Monday, March 31, 2008

"But, IT said our data was secure."

Data Theft Carried Out On Network Thought Secure
Criminals involved in a massive data breach at the Hannaford Bros. and Sweetbay grocery chains stole the customer information from a part of a computer-network system that security experts had believed was secure.


As many as 4.2 million credit- and debit-card numbers were exposed in the breach.

The Hannaford data, which included customer account numbers and card expiration dates, was stolen between Dec. 7 and March 10. ...it has resulted in at least 1,800 cases of fraud.

A malicious software program, written by the thieves, intercepted the information as it went back and forth over a cable to a transaction processor in Denver. It was then transmitted to an Internet service provider somewhere outside the U.S. The software, known as malware, was planted on computer systems in every store in the two chains, the company says.

...it took a team of about 30 forensics experts and information technologists more than 10 days of round-the-clock troubleshooting to discover the malware. (more) (recent data theft list)

Investigative Techniques for the Trial Lawyer - Wiretapping: Part I

...we have probably all wondered if our conversations via phone were being taped.

There are federal and state (all 50 and DC) statutes governing the use of electronic recording equipment. The unlawful use of recording equipment may not only give authority for civil proceedings against the perpetrator of illegal taping, but may also give rise to criminal charges.

Today’s Bulletin gets right into the meat of how and where the taping of private telephone conversations is allowed...

Interesting exceptions to the rules...
In California, generally an all party consent state, one party alone can record if criminal activity (e.g. extortion) is anticipated or involved.

In Arizona, the subscriber to a telephone service can record telephone conversations with no party consent when criminal activity is involved. (more)

The Case of the Flacid Fob

Researchers from Ruhr University Bochum, Germany, presented a complete break of remote keyless entry systems based on the KeeLoq RFID technology. The shown vulnerability applies to all known car and building access control systems that rely on the KeeLoq cipher. "The security hole allows illegitimate parties to access buildings and cars after remote eavesdropping from a distance of up to 100 meters" says Prof. Christof Paar. "Eavesdropping on as little as two messages enables illegitimate parties to duplicate your key..."

A KeeLoq system consists of an active Radio Frequency Identification (RFID) transponders (e.g., embedded in a car key) and a receiver (e.g., embedded in the car door). Both the receiver and transponder use KeeLoq as encryption method for securing the over-the-air communication.

KeeLoq has been used for access control since the mid-1990s. By some estimates, it is the most popular of such systems in Europe and the US. Besides the frequent use of KeeLoq for garage door openers and other building access applications, it is also known that several automotive manufacturers like Toyota/Lexus (Chrysler, Daewoo, Fiat, GM, Honda, Volvo, VW, Clifford, Shurlok, Jaguar, etc.) base their anti-theft protection on assumed secure devices featuring KeeLoq.
(more)
(Hacker video explaining KeeLoq. Minutes: 36:18 - 41:35)
(How to Steal Cars - A Practical Attack on KeeLoq)

Sunday, March 30, 2008

Mama Hari

...a mother writes...
"It’s a tough call knowing when to spy and when to trust.
Though my own children, 4 and 7, are too young for me to be going through pockets looking for drugs, turning up mattresses looking for porno, etc., I plan on doing those things in their teen years.

In my own childhood, my parents were way too hands-off. Both of my brothers were doing serious drugs in high school and my parents didn’t find out until it was way too late. They wanted harmony in the house and took the path of least resistance. That meant my brothers were allowed privacy, didn’t have an enforced curfew, were given car keys before they could handle that responsibility. My parents prayed maturity would come soon.

With my own children, I’ve learned that I have to stay on top of things. On the computer, my son has tried to order things online. He even asked my mom for her credit card so he could buy a Ben 10 shirt. We’ve found that we need to set the rules for which Web sites he can look at. Anything not on the ‘Kids’ section of our Web browser’s bookmarks is off limits. Still, we walk by often while he’s online, and we remind him he needs to ask if it’s a new site." (more)

Money Talks - Cell Phones Squawk

Spying programs for mobile phones are likely to grow in sophistication and stealth as the business around selling the tools grows, according to a mobile analyst at the Black Hat conference on Friday.

Many of the spy programs on the market are powerful, but aren't very sophisticated code, said Jarno Niemela, a senior antivirus researchers for Finnish security vendor F-Secure, which makes security products for PCs and mobile phones...

One of the latest tools on the market is Mobile SpySuite, which Niemela believes is the first spy tool generator for mobiles. It sells for US$12,500 and would let a hacker custom-build a spy tool aimed at several models of Nokia phones, Niemela said. (more)

Money Talks - Spies Walk

UK - Thousands of Chinese spies are infiltrating Britain in the run-up to the Beijing Olympics.

They are hellbent on stealing scientific, military and industrial secrets in a bid to make China the world's No1 superpower. The spies are recruited from the 90,000 Chinese who visit Britain each year. Forty per cent of them are on business and a third are students.

A Whitehall source said: "They are told to hoover up everything they can get their hands on. "It can be anything from the results of university lab experiments to secret industrial technology." China's targets include banks, power and water companies, telecom firms and even Parliament.

But Foreign Secretary David Miliband fears any crackdown would upset China and jeopardise trade deals worth £20billion. (more)

Saturday, March 29, 2008

"Make a periscope" science class experiment gone horribly wrong?

Wales - A peeping Tom attached a mirror to the end of a piece of wood to spy on his next-door neighbour as she undressed, a court heard...

During the hearing, prosecutor Ian Kolvin produced the home-made spying device which consisted of a strip of wood with a broken piece of glass fastened to one end... "The defendant denied any sexual motivation," said Mr. Kolvin. (more)

"Whatever satisfies the soul is truth." W.W.

NJ/PA - The man who led police on a chase that eventually forced the closure of the Walt Whitman Bridge last Thursday was convinced that someone was bugging his phone and that his family was in danger, according to authorities. (more)

Thursday, March 27, 2008

Jury finds against Providence in wiretapping lawsuit

RI - A federal jury has returned a verdict against city of Providence authorities for illegally recording the phone calls of their employees at a public safety complex. City officials say the jury on Wednesday awarded compensatory and punitive damages of about $525,000... (more)

Wednesday, March 26, 2008

Details emerge about futuristic spy tech

The intelligence agencies have renamed their MASINT program and will now refer to the recondite spy discipline as the Advanced Technical Exploitation Program (ATEP). The name change surfaced in documents that describe a pending acquisition for contractor assistance in merging information from various types of sensors and systems to create cross-disciplinary intelligence...

The acquisition notice asked companies to describe their capabilities in working with the following types of sensors:
• Overhead non-imaging radar.
Synthetic aperture radar.
Spectral detectors.
Thermal infrared.
Ground-moving target indicator forensics.
Line-of-sight radar.
Over-the-horizon radar.
Airborne electro-optical sensors, known as Cobra Ball.
Laser intelligence.
Radio frequency MASINT.
(more)

Spybusters Selects Tektronix to Aid in Fight Against Corporate Espionage

Tektronix Inc., a provider of test, measurement and monitoring instrumentation, announced that Murray Associates, registered as Spybusters LLC, has selected a Tektronix Real-Time Spectrum Analyzer (RTSA) with DPX™ live RF display technology to help the security consultancy identify wireless eavesdropping devices that may be located in clients’ facilities including boardrooms and security trading floors. The RTSA instrument enables the firm to quickly and efficiently spot sophisticated listening devices, even in challenging environments where there are many competing signals.

Corporate espionage is on the rise due to such factors as globalization, decreased employee loyalty and the increasing value of information. In some parts of the world espionage is a common business practice in competitive industries. At the same time, new technologies are making it easier and more affordable than ever to steal information by tapping into private conversations. Given the potential reward, spies are employing increasingly sophisticated technology that can be difficult to detect.

To fight back against this espionage, companies as well as government agencies are turning to firms that specialize in detecting and removing eavesdropping and other surveillance devices. One of the leaders in the segment is Murray Associates. Based in Oldwick, New Jersey, the 30-year-old company, which is registered as Spybusters LLC, is seeing heightened demand for its services. The majority of the firm’s clients schedule regular inspections or sweeps for any form of electronic surveillance technology in sensitive areas such as executive suites, boardrooms, trading floors, vehicles and aircraft as well as executive homes and off-site meeting locations.

Tuesday, March 25, 2008

Make Caller ID Lie For You

Keep your phone number private whenever you make or receive calls. A new service called Vumber does it for you.

In addition to privacy you can get anonymity, too. Vumber is like Kleenex, disposable. Change numbers whenever you want. Be in any Area Code you like.

"It’s your anyphone, anytime, anywhere phone number that keeps your identity private – until you decide it not to be.

A Vumber is a number from any area code you want, linked to your home, cell, or work phone. When someone calls your Vumber, Vumber lets you control how you handle the call: you can a) answer it; b) send them to VumberMail; c) give them a busy signal; d) tell them the number is out of service; or e) play them a custom message you create.

It provides unequaled privacy protection when anyone calls your Vumber, and when you call anyone. And it’s not limited to a pre-defined one-to-one calling relationship like you sometimes see out there – it is as simple as having another phone number. Even simpler.

You can call “from” your Vumber, too..." (more)

The flip side... Your Caller ID display is no longer trustworthy. But hey, it never was anyway.

How to hack RFID-enabled credit cards for $8

...via tv.boingboing.net
A number of credit card companies now issue credit cards with embedded RFIDs (radio frequency ID tags), with promises of enhanced security and speedy transactions.

But on today's episode of Boing Boing tv, hacker and inventor Pablos Holman shows Xeni how you can use about $8 worth of gear bought on eBay to read personal data from those credit cards -- cardholder name, credit card number, and whatever else your bank embeds in this manner.

Fears over data leaks from RFID-enabled cards aren't new, and some argue they're overblown -- but this demo shows just how cheap and easy the "sniffing" can be.

Forget the tin foil hat.
Wrap it around your wallet and watch where you sit.
There may be an antenna under that chair.

"Bugging Device Found"

Ireland - "A sophisticated bugging and tracking device has been unearthed in the vehicle of a member of the Dublin 32 County Sovereignty Movement. The device was secreted internally into the dashboard of the vehicle and was equipped with its own self contained power supply. The manner by which the device was installed strongly suggests that those who planted it took considerable time to effect this and was obviously professionally done." (more)

A little research reveals that the top component is an old Ericsson radio-modem (M2050 Mobidem c.1996-97) made for the UK market (425-460 MHz). "a small low power radio modem that can be built into PC or other equipment. It has no power source of its own. It does not have its own antenna, which must be designed specifically for the host equipment. It has rated data transfer rates of 1200 to 9600 bps. It supports Mobitex MACS, AT and X.28 protocols."

According to a press release, "Ericsson has signed an order with Thorn Security Ltd., a leading provider of security services in the U.K. market, for 5,000 Mobidem M2050 radio modems to be used for the company's new Siteguard Smart Signaling alarm services. The new services will be available to Thorn's thousands of customers throughout the U.K. in mid-September.

With the announcement of its new Siteguard Smart Signaling alarm portfolio, Thorn Security has scored a first in the industry. The system uses a self-checking alarm signaling technique that provides intelligent mutual monitoring between wireless data links and landline communications at the customer site. This virtually eliminates line errors and guarantees that the alarm system is functional at all times."

The batteries are 4 "D" cells, rechargeable lead-acid type.

Given the age of the main component, identifying information was left on it (unusual for professional bugging devices) and that similar-looking auto alarm systems exist, its real purpose can be questioned. Is it a bug, or did someone buy a used car not knowing it was outfitted with an alarm system at one time?

Saturday, March 22, 2008

US State Department Warns of Chinese Bugging and Wiretapping

"Security personnel may at times place foreign visitors under surveillance. Hotel rooms, telephones, and fax machines may be monitored, and personal possessions in hotel rooms, including computers, may be searched without the consent or knowledge of the traveler. ... Foreign government officials, journalists, and business people with access to advanced proprietary technology are particularly likely to be under surveillance." (more)