Monday, March 28, 2011

"Have you ever been the victim of..." poll results.

Kevin's Security Scrapbook has been running this poll for several months now. It is a follow-up to a similar poll we ran a few years ago. Time to look at the results.

Not much has changed. No one surveillance tactic is more popular than another. People will use any tool or tactic that does the job.
This parallels our corporate counterespionage field experience.

Thanks to all who shared their experience with us. ~Kevin


Export, eh... or, The PC is Smokin'

Dumpster diving isn't something Saskatchewan's privacy commissioner makes a habit of, but this time Gary Dickson says he was left with little choice.

Dickson and two assistants had to wade through a massive recycling dumpster this week to recover medical files. They sorted through paper more than 1 1/2 metres deep after getting a tip directing them to the container behind the Golden Mile Shopping Centre in Regina... "So we seized all of this stuff immediately and the only way we could do that was getting into the recycling bin."

It took a couple of hours to go through the dumpster. Dickson estimates they found more than 1,000 files that should have been shredded.

Whoever tossed the files had to know what they were, he said.

The commissioner said doctors, regional health authorities and other health professionals have long been told to follow Saskatchewan's Health Information Protection Act. The act says trustees have to safeguard personal health information in their custody.

There are fines of $50,000 for individuals and $500,000 for organizations for breaching the act. (more)

A shredder is beginning to look like a bargain, Doc.

Sunday, March 27, 2011

The Case of the Bugging Barrister

South Africa - A PIETERMARITZBURG advocate (attorney) who is already under investigation in connection with the alleged theft of a hard drive from the CCTV surveillance system at the Pietermaritzburg advocates’ chambers last year, is now being investigated by police in connection with a bugging device alleged to have been planted in chambers.

The Witness (newspaper) has reliably learnt that a listening device was discovered in a ceiling in the office of the bar administrator at the advocates’ chambers on Monday this week, after police obtained a warrant to search the premises.

It is believed police also seized the computer hard drive of the computer belonging to the advocate in question.

It was alleged that she instructed an employee of a local surveillance systems company to remove the hard drive and replace it with a new one on a pretext that he had been authorised to do so by another advocate. The motive for the alleged theft is not known. (Three guesses, the first two don't count.) (more)

It’s Tracking Your Every Move

As a German Green party politician, Malte Spitz, recently learned, we are already continually being tracked whether we volunteer to be or not. Cellphone companies do not typically divulge how much information they collect, so Mr. Spitz went to court to find out exactly what his cellphone company, Deutsche Telekom, knew about his whereabouts.

The results were astounding. In a six-month period — from Aug. 31, 2009, to Feb. 28, 2010 — Deutsche Telekom had recorded and saved his longitude and latitude coordinates more than 35,000 times. It traced him from a train on the way to Erlangen at the start through to that last night, when he was home in Berlin.

Mr. Spitz has provided a rare glimpse — an unprecedented one, privacy experts say — of what is being collected as we walk around with our phones. Unlike many online services and Web sites that must send “cookies” to a user’s computer to try to link its traffic to a specific person, cellphone companies simply have to sit back and hit “record.” (more)

Saturday, March 26, 2011

Let's hope it's also blue under the hotel carpeting...

via the BBC...
A rare photo, released by the White House, shows Barack Obama fielding calls from a tent in Brazil, to keep up with events in Libya. The tent is a mobile secure area known as a Sensitive Compartmented Information Facility, designed to allow officials to have top secret discussions on the move.

They are one of the safest places in the world to have a conversation.

Designed to withstand eavesdropping, phone tapping and computer hacking, Sensitive Compartmented Information Facilities - also known as SCIFs - are protected areas where classified conversations can be held...

A photo released by the White House showed the president and advisers gathered around a video phone, inside what looked like a standard blue tent, erected on the hotel's floral carpets. (more)

SMS-CB - A Cell Phone Feature that Could Save Your Life

The Brilliant Cell Phone Security Feature That We Still Don't Have.
via TechnologyReview.Com...
"Cell broadcast" technology is a largely dormant part of many cell-phone network standards.

Japanese who carry phones serviced by NTT Docomo, Japan's dominant cell phone carrier, can opt to have alerts about earthquakes pushed directly to their phones. The technology that makes this possible, the Area Mail Disaster Information Service, is designed to deliver detailed alerts as quickly as possible.

This service is uniquely enabled by a little-known technology known as Cell Broadcast, or SMS-CB. It's totally unlike traditional, point-to-point SMS, in that it can be broadcast directly from cell towers to every phone in range and does not use more bandwidth when sent to more users. In this way it's just like an over-the-air television or radio broadcast, where bandwidth requirements do not increase as more users receive a signal.

This is extremely important in the event of a disaster: According to Israeli SMS-CB company eViglio, cell broadcast has the potential to reach millions of users in seconds in an inherently geo-targeted fashion, whereas trying to reach the same number of users via traditional SMS would swamp the network, slowing the delivery of messages to a crawl.

Tsunami Alerts Not Yet Implemented

It appears that Japan's Area Mail Disaster Information Service has not yet been equipped to warn of tsunamis. The abstract of an eerily prescient paper from 2009, "A Proposal of Tsunami Warning System Using Area Mail Disaster Information Service on Mobile Phones" opens with the line:

The earthquake with the seismic center around the coast of Miyagi prefecture and the oceanic trench of southern Sanriku is expected to occur with high probability. [...] Consequently, a system is required that prefectures, cities, towns and villages collect swiftly and accurately the tsunami monitoring information that is necessary for evacuation behavior, relief and recovery activities, and deliver and share to the local residents.

Sendai, the city most profoundly devastated by last week's tsunami, is in Miyagi prefecture -- the same one mentioned in the abstract... (more)

So why don't we have it in the United States yet?
Tom Fahey of a company called CellCast Technologies... tells us that the United States is moving toward this capability with the system scheduled to go live in April of next year. This is after President Bush approved the plan in 2006. Fahey says that it has taken that long for wireless carriers to agree upon and implement a set of standards to make this happen. (more) (FCC Fact Sheet)

All right, who muttered "negligence"?

SpyCam Story #605 - Attention K-Mart Shopper!

Police in Georgia said they arrested a man who allegedly followed a woman around a Kmart store while filming her backside.

Cobb County police said Alejandro Paniagua Pretega, 28, followed the woman around the Mableton Kmart for several minutes just after 1:30 p.m. EDT Tuesday while filming her rear... A witness said Pretega attempted to film up the woman's skirt without her knowledge.

Pretega was arrested on a felony eavesdropping count and ordered held in the Cobb County jail without bond due to an immigration hold. (more)

Saturday, March 19, 2011

Hacker Wins on Technicality

The Netherlands - Breaking into an encrypted router and using the WiFi connection is not a criminal offence, a Dutch court ruled. WiFi hackers cannot be prosecuted for breaching router security.

A court in The Hague ruled earlier this month that it is legal to break WiFi security to use the internet connection. The court also decided that piggybacking on open WiFi networks in bars and hotels cannot be prosecuted. In many countries both actions are illegal and can result in fines.

The ruling is linked to a case of a student who threatened to shoot down everyone at the Maerlant College in The Hague, a high school. He posted a threat on the internet message board 4chan.org using a WiFi connection that he broke into. The student was convicted for posting the message and sentenced to 20 hours of community service, but he was acquitted of the WiFi hacking charges.

The judge reasoned that the student didn't gain access to the computer connected to the router, but only used the router's internet connection. Under Dutch law, breaking into a computer is forbidden. (more)

Spooks' secret TEMPEST-busting tech reinvented by US student

A mysterious secret technology, apparently in use by the British intelligence services in an undisclosed role, has been reinvented by a graduate student in America. Full details of the working principles are now available.

...If you had the through-metal technology now reinvented by Lawry, however, your intruder – inside mole or cleaner or pizza delivery, whatever – could stick an unobtrusive device to a suitable bit of structure inside the Faraday cage of shielding where it would be unlikely to be found. A surveillance team outside the cage could stick the other half of the kit to the same piece of metal (perhaps a structural I-beam, for instance, or the hull of a ship) and they would then have an electronic ear inside the opposition's unbreachable Faraday citadel, one which would need no battery changes and could potentially stay in operation for years.

Spooks might use such techniques even where there was no Faraday cage, simply to avoid the need for battery changes and detectable/jammable radio transmissions in ordinary audio or video bugs.

Naturally, if you knew how such equipment worked you might be able to detect or block it – hence the understandable plea from the British spooks to BAE to keep the details under wraps.

Unfortunately for the spooks, Lawry has now blown the gaff: his equipment works using ultrasound. His piezo-electric transducers send data at no less than 12 megabytes a second, plus 50 watts of power, through 2.5 inches of steel – and Lawry is confident that this could easily be improved upon. It seems certain that performance could be traded for range, to deal with the circumstances faced by surveillance operatives rather than submarine designers. (more) (video 1) (video 2)

Alert - APT Strikes EMC

The RSA Security division of the EMC Corporation said Thursday that it had suffered a sophisticated data breach, potentially compromising computer security products widely used by corporations and governments...

RSA, which is based in Bedford, Mass., posted an urgent message on its Web site on Thursday referring to an open letter from its chairman, Art Coviello. The letter acknowledged that the company had suffered from an intrusion Mr. Coviello described as an “advanced persistent threat.” (more)

The breach is serious, but more interesting is the use of the term “advanced persistent threat.” Sounds like a genetically altered mosquito. Good analogy.

infoworld.com gives us their definition... 
"Intruders engaging in APT-style attacks represent well-organized, well-funded groups -- often located in a "safe harbor" country -- and they're out to steal a company's intellectual property. They aren't out for quick financial gain like cyber criminals; they're in it for the long haul. Their dream assignment is to essentially duplicate their victim's best ideas and products in their own homeland, or to sell the information they've purloined to the highest bidder."

In other words, foreign governments.

Computer hacking is only one technique in their bag of spy tricks. If you spot this type of hacker probing your defenses, better give us a call.

Friday, March 18, 2011

Security Director Alert - E-data Disposal

Stories like this one pop up with unusual regularity, but this one hits close to home...
There was a story today in the New York Times about New Jersey State Comptroller Matthew Boxer's discovery during an audit of surplus state computers slated for auction that 79% of them still had readily accessible information on their hard drives.

Information was found on 46 of the 58 computers scheduled to be sold, and on 32 of those 46, the information found was highly personal in nature that should have never been made public.

For instance, one computer - a laptop - had been used by a judge, and "contained confidential memos the judge had written about possible misconduct by two lawyers, and the emotional problems of a third," the Times article stated. Personal financial information about the judge, including tax returns, were also found on the laptop. (more) (video about photocopier drives)

Questions to ask...
What happens to my company's old hard drives? (sold, auctioned, recycled, returned to lessor, donated)
Do I even know where all of them are? (desktops, laptops, photocopy print centers, tablets)
What about other old media? (old floppies, CDs, DVDs, smart cell phones, x-rays, videotapes, product samples, prototypes, old promotional materials)

Tip: This is not the IT department's job. It's a security issue. It's security's job. "Erasing," "degaussing," and even "smashing" are not good enough to protect the most sensitive information. Keep your hard drives. Give the leasing company the money for a new one. Then crosscut shred your e-media. (Hey, you do it for your sensitive waste paper.)

I was talking to Kevin Kane and Jason Moorhouse, two sharp guys from the Shredit company, yesterday and learned that they operate globally and have shredders that can even handle old refrigerators! 

In case you need an additional reason to shred e-media, I also learned that non-compliance with HIPAA regulations, for example, can bring heavy fines and even jail time. So, gather your junkers and clunkers and find someone (I don't care who) to shred it. ~Kevin

Spying... A dirty job, but something has to do it...

Computer translated from Korean...
"Samsung Electronics, along with cleaning and video search feature in a robot vacuum cleaner with a home video 'taenggobyu (VC-RL87W)' introduced. Tango view when the cleaning is used for localization and imaging using a camera, and external cleaning can be monitored in the interior. Using a PC or a smartphone and a PC remote control from outside the voice over the microphone is also available. Equipped with lighting in a dark room is available in an emergency, you can always respond quickly." (more)

Apparently you can play Whack-A-Dust Bunny with this from work (or any Wi-Fi hot spot). Once you've cleaned up your OK-corral you can then creep up on your kids and see if they are really doing their homework. If not, use the 'voice over microphone' feature to Ra-parent the situation. FutureWatch... Someone will stash one under their boyfriend's couch for night patrol "is he cheating on me" reconnaissance. Why there? Because no guy ever cleans under their couch.

Thursday, March 17, 2011

The Case of the Managers Who Talked Too Much

IA - Some employees at a medical clinic in Iowa claimed a supervisor used a baby monitor to eavesdrop on them. According to a labor representative for the University of Iowa medical clinic employees, workers found the monitor sitting on a shelf near the reception area...

"If that monitor was there for even one day, that's the potential for 100 HIPAA violations if that thing was being monitored the whole time, and that's pretty egregious," said union rep Jon Stellmach.

Managers of the office say the monitor was used to see if staff members were talking too much. (D'oh!)

The supervisors say the monitor was removed after workers complained, and University of Iowa officials say the case is being handled by the human resources department. (more)

Disposable Endoscope - 1 Cubic MM - World's Tiniest Spycam?

Germany - Tiny video cameras mounted on the end of long thin fiber optic cables, commonly known as endoscopes, have proven invaluable to doctors and researchers wishing to peer inside the human body. Endoscopes can be rather pricey, however, and like anything else that gets put inside peoples' bodies, need to be sanitized after each use. A newly-developed type of endoscope is claimed to address those drawbacks by being so inexpensive to produce that it can be thrown away after each use. Not only that, but it also features what is likely the world's smallest complete video camera, which is just one cubic millimeter in size.
 
The prototype endoscope was designed at Germany's Fraunhofer Institute for Reliability and Microintegration, in collaboration with Awaiba GmbH and the Fraunhofer Institute for Applied Optics and Precision Engineering. ...They hope to bring the device to market next year. (more)

Wednesday, March 16, 2011

U.S. 'may' enact a Privacy Bill of Rights

FutureWatch - The Obama administration plans to ask Congress Wednesday to pass a "privacy bill of rights" to protect Americans from intrusive data gathering, amid growing concern about the tracking and targeting of Internet users. (more)