Tuesday, February 28, 2017

Las Vegas Constable Gambles—Pleading Not Guilty to Wiretapping

Former Las Vegas Township Constable John Bonaventura pleaded not guilty Tuesday to theft and wiretapping charges.

An indictment accuses Bonaventura, 54, of wrongfully increasing an employee’s salary to repay a personal debt. It also accuses him of secretly recording phone calls from newspaper reporters, lawyers, a judge and at least one Clark County commissioner. Along with one count of theft, Bonaventura faces one count of misconduct of a public officer and four counts of unlawful interception of wire communications, all felonies. more

Background: In March 2013, the Clark County Commission unanimously voted to abolish the Las Vegas constable’s office... Bonaventura told others that he wanted to bleed the office dry of all its assets before it was abolished in January 2015.

Macbook Anti-Spyware App - Reveals Video & Audio Spying

After reading about how hackers have taken control of a MacBook's iSight camera to spy on the person sitting in front of it, you might start to get a feeling that someone is watching you... Making matters worse, hackers have been able to spy on people without triggering the little green light that tells you your iSight camera is active...
...monitor your iSight camera so you know when it's being used. MacOS doesn't let you do this natively, so you'll need to turn to a third-party app: OverSight.

OverSight is a free app that installs quickly and places an icon in your menu bar to let you know it's running. more  Other security apps from the same developer.

A Solution to Dog-With-A-Bone Phoneaddicts

Dog-With-A-Bone Phoneaddicts are everywhere: at corporate meetings/events, concerts, expensive social gatherings, movie theaters, classrooms, lecture halls, even family dinner tables. The list is endless, others become furious, and speaking out could be injurious.

Temporary separation of the bonephone from the addict results in growling and snarling.

Photo caption: The only way to unlock Yondr's phone case is to tap it on the unlocking station. (Photo: Jarrard Cole / The Wall Street Journal)
There is a better solution... Yondr.

"As people enter the venue, their phones will be placed in Yondr cases. Once they enter the phone-free zone, the cases will lock. Attendees maintain possession of their phones and are now free to enjoy the experience without distraction... If at any point attendees need to use their phones, they simply step outside of the phone-free zone to unlock the case."

It's a good compromise.
Simple. Easy. Effective.

Security Director Alert: The USB Leech

If you see this, call us...

"The LAN Turtle is a covert Systems Administration and Penetration Testing tool providing stealth remote access, network intelligence gathering, and man-in-the-middle monitoring capabilities.

Housed within a generic "USB Ethernet Adapter" case, the LAN Turtle’s covert appearance allows it to blend into many IT environments."
"This is insane. No one at my work would notice this!"
-Pentest with Hak5 Student

Talking Doll Hack Exposes 2.2 Million Voice Recordings...

...thus busting the old proverb that children should be seen but not heard.

A security vulnerability allowed anyone to view personal information, photos and recordings of children's voices from CloudPets (A Message You Can Hug™) toys. And at one point, some people tried to hold all of that information for ransom.

According to a report compiled by security researcher Troy Hunt, over 820,000 user accounts were exposed. That includes 2.2 million voice recordings.

"I suspect one of the things that will shock people is that they probably didn't think through the fact that when you connect the teddy bear, your kids' voices are sitting on an Amazon server," Hunt said. more  Plus: A brief history of creepy talking toys!

Friday, February 24, 2017

Optical Spying Through Office Windows

With talented hackers able to break into just about any device that's connected to the internet, from a computer to a car, the best way to keep sensitive data safe is to cut the cord completely.

Keeping an "air gap" between a hard drive and other devices forces any would-be thief to physically go to the machine ... or so you might think. Cyber security researchers have shown that hackers could hijack the innocent flashing LED on the outside of a computer, and use it to beam a steady stream of data to a waiting drone.

...digital criminals can be extremely crafty, using acoustic signals to jump the air gap between devices from a distance or untangling typed text by listening via Skype to the clickety-clack of a keyboard.

Now, a team at the Ben-Gurion University Cyber Security Research Center has demonstrated a new way that creative crooks could crack that isolated data. A piece of malware infecting an air-gapped computer could harness the hard drive's LED, making it flash in a very controlled and very fast manner. Flickering thousands of times a second, the virus could blink out a binary code of the desired data, at a rate that a human sitting at that computer wouldn't even notice. Special cameras or light sensors – say from a drone hovering at the window, with a line of sight to the LED – could then receive and record that information. more

Spybusters Tip #792: External visual surveillance through windows is easy using high-powered optics, or even cameras on drones. Keep computer screens, and their blinky lights, away from external line-of-sight. 

Spybusters Tip #793: Enforce a "Clear Desk Policy" when sensitive information is not actively being used. ~Kevin

Wednesday, February 22, 2017

Flexi Morality - Expanded Cell Phone Spyware Laws Introduced

On three occasions this week, I asked a FlexiSpy salesperson a simple question: If I wanted to, could I use their spyware to snoop on my wife's cellphone without her knowing? The answer each time was yes. 

When asked if it was legal, they responded with a canned disclaimer explaining it was necessary to get the permission of the target. But what if I didn't want my wife to know? They could help me anyway...

Detect phone warming caused by spyware. (for clients only)
Even though I started each conversation telling the FlexiSpy salesperson I was a FORBES reporter, they were happy to offer suggestions about how one could install the app without permission of the target. One said I could "sneak to get her phone" and then install, a process that FlexiSpy would guide me through. He sought to allay any fears about getting caught, noting there was no icon and it would operate silently...

Meanwhile, lawmakers are seeking to expand laws that punish unwarranted, secret surveillance. Last week, Senators Ron Wyden, Jason Chaffetz and John Conyers introduced The Geolocation Privacy and Surveillance (GPS) Act. Specifically, it creates criminal penalties for "surreptitiously using an electronic device to track a person's movements that parallel the penalties that exist for illegal wiretapping." more  other cell phone spy gadgets

Howard Stern Sued for Eavesdropping on IRS Phone Call

Howard Stern is being sued for airing live a phone call that a woman thought she was having privately with an IRS agent. 

Stern was sued by Judith Barrigas on Monday for airing a 45-minute conversation that she had with IRS Agent Jimmy Forsythe, according to The Hollywood Reporter...

Before Barrigas was connected to Forsythe, though, the agent was on another line with Stern's show. He put the Stern show on hold to take the call with Barrigas.

Someone on Stern’s show was able to listen in on the Barrigas-Forsythe phone conversation and was apparently so intrigued by it that they decided to air the dialogue live on the radio show. 

The show, which has 30 million subscribers, shared Barrigas’ phone number on the air... more  full lawsuit

Tuesday, February 21, 2017

Business Espionage: Operation BugDrop - Major Eavesdropping Operation Using PC Microphones to Bug Targets

Researchers have uncovered an advanced malware-based operation that siphoned more than 600 gigabytes from about 70 targets in a broad range of industries, including critical infrastructure, news media, and scientific research.

The operation uses malware to capture audio recordings of conversations, screen shots, documents, and passwords, according to a blog post published last week by security firm CyberX.

Targets are initially infected using malicious Microsoft Word documents sent in phishing e-mails. Once compromised, infected machines upload the pilfered audio and data to Dropbox, where it's retrieved by the attackers. The researchers have dubbed the campaign Operation BugDrop because of its use of PC microphones to bug targets and send the audio and other data to Dropbox.

"Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources," the CyberX researchers wrote. more (Heads up. This hasn't hit hard in the Western Hemisphere yet, but be prepared.) 

Spybusters Tip #832: First line of defense... Disable macros in your Word software. Don't turn them back on if prompted to do so by something arriving in your email. ~Kevin
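The infection chain described above (a macro-laden Word document running code, then bulk uploads to Dropbox from the infected machine) is something an endpoint or proxy log can show. The script below is an added example, not code from CyberX or from the blog: it runs two checks over a few constructed telemetry rows (the CSV layout and field names are this example's own assumptions, not any vendor's schema) and correlates hosts where both stages appear.

```python
"""Added example (not from the CyberX report or this blog): detect the two
stages the BugDrop write-up describes, an Office process handing off to a
script host and a non-browser process pushing bulk data to Dropbox.
Event layout and field names are assumptions made for this example."""
import csv
from io import StringIO

# Constructed sample telemetry, one row per event.
#   kind=process: host, user, parent, image
#   kind=netconn: host, user, image, dest_host, bytes_out
SAMPLE_EVENTS = """\
kind,host,user,parent,image,dest_host,bytes_out
process,WS-17,alice,explorer.exe,WINWORD.EXE,,0
process,WS-17,alice,WINWORD.EXE,powershell.exe,,0
netconn,WS-17,alice,,powershell.exe,content.dropboxapi.com,48000000
process,WS-22,bob,explorer.exe,chrome.exe,,0
netconn,WS-22,bob,,chrome.exe,www.dropbox.com,120000
process,WS-09,carol,explorer.exe,WINWORD.EXE,,0
process,WS-09,carol,WINWORD.EXE,splwow64.exe,,0
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children of an Office app that mean a macro or exploit handed off to a shell/script host.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
DROPBOX_DOMAINS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")


def parse_events(text):
    """Rows of the constructed CSV as dicts."""
    return list(csv.DictReader(StringIO(text)))


def is_dropbox(host):
    """Exact or subdomain match against the Dropbox domains."""
    return any(host == d or host.endswith("." + d) for d in DROPBOX_DOMAINS)


def find_office_spawns(events):
    """Office app spawning a script host or shell: the macro-execution stage."""
    hits = []
    for e in events:
        if (e["kind"] == "process" and e["parent"].lower() in OFFICE_APPS
                and e["image"].lower() in SUSPICIOUS_CHILDREN):
            hits.append((e["host"], e["image"]))
    return hits


def find_nonbrowser_dropbox_uploads(events, min_bytes=1_000_000):
    """Bulk traffic to Dropbox from something other than a browser or the Dropbox client."""
    hits = []
    for e in events:
        if e["kind"] != "netconn" or not is_dropbox(e["dest_host"]):
            continue
        image = e["image"].lower()
        if image in BROWSERS or image == "dropbox.exe":
            continue  # ordinary user activity; tune to your environment
        if int(e["bytes_out"]) >= min_bytes:
            hits.append((e["host"], image, int(e["bytes_out"])))
    return hits


def correlate(events):
    """Hosts showing both stages: the highest-confidence alerts."""
    spawn_hosts = {h for h, _ in find_office_spawns(events)}
    upload_hosts = {h for h, _, _ in find_nonbrowser_dropbox_uploads(events)}
    return sorted(spawn_hosts & upload_hosts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("office -> shell:", find_office_spawns(evs))
    print("bulk Dropbox from non-browser:", find_nonbrowser_dropbox_uploads(evs))
    print("both stages on:", correlate(evs))
```

Note that WS-09 is not flagged: Word launching splwow64.exe is normal printing behaviour, which is why the child-process list is an allow-what-you-know list rather than "anything Word starts". Either stage alone is worth a look; a host with both is worth pulling off the network.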

Monday, February 20, 2017

Revenge of the IT Guy (Case #254)

A sacked system administrator has been jailed after hacking the control systems of his ex-employer – and causing over a million dollars in damage.

Brian Johnson, 44, of Baton Rouge, Louisiana, US, had worked at paper maker Georgia-Pacific for years, but on Valentine's Day 2014 he was let go.

He didn't take that lying down, and spent the next two weeks rifling through the firm's systems and wreaking havoc from his home. 

Johnson was still able to connect into Georgia-Pacific servers via VPN even after his employment was terminated.

Once back inside the corporate network, he installed his own software, and monkeyed around with the industrial control systems.

Artist's conception.
His target was the firm's Port Hudson, Louisiana, factory, which produces paper towels and tissues 24 hours a day. In a two-week campaign, he caused an estimated $1.1m in lost or spoiled production. more

Mr. Johnson's emotions imagined as music inside his head.
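The detail that matters in this story is that the VPN account kept working after the firing. A cheap control is to cross-check the VPN concentrator's authentication log against the HR separation list every day. The script below is an added example, not from the article or the company involved; the log line format, usernames, addresses and the separation list are constructed for the example (only the Valentine's Day 2014 date comes from the story).

```python
"""Added example (not from the article): flag VPN logins by accounts that HR
says were separated. Log format, usernames and addresses are constructed."""
import re
from datetime import datetime, timedelta

# Constructed HR feed: username -> separation date (access should end that day).
TERMINATIONS = {
    "bjohnson": "2014-02-14",
    "mlee": "2014-01-31",
}

# Constructed VPN concentrator log lines; the syslog-like shape is this example's assumption.
VPN_LOG = """\
2014-02-13T08:02:11 vpn1 AUTH_OK user=bjohnson src=203.0.113.5
2014-02-15T22:41:03 vpn1 AUTH_OK user=bjohnson src=203.0.113.5
2014-02-20T01:17:44 vpn1 AUTH_OK user=bjohnson src=203.0.113.5
2014-02-20T09:00:12 vpn1 AUTH_OK user=asmith src=198.51.100.7
2014-02-21T10:15:00 vpn1 AUTH_FAIL user=mlee src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<result>AUTH_OK|AUTH_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_vpn_log(text):
    """Parse the constructed log into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than abort the whole job
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_post_termination_access(events, terminations, grace_hours=0):
    """Split post-separation VPN activity into successes and failed attempts.

    Successes mean the account is still enabled and was used; failures still
    mean someone tried the credentials. Both return (user, timestamp, src)."""
    cutoff = {u: datetime.fromisoformat(d) + timedelta(hours=grace_hours)
              for u, d in terminations.items()}
    successes, failures = [], []
    for e in events:
        end = cutoff.get(e["user"])
        if end is None or e["ts"] < end:
            continue  # not a separated account, or activity before separation
        bucket = successes if e["result"] == "AUTH_OK" else failures
        bucket.append((e["user"], e["ts"].isoformat(), e["src"]))
    return successes, failures


def still_enabled(terminations, events):
    """Separated accounts that still authenticate successfully: disable these first."""
    successes, _ = find_post_termination_access(events, terminations)
    return sorted({u for u, _, _ in successes})


if __name__ == "__main__":
    evs = parse_vpn_log(VPN_LOG)
    succ, fail = find_post_termination_access(evs, TERMINATIONS)
    for u, ts, src in succ:
        print(f"ALERT: {u} logged in over VPN at {ts} from {src} after separation")
    for u, ts, src in fail:
        print(f"note: failed attempt on separated account {u} at {ts} from {src}")
    print("accounts to disable now:", still_enabled(TERMINATIONS, evs))
```

The detection only works if the HR feed is authoritative and timely, which is the real lesson here: the VPN account should have been disabled as part of the same process that handed over the badge, and this check is the backstop for when that process is skipped.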

Czech Mate, or Here's Looking at You Id

Trifot, a forty-foot statue by David Černý, is part of a new multi-genre space outside the Czech Photo Centre, which is now open to the public. more

Friday, February 17, 2017

Security Director Alert: USB Killer Stick II

Remember the USB Killer stick that indiscriminately and immediately fries about 95 percent of devices? (See the Security Scrapbook warning about it from last September.)

Well, now the company has released a new version that is even more lethal! And you can also buy an adapter pack, which lets you kill test devices with USB-C, Micro USB, and Lightning ports.

Further Reading: USB Killer, yours for £50, lets you easily fry almost every device

If you haven't heard of the USB Killer before, it's essentially a USB stick with a bunch of capacitors hidden within. When you plug it into a host device (a smartphone, a PC, an in-car or in-plane entertainment system), those capacitors charge up—and then a split second later, the stick dumps a huge surge of electricity into the host device, at least frying the port, but usually disabling the whole thing...

The new USB Killer V3, which costs about £50/$50, is apparently 1.5 times more powerful than its predecessor, is more lethal (it pumps out eight to 12 surges per second), and is itself more resistant to setups that might cause the USB Killer to fry itself. more

Spybusters Tip #783 - Block your USB ports with a USB lock and security tape. Aside from Killer Stick sabotage, USB ports are virus injection portals.