Showing posts with label data. Show all posts

Thursday, June 20, 2013

They Know Who You Are... and it ain't the NSA!

Many Internet advertisers rely on cookies, digital code stored on your browser. Some websites place multiple cookies when you visit, allowing them to track some of your activity over time (you can see who is tracking you by installing an application such as Ghostery or Abine’s “DoNotTrackMe”).

The problem for marketers is that some users set their browsers to reject cookies or quickly extinguish them. And mobile phones, which are taking an increasing chunk of the Web usage, do not use cookies.

To combat the cookie’s flaws, advertisers and publishers are increasingly turning to something called fingerprinting. This technique allows a web site to look at the characteristics of a computer such as what plugins and software you have installed, the size of the screen, the time zone, fonts and other features of any particular machine. These form a unique signature just like random skin patterns on a finger...

Fingerprinting may prove a more robust tracking technology than cookies because the user’s identity endures even if they erase their cookies. Making changes to your software and settings only makes you more identifiable, not less. An EFF study several years ago found that it is easy to track when someone changes their profiles by adding software updates, for example. You can see what details your computer is transmitting right now by visiting this site. (more)


Try it. You'll be amazed. ~Kevin
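To make the "changes only make you more identifiable" point concrete, here is an added example (mine, not code from the article or from the EFF study) that does what a fingerprinting script does once it has read the attributes: it hashes the attribute set into a stable identifier and measures how many bits of identifying information that set carries against a small constructed population of browser profiles. The attribute values and the population are made up for the example; the per-attribute surprisal is the Panopticlick-style -log2(frequency), and the "bits to identify" figure is the same arithmetic behind the 33-bit claim quoted further down this page.

```python
import hashlib
import json
import math

# Constructed sample population of browser profiles, standing in for the
# visitors a tracker sees.  Values are made up for this example; a real
# fingerprinter reads them from navigator.*, screen.*, plugin and font lists.
COMMON = {"ua": "Firefox/21", "screen": "1366x768", "tz": -5,
          "plugins": "Flash 11.7;Java 7", "fonts": 64}
POPULATION = [dict(COMMON) for _ in range(4)] + [
    {"ua": "Chrome/27", "screen": "1366x768", "tz": -5,
     "plugins": "Flash 11.7", "fonts": 64},
    {"ua": "Chrome/27", "screen": "1920x1080", "tz": -8,
     "plugins": "Flash 11.7", "fonts": 120},
    {"ua": "Safari/6", "screen": "1440x900", "tz": -8,
     "plugins": "QuickTime", "fonts": 200},
    {"ua": "IE/10", "screen": "1024x768", "tz": 1,
     "plugins": "Flash 11.7;Silverlight 5", "fonts": 80},
]


def fingerprint(profile):
    """Stable identifier derived from the attribute set: canonical JSON, hashed.

    Sorting keys makes the hash independent of attribute order, so two visits
    by the same machine collide as long as nothing about it changed.
    """
    canon = json.dumps(profile, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def surprisal_bits(population, key, value):
    """Bits of identifying information one attribute value carries
    (self-information: -log2 of how common the value is in the population)."""
    matches = sum(1 for p in population if p.get(key) == value)
    # A value nobody else has reveals at least log2(N) bits.
    return math.log2(len(population) / max(matches, 1))


def attribute_bits(population, profile):
    """Per-attribute surprisal for one profile.  These do NOT simply add up:
    attributes are correlated (screen size and UA both leak the device), so
    the honest combined figure is profile_bits() below."""
    return {k: surprisal_bits(population, k, v) for k, v in profile.items()}


def profile_bits(population, profile):
    """Bits revealed by the whole attribute set at once: how many of the
    population share exactly this profile.  Capped at log2(N) when unique."""
    matches = sum(1 for p in population if p == profile)
    return math.log2(len(population) / max(matches, 1))


def bits_to_identify(population_size):
    """Bits needed to single out one person among population_size people;
    log2(7e9) is about 32.7, i.e. the '33 bits' figure for the world."""
    return math.log2(population_size)


if __name__ == "__main__":
    me = dict(COMMON)
    print("fingerprint:", fingerprint(me)[:16], "bits:", profile_bits(POPULATION, me))
    # The user "hides" by installing one more plugin and changing nothing else:
    # the old hash no longer matches, but the new combination is unique.
    me["plugins"] += ";Silverlight 5"
    print("after update:", fingerprint(me)[:16], "bits:", profile_bits(POPULATION, me))
```

The common profile is shared by four of the eight sample visitors and so reveals only one bit; add one plugin and it becomes unique, revealing the full three bits the population allows. That is the whole argument of the post in numbers: every deviation from the crowd narrows the crowd.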

Tuesday, June 11, 2013

Guess Who Else is Scared of PRISM

Business and the advertising industry!

via... AdAge
Privacy legislation has been brewing in congress for years now, but a combination of public apathy and strong industry opposition has kept it at bay. Could the Prism data surveillance scandal become the watershed moment that propels it forward?

It's too soon to tell how revelations that the U.S. government has been mining web communications and phone logs will impact public opinion, but none of what the government has been implicated in doing would be possible if corporations weren't mining and storing consumer data, often for advertising purposes...
Of course, many in the ad industry hope this government data-gate serves as a foil to commercial data practices, resulting in less focus on how marketers gather and use consumer information. (more)

Sunday, May 19, 2013

Big Data - The End of Privacy. The End of Chance.

FutureWatch - BIG Data Knows All

• "Scientists have figured out that, with the help of our mobile phone geolocation and address book data, they can predict with some certainty where we will be tomorrow or at a certain time a year from now."

• "Some cities even predict the probability of crimes in certain neighborhoods. The method, known as "predictive policing," seems like something straight out of a Hollywood film, and in fact it is. In Steven Spielberg's "Minority Report," perpetrators were arrested for crimes they hadn't even committed yet."

• "Google predicted a wave of flu outbreaks on the basis of user searches."

• "American data specialist Nate Silver predicted the outcome of the last US presidential election well in advance and more precisely than all demographers."

• "TomTom, a Dutch manufacturer of GPS navigation equipment, had sold its data to the Dutch government. It then passed on the data to the police, which used the information to set up speed traps in places where they were most likely to generate revenue -- that is, locations where especially large numbers of TomTom users were speeding."

• "The more data is in circulation and available for analysis, the more likely it is that anonymity becomes "algorithmically impossible," says Princeton computer scientist Arvind Narayanan. In his blog, Narayanan writes that only 33 bits of information are sufficient to identify a person."

• "Is it truly desirable for cultural assets like TV series or music albums to be tailored to our predicted tastes by means of data-driven analyses? What happens to creativity, intuition and the element of surprise in this totally calculated world?"


• "A dominant Big Data giant once inadvertently revealed how overdue a broad social and political debate on the subject is. Google Executive Chairman Eric Schmidt says that in 2010, the company toyed with the idea of predicting stock prices by means of incoming search requests. But, he said, the idea was discarded when Google executives concluded that it was probably illegal. He didn't, however, say that it was impossible." (more)

Thursday, April 25, 2013

Verizon's Tilt-Shift-Focus on Espionage

Ninety-six percent of cyber espionage cases targeting intellectual property and business trade secrets were attributed to “threat actors in China,” while the remaining four percent were unknown, according to the “2013 Data Breach Investigations Report," which is issued by Verizon, a large U.S. telecom firm...

“Verizon doesn't explain how they determine that an event is state-sponsored, nor how they distinguish between legitimate attacks originating from China and those which use compromised servers in Chinese IP space,” said Jeffrey Carr, CEO of Taia Group, a cyber-security firm. “Hence, any conclusion that they try to draw about the government of China has to be taken with a great degree of skepticism.”
Carr said he believes a lot of the espionage originating in China could “actually be the work of non-state actors working in the Chinese IP space.” (more) 


Keep in mind this report is from a telecommunications company. It is a tilt-shift-focus photo. The center of attention is their product – data-motion. Non-IT methods of espionage are out of focus. 

The result is a distorted reality field with micro-bickering over "who" is to blame, instead of what can be done about it.

Wake up. Pockets are being picked. "Who" doesn't matter. Keeping your intellectual wallet safe matters. 

Successful counterespionage requires a clear, sharp, holistic vision. Beware the tilt-shift folks who focus on IT alone. They miss all the end runs. Budget for a 360° lens. ~Kevin

Thursday, April 11, 2013

There is a Magazine for Everything... Even Penetration Testing

Kamil Sobieraj, editor of PenTest Magazine introduced me to his publication this week. It was an eye-opener. If you have anything to do with protecting information, you will find this as interesting as I did... 

 PenTest Magazine is a weekly downloadable IT security magazine, devoted exclusively to penetration testing. It features articles by penetration testing specialists and enthusiasts, experts in vulnerability assessment and management. All aspects of pen testing, from theory to practice, from methodologies and standards to tools and real-life solutions are covered.

48 issues per year (4 issues in a month).

A different title is published every week of the month:
• PenTest Regular – 1st Monday
• Auditing & Standards PenTest – 2nd Monday
• PenTest Extra – 3rd Monday
• Web App Pentesting – 4th Monday


...about 200 pages of content per month.

Each issue contains...
• News
• Tools testing and reviews
• Articles – advanced technical articles showing techniques in practice
• Book review
• Interviews with IT security experts

(more)

Nice to know there is a smart way to keep up with the bad guys.

Friday, April 5, 2013

Apple's iMessage has DEA Tongue Tied

Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals.

An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, "it is impossible to intercept iMessages between two Apple devices" even with a court order approved by a federal judge...

When Apple's iMessage was announced in mid-2011, Cupertino said it would use "secure end-to-end encryption." It quickly became the most popular encrypted chat program in history: Apple CEO Tim Cook said last fall that 300 billion messages have been sent so far, which are transmitted through the Internet rather than as more costly SMS messages carried by wireless providers. (more)


But... if messages are exchanged between an Apple device and a non-Apple device, they "can sometimes be intercepted, depending on where the intercept is placed." (more)

Thursday, March 14, 2013

Pwn Pad - Use it, IT, before it is used against IT

The folks at security tools company Pwnie Express have built a tablet that can bash the heck out of corporate networks. - Wired Magazine

The Pwn Pad - a commercial grade penetration testing tablet which provides professionals an unprecedented ease of use in evaluating wired and wireless networks.

The sleek form factor of the Pwn Pad makes it an ideal product choice when on the road or conducting a company or agency walk-through. This highspeed, lightweight device, featuring extended battery life and 7” of screen real estate offers pentesters an alternative never known before. (more)

TOOLKIT INCLUDES:
Wireless Tools:
• Aircrack-ng
• Kismet
• Wifite-2
• Reaver
• MDK3
• EAPeak
• Asleap-2.2
• FreeRADIUS-WPE
• Hostapd
Bluetooth Tools:
• bluez-utils
• btscanner
• bluelog
• Ubertooth tools
Web Tools:
• Nikto
• w3af
Network Tools:
• NET-SNMP
• Nmap
• Netcat
• Cryptcat
• Hping3
• Macchanger
• Tcpdump
• Tshark
• Ngrep
• Dsniff
• Ettercap-ng 7.5.3
• SSLstrip v9
• Hamster and Ferret
• Metasploit 4
• SET
• Easy-Creds v3.7.3
• John (JTR)
• Hydra
• Medusa 2.1.1
• Pyrit
• Scapy


Tuesday, February 19, 2013

Mechanic Hits Emails at Rival Limo Firm

A Las Vegas limousine company executive was convicted Friday of hacking into the emails of his former employer. 

John Sinagra, vice president and general manager of VIP Limousines of Nevada, was indicted last year on charges of obtaining information from a protected computer and aggravated identity theft.
 

Federal prosecutors alleged that Sinagra, who once was charged as a mob hitman in a sensational New York murder case, hacked into the emails of rival Las Vegas Limousines, owned by Frias Transportation, and stole key information. (more) (The Mechanic)

Wednesday, February 6, 2013

Groundbreaking Encryption App is a Fed Freaker

For the past few months, some of the world’s leading cryptographers have been keeping a closely guarded secret about a pioneering new invention. Today, they’ve decided it’s time to tell all. 

Back in October, the startup tech firm Silent Circle ruffled governments’ feathers with a “surveillance-proof” smartphone app to allow people to make secure phone calls and send texts easily. Now, the company is pushing things even further—with a groundbreaking encrypted data transfer app that will enable people to send files securely from a smartphone or tablet at the touch of a button. (For now, it’s just being released for iPhones and iPads, though Android versions should come soon.) That means photographs, videos, spreadsheets, you name it—sent scrambled from one person to another in a matter of seconds. 

“This has never been done before,” boasts Mike Janke, Silent Circle’s CEO. “It’s going to revolutionize the ease of privacy and security.” 

The sender of the file can set it on a timer so that it will automatically “burn”—deleting it from both devices after a set period of, say, seven minutes. Until now, sending encrypted documents has been frustratingly difficult for anyone who isn’t a sophisticated technology user, requiring knowledge of how to use and install various kinds of specialist software. 

What Silent Circle has done is to remove these hurdles, essentially democratizing encryption. It’s a game-changer that will almost certainly make life easier and safer for journalists, dissidents, diplomats, and companies trying to evade state surveillance or corporate espionage. Governments pushing for more snooping powers, however, will not be pleased. (more)

Wednesday, January 30, 2013

Free Stuff Alert: Encryption / Compression Program

Sophos Free Encryption
reviewed by
 
Product Information:
Title: Sophos Free Encryption
Company: Sophos Ltd.
Product URL: http://www.sophos.com/en-us/products/free-tools/sophos-free-encryption.aspx
Supported OS: Windows 2000, XP, Vista, 7 and 8
Price: Free
Rating: 5 out of 5
Bottom Line: Sophos delivers an excellent freeware utility for securing document files with sensitive data inside AES encrypted archives. The software is easy to use and offers nice features to boot.

Sophos Free Encryption is a tool that works like a zip program, but with the added aforementioned encryption, which is AES-256 for good measure. Digging a bit into this product, I noticed a few niceties that the competition doesn’t really have in the security department, namely in how it handles passwords and the self-extracting archive feature. For a free tool, this beats its competitor SecureZIP by PKWare, which actually costs money to do the same thing. (more)

Also available... FREE Data Security Toolkit ~Kevin

Friday, January 11, 2013

Van Eck Grown Up - Time to look at eavesdropping on computer emissions again.

1985 - Van Eck phreaking is the process of eavesdropping on the contents of a CRT or LCD display by detecting its electromagnetic emissions. It is named after Dutch computer researcher Wim van Eck, who in 1985 published the first paper on it, including proof of concept. Phreaking is the process of exploiting telephone networks, used here because of its connection to eavesdropping.

2009 - A simple experiment showing how to intercept computer keyboard emissions. 

It is notable that there is: 
• no connection to the Internet; 
• no connection to power lines (battery operation); 
• no computer screen in use (eliminates the screen emissions possibility); 
• and no wireless keyboard or mouse. 
Intercepted emissions are solely from the hard-wired keyboard.

The interception antenna is located about one meter away. (This is why we look for antenna wires under desks, and metal parts on desks to which wiring is attached.) 
(video 1) (video 2)

The point is, if one can get an antenna within close proximity of your computer, what you type belongs to them.

 
December 2012 - Not satisfied with pulling information from your keyboard, injecting information becomes a concern (pay attention investment firms).

"The roughly half-dozen objectives of the Tactical Electromagnetic Cyber Warfare Demonstrator program are classified, but the source said the program is designed to demonstrate ready-made boxes that can perform a variety of tasks, including inserting and extracting data from sealed, wired networks.

Being able to jump the gap provides all kinds of opportunities, since an operator (spy) doesn’t need to compromise the physical security of a facility to reach networks not connected to the Internet. Proximity remains an issue, experts said, but if a vehicle can be brought within range of a network, both insertion and eavesdropping are possible." (more)


2013 is going to be an interesting year. ~Kevin

Thursday, December 27, 2012

Christmas, and another phone company Pontius Pilate's spyware

Vietnam - Mobile phone subscribers have become worried after hearing that their phone conversations could be tapped at any time, as software and devices for bugging phone calls are being sold everywhere.

There are many suppliers of bugging devices, and advertisements for tapping software and devices can be found on websites as well. The advertisers claim that the latest-generation software, such as Spyphone, Copyphone, PokerSpyphone, Spy Mobile and Mobile Phone Spy, will be delivered as soon as buyers make payment.

Clients are told that it takes only a few minutes to install the software or bugging devices on the targeted phones to record all conversations and messages. The devices are also dirt cheap, at about one million dong, which is nothing to people who can afford smartphones running iOS or Android.

In reply, network operators have affirmed that they have no involvement in wiretapping and that, in principle, all personal information of subscribers is kept confidential. (more)


But, we don't hear them complaining about the extra revenue they earn from spyware data transfers. ~Kevin

Wednesday, November 28, 2012

Police Strip Cut Shreds Used as Parade Confetti

Ethan Finkelstein was at the NYC Thanksgiving Day Parade and noticed something weird about the confetti... "and it says 'SSN' and it's written like a social security number, and we're like, 'That's really bizarre.'

"There are phone numbers, addresses, more social security numbers, license plate numbers and then we find all these incident reports from police."

One confetti strip indicates that it's from an arrest record, and other strips offer more detail. "This is really shocking," Finkelstein said. "It says, 'At 4:30 A.M. a pipe bomb was thrown at a house in the Kings Grant' area."

A closer look shows that the documents are from the Nassau County Police Department. The papers were shredded, but clearly not well enough.

They even contain information about Mitt Romney's motorcade, apparently from the final presidential debate, which took place at Hofstra University in Nassau County last month. (more)

UPDATE: ...Sources close to the investigation into the incident told PIX11 News that an employee of the Nassau County Police Department was watching the parade near 65th Street and Central Park West, along the parade route. He had brought shredded NCPD documents with him for his family and friends to use as confetti... (more) (video)

Monday, November 26, 2012

Is Your Cell Phone Protected by the 4th Amendment?

Judges and lawmakers across the country are wrangling over whether and when law enforcement authorities can peer into suspects’ cellphones, and the cornucopia of evidence they provide.

A Rhode Island judge threw out cellphone evidence that led to a man being charged with the murder of a 6-year-old boy, saying the police needed a search warrant. A court in Washington compared text messages to voice mail messages that can be overheard by anyone in a room and are therefore not protected by state privacy laws.

In Louisiana, a federal appeals court is weighing whether location records stored in smartphones deserve privacy protection, or whether they are “business records” that belong to the phone companies.

“The courts are all over the place,” said Hanni Fakhoury, a criminal lawyer with the Electronic Frontier Foundation, a San Francisco-based civil liberties group. “They can’t even agree if there’s a reasonable expectation of privacy in text messages that would trigger Fourth Amendment protection.”

The issue will attract attention on Thursday when a Senate committee considers limited changes to the Electronic Communications Privacy Act, a 1986 law that regulates how the government can monitor digital communications. Courts have used it to permit warrantless surveillance of certain kinds of cellphone data. (more)

Thursday, October 25, 2012

FBI Issues Warning Regarding Android Malware

The FBI's Internet Crime Complaint Center has issued a warning alerting users about malware that targets the Android mobile operating system. 

The intelligence note from the IC3 was issued last week, and highlighted on Monday by Apple 2.0. It noted there are various forms of malware out in the wild that attack Android devices.

Two forms of malware cited by the IC3 are Loozfon, which steals information from users, and FinFisher, which can give nefarious hackers control over a user's device. 


Loozfon can lure in victims by promising users a work-at-home opportunity in exchange for sending out an e-mail. Visiting a link in the e-mail will push Loozfon to the user's device, allowing the malware to steal contact details from the device's address book.

The FinFisher spyware highlighted by the IC3 allows for a mobile device to be remotely controlled and monitored from anywhere. FinFisher is installed by simply visiting a Web link or opening a text message that disguises itself as a system update. (more)

Sunday, October 21, 2012

New Burglar Alarm... not for you, for the burglar.

Criminals no longer need to stake out a home or a business to monitor the inhabitants' comings and goings. Now they can simply pick up wireless signals broadcast by the building's utility meters.

In the US, analogue meters that measure water, gas and electricity consumption are being replaced by automated meter reading (AMR) technology. Nearly a third of the country's meters - more than 40 million - have already been changed. The new time-saving devices broadcast readings by radio every 30 seconds for utility company employees to read as they walk or drive around with a receiver. But they are not the only ones who can tune in, says Ishtiaq Rouf at the University of South Carolina in Columbia, and his colleagues.

The team picked up transmissions from AMR meters - operated by companies that they did not name in their paper - and reverse-engineered the broadcasts to monitor the readings. To do this they needed about $1000 worth of open-source radio equipment and information available through online tutorials. (more)


Bad guy logic leap: When you are not home, you are not using much electricity.
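The "logic leap" above is an inference step, and it is worth seeing how little it takes. Below is an added example (mine, not code from the University of South Carolina paper or the article) that starts where the researchers' radio work ends: it assumes the cumulative kWh readings have already been recovered from the meter's broadcasts, derives per-hour consumption from consecutive readings, and finds stretches where the house draws only idle load. The three days of readings, the idle threshold of 0.15 kWh per hour and the eight-hour "that was just a night's sleep" cut-off are constructed assumptions for the example.

```python
# Constructed meter data: three days of readings for one household.
START_REGISTER = 12345.6  # cumulative kWh shown on the meter at hour 0

# Hourly consumption (kWh) used to synthesise the readings: day 1 at home
# (morning and evening use, out during working hours), day 2 away all day,
# day 3 away until the evening.
HOME_DAY = [0.1] * 6 + [1.0, 0.8] + [0.1] * 9 + [1.5, 1.2, 0.9, 0.7, 0.5, 0.3] + [0.1]
AWAY_DAY = [0.1] * 24
RETURN_DAY = [0.1] * 17 + [1.5, 1.2, 0.9, 0.7, 0.5, 0.3] + [0.1]
HOURLY_USE = HOME_DAY + AWAY_DAY + RETURN_DAY


def build_readings(hourly_use, start=START_REGISTER):
    """Turn per-hour usage into (hour, cumulative_kWh) meter readings, which is
    the form an AMR meter actually reports (a running register, not a rate)."""
    readings = [(0, start)]
    total = start
    for hour, kwh in enumerate(hourly_use, start=1):
        total += kwh
        readings.append((hour, round(total, 3)))
    return readings


READINGS = build_readings(HOURLY_USE)


def hourly_deltas(readings):
    """Consumption in each interval between consecutive readings."""
    return [(h0, round(r1 - r0, 3))
            for (h0, r0), (h1, r1) in zip(readings, readings[1:])]


def quiet_windows(deltas, idle_kwh=0.15, min_hours=6):
    """Contiguous runs of intervals at or below the idle load (fridge, standby),
    returned as half-open (start_hour, end_hour) ranges of at least min_hours."""
    windows, start = [], None
    for hour, kwh in deltas:
        if kwh <= idle_kwh:
            if start is None:
                start = hour
            continue
        if start is not None and hour - start >= min_hours:
            windows.append((start, hour))
        start = None
    end = deltas[-1][0] + 1
    if start is not None and end - start >= min_hours:
        windows.append((start, end))
    return windows


def likely_away(windows, sleep_hours=8):
    """Drop quiet windows short enough to be a night's sleep.  What remains is
    the routine absence (working hours) and the long trip, which is exactly
    what a burglar wants: a 6-hour quiet spell at 1 a.m. means nothing."""
    return [(s, e) for s, e in windows if e - s > sleep_hours]


if __name__ == "__main__":
    quiet = quiet_windows(hourly_deltas(READINGS))
    print("quiet windows:", quiet)
    print("likely away:", likely_away(quiet))
```

On the sample data the quiet windows are hours 0 to 6 (asleep), 8 to 17 (at work) and 23 to 65 (the 42-hour trip); the sleep filter keeps the last two. The defensive corollary is the same one the paper draws: the fix is on the meter side (encrypted or less chatty broadcasts), not something the occupant can do with a thermostat.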

Thursday, July 26, 2012

See What 6 Months of Your Phone Data Reveals

Green party politician Malte Spitz sued to have German telecoms giant Deutsche Telekom hand over six months of his phone data that he then made available to ZEIT ONLINE. We combined this geolocation data with information relating to his life as a politician, such as Twitter feeds, blog entries and websites, all of which is freely available on the internet.

By pushing the play button, you will set off on a trip through Malte Spitz's life. The speed controller allows you to adjust how fast you travel, the pause button will let you stop at interesting points. In addition, a calendar at the bottom shows when he was in a particular location and can be used to jump to a specific time period. Each column corresponds to one day. (more)

Saturday, July 14, 2012

Mobile Phones and Privacy

Mobile phones are a rich source of personal information about individuals. Both private and public sector actors seek to collect this information. 

Facebook, among other companies, recently ignited a controversy by collecting contact lists from users’ mobile phones via its mobile app. A recent Congressional investigation found that law enforcement agencies sought access to wireless phone records over one million times in 2011. As these developments receive greater attention in the media, a public policy debate has started concerning the collection and use of information by private and public actors.

To inform this debate and to better understand Americans’ attitudes towards privacy in data generated by or stored on mobile phones, we commissioned a nationwide, telephonic (both wireline and wireless) survey of 1,200 households focusing upon mobile privacy issues. (more) (download Mobile Phones and Privacy)

Friday, July 13, 2012

Security Alert for Yahoo Voice users.

Hackers posted what appear to be login credentials for more than 453,000 user accounts that they said they retrieved in plaintext from an unidentified service on Yahoo. 

To support their claim, the hackers posted what they said were the plaintext credentials for 453,492 Yahoo accounts, more than 2,700 database table or column names, and 298 MySQL variables, all of which they claim to have obtained in the exploit. "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," a brief note at the end of the dump stated. (more)

Check here to see if you are on the list. Use your browser's search tool. If so, it's time to change your password... at every place you use it. ~ Kevin
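Searching a plaintext credential dump in a browser works, but it also means pasting your address into a page you do not control and keeping the raw dump around. Here is an added example (mine, not code from the attackers' dump or from Yahoo) of the check a practitioner would run instead: parse the dump once, keep only hashed email addresses and a hashed password tally, then answer both "is my address in it?" and "is a password I use elsewhere in it?" without touching the plaintext again. The dump lines are constructed for the example in the common "email:password" shape; the case-insensitive address normalisation is an assumption.

```python
import hashlib
from collections import Counter

# Constructed sample in the "email:password" shape these plaintext dumps
# commonly take; none of these are real credentials.
DUMP = """\
# dump header line, constructed for this example
alice@example.com:password123
bob@example.org:letmein
carol@example.net:123456
dave@example.com:password123
this line is not a credential
eve@example.com:Tr0ub4dor&3
"""


def parse_dump(text):
    """Return (email, password) pairs; skip comments and lines without a
    separator.  The password may itself contain ':', hence maxsplit=1."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        entries.append((email, password))
    return entries


def _h(value):
    # Normalisation assumption: addresses are compared case-insensitively and
    # without surrounding whitespace; passwords are hashed exactly as typed.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_index(entries):
    """Hashed lookup tables, so the plaintext dump need not be kept (or pasted
    into a search box) to answer 'am I in it?' later."""
    emails = {_h(e.strip().lower()) for e, _ in entries}
    passwords = Counter(_h(p) for _, p in entries)
    return {"emails": emails, "passwords": passwords}


def email_exposed(index, email):
    return _h(email.strip().lower()) in index["emails"]


def password_exposed(index, password):
    """How many leaked accounts used this exact password.  A password you reuse
    elsewhere is burned even if your own address is not in the list."""
    return index["passwords"][_h(password)]


def top_passwords(entries, n=3):
    """The usual post-breach statistic: most common passwords in the dump."""
    return Counter(p for _, p in entries).most_common(n)


ENTRIES = parse_dump(DUMP)
INDEX = build_index(ENTRIES)

if __name__ == "__main__":
    print("alice exposed:", email_exposed(INDEX, "Alice@Example.com"))
    print("'password123' seen:", password_exposed(INDEX, "password123"), "times")
    print("top passwords:", top_passwords(ENTRIES, 2))
```

The second check is the one Kevin's advice turns on: if the password that leaked with someone else's account is the same string you use at your bank, it is in every cracker's wordlist now, whether or not your address appears in the dump.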

Monday, July 9, 2012

Data Diarrhea - Cell Tower Dumps

If you secretly suspected that nifty mobile device in your pocket was spying on you, your paranoia has just been richly rewarded.

As the New York Times reports, a Congressional inquiry into cell phone surveillance reveals that U.S. law enforcement agencies requested data from wireless carriers more than 1.3 million times last year -- or nearly 500 times the number of wiretaps approved over the same period.

That number is way larger than anyone expected. But the actual number of people spied on might be even higher, says the Times:

"Because of incomplete record-keeping, the total number of law enforcement requests last year was almost certainly much higher than the 1.3 million the carriers reported to [Senator] Markey. Also, the total number of people whose customer information was turned over could be several times higher than the number of requests because a single request often involves multiple callers. For instance, when a police agency asks for a cell tower "dump" for data on subscribers who were near a tower during a certain period of time, it may get back hundreds or even thousands of names." (more)