Vero Beach Museum of Art’s
2009 Distinguished Professor Lecture Series
Feb. 18: George H. Gilliam, University of Virginia,
“Electronic Eavesdropping on the Presidents — and Living to Tell About It”
Wednesday, December 31, 2008
Budget Booster #493 - Economic Espionage, UP
"The Cold War is not over. It has merely moved into a new arena: the global marketplace." -- The U.S. Federal Bureau of Investigation
The U.S. Federal Bureau of Investigation also notes that foreign competitors try to find economic intelligence in three ways:
1. Aggressively targeting and recruiting susceptible people, often from the same national background, working for domestic companies and research institutions.
2. Hiring or bribing people to steal information, search through dumpsters and tap telephones.
3. Setting up seemingly innocent business relationships between foreign companies and domestic enterprises to gather economic intelligence including classified information.
During a recession, expect external and internal problem to increase...
Twelve Internal Spybusting Tips...
1. Recognize the threat. Economic espionage is more likely to happen if your business isn't prepared. Once the risk is acknowledged, management must take an active role in ensuring that the company puts into place tactics to effectively combat theft. Prime example.
2. Know the criminals' methods. Confidential information is often stolen, concealed or carried away. Data can be copied, duplicated, sketched, drawn, photographed, downloaded, uploaded, altered, destroyed, replicated, transmitted, delivered, mailed, communicated, or conveyed.
(Electronic eavesdropping is also common and very effective. Fortunately, you can discover it easily.)
3. Monitor database access logs. Many fraud detection engines can be used to keep an eye on the number of times a database is accessed, as well as the number of documents that are printed by each user.
4. Encrypt electronic files so that they cannot be read or taken off the premises.
5. Mark as confidential any sensitive documents, photographs and sketches.
6. Prohibit photocopying of trade secrets and other sensitive company information. Consider forbidding cameras on the premises, including those included in cell phones.
7. Remind departing employees during exit interviews of their obligations and your company's trade secret protection policies.
8. Warn all staff to change their passwords if there is the slightest chance they may have shared them with a former employee. Colleagues often share passwords even when that practice violates an enterprise's policy.
9. Coordinate denial to both the building and computer accounts as soon as an employee leaves the business. Let colleagues know a person has left the company. Otherwise, they might unwittingly allow a former employee on the premises.
10. Maintain logs of employees in the company who have rights to access trade secrets.
11. Review technical literature, service manuals, press releases and other material distributed outside the company. Similar reviews should be made of regulatory filings and patent applications. Watch what employees disclose at industry trade shows.
12. Consult with a forensic specialist to help your business set up the appropriate infrastructure to detect, classify and protect the intellectual property. Trade secrets are the core of your company. (more)
The U.S. Federal Bureau of Investigation also notes that foreign competitors try to find economic intelligence in three ways:
1. Aggressively targeting and recruiting susceptible people, often from the same national background, working for domestic companies and research institutions.
2. Hiring or bribing people to steal information, search through dumpsters and tap telephones.
3. Setting up seemingly innocent business relationships between foreign companies and domestic enterprises to gather economic intelligence including classified information.
During a recession, expect external and internal problem to increase...
Twelve Internal Spybusting Tips...
1. Recognize the threat. Economic espionage is more likely to happen if your business isn't prepared. Once the risk is acknowledged, management must take an active role in ensuring that the company puts into place tactics to effectively combat theft. Prime example.
2. Know the criminals' methods. Confidential information is often stolen, concealed or carried away. Data can be copied, duplicated, sketched, drawn, photographed, downloaded, uploaded, altered, destroyed, replicated, transmitted, delivered, mailed, communicated, or conveyed.
(Electronic eavesdropping is also common and very effective. Fortunately, you can discover it easily.)
3. Monitor database access logs. Many fraud detection engines can be used to keep an eye on the number of times a database is accessed, as well as the number of documents that are printed by each user.
4. Encrypt electronic files so that they cannot be read or taken off the premises.
5. Mark as confidential any sensitive documents, photographs and sketches.
6. Prohibit photocopying of trade secrets and other sensitive company information. Consider forbidding cameras on the premises, including those included in cell phones.
7. Remind departing employees during exit interviews of their obligations and your company's trade secret protection policies.
8. Warn all staff to change their passwords if there is the slightest chance they may have shared them with a former employee. Colleagues often share passwords even when that practice violates an enterprise's policy.
9. Coordinate denial to both the building and computer accounts as soon as an employee leaves the business. Let colleagues know a person has left the company. Otherwise, they might unwittingly allow a former employee on the premises.
10. Maintain logs of employees in the company who have rights to access trade secrets.
11. Review technical literature, service manuals, press releases and other material distributed outside the company. Similar reviews should be made of regulatory filings and patent applications. Watch what employees disclose at industry trade shows.
12. Consult with a forensic specialist to help your business set up the appropriate infrastructure to detect, classify and protect the intellectual property. Trade secrets are the core of your company. (more)
Occam's razor & TSCM
Occam's razor - a 14th Century principle which states that the explanation of any phenomenon should make as few assumptions as possible. Good advice.
These days Occam's razor is often - incorrectly - paraphrased as, "All things being equal, the simplest solution is the best." Wrong, because a simple phenomenon - like information loss - may be complex in structure.
Occam's razor is more correctly interpreted as, "Simplify. Consider just essential and relevant elements. Exclude assumptions."
This is the basis of Murray Associates security consulting philosophy.
Historically...
1. Most information losses are caused by people - insiders, not spies.
2. Some information losses are caused by poor security - unlocked desks, not picked locks.
3. A few information losses (the worst, and easiest to discover) are technical - bugs in rooms, not laser beams bounced off windows.
Practical prioritization...
1. Before you accuse people, eliminate the eavesdropping possibility.
2. While doing this, conduct an information security audit.
Upon completion, pin-pointing problem people and bolstering defenses is easy.
It pays to think before acting; plan before spending money.
Let's plan.
~Kevin
These days Occam's razor is often - incorrectly - paraphrased as, "All things being equal, the simplest solution is the best." Wrong, because a simple phenomenon - like information loss - may be complex in structure.
Occam's razor is more correctly interpreted as, "Simplify. Consider just essential and relevant elements. Exclude assumptions."
This is the basis of Murray Associates security consulting philosophy.
Historically...
1. Most information losses are caused by people - insiders, not spies.
2. Some information losses are caused by poor security - unlocked desks, not picked locks.
3. A few information losses (the worst, and easiest to discover) are technical - bugs in rooms, not laser beams bounced off windows.
Practical prioritization...
1. Before you accuse people, eliminate the eavesdropping possibility.
2. While doing this, conduct an information security audit.
Upon completion, pin-pointing problem people and bolstering defenses is easy.
It pays to think before acting; plan before spending money.
Let's plan.
~Kevin
NSA patents a way to spot network snoops
The U.S. National Security Agency has patented a technique for figuring out whether someone is tampering with network communication.
The NSA's software does this by measuring the amount of time the network takes to send different types of data from one computer to another and raising a red flag if something takes too long, according to the patent filing. (more)
The first thing that everyone asks is, "If this was developed with taxpayer money..."
Calm down, your two cents were taken into consideration.
If you are an American taxpayer, you own a piece of this...
Assignee: The United States of America as represented by the Director, National Security Agency (Washington, DC)
The NSA's software does this by measuring the amount of time the network takes to send different types of data from one computer to another and raising a red flag if something takes too long, according to the patent filing. (more)
The first thing that everyone asks is, "If this was developed with taxpayer money..."
Calm down, your two cents were taken into consideration.
If you are an American taxpayer, you own a piece of this...
Assignee: The United States of America as represented by the Director, National Security Agency (Washington, DC)
"Are there any entry-level TSCM jobs?"
Not very many,
but here is one...
PRINCIPAL DUTIES AND RESPONSIBILITIES
The Technical Security Specialist responsibilities including, but not limited to:
• Review and make recommendations for technical security upgrades design based on counter-threat plans, physical security and technical security policies.
• Providing support services for a comprehensive technical security program designed to protect facilities and employees. Assists in developing and reviewing technical security designs for facilities. Providing input/review of proposed policies.
• Working under the direction of a Sr. TSCM specialist, to advise, and assist program office personnel on matters of technical security policy, procedures, and regulations.
• Conducting technical security needs surveys for preventing unauthorized access to facilities and possible loss of life or classified information. Providing a report of findings for each survey conducted...
REQUIREMENTS
The Technical Security Specialist shall possess the following background, knowledge, and skills... (more)
but here is one...
PRINCIPAL DUTIES AND RESPONSIBILITIES
The Technical Security Specialist responsibilities including, but not limited to:
• Review and make recommendations for technical security upgrades design based on counter-threat plans, physical security and technical security policies.
• Providing support services for a comprehensive technical security program designed to protect facilities and employees. Assists in developing and reviewing technical security designs for facilities. Providing input/review of proposed policies.
• Working under the direction of a Sr. TSCM specialist, to advise, and assist program office personnel on matters of technical security policy, procedures, and regulations.
• Conducting technical security needs surveys for preventing unauthorized access to facilities and possible loss of life or classified information. Providing a report of findings for each survey conducted...
REQUIREMENTS
The Technical Security Specialist shall possess the following background, knowledge, and skills... (more)
Tuesday, December 30, 2008
1957 - How To Tap A Phone
Over 50 years ago, Mechanix Illustrated magazine promised us flying cars and ways to tap phones.
Guess which one people-of-the-21st-Century are doing today...
"There are many ways to tap a phone... used to great advantage at home or in the office." (more)
Guess which one people-of-the-21st-Century are doing today...
"There are many ways to tap a phone... used to great advantage at home or in the office." (more)
Alert: DECT Hacked
Heise Security is reporting that... researchers in Europe's dedected.org group have published an article (pdf) showing how to eavesdrop on DECT transmissions, using a PC-Card costing only EUR 23. The DECT protocol is the world's most popular wireless telephony protocol. The standard is also used in baby monitors, emergency call and door opening systems, wireless debit card readers and even traffic management systems. There are hundreds of millions of terminals using the DECT standard. Also announced, the next version of the WLAN sniffer, Kismet, will support DECT, thereby rendering tricks with laptop cards superfluous. (more)
Labels:
data,
DECT,
eavesdropping,
Hack,
product,
wireless,
wiretapping
Rare: A Bugger Speaks Out About His Craft
Today, the technologies for communications monitoring and recording conversations are so advanced, practically unnoticeable, and easily available...
An electronics technician from Skopje (Macedonia) who is selling these devices has had a very unpleasant experience with the victims of his clients. He insisted that we do not publish his name.
I’m only making these devices, and I am not responsible for how people are using them. My “bug” has a range of 50 meters, and the recording can also be heard on a mobile phone. It is recording excellent on an FM-radio frequency, except when waves from the radio stations in Skopje are causing interference – he says, while showing us the small transmitter...
“A professor from a gymnasium in Skopje called me. I could feel the anger in his voice. He caught his students cheating during an exam by using my “bug”. What can I say; I am not encouraging children to do this. I also explained to him that there are also other young electronics technicians, who are manufacturing transmitters” he said.
Let me be clear, I am not selling these devices so that they could be abused. Some people are using my “bugs” to discover marital infidelities. Sometimes people are calling me, as if I had placed the device. I want these devices to be used for noble purposes, so that mothers could hear their babies crying, for instance. I am even prepared to give one of my bugs to each mother with twins, he added.
The devices of the Macedonian electronics technician are just part of the technological array of devices that can be used for eavesdropping. Almost all of the mobile phones have voice recorders. The new voice recorders are so small that they can be hidden in one’s sleeve. Online store “e-Bay” and other websites are selling mobile phones worth up to 1,000 euros that can be used to eavesdrop on other mobile phones. Hacker websites on the Internet are offering small programs for free, that can be sent via e-mail, that are afterwards sending back usernames and passwords of the email’s user to the original sender. The list is quite long. There are even so called “spy shops” in the USA. (more)
An electronics technician from Skopje (Macedonia) who is selling these devices has had a very unpleasant experience with the victims of his clients. He insisted that we do not publish his name.
I’m only making these devices, and I am not responsible for how people are using them. My “bug” has a range of 50 meters, and the recording can also be heard on a mobile phone. It is recording excellent on an FM-radio frequency, except when waves from the radio stations in Skopje are causing interference – he says, while showing us the small transmitter...
“A professor from a gymnasium in Skopje called me. I could feel the anger in his voice. He caught his students cheating during an exam by using my “bug”. What can I say; I am not encouraging children to do this. I also explained to him that there are also other young electronics technicians, who are manufacturing transmitters” he said.
Let me be clear, I am not selling these devices so that they could be abused. Some people are using my “bugs” to discover marital infidelities. Sometimes people are calling me, as if I had placed the device. I want these devices to be used for noble purposes, so that mothers could hear their babies crying, for instance. I am even prepared to give one of my bugs to each mother with twins, he added.
The devices of the Macedonian electronics technician are just part of the technological array of devices that can be used for eavesdropping. Almost all of the mobile phones have voice recorders. The new voice recorders are so small that they can be hidden in one’s sleeve. Online store “e-Bay” and other websites are selling mobile phones worth up to 1,000 euros that can be used to eavesdrop on other mobile phones. Hacker websites on the Internet are offering small programs for free, that can be sent via e-mail, that are afterwards sending back usernames and passwords of the email’s user to the original sender. The list is quite long. There are even so called “spy shops” in the USA. (more)
Monday, December 29, 2008
Security Budget Cuts Cost More Than They Save
• "If it were to become manifest just how routinely hugely sensitive corporate and governmental data is being hacked, I can guarantee that none of us would rest easy in our beds again."
• "Sixty percent of office workers faced with redundancy or the sack admit they will take valuable data with them, if they could get away with it! 40% are downloading sensitive company secrets right now under their bosses nose in anticipation that they could lose their job."
• "Sixty-two percent of workers admitted it was easy to sneak company information out of the office."
• "In the wake of the recession, more businesses are facing a growing financial threat: employee theft. New research shows that employers are seeing an increase in internal crimes..."
• "More than half the workers surveyed who admitted to already downloading competitive corporate data said they would use it as a negotiating tool to secure their next post because they know the information will be useful to future employers."
To read the whole story behind each of these quotes, visit: interopsgroup.com
• "Sixty percent of office workers faced with redundancy or the sack admit they will take valuable data with them, if they could get away with it! 40% are downloading sensitive company secrets right now under their bosses nose in anticipation that they could lose their job."
• "Sixty-two percent of workers admitted it was easy to sneak company information out of the office."
• "In the wake of the recession, more businesses are facing a growing financial threat: employee theft. New research shows that employers are seeing an increase in internal crimes..."
• "More than half the workers surveyed who admitted to already downloading competitive corporate data said they would use it as a negotiating tool to secure their next post because they know the information will be useful to future employers."
To read the whole story behind each of these quotes, visit: interopsgroup.com
Thus proving, if they can read, they can spy...
"Password guessing is hard work. Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access? If an attacker is able to eavesdrop on Windows login exchanges, this approach can spare a lot of random guesswork. There are three flavors of eavesdropping attacks against Windows: LM, NTLM, and Kerberos.
The most capable of these programs is Cain, which seamlessly integrates password sniffing and cracking of all available Windows dialects (including LM, NTLM, and Kerberos) via brute force, dictionary, and Rainbow cracking techniques..." (more)
Excerpt from the 10th anniversary (6th edition) of Hacking Exposed, published by McGraw-Hill/Osborne, "The World's Best Selling Computer Security Book." That's a lot of spy potential.
The most capable of these programs is Cain, which seamlessly integrates password sniffing and cracking of all available Windows dialects (including LM, NTLM, and Kerberos) via brute force, dictionary, and Rainbow cracking techniques..." (more)
Excerpt from the 10th anniversary (6th edition) of Hacking Exposed, published by McGraw-Hill/Osborne, "The World's Best Selling Computer Security Book." That's a lot of spy potential.
iPhone Warning
report via the33tv.com...
It seems the Apple iPhone is everywhere. However, an iPhone can become a Spyphone allowing others to secretly monitor the user's calling, web browsing and texting. Mobile Spy is iPhone monitoring software that can now be downloaded...
An attorney has some fears about it.
Clint David said,"What it's really for is monitoring spouses and girlfriends. That's fine, there's only one problem. If you use this product improperly it's a federal and state criminal offense. It's called wiretapping. ... If that special someone gives you an iPhone you want to make sure that it's not booby trapped and if you want to want to make sure that iPhone it's really a spyphone." (more)
Although iPhone was discussed here, the same applies to other smart cell phones as well.
Spybusters Tip #387
Keep in mind that this only for 2nd generation iPhones (3G), and it only let's the spy see a log of calls and SMS text messages. There is no eavesdropping on the call itself. Installation requires "jailbreaking" the iPhone first.
The manufacturer's spyware removal instructions.
(Not yet updated to include iPhone, but should be soon.)
~ Kevin
It seems the Apple iPhone is everywhere. However, an iPhone can become a Spyphone allowing others to secretly monitor the user's calling, web browsing and texting. Mobile Spy is iPhone monitoring software that can now be downloaded...
An attorney has some fears about it.
Clint David said,"What it's really for is monitoring spouses and girlfriends. That's fine, there's only one problem. If you use this product improperly it's a federal and state criminal offense. It's called wiretapping. ... If that special someone gives you an iPhone you want to make sure that it's not booby trapped and if you want to want to make sure that iPhone it's really a spyphone." (more)
Although iPhone was discussed here, the same applies to other smart cell phones as well.
Spybusters Tip #387
Keep in mind that this only for 2nd generation iPhones (3G), and it only let's the spy see a log of calls and SMS text messages. There is no eavesdropping on the call itself. Installation requires "jailbreaking" the iPhone first.
The manufacturer's spyware removal instructions.
(Not yet updated to include iPhone, but should be soon.)
~ Kevin
Travel Alert: Bugs & Wiretaps in Turkey
Turkey - Head of the Computer Engineering Department of Gazi University, Professor Şeref Sağıroğlu, warned against the high risk of being bugged in Turkey and the abundance of wiretapping programs used to this end.
"Wiretapping programs are ordered over the Internet in Turkey. They are sent to your address for $45. Anybody may find computer keyboards used for bugging purposes for YTL 800. Wiretapping earphones are only YTL 1,200. There are more than 500 wiretapping programs in Internet and can be downloaded for free," Sağıroğlu claimed while briefing a parliamentary commission established to examine allegations that a top Republican People's Party (CHP) member had been bugged. (more)
"Wiretapping programs are ordered over the Internet in Turkey. They are sent to your address for $45. Anybody may find computer keyboards used for bugging purposes for YTL 800. Wiretapping earphones are only YTL 1,200. There are more than 500 wiretapping programs in Internet and can be downloaded for free," Sağıroğlu claimed while briefing a parliamentary commission established to examine allegations that a top Republican People's Party (CHP) member had been bugged. (more)
Saturday, December 27, 2008
On spying on teenagers:
via the Washington Post...
On spying on teenagers: The sooner children learn that electronic communications are not private, the better off they will be... I tell my children that I will review their computer and cellphone communications routinely, as may school administrators, coaches, employers, potential employers, college admissions officers and law enforcement officials. If my kids don't want me to read it, then they shouldn't type it. If they don't want their grandmother to see it, then they shouldn't write it. Or, if they don't want 46 million people to see a message, they shouldn't post it on a Web site... It's not spying. It's raising your children to act responsibly in our electronic world. Teach children not to expect privacy on the computer or their cellphones. (more)
On spying on teenagers: The sooner children learn that electronic communications are not private, the better off they will be... I tell my children that I will review their computer and cellphone communications routinely, as may school administrators, coaches, employers, potential employers, college admissions officers and law enforcement officials. If my kids don't want me to read it, then they shouldn't type it. If they don't want their grandmother to see it, then they shouldn't write it. Or, if they don't want 46 million people to see a message, they shouldn't post it on a Web site... It's not spying. It's raising your children to act responsibly in our electronic world. Teach children not to expect privacy on the computer or their cellphones. (more)
Confession: Police Admit Mistake
Police acknowledge bugging minister
UK - Police in England are accused of overstepping their bounds by detaining Member of Parliament Damian Green, a shadow immigration minister. Officers were investigating a leak from the Home Office... The Metropolitan Police confirmed that Green's interview was tape recorded without his knowledge but with the best of intentions. (more)
UK - Police in England are accused of overstepping their bounds by detaining Member of Parliament Damian Green, a shadow immigration minister. Officers were investigating a leak from the Home Office... The Metropolitan Police confirmed that Green's interview was tape recorded without his knowledge but with the best of intentions. (more)
Confession: Police Admit Mistake II
UK - Police have admitted they acted wrongly during an operation... Officers set up spy cameras in a convenience in New Brighton last year after attendants reported concerns about the behaviour of some men using it. After a series of high-visibility patrols, police hid the two tiny cameras in the urinal area of the toilets, one at head and one at waist height. Cameras were also set up outside the Harrison Drive block to detect car registration numbers. ...chiefs said things would be done differently next time. (more)
Subscribe to:
Posts (Atom)