Monday, May 30, 2011

CONTEST Alert

Another Security Scrapbook Contest is coming. 
(Hey, it has been a while.)
Here, Tuesday, May 31 at 12:01 PM, New York City time.
The first correct answer wins.

(This pre-contest announcement is made to give everyone who is interested 24-hours notice to get to the starting line at the same time.)

Saturday, May 28, 2011

Hold on to Your Wallet - Here Comes Google

"Your phone will be your wallet." That's what Google's promising with Google Wallet and Google Offers, which'll combine payments and deals in one neat package. And it's a pretty compelling little vision of the future of paying for stuff. (What could possibly go wrong?)

Google Wallet isn't really one thing, so much as a bundle things tied together in one package. It's an Android app. It's a way for you to pay for things with your credit or debit cards, using your phone. It's a coupon collector and loyalty card system. It's another way for merchants to let you pay and offer up deals. It hooks into other Google services, like Shopper (which shows you nearby deals) and Google Offers. And Google is planning for it to eventually store everything you'd keep in a wallet.

The core payment technology uses wireless NFC and more specifically, MasterCard's PayPass system, so you'll be able to use it anywhere that's hooked up with PayPass, which is at a lot of retailers already. (more)

FutureWatch: Your phone becomes your electronic ID and Passport. 

Hey, why are we still calling this do-it-all device a phone, anyway? 


Probably the same reason we still say "dialing the phone" when the dial is long gone, and "the phone is ringing" when a Lady Gaga singtone is belting out the request to connect.

On the plus side, "Hello, Central!" finally exited the lexicon, and "It's your nickle" rates made a come back.

Man Hacks 100+ Webcams and Makes Blackmail Videos

Many computers sold these days come with web cameras built right in. You may never use it, but hackers can spy on you and record things going on inside your home and even use it to blackmail you.

The FBI recently arrested Luis Mijangos for hacking into more than 100 homes by turning on the webcams in their home computers. "In some cases, he was able to turn on the web cameras that were on people's computers and, just by dumb luck, happen to catch them walking naked across the room," said an unidentified spokesman for the FBI.
 
Then, in a "sextortion" plot, Mijangos emailed those people and threatened to release the video unless they made more sexual videos. He also posed as the victims' boyfriend, asking women to send sexually explicit photos and videos and he told the FBI he's part of a big hacking group. (more)


Tip: Cover the camera when not in use.

And on his farm he had a cow, E-I-E-I-O With a "moo-moo" here and a... You're under arrest!

Iowa is on the verge of becoming the first state to criminalize recording sights and sounds at farms without permission from owners.

The hot-button issue surfaced in the waning days of the legislative session and pits environment and animal rights groups against farmers and agribusiness.

On one side are activists who surreptitiously record how animals are raised or slaughtered. On the other, owners who don't want what they see as interference.

The activists maintain their actions are protected under the First Amendment. Farmers counter the acts represent an invasion of privacy intentionally designed to damage their industry. (more)

Friday, May 27, 2011

Yipes Skypes! VoIP Phone Encryption - Busted.

A team of researchers and linguists have found a fatal flaw in supposedly encrypted internet phone calls that allow them to eavesdrop on conversations.

University of North Carolina scientists took a novel approach to 'listening in' on voice-over-internet-protocol (VoIP) conversations by analysing the 'encrypted' data packets used to transmit people's conversations.

VOIP services such as Skype transmit speech over the internet by encoding and the encrypting the conversation into individual data packets.

According to The New Scientist, Linguists noticed the size of each packet mirrored the composition of the original speech itself - allowing them to reconstruct words and phrases from the original voice.

By splitting the packet sequences into phonemes - the smallest sounds that make up a language - linguists were able to reconstruct the data into discernible words. (more)

Just for fun... The world's best web store display!

I love great promotion. A Dutch department store has the most clever home page I have ever seen. If you don't laugh, I'll return double the money you spent for your Security Scrapbook subscription.

What does this have to do with spying?

Tip: Humor is a great diversion and ice breaker. In this case, your resistance to buying products is eroded and your loyalty to a particular store is being reinforced. Spies use the same techniques when social engineering their marks. Be sensitive to this red flag. ~Kevin

Turkey Acknowledges Eavesdropping Concerns... and evidence.

Turkey - There are dead-serious problems concerning the “privacy of personal life and communication” in Ankara at the moment. Video tapes are pouring in as records of private phone conversations, obtained through wiretapping, are making the rounds. Cyber attacks targeting politicians are continuing incessantly. There are as many records that have been obtained illegally as there are records that have been obtained legally and leaked.

Video or audio tapes have both become evidence in court cases and have been used for blackmail. Some of the Nationalist Movement Party, or MHP, candidates have had to resign or withdraw due to sex tapes featuring them.

Since these are cyber attacks, everyone is trying to gain protection either through personal or corporate measures. While jammer-like equipment to stop the transfer of phone and video conversations are being used by political parties, parliamentary deputies are choosing similar equipment sold on the market.

There are concerns about being bugged even in top offices in the capital. (more)

Memorial Day Weekend in the USA

Monday is Memorial Day here in the USA. 

"Memorial Day is a United States federal holiday observed on the last Monday of May (May 30 in 2011). Formerly known as Decoration Day, it commemorates men and women who died while in military service to the United States (including its spies). First enacted to honor Union and Confederate soldiers following the American Civil War, it was extended after World War I to honor Americans who have died in all wars." (Wikipedia)

Many countries have national holidays like Memorial Day, and each takes theirs very seriously and solemnly. It is one holiday we wish we didn't have to have. 

Confucius never said this, but we all know it is true... "War does not determine who is right; it determines who is left." Maybe this is why it is also a three-day weekend of not just sad reflection and appreciation (in fact, there is never enough of this), but also a time of gathering and camaraderie. ~Kevin
 

Wednesday, May 25, 2011

Hedge Fund Head Sends Spy into Employees' Personal Life

In late November 2008, Tobin Gover, a top financial mathematician known to his friends as Sam, got a call through to his desk at work in Limassol, Cyprus.

The woman on the line – a new neighbour ... purporting to be Laura Maria van Egmond, scion of Dutch nobility convalescing in Cyprus following a motoring accident – was in fact, Mr Gover claims in a UK court case, “a security consultant involved in covert close protection and undercover investigations ... trained in Israel” and “trained in unarmed combat”...

Ms Van Egmond – who within months went from being a regular yoga-buddy of his wife to a close family friend who spent Christmas with them and would be left alone to look after their infant son – was, in fact, Laura Merts, a Dutch spy, hired by Elena Ambrosiadou, head of Ikos and one of the world’s wealthiest women.

The UK High Court has given judgment in Mr Gover’s favour.

Ms Ambrosiadou filed no defence and has agreed to pay damages.

The accusations levelled against her are now set to reverberate around the hedge fund world. (more)

ElcomSoft Breaks iPhone Encryption, Offers Forensic Access to File System Dumps

via ElcomSoft...
"Let’s make it very clear: no privacy purist should ever use an iPhone (or any other smartphone, probably). iPhone devices store or cache humungous amounts of information about how, when, and where the device has been used. 

The amount of sensitive information collected and stored in Apple smartphones is beyond what had previously been imaginable. Pictures, emails and text messages included deleted ones, calls placed and received are just a few things to mention. 

A comprehensive history of user’s locations complete with geographic coordinates and timestamps. Google maps and routes ever accessed. 

Web browsing history and browser cache, screen shots of applications being used, usernames, Web site passwords and the password to iPhone backups made with iTunes software, and just about everything typed on the iPhone is being cached by the device." (more)

Tuesday, May 24, 2011

The Most Secure Mobile Phone OS's - Ranked from Best to Worst

By Drew Turney, ZDNet.com.au
Smartphone security is fraught with peril. So few casual users realise they're carrying a complete personal computer in their pocket — one that's designed to connect to networks and transfer more data than their PC ever does.

Some commentators say that mobile vendors themselves aren't taking security seriously. Electronic Frontier Foundation technology director Chris Palmer, who was also a former Android security framework engineer, said in a January 2011 blog post that mobile systems "lag far behind the established industry standard" for security.

But some might lag farther behind than others. Today, five mobile operating systems dominate the market. We've done the heavy lifting for you by looking at the advantages and disadvantages of each OS, and then ranking the systems from best to worst. (more)

http://tinyurl.com/The-Best-iOS

World's Smallest GSM Cell Phone Eavesdropping Bug

A cousin to the ZombiePhone is the GSM micro-bug. These are miniaturized cell phones made specifically for covert eavesdropping! Like ZombiePhone bugs but without normal cell phone features, these are tiny, creepy, robotic, cell phone bugs often hidden in such everyday objects as power strips and lighting fixtures.
 
Their tiny size is possible because they do not have keypads, ringers, displays, or smart-phone features. When called from any other phone, they become eavesdropping bugs automatically.
 
Shown with wall charger and USB cable.
Groupe Spécial Mobile (GSM) is the name of the world’s most popular cellular telephone standard. GSM micro-bugs work on this standard, which means they can work in almost anywhere on Earth where there is cellular telephone service. Like normal cell phones whose features are set to Auto-Answer and No Ring, GSM bugs are equally hard to detect because they sleep most of the time. The thing that awakens them is the call from the eavesdropper. 

Some models also awaken when they hear sound being made near them. Some awaken when they sense vibration or light. Should you awaken one, it will silently call the eavesdropper.

If you feel you are being eavesdropped on and you are sure your cell phone is free of spyware, a GSM bug may be the culprit.
 
Bug microphones are much more sensitive than most people realize. The microphones in GSM micro-bugs are very sensitive and can capture sound from large areas like bedrooms, offices, and vehicles. Ideally, bugs are placed as close to the sound source as possible, but the rule of thumb when searching is: If your ear can hear it, so can the bug.

Ever wonder where all these bugs come from? This link is the first step to solving the mystery.

Monday, May 23, 2011

"Is My Cell Phone Bugged?" interview on KZSB – AM 1290

If you are in the Santa Barbara, CA area Tuesday, tune in to  KZSB – AM 1290. You will hear Mike Williams interview me about eavesdropping spyware on smartphones and other mobile communications privacy issues. This new book, Is My Cell Phone Bugged? Everything you need to know to keep your mobile communications private is the topic of the interview.

The program starts at 10:00 AM (PST) and will be rebroadcast Tuesday evening at 9:00 PM and again on Saturday at 1:00 PM. The feed is also available at newspress.com. Once the show has been recorded I will post the link. ~Kevin

Extortionography - Turkish Tacky Video Changes the Course of a Nation

Turkey - Just weeks before general elections in Turkey, six leading members of an opposition party were forced to resign from Parliament on Saturday after sexually explicit videos of one of them were posted on the Internet.

The Web site that posted the videos had threatened to release others that it said showed the five other members who resigned.

The resignations could severely weaken the Nationalist Movement Party, the second largest opposition group in Parliament, which is struggling to win the minimum of 10 percent of the vote required to be seated in Parliament.

Four members of Parliament from the same party resigned earlier this month after similar videos were posted on the same Web site.

The Web site, farkliulkuculer.com, has cast itself as part of a breakaway ultranationalist group aiming to cleanse and reform the nationalist movement in Turkey. The site’s administrators are anonymous. (more)

Sunday, May 22, 2011

Snidley Whiplash Visits the Home Security Store... by "Bob"

I know some pretty interesting people. Very talented. Very sharp. Very imaginative. I received the following from one of them this week. We'll call him "Bob". Bob's thought process is part Carnegie Mellon University's Computer Emergency Response Team (CERT) and part Snidely Whiplash. Enjoy... (emphasis below is mine)

"For about a year now I’ve been building this new office/shop/garage at my place. Being the engineer I am at heart I prewired it for video surveillance and alarm.

I found an online reseller with good prices and I purchased all the alarm components from them. www.homesecuritystore.com I installed each switch or sensor as a separate zone so later I can use this system as a whole house monitoring platform.

I decided it is time to add the video. They had good prices and I bought close to $2000 worth of quality cameras and a 16 Channel DVR.

Last weekend I started to bench test it and get familiar before I commit the installation. I noticed the box was repackaged.

Then I noticed it is still full of video. It was installed at a restaurant and then returned. Not sure if the restaurant did it themselves or they had a security professional help. In any case they gave me their weeks’ worth of video. Moreover Homesecuritystore.com didn’t verify the contents and in turn sold it to me.

I was hoping to find some incriminating footage or something to brag about. Fortunately for them it was pretty benign stuff.

Then I started to think of the possibilities of what could have happened and decided to write to them regarding their security practices.

See attached. I was surprised they just sent me a misspelled apology and are sending me a new unit. Totally dismissing my attempt to point out to them the underlying problem here.

I’m going to do a threat assessment of the linux kernel in this unit when I get a chance. These cheap DVR boxes with Dynamic DNS and internet reachability are a whole new potential platform for a hacker. A modern day Trojan horse even.

Take the following scenario for a moment:
1. I buy one of these units (or 100 each from a different internet vendor)

2. Change the linux kernel to add a few tools and backdoor username/passwords and maybe even a phone home daemon. Phone home would need to be a secure tunnel and internet proxy aware. So spoof the proxy on port 80 with ssl traffic embedded. Also use tools like Wireshark/tshark, or one of my all-time favorites


3. Return it to the vendor for a full refund.

4. In turn they sell the units to John Q Public or better yet a customer with other units already on premise just waiting to be exploited.

5. It gets installed and finds a routed path to the internet and updates its DNS record location dynamically.

6. Meanwhile back at the black hats cave: We see the DNS entries for these devices show up and / or our phone home packets arrived at home. The latter is riskier because it gives a deterministic home location, for that we run our APP in the cloud to obfuscate our location.

7. Login and start monitoring, gather content and exploit the target. Granted step 7 here is dependent on something good happening. I would beg to guess every video surveillance installation at one point in time or another captures illicit/illegal activity or some sort of blackmail material content.

8. The black hat could now also secure shell into the DVR over the phone home tunnel and use it as a spring board to then perform vulnerability scans internal to the video network thus finding other DVRs, IP cameras, and other trusted behind the firewall type devices. Once accessed install similar tool sets, rinse and repeat for all reachable devices.

9. Lastly a coordinated attack. You locate physical assets to steal. At a coordinated time perform a denial of service internal to their network and take out the security infrastructure. Use tools like NetCat or simple packet capture replays with tshark to confuse the lan devices and potentially crash them if not just deafen their abilities to report. ARP storms are great for this. Actually once an inventory of devise is determined fingerprint scan each and look for known vulnerabilities for those devie’s kernels. Move in and out all the while the systems are incapacitated. Ideally you want to have the devices perform self remediation on their own, avoid forcing a hang condition and do not require reboots for remediation to hide the existence that anything happened adding to the confusion of what happened and how.

Not far fetched to believe. And all from a simple buy and return to the store type activity.

"Bob, you got me thinking. All these items are made in China, right? Isn't it possible likely that secret code has already been planted in them for future use?"


On another subject:
Do you recall a police movie (maybe Beverly hill cop) where the cop submits into evidence a large permanent magnet and it takes out the surv. video evidence. Well take that same concept to data tape backups.

I recently toured an Iron Mountain Magnet tape vault and observed them picking and putting tapes in and out for customers. Much to my dismay not all customers co-locate their tapes next to their own. Many of the tapes are slotted into the next available slot intermingling them with other customer’s tapes.

They don’t even screen the boxes coming in and out for high levels of magnetic flux. So a passive magnet weighing similar to the tape that gets checked in and out over a long period of time could potentially be creating small magnet grenades to the data nearby. To be a bit more sexy make that an active magnetic device with a motion trigger. Wait for no movement with a 3d accelerometer also sense that it is not lying flat in the original box but upright as if it is in the library. I mocked up this accelerometer algorithm in a two chip device using a basic stamp.

Allow it to ‘Wake up’ and generate as large of an oscillating magnetic flux as possible and expend the batteries. If movement is sensed have it go dormant again. Cycle these rogue tapes in and out rapidly over time. To target an attack request your own tape vault location and try to steer it near your competitors location or just carpet bomb the library with multiple devices over time. Not as affective but very destructive in nature. Evil isn’t it.

Not that I would never ever do such a thing or advocate or assist anyone in this behavior. But, I can think of it and other ways to thwart simple best practices.

Just like when I was in college and I came up with the idea to use an IR laser to take out a security camera by shifting its AGC and blacking out the picture. Later in life I saw this applied in a movie. I was like HEY I thought of that a long time ago. The cameras I bought for my place have the Sony chip in them that knows how to black out bright objects selectively within the ccd field of view. Thus obsoleting this vulnerability a bit.

Well thank for your time. My mind wandered with possibilities when I realized I have that other customers video content handed to me.

Have a great day."

As you can see, "Bob" is smarter and more clever than I am. That's why I love hanging out with the "Bob's" of the world. Now I know what "Bob" knows... and now, so do you. ~Kevin

Are you thinking, "Gee, I wish I knew who this "Bob" guy was. I have a security consulting project for him. Does he do freelance work?" 

I don't know. You'll have to ask him. His name is Bob Blair and he is an engineer in Massachusetts.