Showing posts with label statistics. Show all posts

Saturday, October 26, 2013

Business Espionage in America - We Lose More Than We Take in Taxes

The United States has known for some time that it has been victimized by economic espionage mounted by other countries, especially China and Russia. According to a counterintelligence expert hired by companies to help them counter this threat, the toll for these crimes is far, far higher than what has been officially reported.

Economic espionage represents “the greatest transfer of wealth in history,” said General Keith Alexander, NSA director and commander of U.S. Cyber Command, at the American Enterprise Institute in 2012...

Due to the nature of the business, it is often difficult to place solid numbers on the cost of economic espionage. To protect their investors, companies rarely want to announce breaches by spies or hackers to the public, and government agents often find gathering enough evidence to charge an insider with espionage difficult.

The lack of transparency on economic espionage makes it a difficult problem to tackle.

The FBI estimates that economic espionage costs the U.S. $13 billion a year, yet their numbers are based only on current FBI cases where spies have been caught and charged. It does not include the majority of theft that was not reported, or the scale of breaches that are unknown to the companies...

During his speech, General Alexander said investigations by the FBI and other agencies find that for every company that detects a cyberattack there are 100 others that are unknowingly being hacked...

Nonetheless, U.S. companies are still largely on their own when it comes to defending against economic espionage, and the threat is very real. When the “Economic Espionage Penalty Enhancement Act of 2011” was passed, former U.S. Senator Herb Kohl said in a press release, “As much as 80 percent of the assets of today’s companies are intangible trade secrets.” (more)


You don't have to be on your own. Help is available. Call me.

Wednesday, August 28, 2013

Millions of Android Users Vulnerable to Security Threats, Say Feds

According to a new document obtained by Public Intelligence, the U.S. Dept. of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are increasingly aware of the threats its law enforcement users and officials face at a federal, state, and local level in using older versions of the Android mobile platform.

According to the roll call release — marked as unclassified but "for official use only," and designed for police, fire, emergency medical services (EMS) and security personnel — upwards of 44 percent of Android users worldwide are still using Android versions 2.3.3 to 2.3.7, which still contain security vulnerabilities fixed in later versions. (more)


Spybusters Tip #492 - The latest version of Android is 4.3. Time to upgrade.

Tuesday, August 27, 2013

Your Boss Won't Stop Spying on You (Because It Works)

No one likes the idea of a workplace in which managers keep a constant eye on employees. Workers find it creepy, and it’s not as if ambitious managers clawed their way up the ladder just to snoop on their underlings all day. Still, much of the surveillance now takes place electronically—in theory, freeing bosses to focus on other matters while monitoring software keeps everyone in line. So office spying isn’t going away.

A study published over the weekend by researchers suggests that electronic surveillance in the workplace is strikingly effective (PDF). An examination of data provided by NCR (NCR), which makes software that examines all activity on restaurants’ point-of-sale systems while looking for suspect patterns, found lower levels of theft under workplace surveillance. NCR even says that employees seem to become more productive in other ways. (more)

Monday, July 29, 2013

World's Biggest Data Breaches - Infographic

A beautiful way to get the point across...

Be sure to visit the interactive original HERE.

And, the winner of Who's Got the Biggest Electronic Ear is...

"According to the Max Planck Institute, you're 100 times more likely to be surveilled by your own government if you live in the Netherlands or you live in Italy," Baker said. 

"You're 30 to 50 times more likely to be surveilled if you're a French or a German national than in the United States." (more)

Wednesday, July 24, 2013

Business Secrets Leak via Personal Devices

The smartphone revolution opened the floodgates to the BYOD (bring your own device) trend among workers... 

More than half of information workers own the devices they use for work, according to Forrester Research, which surveyed almost 10,000 people in 17 countries, and that proportion is likely to increase, says David Johnson, a senior analyst at Forrester.

The groundswell caused many IT directors to simply throw up their hands.
A study published last November by Kaspersky Lab, a digital-security firm, found that one in three organizations allowed personal cellphones unrestricted access to corporate resources—with troubling consequences. One in five companies in the same survey admitted losing business data after personal devices were lost or stolen. (more)


The pressure is on manufacturers to come up with better security features. 
"Certified for Business Use" has a nice value-added ring to it.

Android Phones - The New Corporate Espionage Tool

Alcatel-Lucent’s Kindsight subsidiary has released figures that show an increase in malicious software (malware) used by hackers to gain access to devices for corporate espionage, spying on individuals, theft of personal information, generating spam, denial of service attacks on business and governments and millions of dollars in fraudulent banking and advertising scams.

“Malware and cybersecurity threats continue to be a growing problem for home networks and mobile devices, particularly for Android smartphones and tablets which are increasingly targeted,” said Kevin McNamee, security architect and director of Alcatel-Lucent’s Kindsight Security Labs.

“A third of the top 15 security threats are now spyware related, up from only two spyware instances the last quarter,” said McNamee. “MobileSpy and FlexiSpy were already in the top 15 list, but SpyBubble moved up to take the 4th spot, while SpyMob and PhoneRecon appeared for the first time, ranking 5th and 7th respectively.

“Mobile spyware in the BYOD context poses a threat to enterprises because it can be installed surreptitiously on an employee’s phone and used for industrial or corporate espionage.”

McNamee said it is “surprisingly easy” to add a command and control interface to allow the attacker to control the device remotely, activating the phone’s camera and microphone without the user’s knowledge.

This enables the attacker to monitor and record business meetings from a remote location. The attacker can even send text messages, make calls or retrieve and modify information stored on the device – all without the user’s knowledge.

“The mobile phone is a fully functional network device. When connected to the company’s Wi-Fi, the infected phone provides backdoor access to the network and the ability to probe for vulnerabilities and assets.” (more)


Security Directors: FREE Security White Paper - "Surreptitious Workplace Recording ...and what you can do about it."  

Friday, July 19, 2013

Mobile Security Apps Perform Dismally Against Spyware

via Josh Kirschner at Techlicious...
Mobile spyware can have a devastating effect on your life; the constant fear that a spouse, significant other or even employer is following your every move, knows everything about your life and has completely removed any vestige of privacy...

And spyware is not as rare as you may think. According to mobile security company Lookout, .24% of Android phones they scanned in the U.S. had surveillance-ware installed intended to target a specific individual. Sophos reports a similar .2% infection rate from spyware. If those numbers hold true for Android users in general, that would mean tens of thousands could be infected.

I set out to test the leading Android anti-malware vendors to see how they fared at protecting us against the threat of spyware...

The results, generally speaking, were dismal. Of twelve products I tested, none was able to detect more than two-thirds of the samples. Many missed half or more of the spyware apps. And, surprisingly, the potential spyware apps least likely to be detected were those widely available in Google Play. (more)

Josh did an excellent job researching this topic and we thank him for publicly exposing the flaws. 

Now, what can be done about really detecting spyware?

Murray Associates was approached by two clients several years ago who had come to the same conclusion as Josh via their own research. They asked us to develop a solution – based on the following conditions:
  1. The solution must make quick and reasonable spyware evaluations. 
  2. No special forensic tools should be required. 
  3. No special skills should be necessary.
  4. No assistance should be necessary once the initial training is over. The phone owner must be able to conduct the test him- or herself—anytime, anyplace.
  5. Advancements in spyware software and cell phone hardware should not render the test ineffective.

The results of this project are published in the book, "Is My Cell Phone Bugged?", and are used in SpyWarn 2.0, a unique Android spyware detection app.

Sunday, June 30, 2013

Number of federal wiretaps rose 71 percent in 2012

The number of wiretaps secured in federal criminal investigations jumped 71 percent in 2012 over the previous year, according to newly released figures.

Federal courts authorized 1,354 interception orders for wire, oral and electronic communications, up from 792 the previous year, according to the figures, released Friday by the Administrative Office of the United States Courts. There was a 5 percent increase in state and local use of wiretaps in the same period. (more)

Tuesday, April 16, 2013

Small Business Espionage Attacks Up 42%

Smaller companies, their websites and their intellectual property are increasingly being targeted by cyberattacks, a new report on IT security trends says.

Targeted attacks were up 42 per cent in 2012 compared to the year before, and businesses with fewer than 250 employees are the fastest growing segment being targeted, according to the annual internet security threat report issued Tuesday by Symantec...

The type of information being targeted by attackers is also changing — financial information is now losing ground to other kinds of competitive data, the report found. (more)

Wednesday, March 27, 2013

Cell Phone Fingerprinting - GPS Tells WHO You Are

Can you be identified only by where you take your phone? Yes, according to a new study, which finds it's not very hard at all.

While most of us are free to go wherever we want, our daily and weekly movement patterns are pretty predictable. We go to work, to school, to church, to our neighborhood gym, grocery store or coffee shop, and we come home -- all quietly tracked by the GPS in our phone.


And with nothing more than this anonymous location data, someone who wanted to badly enough could easily figure out who you are by tracking your smartphone. Patterns of our movements, when traced on a map, create something akin to a fingerprint that is unique to every person.
 

"Four randomly chosen points are enough to uniquely characterize 95% of the users (ε > .95), whereas two randomly chosen points still uniquely characterize more than 50% of the users (ε > .5). This shows that mobility traces are highly unique, and can therefore be re-identified using little outside information."

Those are the findings of a report by researchers from MIT and elsewhere, published this week in the journal Scientific Reports. (more)

Wednesday, January 16, 2013

What Happens When You Lose A Cell Phone?

Vodafone wondered too...
In The Lost Phone Experiment, Vodafone planted 100 phones throughout the Netherlands, and tracked their fortunes via a web site.

They came up with some interesting data about how many are returned, where they traveled to, what they were used for, and by whom. Open the site up using Chrome and hit "Translate" so you can read it in English. (more)

Spoiler Alert: About 30% were returned to their owners.

Monday, December 17, 2012

NCTC Scope "Breathtaking" - "Pre-Cogs" - fiction to fact in 10 years

via The Wall Street Journal...
Counterterrorism officials wanted to create a government dragnet, sweeping up millions of records about U.S. citizens—even people suspected of no crime...

 


The rules now allow the little-known National Counterterrorism Center to examine the government files of U.S. citizens for possible criminal behavior, even if there is no reason to suspect them. That is a departure from past practice, which barred the agency from storing information about ordinary Americans unless a person was a terror suspect or related to an investigation.

Now, NCTC can copy entire government databases—flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and many others. The agency has new authority to keep data about innocent U.S. citizens for up to five years, and to analyze it for suspicious patterns of behavior. Previously, both were prohibited. Data about Americans "reasonably believed to constitute terrorism information" may be permanently retained...

The changes also allow databases of U.S. civilian information to be given to foreign governments for analysis of their own. In effect, U.S. and foreign governments would be using the information to look for clues that people might commit future crimes.

"It's breathtaking" in its scope, said a former senior administration official familiar with the White House debate. (more)

2012 - Targeting U.S. Technologies Report Out

"Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry" presents DSS' analysis of industry reports submitted in 2011.


Although the report is geared for Facility Security Officers at Cleared Defense Contractors (CDC), it is a valuable reference for law enforcement, public and private sector executives and security officials responsible for protecting intellectual property, trade secrets and sensitive corporate information, as the trends in collection directed against CDCs are important in understanding foreign collection directed against economic and corporate data in all business and government sectors. The 2012 DSS Full Report, containing information on 2011 incidents, can be downloaded here.

Thursday, November 8, 2012

Meet the Superheroes Fighting for Your Right to Mobile Privacy

Five years into the smartphone era, the threats to user privacy have never been higher.  

The complex and mostly unregulated privacy concerns of the mobile ecosystem have driven many users to take their privacy into their own hands, whether that means deleting apps that ask for too much information or turning off location services.

However, the fight over mobile privacy is just really starting to take shape. We wanted to get a beat on where that fight is now, and about what – if truly anything – privacy advocates think will change the future of mobile towards a more user controlled experience... (more)

Friday, September 28, 2012

Mobile malware up 2,180% - Threats to mobile devices rocket and set to rise further.

Between Q1 2011 and Q2 2012 ABI Research found that unique malware variants grew by 2,180 percent reaching 17,439. 

And these threats are set to increase significantly.

"With the increasing popularity of smartphones, mobile threats are on the rise. This has implications for security at the corporate level as well as for individual privacy," says Michela Menting, senior cyber security analyst. 


"The mobile application security market is rife with vendors offering their wares. The priority now for end-users is understanding the issue at hand and finding the right offering that best suits their needs," said Menting. (more) (SpyWarn)

Wednesday, July 11, 2012

Historical Earthquake Map - Interesting & Sobering

Guess what can trigger your business continuity plan faster than a spy stealing your trade secrets?

Phil's blog has a link to an enlarged version.
That's right. Mother Nature!

My friend and colleague, Phil Rothstein, Rothstein Associates, Inc., is an expert on keeping businesses running. Today, he posted some astounding historical maps on earthquakes and tornadoes. Have a look.

What!?!? You don't have a business continuity plan! Talk to Phil. Now.

Monday, July 9, 2012

Data Diarrhea - Cell Tower Dumps

If you secretly suspected that nifty mobile device in your pocket was spying on you, your paranoia has just been richly rewarded.

As the New York Times reports, a Congressional inquiry into cell phone surveillance reveals that U.S. law enforcement agencies requested data from wireless carriers more than 1.3 million times last year -- or nearly 500 times the number of wiretaps approved over the same period.

That number is way larger than anyone expected. But the actual number of people spied on might be even higher, says the Times:

"Because of incomplete record-keeping, the total number of law enforcement requests last year was almost certainly much higher than the 1.3 million the carriers reported to [Senator] Markey. Also, the total number of people whose customer information was turned over could be several times higher than the number of requests because a single request often involves multiple callers. For instance, when a police agency asks for a cell tower "dump" for data on subscribers who were near a tower during a certain period of time, it may get back hundreds or even thousands of names." (more)

Friday, June 29, 2012

Fun Fact: Private Investigations on the Rise in India

India's Assn. of Private Detectives and Investigators has 1,200 members, up from 13 in 2005. Much of the industry's business involves premarital investigations. Growing demand spurred the recent opening of Kolkata's Anapol Institute, said to be India's first private-detective school. (more)

"We do Private Investigation either in Kitchen or in Bedroom or anywhere with evidence. We use all available modern Electronic Gadgets." Quote from a local agency.

FutureWatch: The rise of TSCM services.