Showing posts with label #CyberSecurity. Show all posts

Tuesday, May 2, 2023

The First Digital Security Rule of Traveling

(We know our clients already know this, but reminders help.)

The first digital security rule of traveling is to leave your usual personal devices at home.
Go on your trip with “burner” travel devices instead.

Aside from the potential for compromise or seizure by authorities, you also run the risk of having your devices lost or stolen during your trip. It’s typically way less dangerous to just leave your usual devices behind, and to bring along devices you only use when traveling. This doesn’t need to be cost prohibitive: You can buy cheap laptops and either inexpensive new phones or refurbished versions of pricier models. (And also get privacy screens for your new phones and laptops, to reduce the information that’s visible to any onlookers.)

Your travel devices should not have anything sensitive on them. If you’re ever coerced to provide passwords or at risk of otherwise having the devices be taken away from you, you can readily hand over the credentials without compromising anything important. more

Thursday, April 6, 2023

Hackers Can Open Nexx Garage Doors Remotely...

...and there's no fix!

Multiple vulnerabilities discovered in Nexx smart devices can be exploited to control garage doors, disable home alarms, or smart plugs.

There are five security issues disclosed publicly, with severity scores ranging from medium to critical that the vendor has yet to acknowledge and fix. more

Why More Businesses Are Not Conducting Periodic TSCM Inspections

IT & Security Pros Pressured to Keep Quiet About Data Breaches

Organizations globally are under tremendous pressure to address evolving threats like ransomware, zero-day vulnerabilities, and espionage, and they face challenges in extending security coverage across multiple environments and dealing with an ongoing skills shortage, according to Bitdefender.

Alarmingly, more than 42% of the total IT/security professionals surveyed said they have been told to keep a breach confidential when they knew it should be reported and 30% said they have kept a breach confidential.

43% of IT/security professionals surveyed said extending capabilities across multiple environments (on-premises, cloud, and hybrid) is the greatest challenge they face, which tied with complexity of security solutions, also at 43%.

Not having the security skill set to drive full value came in as a strong second at 36%. more

This is an old phenomenon. We call it The Ostrich Effect.

Thursday, March 30, 2023

Prosecutors: Veteran Deputy was Listening in on Jury Deliberations

NY - An Ontario County Sheriff’s Office veteran, Adam Broadwell, pleaded not guilty on Monday to felony charges of eavesdropping, possession of an eavesdropping device, and official misconduct. 

Broadwell is accused of listening in on a jury deliberation by using a device specifically designed for eavesdropping.

According to Assistant District Attorney Kelly Wolford, the jury was deliberating a felony case when Broadwell listened in on the conversation. The eavesdropping charges brought against Broadwell relate to his use of a device to enhance the sound of people talking in his area. 

However, Broadwell’s defense attorney, Clark Zimmermann, argued that the device used was a Bluetooth earbud set linked to an Android phone, which does not match the definition of an eavesdropping device. more

Our previous reports on Bluetooth earbud eavesdropping.

Inaudible Ultrasound Attack Can Control Phones and Smart Speakers

American university researchers have developed a novel attack called "Near-Ultrasound Inaudible Trojan" (NUIT) that can launch silent attacks against devices powered by voice assistants, like smartphones, smart speakers, and other IoTs.

The team demonstrated NUIT attacks against modern voice assistants found inside millions of devices, including Apple's Siri, Google's Assistant, Microsoft's Cortana, and Amazon's Alexa, showing the ability to send malicious commands to those devices.

The main principle that makes NUIT effective and dangerous is that microphones in smart devices can respond to near-ultrasound waves that the human ear cannot, thus performing the attack with minimal risk of exposure while still using conventional speaker technology. more

Saturday, March 25, 2023

Journalist Plugs in Unknown USB Drive Mailed to Him

...it exploded in his face

Although these are just a few examples, they should be enough to preclude one from inserting a mysterious, unsolicited USB drive mailed to them into a computer. Unfortunately, one Ecuadorian journalist didn't get the memos. more

In case you missed our memo...

USB Memory Security Recommendations

  • Block ports with a mechanical port block lock.
  • Place security tape over that.
  • Create a “no USB sticks unless pre-approved” rule.
  • Warn employees that a gift USB stick could be a Trojan Horse gift.
  • Warn employees that one easy espionage tactic involves leaving a few USB sticks scattered in the company parking lot. The opposition knows that someone will pick one up and plug it in. The infection begins the second they plug it in.
  • Don’t let visitors stick you. Extend the “no USB sticks unless pre-approved” rule to them as well. Their sticks may be infected.

Trending… IBM Takes The USB Memory Security Lead

“IBM has allegedly issued a worldwide ban against the use of removable drives, including Flash, USB, and SD cards, to transfer data.

This new policy is being instituted to prevent confidential and sensitive information from being leaked due to misplaced or unsecured storage devices.

According to a report by The Register, IBM’s global chief information security officer Shamla Naidoo issued an advisory stating that the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).” This advisory further stated that this policy is already in effect for some departments, but will be further enforced throughout the entire company.” more

Wednesday, March 15, 2023

From Phone Bugging to Kidnapping...

 ...these are the biggest security concerns of the super-rich...

Armed burglaries, kidnapping, offshore bank account hacking - when it comes to security risks of the super-rich, nothing is off the cards.

‘UHNWs often have unique security concerns due to their wealth and high profile’, says David Webb, Managing Director at Valkyrie, a specialist security consultancy firm. ‘These issues are not just specific to them but can also involve their families and close friends...

In addition to the investigation we conducted a TSCM sweep (Technical Surveillance Counter Measures aka bug search), cyber review and device compromise check, as it was believed the blackmailer had access to the client’s systems and possibly had planted eavesdropping devices in his house and office – which ultimately proved true.’ more

KamiKakaBot: Corporate Espionage & Eavesdropping Tool

Suspected government-backed hackers are attacking...with malware called KamiKakaBot that is designed to steal sensitive information.
Researchers from Amsterdam-based cybersecurity firm EclecticIQ attributed the attacks to the advanced persistent threat (APT) group Dark Pink...

Dark Pink's main goals were to conduct corporate espionage, steal documents, capture sound from microphones of infected devices, and exfiltrate messaging data, according to research by cybersecurity firm Group-IB. more

Tuesday, December 6, 2022

Sophos 2023 Threat Report

The Sophos 2023 Threat Report uncovers the latest cyberthreat trends and provides the insights you need to defend against evolving attacks.

Based on the research and real-world experiences of Sophos X-Ops – a new cross-operational unit that links Sophos' threat, incident response and AI cybersecurity experts, the report covers:
  • The lasting cyber impact of the war in Ukraine
  • The maturity of the “as-a-service” industry and how it has put advanced threat tactics into the hands of nearly any criminal
  • How ransomware operators have evolved their activities and mechanisms, both to evade detection and to incorporate novel techniques
  • A deep dive into the abuse of legitimate security tools by criminals to execute attacks
  • An analysis of the threats facing Linux, Mac, and mobile systems

Tuesday, August 23, 2022

Pegasus Spyware Maker NSO Avoiding a TKO

Will spyware maker NSO Group's struggles reduce use of its eavesdropping tech? Critics doubt it.

Embattled Israeli spyware vendor NSO Group announced a major reorganization Sunday — replacing its longtime CEO and laying off roughly 100 of its 700 employees — but experts who track the growing trade in surveillance technology say that’s unlikely to curtail deployment of the company’s technology designed to secretly monitor its targets...

More broadly, however, NSO may serve as a cautionary tale for the myriad other spyware vendors around the world hawking their wares. “Spyware tech is a risky investment,” Scott-Railton said. “Investors don’t usually line up to get wiped out.” more

In Other Corporate Spy News...

Enterprise giant Oracle is facing a fresh privacy class action claim in the U.S.


The suit, which was filed Friday as a 66-page complaint in the Northern District of California, alleges the tech giant's "worldwide surveillance machine" has amassed detailed dossiers on some five billion people, accusing the company and its adtech and advertising subsidiaries of violating the privacy of the majority of the people on Earth. more

A Warning Worth Repeating — iPhone's Spying Feature

iPhone’s ‘spying’ feature lets you eavesdrop on conversations without people knowing...

The Apple iPhone is packed full of secret tools and tricks. But one feature is possibly the sneakiest of them all.

The iPhone's 'Live Listen' feature was originally intended to help people with hearing difficulties better manage conversations in noisy environments.

It lets you listen to a live audio feed through your AirPod earphones using the iPhone's microphone from a distance.

However, if used correctly, it means you could listen in on any conversation from outside a room without anybody else knowing. All you'd have to do is hide your iPhone somewhere in the room. more

Tuesday, August 2, 2022

FutureWatch: Preventing Microphones from Capturing a Target Speaker’s Voice

Over the decades, there have been many attempts at preventing electronic eavesdropping. The most popular methods employ "white noise" sound masking and ultrasonic jamming. These techniques are aimed at nullifying microphones. While these techniques have their pros and cons, they all share one trait. They target all sounds to all microphones in the area. Not helpful if only one person desires privacy while allowing others to continue communicating using their smartphones, Internet-of-Things devices, or hearing aids.

The Department of Computer Science and Engineering, Michigan State University is working on a solution...

We propose NEC (Neural Enhanced Cancellation), a defense mechanism, which prevents unauthorized microphones from capturing a target speaker’s voice. Compared with the existing scrambling-based audio cancellation approaches, NEC can selectively remove a target speaker’s voice from a mixed speech without causing interference to others. ...The results show that NEC effectively mutes the target speaker at a microphone without interfering with other users’ normal conversations. more

Thursday, June 2, 2022

Researchers Develop Anti-Eavesdropping Algorithm for Smartphone Mics

At Columbia University, a team of researchers has successfully created a program that can block out audio spying through microphones found in smartphones and connected audio devices that require voice use.


This algorithm works by using predictive voice technology: that is, it can recognize human speech and instinctively generate audible background noise like muffling or whispers in order to camouflage the user’s words.

The technology works in real-time as the algorithm is able to create the obstruction while a person is speaking to a voice-controlled device or conversing with a friend.

But why create such an algorithm in the first place?

The problem stems from advertiser eavesdropping. While this is an issue that has not been proved or disproved, there is plenty of anecdotal evidence that backs it up. more

Thursday, May 26, 2022

New Countermeasure Against Unwanted Wireless Surveillance

Smart devices are supposed to make our everyday lives easier. At the same time, however, they are a gateway for passive eavesdropping. 

To prevent possible surveillance of the movement profile within one’s home, researchers from the Max Planck Institute for Security and Privacy, the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum and the Cologne University of Applied Sciences have developed a novel system for protecting privacy in wireless communication.

Almost all Internet-of-Things devices, such as voice assistants, locks and cameras, rely on wireless connections based on high-frequency radio signals... passive eavesdroppers can still exploit sensitive information from intercepted radio frequency signals... Attackers can perceive such effects from a distance and, by applying simple statistical methods, conclude, for example, that a person is currently moving in the monitored room... this method known as “adversarial wireless sensing”...

With their approach, the researchers are the first in the world to propose IRS as a practical countermeasure against passive wireless eavesdropping attacks. more

Researchers Developing Anti-Eavesdropping Quantum Network

While quantum computers offer many novel possibilities, they also pose a threat to internet security since these supercomputers make common encryption methods vulnerable. Based on the so-called quantum key distribution, researchers at TU Darmstadt have developed a new, tap-proof communication network.

The new system is used to exchange symmetric keys between parties in order to encrypt messages so that they cannot be read by third parties. In cooperation with Deutsche Telekom, the researchers led by physics professor Thomas Walther succeeded in operating a quantum network that is scalable in terms of the number of users and at the same time robust without the need for trusted nodes. 

In the future, such systems could protect critical infrastructure from the growing danger of cyberattacks. In addition, tap-proof connections could be installed between different government sites in larger cities. more

Saturday, May 7, 2022

KeyTap3 Exploit Knows What You Type: Keyboard Eavesdropping

A new KeyTap3 exploit might explain how some websites are able to track and offer recommendations for an item you just searched for.
 

Programmer Georgi Gerganov doesn’t use any Bluetooth, WiFi, or RF-based methods to eavesdrop on your keyboards, but rather a normal microphone. That’s right, it essentially captures audio of you typing before using that information to generate a cluster map of clicks with similar sounds.

It then analyzes those clusters and utilizes statistical information about the frequency of the letter n-grams in the supposed language of the text. 

The algorithm realizes that some of these letter combinations are used more frequently in certain languages, like English, and then begins guessing. 

Try it out here if you have a clicky mechanical keyboard. This exploit would most likely not fare well against Samsung’s SelfieType, an AI-powered keyboard. more

Sunday, April 24, 2022

New Algorithm to Shield Conversations from Eavesdropping AI

The thought that our gadgets are spying on us isn't a pleasant one, which is why a group of Columbia University researchers have created what they call "neural voice camouflage." 

This technology won't necessarily stop a human listener from understanding someone if they're snooping (you can give recordings a listen and view the source code at the link above). Rather, this is a system designed to stop devices equipped with microphones from transmitting automatically transcribed recordings. It's quiet – just above a whisper – but can generate sound specifically modeled to obscure speech in real time so that conversations can't be transcribed by software and acted upon or the text sent back to some remote server for processing...

According to Vondrick, the algorithm his team developed can stop a microphone-equipped AI model from interpreting speech 80 percent of the time, all without having to hear a whole recording, or knowing anything about the gadget doing the listening. more

Wednesday, April 13, 2022

Videoconferencing Apps May Listen Even When Mic is Off

Kassem Fawaz's brother was on a videoconference with the microphone muted when he noticed that the microphone light was still on—indicating, inexplicably, that his microphone was being accessed...

Fawaz and graduate student Yucheng Yang investigated whether this "mic-off-light-on" phenomenon was more widespread. They tried out many different videoconferencing applications on major operating systems, including iOS, Android, Windows and Mac, checking to see if the apps still accessed the microphone when it was muted.

"It turns out, in the vast majority of cases, when you mute yourself, these apps do not give up access to the microphone," says Fawaz. "And that's a problem. When you're muted, people don't expect these apps to collect data."...

Turning off a microphone is possible in most device operating systems, but it usually means navigating through several menus. Instead, the team suggests the solution might lie in developing easily accessible software "switches" or even hardware switches that allow users to manually enable and disable their microphones. more

Saturday, March 12, 2022

Some Thoughts on Mobile Spyware

It really is a great time to be a mobile threat. As mobile devices become ever more critical in our daily lives, hackers are seizing on a vulnerable blindspot in the enterprise attack surface...

Mobile threats often emanate from app stores, where many types of mobile malware hide as legitimate apps...

Spyware Detection Tips
As Sun Tzu once said, “There is no place where espionage is not possible.” Spyware exemplifies that statement perfectly. Spyware turns a personal mobile device into a corporate espionage bug just by entering an office, nestled in someone’s pocket...

To secure this largely-unrecognized vector, enterprises can look to mobile threat defense. When incorporated as part of a zero trust approach, MTD technology can examine the security of individual mobile devices, alerting the enterprise to threats and blocking access. It can ensure the device hasn’t been infected, jailbroken or compromised and act to protect corporate data if a threat arises. more

How Apple's FaceTime Glitch Allowed Eavesdropping

It's the bug taking a bite out of Apple. A flaw in the FaceTime app allowed eavesdropping. Here's how the glitch worked:

Users swiped up while calling someone then tapped add person. By adding their own number, it created a group FaceTime call and then...

"Just like magic that other phone number picked up automatically and you're able at that point to hear everything that's acquirable from an audio perspective from that phone without the other person picking up,” said Jonathan S. Weissman, Senior Lecturer in the Department of Computing Security at RIT.

Weissman says the glitch went even further... more