice. Personal privacy is the biggest loss.

Solving these cases is relatively easy for a number reasons:
·       The spy is usually a do-it-yourselfer, an amateur, or someone with limited tradecraft skills.
·       The victim has a good idea who is doing the spying.
·       Resources rarely permit the purchase of advanced bugging or tracking devices.
·       Surveillance devices adequate to accomplish the goal are inexpensive and easy to obtain.
·       Locations for placement of bugs, taps, spy cameras and trackers are limited.
·       Having a personal stake in this type of surveillance, spies often tip their hand to show power.

The Security Director’s Dilemma

Justifying cost to the bean counters.

Private investigators and people who handle residential and matrimonial bug sweep cases don’t charge very much for their services. Mainly because private individuals have limited budgets. But, also because their overhead is low. Their detection gadgets are often basic and inexpensive, insurance costs (if any) are not up to corporate standards, for example.

Professional security consultants who specialize in business and government-level TSCM are not a dime-a-dozen. They invest heavily, and continually in: sophisticated instrumentation, professional certifications, and advanced (and continuous) training. Their overhead includes: an office staff, trained Technical Investigators, licensing, insurance, instrument calibration, and an annual Carnet so they can travel Internationally for their clients.

Security directors know, it’s not all about the money. It’s all about the protection you get for your money. A cheap sweep is a mental band-aid, and a CYA move.

They are charged with protecting corporate assets. This type of information security requires a security consultant with a depth of experience and knowledge of: information management, corporate investigations, complex security systems, and yes… Technical Surveillance Countermeasures.

Benefits of Quality TSCM

Second to 'getting the goods', the goal of espionage and voyeurism is 'never be discovered'. Obviously, if you don't check, you won't know you’re under attack. Organizations don’t have a choice. They don’t want their pockets picked, so TSCM is an important element of their security.

The benefits of having a Technical Information Security Survey (enhanced TSCM) as part of an organization’s security program include:
·       Increased profitability.
·       Intellectual property protection.
·       A working environment secure from electronic surveillance invasions.
·       Advance warning of intelligence collection activities (spying).
·       Checks the effectiveness of current security measures and practices.
·       Document compliance with many privacy law requirements.
·       Discovery of new information security loopholes, before they can be used against them.
·       Help fulfill legal the requirement for "Business Secret" status in court.
·       Enhanced personal privacy and security.
·       Improved employee morale.
·       Reduction of consequential losses, e.g. information leak can spark a stockholder's lawsuit, activist wiretaps, and damage to “good will” and sales.
The benefit list is really longer, but you get the idea.

There are some excellent corporate-level TSCM consultants out there. Now that you know about the different levels of service, track one down to help solve your information security concerns.  You will look like a hero to all your colleagues, except perhaps, the near-sighted bean counters.

Contact me here if you would like to know more.  Kevin D. Murray, CPP, CISM, CFE

Saturday, April 22, 2017

Quote of the Week

"Corporate espionage is not an easy thing to detect; the whole point of a spy is to remain under the radar. In order to uncover this kind of behavior, you’ll need technical controls..." Dr Jamie Graves

When Industrial Espionage Spies were a Dime a Dozen

Industrial espionage - that staple of modern thrillers, new product development and getting a jump on the competition - is nothing new. 

Click to enlarge.
In the 18th century, so many new developments in industry and the arts happened at such a rapid pace, and trendsetting luxury goods were in such high demand that industrial spies were almost a dime a dozen.

So, it was in April 1754 that a Swedish industrial spy, Reinhold Angerstein, found himself in the English town of Bilston... more

New High Seas Spybot - Submaran S10

Part sailboat - part submarine, a new remarkable drone can patrol the oceans for months without stopping, powered by only the wind and the sun.

Developed by Ocean Aero, the Submaran S10 is autonomous, able to conduct missions on its own. This drone can sail on the surface of the ocean and then transform to dive beneath the surface traveling, similar to a submarine.

The hybrid drone can dive to depths of about 660 feet, which makes it useful not only for avoiding detection, but to discreetly conduct its own surveillance as well.

Along with protecting the US coastlines, technology like this could be used to quietly monitor, surveil and collect information for defense and intelligencemore

Bad Spy, Bad Spy

Nigeria's spy chief has been suspended amid reports that a $43 million stash seized in a widely trumpeted apartment raid belonged to his agency.

Nigerian President Muhammadu Buhari suspended Ayodele Oke, director-general of the National Intelligence Agency, over the April 12 raid, Buhari aide Femi Adesina said.

When Nigeria's anti-corruption agency raided an upscale apartment in Lagos, Nigeria's largest city, agents found more than $43 million as well as 23.2 million naira (Nigerian currency worth about $76,000) and £27,800 (about $35,000).

The Economic and Financial Crimes Commission said the funds were suspected to be linked to unlawful activity. more

Thursday, April 20, 2017

Cyber Security — How Much Your Company Should Budget

The board and executives of organizations must protect the assets of the business.

Seven out of ten Target board members were ousted and the CEO was fired — they had no visibility into the risk that cyber had on the business.

Cyber risk must be understood in dollars and cents to communicate in a language that the board and executives understand. Only then can senior executives have a cyber strategy that allows them to protect the assets properly...

The bottom line is organizations have to be in front of cyber, not behind. We must proactively bake security in — not bolt it on. We have to be strategic in our thinking and not reactive. more

400 Google Play Store Apps Have Been Compromised with BankBot

A new Malware has been spotted in the wild targeting Google Play Store apps.

The malware has been dubbed as “BankBot” by security researchers... So far at least 400 Google Play Store apps have been compromised. 

The attacking mechanism: Once downloaded, the malware tricks users into gaining administrative privileges before removing the icon of the app, letting the user think that the app has been deleted. In reality, however, the app continues to work in the background!

That’s not all; the Botnet is designed to display fake screens disguised as banking apps, encouraging the users to put credit card information and other login credentials. As soon as the app gets what it wants, the credentials are then passed on to the hacker through a control and command (C&C) server. more

Bose Knows... what you're listening to.

At least that's the claim of a proposed class-action lawsuit filed late Tuesday in Illinois that accuses the high-end audio equipment maker of spying on its users and selling information about their listening habits without permission.

The main plaintiff in the case is Kyle Zak, who bought a $350 pair of wireless Bose headphones last month. He registered the headphones, giving the company his name and email address, as well as the headphone serial number. And he download the Bose Connect app, which the company said would make the headphones more useful by adding functions such as the ability to customize the level of noise cancellation in the headphones.

But it turns out the app was also telling Bose a lot more about Zak than he bargained for. more

The Zak attack is a cautionary tale. Perhaps we should all create alter egos to nullify this type of privacy invasion. ~Kevin

Wednesday, April 19, 2017

Printer Wi-Fi Security - Your Network's Achilles Heel

Ben Vivoda, director of printing systems for HP, has warned that the threat to a business via a printer is more important than ever...

In 2016, over 70 percent of successful hacking events started with an endpoint device, Vivoda said, noting that endpoint devices are no longer restricted to PCs and notebooks...

"Typically, we're seeing the printer gets left out and overlooked and left exposed. Businesses can no longer afford to overlook print when it comes to their overall IT cybersecurity strategy." more

Spybuster Tip #523 - If the printer can be accessed without Wi-Fi, turn that feature off. If you need the Wi-Fi connection, turn the encryption feature on. If you can't tell if it is on or off, or you have too many printers to check one-by-one, call a TSCM specialist. They can quickly conduct a Wi-Fi Security and Compliance Analysis for you.

Tuesday, April 18, 2017

Corporate Boards Still Unprepared for Challenge of Cybersecurity

Tom Ridge, the former Homeland Security secretary and Pennsylvania governor, says the majority of corporate boards and CEOs are unprepared for the challenges posed by rising cyber risk.

In fact, 59% of directors report that their boards find it challenging to oversee cyber risk, and only 19% report that their boards possess a high level of knowledge about cybersecurity, he said, citing a study released in March by the National Association of Corporate Directors...

“Most board members don’t want to be technologists. We didn’t design these 16 hours for them to be technologists. We designed it for them to be better educated and to meet their fiduciary responsibilities,” Mr. Ridge said during a meeting with CIO Journal. "It’s top down. This is the CEO saying ‘we are changing now.'" more

Raising awareness comes not a moment too soon. The next step is integrating this into the corporate security program. Learn how, now.

Common Bugs

Spy tools are no longer esoteric, expensive and difficult to obtain. 

Some bugs are built into everyday objects - like pens, power strips and key fobs.

The result...
The average person can engage in eavesdropping and spying cheaply; doing it better than the professionals did only ten years ago - with less chance of being discovered. So they do!

Spy Trick Awareness

1. Digital audio/video recorders are very small, and absolutely silent. No moving parts. Inexpensive. Some are smartphone apps, others are built into wristwatches and key fobs.

The trick...
These devices are easily hidden on-the-body, or look like everyday objects. They can be activated by a timer, or when they hear sound, or see movement. Some devices can even stream live video.

In adversarial meetings, the other party may leave the room to make a call, or go to the restroom, and leave one of these behind in a coat, briefcase or notepad.

Assume you are being recorded. 

2. GSM bugs are designed to be bugs and nothing else. They are basically one-way, dumb cell phones. No keypad. No display. No speaker. They are available on the Internet for less than $20.

The trick...
The snoop plugs in a SIM card and hides the device. From then on, they can call-to-listen, from anywhere.

Some devices might have to be retrieved periodically to refresh the battery, or retrieve the recording. Other devices might be wired to the mains and transmit their data via LAN, Wi-Fi, light or radio waves.

Spybuster Tips: