Showing posts with label data.

Tuesday, May 17, 2016

Spying Using Phone Call Records – Study Says It's Easy

Stanford University researchers used call records to uncover heart problems, marijuana habits of volunteers. 

Phone metadata doesn’t reveal what people say, but such records of calls and text messages can help spy agencies, businesses or hackers discover private information about someone’s relationships, shopping interests and even health problems, according to a study published on Monday.

The research published in the journal Proceedings of the National Academy of Sciences showed that scans of call records help create detailed maps of not just the person being investigated, but also the lives of contacts in their phone history. Metadata is the term used for the receipt of a call or a text message included in the history of a phone, and these records are often maintained by a telecom service provider.

“Once a participant was labeled as in a relationship, we found that identifying the participant’s partner was trivial,” according to the researchers. “Our results suggest that, even without human review, a business or agency could draw sensitive inferences from a significant share of telephone records.” more

Tuesday, May 10, 2016

The End of "A Little Bird Told Me"

At Twitter’s behest, US intelligence agencies have lost access to Dataminr, a company that turns social media data into an advanced notification system, according to the Wall Street Journal. While that may sound like a win for privacy, it’s a bit more complicated in practice.

The move leaves government officials without a valuable tool. Somewhat less clear is what sort of stand, if any, Twitter is taking...

“From the government perspective, it’s a good tool, because it gives real-time alerts to things that are happening before anyone really knows what’s going on,” says Aki Peritz, a former CIA counterterrorism expert and current adjunct professor at American University. “We want to allow law enforcement and the intelligence services to know bad things are happening in real time.” more

Sunday, January 10, 2016

Business Espionage: Employee's Steal Bends Steel Company With Her Bare Hands

Australia - On the day long-serving BlueScope software development manager Chinnari Sridevi "Sri" Somanchi was to be made redundant in June 2015, she was suddenly busy on the phone.

For the next two hours her redundancy meeting was delayed while Ms Somanchi was locked on the lengthy call, as her manager circled her desk trying to get her attention.

What the company did not know at the time, and now alleges, was Ms Somanchi was spending those precious hours downloading a cache of company secrets so financially important to BlueScope it has launched emergency legal action in the Federal Court of Australia and Singapore, where she is now based, to stop the information falling into the hands of its competitors.

Ms Somanchi has been accused this week of downloading a trove of company documents – about 40 gigabytes – over a four-year period, including the codes she allegedly downloaded just before her redundancy meeting.

BlueScope is now trying desperately to retrieve "highly sensitive and commercially valuable" information allegedly stolen by Ms Somanchi, who it describes as a disgruntled former employee...

The case of alleged international espionage has left the company reeling and urgently seeking a judge's help to find and destroy trade secrets before they fall into the hands of competitors.

Losing its customized software to a rival firm would so badly damage BlueScope that it was not seeking penalties because "it is difficult to see how damages could adequately compensate BlueScope for the loss", a senior manager's affidavit said. The business unit at risk generates $US45 million in turnover each year. more

Friday, August 21, 2015

He's Back... The Air Gap Computer Hack

Researchers at the Ben-Gurion University of the Negev (BGU) Cyber Security Research Center have discovered that virtually any cellphone infected with malicious code can use GSM phone frequencies to steal critical information from infected “air-gapped” computers.

Air-gapped computers are isolated -- separated both logically and physically from public networks -- ostensibly so they cannot be hacked over the Internet or within company networks.


Led by BGU Ph.D. student Mordechai Guri, the research team discovered how to turn an ordinary air-gapped computer into a cellular transmitting antenna using software that modifies the CPU firmware. GSMem malicious software uses the electromagnetic waves from phones to receive and exfiltrate small bits of data, such as security keys and passwords...

This is the third threat the BGU cyber team has uncovered related to what are supposed to be secure, air-gapped computers. Last year, the researchers created a method called Air-Hopper, which utilizes FM waves for data exfiltration. Another research initiative, BitWhisper, demonstrated a covert bi-directional communication channel between two close-by air-gapped computers using heat to communicate. more

Wednesday, January 28, 2015

Need A Secure Portable 1 or 2TB Hard Drive? (Yeah, you do.)

iStorage diskAshur Pro 1TB review: one of the most secure and encrypted portable hard drives you can buy...

If you use a portable drive for business, there's a very strong case for keeping that data secure with a hardware-encrypted drive. And when customer data is at stake, there's a legal obligation to button it down to keep it confidential in the event of the drive being lost or otherwise compromised.

Even home users may prefer to keep their files and data to themselves. Which is why encrypted portable drives like the iStorage diskAshur Pro can be such a great idea, with their built-in keypads that need a numerical PIN to be entered before they give up their secrets.

The diskAshur Pro follows a line of similar drives sold in this country (UK) by iStorage Limited, which are rebranded and renamed drives designed by and made for Apricorn Inc in the USA. This latest version is called the diskAshur Pro, otherwise known as the Apricorn Aegis Padlock Fortress, and has been given a FIPS 140-2 security rating.
(more)

Thursday, December 11, 2014

A Guide to Electronically Stored Information Preservation Responsibilities

The litigation-related duty to preserve relevant evidence, including electronically stored information (ESI), is well established and widely known in the legal community and the business world...

In today’s legal climate, even a company’s seemingly innocent delay in implementing an appropriate method to preserve ESI may be catastrophic...

This white paper guides litigants through their responsibilities to preserve evidence and provides valuable information on implementing a defensible legal hold process. (more) (pdf)

Monday, December 1, 2014

FutureWatch: The Uber Hack Will Taxi In Soon

Imagine for a second that your job is to gather intelligence on government officials in Washington, or financiers in London, or entrepreneurs in San Francisco. Imagine further that there existed a database that collected daily travel information on such people with GPS-quality precision– where they went, when they went there and who else went to those same places at the same times.

Now add that all this location data was not held by a battle-hardened company with tons of lawyers and security experts, such as Google. Instead, this data was held by a start-up that was growing with viral exuberance – and with so few privacy protections that it created a “God View” to display the movements of riders in real-time and at least once projected such information on a screen for entertainment at a company party.

And let’s not forget that individual employees could access historical data on the movements of particular people without their permission, as an Uber executive in New York City reportedly did when he pulled the travel records of a Buzzfeed reporter who was working on a story about the company.

Wouldn’t that strike you as a hacking opportunity of remarkable awesomeness?

James A. Lewis, a cyber-security expert with the Center for Strategic and International Studies, said, “Most people have really bad operational security.” (more)

Tuesday, October 21, 2014

Staples Suspects Hackers - That Was Easy

Staples, the nation’s largest office supply retailer, said Monday it is investigating a "potential issue" involving credit card data at its stores.

Staples spokesman Mark Cautela said in an email that the retailer has contacted law enforcement to help with its investigation.

"We take the protection of customer information very seriously and are working to resolve the situation," Cautela said in an email. "If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis." (more) (now-hack-the button)

Monday, September 15, 2014

The Top Cyber Espionage Devices You Don't Want to See

... unless you are using them.

The Pwn Plug Academic Edition is the Industry’s First Enterprise Penetration Testing Drop Box

  • Wireless (802.11b/g/n), high-gain Bluetooth & USB Ethernet adapters
  • Fully-automated NAC/802.1x/Radius bypass
  • One-click EvilAP, stealth mode & passive recon

The Pwn Plug Academic Edition acts as a penetration testing drop box that covers most of a full-scale pentesting engagement, from physical-layer to application layer. The Pwn Plug Academic Edition is controlled through a simple web-based administration and comes preloaded with an array of penetration testing tools and Wireless, Bluetooth, and USB Ethernet adapters.
 
The Pwn Plug R3 is a next-generation penetration testing device in a portable, shippable, “Plug-and-Pwn” form factor.

  • Onboard high-gain 802.11a/b/g/n wireless
  • Onboard Bluetooth
  • External 4G/GSM cellular
  • Greatly improved performance and reliability

The Pwn Plug R3 is a next-generation penetration testing device in a portable, shippable, “Plug-and-Pwn” form factor. With onboard high-gain 802.11a/b/g/n wireless, onboard Bluetooth, external 4G/GSM cellular, ruggedized case design, and greatly improved performance and reliability, the Pwn Plug R3 is the enterprise penetration tester’s dream tool.

The MiniPwner
The MiniPwner is described as a penetration testing “drop box”. You (or maybe a cleaner you’ve bribed) need to plug it into an Ethernet plug in the target’s building, and then you can slurp all the data out of their network via a wifi link.

The penetration tester uses stealth or social engineering techniques to plug the MiniPwner into an available network port (common locations include conference rooms, unoccupied workstations, the back of IP telephones, etc.).
Once it is plugged in, the penetration tester can log into the MiniPwner and begin scanning and attacking the network. The MiniPwner can simultaneously establish SSH tunnels through the target network, and also allow the penetration tester to connect to the MiniPwner via Wifi. 


WiFi Pineapple Mark V
Slightly larger than a smartphone, the WiFi Pineapple Mark V is the “ultimate” cyber surveillance device. It uses an “intuitive” web interface to enable hackers to break into a corporate’s IT networks through its wifi connections. It costs $100.

USB Switchblade
The goal of the USB Switchblade is to silently recover information from a target Windows 2000 or higher computer, including password hashes, LSA secrets, IP information, etc.

A gadget that looks like a USB stick has a program that swings into action when it’s inserted into the USB drive and can then begin its naughty work without the user knowing it by exploiting a flaw in USB autorun settings. How about dropping it in the car park of your target’s offices, seeing if someone will pick it up and plug it in to see what’s on it… 

USB 8GB Flash Drive Cufflinks

The thing about these is that the bad guy can carry a load of malware, ready for use at any time. These go for less than $50. Easy to smuggle in. 

The Rubber Ducky
The Rubber Ducky is becoming the “field-weapon of choice” for cyber spies. It’s the size of a normal USB stick but when you plug it in to a PC it pretends to be a keyboard and starts ‘typing’ away, possibly trying to break into systems or maybe stealing passwords.  If you get a few seconds alone with someone’s phone you can get an adapter to plug it in and maybe hack that too. (The last five items courtesy of Financial News.)

Sunday, July 27, 2014

The Easy Fix to About 70% of Data Hacks

You never know when malware will bite. Even browsing an online restaurant menu can download malicious code, put there by hackers.

Much has been said that Target’s hackers accessed the giant’s records via its heating and cooling system. They’ve even infiltrated thermostats and printers among the “Internet of Things”.
 
It doesn’t help that swarms of third parties are routinely given access to corporate systems. A company relies upon software to control all sorts of things like A/C, heating, billing, graphics, health insurance providers, to name a few. If just one of these systems can be busted into, the hacker can crack ‘em all...

One way to strengthen security seems too simple: Keep the networks for vending machines, heating and cooling, printers, etc., separate from the networks leading to H.R. data, credit card information and other critical information. Access to sensitive data should require super strong passwords and be set up with a set of security protocols that can detect suspicious activity. (more)

Thursday, May 8, 2014

Verizon's 2014 Data Breach Investigations Report

Gain fresh insight into cyber espionage and denial-of-service attacks in the 2014 Data Breach Investigations Report (DBIR). 

This year’s report features nine common incident patterns, bringing together insights from 50 organizations around the globe and more than 63,000 confirmed security incidents.

Discover how attackers can affect your business, and learn the steps you need to take to counter threats and protect your reputation. (download)

Saturday, April 12, 2014

NSA Issues "Best Practices for Keeping Your Home Network Secure"

All right. Stop giggling. 

If you can get past the double irony (recommendation #5 being the second), this 8-page pdf document is really quite good. (more)

Thursday, March 27, 2014

How do the FBI and Secret Service know...

...your network has been breached before you do?
 

Knock, knock! Secret Service here. "Is this your customer payment card data?"

By all accounts, many of the massive data breaches in the news these days are first revealed to the victims by law enforcement, the Secret Service and Federal Bureau of Investigation (FBI). But how do the agencies figure it out before the companies know they have been breached, especially given the millions companies spend on security and their intense focus on compliance?


The agencies do the one thing companies don’t do. They attack the problem from the other end by looking for evidence that a crime has been committed. Agents go undercover in criminal forums where stolen payment cards, customer data and proprietary information are sold. They monitor suspects and sometimes get court permission to break into password-protected enclaves where cyber-criminals lurk.

They have informants, they do interviews with people already incarcerated for cybercrime, and they see clues in the massive data dumps of information stolen from companies whose networks have been breached. (more)

Saturday, January 18, 2014

Supreme Court to Consider if Police Need Warrants to Search Cellphones

The Supreme Court on Friday agreed to hear a pair of cases about whether the police need a warrant to search the cellphones of people they arrest, presenting a major test of the meaning of the Fourth Amendment in the digital age.

The court has long allowed warrantless searches in connection with arrests, saying they are justified by the need to find weapons and to prevent the destruction of evidence.  

The question for the justices in the new cases is whether the potentially vast amounts of data held on smartphones warrant a different approach under the Fourth Amendment, which bars unreasonable searches.

The lower courts are divided. (more) (more) (GEICO Pig don't care.)

Wednesday, January 15, 2014

Your Automobile is Very Likely Spying on You

...but Republicans and Democrats in the U.S. Senate are uniting to put a stop to unfettered snooping via the "black boxes," or "event data recorders," placed in your car by automakers. 

Is your car spying on you? If the vehicle is a fairly new model it probably is, thanks to a "black box" that collects data about what’s going on in your car. And there’s no off switch or way to opt out. By September all new cars sold in the United States will be required to have black boxes, or as they’re more formally called, "event data recorders."

"The amount of data that they record is vast. And it's not capped," said Nate Cardozo, a staff attorney with the Electronic Frontier Foundation (EFF).

That’s just one way new technology installed in automobiles is invading our privacy. At the 2014 Consumer Electronics Show (CES) last week, Google and a handful of automobile manufacturers, including Audi, GM, Honda and Hyundai, announced a partnership designed to bring the Android mobile platform to vehicles. Those devices are capable of broadcasting your location, Web pages you may have looked at, stores you shopped in and much much more. Chevrolet, for example, showed off a camera mounted on the windshield that records the driver’s point of view and a microphone in the cabin records any noises made in the car.
 

...Consider what Ford’s top sales guy James Farley said at a CES event: "We know everyone who breaks the law. We know when you’re doing it. We have GPS in your car, so we know what you’re doing." Farley quickly retracted his impolitic remarks, but they give you insight into how seriously some automakers take your privacy. (more)

Is your car bugged?
See if you are on the list.
If so, read this
~Kevin

Monday, November 18, 2013

Snooping on Credit Cards with Shopping Carts

Researchers at the University of Surrey, UK have successfully used readily available and inexpensive electronic components, combined with a shopping cart antenna, to eavesdrop on NFC and HF RFID contactless communication.

The shopping cart did not perform as well as a small inductive loop antenna (that could be concealed with the electronics in a backpack), but neither is likely to arouse suspicion.

The researchers say that the eavesdropping distance can be as much as 100cm but is dependent on the strength of the magnetic field generated by the victim's device.

Companies like VISA, Mastercard and Google who have already developed platforms for contactless payments can now add eavesdropping to the existing security threats of skimming and relay attacks. Original paper here (PDF).

Monday, September 16, 2013

New Mobile Survey Reveals 41% of Employees Are Deliberately Leaking Confidential Data

Congratulations and condolences to the nation’s CIOs for being responsible for data security. 

There’s now more job security but now there’s less information security too. Because, according to a new survey from uSamp, 41% of workers used an unsanctioned cloud service for document storage in the last 6 months, despite the fact that 87% of these workers knew their company had policies forbidding such practices.

Welcome to the mobile workplace. It’s less secure and loaded with risk.

And, according to the research, the estimated annual cost to remedy the data loss is about $1.8 billion. So what’s a CIO to do? On the one hand, it’s her job to help employees remain productive, but it’s also her job to secure the company’s confidential information.

Six IT experts were asked about their take on the matter. Here are their suggestions... (more)


Monday, July 29, 2013

World's Biggest Data Breaches - Infographic

A beautiful way to get the point across...

Be sure to visit the interactive original HERE.

Wednesday, July 24, 2013

Business Secrets Leak via Personal Devices

The smartphone revolution opened the floodgates to the BYOD (bring your own device) trend among workers... 

More than half of information workers own the devices they use for work, according to Forrester Research, which surveyed almost 10,000 people in 17 countries, and that proportion is likely to increase, says David Johnson, a senior analyst at Forrester.

The groundswell caused many IT directors to simply throw up their hands.
A study published last November by Kaspersky Lab, a digital-security firm, found that one in three organizations allowed personal cellphones unrestricted access to corporate resources—with troubling consequences. One in five companies in the same survey admitted losing business data after personal devices were lost or stolen. (more)


The pressure is on manufacturers to come up with better security features. 
"Certified for Business Use" has a nice value-added ring to it.

Monday, June 24, 2013

Amazon Has Everything... Even CIA Documents Soon

You can now add “spymaster” to Amazon CEO Jeff Bezos’s various titles. On Friday June 14, a US Government Accountability Office (GAO) report elaborated on previous reports that Amazon had won a $600 million contract to build a “private cloud” for the CIA...[on their employment site,] Amazon is looking for engineers who already have a “Top Secret / Sensitive Compartmented Information” clearance, or are willing to go through the elaborate screening process required to get it. TS/SCI is the highest security clearance offered by the US government, and getting it requires having your background thoroughly vetted. (more)

I know what's going on my "Wish List". ~Kevin