Thursday, August 29, 2019

A Golf Ball Right Out of Spy vs. Spy

Nissan Motor Co. has developed a golf ball that will help you make a putt with your eyes closed.

As a proof of concept, the carmaker unveiled a video on Tuesday in which a toddler taps a ball with his club and makes a putt that would make Tiger Woods’ jaw drop. Here’s how it works... more

The Scarlet Letter: 2019 - Old Spy Tool. New Use.

Ultraviolet ink has been used by spies (secret writing) and TSCM technicians (as tamper detection) for over a century. And now, to brand sexual assailants for groping.

Anti-groping stamp lets victims mark assailants.

The Japanese device is paired with a special lamp that lets its otherwise invisible ink be seen...

The Tokyo Metropolitan Police said 2,620 sexual crimes were reported in 2017, including 1,750 cases of groping, mostly on trains or at stations.

A limited run of 500 devices, which retailed at 2,500 yen (£19.30), sold out within 30 minutes on Tuesday... more

FutureWatch: Additional tech will continue to enhance citizen crime fighting. New technologies will be appropriated. Old technologies, like ultraviolet, will find new uses. 

Just think of what internet search engines, smartphone videos, video doorbells, and covert spy cameras have already accomplished in recent decades. 

I wonder why Gentian Violet in mini spray bottles wasn't thought of first. Instant ID. No UV light necessary.

Has Your Doctor (or other Professional) Downloaded Apps With Microphone Access?

via Robinson & Cole LLP - Linn Foster Freedman

As I always do when talking to people about their phones, I asked them to go into their privacy settings and into the microphone section and see how many apps they have downloaded that asked permission to access the microphone. How many green dots are there? Almost all of them looked up at me with wide eyes and their lips formed a big “O.”...

I am not picking on them—I do the same thing with lawyers, financial advisors and CPAs, and any other professional that has access to sensitive information.

When a professional downloads an app that allows access to the microphone, all of the conversations that you believe are private and confidential are now not private and confidential if that phone is in the room with you. more

Tuesday, August 27, 2019

Just Another Week in the World of Spies

China - Yang Hengjun, a well-known Australian writer and democracy activist detained by the Chinese authorities in January, has been formally charged with spying... more

Russia - A Moscow court has ruled to keep an American man and Marine veteran suspected of spying in prison for two more months. The court ruled on Friday to keep Paul Whelan behind bars at least until late October. more 

WWW - Freelance site Fiverr offers illegal private spying services... more

UAE - Why the CIA doesn't spy on the UAE... more

Israel shouldn’t let a little spying undo its economic ties with China, ex-chief analyst argues... more

Iran has sentenced a British-Iranian national to 10 years in jail for spying for Israel... more

China’s spies are waging an intensifying espionage offensive against the United States. more

USA - Patrick Byrne resigned suddenly as CEO last Thursday, after mounting controversy surrounding his past romantic relationship with alleged Russian agent Maria Butina. Butina is now serving an 18-month prison sentence for conspiring to promote Russian interests through conservative U.S. political groups. more

Australia - Intelligence agencies warn of 'unprecedented scale' of foreign spying within Australia. more

Iran - Environmentalists filming Iran’s endangered cheetahs could be executed for spying. more

India sending spying devices to Pakistan via balloons... more

USA - The spy in your wallet: Credit cards have a privacy problem... In a privacy experiment, we bought one banana with the new Apple Card — and another with the Amazon Prime Rewards Visa from Chase. Here’s who tracked, mined and shared our data. more

Book - The Secret World: A History of Intelligence

via The New Yorker
The history of espionage is a lesson in paradox: the better your intelligence, the dumber your conduct; the more you know, the less you anticipate.

Is intelligence intelligent? This is the question that runs or, rather, leaps through the mind of the reader struggling with Christopher Andrew’s encyclopedic work “The Secret World: A History of Intelligence” (Yale).

Andrew, who is a longtime history don at Cambridge, begins his book...with one of the most appealing opening lines in recent nonfiction: “The first major figure in world literature to emphasize the importance of good intelligence was God.”

The Israelites’ reconnaissance mission to the promised land of Canaan is the first stop in Andrew’s tour of four thousand years of spying; the last is the American failure to anticipate 9/11.

For anyone with a taste for wide-ranging and shrewdly gossipy history—or, for that matter, for anyone with a taste for spy stories—Andrew’s is one of the most entertaining books of the past few years. more

'Complete Control' Hack Allows Audio / Video Spying and More

All Windows users should update immediately as ‘Complete Control’ hack is confirmed.

In case you were underestimating the tool, it can allow a hacker to remotely shut down or reboot the system, remotely browse files, and access and control the Task Manager, Registry Editor, and even the mouse.

Not only that, but the attacker can also open web pages, disable the webcam activity light to spy on the victim unnoticed and capture audio and video.

Since the attacker has full access to the computer, they can also recover passwords and obtain login credentials using a keylogger as well as lock the computer with custom encryption that can act like ransomware. more

Friday, August 23, 2019

Whistle-Blower Charged with Industrial Espionage, or No Good Deed Goes...

A whistle-blower responsible for uncovering one of the biggest cases of tax avoidance in Germany is now being prosecuted by Swiss authorities for industrial espionage...

Echart Seith is a lawyer who contributed to uncovering a Swiss bank mechanism that deprived German taxpayers of €12bn...

The 61-year-old Seith has now been charged with industrial espionage and his case goes to trial on March 26. If found guilty, he is facing three-and-a-half years in prison. His testimony closed the tax loophole exploited by the Swiss banking industry in 2011...

The question at hand is how Seith got internal bank documents that allowed him to make the case against the Swiss banking system. more

How Music Has Made Auditory Surveillance Possible

An interesting article on the history of electronic eavesdropping...
For as long as we’ve been able to transmit sound through the ether, it seems, someone has been listening in... more

FutureWatch: Eavesdropping on REALLY Tiny Sounds

Researchers have developed a microphone so sensitive it’s capable of picking up individual particles of sound.

OK, we knew light has particles, and gravity has particles. Now even sound has particles? Well, not quite. A phonon is what’s called a quasiparticle — basically, an emergent phenomenon that occurs when a microscopically complicated system behaves as if it were a particle...

The quantum microphone consists of a series of supercooled nanomechanical resonators, so small that they are visible only through an electron microscope.

The resonators are connected to a superconducting circuit which contains electron pairs that move around without resistance. The circuit forms a qubit — a system that can exist in two states at once and has a natural frequency, which can be read electronically. more

Spycam Man Gets Life +150 Years — Skips on Castration

A workman accused of hiding cameras in several homes to spy on young girls was sentenced Wednesday to life in prison plus nearly 150 years by a judge who said she would have him castrated if the law allowed.

"We're here because of the choices that you and you alone made," Oklahoma County District Judge Amy Palumbo told Ryan Aaron Alden. "The devastation that you caused these families may never be known."

Alden, 39, of The Village, pleaded guilty in June to 28 felonies that included aggravated possession of obscene material involving minors, manufacturing child pornography and using video equipment in a clandestine manner.

Prosecutors alleged that Alden placed hidden cameras in the ceiling vents of four homes in Edmond, Nichols Hills and Oklahoma City. He reportedly placed the cameras in the bedrooms, bathrooms and closets of the homes while performing electrical work.

Alden was also accused of taking clandestine photos of girls in numerous public places, including gyms, schools, stores, mall changing rooms and a high school football game. more

Fighting Corporate Espionage — by a Counterintelligence Agent

Corporate executives must bear the responsibility... No longer is “Security” to the facility and personnel all that is required. Many foreign countries and interests take short cuts to becoming competitive through the theft of trade secrets, products and overt and covert espionage of all sorts...

Many of the tactics utilized in private sector counterintelligence have much in common with the secrets and information the government does its best to safeguard from theft... 

There are also open and legal methods of collection that are harmful, and a good counterintelligence program should target these as well as illegal activities such as electronic eavesdropping, hacking, etc.

Passive counterintelligence tries to curtail what a collector may do through countermeasures, and awareness training. Active counterintelligence will prove beneficial to identify and detect a threat, and will conduct operations including eliminating threats or ongoing targeting... The leaders in the private sector need to be proactive and realize that it is no longer only local threats they face. The threats can be global and may not only be an economic threat but also a threat to national security. more

The O.MG Cable™ — The Smartphone Electro-Leach

via Blue Blaze irregular C.G.
The O.MG Cable™ is the result of months of work that has resulted in a highly covert malicious USB cable. As soon as the cable is plugged in, it can be controlled through the wireless network interface that lives inside the cable.
The O.MG Cable allows new payloads to be created, saved, and transmitted entirely remotely. 
The cable is built with Red Teams in mind with features like additional boot payloads, no USB enumeration until payload execution, and the ability to forensically erase the firmware, which causes the cable to fall entirely back to an innocuous state. And these are just the features that have been revealed so far. more 
Their other "interesting" products of which you should be aware.

Tuesday, August 20, 2019

Wiretap Found at Office of Deputy Prosecutor General of Ukraine

Nazar Kholodnytsky
The Head of the SAPO* claimed a “device similar to a tapping device has been found”, adding that he did not know whom it belonged to...

Ukrainska Pravda wrote that the “bugs” had been planted on the acquiarium (sic) in Kholodnytsky’s office and reminded of rumors regarding the possible voluntary resignation “due to health reasons”.

Ukrainski Novyny, citing sources in the Prosecutor General’s Office, said that Kholodnytsky may be detained and arrested as the result of “the wiretapping case”.

Reacting to the resignation rumors, the SAPO head encouraged “not to count on it.” more

Extra Credit: Ukraine's Security Service denies allegations of wiretapping presidential candidates. more

*Ukraine's Specialized Anti-Corruption Prosecutor's Office

How to Drive Artificial Intelligence Surveillance Cameras Nuts

In order to deceive surveillance cameras, a fashion designer and hacker has developed a new clothing line that allows people to camouflage themselves as a car in the recordings.

The garments are also covered with license plate images that trigger automated license plate readers, or ALPRs, to inject junk data into systems used to monitor and track civilians. more

Phone Phreaking - The Next Frontier - Elevator Eavesdropping

Next time you’re in an elevator, be advised that someone – besides building security and fellow elevator riders – might be listening.
A recent Wired article exposed the hidden world of elevator phreaking. By calling an unsecured elevator phone, a third party can expose a person, and potentially an enterprise, to a major security and privacy risk. 
Since elevator phones don’t require anyone to pick up the phone to open the circuit, a third party can make a call and be connected – allowing them to eavesdrop on conversations happening inside the elevator. 
Given the competitive nature of industries like banking and technology, it isn’t completely unthinkable for a hacker to eavesdrop this way. more

I know of a hotel in Miami which has a bugged elevator—the one nearest the Boardroom, located on the Conference Floor level.

But, if bugged elevators aren't freaky enough, eavesdrop on elevators that talk! ~Kevin

Eye Spy

Spectacles are a camera that you wear on your face. Tap a record button near the temple, and they capture video in intervals of 10 seconds, which automatically uploads to the Snapchat app. The first two generations of the sunglasses, released in 2016 and 2018 respectively, were bulky, plastic, and multicolored—almost toylike.

Spectacles 3, to be released later this fall, are a much more appealing species. Sleeker, slimmer, and made in lightweight stainless steel, they signal the company’s move into elevated design. The style—exaggerated round lenses with a brow bar across the top—comes in just two minimal hues: matte black (the Carbon) and rose gold (the Mineral). more

The Peregrination of a Childhood Promise

Finally, another childhood fantasy becomes reality. Hard on the heels of wall-screen TVs: Dick Tracy's wrist radio.

  • The now iconic 2-way wrist radio premiered in 1946 and was replaced with a 2-way wrist TV in 1964.
  • 1952 prototype wrist radio.
  • 1960's wrist radio.
  • Apple watch Walkie-Talkie.
  • FutureWatch: A "Real" Dick Tracy wrist radio watch. (Bluetooth)
  • Wrist radios on ebay.
  • Wrist radios on Amazon.
  • In June of 1954, the radio was upgraded to increase the range from 500 miles to 1,000 miles, then again in 1956 to 2,500 miles. 
Chester Gould’s idea of Tracy wearing something like this on his wrist in the comic strip was actually turned down by his employer because it was thought to be too much of a cheat, so-to-speak, an easy way out for the detective who had been written into a scene where he was held captive with no possible way of escaping from the criminals.

It was then that Gould decided to call an inventor he had met, Al Gross (pictured above).

Al Gross was a man way ahead of his time, with inventions such as the walkie-talkie. When Gross was just 16 years old he already had an amateur radio operator's license and had built a ham radio; he went on to invent the first telephone pager in 1949.

When Gould stopped by, Al Gross had just recently invented a two-way radio that people could wear on their wrists, just like a watch. Gould asked Gross if he could use his idea and that’s where Dick Tracy’s wrist watch radio came into being. Gould was so appreciative that as a Thank You, he gave Gross the first four panels of the cartoon where Tracy is seen wearing and using the soon-to-be infamous gadget. The device proved to be the exact answer for Dick Tracy to rescue himself from the seemingly impossible situation.

Still on my list...
UPDATE - 8/27/19
Apple reportedly kills project to turn iPhone into 'walkie talkie'

Monday, August 12, 2019

Ultrasound Talk Gives a Whole New Meaning to Defcon

Researchers have long known that commercial speakers are physically able to emit frequencies outside the range humans can hear. At the Defcon security conference in Las Vegas on Sunday, one researcher is warning that this capability has the potential to be weaponized...

Matt Wixey, cybersecurity research lead at the technology consulting firm PWC UK, says that it’s surprisingly easy to write custom malware that can induce all sorts of embedded speakers to emit inaudible frequencies at high intensity, or blast out audible sounds at high volume.

Those aural barrages can potentially harm human hearing, cause tinnitus, or even possibly have psychological effects.

And while it is still unclear whether acoustic weapons played a role in the attack on United States diplomats in Cuba, there are certainly other devices that intentionally use loud or intense acoustic emanations as a deterrent weapon... more
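The talk above is about driving an ordinary speaker outside the audible band. The defender's check is the mirror image: listen for energy where there should be none. The following is an added example, not code from Wixey's talk or from the article, and it assumes a 48 kHz microphone capture (or the OS audio loopback of the machine under test) delivered as a list of float samples; the audio frames here are constructed inline. It scores each 100 ms frame by the Goertzel-estimated power in the 17 to 23 kHz band relative to the 250 Hz to 8 kHz band and flags frames where that ratio is high, which is what a speaker being abused this way looks like to a microphone that can hear that far.

```python
import math

SAMPLE_RATE = 48_000            # assumed capture rate of the monitoring microphone, Hz
FRAME = 4_800                   # 100 ms frames -> 10 Hz bin spacing at 48 kHz
SPEECH_BAND = (250, 8_000)      # where ordinary audio content lives
HIGH_BAND = (17_000, 23_000)    # near-ultrasonic band most adults cannot hear
BIN_STEP = 250                  # Hz between probed Goertzel bins


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """|X[k]|^2 / N^2 for the DFT bin nearest target_hz (Goertzel, O(N))."""
    n = len(samples)
    k = int(0.5 + n * target_hz / sample_rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2
    return power / float(n * n)     # a pure tone of amplitude a yields a^2 / 4


def band_power(samples, band, sample_rate=SAMPLE_RATE, step=BIN_STEP):
    """Sum of bin powers across a band, probed every `step` Hz."""
    lo, hi = band
    return sum(goertzel_power(samples, f, sample_rate) for f in range(lo, hi + 1, step))


def ultrasonic_ratio(samples, sample_rate=SAMPLE_RATE):
    """Power in HIGH_BAND relative to power in SPEECH_BAND for one frame."""
    speech = band_power(samples, SPEECH_BAND, sample_rate)
    high = band_power(samples, HIGH_BAND, sample_rate)
    if speech <= 1e-12:
        return float("inf") if high > 1e-12 else 0.0
    return high / speech


def flag_frames(samples, sample_rate=SAMPLE_RATE, frame=FRAME, threshold=0.25):
    """Return (frame_index, ratio) for every frame whose high-band energy is suspicious."""
    hits = []
    for i in range(0, len(samples) - frame + 1, frame):
        ratio = ultrasonic_ratio(samples[i:i + frame], sample_rate)
        if ratio > threshold:
            hits.append((i // frame, ratio))
    return hits


def synth(tones, n=FRAME, sample_rate=SAMPLE_RATE):
    """Constructed test signal: sum of (frequency_hz, amplitude) sinusoids."""
    return [sum(a * math.sin(2.0 * math.pi * f * i / sample_rate) for f, a in tones)
            for i in range(n)]


# Constructed input: two frames of ordinary audio, then one frame in which a
# 19 kHz tone (amplitude 0.4) rides underneath the same kind of audible content.
CLEAN = synth([(1_000, 0.5), (3_000, 0.3)])
TAMPERED = synth([(1_000, 0.3), (19_000, 0.4)])
STREAM = CLEAN + CLEAN + TAMPERED

if __name__ == "__main__":
    for idx, ratio in flag_frames(STREAM):
        print(f"frame {idx}: high-band/speech power ratio {ratio:.2f}")
```

Goertzel is used instead of an FFT so the block runs on the standard library alone; it costs O(N) per probed bin, so probe only the bins you care about. Many laptop speakers roll off sharply above 18 kHz and many capture chains low-pass near 20 kHz, so a high sample rate and a microphone specified past 20 kHz are needed before the absence of a hit means anything.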

Sunday, August 11, 2019

Tesla Mod Creates a Mobile Surveillance Station - Possible Bad News for PIs on Surveillance

At the Defcon hacker conference today, security researcher Truman Kain debuted what he calls the Surveillance Detection Scout. The DIY computer fits into the middle console of a Tesla Model S or Model 3, plugs into its dashboard USB port, and turns the car's built-in cameras—the same dash and rearview cameras providing a 360-degree view used for Tesla's Autopilot and Sentry features—into a system that spots, tracks, and stores license plates and faces over time.

The tool uses open source image recognition software to automatically put an alert on the Tesla's display and the user's phone if it repeatedly sees the same license plate. When the car is parked, it can track nearby faces to see which ones repeatedly appear.

Kain says the intent is to offer a warning that someone might be preparing to steal the car, tamper with it, or break into the driver's nearby home. more
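The Scout's core logic is a repeated-sighting test: the same identifier turning up again and again, at different times and in different places, is what separates a tail from a neighbour who parks on your street. The following is an added example, not Kain's code, that implements that test over a constructed sighting log. Identifiers may be plates or any stable ID such as a hash of a face embedding; the encounter-merging gap, the minimum number of encounters and the minimum number of distinct places are assumed tunables.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sighting log in the form a recogniser might write:
# ISO timestamp, identifier (plate, or a hash of a face embedding), coarse location.
SAMPLE_LOG = """\
2019-08-11T08:02:00 ABC1234 home
2019-08-11T08:04:00 ABC1234 home
2019-08-11T08:40:00 XYZ9876 commute
2019-08-11T09:15:00 ABC1234 office
2019-08-11T17:30:00 ABC1234 grocery
2019-08-11T17:31:00 DEF5555 grocery
2019-08-11T17:45:00 DEF5555 grocery
2019-08-12T08:05:00 XYZ9876 commute
2019-08-12T08:06:00 ABC1234 home
"""


def parse_sightings(text):
    """Return (timestamp, identifier, location) tuples; skip blank or malformed lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        out.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return out


def collapse_encounters(observations, min_gap):
    """Merge sightings closer together than min_gap into a single encounter.

    Several frames of the same plate at one red light are one encounter, not three.
    """
    encounters = []
    last_ts = None
    for ts, place in sorted(observations):
        if last_ts is not None and ts - last_ts < min_gap:
            last_ts = ts
            continue
        encounters.append((ts, place))
        last_ts = ts
    return encounters


def repeated_followers(sightings, min_encounters=3, min_places=2,
                       min_gap=timedelta(minutes=15)):
    """Map identifier -> encounters for every identifier that recurs across time and place."""
    by_id = defaultdict(list)
    for ts, ident, place in sightings:
        by_id[ident].append((ts, place))
    flagged = {}
    for ident, obs in by_id.items():
        enc = collapse_encounters(obs, min_gap)
        if len(enc) >= min_encounters and len({p for _, p in enc}) >= min_places:
            flagged[ident] = enc
    return flagged


if __name__ == "__main__":
    for ident, enc in repeated_followers(parse_sightings(SAMPLE_LOG)).items():
        where = ", ".join(f"{ts:%m-%d %H:%M}@{place}" for ts, place in enc)
        print(f"ALERT {ident}: seen {len(enc)} times: {where}")
```

Merging sightings closer than min_gap stops one stop light from counting as several encounters, and requiring distinct places filters out the daily commute overlap that would otherwise flag every neighbour. The stored log is itself surveillance data about third parties; keep its retention short.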

FutureWatch: Your Voice Can Give Away What You Look Like

Spying is multifaceted. It includes everything from plain old audio eavesdropping, to spycams (thus adding the visual element), to aggregating all the telltale data about us. Once science fiction, even facial recognition is coming to airports. Is it possible to squeeze more from a spy's cornucopia of tricks?

What if you want to know what a person is thinking, or what they look like?
These two challenges are the future of spying, and they are being worked on today.

We started covering mind reading advancements in 2006. And now, how to tell what a person looks like—and even their environment... just from the sound of their voice.

Friday, August 9, 2019

Warshipping - The Next Corporate Espionage Headache

Hackers looking to gain access to your Wi-Fi network don’t necessarily have to lurk around your home or office, warns IBM X-Force Red.

Instead, writes Charles Henderson, global head of that security unit, they could simply ship you a package with a tiny, concealed device they can remotely control.

“In fact, they could ship multiple devices to their target location thanks to low build cost,” Henderson writes. “The device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed in a toy (a device no bigger than the palm of your hand) and delivered right into the hands or desk of an intended victim.”...

Scheduled TSCM inspections find electronic surveillance items like this. Dead or alive.
Such a device could even set up a rogue wireless network of its own to sniff login credentials to use on the real target network, according to the post. Devices made for the technique, which IBM has dubbed warshipping, can be built for under $100, the company says.

To avoid such attacks, Henderson’s team recommends companies set up policies to inspect and isolate packages and potentially discourage employees from getting personal shipments at work. more

How to Desensitize the World to Spying — Start Young

(For children ages 4 to 6.)

iPhone iMessage iHacked

When you think about how hackers could break into your smartphone, you probably imagine it would start with clicking a malicious link in a text, downloading a fraudulent app, or some other way you accidentally let them in.

It turns out that's not necessarily so—not even on the iPhone, where simply receiving an iMessage could be enough to get yourself hacked.

At the Black Hat security conference in Las Vegas on Wednesday, Google Project Zero researcher Natalie Silvanovich is presenting multiple so-called “interaction-less” bugs in Apple’s iOS iMessage client that could be exploited to gain control of a user’s device. And while Apple has already patched six of them, a few have yet to be patched...

The six vulnerabilities Silvanovich found—with more yet to be announced—would potentially be worth millions or even tens of millions of dollars on the exploit market. more

Our 41 Smartphone Security Tips.

The Avaya Phone Bug – Back From the Dead

Experts at McAfee Advanced Threat Research say they were just doing general studies of Avaya desk phone security when they stumbled on the reincarnated bug.

An attacker could exploit it to take over the phone’s operations, extract audio from calls, and even essentially bug the phone to spy on its surroundings.
“It was kind of a holy crap moment,” says Steve Povolny, McAfee's head of advanced threat research...

Though a fix is now available (again), the McAfee researchers note that it will take time for the patch to distribute out to all the corporate and institutional environments where vulnerable phones are lurking on every desk. more

My past posts about Avaya eavesdropping vulnerabilities. 

Update: Avaya is second only to Cisco in the enterprise VoIP market, and is used by almost all of the Fortune 100. The company's response and advisory notice can be found here.

Wednesday, August 7, 2019

Security Director Alert: Check for Unsecured Wi-Fi Printers

A group of hackers linked to Russian spy agencies are using "internet of things" devices like printers and internet-connected phones to break into corporate networks, Microsoft announced on Monday. more

We see this vulnerability at approximately a third of the corporations where we conduct inspections. It is a very common issue. Very dangerous. 

Q. "So, why does this happen so often?"

A. When initially outfitting the office the IT Department usually does a good job of turning on encryption for Wi-Fi Access Points, and the things connecting to them. 

Later, someone decides they need their own printer. It arrives. It is plugged in. Nobody thinks about turning on the encryption.

Often, the Wi-Fi feature of the printer is not even used, but it's on by default. The company network is now subject to compromise.

The only way to know if you have this issue is to look for it. Have your IT Department check periodically, or have us do it, but do it. ~Kevin
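This post and the warshipping post above come down to the same field check: walk the floor with a laptop and look at what is actually on the air. The device IBM describes sets up a rogue network of its own; an unsecured printer radio announces itself with a recognisable SSID. The following is an added example, not from IBM X-Force Red, Microsoft or this blog, that triages a scan the way a TSCM or IT sweep would. It assumes the scan was taken with `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list` (terse mode separates fields with colons and escapes the colons inside a BSSID as `\:`); the scan lines, the corporate SSID, the inventory of known access-point BSSIDs and the allow-list of intentionally open SSIDs are all constructed for the example.

```python
import re

# Constructed sample of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list` output.
# Terse nmcli separates fields with ':' and escapes colons inside a field as '\:'.
SAMPLE_SCAN = r"""
CorpNet:AA\:BB\:CC\:00\:00\:01:WPA2 802.1X:80
CorpNet:AA\:BB\:CC\:00\:00\:02:WPA2 802.1X:75
CorpNet:DE\:AD\:BE\:EF\:00\:01:WPA2:60
HP-Print-7A-Officejet:02\:11\:22\:33\:44\:55::55
DIRECT-3F-EPSON-WF:02\:66\:77\:88\:99\:AA:WPA2:40
Guest:AA\:BB\:CC\:00\:00\:03::70
"""

# Assumed inventory: the access points IT actually installed, and open SSIDs that are meant to be open.
KNOWN_CORP_BSSIDS = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}
ALLOWED_OPEN_SSIDS = {"Guest"}

# Factory SSID prefixes printers commonly broadcast (Wi-Fi Direct "DIRECT-xx-", HP setup names, vendor names).
PRINTER_SSID = re.compile(r"^(DIRECT-[0-9A-F]{2}-|HP-PRINT-|HP-SETUP|EPSON|CANON|BROTHER)", re.I)


def parse_nmcli_terse(text):
    """Parse terse nmcli lines into dicts, honouring the '\\:' escape inside fields."""
    nets = []
    for line in text.strip().splitlines():
        fields = [f.replace(r"\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) != 4:
            continue
        ssid, bssid, security, signal = fields
        nets.append({"ssid": ssid, "bssid": bssid.upper(),
                     "security": security.strip(), "signal": int(signal)})
    return nets


def triage(networks, corp_ssid, known_bssids, allowed_open=frozenset()):
    """Return (ssid, bssid, reason) findings; reason prefixes are stable for filtering."""
    findings = []
    for n in networks:
        sec = n["security"]
        is_open = sec in ("", "--")
        # Evil twin / warshipping box: our SSID from a radio IT never installed.
        if n["ssid"] == corp_ssid and n["bssid"] not in known_bssids:
            findings.append((n["ssid"], n["bssid"], "rogue-ap: corporate SSID from unknown BSSID"))
        # Anything unencrypted that is not deliberately a guest network.
        if is_open and n["ssid"] not in allowed_open:
            findings.append((n["ssid"], n["bssid"], "open-network: no encryption"))
        elif "WEP" in sec.upper():
            findings.append((n["ssid"], n["bssid"], "weak-encryption: WEP"))
        # The printer case: a radio nobody configured, on by default.
        if PRINTER_SSID.match(n["ssid"]):
            findings.append((n["ssid"], n["bssid"], "printer-ssid: confirm Wi-Fi is disabled or secured"))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reason in triage(parse_nmcli_terse(SAMPLE_SCAN), "CorpNet",
                                      KNOWN_CORP_BSSIDS, ALLOWED_OPEN_SSIDS):
        print(f"{bssid}  {ssid!r:28} {reason}")
```

A corporate SSID from a BSSID not in the inventory is the evil-twin signature a warshipping box or similar rogue AP leaves, and note that the third CorpNet entry also drops from 802.1X to a pre-shared key, which is how such a device gets clients that auto-join to hand over credentials. A printer-pattern SSID with no security, or a DIRECT- Wi-Fi Direct network nobody configured, is the case from this post; the fix is to turn the radio off in the printer's admin page or put it on WPA2 and a segregated VLAN. Scan from several points in the building, because a low-power device sitting in a package on a desk will not be seen from the IT closet.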

Business Security Trend: Proactive Information Security... Legislated by law!

via Brian G. Cesaratto, Epstein Becker Green
New York is the latest state to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information.

New York now joins California, Massachusetts and Colorado in setting these standards. New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing. 

Businesses should immediately begin the process to comply with the Act’s requirements effective March 21, 2020.

Notably, New York’s law covers all employers, individuals or organizations, regardless of size or location, which collect private information on New York State residents.

In order to achieve compliance, an organization must implement a data security program that includes:
  • reasonable physical safeguards that may include detection, prevention and response to intrusions, and protections against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal of the information.

AT&T Employees Took Bribes to Plant Malware

One AT&T employee made $428,500.

AT&T employees took bribes to unlock millions of smartphones, and to install malware and unauthorized hardware on the company's network, the Department of Justice said yesterday...

The bribery scheme lasted from at least April 2012 until September 2017...

The two recruited AT&T employees by approaching them in private via telephone or Facebook messages. Employees who agreed received lists of IMEI codes for the phones they had to unlock, in exchange for sums of money. more

Remember this survey from 2016? "One in five employees said they would sell their passwords."

The Point: Quarterly Technical Information Security Surveys mitigate this risk, and prove due diligence.

Monday, August 5, 2019

Spy Tip: How to Break Out of Automated Phone Trees

Tired of Talking to a Voice Robot?
Want to Talk with a Human?
Skip the queue.
  1. Dial 0, or try multiple zeros.
  2. You can add the # key or the * key before and after a 0.
  3. Dial multiples of other numbers: 1111, 2222, 3333, 4444, etc.
  4. Staying silent sometimes works (believe it or not, some people still have rotary phones that cannot send touch tones, so many systems fall back to an operator).
  5. Speak nonsense phrases to confuse the computer.
  6. Try saying, and repeating, "Operator" or "Customer Service".
  7. If there is a company directory, press just one letter and try to connect to whoever comes up; they may transfer you or give you an inside phone number.
  8. Once you reach a human, ask for a direct line to call next time.
More listings here.

Wallet, Keys, Bag Packed... Ooopps, Forgot the Post-it Notes

When airline seatback entertainment systems started to come bundled with little webcams, airlines were quick to disavow their usage, promising that the cameras were only installed for potential future videoconferencing or gaming apps, and not to allow the crew or airline to spy on passengers in their seats.

Enter Hong Kong's Cathay Pacific, the country's flagship airline, which has just amended its privacy policy to reveal that it is recording its passengers as they fly, as well as gathering data on how individual passengers spend time in airport terminals, and even brokered data on their use of rivals' hotel and airplane loyalty programs.

But don't worry, the company promises it will take "commercially reasonable" cybersecurity measures to keep all that data from leaking. more

Amazon Alexa's New Dump the Human Eavesdropping Switch

Alexa users who don’t want their recordings reviewed by third-party contractors finally have an option to opt-out...

Unfortunately, Amazon has never made opting-out of data collection on its devices particularly easy, and this new policy doesn’t buck that trend.

According to Bloomberg, users need to dig into their settings menu, then navigate to “Alexa Privacy,” and finally tap “Manage How Your Data Improves Alexa” to see the following text: “With this setting on, your voice recordings may be used to develop new features and manually reviewed to help improve our services. Only an extremely small fraction of voice recordings are manually reviewed.” more

A Brief History of Surveillance in America

For the last several years, Brian Hochman has been studying electronic surveillance—both the technological developments that have made eavesdropping possible and the cultural and political realities that have made it a part of American life for more than 150 years...

How far back do we have to go to find the origins of wiretapping?
It starts long before the telephone. The earliest statute prohibiting wiretapping was written in California in 1862, just after the Pacific Telegraph Company reached the West Coast, and the first person convicted was a stock broker named D.C. Williams in 1864. His scheme was ingenious: He listened in on corporate telegraph lines and sold the information he overheard to stock traders...

It’s only in the 1920s that ordinary Americans start to take notice of wiretapping and it's not really until the 1950s that it's seen as a national problem...

The House Intelligence Committee looked into illegal wiretapping in 1975 as part of its investigation of risks of U.S. intelligence operations. Michael Hershman (holding a 'plug bug') explaining surveillance and counter-surveillance technology. (AP Photo/Charles Gorry)
Historians are not in the business of prognostication, but the one thing that I can say with some certainty is that electronic surveillance and dataveillance are going to scale. They will be more global and more instantaneous. I can say with much more certainty that public attention to these issues will wax and wane. more

Millions Of Chinese-Made Cameras Can Be Hacked To Spy On Users

Despite more awareness of the risks associated with Chinese surveillance equipment, the news this week that cameras from the world's second-largest manufacturer of such devices can be used to secretly listen in to users still comes as a shock.

Put simply, the newly disclosed backdoor vulnerability means that millions of cameras have been carrying the potential to be used as eavesdropping devices—even when the audio on the camera is disabled.

"Essentially," warned Jacob Baines, the researcher who first disclosed the vulnerability with cameras used by both consumers and enterprises, "if this thing is connected directly to the internet, it’s anyone’s listening device."...

Baines initially shared this latest issue with Dahua OEM Armcrest two months ago, reporting that he could "remotely listen" to a tested camera "over HTTP without authentication." The vulnerability can be seen in action in a video shared by Baines on YouTube. more