Tuesday, March 29, 2011

High School Hacking Nets Great Grades... for a while

CA - Omar Khan worked the school like it was a movie, installing spyware, stealing passwords and breaking into administrator offices.

A former Tesoro High School senior was convicted Monday of breaking into his high school on multiple occasions to steal advanced placement (AP) tests from classrooms, alter test scores and change official college transcript grades.

Omar Shahid Khan, 21, of Coto de Caza, pleaded guilty to two felony counts of commercial burglary and one felony count each of altering public records, stealing or removing public records, and attempting to steal or remove public records. He is expected to be sentenced Aug. 26 to 30 days in jail, three years of probation, 500 hours of community service and more than $14,900 in restitution. 

A subsequent search by the Orange County Sheriff’s Department revealed that Khan had installed spyware devices on the computers of several teachers and school administrators throughout his senior year, according to the D.A. The devices were used to obtain passwords to access teacher computers in classrooms and school administrative offices. (more)

Oh, one more thing...

One security feature I would like to see on my future cell phone is the option of not using a password.

Think of this... all business-level cell phones have camera capability; all have (or could easily be designed to have) touch screen capability; and of course a microphone. The next logical step is adding facial, fingerprint or voice recognition to replace the access PIN code. 

In addition to the security benefit, it would sure make using the phone while driving safer. (Just kidding. I would never do that. Well... not often, anyway.) ~Kevin

Your Next Cell Phone May Seem Like a James Bond Gadget

10 Things Your Phone Will Soon Do 
via onlinedegree.net...
(more

Aston Martin teams with Mobiado for transparent touchscreen concept phone
British car maker Aston Martin is looking to leverage its luxury brand into the world of consumer electronics by teaming up with Canadian mobile phone manufacturer Mobiado to produce a line of high-end handsets to be launched in May of this year. Until then, the company has provided a tantalizing peek at possible future designs with the CPT002 Aston Martin Concept Phone that takes the 'slab of glass' design of many current smartphones to the next level. With a solid sapphire crystal capacitive touchscreen, the CPT002 is completely transparent. (more)

How to Put Out an Electrical Fire, or... Fight Fire With Fire?

It's certainly an established fact that electricity can cause fires, but today a group of Harvard scientists presented their research on the use of electricity for fighting fires. In a presentation at the 241st National Meeting & Exposition of the American Chemical Society, Dr. Ludovico Cademartiri told of how they used a unique device to shoot beams of electricity at an open flame over one foot tall. Almost immediately, he said, the flame was extinguished... Apparently, it has been known for over 200 years that electricity affects fire – it can cause flames to change in character, or even stop burning altogether. 

It turns out that soot particles within flames can easily become charged, and therefore can cause flames to lose stability when the local electrical fields are altered.

The Harvard device consists of a 600-watt amplifier hooked up to a wand-like probe, which is what delivers the electrical beams. The researchers believe that a much lower-powered amplifier should deliver similar results, which could allow the system to be worn as a backpack, by firefighters. It could also be mounted on ceilings, like current sprinkler systems, or be remotely-controlled. (more)
Bill, don't cross the beams. ~Kevin

Monday, March 28, 2011

"Have you ever been the victim of..." poll results.

Click to enlarge.
Kevin's Security Scrapbook has been running this poll for several months now. It is a follow-up to a similar poll we ran a few years ago. Time to look at the results.

Not much has changed. No one surveillance tactic is more popular than another. People will use any tool or tactic that does the job.
This parallels our corporate counterespionage field experience.

Thanks to all who shared their experience with us. ~Kevin


Export, eh... or, The PC is Smokin'

Dumpster diving isn't something Saskatchewan's privacy commissioner makes a habit of, but this time Gary Dickson says he was left with little choice.

Dickson and two assistants had to wade through a massive recycling dumpster this week to recover medical files. They sorted through paper more than 1 1/2 metres deep after getting a tip directing them to the container behind the Golden Mile Shopping Centre in Regina... "So we seized all of this stuff immediately and the only way we could do that was getting into the recycling bin."

It took a couple of hours to go through the dumpster. Dickson estimates they found more than 1,000 files that should have been shredded.

Whoever tossed the files had to know what they were, he said.

The commissioner said doctors, regional health authorities and other health professionals have long been told to follow Saskatchewan's Health Information Protection Act. The act says trustees have to safeguard personal health information in their custody.

There are fines of $50,000 for individuals and $500,000 for organizations for breaching the act. (more)

A shredder is beginning to look like a bargain, Doc.

Sunday, March 27, 2011

The Case of the Bugging Barrister

South Africa - A PIETERMARITZBURG advocate (attorney) who is already under investigation in connection with the alleged theft of a hard drive from the CCTV surveillance system at the Pietermaritzburg advocates’ chambers last year, is now being investigated by police in connection with a bugging device alleged to have been planted in chambers.

The Witness (newspaper) has reliably learnt that a listening device was discovered in a ceiling in the office of the bar administrator at the advocates’ chambers on Monday this week, after police obtained a warrant to search the premises.

It is believed police also seized the computer hard drive of the computer belonging to the advocate in question.

It was alleged that she instructed an employee of a local surveillance systems company to remove the hard drive and replace it with a new one on a pretext that he had been authorised to do so by another advocate. The motive for the alleged theft is not known. (Three guesses, the first two don't count.) (more)

It’s Tracking Your Every Move

As a German Green party politician, Malte Spitz, recently learned, we are already continually being tracked whether we volunteer to be or not. Cellphone companies do not typically divulge how much information they collect, so Mr. Spitz went to court to find out exactly what his cellphone company, Deutsche Telekom, knew about his whereabouts.

The results were astounding. In a six-month period — from Aug 31, 2009, to Feb. 28, 2010, Deutsche Telekom had recorded and saved his longitude and latitude coordinates more than 35,000 times. It traced him from a train on the way to Erlangen at the start through to that last night, when he was home in Berlin.

Mr. Spitz has provided a rare glimpse — an unprecedented one, privacy experts say — of what is being collected as we walk around with our phones. Unlike many online services and Web sites that must send “cookies” to a user’s computer to try to link its traffic to a specific person, cellphone companies simply have to sit back and hit “record.” (more)

Saturday, March 26, 2011

Let's hope it's also blue under the hotel carpeting...

via the BBC...
A rare photo, released by the White House, shows Barack Obama fielding calls from a tent in Brazil, to keep up with events in Libya. The tent is a mobile secure area known as a Sensitive Compartmented Information Facility, designed to allow officials to have top secret discussions on the move.

They are one of the safest places in the world to have a conversation.

Designed to withstand eavesdropping, phone tapping and computer hacking, Sensitive Compartmented Information Facilities - also known as SCIFs - are protected areas where classified conversations can be held...

A photo released by the White House showed the president and advisers gathered around a video phone, inside what looked like a standard blue tent, erected on the hotel's floral carpets. (more)

SMS-CB - A Cell Phone Feature that Could Save Your Life

The Brilliant Cell Phone Security Feature That We Still Don't Have.
via TechnologyReview.Com...
"Cell broadcast" technology is a largely dormant part of many cell-phone network standards.

Japanese who carry phones serviced by NTT Docomo, Japan's dominant cell phone carrier, can opt to have alerts about earthquakes pushed directly to their phones. The technology that makes this possible, the Area Mail Disaster Information Service, is designed to deliver detailed alerts as quickly as possible.

This service is uniquely enabled by a little-known technology known as Cell Broadcast, or SMS-CB. It's totally unlike traditional, point-to-point SMS, in that it can be broadcast directly from cell towers to every phone in range and does not use more bandwidth when sent to more users. In this way it's just like a over-the-air television or radio, where bandwidth requirements do not increase as more users receive a signal.

This is extremely important in the event of a disaster: According to Israeli SMS-CB company eViglio, cell broadcast has the potential to reach millions of users in seconds in an inherently geo-targeted fashion, whereas trying to reach the same number of users via traditional SMS would swamp the network, slowing the delivery of messages to a crawl.

Tsunami Alerts Not Yet Implemented

It appears that Japan's Area Mail Disaster Information Service has not yet been equipped to warn of tsunamis. The abstract of an eerily prescient paper from 2009, "A Proposal of Tsunami Warning System Using Area Mail Disaster Information Service on Mobile Phones" opens with the line:

The earthquake with the seismic center around the coast of Miyagi prefecture and the oceanic trench of southern Sanriku is expected to occur with high probability. [...] Consequently, a system is required that prefectures, cities, towns and villages collect swiftly and accurately the tsunami monitoring information that is necessary for evacuation behavior, relief and recovery activities, and deliver and share to the local residents.

Sendai, the city most profoundly devastated by last week's tsunami, is in Miyagi prefecture -- the same one mentioned in the abstract... (more)

So why don't we have it in the United States yet?
Tom Fahey of a company called CellCast Technologies... tells us that the United States is moving toward this capability with the system scheduled to go live in April of next year. This is after President Bush approved the plan in 2006. Fahey says that it has taken that long for wireless carriers to agree upon and implement a set of standards to make this happen. (more) (FCC Fact Sheet)

All right, who muttered "negligence".

SpyCam Story #605 - Attention K-Mart Shopper!

Police in Georgia said they arrested a man who allegedly followed a woman around a Kmart store while filming her backside.

Cobb County police said Alejandro Paniagua Pretega, 28, followed the woman around the Mableton Kmart for several minutes just after 1:30 p.m. EDT Tuesday while filming her rear...  A witness said Pretega attempted the film up the woman's skirt without her knowledge.

Pretega was arrested on a felony eavesdropping count and ordered held in the Cobb County jail without bond due to an immigration hold. (more)

Saturday, March 19, 2011

Hacker Wins on Technicality

The Netherlands - Breaking in to an encrypted router and using the WiFi connection is not an criminal offence, a Dutch court ruled. WiFi hackers can not be prosecuted for breaching router security.

A court in The Hague ruled earlier this month that it is legal to break WiFi security to use the internet connection. The court also decided that piggybacking on open WiFi networks in bars and hotels can not be prosecuted. In many countries both actions are illegal and often can be fined.

The ruling is linked to a case of a student who threatened to shoot down everyone at the Maerlant College in The Hague, a high school. He posted a threat on the internet message board 4chan.org using a WiFi connection that he broke into. The student was convicted for posting the message and sentenced to 20 hours of community service, but he was acquitted of the WiFi hacking charges.

The Judge reasoned that the student didn't gain access to the computer connected to the router, but only used the routers internet connection. Under Dutch law breaking in to a computer is forbidden. (more)

Spooks' secret TEMPEST-busting tech reinvented by US student

A mysterious secret technology, apparently in use by the British intelligence services in an undisclosed role, has been reinvented by a graduate student in America. Full details of the working principles are now available.

...If you had the through-metal technology now reinvented by Lawry, however, your intruder – inside mole or cleaner or pizza delivery, whatever – could stick an unobtrusive device to a suitable bit of structure inside the Faraday cage of shielding where it would be unlikely to be found. A surveillance team outside the cage could stick the other half of the kit to the same piece of metal (perhaps a structural I-beam, for instance, or the hull of a ship) and they would then have an electronic ear inside the opposition's unbreachable Faraday citadel, one which would need no battery changes and could potentially stay in operation for years.

Spooks might use such techniques even where there was no Faraday cage, simply to avoid the need for battery changes and detectable/jammable radio transmissions in ordinary audio or video bugs.

Naturally, if you knew how such equipment worked you might be able to detect or block it – hence the understandable plea from the British spooks to BAE to keep the details under wraps.

Unfortunately for the spooks, Lawry has now blown the gaff: his equipment works using ultrasound. His piezo-electric transducers send data at no less than 12 megabytes a second, plus 50 watts of power, through 2.5 inches of steel – and Lawry is confident that this could easily be improved upon. It seems certain that performance could be traded for range, to deal with the circumstances faced by surveillance operatives rather than submarine designers. (more) (video 1) (video 2)

Alert - APT Strikes EMC

The RSA Security division of the EMC Corporation said Thursday that it had suffered a sophisticated data breach, potentially compromising computer security products widely used by corporations and governments...

RSA, which is based in Bedford, Mass., posted an urgent message on its Web site on Thursday referring to an open letter from its chairman, Art Coviello. The letter acknowledged that the company had suffered from an intrusion Mr. Coviello described as an “advanced persistent threat.” (more)

The breach is serious, but more interesting is use of the term “advanced persistent threat.” Sounds like a genetically altered mosquito. Good analogy.

infoworld.com gives us their definition... 
"Intruders engaging in APT-style attacks represent well-organized, well-funded groups -- often located in a "safe harbor" country -- and they're out to steal a company's intellectual property. They aren't out for quick financial gain like cyber criminals; they're in it for the long haul. Their dream assignment is to essentially duplicate their victim's best ideas and products in their own homeland, or to sell the information they've purloined to the highest bidder."

In other words, foreign governments.

Computer hacking is only one technique in their bag of spy tricks. If you spot this type of hacker probing your defenses, better give us a call.

Friday, March 18, 2011

Security Director Alert - E-data Disposal

Stories like this one pop up with unusual regularity, but this one hits close to home...
There was a story today in the New York Times about New Jersey State Comptroller Matthew Boxer's discovery during an audit of surplus state computers slated for auction that 79% of them still had readily accessible information on their hard drives.

Information was found on 46 of the 58 computers scheduled to be sold, and on 32 of those 46, the information found was highly personal in nature that should have never been made public.

For instance, one computer - a laptop - had been used by a judge, and "contained confidential memos the judge had written about possible misconduct by two lawyers, and the emotional problems of a third," the Times article stated. Personal financial information about the judge, including tax returns, were also found on the laptop. (more) (video about photocopier drives)

Questions to ask...
What happens to my company's old hard drives? (sold, auctioned, recycled, returner to lessor, donated)
Do I even know where all of them are? (desktops, laptops, photocopy print centers, tablets)
What about other old media? (old floppies, CDs, DVDs, smart cell phones, x-rays, videotapes, product samples, prototypes, old promotional materials)

Tip: This is not the IT department's job. It's a security issue. It's security's job. "Erasing" "degaussing" and even "smashing" is not good enough to protect the most sensitive information. Keep your hard drives. Give the leasing company the money for a new one. Then crosscut shred your e-media. (Hey, you do it for your sensitive waste paper.)

I was talking to Kevin Kane and Jason Moorhouse, two sharp guys from the Shredit company, yesterday and learned that they operate globally and have shredders that can even handle old refrigerators! 

In case you need an additional reason to shred e-media, I also learned that non-compliance with HIPPA regulations, for example, can bring heavy fines and even jail time. So, gather your junkers and clunkers and find someone (I don't care who) to shred it. ~Kevin