Thursday, November 21, 2019

"Electronic Device" Found in Mayor's Office

MI - Flint Police are investigating after an electronic surveillance device was found inside Flint City Hall.

The device was found in the mayor's office, Interim Police Chief Phil Hart said.

Hart said he cannot speak as to what the capabilities of the electronic surveillance device are at this time.

No other information has been released because it is still under investigation. more

Former Flint Police Chief Timothy Johnson believed the device could've been in City Hall when Former Mayor Karen Weaver was in office. 

He said she was concerned when she moved into City Hall that it had been bugged with recording devices. So Johnson said they checked her office, even removing ceiling tiles.* But, he explained, Weaver's was the only office they checked. more

* A professional technical surveillance countermeasures inspection is quite a bit more thorough.

Spybuster Tip #734: Don't Store Incriminating Photos on Your Android Phone

This time around, a team of security researchers found a terrifying flaw with the Android camera apps that could let malicious apps completely take control over a phone’s camera to spy on users without their knowledge.

It doesn’t take a genius to know that photos and videos can contain extremely sensitive information, and therefore, you should think twice about giving an app permission to use a camera...

Android camera apps often store photos and videos to an SD card, granting an app permission to storage gives it access to the entire contents of that card, according to the researchers. And the truly terrifying thing is that attackers wouldn’t even need to request access to the camera.

To demonstrate the vulnerability, the team at Checkmarx recorded a proof-of-concept video. Using a mockup Weather app, the team was able to not only take photo and video from a Pixel 2 XL and Pixel 3, it also was able to glean GPS data from those photos.


The team was able to detect when the phone was face down and could then remotely direct the rear camera to take photos and video. Another creepy bit is that attackers could potentially enact a “stealth mode,” where camera shutter noises are silenced and after taking photos, return the phone to its lock screen like nothing happened.

But perhaps most disturbingly, the video demonstrates a scenario where attackers could start recording a video while someone was in the middle of call, record two-way audio, and take photos or video of the victim’s surroundings—all without the target knowing. more

Tuesday, November 19, 2019

WhatsApp? Eavesdropping. That's WhatsApp.

WhatsApp parent company Facebook has issued a warning about a new vulnerability on its hugely-popular chat app, which could let hackers take control of their device remotely and eavesdrop on your every conversation.

Facebook has warned users about a potential vulnerability within its WhatsApp chat app that allows cyber-criminals to take control of your device remotely. The security flaw could also allow them to eavesdrop on your conversations.

And if that wasn’t worrying enough, all you’d have to do to let the hackers access your handset is watch a single video... This security flaw affects all versions of WhatsApp, from Windows Phone to iOS. It even includes the enterprise-focused WhatsApp Business. That suggests the issue was found in the underlying code that powers all versions of the chat app...

WhatsApp has closed the loophole with the latest updates to WhatsApp. If you haven’t already got automatic app updates set on your smartphone, you should head to your respective app store and download the latest software to make sure you’re sa

According to Facebook, the potential issue only impacts the following versions of WhatsApp:
fe from attack.
  • Android versions of WhatsApp before 2.19.274
  • iOS versions of WhatsApp before 2.19.100
  • Enterprise Client versions of WhatsApp before 2.25.3
  • Windows Phone versions of WhatsApp before and including 2.18.368
  • Business for Android versions of WhatsApp before 2.19.104
  • Business for iOS versions of WhatsApp before 2.19.100

Beginner's Guide to Small Business Cyber Security

Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.

Consistent with the NIST Cybersecurity Framework and other standards, the Cyber Essentials are the starting point to cyber readiness...

Managing cyber risks requires building a Culture of Cyber Readiness. The Culture of Cyber Readiness has six Essential Elements... more

Eavesdropping Vulnerability: Cisco SPA100 - Update Firmware

While setting up a VoIP service in their home, security researchers at Tenable Research discovered a total of 19 vulnerabilities in VoIP adapters from Cisco's SPA100 Series.

If exploited, these vulnerabilities could allow an attacker to eavesdrop on a user's conversations, initiate fraudulent phone calls and even pivot further into their internal network.

Tenable Research informed Cisco PSIRT of the 19 vulnerabilities they discovered across seven Cisco security advisories and the networking giant has since addressed these flaws with a new 1.4.1 SR5 firmware release for their SPA 100 series devices.

...if you're using a Cisco SPA 100 series VoIP adapter, it is highly recommended that you update to the latest firmware before these flaws are exploited in the wild. more

Monday, November 18, 2019

Hot Wheels - Part I

A Multimillionaire Surveillance Dealer Steps Out Of The Shadows . . .
And His $9 Million WhatsApp Hacking Van



On a wildflower-lined gravel track off a quiet thoroughfare in Larnaca, Cyprus, Tal Dillian is ensconced in a blacked-out truck. It’s a converted GMC ambulance, pimped out with millions of dollars of surveillance kit, antennas on top reaching out to learn what it can from any smartphone within a 1-kilometer radius and, at the click of a button, empty them of all the content within.

WhatsApp messages, Facebook chats, texts, calls, contacts?
Everything?

“Exactly,” says Dilian, a 24-year Israeli intelligence veteran and multimillionaire spy-tech dealer, though he doesn’t look it; imagine a shabbier, more hirsute George Clooney...

He’s dialing up the charm offensive over the two days he gives Forbes unprecedented access to the normally hidden, clandestine spy-tech industry, estimated to be worth $12 billion and rising. more

Hot Wheels - Part II

Cypriot police have confiscated a van reportedly loaded with sophisticated surveillance equipment and have questioned its Israeli owner following media reports that the vehicle was being hired out to spy on people...

The police probe was initiated after local media highlighted an earlier Forbes report on the Israeli it identified as a former intelligence officer who showed off the $9 million van’s spying capabilities. more

The Invisible Man - 122 Years in the Making

“Quantum Stealth” (Light Bending material) non-powered adaptive camouflage which portrays what is behind the user in-front of the user bending the light around the target. The cost is inexpensive, very lightweight and there are no power requirements.

It even blocks thermal imaging! more

Sunday, November 17, 2019

Venezuela's Ex-spy Chief Disappears on Eve of Extradition to U.S. (shocking, just shocking)

Hugo Carvajal, nicknamed "El Pollo," or "The Chicken," was the military-intelligence chief for Presidents Hugo Chavez and Nicholas Maduro, and some experts have said he could be a source of incriminating intelligence on Maduro and his regime...

In written answers to questions by The Associated Press, Carvajal said he wanted to share secret information on drug trafficking and corruption. more | sing-a-long

More Pirates of The Caribbean

Russia’s underwater spy ship recently traveled across the Atlantic Ocean and is currently sailing in America’s backyard. 

Yantar, allegedly a ship meant to research the deep ocean, has an odd habit of skulking around sunken military equipment—and undersea telecommunications cables. 

The ship has suddenly popped up in the Caribbean, prompting military watchers to wonder what the strange ship is up to. 

Yantar is a Russian Navy vessel, but one that lacks a single weapon. The ship was commissioned in 2015 and officially is known as a "special purpose ship" or "oceanographic vessel." It is operated by the Russian Navy's Main Directorate of Underwater Research, which Russian military watchers believe controls Russia’s undersea spying efforts. more

69 Cops Get Body-Cam'ed - Clerk Gets Slammer

A former police records clerk in Southern California was sentenced to six years in jail Friday after he was charged with secretly recording dozens of coworkers as they used the bathroom. 

 
The sentencing for 29-year-old Sergio Nieto came after he pleaded no contest to dozens of invasion of privacy charges in October for spying on 69 coworkers (stop snickering) during his time working at the Long Beach Police Department’s downtown headquarters, the Long Beach Post reports. more

The New York Times Reports: "Bugging Epidemic"

With surveillance gear cheaper and easier to use, security experts say checking your environment for cameras and microphones is not a crazy idea...

A growing array of so-called smart surveillance products have made it easy to secretly live-stream or record what other people are saying or doing. Consumer spending on surveillance cameras in the United States will reach $4 billion in 2023, up from $2.1 billion in 2018, according to the technology market research firm Strategy Analytics. Unit sales of consumer surveillance devices are expected to more than double from last year.

The problem is all that gear is not necessarily being used to fight burglars or keep an eye on the dog while she’s home alone. Tiny cameras have been found in places where they shouldn’t be, like Airbnb rentals, public bathrooms and gym locker rooms. So often, in fact, that security experts warn that we are in the throes of a “bugging epidemic.” more

Spybuster Tip #621: Conduct your own sweeps for covert spycams. Learn how.

Thursday, November 14, 2019

Espionage Concerns Change Hiring Policy

The recent resignation of a compliance director at GitLab Inc. illustrates anxiety in the tech industry about foreign espionage...

GitLab’s vice president of engineering, Eric Johnson, said in GitLab’s public discussion forum in October that the firm would no longer hire people living in Russia and China—countries that U.S. authorities have linked to major data security breaches—for some roles where they would be handling sensitive customer data...

The decision was prompted by “the expressed concern of several enterprise customers,” Mr. Johnson wrote on the forum... more

Thursday, November 7, 2019

How People Turn iPhones into Bluetooth Bugs

With iOS 12, Apple added a feature, called Live Listen, which essentially turns your AirPods into on-demand hearing aids. 

There's a bit of setup you'll need to do, but once it's done, you can place your phone on a table closer to the person you're talking to and it will send audio to your AirPods.

On your iPhone go to Settings > Control Center > Customize Controls and tap on the green "+" symbol next to the Hearing option. Then, when you need to use the feature put in your AirPods and open Control Center on your iPhone and select the Hearing icon followed by Live Listen. Turn off the feature by repeating those final steps in Control Center. more

Corporate Espionage Alert: If a person excuses themselves from a business meeting to go to the restroom (or other excuse)... NEVER continue the discussion thinking they won't know. They may be using this trick to listen in to what you are saying. More sage corporate counterespionage advice here.

Tuesday, November 5, 2019

With a Laser, Researchers Say They Can Hack Alexa and Other Assistants

Since voice-controlled digital assistants were introduced a few years ago, security experts have fretted that systems like Apple’s Siri and Amazon’s Alexa were a privacy threat and could be easily hacked.

But the risk presented by a cleverly pointed light was probably not on anyone’s radar.

Researchers in Japan and at the University of Michigan said Monday that they had found a way to take over Google Home, Amazon’s Alexa or Apple’s Siri devices from hundreds of feet away by shining laser pointers, and even flashlights, at the devices’ microphones
. more

Thursday, October 31, 2019

This Week's News About Spies

 Busy, as always...

Drones: An Increasing Business Espionage Concern Worldwide

South Africa - The increased use of unmanned aerial vehicles, or drones, in SA over the last few years has opened local organisations to a significant and evolving scope of threat in areas such as cyber espionage, illegal surveillance, electronic snooping and reconnaissance.

Security experts warn that while drone technology is increasingly being harnessed to carry out a host of commercial tasks faster, safer and more efficiently across industries including agriculture, media, health and defence, it is also increasingly being exploited by criminals as a tool to usher in a new era of physical and IT security threats. more

• Our other Security Scrapbook drone coverage.
• Researching anti-drone technology for your corporate security department? Contact us for our free Anti-Drone Research Paper.

Wednesday, October 30, 2019

Southwest Airlines Flight Attendant Says Pilots Streamed Secret Bathroom Live Feed into Cockpit

A Phoenix-based flight attendant has sued Southwest Airlines for retaliation after she reported two pilots for live streaming secret lavatory video onto an iPad in the cockpit. 

Renee Steinaker says...she saw an iPad mounted to the jet’s windshield where she could see the pilot in the restroom. She says the co-pilot then told her that the cameras were a new “top secret security measure” which Steinmaker later determined was not true.

She claims that the pilots also left the aircraft unattended after landing the flight, and “left a loaded firearm unattended in the cockpit” which violates FAA regulations. more

The two pilots, both based near Southwest's Dallas headquarters, have denied the allegations in court documents. So has the airline, which dismissed the incident as an "inappropriate attempt at humor" in a statement. more

UPDATE:  A statement by the Southwest Airlines Pilots Association this week:
"Southwest Airlines has never placed cameras and never videoed anyone in any lavatory, and the pilots on Flight 1088 did not video anyone. The incident, which occurred over two years ago, was a poor attempt at humor where the pilot took a selfie video from the chest up, fully clothed, in the lavatory of a completely different airplane months before Flight 1088 and then replayed the exact same selfie video on his iPad when Ms. Steinaker came into the cockpit." more

Kettle Gets Called Black... or, Who's Zoomin' Who

Facebook launched a new front in the battle over encryption yesterday by suing the Israeli spyware firm NSO Group for allegedly hacking WhatsApp, its encrypted messaging service, and helping government customers snoop on about 1,400 victims...


The lawsuit marks the first time a messaging service has sued a spyware company for undermining its encryption and it could prompt a slew of suits against companies that have developed encryption workarounds bolstering governments' ability to spy on their citizens. more

More People Searching for Technical Surveillance Countermeasures (TSCM)

Analysis: More organizations are hardening their defenses against electronic surveillance and information theft.  With TSCM information security surveys becoming mainstream attacks will shift toward the defenseless...

Defenseless equals lunch in the Infowar Jungle.

Friday, October 25, 2019

Espionage Weekend Movie: "The Current War"

Don't let the fancy attire and the Gilded Age setting fool you, there is nasty business afoot in "The Current War."

It's a power struggle, both literal and societal, with Benedict Cumberbatch as inventor Thomas Edison on one side, Michael Shannon as industrialist George Westinghouse on the other, Nicholas Hoult as eccentric visionary Nikola Tesla in the middle and the future of electricity in America hanging in the balance.



In theaters Friday, Oct. 25, the film is a tale of innovation advanced via moral compromise. There are dead animals, corporate espionage, even the invention of the electric chair all deployed in the battle to determine whether Edison's direct current or Westinghouse's alternating current would light up the nation.

It's a story rife with tragedy and squandered potential. more

Spy Doc Dropped

The doctor accused of corporate espionage and stealing trade secrets from blood giant CSL to further his career and to land a job at rival group Pharming has been sacked from his job.

Dutch pharmaceutical company Pharming announced on Thursday that it had permanently terminated Joseph Chiao's employment.

Dr Chiao had been subject to a US court injunction preventing him from starting work at Pharming in October so that CSL and Pharming could investigate CSL's allegations that Dr Chiao had stolen 1,000,000 documents from CSL. more

Hacker Physically Plants Keylogger Devices on Company Systems

A hacker admitted to planting hardware keyloggers on computers belonging to two companies to get unauthorized to their networks and steal proprietary data. He now faces 12 years of prison time.

It appears that the individual was after data relating to an "emerging technology" that both targeted companies were developing.

In February 2017, 45-year old Ankur Agarwal of Montville, New Jersey, trespassed the premises of one of the two tech companies and installed keylogging devices on its computers to capture employee usernames and passwords. He also added his laptop and a hard drive to the company's computer network. more

A Technical Information Security Survey could have prevented this in the first place. ~Kevin

Racoon Steals Data for $200. per Month - Cute

A new kind of easy to use trojan malware is gaining popularity among cyber criminals, providing them with simple means of stealing credit card data, passwords and cryptocurrency -- and it has already infected hundreds of thousands of Windows users around the world.

Raccoon Stealer first appeared in April this year and has quickly risen to become one of the most talked-about malware services in underground forums.

Researchers at Cybereason have been monitoring Raccoon since it first emerged, and note that while not sophisticated, it is aggressively marketed to potential criminal users, providing them with an easy-to-use back end, along with bulletproof hosting and 24/7 support -- all for $200 a month. more

Thursday, October 24, 2019

Turning Amazon and Google Smart Speakers into Smart Spies

Researchers at Germany’s SRLabs found two hacking scenarios — eavesdropping and phishing — for both Amazon Alexa and Google Home/Nest devices. They created eight voice apps (Skills for Alexa and Actions for Google Home) to demonstrate the hacks that turns these smart speakers into smart spies. The malicious voice apps created by SRLabs easily passed through Amazon and Google’s individual screening processes...

For eavesdropping, the researchers used the same horoscope app for Amazon’s smart speaker. The app tricks the user into believing that it has been stopped while it silently listens in the background. more

Google Accused of Spying with New Tool

Google employees have accused their employer of creating a surveillance tool disguised as a calendar extension designed to monitor gatherings of more than 100 people, a signal that those employees may be planning protests or discussing union organizing. Google parent company Alphabet “categorically” denies the accusation. 

The accusation, outlined in a memo obtained by Bloomberg News, claims severe unethical conduct from high-ranking Google employees, who they say allegedly ordered a team to develop a Chrome browser extension that would be installed on all employee machines and used primarily to monitor internal employee activity.  

Employees are claiming the tool reports anyone who creates a calendar invite and sends it to more than 100 others, alleging that it is an attempt to crackdown on organizing and employee activism. more

Hospital Bathroom Video Voyeur had 1 Million Images

FL - Authorities have arrested a 41-year-old man who they say hid a small camera in bathrooms at three Florida medical facilities...
 
Police began investigating on Oct. 3 when a hidden camera was found inside an employee bathroom at St. Mary's Medical Center. 
 
Investigators found more than a million still and video images.
 
(The suspect) was a technician who took CT scans at the hospital and PET scans at medical facilities in Delray Beach and Boca Raton. more

Toga! Toga! Toga! ...SCIF Fight!

SCIF fight shows lawmakers can be their own biggest cybersecurity vulnerability.

About two dozen House Republicans enter a sensitive compartmented information facility (SCIF) where a closed session before the House Intelligence, Foreign Affairs and Oversight committees took place.

A group of House Republicans could have created a field day for Russian and Chinese intelligence agencies when they stormed into a secure Capitol Hill room where their colleagues were taking impeachment testimony yesterday with their cellphones in tow. more

"You're all worthless and weak!" ~Doug Neidermeyer

Wednesday, October 23, 2019

CNN - In 1999 a listening device was planted inside the State Department...

After a suspicious rise in Russian diplomats visiting the State Department in 1999, the FBI worked with the Diplomatic Security Service to follow mysterious radio frequencies. For more, watch "Declassified" Sunday at 11 p.m. ET/PT. more

Thanks to our Blue Blase Irregular at Big T for spotting this one for us.

Free Ransomware Decryption Tool

Emsisoft Decryptor for STOP Djvu

The STOP Djvu ransomware encrypts victim's files with Salsa20, and appends one of dozens of extensions to filenames; for example, ".djvu", ".rumba", ".radman", ".gero", etc.

Please note: There are limitations on what files can be decrypted. more

Of course, put all the safeguards in place first so you won't need this tool. ~Kevin

Friday, October 18, 2019

IT / Security Director Alert: Cisco Aironet Wi-Fi High-Severity Vulnerability Patch Available

Cisco has issued patches for critical and high-severity vulnerabilities in its Aironet access point devices.

It also issued a slew of additional patches addressing other flaws in its products.

“An exploit could allow the attacker to gain access to the device with elevated privileges,” said Cisco in a Wednesday advisory.

“An exploit could allow the attacker to gain access to the device with elevated privileges,” said Cisco in a Wednesday advisory. "...it could allow the attacker to view sensitive information and replace some options with values of their choosing, including wireless network configuration. It would also allow the attacker to disable the [access point], creating a denial of service (DoS) condition for clients associated with the [access point].” more

Thursday, October 17, 2019

Why Do CIA Spies Stop at Every Yellow Light?

After spending years in the CIA fighting to prevent nuclear terrorism and other catastrophes, some old habits just will not go away for the ex-spy Amaryllis Fox...

...a former CIA clandestine-service officer and author of the new book "Life Undercover: Coming of Age in the CIA"...

...CIA spies learn to master skills regular people do not, and they stick with you...

...But there is one old habit, she said, that drives her husband a little bit crazy — stopping at every yellow light when she drives. more

Welcome to our home. Your visit may be recorded for no apparent reason. Would you like a glass of wine?

The privacy backlash against AI-powered digital assistants has just taken an interesting twist, with a senior exec from one of the core proponents of the technology admitting that he has his own privacy concerns over the tech.

Google hardware chief Rick Osterloh told the BBC that guests visiting a home where smart speakers are stored should be warned that their conversations might be overheard and recorded. more

Calling All Ears - Calling All Ears

“EAVESDROPPING,” COMEDY CENTRAL DIGITAL SKETCH
Comedy Central is casting talent for “Eavesdropping,” a digital sketch. The production needs talent, aged 20–40, to play cute families, tourists, creepy men, and more. Two of the roles require the ability to cry on command. Filming will take place on Oct. 23 in New York City. Pay is $100 per day with meals provided on set. Apply here for the general background roles and apply here for the crying background roles!

Massive Corporate Espionage Attack: 'One million pages stolen'

Australian blood giant CSL has been rocked by an alleged corporate espionage attack, with a former "high level" employee accused of stealing tens of thousands of its documents - including trade secrets - in order to land a job at a key competitor...
CSL’s allegations are expected to reverberate through the highly competitive global drug making industry where trade secrets are the most prized possession of the companies. more
It's never this obvious.

Any pharmaceutical company without: 
  • a robust Information Security Policy, 
  • Recording in the Workplace Policy
  • IT Compliance and Surveillance program, 
  • regularly scheduled Technical Surveillance Countermeasures (TSCM) inspections (with an Information Security Survey component)
is an easy target. Sadly, they won't even know they have had their brains picked until the damage is done.

CSL had protection measures in place. Thus, this discovery, and recovery. ~Kevin

Iranian President's Brother Claims Presidential Office was Bugged

Iran - After surrendering to serve his five-year term in prison, the younger brother of Iran’s president, Hossein Fereydoun claimed in a statement October 16 that the judge had convicted him based on eavesdropping on the presidential office.

A close advisor to Hassan Rouhani, Fereydoun did not name the body or persons responsible for the eavesdropping. Nevertheless, it is public knowledge that the Islamic Revolution Guards Corps Intelligence Organization had been behind the lawsuit against him. more

Holy Crap: IT Folks Fear the Internet Connected Toilet

IT security professionals are nervous people.

This seems clear from a new survey perpetrated on the part of the hardware security company nCipher...

The surveyors asked 1,800 IT security professionals in 14 countries about vital elements...

Thirty-six percent confessed they were afraid they'd be spied upon by an internet-connected device. The same number feared they'd have money stolen.

Twenty-four percent fear personal embarrassment as unholy information about them would be leaked.

I, though, feel a particular empathy for the 21% who are afraid that pranksters will hack their connected toilets. more

Friday, October 11, 2019

Spy Camera Detectors – Do they work? How do they work?

Covert cameras have been around since the 1800’s. Interestingly, as soon as photography developed, people wanted to surreptitiously take photos. From voyeurs to private eyes, a spycam was the gadget to have.

In 1900, movie maker, George Albert Smith, glamorized optical voyeurism in his movie, As Seen Through a Telescope. We will take a historical shortcut here and leave the discovery of these early film spy cameras to auctioneers and collectors.

Our spy camera detection history begins with the advent of CCD and CMOS behind the lens. These are the electronic sensors within modern digital spy cameras which capture images.

With a little knowledge—aided by some inexpensive gadgets—you can detect spycams! Continued here.

Planting Spy Chips in Routers - Proof of Concept

More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks...

But even as the facts of that story remain unconfirmed...

Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off—just a motivated hardware hacker with the right access and as little as $200 worth of equipment... more
5 Cheap Things to Beef Up Your Security
by Rob Kleeger,
Digital4nx Group

Here are a few simple things to prevent and keep most of your private information as safe as possible from hacks or negligence.
  1. Invest in a Password Manager:  If you are like me, most people can’t remember the login details for the dozens of online services they use, so many people end up using the same password — or some variation of one — everywhere. If you are one of those people, this means that if just one site on which you use your password gets hacked, someone could gain access to all your accounts.
  2.  Use a virtual private network (VPN) service: When connected to any internet-connected device, it helps to keep most of your browsing private from your internet service provider; it reduces some online tracking; and it secures your connections when you use public Wi-Fi.
  3. Turn on MFA (2FA) on everything: Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person's devices or online accounts because knowing the victim's password alone is not enough to pass the authentication check. Two-factor authentication doesn’t guarantee security, and it is vulnerable to hacking attacks like phishing attempts that spoof a login page.
  4. Backup: Have a backup plan. All too often, SMB leadership says they backup, but the backup is saved on the server, which if gets encrypted, serves no purpose...neither does attaching a NAS to the same network. Have a cloud-based or offline based backup plan. Confirm backups run regularly and periodically test those backups to do a full restore. 
  5. Don't forget about the paper:  In many ways, people are so focused on cybersecurity, they forget about the basics. Use a cross-cutting paper shredder.  Wirecutter recommends the AmazonBasics 15-Sheet Cross-Cut Shredder for most people, though serious privacy mavens should step up to the AmazonBasics 12-Sheet High-Security Micro-Cut Shredder, which runs a little slower but produces confetti half the size of a cross-cut shredder’s pieces.

Thursday, October 10, 2019

LaFollette Councilwoman Indicted - 34 counts of Wiretapping and Electronic Surveillance

TN - A LaFollette city councilwoman was indicted Thursday on wiretapping and official misconduct charges after a nearly eight-month investigation by the Tennessee Bureau of Investigation...


Campbell County District Attorney Jared Effler requested the TBI investigate after a recording device was found in the LaFollette City Hall Conference Room. Investigators later determined that Thompson was responsible for placing the device in the conference room.

On October 2nd, the Campbell County Grand Jury returned indictments charging Thompson with 34 counts of Wiretapping and Electronic Surveillance and two counts of Official Misconduct.  more

Julian Assange’s Hideout May Have Been Bugged

A Spanish security firm that worked for the Ecuadorean embassy in London is being investigated on suspicion it spied on WikiLeaks founder Julian Assange for US secret services.

Spain’s National Court says it is investigating whether David Morales and his Undercover Global SL security agency invaded Assange’s privacy and that of his lawyers by installing hidden microphones and other devices in the embassy.

It said the information gathered appeared to have been passed on to Ecuadorean and US bodies. more

UPDATE - Director of Spanish security company that spied on Julian Assange arrested.

Cop Dropped for Electronic Eavesdropping - Nothing Further to Report

CA - The Roseville Police Department arrested an officer of Folsom’s police force Wednesday on suspicion of stalking, electronic eavesdropping and illegally using monitoring equipment...

The Roseville Police Department said it would not be releasing any further information regarding the investigation. more

Read more here: https://www.sacbee.com/news/local/crime/article235979622.html#storylink=cpy

Read more here: https://www.sacbee.com/news/local/crime/article235979622.html#storylink=cpy

Don't Get Struck by Lightning by Borrowing a Cable

Bad news: A hacker has created a rogue Lightning cable that lets bad guys take over your computer. Worse news: Now it’s being mass-produced.

... from now on, asking a stranger to borrow a Lightning cable, or accepting an offer by a stranger to give you one, is the last thing you’ll want to do if you’re scrupulous about protecting your data.

That’s because a hacker has created the first Lightning cable that, when plugged into your Mac or PC, will allow someone to remotely take over your computer.

Worse, this hacked Lightning cable, called the O.MG Cable, isn’t a bespoke one-off. It’s being mass-produced in factories so anyone can buy and use them to target your datamore

Japan Ninja Student - Writes Essay in Invisible Ink - Gets A+

Japanese student of ninja history who handed in a blank paper was given top marks - after her professor realised the essay was written in invisible ink.

Eimi Haga followed the ninja technique of "aburidashi", spending hours soaking and crushing soybeans to make the ink.

The words appeared when her professor heated the paper over his gas stove.

"It is something I learned through a book when I was little," Ms Haga told the BBC. more

Tuesday, October 8, 2019

A Blue Blaze Irregular Asks About RFID Money Detectors

Hi Kevin, 

I would love it if you did a report on the RFID in currency and the "detectors" that are used to identify the exact amount of cash in a car, suitcase, etc. 

For example, a husband and wife were driving with $14,000 cash to buy a car when an automobile from Homeland Security pulled alongside them for a minute to scan their car. When they realized the car had $14,000 in it, they informed the local law enforcement which then proceeded to pull the car over to confiscate the money. Or the sheriff in Northern California who uses a similar "detector" to pull over people who are bringing cash to Nor Cal to buy cannabis during harvest season. From what I've read, wrapping anything that has the RFID in it with aluminum foil or a Faraday cage-like material is enough to block any signals. I think your readers would find this very interesting. 

Thanks Kevin I appreciate it. 

FutureWatch: I looked into it and found some interesting articles. It appears the U.S. Treasury department is looking into it. They currently have a Request for Information (RFI) out to develop this technology. Answers due by January, 24, 2020.

Technical papers on this technology include...
Banknote Validation through an Embedded RFID Chip and an NFC-Enabled Smartphone
A Comparison Survey Study on RFID Based Anti-Counterfeiting Systems
RFID banknotes

Apparently, this technology has been explored since at least 2001. I couldn't find that it has been implemented anywhere... yet. It appears it may be coming, however.

Our BBI is correct. RFID readers can be easily blocked by Faraday Cage techniques.

All this reminds me weapons of war; evolutionary stair-step escalation through the ages.

Double FutureWatch: RFID tracking of currency may become a moot point if governments leap-frog into cryptocurrencies.

Monday, October 7, 2019

Signal Users - Time to Patch

A security flaw in the privacy-focused encrypted messaging service Signal could enable a threat actor to listen to the audio stream recorded by the Android device of another Signal user, without their knowledge...

The attack does not work with Signal video calls.

The issue was discovered last month by a researcher with Google Project Zero. Signal has already released a patch. more

GPS Cyberstalking of Girlfriend Brings Indictment for Alleged Mobster

20 supposed wiseguys charged because one was possessive...

Joseph Amato's attempt to surveil his girlfriend by attaching a hidden GPS device to her car led authorities to surveil the alleged mobster, and ultimately to his indictment by a grand jury...

"In November 2016, a GPS tracking device was found on an MTA bus in Staten Island during a routine maintenance inspection: it had been hidden in an oil pan," the government's detention memo states. "In fact, Joseph Amato had purchased the device to place a girlfriend, identified herein as Jane Doe, under close surveillance and used the tracking device in an attempt to maintain control over her."...

...after Jane Doe discovered the GPS tracker on her car and removed it. The detention memo suggests she placed it on an MTA bus to thwart Amato's surveillance. more

Women Snooping on Boyfriends Help Topple Dictator Instead

It all started in 2015 with a frantic message from a woman in Sudan who was having cold feet ten days before her wedding. The woman had a nagging feeling her husband-to-be was cheating on her, and she was desperate to find out the truth before she went through with the marriage.

She decided to reach out to her friend Rania Omer, who had won a lottery visa to become a U.S. citizen five years earlier.

Now Omer was 24 and studying at a college in Nebraska, but she still fancied herself an anti-matchmaker among her close-knit community back home in Khartoum. The friend wanted Omer’s help. Would she mind posting a photo of the potential husband to Facebook to see if other women could dig up information on him?

A few hours later, Omer had her answer: one commenter posted to say she was his wife. more

Friday, October 4, 2019

Dissinformation as a Service (DaaS)

While disinformation campaigns are often associated with governments, new research indicates there is a robust, easy-to-navigate market for anyone looking to buy their own propaganda arms.

It is “alarmingly simple and inexpensive” to launch a sophisticated disinformation campaign, analysts from threat-intelligence company Recorded Future concluded after studying the issue. “Disinformation services are highly customizable in scope, costing anywhere from several hundreds of dollars to hundreds of thousands of dollars, or more depending on the client’s needs.”...

“If the ease of this experience is any indication, we predict that disinformation-as-a-service will soon spread from a nation-state tool to one increasingly used by individuals and organizations,” the Recorded Future analysts said. more

As Technical Information Security Consultants, this caught our attention. 

The best disinformation always adds in some correct information. The sum is verisimilitude, the ring of truth. 

So, where will the best correct information come from? Inside, of course.

Another very good reason to conduct regularly scheduled Technical Information Security surveys at your organization.

Tuesday, October 1, 2019

U.S. Tour Guide Accused as Spy for China's Security Service


Watch Surveillance Video of Alleged Spy’s ‘Dead Drop’ at Hotel 

The U.S. arrested a California man accused of spying for China’s security service while working as a tour guide in the San Francisco area. U.S. agents secretly monitored drop-offs of packages at a hotel in Newark, California, that were traced to Peng, according to the complaint.

China’s Ministry of State Security schemed “to use an American citizen to remove classified security information to the PRC,” U.S. Attorney David Anderson said at a press conference.

Peng’s activities for the company where he worked, U.S. Tour and Travel, “went far beyond innocent sight-seeing,” Anderson said. more

Husband Ordered to Pay Almost $500K After Bugging Wife’s iPhone

The chairman of a performing arts school in Brooklyn has to pay an almost $500,000 verdict after he installed spying software in his estranged tobacco-heiress wife’s iPhone...

Jurors ordered Crocker Coulson, Brooklyn Music School chairman, to pay Anne Resnik $200,000 in compensatory damages, $200,000 in punitive damages, and $41,500 in statutory damages—or $100 for each of the 415 days he accessed her phone between 2012 and 2014.

Coulson was also ordered to pay $10,000 to Resnik’s mom, sister, and psychiatrist because he also intercepted their communications by spying on his wife. more

Credit Suisse’s C.O.O. Quits Over a Spying Scandal

Chief Operating Officer Pierre-Olivier Bouee, who worked as the CEO’s chief lieutenant at three companies for more than 10 years, stepped down after ordering detectives to shadow former wealth-management head Iqbal Khan to ensure he didn’t poach clients and brokers for his new post at UBS Group AG. The bank said that he acted alone...

Chairman Urs Rohner is seeking to contain a scandal that erupted in Swiss tabloids a week ago and escalated into a threat for the bank’s top leadership after a confrontation in downtown Zurich between Khan and the private detectives sent to spy on him.

Events took on an even more dramatic turn just before the bank’s announcement, when it emerged that a contractor hired by the bank to recruit the investigative agency took his own life. more

Uber’s Next Big Safety Feature... Eavesdropping

Uber users have raised their share safety concerns with the company, and now it seems that a new feature that could help allay some of those concerns is on the way.  

Uber is apparently testing a feature that will allow riders to record audio through the app when they feel unsafe during a ride.

There are a lot of details we don’t know about this feature yet, as Uber hasn’t said anything official about it. more

Legit-Looking iPhone Cable That Hacks

Soon it may be easier to get your hands on a cable that looks just like a legitimate Apple lightning cable, but which actually lets you remotely take over a computer. The security researcher behind the recently developed tool announced over the weekend that the cable has been successfully made in a factory...
 
MG is the creator of the O.MG Cable. It charges phones and transfers data in the same way an Apple cable does, but it also contains a wireless hotspot that a hacker can connect to. Once they've done that, a hacker can run commands on the computer, potentially rummaging through a victim's files, for instance. more - background

Tuesday, September 10, 2019

GPS Tracker Bugs Kids... about 600,000 of them.

Serious security flaws in GPS trackers manufactured by a Chinese company have been found to expose location data of nearly 600,000 children and elderly, according to researchers from cybersecurity firm Avast.

T8 Mini GPS Tracker Locator
The researchers spotted the vulnerabilities in the T8 Mini GPS tracker and nearly 30 other models by the same manufacturer, Shenzhen i365 Tech.

...these devices expose all data sent to the Cloud, including exact real-time GPS coordinates, showed the findings revealed last week.

Further, design flaws can enable unwanted third-parties to spoof the location or access the microphone for eavesdropping.

The researchers estimate that there are about 600,000 of these unprotected trackers in use globally that are using the very generic default password of "123456". more

FutureWatch - Non-Public 5G Networks - Network Security via Isolation

The concept of non-public networks is nothing new -- yet the rise of the internet of things (IoT) and connected assets is driving more and more companies to investigate the opportunities that non-public 5G networks could offer them...  

Non-public 5G networks offer protection against industrial espionage. Data in non-public 5G networks is segregated and processed separately from public 5G networks. This ensures complete privacy protection of process -- and production-related data. more