Saturday, October 18, 2014
Friday, October 17, 2014
Even Good Spies Have a Bad Day Once in a While
The Australian Security Intelligence Organisation (Asio) inadvertently spied on its own employees, in one of a series of surveillance breaches in the past 12 months compiled by Australia’s intelligence watchdog.
The Inspector General of Intelligence and Security (Igis) annual report was tabled in parliament on Thursday, and identified a series of breaches of Asio’s spying powers at a time when the federal government is granting the agency unprecedented new powers. (more)
Binder Flaw Threatens to Blow Apart Android Security
Security researchers have warned of a serious security flaw in Android which could potentially leave every device open to attack.
The vulnerability is in the operating system’s ubiquitous inter-process communication (IPC) tool known as Binder, according to a Black Hat Europe presentation on Thursday by Check Point researchers Nitay Artenstein and Idan Revivo...
“Subverting this component allows an attacker to see and control almost all important data being transferred within the system,” the two say in their research paper. (more)
Hackers Target Hong Kong Protesters via iPhones
When the Hong Kong protests were at their height, activists using WhatsApp received messages advertising a program that promised to help them coordinate protests.
When the demonstrators downloaded the program through a link in the message, it turned out to be malicious software—most likely created by the Chinese government—that hacked their smartphones.
Lacoon Mobile Security, based in San Francisco, began to analyze the phony app after spotting unusual communication on the networks of its corporate clients, some of whose employees had downloaded it. In tracing the spyware’s path to the websites where it sent data, Lacoon’s researchers found a much rarer species of malware: a version that can steal information from iPhones. (more) (video)
Thursday, October 16, 2014
FBI to Congress - More Power Please
The FBI is asking Congress to give it new powers to force technology companies to turn over private information on their customers.
FBI Director James Comey warned Thursday that new technologies are making it easy for criminals to hide incriminating information from police...
For several years, the FBI has been warning about the problem of new technologies allowing criminals to "go dark." But Comey explained that his new push was prompted by the decisions by Apple and Google to provide default encryption on their phones that will make it impossible to unlock them for police, even when faced with a court order. (more)
Tunnel Vision Focus on IT Security - The Biggest Mistake...
...companies make when securing sensitive data.
FACTS
• All pre-computer era information theft tactics still work, and are still used.
• Most “computerized” information is available long before it is put into a computer.
• Data theft is the low hanging fruit of the business espionage world. The real pros use ladders.
Murray's Holistic Approach to Information Security
1. Protect information while it is being generated (discussions, audio and video communications, strategy development). Conduct Technical Surveillance Countermeasures (TSCM) inspections of offices and conference rooms on a scheduled basis. Example: Ford Motors found voice recorders hidden in seven of their conference rooms this summer.
2. Protect information while it is in transit (phone, teleconference, Board meetings, off-site conferences). Wiretapping and Wi-Fi are still very effective spy tools. Check for wiretaps on a scheduled basis, and/or encrypt the transmissions. Conduct pre-meeting TSCM inspections. Tip: Never let presenters use old technology FM wireless microphones. The signal travels further than you think, and is easily intercepted.
3. Protect how information is stored. Unlocked offices, desks and file cabinets are a treasure trove of the freshest information. Print centers store a copy of all print jobs. Limit written distribution of sensitive information. Crosscut shred sensitive waste paper. All these vulnerabilities and more should be covered during the security survey portion of your TSCM inspection.
4. Educate the people to whom sensitive information is entrusted. Security briefings don’t have to be long and tedious. Establish basic rules and procedures. Explain the importance of information security in terms they can understand, e.g. “Information is business blood. If it stays healthy and in the system, your job, and chances for advancement, stay healthy.”
Effective information security requires a holistic protection plan. IT security is an important part of this plan, but it is only one door to your house of information.
There is more you need to know. Contact a TSCM specialist for further assistance. (counterespionage.com)
Cell Phone Eavesdropping Just Became Really Difficult
Scientists have invented a new method to encrypt telephone conversations that makes it very difficult to 'eavesdrop'.
Professor Lars Ramkilde Knudsen from Technical University of Denmark (DTU) has invented a new method called dynamic encryption to ensure that all telephone calls are encrypted and eavesdroppers are unable to decrypt information in order to obtain secrets...
The new method expands the AES algorithm with several layers which are never the same... The new system can prove hugely effective in combating industrial espionage, said Knudsen.
Industrial espionage occurs when different players discover and steal trade secrets such as business plans from companies, technical know-how and research results, budgets and secret plans using phone tapping. (more)
Wednesday, October 15, 2014
Chinese Renovation Plan Creates Waldorf-Hysteria
Concerned about potential security risks, the U.S. government is taking a close look at last week's sale of New York's iconic Waldorf Astoria hotel to a Chinese insurance company.
U.S. officials said Monday they are reviewing the Oct. 6 purchase of the Waldorf by the Beijing-based Anbang Insurance Group, which bought the hotel from Hilton Worldwide for $1.95 billion. Terms of the sale allow Hilton to run the hotel for the next 100 years and call for "a major renovation" that officials say has raised eyebrows in Washington, where fears of Chinese eavesdropping and cyber espionage run high. (more)
Rogue Bank Security Department Buys Wiretaps
The accusations read like a pulp thriller: Citigroup employees in Mexico are suspected of pocketing millions of dollars in kickbacks from vendors. And bodyguards for bank executives bought audio recordings of personal phone calls and created shell companies to disguise their fraud...
The security unit’s primary purpose was to protect the Banamex leadership, but at some point, the unit started operating beyond its approved duties, according to the person briefed on the matter who was not authorized to speak publicly because of the criminal investigation. The security unit was also providing protection and security consulting services for people outside the bank, sometimes as a courtesy and at other times for money, the internal investigation found. The conduct spanned more than a decade, the investigation found, extending into last year...
Citigroup’s outside lawyers have turned over information to law enforcement officials in Mexico and the United States, but there are many things the bank doesn’t know about the rogue security unit. For example, the security team had purchased audio surveillance files from “third parties” that included cellphone and landline conversations of dozens of people — some of a highly personal nature, the person said. The Banamex unit then transcribed many of these files. It was unclear why the security team was amassing records of the personal conversations. The bank’s investigators are still working to determine why the security unit gathered the conversations, involving dozens of people, many of whom had nothing to do with the bank. (more)
Tuesday, October 14, 2014
Aaron's Settles Spy Software Installation Charges
Aaron's Inc., the nation's second-largest chain of rent-to-own appliance and furniture stores, agreed to pay $28.4 million to settle allegations that it violated California consumer privacy and protection laws by allowing software that secretly monitored consumers to be installed on rental computers, according to regulators.
The Atlanta-based retailer allegedly overcharged customers, left out important contract disclosures and installed software that could track the keystrokes of people who rented computers and even activate webcams or microphones to record users. (more)
Monday, October 13, 2014
Word on the Street: Hertz has cameras in their cars!
...from an anonymous blog entry...
I am a regular renter from Hertz (President's Circle)... I got into a rental car at O'Hare airport.
I immediately noticed the new NeverLost and I was completely shocked to see a camera built into the device looking at me. The system can't be turned off from what I could tell...
I know rental car companies have been tracking the speed and movements of their vehicles for years but putting a camera inside the cabin of the vehicle is taking their need for information a little TOO FAR. I find this to be completely UNACCEPTABLE. In fact, if I get another car from Hertz with a camera in it, I will move our business from Hertz completely.
I influence car rentals of many others and I don't think anyone would want to be on camera while they are driving around or sitting at a red light.
Given what Hertz has invested in this system, I wonder how much consumer pressure will make them to pull the plug on this. Business is built one customer at a time and they will no longer have me as a customer. What are your thoughts? (more)
Further investigations revealed...
...the Hertz NeverLost 6 platform will include an ARM Cortex-A9 architecture with quad cores running at 1GHz, a high-res TFT display, Bluetooth and Wi-Fi connectivity and a GPS module that engineers built around SiRFstarIV architecture. Also included are a keypad, camera module, accelerometers and a Gyros sensor board...
Huff Butt Dial Blues
If a person accidentally calls someone from their cell phone, do they have a right to privacy protecting any conversation heard on the other end? The courts don’t think so.
Jim Huff, then chairman of the Kenton County (Kentucky) Airport Board, which manages Cincinnati’s international airport, was at a conference in Italy on October 24, 2013, when he unintentionally dialed airport offices while his phone was in his pocket and reached Carol Spaw. Spaw listened to Huff’s conversation for 90 minutes, even writing down some of his remarks and passing them along to a third party.
Huff claimed Spaw’s actions violated his right to privacy, since he never intended to “pocket dial” her in the first place.
But a federal judge didn’t agree, ruling individuals don’t have a reasonable expectation of privacy due to the common problem of pocket dialing and “butt calls.” (more) (sing-a-long)
Nixon Offered To Illegally Wiretap New York Mayor John Lindsay
The disclosure that Nixon offered to wiretap Lindsay comes via the detailed diaries of Dr. W. Kenneth Riland, who was Rockefeller’s osteopath and confidant.
He also treated Nixon and gained his confidence, too. (more)
Chinese Espionage Now Rampant in Taiwan
As relations improve between Beijing and Taipei, military morale still continues to fall as fewer Taiwan military officers see a future in an ever-shrinking armed forces. Many are beginning to cash in on their intimate knowledge of military secrets, including classified information on US military equipment.
Over the past several years, Taiwan military officers have sold China information on the E-2K Hawkeye airborne early warning aircraft, Patriot Advanced Capability-3 and PAC-2 anti-ballistic missile systems, Hawk air defense missile system, and the Raytheon Palm IR-500 radiometric infrared camera.
China uses retired Taiwan military officers to help recruit spies in the armed forces. Retired officers receive all-expense paid trips to China by the United Front Work Department, said a Taiwan security specialist. While there, they are lionized for returning to the “homeland” and given tours of their ancestral homes. Before they return, money is offered to help the “motherland” in the future, and “unfortunately many take it,” he said. (more)
Saturday, October 11, 2014
The Case of the Eavesdropping Corvettes
General Motors may have to take the sting out of its new Stingray.
The 2015 Corvette offers a personal video recording option that lets owners surreptitiously record video and audio when the car is in the hands of other drivers — like parking attendants. But now the automaker is concerned that the so-called valet mode may run afoul of eavesdropping laws in some states.
The laws in question involve audio recording only, and require that both parties give consent to be recorded. The Corvette’s recorder not only stores video shot through the windshield, but also data on speed and acceleration as well as audio recordings from inside the car. (more)
Inside the Secret World of Corporate Espionage
Numbers on corporate espionage are hard to come by. The Germans recently estimated that they lose around $69 billion to foreign business spies every year, but—at best—that’s basically just a piece of well-informed speculation.
The main problem with getting an exact fix on these figures is that they’re impossible to prove, because the nature of espionage generally relies on keeping stuff secret. It’s difficult to track the exchange of information, for instance, when it involves murmuring something at the sauna, or handing over a USB stick in a multi-level parking garage. And like a rigged sports game or steroid usage, it’s not something we’re in the mood to wake up to until it’s 100 percent, incontrovertibly there—an arsenal of smoking guns right under our noses.
“[Worrying about corporate espionage] very quickly becomes a matter of paranoia,” says Crispin Sturrock, who’s been running WhiteRock—a firm of anti-espionage specialists—for more than 20 years. “There’s a very British tendency to want to shake it off. To say, ‘Oh, I must be being paranoid.’ And, of course, just to be paranoid doesn’t necessarily make you wrong.” (more)
Spy Bits
ISM Bugging Out
The revelation this week that the International Spy Museum would be once again hitting the pavement in search of a new home got us thinking: Where else in the District might work for the popular museum? (more)
ISIS Changing Name
During the premiere episode of the sixth season of Archer, FX’s outrageously funny animated spy series, spy matriarch Malory Archer is seen speaking on the phone with her juvenile, coddled son. In the background, you can see two movers rolling out a large, circular blue ISIS sign... for the past five seasons, ISIS (International Secret Intelligence Service) has been the name for the underground, non-government approved, New York City-based spy organization at the heart of the show. In light of recent events, however, creator Adam Reed along with executive producers Matt Thompson and Casey Willis—made a decision to quietly eliminate the acronym from their show. (more)
HHSC Wants Blimpies
Rep. Michael McCaul, chairman of the House Homeland Security Committee, said Friday that he wants to redeploy U.S. military spy blimps in Afghanistan to America’s southern border. (more) Poop on them if they don't know about this. (more)
Former NSA Head Said
“Our data’s in there (NSA databases), my data’s in there. If I talk to an Al Qaeda operative, the chances of my data being looked at is really good, so I try not to do that. If you don’t want to you shouldn’t either,” he told MIRcon delegates. (more)
GCHQ Director - Private Companies Snoop More Than Intelligence Agencies
Phone and internet users should be worried about big commercial companies, rather than intelligence agencies obtaining and sharing their private data, Government Communications Headquarters (GCHQ) Director Sir Iain Lobban said in an interview with the Telegraph.
"Look, who has the info on you? It's the commercial companies, not us, who know everything – a massive sharing of data," Lobban was quoted as saying by the newspaper on Friday.
"The other day I bought a watch for my wife. Soon there were lots of pop-up watches advertising themselves on our computer, and she complained," the GCHQ director added. (more)
Tuesday, October 7, 2014
Microsoft's Windows 10 has permission to spy on you!
via Lauren Weinstein...
"Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage."
"If you open a file, we may collect information about the file, the application used to open the file, and how long it takes any use [of] it for purposes such as improving performance, or [if you] enter text, we may collect typed characters and use them for purposes such as improving autocomplete and spell check features." (more)
"Such as" implies more than just two examples.
StealthGenie CEO Arrested
Federal officials announced the arrest of the maker of a popular smartphone app marketed as a tool for catching cheating spouses by eavesdropping on their calls and tracking their locations — a technology critics have dubbed “stalker apps.”
In the first prosecution of its kind, federal officials said that StealthGenie violated the law by offering the ability to secretly monitor phone calls and other communications in almost real time, something typically legal only for law enforcement. The arrest comes as the market for surveillance software has grown so big that Web sites rank such apps on their price, features and even customer service...
The chief executive of the company that makes StealthGenie, Hammad Akbar, 31, of Lahore, Pakistan, was arrested in Los Angeles on Saturday, according to a news release from the Justice Department...
Court filings suggest that Akbar has contended that any legal issues were limited to the users of StealthGenie, not its maker. “When the customer buys the product, they assume all responsibility,” he wrote in a 2011 e-mail, court filings show. “We do not need to describe the legal issues.”
Efforts to reach Akbar’s attorney, based in Los Angeles, were not successful. (more)
FutureWatch - Will he pull the "primarily useful" card from the deck? This is what many audio eavesdropping gadget manufacturers used in the past to evade the law.
"Hey, it's a baby monitor."... that can hear through concrete walls.
Thursday, October 2, 2014
The Unpatchable Malware That Infects USBs Is Now on the Loose
...two independent security researchers, who declined to name their employer, say that publicly releasing the USB attack code will allow penetration testers to use the technique, all the better to prove to their clients that USBs are nearly impossible to secure in their current form. And they also argue that making a working exploit available is the only way to pressure USB makers to change the tiny devices’ fundamentally broken security scheme. (more)
Monday, September 22, 2014
Watch Out: Your Innkeeper is Spying on You and Other Confessions of a B&B Owner
Plenty of people dream about quitting their day job, buying that fixer-upper farmhouse, and opening a bed-and-breakfast. Those B&B owners seem so happy. Well, everything isn’t quite as idyllic as it seems. We got one set of innkeepers — “Bob and Emily” — to anonymously spill the beans on what really happens behind those perfectly painted shutters.
This week, Bob and Emily reveal the sordid side of running an inn. Here are some things you probably don’t want to know the next time you check into that seemingly quaint country B&B. (more)
Wednesday, September 17, 2014
FBI Seeks Expansion of Internet Investigation Powers
A Department of Justice proposal to amend Rule 41 of the Federal Rules of Criminal Procedure would make it easier for domestic law enforcement to hack into computers of people attempting to protect their anonymity on the Internet. The DOJ has explicitly stated that the amendment is not meant to give courts the power to issue warrants that authorize searches in foreign countries—but the practical reality of the underlying technology means doing so is almost unavoidable...
As for extraterritorial hacking, the DOJ commentary explicitly states that the proposal does not seek power to extend search authority beyond the United States:
- In light of the presumption against international extraterritorial application, and consistent with the existing language of Rule 41(b)(3), this amendment does not purport to authorize courts to issue warrants that authorize the search of electronic storage media located in a foreign country or countries. AUSA Mythili Raman, Letter to Committee.
The latter standard seems to be a significant loophole in the DOJ’s own formulation of the approach, particularly given the global nature of the Internet. For instance, over 85% of computers directly connecting to the Tor network are located outside the United States. (more)
Beijing Bans All* Hidden Surveillance Equipment
Beijing authorities have initiated a ban on all secret surveillance equipment in the city amid increasing pressure from the central government to crack down on spying activities.
The decision was issued jointly by the city's Administration for Industry and Commerce, Beijing Municipal Public Security Bureau and Beijing National Security Bureau, which added that purchases of these devices–such as surreptitious cameras installed in glasses or walking sticks to secretly record photos or videos of people in bathrooms and changing rooms–could lead to serious criminal liability...
Chinese media outlets reported that the majority of buyers are private detectives and investigators, debt collectors and lawyers looking to collect evidence for their cases. There have so far been 91 official investigations into illegal surveillance in Beijing this year. (more)
* Except their own, we presume.
Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying
The National Security Agency has some of the brightest minds... But a new chat program designed by a middle-school dropout in his spare time may turn out to be one of the best solutions to thwart those efforts...
John Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client...
“Ricochet is idiot-proof and anonymous.” (more)
Tuesday, September 16, 2014
FutureWatch: Ant-Sized Radio Swarms Will Net Everything
A team of researchers from Stanford University and the University of California, Berkeley, has created prototype radio-on-a-chip communications devices that are powered by ambient radio waves. Comprising receiving and transmitting antennas and a central processor, the completely self-contained ant-sized devices are very cheap to manufacture, don't require batteries to run and could give the "Internet of Things" (IoT) a serious kick start.
(more)
Let's just call it "Spy Dust".
75% of Android Phones Vulnerable to Web Page Spy Bug
A Metasploit module has been developed to easily exploit a dangerous flaw in 75 percent of Android devices that allows attackers to hijack a user's open websites...
Tod Beardsley, a developer for the Metasploit security toolkit, dubbed the "major" flaw a "privacy disaster".
"What this means is any arbitrary website - say, one controlled by a spammer or a spy - can peek into the contents of any other web page," Beardsley said.
"[If] you went to an attacker's site while you had your web mail open in another window, the attacker could scrape your email data and see what your browser sees.
"Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write web mail on your behalf." (more)
Solution: Use a Firefox or Chrome browser.
Monday, September 15, 2014
The Top Cyber Espionage Devices You Don't Want to See
... unless you are using them.
The Pwn Plug Academic Edition is the Industry’s First Enterprise Penetration Testing Drop Box
- Wireless (802.11b/g/n) high gain Bluetooth & USB Ethernet adapters
- Fully-automated NAC/802.1x/Radius bypass
- One-click EvilAP, stealth mode & passive recon
The Pwn Plug R3 is a next-generation penetration testing device in a portable, shippable, “Plug-and-Pwn” form factor.
- Onboard high-gain 802.11a/b/g/n wireless
- Onboard Bluetooth
- External 4G/GSM cellular
- Greatly improved performance and reliability
The MiniPwner
The MiniPwner is described as a penetration testing “drop box”. You (or maybe a cleaner you’ve bribed) need to plug it into an Ethernet plug in the target’s building, and then you can slurp all the data out of their network via a wifi link.
The penetration tester uses stealth or social engineering techniques to plug the MiniPwner into an available network port. (Common locations include conference rooms, unoccupied workstations, the back of IP Telephones, etc.)
Once it is plugged in, the penetration tester can log into the MiniPwner and begin scanning and attacking the network. The MiniPwner can simultaneously establish SSH tunnels through the target network, and also allow the penetration tester to connect to the MiniPwner via Wifi.
WiFi Pineapple Mark V
Slightly larger than a smartphone, the WiFi Pineapple Mark V is the “ultimate” cyber surveillance device. It uses an “intuitive” web interface to enable hackers to break into a corporation’s IT networks through its wifi connections. It costs $100.
USB Switchblade
The goal of the USB Switchblade is to silently recover information from a target Windows 2000 or higher computer, including password hashes, LSA secrets, IP information, etc.
A gadget that looks like a USB stick has a program that swings into action when it’s inserted into the USB drive and can then begin its naughty work without the user knowing it by exploiting a flaw in USB autorun settings. How about dropping it in the car park of your target’s offices, seeing if someone will pick it up and plug it in to see what’s on it…
USB 8GB Flash Drive Cufflinks
The thing about these is that the bad guy can carry a load of malware, ready for use at any time. These go for less than $50. Easy to smuggle in.
The Rubber Ducky
The Rubber Ducky is becoming the “field-weapon of choice” for cyber spies. It’s the size of a normal USB stick but when you plug it in to a PC it pretends to be a keyboard and starts ‘typing’ away, possibly trying to break into systems or maybe stealing passwords. If you get a few seconds alone with someone’s phone you can get an adapter to plug it in and maybe hack that too. (The last five items courtesy of Financial News.)
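The Rubber Ducky item above turns on one fact: the device enumerates as a keyboard. As an added example (not from this page or from Financial News), here is a small Python detector that reads Linux kernel USB/HID enumeration messages and flags any keyboard that is not on an assumed allowlist, or that shares a device with mass storage; the log lines, vendor/product IDs and allowlist are constructed for the demo.

```python
import re

# Constructed dmesg-style lines in the Linux kernel's USB/HID enumeration format.
# The vendor/product IDs and product names below are placeholders for this demo.
SAMPLE_DMESG = """\
[  101.100001] usb 1-1.1: New USB device found, idVendor=aaaa, idProduct=0001, bcdDevice= 1.00
[  101.100010] usb 1-1.1: Product: Office Keyboard
[  101.200000] hid-generic 0003:AAAA:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Office Keyboard] on usb-0000:00:14.0-1.1/input0
[  955.300001] usb 1-1.4: New USB device found, idVendor=bbbb, idProduct=0002, bcdDevice= 1.00
[  955.300010] usb 1-1.4: Product: Flash Drive
[  955.400000] usb-storage 1-1.4:1.0: USB Mass Storage device detected
[  955.450000] hid-generic 0003:BBBB:0002.0002: input,hidraw1: USB HID v1.11 Keyboard [Flash Drive] on usb-0000:00:14.0-1.4/input0
[ 1203.000001] usb 1-1.5: New USB device found, idVendor=cccc, idProduct=0003, bcdDevice= 1.00
[ 1203.000010] usb 1-1.5: Product: Optical Mouse
[ 1203.100000] hid-generic 0003:CCCC:0003.0003: input,hidraw2: USB HID v1.11 Mouse [Optical Mouse] on usb-0000:00:14.0-1.5/input0
"""

# Assumed allowlist of vendor:product IDs for keyboards the organisation issues.
KNOWN_KEYBOARDS = {"aaaa:0001"}

NEW_DEV_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT_RE = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE_RE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
HID_RE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\w+: "
    r".*USB HID v[\d.]+ (?P<kind>\w+) \[")


def parse_usb_events(log_text):
    """Group kernel USB messages into one record per enumerated device.
    Device lines are keyed by USB port ("1-1.4"); the hid-generic line carries
    no port, so it is joined to its device through the vendor:product ID."""
    by_port, by_id = {}, {}
    for line in log_text.splitlines():
        if m := NEW_DEV_RE.search(line):
            dev_id = f"{m['vid']}:{m['pid']}".lower()
            rec = {"port": m["port"], "id": dev_id, "name": "",
                   "storage": False, "hid": set()}
            by_port[m["port"]] = rec
            by_id[dev_id] = rec
        elif (m := PRODUCT_RE.search(line)) and m["port"] in by_port:
            by_port[m["port"]]["name"] = m["name"].strip()
        elif (m := STORAGE_RE.search(line)) and m["port"] in by_port:
            by_port[m["port"]]["storage"] = True
        else:
            m = HID_RE.search(line)
            if m and (dev_id := f"{m['vid']}:{m['pid']}".lower()) in by_id:
                by_id[dev_id]["hid"].add(m["kind"])  # e.g. "Keyboard", "Mouse"
    return list(by_port.values())


def find_keystroke_injection_candidates(log_text, known_keyboards=KNOWN_KEYBOARDS):
    """Return (port, id, name, reason) for every device that enumerates as a
    keyboard but is not on the allowlist, or that pairs a keyboard interface
    with mass storage (a flash drive has no business typing)."""
    findings = []
    for dev in parse_usb_events(log_text):
        if "Keyboard" not in dev["hid"]:
            continue  # mice and other HID classes cannot inject keystrokes
        if dev["id"] not in known_keyboards:
            findings.append((dev["port"], dev["id"], dev["name"], "keyboard not on allowlist"))
        if dev["storage"]:
            findings.append((dev["port"], dev["id"], dev["name"], "keyboard interface on a storage device"))
    return findings


if __name__ == "__main__":
    for port, dev_id, name, reason in find_keystroke_injection_candidates(SAMPLE_DMESG):
        print(f"ALERT {port} {dev_id} '{name}': {reason}")
```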
Yet Another Way Your Smartphone Can Bug You
MEMS gyroscopes found on modern smart phones are sufficiently sensitive to measure acoustic signals in the vicinity of the phone. The resulting signals contain only very low-frequency information (< 200 Hz). Nevertheless we show, using signal processing and machine learning, that this information is sufficient to identify speaker information and even parse speech.
Since iOS and Android require no special permissions to access the gyro, our results show that apps and active web content that cannot access the microphone can nevertheless eavesdrop on speech in the vicinity of the phone. (more)
Sunday, September 14, 2014
Information Security Management - Distance Learning Course
Your information assets have never been more crucial, more valuable, or more at risk. This is why information security is becoming a crucial business priority in many organizations. Moreover, complying with (international) information standards and guidelines (such as the NIST Handbook, ISO 17799, CobiT, and ITIL Security Management) is becoming a hot issue worldwide.
This unique distance learning course provides you with vital information for developing or reviewing your information security management framework. The course will help you determine the levels of risk your organization is facing and the steps you will need to take to provide adequate protection.
The course will be of particular benefit to:
- CIOs, CISOs and anyone who has direct line responsibility for information security
- Business Continuity Planners, Asset Managers, Risk Managers
- Legal Advisors and Corporate Security Consultants
- Company Secretaries, Finance Directors and Auditors (more)
Saturday, September 13, 2014
Weird - Spies Strike
Soldiers from Israel's elite wire-tapping unit are refusing to spy on Palestinians in a rebuke to prime minister Benjamin Netanyahu.
More than 40 former soldiers and current army reservists have signed a letter refusing future service in the Israeli Defence Force (IDF) military intelligence wing, known as Unit 8200.
Unit 8200 is often compared to the United States National Security Agency. It uses sophisticated technology to monitor the lives of Palestinians, gathering information which is then used by Israel's military. It also carries out surveillance overseas. (more)
Taylor Swift - Worried About Wiretaps
In a wide-ranging interview with Rolling Stone, Taylor Swift gets candid about her love life, her professional feuds and being very cautious about janitors and wiretapping.
1. She's pretty much always worried about privacy
Swift is acutely aware that people are out to invade her privacy. “There's someone whose entire job it is to figure out things that I don't want the world to see,” she told Rolling Stone. She's also paranoid about basically anyone she lets get too close... I have to stop myself from thinking about how many aspects of technology I don't understand.” (more)
Taylor, there are some nice professional privacy consultants who can help you.
Friday, September 12, 2014
Business Espionage - "Morticia, they've kidnapped Thing!"
T-Mobile US sued Huawei for corporate espionage, alleging that the vendor's employees illegally photographed and tried to steal parts of a robot it developed in its labs, called "Tappy," to test cell phones.
The lawsuit, filed last week in federal court in Seattle, claims that two Huawei employees gained illicit access to its lab in Bellevue, Wash., photographed the robotic arm, tried to smuggle parts of it out of the lab, and then tried to sneak back in after they were banned from the facility...
In 2012 and 2013, the suit claims, Huawei employees engaged in the subterfuge. At one point, the suit alleges, a Huawei engineer put one of the robot's simulated fingertips into his laptop bag. Huawei "ultimately admitted that its employees misappropriated parts and information about T-Mobile's robot," the suit says. (more)
Tappy's Grandfather
Yet Another Landlord Spying on Tenant Story
...also charged with having guns in his home which he's not allowed to have based on his criminal history.
Last year at this time (9/29/13) subject was sentenced to probation for a term of seven years with the condition that he have no contact with minors, and a fine of $2000, for the offense of Corruption of Minors. (more)
Russia: Fireball Over Wyoming Wasn't Spy Satellite
Russia - The Defense Ministry has challenged reports that a Kobalt-M spy satellite reentered the Earth's atmosphere and burnt up over the U.S., potentially leaving Russian military intelligence photos lying in Colorado or Wyoming...
The satellite, launched from the Plesetsk Cosmodrome near Arkhangelsk on May 6, was not equipped to digitally transmit its photographs back to its handlers at Russia's military intelligence unit, the GRU. Instead, it was designed to drop its film in special canisters from space onto Russian territory.
Interfax reported Tuesday that the satellite may have been attempting to position itself to drop a canister back to Earth, when it moved into too low of an orbit — thereby falling back to earth over the U.S. It is possible that much of the satellite and its photos survived, and are now sitting somewhere in the U.S. midwest. (more)
Footage as it passed over Atyrau, Kazakhstan...