Wednesday, August 11, 2010

Tire Pressure Sensor Surveillance - A Re-Tread

Researchers from Rutgers University and University of South Carolina have found that wireless communications between new cars and their tires can be intercepted or even forged...

The researchers will present their findings at the Usenix Security Symposium, being held this week in Washington D.C.

 The tire pressure monitoring systems (TPMS) consist of battery-powered radio frequency identification (RFID) tags on each tire, which can respond with the air pressure readings of the tire when wirelessly queried by an electronic control unit (ECU).

The researchers had found that each sensor has a unique 32-bit ID and that communication between the tag and the control unit was unencrypted, meaning it could be intercepted by third parties from as far away as forty meters. (more)

Readers of Kevin's Security Scrapbook were advised of this back in 2008. See Track My Treads - TPMS Privacy Blowout.

Sexting, Speeding Teens Beware the Ra-Parents

Parents Are Listening Services Inc., (has) developed a program to better allow parents to monitor the contents coming into their children's cellphones. (Launching in September.)

It's one of many companies developing software designed to alert parents when children and teenagers exchange lewd text messages, communicate with predatory adults or taunt each other via social-networking websites. Another feature aims to curb texting and driving by disabling the messaging feature in a moving vehicle...

WebSafety Inc., based in Irving, Texas, offers a similar monitoring program that's been available for five months. The company's software draws from a unique library of 6,000 phrases deemed inappropriate, including slang and online abbreviations.

The program can monitor text messages, emails, instant messages and updates to social-networking sites such as Facebook. By using the phone's Global Positioning System, or GPS, features, parents can also set up no-text zones, such as on school grounds, to prevent students from using their phones to cheat on tests or taunt classmates.

Both Kid Phone Advocate and WebSafety's application send alerts as emails or text messages to the parent's computer and phones. The programs typically run in the background, so children don't know the alerts are being sent out.

GoGoStat, from Schakra Inc. of Redmond, Wash., was created by a team of former Microsoft Corp. employees. Like the other mobile parental apps, GoGoStat monitors the messages children send and receive to each other on Facebook, as well as photos that are exchanged. The program, however, doesn't have to be installed on the computer or cellphone; the app runs within Facebook. (more)

Monday, August 9, 2010

Industrial espionage in the 500's shapes the world.

Industrial espionage can alter the wealth of a nation and thus its capacity to compete commercially and wage war. A great example of this took place around 550 CE, when Justinian I, leader of the Byzantine empire wanted to undo China’s historic domination of the silk trade and, at the same time, end the Persian control of this valuable commodity as the middlemen.

Justinian I was undeterred in wresting this information from China, which they protected under penalty of death. So he sent two Nestorian monks into China with the specific intent of conducting industrial espionage. While in China they observed how silk was produced and what the key ingredients were used in silk production. The monks took two hollowed out walking sticks with them (“concealment devices” in intelligence talk) and hid silk worms and mulberry bush seeds inside them — both essential for silk production.

The monks were stopped and searched repeatedly on their journey home. Nevertheless, they were successful in their quest: they single-handedly transferred the technology for silk production to the West and within a short period of time, the silk trade had been completely upended. Byzantium, and thus the Roman Empire, became the world leader in silk production, which is probably why my ties are made in Milan and not in Beijing.

This act of espionage changed trade throughout the world. (more)

Do not make the mistake of thinking industrial espionage is of little consequence. Call me, or the counterespionage specialist who sponsors Kevin's Security Scrapbook.

History also presents second version of this great espionage story. It is called "The Legend of the Silk Princess." You can listen to it here.

Industrial espionage in the 1700 & 1800's shapes the world.

Sarah Rose is the author of For All the Tea in China, which tells the true story of how tea and industrial espionage fueled the great expansion of the British Empire and the East India Company in the 1800s. The book focuses on one central character, Robert Fortune, who was a scientist sent by the British government to literally steal the secret of tea production from China, plant the Chinese tea in Darjeeling, and thus make the British Empire less reliant on trade with the Chinese and more self-sufficient by harvesting its own tea in colonial India. (more)

Britain and Europe were the leading industrial nations in 18th-century Europe. This text examines the rivalry which existed between the two nations and the methods used by France to obtain the skilled manpower and technology which had given Britain the edge, particularly in the new coal-based technologies. Despite the British Act of 1719 which outlawed industrial espionage and technology transfer, France continued to bring key industrial workers from Britain and to acquire British machinery and production methods. Drawing on archival material, John Harris investigates the nature and application of British laws and the attitudes of some major British industrialists to these issues. He also discusses the extent to which French espionage had any real success.

Lieven Bauwens (June 14, 1769, Ghent – March 17, 1822, Paris) was a Belgian entrepreneur industrial spy and who was sent to Great Britain at a young age and brought a spinning mule and skilled workers to the European continent. (more)

Smuggling or abduction were not the style of the pious Thomas Whitty of Axminster, although he was not averse to a spot of industrial espionage. Enthused by an entrepreneur's desire to produce faster, wider and cheaper, he visited London in 1755 and took lodgings at the Golden Lion in Fulham. There, he made the acquaintance of a weaver from the factory of Parisot and inveigled a tour of the premises. The knowledge he gleaned enabled him to start making similar carpet in Devon. Increasing competition wiped out Parisot. (more)

Francis Cabot Lowell saw an opportunity in cotton. On the advice of his doctor, in 1810 he took a trip to England to recuperate from his stress. Over the next two years, Lowell visited textile mills in booming Lancashire County and in Scotland, where he saw machines for weaving cloth that were technologically superior to those in America. The British knew this too; they'd made it illegal to let proprietary loom technology out of the country. Undeterred, Lowell memorized the design of the textile machines, and when he returned to New England in 1812, he began work on recreating them in Waltham, Mass. (more) Thanks to a combination of immigrant British technicians, patent infringements, industrial espionage, and local innovations, American power looms were on a par with the English machines by the end of the 1810s. (more)

Derby Industrial Museum, also known as The Silk Mill brothers, beside the, is a museum of industry and history in Derby, England. Between 1717 and 1721 George Sorocold built Britain’s first mill for the LombeRiver Derwent. This mill was built to house machines for "doubling" or twisting silk into thread. John Lombe copied the design for the machines used for spinning large quantities of silk, during a period spent in Italy, working within the Italian Silk Industry. This was possibly the first example of industrial espionage. (more)

Samuel Slater left England after serving as an apprentice at a “state-of-the-art” cotton mill. In the United States, Slater found eager buyers for the technology he had regarding the most modern techniques in use in England for wool and cotton production. With the information Slater brought, America became the world’s leading manufacturer of cotton which shifted wool and cotton production from Europe to the Americas, thus kick starting America’s Industrial Revolution. This single act of industrial espionage elevated this new country to international economic eminence in less than 50 years. (more)

According to presumptions the Chinese manufactured porcelain, which was filmy, yet outstandingly hard, as early as in the 7th century. Porcelain reached Europe only by the end of the 13th century and rapidly spread in the centuries to come without anyone knowing the secret of its production. It decorated the tables of sovereigns and noblemen, since they were the only ones who could afford it. The Chinese tried to mystify the secret even more by legends and myths. Since they enjoyed a monopoly in manufacturing porcelain, the price of china was very high for a very long time. The mystery of porcelain manufacturing was uncovered in Europe only in the 18th century. The secret reached Paris with the assistance of a Catholic priest, d'Entrecolles, who had served as a Jesuit missionary in China. The priest paid a visit to the centre of the royal porcelain manufacture (Kin Te-chen) where he carefully observed everything, then passed on his information to Europe in the form of letters. He gave minute accounts of his visit to the "secret city". He described the location of the city, the life of the potter families living there, and the security measures introduced, in detail. He carefully observed the process of porcelain production. In spite of the distrust of the Chinese authorities and the stringent security measures the priest managed to send a sample of china clay, (also called porcelain clay, or kaolin) one of the main basic raw materials of porcelain to Europe. (more)

Do not make the mistake of thinking industrial espionage is of little consequence. Call me, or the counterespionage specialist who sponsors Kevin's Security Scrapbook.

"We all prisoners, chickee-baby. We all locked in."

...the position of the Chinese leaders was that China can do no wrong. If Chinese espionage agents abroad were caught in the act, Beijing’s retort would claim false accusations to denigrate China. They would leave it to public memory to fade and forget about it. (more)

The public's memory does fade. Remember silk, gunpowder, porcelain, cloisonne enamel, the compass, Xuan paper, movable type, ink and tea? All became products of the world with the help of a little industrial espionage. All taken from China. What went around, is now going around. You know, "For the loser now will be later to win..." Espionage is just another of life's mandalas.

If you think you know who your competition is (or isn't), you'll be surprised. The winners keep proactively protective. The smug get their pockets picked.

Friday, August 6, 2010

GPS = Global Phone Snitch

via The Wall Street Journal...
Phone companies know where their customers' cellphones are, often within a radius of less than 100 feet. That tracking technology has rescued lost drivers, helped authorities find kidnap victims and let parents keep tabs on their kids.

But the technology isn't always used the way the phone company intends.

Technology is enhancing the reach of stalkers, allowing them to take advantage of location-based social networking applications. WSJ's Andy Jordan reports.

The allegations are a stark reminder of a largely hidden cost from the proliferation of sophisticated tracking technology in everyday life—a loss of privacy.

Global-positioning systems, called GPS, and other technologies used by phone companies have unexpectedly made it easier for abusers to track their victims. A U.S. Justice Department report last year estimated that more than 25,000 adults in the U.S. are victims of GPS stalking annually, including by cellphone.  

A spokesman for AT&T Inc. says it notifies all phone users when tracking functions are activated. (They send a text message upon initial activation. Useless if the stalker has the phone at that moment.) But users don't have the right to refuse to be tracked by the account holder. Turning off the phone stops the tracking. 

Courtesy Executrac Mobile GPS Tracker

Earlier this year, researchers with iSec Partners, a cyber-security firm, described in a report how anyone could track a phone within a tight radius. All that is required is the target person's cellphone number, a computer and some knowledge of how cellular networks work, said the report, which aimed to spotlight a security vulnerability.

...an unintended consequence of federal regulations that require cellphone makers to install GPS chips or other location technology in nearly all phones. The Federal Communications Commission required U.S. cellular providers to make at least 95% of the phones in their networks traceable by satellite or other technologies by the end of 2005. The agency's intention was to make it easier for people in emergencies to get help. GPS chips send signals to satellites that enable police and rescue workers to locate a person.

Craig Thompson, Retina-X's operations director, says the software (cell phone spyware) is meant to allow parents to track their kids and companies to keep tabs on phones their employees use. He says the company has sold 60,000 copies of MobileSpy. The company sometimes gets calls from people who complain they are being improperly tracked, he says, but it hasn't been able to verify any of the complaints. (Think they tried very hard?)

GPS-tracking systems provided by cellular carriers such as AT&T and Verizon Communications Inc. are activated remotely, by the carriers. (more)

Thursday, August 5, 2010

iAppalling

Several versions of Apple's iPhone, iPad, and iPod Touch have potentially serious security problems, a German government agency said in an official warning Wednesday.

Apple's iOS operating system has "two critical weak points for which no patch exists," the Federal Office for Information Security said.

Opening a manipulated website or a PDF file could allow criminals to spy on passwords, planners, photos, text messages, e-mails and even listen in to phone conversations, the agency said in a statement. "This allows potential attackers access to the complete system, including administrator rights," it added, urging users not to open PDF files on their mobile devices and only use trustworthy websites until Apple Inc. publishes a software update.

"It has to be expected that hackers will soon use the weak spots for attacks," it said, noting that the devices' popularity could lead to attacks within the corporate world — possibly facilitating industrial espionage. (more)

Wednesday, August 4, 2010

BlackBerry Squeezing Season

Indonesia considers joining a growing list of countries, including India, Saudi Arabia and the UAE in banning BlackBerry devices; Research in Motion is receiving increasing pressure to allow government access to data generated by the hand-held devices. (more)

Treat it Like a Social Disease - Don't Trust

Social engineering hackers -- people who trick employees into doing and saying things that they shouldn't -- took their best shot at the Fortune 500 during a contest at Defcon Friday and showed how easy it is to get people to talk, if only you tell the right lie. 

Contestants got IT staffers at major corporations, including Microsoft, Cisco Systems, Apple and Shell, to give up all sorts of information that could be used in a computer attack... The first two contestants made it look easy.

Wayne, a security consultant from Australia who wouldn't give his last name, was first up Friday morning. His mission: Get data from a major U.S. company.

Sitting behind a sound-proof booth before an audience, he connected with an IT call center and got an employee named Ledoi talking. Pretending to be a KPMG consultant doing an audit under deadline pressure, Wayne got Ledoi to spill details, big time... (more)

Security DIrector's Tip: This topic should be part of every employee's security briefing. (instant education)

Tuesday, August 3, 2010

The $1,500.00 Cell Phone Call Interceptor Demo'ed

Researcher Chris Paget pulled off a stunt at the Defcon security conference Saturday that required as much legal maneuvering as technical wizardry: eavesdropping on the cell phone calls of AT&T subscribers in front of thousands of admiring hackers.

With about $1,500 worth of hardware and open source software, Paget turned two on-stage antennas into a setup capable of spoofing the base stations that connect the GSM cell phone signals used by AT&T and T-Mobile. Paget set his hardware to impersonate an AT&T signal, and dozens of phones in the room connected to his fake base station. "As far as your cell phones are concerned, I'm now indistinguishable from AT&T," he told the crowd.

Paget invited anyone with an AT&T phone to make a call, and using his GSM hijacking trick, routed their calls through a voice-over-Internet system that connected their calls even while recording the audio to a USB stick--which he promptly destroyed with a pair of scissors to make sure he hadn't violated any privacy laws. The hack, after all, was intended to show the fundamental insecurity of GSM cell signals--not spy on callers. (more)

P.S. This works on G2 protocol systems, not G3.

The GSM Association responded in a statement that lists the limitations to Paget's method: the eavesdropper would have difficulties identifying or targeting any specific user, the interception only works within a certain range, in some cases, the call's encryption could prevent eavesdropping, and GSM phones are designed to alert users when encryption is removed by a base station. (Paget said in his talk that no device he's tested--including iPhone and Android phones--has had this option enabled.)

In summary, the GSM Association spokeswoman writes, "The overall advice for GSM calls and fixed line calls is the same. Neither has ever offered a guarantee of secure communications.  The great majority of users will make calls with no reason to fear that anyone might be listening.  However users with especially high security requirements should consider adding extra, end to end security features over the top of both their fixed line calls and their mobile calls."

Free CIA / Google App Tells Future

Google and the CIA are both investing in a company that monitors the web in real time.

The company is called Recorded Future, and it scours tens of thousands of websites, blogs and Twitter accounts to find the relationships between people, organizations, actions and incidents — both present and still-to-come. In a white paper, the company says its temporal analytics engine "goes beyond search" by "looking at the 'invisible links' between documents that talk about the same, or related, entities and events."

The idea is to figure out for each incident who was involved, where it happened and when it might go down. Recorded Future then plots that chatter, showing online "momentum" for any given event.

"The cool thing is, you can actually predict the curve, in many cases," says company CEO Christopher Ahlberg, a former Swedish Army Ranger with a PhD in computer science. (more

Want to see the future? Recorded Future will let you sign up for a free account ...but they already knew you would.

"Berry discriminating."

The BlackBerry -- renown for the security of its messaging -- doesn't offer 100 percent protection from eavesdropping. At least not in the United States.

U.S. law enforcement officials said they can tap into emails and other conversations made using the device, made by Research in Motion, as long as they have proper court orders.

RIM's willingness to grant authorities access to the messages of its clients is a hot-button issue. The United Arab Emirates claims it does not have the same kind of surveillance rights to BlackBerry messages as officials in the United States. It has threatened to clamp down on some services unless they get more access.

The exact details of the dispute remain unclear, but security experts say that many governments around the world enjoy the ability to monitor BlackBerry conversations as they do communications involving most types of mobile devices. (more)

Monday, August 2, 2010

...and the mouse was turned over to the ASPCA

MS — Two Mississippi men are facing charges after allegedly wrapping blocks of wood in duct tape and bubble wrap, attaching Toshiba labels to them and trying to pass them off as laptops. No one actually bought the fakes, but authorities in Hinds County have charged the men with trademark infringement and selling goods with counterfeit labels. (more)

Bugging, spy scandal rocks Safa leadership

South Africa - World Cup kingpin Danny Jordaan and three other soccer bosses have been having their movements tracked over the last few months without their knowledge.

Jordaan, who is the Local Organising Committee’s CEO; former SA Football Association (Safa) president Molefi Oliphant; vice-president Mandla Mazibuko; and CEO Leslie Sedibe discovered this month that monitoring devices had been secretly fitted to their cars...

Sedibe has commissioned an investigation to be conducted by an independent security expert...

Oliphant revealed to City Press that his phone had been bugged while he was still the Safa president. (more)

Sunday, August 1, 2010

Night of the living CrackBerry's

The United Arab Emirates said Sunday it will suspend some BlackBerry smartphone services from Oct. 11 amid an ongoing dispute with Canada's Research In Motion Ltd., the maker of the device, over the monitoring of data.

"With no solution available and in the public interest, in order to affect resolution of this issue, as of October 11, 2010, BlackBerry Messenger, BlackBerry Email and BlackBerry Web-browsing services will be suspended until an acceptable solution can be developed and applied," said Telecommunications Regulatory Authority Chief Mohamed Al Ghanim, according the emirates news agency, or WAM.

The U.A.E. government last week said Research in Motion's BlackBerry was a potential threat to national security, while an Indian government official said Indian security agencies have raised unspecified concerns about BlackBerry services.

Messages sent to and from a BlackBerry are processed at RIM's network operating center in Canada. They are encrypted on the device before being sent and remain encrypted until they reach their destination. 

A person familiar with the matter said a key problem is that the messenger service on BlackBerry is untraceable. (more)