Sunday, August 17, 2008

The Dick Van Dyke Show - All About Eavesdropping

"An eavesdropper never hears anything good about themselves."

More UC Warnings

...from The Financial Express...
"Virtually, every company seems to be in a rush to merge email, fax and voice communications. IT, BPO, media, telecom, banking and retail enterprises are embracing Unified Communications (UC).


However, the risks associated with UC security are now beginning to surface as companies start merging their various channels of communications.

Eavesdropping, unauthorised access of messages, unauthorised handsets connecting to the network and disruption of phone network are some of the threats, faced by enterprises.

"According to Jayesh Kotak, vice-president, product management, D-Link India, denial of service, spoofing, eavesdropping, signaling and media manipulation are few security threats to the UC. (more)

Ebay Your Plasma. Laser Is Coming!

Laser televisions have an image produced by three lasers that are each less than one cubic centimeter in size and that are a million times brighter than current state-of-the-art light-emitting diodes (LEDs). They provide sharper, crisper, more brilliant pictures than you have ever seen. And this new television costs less to produce than the television you own now.

Novalux of Sunnyvale, CA has developed the Novalux extended-cavity surface-emitting laser (NECSEL™) for use in high-definition (HD) rear-projection televisions (RPTVs).

Laser televisions will provide speckle-free images that have more contrast and better color coverage than their unwieldy, expensive counterparts. They also use 60% less power and have a lifespan more than 10 times as long as lamp televisions. And unlike LED televisions, laser televisions have incredible longevity without giving way to distracting color shifts over time.
Projection and illumination optics for laser televisions will cost less than those of either lamps or LEDs, resulting in a lower price for the entire system. Novalux estimates that a 50" laser television will cost significantly less than $1,000. (more) (follow the action)

Saturday, August 16, 2008

SpyCam Story #458 - CCTV Tee

From artist Ross Robinson...
"Your government is watching you. All. The. Time."

...now buy my tee-shirt.

Water Manager's Wiretap Leaked

TX - Bexar County District Attorney Susan Reed announced Friday that Gilbert Olivares, General Manager of Bexar Metropolitan Water District, has been indicted for wiretapping, misapplication of funds, and sexual harassment.

The indictment includes 12 counts of Illegally Intercepting Oral Communications, 1 count of Misapplication of Fiduciary Property, 1 count Abuse of Official Capacity, and two counts of Official Oppression.

...the indictment alleges Olivares ordered the monitoring and recording of phone conversations of four Bexar Met employees' who were viewed as critics of his leadership. The recordings allegedly took place over a 8-month period and without the knowledge or consent of any of the parties to the conversations. (more) (video)

Confessions of a Corporate Spy

Ira Winkler offers chilling accounts of espionage...
A former National Security Agency analyst who is now an expert on corporate espionage offered chilling accounts yesterday of his easy penetration into a variety of U.S. companies. In one case, in just a few hours he was able to make off with product plans and specifications worth billions of dollars.

Ira Winkler, global security strategist at CSC Consulting, spoke at Computerworld's Premier 100 IT Leaders Conference here and punctured several popular misconceptions about information security...

At one large company, for example, he persuaded a guard to admit him by saying he had lost
his badge and presenting a business card as a substitute. He'd stolen the card -- which belonged to an employee who worked at the plant -- from a local restaurant that collected business cards in a jar for prize awards. Winkler went on to exploit a number of security weaknesses, from doors he found unlocked to using forged signatures to using simple computer hacks. The result: Designs for nuclear reactors and other technologies were compromised, possibly with national security implications.

"Never measure security budgets by IT," said Winkler, author of Spies Among Us: How to Stop the Spies, Terrorists, Hackers and Criminals You Don't Even Know You Encounter Every Day. (more)

Someone finally asked, "Dude, doesn't spying precede attacking?"

Homeland Security setting up counterspy unit...
Concerns about foreign spies and terrorists have prompted the Homeland Security Department to set up its own counterintelligence division and require strict reporting from employees about foreign travel, according to a memo obtained by The Associated Press. (more)

SpyCam Story #457 - Kite Flight Sight

...from the seller's web site...
"Now here's a nifty way of popping your head over the fence to ogle the chapess next door without being spotted or otherwise denounced as a pervy interloper. Instead of popping your head over the fence from a height of 1.8 metres, pop it over the fence in the virtual sense, from a height of up to 25 metres.

Permit us to explain and expound. In all our years of deconstructing fiendishly complex gadgetry here in the lab, deep underground at gadgetshop HQ, we've never before come across a fusion of technologies so inspired as a high performance kite with a remotely-controlled digital camera slung underneath it." (more)

SpyCam Story #456 - "Save Money. Live Better"

FL - A mysterious box with an antenna found hidden inside a Wal-Mart was a planted spy camera set up to beam customer credit card numbers to thieves in the parking lot, police said. (more) (video)

Friday, August 15, 2008

Industrial Espionage, Reverse Engineering or Just A Crappy Cheap Knockoff? You decide.

Over the years the Security Scrapbook has brought several blatant examples of industrial espionage to your attention. Take, for example, the...
• Space Shuttle (USA, Russia)
iPhone
Nokia phones
Pocket cameras (pick any of them)
Twin Magazine Covers

And remember?
• 9/30/02 - Nokia, the world's largest cell phone maker, on Thursday unveiled its first "third-generation" handset, which has a camera so users can view and edit video clips and send them to another phone or an e-mail address. ... Minutes after Nokia's announcement Thursday, rival manufacturer Motorola unveiled new details about its own equivalent handset.

• "The World's Smallest Camcorder." Sony DCR-IP1 MICROMV released. Tuesday, September 02 @ 11:15:00 PDT. Panasonic SV-AV100 camcorder debuted. Friday, September 05 @ 15:30:00 PDT

• 12/2/01 - Two major rivals announce look-alike products.
Same size ad, same magazine - 4 pages away from each other - products offered the same benefits... "drug and explosive" detection, in one instrument.

What is the difference between espionage and a rip-off? Industrial espionage products hit the market at approximately the same time. There is a time-lag with reverse engineering and knockoffs.

See more!
See more! See more!
Visit The Plagiarius Competitions and the Museum Plagiarius.

ID Theft News - 8% ?!?! (seems high, or are high)

...and this is just in the past two weeks...

Eleven people from at least five different countries are facing charges for their involvement in a wide-ranging scheme to hack into nine US companies and steal and sell more than 40 million credit and debit card numbers.
"As far as we know, this is the single largest and most complex identity theft case that's ever been charged in this country," Attorney General Michael Mukasey said. Officials said the ring had stolen hundreds of millions of dollars. (more) ...when federal prosecutors disclosed that computer hackers swiped more than 40 million credit-card numbers from nine retailers in the biggest such heist ever, it was the first time that many shoppers had heard about it. That's because only four of the chains clearly alerted their customers to breaches. (more)

• About 150,000 people in the US have been affected by the theft of laptops with personal information about current and former employees of brewing giant Anheuser-Busch. (more)

• A new report from the California Department of Public Health discovered that 127 UCLA Medical Center employees viewed celebrities' medical re
cords without permission between January 2004 and June 2006, which is nearly double the number first reported earlier this year. (more)

• UK - Data protection experts have called for hospitals to use more effective encryption techniques after a laptop containing the personal data of thousands of patients was stolen. An unnamed manager at Colchester Hospital in Essex has been sacked as a result of the theft... (more)


• Security researcher Joe Stewart has identified a Russian gang that infected 378,000 computers with malware over a 16-month period in an effort to ste
al passwords and other information. (more)

• Ireland - The loss of a laptop containing 380,000 records of social welfare and pension recipients is a wake-up call for the Government and public and private sector bodies to ensure all staff are trained properly in data protection and use of encryption. (more)


• The Transportation Security Administration suspended Verified Identity Pass from enrolling travelers in its pre-screening program after a laptop computer containing the records of 33,000 people went missing.

The company, based in New York, lost possession of the laptop at San Francisco International Airport. The laptop contai
ned unencrypted pre-enrollment records of individuals... (more) UPDATES: ...unencrypted laptop was found in the same office from which it was reported missing. (more) The U.S. Transportation Security Administration has cleared Verified Identity Pass to resume enrollments in its Registered Traveler program... (more) The laptop had been stolen, but was returned, according to the Sheriff's Department.

• The University of Michigan Credit Union in Ann Arbor confirmed that a data theft has resulted in some of its members becoming identity theft victims. The credit union said that so far, "less than 100" people have had their identities stolen -- mostly to open fraudulent credit card accounts. The theft, involving documents that were supposed to have been shredded... (more)

• Greece - Hundreds of bank clients in Greece and other E
uropean countries have turned into hostages because of actions of groups that steal data from bankcards and do uncontrolled drawings, the Greek To Bhma daily reports. (more)

UK - The BBC has apologised after a memory stick containing details of hundreds of children who applied to take part in a TV show was stolen. (more)

• Wells Fargo & Co. is notifying some 5,000 people that their personal information might have been seen by someone using a bank access code illegally. (more)

Only an average of eight percent of Americans say they are very confident in the ability of U.S. retailers, government and banks to protect their personal information, according to a national survey commissioned by CA, Inc. (more)

Tuesday, August 12, 2008

Wiretap Act - The Loco Motion Law?

"Everybody's doin' a brand-new dance, now"
A federal appeals court in California is reviewing a lower court's definition of "interception" in the digital age... The case, Bunnell v. Motion Picture Association of America, involves a hacker who broke into TorrentSpy's company server and obtained copies of company e-mails as they were being transmitted. He then e-mailed 34 pages of the documents to an MPAA executive, who paid the hacker $15,000 for the job, according to court docuWiretapments.

"I know you'll get to like it if you give it a chance now"
The issue boils down to the judicial definition of an intercept in the electronic age, in which packets of data move from server to server, alighting for milliseconds before speeding onward. The ruling applies only to the 9th District, which includes California and other Western states, but could influence other courts around the country.

"Jump up. Jump back. Well, now, I think you've got the knack."

In August 2007, Judge Florence-Marie Cooper, in the Central District of California, ruled that the alleged hacker, Rob Anderson, had not intercepted the e-mails in violation of the 1968 Wiretap Act because they were technically in storage, if only for a few instants, instead of in transmission.

"Now that you can do it, let's make a chain, now."
"The case is alarming because its implications will reach far beyond a single civil case," wrote Kevin Bankston, a senior attorney for the Electronic Frontier Foundation in a friend-of-the-court brief filed Friday. If upheld, the foundation argued, "law enforcement officers could engage in the contemporaneous acquisition of e-mails just as Anderson did, without having to comply with the Wiretap Act's requirements."

"Do it nice and easy, now, don't lose control"
Cooper's ruling also has implications for non-government access to e-mail, wrote Bankston and University of Colorado law professor Paul Ohm in EFF's brief. "Without the threat of liability under the Wiretap Act," they wrote, "Internet service providers could intercept and use the private communications of their customers, with no concern about liability" under the Stored Communications Act, which grants blanket immunity to communications service providers where they authorize the access.

"Move around the floor in a Loco-motion"

Individuals could monitor others' e-mail for criminal or corporate espionage "without running afoul of the Wiretap Act," they wrote.

"There's never been a dance that's so easy to do."
"It could really gut the wiretapping laws," said Orin S. Kerr, a George Washington University law professor and expert on surveillance law. "The government could go to your Internet service provider and say, 'Copy all of your e-mail, but make the copy a millisecond after the email arrives,' and it would not be a wiretap." (more)

...It even makes you legal when they're feeling screwed,
So come on, come on, do the Loco Motion with me.

"Next stop!
Voicemails, ISPs, and bucket brigading of phone calls.
All aboard!"

Monday, August 11, 2008

WiFi / WLAN / 802.11 Spying Instructions

The following information is available to the public at blackhatlibrary.com. Excerpts reprinted below highlight the need for adding WLAN Security Audits to corporate TSCM inspection programs.


"Wireless Network Hacking and Spying Made Simple"


Here’s a quick and simple guide on how to get on to so called “secure” networks as well as a few things you can do to amuse yourself after you are in. Enjoy!

Finding the network
Most wireless networks are configured to broadcast their SSID (Service Set Identifier), when looking for a network to have some fun with I like to start with these if they are available....
If you know that a network exists but you don’t see a SSID in your available networks, or are just curious to see if any are out there, there are a few tools that will get this job done for you.

For Linux users I recommend:
AirJack- A lightweight program.

Kismet- Unquestionably the most powerful wireless program.

For Windows users I recommend:
AirSnort

AirMagnet


Bypassing WEP or WPA

Let me start this section by saying that WEP encryption is a joke. The only thing turning on WEP does is add some extra information to the packets.
Aircrack is a free Windows/Linux tool that can break both WEP and WPA-PSK.

Modifying the network
It never fails to surprise me how many routers are left configured to the default admin password and username- if this is the case you can easily hijack an entire network.
If the default credentials work, you can easily change the passphrase, SSID or completely turn off the router.

Spying on Connected Users
On a wireless network, the router effectively screams out requested information from any computer to the whole broadcast radius. This means that you can use a program to eavesdrop on other users on the network. (more)

sixteen-love

LA - Tai Shen Kuo, 58, long-time restaurateur and former tennis pro who pleaded guilty three months ago to spying for China was sentenced Friday to nearly 16 years in prison by a federal judge. “We had hoped to do a little bit better,” said John Hundley, of the Washington, D.C., law firm Trout-Cacheris. (more)

The Geek Chorus Wails Again...

Hackers at the DefCon conference were demonstrating these and other novel techniques for infiltrating facilities...
Want to break into the computer network in an ultra-secure building? Ship a hacked iPhone there to a nonexistent employee and hope the device sits in the mailroom, scanning for nearby wireless connections. (which makes our 24/7 rogue cellphone and wifi location service all the more valuable to you)
How about stealing someone's computer passwords? Forget trying to fool the person into downloading a malicious program that logs keystrokes. A tiny microphone hidden near the keyboard could do the same thing, since each keystroke emits slightly different sounds that can be used to reconstruct the words the target is typing.

As technology gets cheaper and more powerful, from cellphones that act as personal computers to minuscule digital bugging devices, it's enabling a new wave of clever attacks that, if pulled off properly, can be as effective and less risky for thieves than traditional computer-intrusion tactics. (more)