...how to suck the brains out of a PC in 3 minutes or less – via sharp-ideas.net
The Scenario
An unauthorized visitor shows up after work hours disguised as a janitor and carrying an iPod (or similar portable storage device). He walks from computer to computer and "slurps" up all of the Microsoft Office files from each system. Within an hour he has acquired 20,000 files from over a dozen workstations. He returns home and uploads the files from his iPod to his PC. Using his handy desktop search program, he quickly finds the proprietary information that he was looking for.
Sound far fetched?
An experiment
I conducted an experiment to quantify approximately how long it takes to copy files from a PC to a removable storage device (iPod, thumbdrive, et cetera) if you have physical access. The quick answer: not very long.
I wrote a quick python application (slurp) to help automate the file copy process. Slurp searches for the "C:Documents and Settings" directory on local hard drives, recurses through all of the subdirectories, and copies all document files.
Using slurp.exe on my iPod, it took me 65 seconds to copy all document files (*.doc, *.xls, *.htm, *.url, *.xml, *.txt, etc.) off of my computer as a logged in user. Without a username and password I was able to use a boot CDROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds. (more... including a free "pod slurping" program you can try yourself!) (much more)
Monday, November 3, 2008
"What's that slurping sound I hear?"
India - A Bangalore-based construction company lost a multi-core tender by a thin margin. Baffled company officials vowed there was no way the rival firm could have come so near to their bid...
Computer forensic tests revealed somebody had accessed the Universal Serial Bus (USB) port to download the tender documents. What surprised the company's top heads was that one of their employees had used his iPod to download the data.
The data was then passed to the rival company for a price and to evade detection, the file was promptly deleted from the iPod. Investigators, however, retrieved it using advanced data-recovery software. (more) (how "pod slurping" is done)
This "pod slurp" didn't have to happen. Computers with especially sensitive data should have their ports and drives locked down. Don't know how? Call me, or any of my Geek Chorus Colleagues. Any of us can save you from going through an iPod high-jack.
More about "pod slurping", and an even scarier USB story. ~ Kevin
Computer forensic tests revealed somebody had accessed the Universal Serial Bus (USB) port to download the tender documents. What surprised the company's top heads was that one of their employees had used his iPod to download the data.
The data was then passed to the rival company for a price and to evade detection, the file was promptly deleted from the iPod. Investigators, however, retrieved it using advanced data-recovery software. (more) (how "pod slurping" is done)
This "pod slurp" didn't have to happen. Computers with especially sensitive data should have their ports and drives locked down. Don't know how? Call me, or any of my Geek Chorus Colleagues. Any of us can save you from going through an iPod high-jack.
More about "pod slurping", and an even scarier USB story. ~ Kevin
Dr. No, Goldfinger and Blofeld Are Now Real
via sciencedaily.com
Professor Richard J. Aldrich, Professor of International Security at University of Warwick, who has just been awarded a £447,000 grant from UK's Art and Humanities Research Council to examine 'Landscapes of Secrecy' says that the once improbable seeming villains in the Bond movies have become close to the real threats faced by modern security services.
"Remarkably, the Bond villains - including Dr. No, Goldfinger and Blofeld - have always been post-Cold War figures. Bond's enemies are in fact very close the real enemies of the last two decades - part master criminal - part arms smuggler - part terrorist - part warlord. They are always the miscreants of globalization, they endanger not only the security of single country, but the safety of the whole world. Like our modern enemies, they thrive on the gaps between sovereign states and thrive on secrecy." (more)
Food for thought. Corporate espionage attacks by freelance spies are now commonplace, too. If you sense problems in your company, or just have a few questions, give me a call. ~Kevin
Professor Richard J. Aldrich, Professor of International Security at University of Warwick, who has just been awarded a £447,000 grant from UK's Art and Humanities Research Council to examine 'Landscapes of Secrecy' says that the once improbable seeming villains in the Bond movies have become close to the real threats faced by modern security services.
"Remarkably, the Bond villains - including Dr. No, Goldfinger and Blofeld - have always been post-Cold War figures. Bond's enemies are in fact very close the real enemies of the last two decades - part master criminal - part arms smuggler - part terrorist - part warlord. They are always the miscreants of globalization, they endanger not only the security of single country, but the safety of the whole world. Like our modern enemies, they thrive on the gaps between sovereign states and thrive on secrecy." (more)
Food for thought. Corporate espionage attacks by freelance spies are now commonplace, too. If you sense problems in your company, or just have a few questions, give me a call. ~Kevin
Police Chief Accused of Tapping and Bugging
LA - Monroe Police Chief Ron Schleuter said Thursday he has not yet been served with a federal lawsuit filed against him by retired officer Paul Brown and officer Danny Pringle claiming the chief violated their privacy rights by using an illegal wiretap.
The lawsuit, filed Oct. 15, states that Schleuter "used electronic devices to surreptitiously intercept both the oral and wire communications to (the officers') co-employee ... at the Monroe Police Department." (more)
The lawsuit, filed Oct. 15, states that Schleuter "used electronic devices to surreptitiously intercept both the oral and wire communications to (the officers') co-employee ... at the Monroe Police Department." (more)
Spycam Story #489 - The Commish
PA - A former Cumberland County Commissioner has been charged in connection with the use of hidden surveillance throughout his home to videotape sexual encounters with young men, Attorney General Tom Corbett said.
Bruce Barclay, 49, of Mechanicsburg, served as a Cumberland County Commissioner from January 2004 to April 2008. (more) (video)
1/14/09 - UPDATE - A Brecknock Township man pleaded guilty Tuesday to falsely accusing a former Cumberland County commissioner of raping him.
William M. McCurdy, 21, of the 1100 block of Alleghenyville Road entered his plea to making false reports and unsworn falsification in Cumberland County Court.
McCurdy is free on bail pending sentencing in March by Judge Edward E. Guido. The charges carry penalties of up to three years in prison...
State police investigating the accusation uncovered hidden video-recording equipment in Barclay's home. Investigators said Barclay hired male prostitutes on a weekly basis and used the hidden cameras to secretly record more than 100 sexual encounters inside his house.
The videotapes refuted McCurdy's rape accusation, investigators said, but led to Barclay's arrest on charges of wiretapping and related offenses. (more)
Bruce Barclay, 49, of Mechanicsburg, served as a Cumberland County Commissioner from January 2004 to April 2008. (more) (video)
1/14/09 - UPDATE - A Brecknock Township man pleaded guilty Tuesday to falsely accusing a former Cumberland County commissioner of raping him.
William M. McCurdy, 21, of the 1100 block of Alleghenyville Road entered his plea to making false reports and unsworn falsification in Cumberland County Court.
McCurdy is free on bail pending sentencing in March by Judge Edward E. Guido. The charges carry penalties of up to three years in prison...
State police investigating the accusation uncovered hidden video-recording equipment in Barclay's home. Investigators said Barclay hired male prostitutes on a weekly basis and used the hidden cameras to secretly record more than 100 sexual encounters inside his house.
The videotapes refuted McCurdy's rape accusation, investigators said, but led to Barclay's arrest on charges of wiretapping and related offenses. (more)
Sunday, November 2, 2008
Spycam Story #488 - The Annoyed Ex
As always, there is more to this story, much more.
Guilty or innocent?
You decide.
New Zealand - An Auckland man has described a failed court case involving allegations of spying on his ex-wife with secret cameras as a joke and waste of taxpayer money.
The case against the man was dismissed last week after a judge ruled police had not been able to prove the charge of attempting to make an intimate visual recording.
The million-dollar home the man had shared with his wife was found to have small, infra-red surveillance cameras in the ceiling above the woman's bed when searched by a security firm.
The Herald on Sunday reported that the woman had hired the firm after suspecting someone was spying on her. (more)
Guilty or innocent?
You decide.
New Zealand - An Auckland man has described a failed court case involving allegations of spying on his ex-wife with secret cameras as a joke and waste of taxpayer money.
The case against the man was dismissed last week after a judge ruled police had not been able to prove the charge of attempting to make an intimate visual recording.
The million-dollar home the man had shared with his wife was found to have small, infra-red surveillance cameras in the ceiling above the woman's bed when searched by a security firm.
The Herald on Sunday reported that the woman had hired the firm after suspecting someone was spying on her. (more)
If they can 'see' your key, they can duplicate it!
High powered optics and a computer program is all that is needed to duplicate your keys according to three people at the University of California, San Diego...
"Our SNEAKEY system correctly decoded the keys shown in the above image that was taken from the rooftop of a four floor building. The inlay shows the image that was used for decoding while the background provides a context for the extreme distances that our system can operate from. In this case the image was taken from 195 feet. This demonstration shows that a motivated attacker can covertly steal a victim's keys without fear of detection. The SNEAKEY system provides a compelling example of how digital computing techniques can breach the security of even physical analog systems in the real-world. (their paper)
Moral: Don't leave your keys where others can "see" them. But, you already knew that.
"Our SNEAKEY system correctly decoded the keys shown in the above image that was taken from the rooftop of a four floor building. The inlay shows the image that was used for decoding while the background provides a context for the extreme distances that our system can operate from. In this case the image was taken from 195 feet. This demonstration shows that a motivated attacker can covertly steal a victim's keys without fear of detection. The SNEAKEY system provides a compelling example of how digital computing techniques can breach the security of even physical analog systems in the real-world. (their paper)
Moral: Don't leave your keys where others can "see" them. But, you already knew that.
Saturday, November 1, 2008
SpyCam Story #487 - Families vs. Carers
UK - A carer has been spared jail despite admitting the 'despicable' theft of cash from the home of a 77-year-old widow with Alzheimer's Disease. Michelle Bradshaw, aged 40, was caught after relatives of the pensioner marked notes in her purse with ultraviolet pen and set up a covert video camera. (more)
FutureWatch – This is the second story like this within two months. Carer steals from patient. Patient's family gets suspicious and installs hidden camera. Carer gets nailed. We see fewer bad nanny stories these days. Maybe spycams have them scared straight. Let's hope professional care givers get the message as well.
FutureWatch – This is the second story like this within two months. Carer steals from patient. Patient's family gets suspicious and installs hidden camera. Carer gets nailed. We see fewer bad nanny stories these days. Maybe spycams have them scared straight. Let's hope professional care givers get the message as well.
Thursday, October 30, 2008
Quote of the Day - Corporate Espionage
"...the episode serves as a reminder of just how extensive, sophisticated and sometimes ruthless corporate 'snooping' operations can become." ~Mike Hamilton, talking about the Dell - HP incident. (more)
Snooping on a Spouse's Emails - Crime or Tort?
via Martha L. Arias, Director, Internet Business Law Services...
We may not need scientific data to prove that with the increasing use of the Internet, men and women have eavesdropped, or considered eavesdropping, their spouse's e-mails.
Eavesdropping spouses' e-mails may constitute a crime under both federal and state law but careful factual analysis is required. For instance, the United States Code (U.S.C.), title 18- crimes related to interception of wire and electronic communications, may apply to e-mail eavesdropping but there must be an actual "interception" within the meaning of the statute. Also, most U.S. states have criminal statutes penalizing the interception or eavesdropping of electronic or telephonic communications; analysis of technical terms is also required in these cases.
Lastly, some state tort claims may apply to these snoopy conducts; it seems that these claims are easier to win.
18 U.S.C § 2512 makes it a crime to possess, manufacture, distribute, and advertise wire, oral, or electronic communication intercepting devices... A Michigan case illustrates how this federal statute and these state tort claims have been used in spouse cases involving e-mail eavesdropping. In Bailey v. Bailey (2008 U.S. Dist. LEXIS 8565), husband eavesdropped his wife's yahoo e-mail and found compromising information.
As the Bailey's case shows, typifying eavesdropping of e-mails within title 18 of the U.S.C. is not an easy task. Factual analysis and careful review of the term "interception" as interpreted by state law is required. If the spouse's conduct does not qualify as actual "interception," a claim under title 18 may not be successful. Torts claims of invasion of privacy may prove to be more victorious in e-mail eavesdropping cases. (more) (background) (18 U.S.C.)
We may not need scientific data to prove that with the increasing use of the Internet, men and women have eavesdropped, or considered eavesdropping, their spouse's e-mails.
Eavesdropping spouses' e-mails may constitute a crime under both federal and state law but careful factual analysis is required. For instance, the United States Code (U.S.C.), title 18- crimes related to interception of wire and electronic communications, may apply to e-mail eavesdropping but there must be an actual "interception" within the meaning of the statute. Also, most U.S. states have criminal statutes penalizing the interception or eavesdropping of electronic or telephonic communications; analysis of technical terms is also required in these cases.
Lastly, some state tort claims may apply to these snoopy conducts; it seems that these claims are easier to win.
18 U.S.C § 2512 makes it a crime to possess, manufacture, distribute, and advertise wire, oral, or electronic communication intercepting devices... A Michigan case illustrates how this federal statute and these state tort claims have been used in spouse cases involving e-mail eavesdropping. In Bailey v. Bailey (2008 U.S. Dist. LEXIS 8565), husband eavesdropped his wife's yahoo e-mail and found compromising information.
As the Bailey's case shows, typifying eavesdropping of e-mails within title 18 of the U.S.C. is not an easy task. Factual analysis and careful review of the term "interception" as interpreted by state law is required. If the spouse's conduct does not qualify as actual "interception," a claim under title 18 may not be successful. Torts claims of invasion of privacy may prove to be more victorious in e-mail eavesdropping cases. (more) (background) (18 U.S.C.)
Three Basics of Successful Security Policies
1. Unambiguous Rules – Put the policy in writing. Send out reminders. Make compliance easy.
Examples:
• Block off-limit web sites.
• Place shredders where they are needed.
• Configure Wi-Fi systems automatically force compliance.
2. Consequences – Educate employees about the consequences of poor security practice. Explain how it affects the company's stability, and consequently, their jobs. Establish consequences for not following the policy.
3. Unobtrusiveness – Do not establish a security policy which either hinders productivity, or is ultimately unenforceable. Find a better way to achieve the security goal. Work with employees and they will work with you. ~Kevin
Examples:
• Block off-limit web sites.
• Place shredders where they are needed.
• Configure Wi-Fi systems automatically force compliance.
2. Consequences – Educate employees about the consequences of poor security practice. Explain how it affects the company's stability, and consequently, their jobs. Establish consequences for not following the policy.
3. Unobtrusiveness – Do not establish a security policy which either hinders productivity, or is ultimately unenforceable. Find a better way to achieve the security goal. Work with employees and they will work with you. ~Kevin
When Private Conference Calls Go Public
The New York Times – and others – will listen to your private conference calls... if you let them.
Published in The New York Times this week...
"In point of fact, the dirty little secret of the banking industry is that it has no intention of using the money to make new loans. But this executive was the first insider who’s been indiscreet enough to say it within earshot of a journalist. (He didn’t mean to, of course, but I obtained the call-in number and listened to a recording.)" ~Joe Nocera, The New York Times (more)
When a corporate eavesdropping detection specialist tells you...
• Give each participant their own – one-time – passcode.
• Distribute conference call numbers and passcodes discretely.
• Do not send them via mass emails.
• Do not let admins post passcodes on their cubicle walls.
• Do advise all participants to keep the codes secret.
• Change the passcodes for reoccurring calls.
• Assign passcode distribution responsibility to one person.
Please listen.
...or, skip the call and buy The Times.
Next steps:
• Consider encryption for the call itself.
• Have the rooms/offices checked for bugs. (Sources: 1, 2)
Published in The New York Times this week...
"In point of fact, the dirty little secret of the banking industry is that it has no intention of using the money to make new loans. But this executive was the first insider who’s been indiscreet enough to say it within earshot of a journalist. (He didn’t mean to, of course, but I obtained the call-in number and listened to a recording.)" ~Joe Nocera, The New York Times (more)
When a corporate eavesdropping detection specialist tells you...
• Give each participant their own – one-time – passcode.
• Distribute conference call numbers and passcodes discretely.
• Do not send them via mass emails.
• Do not let admins post passcodes on their cubicle walls.
• Do advise all participants to keep the codes secret.
• Change the passcodes for reoccurring calls.
• Assign passcode distribution responsibility to one person.
Please listen.
...or, skip the call and buy The Times.
Next steps:
• Consider encryption for the call itself.
• Have the rooms/offices checked for bugs. (Sources: 1, 2)
Need a holiday present for a young one?
"50 Rules Kids Won't Learn in School: Real-World Antidotes to Feel-Good Education"
A sneak peek at Sykes’ sage advice:
1. Life is not fair. Get used to it.
7. If you think your teacher is tough, wait until you get a boss. He doesn’t have tenure, so he tends to be a bit edgier. When you screw up, he’s not going to ask you how you FEEL about it.
15. Flipping burgers is not beneath your dignity. Your grandparents had a different word for burger flipping. They called it “opportunity.”
42. Change the oil.
43. Don’t let the success of others depress you.
48. Tell yourself the story of your life. Have a point.
9. Your school may have done away with winners and losers. Life hasn’t.
14. Looking like a slut does not empower you.
29. Learn to deal with hypocrisy.
32. Television is not real life.
38. Look people in the eye when you meet them.
47. You are not perfect, and you don’t have to be.
50. Enjoy this while you can.
Sykes says the rules are a "blunt contrast to the thumb sucking, feel good infantilism that has become so common in American education and culture." (more) (more books by Sykes)
A sneak peek at Sykes’ sage advice:
1. Life is not fair. Get used to it.
7. If you think your teacher is tough, wait until you get a boss. He doesn’t have tenure, so he tends to be a bit edgier. When you screw up, he’s not going to ask you how you FEEL about it.
15. Flipping burgers is not beneath your dignity. Your grandparents had a different word for burger flipping. They called it “opportunity.”
42. Change the oil.
43. Don’t let the success of others depress you.
48. Tell yourself the story of your life. Have a point.
9. Your school may have done away with winners and losers. Life hasn’t.
14. Looking like a slut does not empower you.
29. Learn to deal with hypocrisy.
32. Television is not real life.
38. Look people in the eye when you meet them.
47. You are not perfect, and you don’t have to be.
50. Enjoy this while you can.
Sykes says the rules are a "blunt contrast to the thumb sucking, feel good infantilism that has become so common in American education and culture." (more) (more books by Sykes)
Tuesday, October 28, 2008
Enterprise Trade Secret Theft - Fight Back
Enterprises are stepping up efforts to counter spying operations that aim to steal their trade secrets, according to a former U.S. Federal Bureau of Investigation agent who now works for Xerox.
Companies such as Wal-Mart, DirecTV and Motorola have in recent years been victimized by employees or others who stole sensitive data, said David Drab, a principal in Xerox's information and content security services section. Drab spent 27 years in the FBI fighting organized crime and economic espionage.
"The payoffs are high and the risks of getting caught are low," Drab said.
A study by PricewaterhouseCoopers found that economic espionage costs the world's top 1,000 companies £22.4 billion (US$34.7 billion) annually, Drab said. Another study by the Society for Competitive Intelligence Professionals found companies spent $2 billion on spying activities in 2004. (more) (fight back)
Companies such as Wal-Mart, DirecTV and Motorola have in recent years been victimized by employees or others who stole sensitive data, said David Drab, a principal in Xerox's information and content security services section. Drab spent 27 years in the FBI fighting organized crime and economic espionage.
"The payoffs are high and the risks of getting caught are low," Drab said.
A study by PricewaterhouseCoopers found that economic espionage costs the world's top 1,000 companies £22.4 billion (US$34.7 billion) annually, Drab said. Another study by the Society for Competitive Intelligence Professionals found companies spent $2 billion on spying activities in 2004. (more) (fight back)
Monday, October 27, 2008
Charlie Can Now "Get Off Of That Train"
"Let me tell you the story
Of a man named Charlie
On a tragic and fateful day
He put ten cents in his pocket,
Kissed his wife and family
Went to ride on the MTA"
© Jacqueline Steiner, and B. Lomax-Hawes
The MBTA, Massachusetts Bay Transportation Authority (Boston subways and street trains) - made famous in this song for their fare increase - is on the hot seat again.
From our Esoteric Files... Back in early August, the Massachussetts Bay Transit Authority successfully prevented a small group of students from giving a presentation at DEFCON that would have highlighted failures in the CharlieCard RFID system that the MBTA currently uses. Although eventually overturned, the injunction and corresponding gag order that the MBTA was temporarily granted did prevent the students from giving their original presentation.
Now, ironically, it turns out that all the MBTA's effort was for nothing, as researchers based in the Netherlands have successfully cracked the MIFARE Classic crypotographic cipher that's currently used in multiple mass transit systems across the globe. (more) (presentation)
Of a man named Charlie
On a tragic and fateful day
He put ten cents in his pocket,
Kissed his wife and family
Went to ride on the MTA"
© Jacqueline Steiner, and B. Lomax-Hawes
The MBTA, Massachusetts Bay Transportation Authority (Boston subways and street trains) - made famous in this song for their fare increase - is on the hot seat again.
From our Esoteric Files... Back in early August, the Massachussetts Bay Transit Authority successfully prevented a small group of students from giving a presentation at DEFCON that would have highlighted failures in the CharlieCard RFID system that the MBTA currently uses. Although eventually overturned, the injunction and corresponding gag order that the MBTA was temporarily granted did prevent the students from giving their original presentation.
Now, ironically, it turns out that all the MBTA's effort was for nothing, as researchers based in the Netherlands have successfully cracked the MIFARE Classic crypotographic cipher that's currently used in multiple mass transit systems across the globe. (more) (presentation)
Subscribe to:
Posts (Atom)