Showing posts with label Hack.

Tuesday, February 21, 2017

Business Espionage: Operation BugDrop - Major Eavesdropping Operation Using PC Microphones to Bug Targets

Researchers have uncovered an advanced malware-based operation that siphoned more than 600 gigabytes from about 70 targets in a broad range of industries, including critical infrastructure, news media, and scientific research.

The operation uses malware to capture audio recordings of conversations, screen shots, documents, and passwords, according to a blog post published last week by security firm CyberX.

Targets are initially infected using malicious Microsoft Word documents sent in phishing e-mails. Once compromised, infected machines upload the pilfered audio and data to Dropbox, where it's retrieved by the attackers. The researchers have dubbed the campaign Operation BugDrop because of its use of PC microphones to bug targets and send the audio and other data to Dropbox.

"Operation BugDrop is a well-organized operation that employs sophisticated malware and appears to be backed by an organization with substantial resources," the CyberX researchers wrote. more (Heads up. This hasn't hit hard in the Western Hemisphere yet, but be prepared.) 

Spybusters Tip #832: First line of defense... Disable macros in your Word software. Don't turn them back on if prompted to do so by something arriving in your email. ~Kevin

Monday, February 20, 2017

Revenge of the IT Guy (Case #254)

A sacked system administrator has been jailed...

after hacking the control systems of his ex-employer – and causing over a million dollars in damage. 

Brian Johnson, 44, of Baton Rouge, Louisiana, US, had worked at paper maker Georgia-Pacific for years, but on Valentine's Day 2014 he was let go.

He didn't take that lying down, and spent the next two weeks rifling through the firm's systems and wreaking havoc from his home. 

Johnson was still able to connect into Georgia-Pacific servers via VPN even after his employment was terminated.

Once back inside the corporate network, he installed his own software, and monkeyed around with the industrial control systems.

Artist's conception.
His target was the firm's Port Hudson, Louisiana, factory, which produces paper towels and tissues 24 hours a day. In a two-week campaign, he caused an estimated $1.1m in lost or spoiled production. more

Mr. Johnson's emotions imagined as music inside his head.

Thursday, February 16, 2017

Ticketmaster Allegedly Hacked Start-up to Steal Trade Secrets

A startup ticketing company alleged in a legal filing that Live Nation Entertainment Inc., the country’s biggest concert promoter, hacked into its computer systems and stole trade secrets.

The allegations, included in an amended antitrust lawsuit that was originally filed by Brooklyn-based Songkick in 2015, are based on information that the company said came to light in the discovery process.

Filed in U.S. District Court in Los Angeles Wednesday, the complaint alleges that Live Nation’s Ticketmaster unit obtained unauthorized access to Songkick’s computers with the help of an executive who has worked at both companies. more

Spybuster Tip #512 — Change all passwords whenever an employee is terminated or quits. ~Kevin

Monday, February 6, 2017

Security Director Alert - Check the Security of Your Networked Printers

Following recent research that showed many printer models are vulnerable to attacks, a hacker decided to prove the point and forced thousands of publicly exposed printers to spew out rogue messages.

Stackoverflowin claims to be a high-school student from the U.K. who is interested in security research...

The issue of publicly exposed printers is not new and has been exploited before to print rogue and sometimes offensive messages. However, the issue was renewed last week when researchers from Ruhr-University Bochum in Germany published a paper on different attacks against network printers and an assessment of 20 printer models. The researchers also released a Printer Exploitation Toolkit and published a printer hacking wiki.

Users should make sure that their printers can't be accessed through a public Internet Protocol address at all, Stackoverflowin said. However, if they need to do this, they should enforce access rules in their routers and only whitelist certain IP addresses, or set up a virtual private network, he said. more

I occasionally find networked printers are a back door to company networks. The most common issue is unsecured WiFi access. Have your IT department review this post and then double-check the security of the printers. Or, contact me for a complete technical information security inspection (TSCM). ~Kevin

Thursday, February 2, 2017

The Obama Cybersecurity Report Card

by Taylor Armerding
President Obama is only a couple of weeks out of office, but his legacy on cybersecurity is already getting reviews – mixed reviews.

According to a number of experts, Obama said a lot of good things, did a lot of good things and devoted considerable energy to making cybersecurity a priority, but ultimately didn't accomplish the goal of making either government or the private sector more secure...

As Kevin Murray, director of Murray Associates, a counterespionage consultancy, put it, “government can make as many policies as it wants, but if it doesn’t solve the problem, what good is it?”

Or, as Paul Rosenzweig, founder of Red Branch Consulting, former Department of Homeland Security (DHS) official under President George W. Bush and frequent contributor to the Lawfare blog, put it, “they had the tools, they just chose not to use them when the chips were down. I don’t know why.”...

Finally, Murray said government needs to focus not just on those who hack or steal data, but also on those who let it happen. He said government won’t get better results until it demands accountability. In virtually every case of a failure, including the OPM breach, those in charge are allowed to resign, which means they keep their pension and all other government benefits.

“There’s a lot of hand wringing, but not enough action,” Murray said. “You have to make the people in charge of holding this information accountable. Somebody should get paid a lot of money, but then told, ‘You are going to be held responsible if it leaks out on your watch.’

“You start doing that, and people will start taking it (information security) seriously,” he said.  more

Saturday, January 7, 2017

Odd-Ball - Anti Facial Recognition to Debut at Sundance Film Festival

HyperFace is a new kind of camouflage that aims to reduce the confidence score of facial detection and recognition by providing false faces that distract computer vision algorithms...

HyperFace will launch as a textile print at Sundance Film Festival on January 16, 2017.

HyperFace works by providing maximally activated false faces based on ideal algorithmic representations of a human face. These maximal activations are targeted for specific algorithms. The prototype is specific to OpenCV’s default frontalface profile. Other patterns target convolutional neural networks and HoG/SVM detectors... HyperFace reduces the confidence score of the true face (figure) by redirecting more attention to the nearby false face regions (ground).

Conceptually, HyperFace recognizes that completely concealing a face to facial detection algorithms remains a technical and aesthetic challenge. Instead of seeking computer vision anonymity through minimizing the confidence score of a true face, HyperFace offers a higher confidence score for a nearby false face by exploiting a common algorithmic preference for the highest confidence facial region.

In other words, if a computer vision algorithm is expecting a face, give it what it wants. more


Monday, November 28, 2016

Spybuster Tip #715: How to Prevent Hacker Wi-Fi Attacks

If your Wi-Fi name (SSID) is on this list, you're at risk. 
If you ever used a Wi-Fi whose name (SSID) is on this list, you're at risk.

The list consists of approximately the 5000 most common SSIDs.

If a hacker uses this list to broadcast SSIDs, your laptop or phone may automatically connect to one of them. At that point, the hacker sees everything you do: user names, passwords, etc.

In a nutshell, program your device so that it does not automatically connect to a Wi-Fi SSID to which it has previously connected. Purge your previous connections list just to be sure.
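One way to audit a Linux machine's saved Wi-Fi profiles for this risk, as an added example that is not part of the original post: it parses NetworkManager keyfile profiles and reports those that would auto-join a commonly used SSID. The SSID set and the sample profiles are constructed stand-ins, and the open-network flag is an extra check beyond the tip.

```python
import configparser

# Constructed stand-in for the ~5000-entry common-SSID list mentioned above.
COMMON_SSIDS = {"linksys", "NETGEAR", "default", "attwifi", "xfinitywifi"}

# Constructed profiles in NetworkManager keyfile format (the format stored
# under /etc/NetworkManager/system-connections/), embedded to run offline.
SAMPLE_PROFILES = {
    "attwifi.nmconnection":
        "[connection]\nid=attwifi\ntype=wifi\n\n[wifi]\nssid=attwifi\n",
    "home.nmconnection":
        "[connection]\nid=home\ntype=wifi\n\n[wifi]\nssid=HomeNet-7f3a\n\n"
        "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "netgear.nmconnection":
        "[connection]\nid=netgear\ntype=wifi\nautoconnect=true\n\n"
        "[wifi]\nssid=NETGEAR\n\n[wifi-security]\nkey-mgmt=wpa-psk\n",
    "office-linksys.nmconnection":
        "[connection]\nid=office\ntype=wifi\nautoconnect=false\n\n"
        "[wifi]\nssid=linksys\n\n[wifi-security]\nkey-mgmt=wpa-psk\n",
    "wired.nmconnection":
        "[connection]\nid=wired\ntype=ethernet\n",
}


def parse_profile(text):
    """Return ssid/autoconnect/open for a Wi-Fi keyfile, or None otherwise."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return None
    # Older keyfiles use the long section names.
    wifi = "wifi" if cp.has_section("wifi") else "802-11-wireless"
    has_security = (cp.has_section("wifi-security")
                    or cp.has_section("802-11-wireless-security"))
    return {
        "ssid": cp.get(wifi, "ssid", fallback=""),
        # NetworkManager auto-connects unless the profile says otherwise.
        "autoconnect": cp.getboolean("connection", "autoconnect", fallback=True),
        "open": not has_security,
    }


def audit(profiles, common=COMMON_SSIDS):
    """List (file, ssid, reasons) for profiles that would auto-join a risky SSID."""
    findings = []
    for name, text in sorted(profiles.items()):
        p = parse_profile(text)
        if p is None or not p["autoconnect"]:
            continue  # not Wi-Fi, or already set to manual connection only
        reasons = []
        if p["ssid"] in common:  # SSIDs are case-sensitive
            reasons.append("common SSID")
        if p["open"]:
            reasons.append("open network")
        if reasons:
            findings.append((name, p["ssid"], reasons))
    return findings


if __name__ == "__main__":
    for name, ssid, reasons in audit(SAMPLE_PROFILES):
        print(f"{name}: SSID {ssid!r} auto-connects ({', '.join(reasons)})")
```

A flagged profile can be set to manual with `nmcli connection modify <id> connection.autoconnect no` or purged with `nmcli connection delete <id>`.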

Sunday, November 27, 2016

Turn Any Computer Into an Eavesdropping Device

Researchers at Israel’s Ben-Gurion University of the Negev have devised a way to turn any computer into an eavesdropping device by surreptitiously getting connected headphones or earphones to function like microphones.

In a paper titled "SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit," the researchers this week described malware they have developed for re-configuring a headphone jack from a line-out configuration to a line-in jack, thereby enabling connected headphones to work as microphones.

The exploit works with most off-the-shelf headphones and even when the computer doesn’t have a connected microphone or has a microphone that has been disabled, according to the researchers. more

Spoiler Alert: It ain't easy to do, or likely to happen to you. ~Kevin

Friday, September 30, 2016

Hackers Infect Army of Cameras, DVRs for Massive Internet Attacks

Attackers used an army of hijacked security cameras and video recorders to launch several massive internet attacks last week, prompting fresh concern about the vulnerability of millions of “smart” devices in homes and businesses connected to the internet.
The assaults raised eyebrows among security experts both for their size and for the machines that made them happen. The attackers used as many as one million Chinese-made security cameras, digital video recorders and other infected devices to generate webpage requests and data that knocked their targets offline, security experts said. It is unclear whether the attackers had access to video feeds from the devices.

more

"The Cone of Silence" ...as invented at MIT

Once heralded as an ingenious design strategy for saving money and fostering collaboration, the open-plan office has fallen from grace. 
It's increasingly viewed by employees as a stressful, noisy nuisance, but with real estate prices soaring, it's not an easy trend for many companies to reverse. That's why some of the best solutions have been small-scale interventions that reconfigure existing open-plan spaces to fit employees' needs in the moment.
But ask Skylar Tibbits to design a reconfigurable space for your open office and you're going to get a whole different animal. That's what happened after Drew Wenzel, a civil and environmental engineer who is part of the campus development team at Google, met Tibbits and started collaborating with him earlier this year...

The original Cone of Silence.
The lab's latest project brings its wild material experimentation to the everyday office: a wooden pod that lowers down from the ceiling and expands into a temporary work space. Born out of a conversation Tibbits had with Wenzel and others at Google, the transformable workspace offers a real-world application of the lab's future-focused work. more
Could also be used to secure open-area desks and cubicles from after-hours snoops. ~Kevin

Monday, September 19, 2016

Spy Chip Implants - Common Complaint - Best handled with an X-ray

United Kingdom-based NRI (A Non-Resident Indian is a citizen of India who holds an Indian passport and has temporarily emigrated to another country for six months or more...) who claims ‘spying chips’ were installed in his body would be examined at Jalandhar’s Army hospital after the Ministry of Home Affairs forwarded his plea requesting their removal to the Punjab government.

Harinder Pal Singh, who returned from the UK three years ago, claimed British police had installed chips in his body for spying...

Narrating his bizarre-sounding story... “I went to UK in 1987 at the age of 15 with my grandmom. One day, I was sleeping in my room and some plainclothes policemen made me unconscious and got instruments installed in my body.”

“In 1996, my nearly four-year-old daughter died in an accident, which was changed into murder. I was convicted for it and sentenced to 15 years. After completing my jail term on February 13, 2013, I was deported,’’ he claimed. more

Wednesday, September 14, 2016

Hey Kids - Learn How to Operate a Stingray IMSI-Catcher!

Using mass surveillance software without a warrant is almost as easy as installing Skype, according to leaked footage and instruction manuals for Harris Corp. stingray devices.

The footage, obtained by the Intercept, shows Harris Corp.'s Gemini software being used on a personal computer demonstrating how accessible the program is with a noticeable lack of any registration keys, proof of ownership, or safety measures to ensure the software was only used for authorized purposes.

The manuals include instructions for several Harris surveillance boxes, including the Hailstorm, ArrowHead, AmberJack, KingFish and other products in the RayFish Product Family.

Some features mentioned in the manuals are the ability to impersonate four cellular communication towers at once, monitor up to four cellular provider networks at once, and the ability to knock a target's devices down to an inferior network, such as from LTE to 2G.

The manual also details how to set up a target or “subscriber” and how to set up bulk surveillance, according to a Gemini device “Quick Start Guide” that was leaked on DocumentCloud. more

Wednesday, August 24, 2016

CNN Report: How is the US / China Cyber Theft Agreement Working Out?

About a year ago, China and the United States formally agreed not to conduct or knowingly support the cyber theft of each other's intellectual property.

So, how is that agreement working out?

Not great, said Adm. Mike Rogers, head of US Cyber Command.

"Cyber operations from China are still targeting and exploiting US government, defense industry, academic and private computer networks," Rogers said last April during testimony before a US Senate committee.

Cyber theft of US trade secrets can easily ruin American businesses and result in higher prices for consumers. Even more worrisome, stolen American military secrets could put US servicemen and women at risk during combat. more with video

See the dramatic story of how the United States caught and convicted an American who was spying for China. Watch CNN's "Declassified," Sunday at 10 p.m. ET/PT.

Monday, August 22, 2016

Banksy Spy Art Destroyed


This famous Banksy artwork showing "snooping" in Cheltenham has been removed. 

Spy Booth depicts three 1950s-style agents, wearing brown trench coats and trilby hats, using devices to tap into conversations at a telephone box.

On April 13, 2014 the mural first appeared on the house in Fairview Road, Cheltenham.

The graffiti street art - which highlights the issue of Government surveillance - is located on the Grade II listed building near GCHQ, where the UK's surveillance network is based.

Spy Booth was granted listed status by Cheltenham Borough Council but the house itself has been put up for sale in January this year.

A social media post yesterday appeared to show the mural being cut down behind a tarpaulin. more

Friday, August 12, 2016

Mom Alerted - Daughters' Bedroom Nanny Cam Streaming on Internet

A mother from Texas was horrified to learn that the cameras she used to keep watch on her 8-year-old girls had been hacked and were being live streamed on the internet.

She made the appalling discovery after she found a screenshot posted by another woman on a Facebook group for Houston Mothers, who was trying to alert mothers after stumbling across a free app ‘Live Camera Viewer.’ ...

According to security experts, her private cameras had been hacked by accessing the household’s IP address through her daughter’s iPad whilst she was playing a video game, and was consequently live streamed to an online feed.

The feed, which is sorted according to the number of ‘likes’ that users give, had been available since July, and had 571 ‘likes,’ meaning at least that many people had been watching it over the course of the stream.  more

Monday, August 8, 2016

Here's What Eavesdroppers See When You Use Unsecured Wi-Fi Hotspots

You’ve probably read at least one story with warnings about using unsecure public Wi-Fi hotspots, so you know that eavesdroppers can capture information traveling over those networks. But nothing gets the point across as effectively as seeing the snooping in action. So I parked myself at my local coffee shop the other day to soak up the airwaves and see what I could see.

My intent wasn't to hack anyone's computer or device—that's illegal—but just to listen. It’s similar to listening in on someone’s CB or walkie-talkie radio conversation. Like CBs and walkie-talkies, Wi-Fi networks operate on public airwaves that anyone nearby can tune into.

As you'll see, it’s relatively easy to capture sensitive communication at the vast majority of public hotspots—locations like cafes, restaurants, airports, hotels, and other public places. You can snag emails, passwords, and unencrypted instant messages, and you can hijack unsecured logins to popular websites. Fortunately, ways exist to protect your online activity while you’re out-and-about with your laptop, tablet, and other Wi-Fi gadgets. I'll touch on those, too. more

PS - The author, Eric Geier, also provides a very good "How to use Wi-Fi hotspots securely" checklist. ~Kevin


Friday, August 5, 2016

Does dropping malicious USB sticks really work?

Of course it does.
Common sense.  
I warned about this years ago. 
Now, we have empirical evidence!



Research presented this week at BlackHat by Elie Bursztein of Google’s anti-abuse research team shows that the danger is alarmingly real:
  • …we dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives. And Oh boy how effective that was! Of the drives we dropped, 98% were picked up and for 45% of the drives, someone not only plugged in the drive but also clicked on files.
It seems folks just can’t resist picking up a USB stick that they see lying around – Bursztein says that it only took six minutes for the first device that he “lost” to be picked up. One would like to imagine that people are less likely to plug in a USB drive if it is clearly labelled with the owner’s contact details, and that appears to be borne out by the statistics.
On each type of drive, files consistent with the USB stick’s appearance were added. So, “private” files were added to USB sticks that were unlabelled or were attached to keys or a return label, “business” files to sticks marked confidential, etc.

However, in reality each of the files was actually an HTML file containing an embedded image hosted on the researcher’s server. In this way they were able to track when files were accessed. more

Smartphone Security Alert - "Juice Jacking" or... Getting your phone's brain drained at the airport

“Juice-jacking” as the new travel scam is called, targets desperate travelers in need of a charge. Daniel Smith, a security researcher at Radware explains how this works.

“Attackers can use fake charging stations to trick unsuspecting users into plugging in their device. Once the device is plugged in the user’s data and photos could be downloaded or malware can be written onto the device.”

Hackers can download anything that is on your phone since the charging port is doubling as a data port. We’re talking passwords, emails, photos, messages, and even banking and other personal information via apps.

How to Prevent Juice-Jacking 
“Don’t use public charging stations. more

Solutions...
  • This is a tiny and lightweight external battery that is easy to travel with: Amazon.com
  • Plug into your laptop to charge your phone if you’re traveling with one and don’t have an external charger. 
  • If you absolutely need to use public charging stations you can block the data transfer using SyncStop ($19.99).

Thursday, July 28, 2016

Stormy Weather, or Subterranean Homesick Blues at the National Weather Service

If it’s on Facebook, can it be secret?

Members of the National Weather Service Employees Organization (NWSEO) thought they had a secret Facebook page that was available only to them.

But not only did National Weather Service (NWS) management officials know about the page, they accessed it and made scornful comments about the postings, according to the union.

That amounts to “illegal surveillance” of union activities, according to the labor organization’s complaint filed Wednesday with the Federal Labor Relations Authority.

In the past six months, Weather Service officials “engaged in the surveillance of internal union communications about and discussions of protected activities” on the labor organization’s “ ‘secret’ (that is, ‘members only’) Facebook page,” according to the complaint. more sing-a-long

Wednesday, July 27, 2016

Brand-Name Wireless Keyboards Open to Silent Eavesdropping

Wireless keyboards from popular hardware vendors are wide open to silent interception at long distances, researchers have found, without users being aware that attackers can see everything they type.

Bastille Research said the keyboards transmit keystrokes across unencrypted radio signals in the 2.4 GHz band, unlike high-end and Bluetooth protocol keyboards, which transmit data in an encrypted format, making it more difficult for attackers to intercept the scrambled keystrokes.

It means attackers armed with cheap eavesdropping devices can silently intercept what users type at distances of 50 to 100 metres away.

Such interception could reveal users' passwords, credit card numbers, security question replies and other personally sensitive information, Bastille said. Users would have no indication that the traffic between the keyboard and the host computer was intercepted.

Furthermore, attackers could inject keystrokes of their own into the signals, and type directly onto users' computers. Again, the attack would be unnoticeable to users in most cases.

Bastille tested eight keyboards from well-known vendors... more

Longtime Security Scrapbook readers may remember my warnings about this beginning in 2007...
https://spybusters.blogspot.com/2007/12/wireless-keyboard-interception.html  
https://spybusters.blogspot.com/2007/12/program-discovers-at-risk-wireless.html
https://spybusters.blogspot.com/2009/01/old-news-still-scary-bugged-keyboards.html