Showing posts with label software. Show all posts

Monday, June 30, 2014

Translation: Make an Artificial Brain That Can Think Like a Spy.... then make us a zillion of them.

A secretive United States intelligence organization has organized a conference to find firms capable of creating computer algorithms that learn in a similar manner to the human brain...

The July 17 conference in College Park, Maryland, gives prospective companies time to deliver presentations and slide shows of their existing research.

IARPA says it is involved in "high-payoff research programs to tackle some of the most difficult challenges of the agencies and disciplines in the intelligence community".

It undertakes research for more than a dozen organizations, including the Pentagon, the CIA and the National Security Agency. (more)

Wednesday, April 23, 2014

Security Alert: iPhones, iPads, iMacs, etc.

Apple has patched versions of its iOS and OS X operating systems to fix yet another extremely critical cryptography vulnerability that leaves some users open to surreptitious eavesdropping. Readers are urged to install the updates immediately. (more)

Saturday, April 19, 2014

SpyWarn™ 2.0 Anti-spyware App for Smartphones

According to The New York Times, anti-spyware apps don't work very well.

The reason...
Most "spyware detection" apps only scan for known spyware. New and well hidden spyware goes unnoticed, and detecting baseband eavesdropping (very serious) isn't even considered. 

SPYWARN™ IS DIFFERENT
(patent pending)
SpyWarn™ 2.0 is a new and unique forensic methodology. It provides the functionality to detect all active spyware by monitoring what the infection is doing, and... ALL spyware is doing something.  

Plus, SpyWarn™ 2.0 detects both spyware and baseband eavesdropping in real-time.


Not just spyware detection... 
This forensic app also contains an eBook version of, "Is My Cell Phone Bugged?" at no extra charge. This informative eBook is about regaining your overall communications privacy, and keeping snoops out of your life.

A forensic examination by a specialist generally costs between $200.00 - $300.00 per inspection, and the end result is not as informative as SpyWarn™.

SpyWarn™ 2.0 is priced to help everyone, only $2.99. 

Don't wait until you have a spyware problem. Get SpyWarn™ on your phone now. Start conducting benchmark tests and saving them to SpyWarn's History file. When you do get a spyware infection it will be very apparent.

Privacy Policy - We are serious about privacy. Only you get to see the data SpyWarn™ collects; it never leaves your phone.

100% Satisfaction Guarantee
Try SpyWarn™ for 7 days. If you are not satisfied with its performance, tell me why so I can improve it, and I will refund the full purchase price to you. You keep the app and eBook.

If SpyWarn™ helps you, help others regain their privacy by writing a positive review on Google Play.

Thank you,
Kevin D. Murray CPP, CISM, CFE, MPSC
and The SpyWarn™ Team

Sunday, April 13, 2014

Second Eavesdropping Bug is Found in Google Chrome

A security blogger has discovered a flaw in Google Chrome that allows attackers to turn any victim's machine into a listening post.

A blogger named Guya explained that a deprecated speech API known as "x-webkit-speech" can be harnessed to run in the background without any indication to the end user that their microphone is on. His blog post includes a video that demonstrates the flaw, which you can view below.

A developer simply needs to add a single line of code to a website to exploit the bug and gain access to an audio feed of the victim's environment. (more)


Tuesday, March 11, 2014

Dendroid Spying RAT Malware Found on Google Play

A new Android malware toolkit called Dendroid is being offered for sale by its creators, and at least one of the malicious APKs created with it has managed to fool Google Play's Bouncer...
The malicious APKs can purportedly intercept, block, and send out SMSes; record ongoing phone calls; take pictures, record video and audio by using the device's camera and microphone; download pictures the device owner has already made, as well as his or her browser history and bookmarks; and extract saved login credentials and passwords for a variety of accounts.
 

"Dendroid also comes bundled with a universal 'binder application.' This is a point-and-click tool that a customer can use to inject (or bind) Dendroid into any innocent target application that they choose with minimal effort," the researchers added.
"This means that all a wannabee malware author needs in order to start pumping out infected applications is to choose a carrier app, download it and then let Dendroid’s toolkit take care of the rest."

Sold for $300 (in crypto currencies), the toolkit comes with a warranty that the malware created with it will remain undetected.
The researchers have discovered one app created with Dendroid that managed to get included and offered on Google Play by leveraging anti-emulation detection code that fools Google Play's Bouncer, the automated app scanning service that analyzes apps by running them on Google’s cloud infrastructure and simulating how they will run on an Android device. The app has since been removed from the market. (more)


Why this is important...
It means that any jerk with $300 and some computer skills can turn any other app into your worst nightmare. BTW, it can be detected. q.v. SpyWarn™ — coming soon.

Friday, January 24, 2014

Spybusters Tip #873 - Eavesdropping on Foscam IP Video Cameras

The following Foscam MJPEG based video cameras (firmware version .54) can be accessed without a password: FI8904W, FI8905E, FI8905W, FI8906W, FI8907W, FI8909W, FI8910E, FI8910W, FI8916W, FI8918W, FI8919W

Foscam will be posting a firmware upgrade on their website to fix this issue. Unfortunately, most users will never know about it. 
 
Test Your Camera - A quick way to verify and confirm if your camera has this issue:
1. Enter your camera's IP address in your web browser. Example: 192.168.1.101
2. When you see the password screen do not enter a User Id and Password. Simply click the OK button. If you see your camera, you have the problem. 

Use this work-around for temporary protection (here), and be sure to upgrade the firmware when it becomes available (here).

Tuesday, December 10, 2013

Industrial Espionage Gets Caddy

via TechRepublic.com...
With all the recent industrial espionage, it was only a matter of time before malware developers would take a look at Computer-Aided Design (CAD) programs as a way to exfiltrate proprietary documents and drawings from engineering firms...

The first time I read about an AutoCAD malware was last year when ESET.com reported a strange anomaly on their LiveGrid network. It was strange because the malware attacked AutoCAD, but only in Peru of all places.

After some investigation, it was determined the malware ACAD/Medre.A was a worm programmed to send AutoCAD drawings via email to an account (you guessed it) in China. The experts at ESET had this to say:

ACAD/Medre.A is a serious example of suspected industrial espionage. Every new design created by a victim is sent automatically to the authors of this malware...

Something else that ESET pointed out bothered one of my clients when I told them about ACAD/Medre.A: “The attacker may even go so far as to get patents on the product before the inventor has registered it at the patent office. The inventor may not know of the security breach until his patent claim is denied due to prior art.”


...a new trojan popped up on Trend Micro’s radar—ACM_SHENZ.A, and it was targeting AutoCAD programs. But with a twist, the malware was benign. Like most trojans, its job was to gain a foothold on the victim’s computer.

Once safely entrenched, ACM_SHENZ.A obtains administrative rights which make it simple for the malware to create network shares for all drives. The malware also opens ports: 137, 138, 139, and 445. Doing so allows access to files, printers, and serial ports.

Obtaining administrative rights also allows the attacker to plant additional malware. It’s this additional malware that experts at Trend Micro suspect will be used to steal drawings and engineering documents...


CAD drawings are now a valid attack vector. (more)

Monday, December 9, 2013

On "Free" Security Apps...

I came across a new smartphone security app the other day which caught my eye. It promised...
  • Free and secure phone calls.
  • Send self-destructing messages.
  • Recall or remotely wipe sent messages.
  • Safely share private photos and videos.
  • Photo vault to hide photos and videos.
  • Hide text messages, contacts, call logs.
  • Private vault for documents, notes and diary.
Just load the app on your phone (and the people you want to communicate with), and you're good to go. It sounded like something which my readers would like to know about. I downloaded it with the thought of giving it a try. But then, I thought again.

In my mind, I could hear my father saying, "there is no free lunch, if it looks too good to be true..." The years have always proven him correct.

The app's web site had a foreign country URL. Not a big issue. Perhaps it was the only place where the site's name was available. A little more digging and I came up with a company address here in the United States; a residential address. Again, not a big issue. The company is just over a year old, they have no other products, and software development from home is common. Both the Chairman and CEO of the company have names normally associated with a foreign country. I am still not fazed. The United States is the world's melting pot.

A question on their FAQ page was the first red flag. "Why do you need my cell phone number to activate the service?" The answer, "we need the number so we can send you the activation code." My question is, why does a free encryption product need an activation code? It sounds like a ploy to identify users. Apparently, enough people felt this was an invasion of their privacy. The next part of the company's answer was that the code would no longer be needed after version x.xx.

The next FAQ was, "Why do you upload my contact book to your servers?" The answer smelled like more dung. Apparently, everything the app does goes through their servers.

On to the fine print. 

The product is specifically not guaranteed: not the encryption, not the self-destruction of the messages, photos or videos, nothing. They accept no liability. They are held harmless in the event transmissions are decrypted, deleted, copied, hacked, or intercepted.

Apps cost money to develop. Even allowing for ads, as these folks do, that is not enough money to justify an app this fancy (assuming it fulfills all its claims). There must be another payoff. What's worth money here? 

Information. 

People who use encryption are a select group; easy to target. For whatever reason, they feel their information is valuable. Hummm, a free security app could be a great espionage tool. Let's see what information the company admits to collecting...

"We have the right to monitor..." Boom! What!?!? 

And, they collect: IP addresses, email addresses, phone numbers, address books, mobile device ID numbers, device names, OS names and versions. They can know who you are, where you are, and information about everyone you know. Even if you never use this app, if you are in the address book of someone who does, you're now coin of their realm.

"Photos and videos are cached on servers..." and you can't delete them. They claim they will do this for you after, "a period of time."

Throughout all of this, the user's fire-of-fear is doused with, don't worry, it's all encrypted, no one but you can see it, trust me. Right... how about a little trust, but verify. Other security software companies allow vetting. I saw no claims that their code was independently vetted for bugs, back doors, or spyware. And, what about that "We have the right to monitor..." clause? How is that accomplished without a back door?

They, "May collect statistics about the behavior of users and transmit it to employees, contractors and affiliated organizations outside your home country." Yikes. Who are you affiliated with anyway? Please don't tell me, "if I tell you, I will have to kill you."

Here's another kicker. If they sell the company, "user information is one of the assets which would be transferred or acquired by the third party."

This may be a perfectly legitimate app. Maybe I'm paranoid. But, money, power, politics, espionage and blackmail all come to mind. Any government intelligence service, business espionage agent, or organized crime boss could have come up with this as a ruse. 

Which brings me to the moral of this story...

Before you trust any security service, vet it thoroughly. 
If your OTHBD needle starts to tremble, don't rationalize, move on. ~Kevin

Saturday, November 2, 2013

Encryptors Unite! - From Those Wonderful Folks Who Brought You Lavabit & Silent Circle

Our Mission - To bring the world our unique end-to-end encrypted protocol and architecture that is the 'next-generation' of private and secure email.

As founding partners of The Dark Mail Alliance, both Silent Circle and Lavabit will work to bring other members into the alliance, assist them in implementing the new protocol and jointly work to proliferate the world's first end-to-end encrypted 'Email 3.0' throughout the world's email providers.

Our goal is to open source the protocol and architecture and help others implement this new technology to address privacy concerns against surveillance and back door threats of any kind. (more)

Monday, September 16, 2013

"Secure" Integrated Circuit Chip Salami'ed into Spilling Secrets

A technique has been developed to bypass elaborate physical protections and siphon data off the most secure chips potentially including those used to protect military secrets.

The proof-of-concept technique demonstrated by researchers at Berlin's Technical University and security consultancy IOActive was successfully applied to a low-security Atmel chip commonly used in TiVo video recording devices. But the research team found that their complex and expensive attack could be applied to successfully pry data from highly-secure chips.

The attack used a polishing machine to mill down the silicon on the target chip until it was 30 micrometers thin.

The chip was then placed under a laser microscope fitted with an infrared camera to observe heat emanating from where encryption algorithms were running.

A focused ion beam was then shot at the chip, which dug a series of two-micrometer-deep trenches in which wiretap probes were inserted.

Together, the elaborate techniques if bolstered by the use of more expensive equipment not available to the researchers could potentially bypass the most advanced chip security mechanisms. (more)

Friday, July 26, 2013

Double-Edged Sword Zone - Protect Your Office with iSpy (FREE)

iSpy (64-bit) uses your webcams and microphones to detect and record movement or sound and provides security, surveillance, monitoring and alerting services. You can Control cameras with PTZ, one-click or auto upload to YouTube, auto FTP to any servers, Listen to and monitor audio live over the network, connect and monitor as many cameras and microphones as you like, import and export object lists to share with colleagues, connect multiple computers in a group and manage over the web. FREE Download. (free warning sticker - download and print)


Of course, you can see how this could be used against you, and there is no free lunch. The software download is free, but there are $ enhancements ~Kevin

Monday, July 22, 2013

SIM Card Flaw Could Allow Eavesdropping on Phone Conversations

Vulnerability in the security key that protects the card could allow eavesdropping on phone conversations, fraudulent purchases, or impersonation of the handset's owner, a security researcher warns.

Karsten Nohl, founder of Security Research Labs in Berlin, told The New York Times that he has identified a flaw in SIM encryption technology that could allow an attacker to obtain a SIM card's digital key, the 56-digit sequence that allows modification of the card. The flaw, which may affect as many as 750 million mobile phones, could allow eavesdropping on phone conversations, fraudulent purchases, or impersonation of the handset's owner, Nohl warned. 

Can you decode the code?
"We can remotely install software on a handset that operates completely independently from your phone," warned Nohl, who said he managed the entire operation in less than two minutes using a standard PC. "We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account." (more)


The U.N.'s Geneva-based International Telecommunications Union, which has reviewed the research, described it as "hugely significant."

Cracking SIM cards has long been the Holy Grail of hackers because the tiny devices are located in phones and allow operators to identify and authenticate subscribers as they use networks. (more)
 

Saturday, June 29, 2013

New Video Game Steeped in Surveillance, Wiretapping and SpyCaming

One of several surveillance-related games at E3, "Watch Dogs" casts players as Aiden Pearce, a vigilante who can tap into security cameras and listen in on phone calls across a virtual rendition of an automated Chicago...

The timing of "Watch Dogs" is remarkable in light of recent revelations about the National Security Agency's controversial data-collection programs. They were revealed in media stories by The Guardian and The Washington Post, leaked by former NSA contractor Edward Snowden.

Is "Watch Dogs" a case of a video game imitating life — or the other way around? (more)

Friday, April 5, 2013

AppSec USA 2013 is Coming to NYC

Call for Papers NOW OPEN!
CareerFair
Events
(Capture the Flag, Battlebots, Lockpick Village, and more)


AppSec USA is a software security conference for technologists, auditors, risk managers, and entrepreneurs, gathering the world's top practitioners to share the latest research and practices at the Marriott, NYC. It is hosted by OWASP. (Why you would want to attend.)

What is OWASP?


The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. 


Everyone is free to participate in OWASP and all of their materials are available under a free and open software license. 

You'll find everything about OWASP here on or linked from our wiki and current information on our OWASP Blog

OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.

OWASP is a global group of volunteers with over 36,000 participants. (more)

Friday, January 4, 2013

Security Director Alert - VoIP Phone Eavesdropping

Murray Associates warns clients that VoIP phones are inherently less secure than the older style phones. It is one reason they advise disconnecting phones in meeting rooms until they are needed. 

Ang Cui, through his extensive research, has moved this threat from theoretical to very real. 

For in-depth information we recommend viewing his presentation. (video)

High-tech telephones common on many workplace desks in the U.S. can be hacked and turned into eavesdropping devices, researchers at Columbia University have discovered.

The hack, demonstrated for NBC News, allows the researchers to turn on a telephone's microphone and listen in on conversations from anywhere around the globe. The only requirement, they say, is an Internet connection.

Doctoral candidate Ang Cui and Columbia Professor Sal Stolfo, who discovered the flaw while working on a grant from the U.S. Defense Department, say they can remotely order a hacked telephone to do anything they want and use software to hide their tracks. For example, they said they could turn on a webcam on a phone equipped with one or instruct the phone's LED light to stay dark when the phone's microphone has been turned on, so an eavesdropping subject wouldn’t be alerted that their phone has been hacked. (more)

Thursday, December 13, 2012

How to secure your Android phone - 14 Tips

via Gary Sims, Spybusters and SpyWarn...
Tip #1 – Never leave your phone lying around where uninvited guests can access it.
Tip #2 – Use a lock screen.
Tip #3 – Set a PIN to protect purchases on Google Play.
Tip #4 – Install a phone location app / security app with an anti-theft component.
Tip #5 – Don’t install apps from dodgy third party sites.
Tip #6 – Always read the reviews of apps before installing them.
Tip #7 – Check the permissions. Does the "game" really need to send SMS messages?
Tip #8 – Never follow links in unsolicited emails or text messages to install an app.
Tip #9 – Use an anti-virus / anti-malware app.
Tip #10 – Don’t root your phone unless absolutely necessary.
Tip #11 – If your device has valuable data on it, use encryption.
Tip #12 – Use a VPN on unsecured Wi-Fi connections.
Tip #13 – Read "Is My Cell Phone Bugged?"
Tip #14 – Use SpyWarn (freemium) periodically to help determine if your phone has been infected with spyware.
(more)

Thursday, November 29, 2012

Security Alert: Patch Your Samsung Printers

Samsung printers contain a hardcoded backdoor account that could allow remote network access exploitation and device control via SNMP. (Yes, your print job may be stolen before the paper hits the tray.) Details of the exploit have been published... Samsung has stated that models released after October 31, 2012 are not affected by this vulnerability. Samsung has also indicated that they will be releasing a patch tool later this year to address vulnerable devices. (more)

Thursday, October 25, 2012

Maltego - For the PI and Security Director of the Future

via techhive.com...
What Maltego does is quickly and succinctly draws on public data sources to put together a graphical digital footprint...

Maltego is highly efficient at quickly assembling digital crumbs and linking those pieces together, which would be tedious work otherwise. 

Roelof Temmingh (co-creator) used Maltego to search Twitter with coordinates for the vicinity of the NSA's parking lot...

Temmingh pulled up a web of scattered tweets in Maltego. He picked out one person...

Then Maltego combed social networking sites, checking sources such as Facebook, MySpace, and LinkedIn. An identical photo linked the person's Facebook and MySpace page. From there, Maltego spotted more information. After a day of searching, Maltego discovered the person's email address, date of birth, travel history, employment, and education history.

"This is about a day's worth of digging around," Temmingh said. "It's not weeks and weeks."

Other interesting information can come from EXIF (exchangeable image file) data, which is information often embedded in a photograph... (more)


An investigative tool, and vulnerability assessment tool. For cutting-edge PIs, a competitive advantage. For the average security director, a mini FBICIANSA. ~Kevin

Saturday, October 6, 2012

Facebook Logic - What harm can a little spying do?

A federal court in May 2012 hit Facebook with a $15 billion lawsuit after it was found that the social network was tracking customers after they logged out of its system. The court filing claims that Facebook is violating federal wiretap laws.

The Menlo Park company is now asking that the case be dismissed because the defendants behind the case have failed to specify how they were harmed by the error in Facebook’s judgement. (more)

Friday, September 28, 2012

Mobile malware up 2,180% - Threats to mobile devices rocket and set to rise further.

Between Q1 2011 and Q2 2012 ABI Research found that unique malware variants grew by 2,180 percent reaching 17,439. 

And these threats are set to increase significantly.

"With the increasing popularity of smartphones, mobile threats are on the rise. This has implications for security at the corporate level as well as for individual privacy," says Michela Menting, senior cyber security analyst. 


"The mobile application security market is rife with vendors offering their wares. The priority now for end-users is understanding the issue at hand and finding the right offering that best suits their needs," said Menting. (more) (SpyWarn)