The DNC Hack — Worse than Watergate

A foreign government has hacked a political party’s computers—and possibly an election. It has stolen documents and timed their release to explode with maximum damage. It is a strike against our civic infrastructure. And though nobody died—and there was no economic toll exacted—the Russians were aiming for a tender spot, a central node of our democracy...

What’s galling about the WikiLeaks dump is the way in which the organization has blurred the distinction between leaks and hacks. Leaks are an important tool of journalism and accountability. When an insider uncovers malfeasance, he brings information to the public in order to stop the wrongdoing. That’s not what happened here.

The better analogy for these hacks is Watergate. To help win an election, the Russians broke into the virtual headquarters of the Democratic Party. The hackers installed the cyber-version of the bugging equipment that Nixon’s goons used—sitting on the DNC computers for a year, eavesdropping on everything, collecting as many scraps as possible.

This is trespassing, it’s thievery, it’s a breathtaking transgression of privacy. more

IT Security Alert - Got Juniper Equipment? Better get the patch.

Juniper Networks patched a crypto bug tied to its public key infrastructure that could have allowed hackers to access the company’s routers, switches and security devices and eavesdrop on sensitive communications. The flaw was tied to Juniper products and platforms running Junos, the Juniper Network Operating System.

The bug (CVE-2016-1280) was reported and patched by Juniper on Wednesday, with public disclosure Friday. Juniper also posted its own information on the security vulnerability, which was found internally.

...The vulnerability allowed attackers to create specially crafted self-signed certificates that can bypass certificate validation within Juniper hardware running the Junos OS. If exploited, the vulnerability could have allowed an attacker in a man-in-the-middle position on the victim’s network to read supposedly secure communications. more

Privacy Scarf Foils Paparazzi Pics

There's a stylish way to keep paparazzi at bay — the anti-flash scarf.

The ISHU scarf, created by 28-year-old Saif Siddiqui, is made from a special fabric that reflects light.

Siddiqui, who runs the London and Amsterdam-based company, told BuzzFeed that the scarf's purpose is to provide some privacy.

"The main intention is to make people aware of how important privacy actually is," he said. "Everyone has a 'brand' online, and with the ISHU Scarf, people are back in control of their privacy." more

How a YouTube Video Could Infect Your Phone with Spyware

Researchers from Georgetown University and the University of California, Berkeley say cybercriminals could use hidden voice commands via popular YouTube videos to infect Androids and iPhones with malware.


Micah Sherr, a computer science department professor at Georgetown, says the research was inspired by the proliferation of voice-controlled systems. "Amazon Echo was coming out when we started this work," Sherr notes.

Since then, Google has launched Google Home, a similar always-listening device, and electronic devices lost in a messy bedroom can now be recovered by speaking “Okay Google” or “Hey Siri.”

The new research shows how keeping such devices on always-listen mode could lead to a cyberattack. Sherr says a cybercriminal could attempt to plant malware on the device using a hidden voice command. more

Court: Using a Shared Password is Deemed Hacking.

A federal appeals court has affirmed the computer-hacking conviction of a former executive at a recruiting firm accused of using a shared password to steal headhunting leads from the company’s internal network after he left his job to launch a rival business. more

Spy Alert #734: The Olympic Games Warning

If Zika, political instability and contaminated water weren’t enough,

U.S. intelligence officials are warning Americans traveling to the August Olympic Games in Rio and other destinations abroad that proprietary information stored on electronic devices is at high risk for theft by spies and cyber criminals who are increasingly targeting global events as troughs rich in valuable intelligence.

Bill Evanina, the nation’s chief counter-intelligence executive, is urging travelers to carry “clean’’ devices, free of potentially valuable archives that could be tapped for economic advantage, personal data or security information.

Just as the Olympics draw the world’s most talented athletes, Evanina said the games and other international events represent a "great playground’’ for government intelligence services and criminals, if only because of the “sheer number of devices.’’ more

Not the World's Smallest "Camera" but... Possibly the World's Smallest Camera Lens

Tiny 3D-printed medical camera could be deployed from inside a syringe.

Getting inside the human body to have a look around is always going to be invasive, but that doesn't mean more can't be done to make things a little more comfortable. With this goal in mind, German researchers have developed a complex lens system no bigger than a grain of salt that fits inside a syringe. The imaging tool could make for not just more productive medical imaging, but tiny cameras for everything from drones to slimmer smartphones.

Scientists from the University of Stuttgart built their three-lens camera using a new 3D printing technique. They say their new approach offers sub-micrometer accuracy that makes it possible to 3D print optical lens systems with two or more lenses for the first time. Their resulting multi-lens system opens up the possibility of correcting for aberration (where a lens cannot bring all wavelengths of color to the same focal plane), which could enable higher image quality from smaller devices. more

Mark Zuckerberg Tapes Over His Laptop Camera - You can do better!

Mark Zuckerberg is one of the most powerful men in the world...

On Tuesday, observers were reminded that Mr. Zuckerberg, 32, is not just a normal guy... his laptop camera and microphone jack appeared to be covered with tape...

The taped-over camera... usually a signal that someone is concerned... about hackers’ gaining access to his or her devices by using remote-access trojans — a process called “ratting.” (Remote access is not limited to ratters: According to a cache of National Security Agency documents leaked by Edward J. Snowden, at least two government-designed programs were devised to take over computer cameras and microphones.)

Security experts supported the taping, for a few good reasons... more
---
Murray Associates provided our clients with a more elegant solution—a year ago. 
(free)

Spybuster Tip #812 
Protect your privacy with just two disk magnets.

1. Affix one magnet to your laptop—adjacent to the camera lens.
2. Let the second magnet attach itself to the first one. It will orbit the first magnet.
3. Orbit the second magnet over the camera lens to eclipse the view.
4. Rotate it out of the way to use the camera.

Simple. Elegant. Effective.
Tape is tawdry.

You are now very cool! More cool than Zuck with his yuck tape.

Our ahead-of-the-curve mailing to our clients. Consider becoming one.

Godless Android Malware - Secretly Roots Phone, Installs Programs

Android users beware: a new type of malware has been found in legitimate-looking apps that can “root” your phone and secretly install unwanted programs.

The malware, dubbed Godless, has been found lurking on app stores including Google Play, and it targets devices running Android 5.1 (Lollipop) and earlier, which accounts for more than 90 percent of Android devices, Trend Micro said Tuesday in a blog post.

Godless hides inside an app and uses exploits to try to root the OS on your phone. This basically creates admin access to a device, allowing unauthorized apps to be installed.

Godless contains various exploits to ensure it can root a device, and it can even install spyware, Trend Micro said...

Trend recommends you buy some mobile security software. more

My solution. ~Kevin

Security Director Alert: Check the Settings on your Video Teleconferencing Equipment

Closed-door meetings by Canada's Quebec Liberal Party were exposed to trivial eavesdropping thanks to flaws in its video conferencing software.

The flaws, found and reported by a resident white hat researcher, are being fixed.

The researcher speaking on the condition of anonymity told local tabloid Le Journal de Montreal (French) he accessed the video streams using a vulnerability and the default password which was in use.

They were able to gain on-demand access to two meeting rooms in Quebec and Montreal, and supplied screen captures as evidence of the exploit.

"It was just too easy," the researcher told the paper. "It is as if they had stuck their PIN on their credit card."

Party communications director Maxime Roy says nothing relating to national security was discussed at the meetings... "We are working with our supplier." more

Need help? 
Call me.

New Old News - Official Warning - Wall Wart Eavesdropping Device

(My clients received their warning on January 14, 2015. ~Kevin)

FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards.

FURTHER READING

MEET KEYSWEEPER, THE $10 USB CHARGER THAT STEALS MS KEYBOARD STROKES

Always-on sniffer remotely uploads all input typed into Microsoft Wireless keyboards.

The FBI's Private Industry Notification is dated April 29, more than 15 months after whitehat hacker Samy Kamkar released a KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks.

To lower the chances the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to USB phone chargers that are nearly ubiquitous in homes and offices.

"If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen." more

10 Ways Law Firms Can Make Life Difficult for Hackers

1. More (and better) employee training.
2. Keep backups disconnected from the network and the Internet.
3. Install all patches and updates.
4. Update software – especially when it is no longer supported.
5. Block executable files, compressed archives and unidentified users.
6. If you use cloud storage, make sure your firm controls the encryption key.
7. Make your cybersecurity program meet the needs of potential clients.
8. Have clear, effective restrictions on remote access and mobile devices.
9. Set systems to capture log data, for forensic purposes if a breach occurs.
10. Share threat information. more

These basic tips apply to all hacker-target businesses. ~Kevin

Spying Using Phone Call Records – Study Says It's Easy

Stanford University researchers used call records to uncover heart problems, marijuana habits of volunteers. 

Phone metadata doesn’t reveal what people say, but such records of calls and text messages can help spy agencies, businesses or hackers discover private information about someone’s relationships, shopping interests and even health problems, according to a study published on Monday.

The research published in the journal Proceedings of the National Academy of Sciences showed that scans of call records help create detailed maps of not just the person being investigated, but also the lives of contacts in their phone history. Metadata is the term used for the receipt of a call or a text message included in the history of a phone, and these records are often maintained by a telecom service provider.

"Once a participant was labeled as in a relationship, we found that identifying the participant’s partner was trivial,” according to the researchers. “Our results suggest that, even without human review, a business or agency could draw sensitive inferences from a significant share of telephone records.” more

Alarming Security Defects in SS7, the Global Cellular Network—and How to Fix Them

The global network that transfers calls between mobile phone carriers has security defects that permit hackers and governments to monitor users’ locations and eavesdrop on conversations.

Courtesy ESD America

As more reports of these activities surface, carriers are scrambling to protect customers from a few specific types of attacks.

The network, called Signaling System 7, or SS7, is a digital signaling protocol that mobile phone carriers including AT&T, T-Mobile, and Sprint use to send messages to each other about who is a subscriber, where subscribers are located, and how calls should be routed to reach them.

SS7 began as a closed network shared among a few major mobile phone carriers, but grew porous as more carriers joined. Hackers and governments can now gain access by purchasing rights from a carrier (which many are willing to provide for the right price) or infiltrating computers that already have permission. more

One security firm advises:
"...we have two products that represent the world’s first comprehensive solution against
SS7 attacks: ESD Oversight Protect & ESD Oversight Detect. SS7 Network Penetration testing is
also available to carriers around the world who recognize the need to ensure their networks and their
subscribers are protected from the potential damaged these vulnerabilities expose."

Extra Credit — Ghosts in the Network: SS7 and RF Vulnerabilities in Cellular Networks — a presentation given at RSA Conference 2016

Med Students Caught Cheating with Spycams & Smart Watches

A top Thai medical college has caught students using spy cameras linked to smartwatches to cheat during exams in what some social media users have compared to a plot straight out of a Mission: Impossible movie.

Key points:

• Thai students caught using spyglasses to send images of exam questions to accomplices
• Accomplices sent answers back to students' smartwatches
• Students paid 800,000 baht ($31,000) for equipment, answers

Arthit Ourairat, the rector of Rangsit University, posted pictures of the hi-tech cheating equipment on his Facebook page, announcing that the entrance exam in question had been cancelled after the plot was discovered.

Three students used glasses with wireless cameras embedded in their frames to transmit images to a group of as yet unnamed people, who then sent the answers to the smartwatches.

Mr Arthit said the trio had paid 800,000 baht ($31,000) each to the tutor group for the equipment and the answers.

"The team did it in real-time," Mr Arthit wrote. more

DIY - Tiny FM Spy Bug for Under $20.

from the creator...
"I wanted to know how small a FM spy bug could be build when manually assembled.

This is what I came up with, it measures about 0.05 square inches and is powered by a single 1.55V silver oxide battery.

Frankly, this is just a fun object, I don`t have a practical use for it.

I`m sure professionally made spy bugs could even be smaller and work at higher frequencies which allows the antenna to be made smaller." more

The complete instructions and Gerber files (for PCB manufacturing) for this FM spy bug are available on Gumroad and Payhip:
https://gum.co/GRouL
https://payhip.com/b/YXVd

"I've got your number," The Telephone Wiretap Hack

A US Congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used.

The stalking of US Representative Ted Lieu's smartphone was carried out with his permission for a piece broadcast Sunday night by 60 Minutes. Karsten Nohl of Germany-based Security Research Labs was able to record any call made to or from the phone and to track its precise location in real-time as the California congressman traveled to various points in the southern part of the state. At one point, 60 minutes played for Lieu a crystal-clear recording Nohl made of one call that discussed data collection practices by the US National Security Agency. While SR Labs had permission to carry out the surveillance, there's nothing stopping malicious hackers from doing the same thing.

The representative said he had two reactions: "First it's really creepy," he said. "And second it makes me angry. They could hear any call. Pretty much anyone has a cell phone. It could be stock trades you want someone to execute. It could be a call with a bank." more

Proof Almost 50% of People are Computer Security Morons

In what’s perhaps the most enthralling episode of the hacker drama Mr. Robot, one of F-Society’s hackers drops a bunch of USB sticks in the parking lot of a prison in the hopes somebody will pick one up and plug it into their work computer, giving the hackers a foothold in the network. Of course, eventually, one of the prison employees takes the bait.

Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year.

As it turns out, it really works. In a new study, the researchers estimate that at least 48 percent of people will pick up a random USB stick, plug it into their computers, and open files contained in them. Moreover, practically all of the drives (98 percent) were picked up or moved from their original drop location. Very few people said they were concerned about their security. Sixty-eight percent of people said they took no precautions... more

A $40 Attack that Steals Police Drones from 2km Away

Black Hat Asia IBM security guy Nils Rodday says thieves can hijack expensive professional drones used widely across the law enforcement, emergency, and private sectors thanks to absent encryption in on-board chips.

Rodday says the €25,000 (US$28,463, £19,816, AU$37,048) quadcopters can be hijacked with less than $40 of hardware, and some basic knowledge of radio communications.

With that in hand attackers can commandeer radio links to the drones from up to two kilometres away, and block operators from reconnecting to the craft.

The drone is often used by emergency services across Europe, but the exposure could be much worse; the targeted Xbee chip is common in drones everywhere and Rodday says it is likely many more aircraft are open to compromise. more

Apple Concerned About Spy Tech Being Added to Servers

Apple's huge success with services like iTunes, the App Store, and iCloud has a dark side.

Apple hasn't been able to build the all the data centers it needs to run these enormous photo storage and internet services on its own. And it worries that some of the equipment and cloud services it buys has been compromised by vendors who have agreed to put "back door" technology for government spying... more