...a gray hat app developer has released into the wild five tools purportedly for "study purposes" that can clean out all the data on an Android smartphone in less than a minute.
Based on information from virus researchers at BitDefender, here's how the tools work.
When any of the apps is loaded on a victim's phone, they can be activated remotely by a cyber thief. Once activated, it sends a five digit pass code to the phone's intruder and secretly uploads the device's contacts, messages, recent calls, and browser history into the developer's space in the Android Cloud. After copying the data from the phone, the apps uninstall themselves so a target won't know they were even on their mobile...
This latest attack on Android phones is just one of many this year. In fact, the phones are seen as a ripe target for mobile miscreants. According to a report released by a cybersecurity software maker in August, attacks on Android by malware writers jumped 76 percent over the previous three months, making it the most assaulted mobile operating system on the planet.
Some of that malware has been devilishly clever. For example, a bad app called Soundminer listens to conversations on an Android phone and is able to recognize when a credit card is spoken. After identifying such a number, it snips it from the conversation it has been recording and sends it to a Web baddie. (more) (further advice)
Thursday, September 29, 2011
Trumped by KickButtTakeNames.com...
A web proxy service has come under fire after a federal indictment revealed that the company cooperated with U.S. authorities in their investigation into the hacking of SonyPictures.com.
HideMyAss.com, a VPN service that encrypts one's traffic to enable users to surf the web anonymously, was ordered by a U.K. judge, at the request of FBI agents, to release log information about an Arizona man (Cody Kretsinger) who was arrested Thursday for his role in the Sony intrusion...
But now, as Kretsinger awaits prosecution, HideMyAss.com faces criticism from privacy advocates and users who believe the service went back on its promise. (more)
Circuit Court Judge David Frankland - Privacy Hero
Because Allison had recorded conversations about his legal situation with police and other local officials, he soon faced four more eavesdropping charges, raising his possible sentence to 75 years. The case against Allison vividly shows how the Illinois Eavesdropping Act, the target of a constitutional challenge that was recently heard by a federal appeals court, undermines transparency, civil liberties and legal equality. (more)
2011 - Michael Allison, an Illinois man who faced a potential sentence of 75 years in prison for recording police officers and attempting to tape his own trial, caught a break last week when a state judge declared the charges unconstitutional. "A statute intended to prevent unwarranted intrusions into a citizen’s privacy cannot be used as a shield for public officials who cannot assert a comparable right of privacy in their public duties," wrote Circuit Court Judge David Frankland. "Such action impedes the free flow of information concerning public officials and violates the First Amendment right to gather such information." (more)
How Long are Your Cell Phone Records Kept?
Find out here. The nation’s major mobile-phone providers are keeping a treasure trove of sensitive data on their customers, according to a newly-released Justice Department internal memo that for the first time reveals the data retention policies of America’s largest telecoms.
The biggest difference in retention surrounds so-called cell-site data. That is information detailing a phone’s movement history via its connections to mobile phone towers while it's traveling.
Verizon keeps that data on a one-year rolling basis; T-Mobile for “a year or more;” Sprint up to two years, and AT&T indefinitely, from July 2008.
(more)
Wednesday, September 28, 2011
Reading Recommendations from Privacy Journal
Query: I am a subscriber to your journal. Very informative. Could you please suggest a couple good references (journal articles, books, etc.) that discuss privacy and information retrieval?
From Privacy Journal's staff...
Publisher Robert Ellis Smith makes these recommendations:
“Principles for Government Data Mining” by The Constitution Project
Need an expert witness on privacy? Smith is your man. Privacy Journal has a world-wide subscriber audience and is based in Providence RI. Their address is P.O. Box 28577, Providence RI 02908, Phone: 401/-274-7861
Free Likejacking Prevention — Plug-In for Firefox, Google Chrome and Safari
ThreatLabZ, the research arm of Zscaler, released a free tool to combat the biggest threat on Facebook -- Likejacking.
Called Zscaler Likejacking Prevention, it was developed for the sole purpose of helping consumers stop being further victimized.
This popular attack leverages clickjacking to trick users into "Liking" a fake video, survey or web link, propagating the scam further as it spreads virally from one person to their network, and on to their networks’ networks, and so on. (download) (more)
Citizen Shame
S. Korea - With his debts mounting and his wages barely enough to cover the interest, Im Hyun-seok decided he needed a new job. The mild-mannered former English tutor joined South Korea’s growing ranks of camera-toting bounty hunters. Known here sarcastically as paparazzi, people like Mr. Im stalk their prey and capture them on film. But it is not celebrities, politicians or even hardened criminals they pursue. Rather, they roam cities secretly videotaping fellow citizens breaking the law, deliver the evidence to government officials and collect the rewards.
“Some people hate us,” said Mr. Im. “But we’re only doing what the law encourages.” (more)
P.S. “I’m making three times what I made as an English tutor,” said Mr. Im, 39, who began his new line of work around seven years ago and says he makes about $85,000 a year.
Business Espionage Alert: Embedded Web Servers
Many types of Web-connected photocopiers, scanners, and VoIP servers have no default passwords or other security enabled to stop remote eavesdropping.
Numerous models of printers, photocopiers, and voice over IP (VoIP) systems are Internet-connected. But their embedded Web servers often use well-known default passwords or firmware that has known vulnerabilities, either of which could be used by remote eavesdroppers to intercept internal communications...
Web-accessible photocopiers and the like are essentially repositories of any recent documents or communications of interest, and thus could serve as a competitive intelligence treasure trove.
Some devices even offer would-be attackers time-saving shortcuts. Certain models of Sharp photocopiers, for example, can be set to upload all scanned or copied documents to an external site via FTP, or email them to an outside email address. Meanwhile, some HP all-in-one printers have a feature called Webscan, which allows anyone with a browser to scan and download whatever is on the scanner bed. (more)
Tuesday, September 27, 2011
New York’s senior senator Charles Schumer wants the feds to investigate OnStar’s controversial new privacy policy, and demanded the Detroit navigation-and-emergency company refrain from monitoring vehicles after customers cancel service.
“By tracking drivers even after they’ve cancelled their service, OnStar is attempting one of the most brazen invasions of privacy in recent memory,” Schumer, a Democrat, said in a statement Monday. “I urge OnStar to abandon this policy and for the Federal Trade Commission to immediately launch a full investigation to determine whether the company’s actions constitute an unfair trade practice.”
OnStar last week began e-mailing customers about its update to the privacy policy, which grants OnStar the right to sell GPS-derived and other data in an anonymized format. That data might include a vehicle’s location, speed, odometer reading and seatbelt usage. Schumer also asked the company, a General Motors subsidiary, not to sell that data. (more)
Search in Secret
Startpage.com now offers Google search results in complete privacy!
"When you perform a web search through Startpage, we remove all identifying information from your query and submit it to Google anonymously through our own servers. We obtain Google's search results and serve them to you in total privacy. Then we delete all records of your visit.
Your IP address is not recorded, your visit is not logged, and no tracking cookies are placed on your browser. In fact, Startpage does not record any information about its users. Nothing. Nada. Zilch. And Google never sees you at all."
In China, business travelers take extreme precautions to avoid cyber-espionage
Packing for business in China? Bring your passport and business cards, but maybe (definitely) not that laptop loaded with contacts and corporate memos.
China’s massive market beckons to American businesses — the nation is the United States’ second-largest trading partner — but many are increasingly concerned about working amid electronic surveillance that is sophisticated and pervasive.
Security experts also warn about Russia, Israel and even France, which in the 1990s reportedly bugged first-class airplane cabins to capture business travelers’ conversations...
But China’s brazen use of cyber-espionage stands out because the focus is often corporate, part of a broader government strategy to help develop the country’s economy, according to experts who advise American businesses and government agencies.
“I’ve been told that if you use an iPhone or BlackBerry, everything on it — contacts, calendar, e-mails — can be downloaded in a second. All it takes is someone sitting near you on a subway waiting for you to turn it on, and they’ve got it,” said Kenneth Lieberthal, a former senior White House official for Asia who is at the Brookings Institution. (more)
Want to increase the level of information security in your offices in China? We've been there. We can help.
Tuesday, September 20, 2011
World's First Concept Wireless Phone?
1922 - The umbrella is being used as the antenna. The fire hydrant is the ground. Good concept so far, but where is the battery?
From British Pathé - "The world's finest news and entertainment video film archive." You can view and buy films and still photographs from the entire archive of 90,000 videos covering newsreel, sports footage, social history documentaries, entertainment and music stories from 1896 to 1976. (more)
Security Letter Book Review - "Is My Cell Phone Bugged?"
RECOMMENDED BOOK: IS MY CELL PHONE BUGGED? Savvy readers have known for decades that cell phones are two-way radios. That means that someone else who homes in on the transmission can listen to everything that’s being said. But the matter is a quantum more serious when the cell phone itself has been rigged so that a third party can listen anytime, anywhere without discovery. Kevin D. Murray has been a well regarded consultant for over three decades in electronic eavesdropping detection and countermeasures. He has a knack of explaining problems and controls of them in simple language, as this book reflects. While the focus is on cell phone vulnerabilities, other electronic communications risks are discussed as well.
“We’ve got a problem with communications.” Many security practitioners face on-going frustrations in limiting confidential information from being discussed over cell phones. This book reveals the fragility of cell phone communications. It also offers other tips to protect cell phone communications.
Murray is like an anti-eavesdropping missionary. His book is a real value. It also comes with a free SpyWarn Mobile™ to help conduct your own cell phone diagnosis. Pub. by: Emerald Book Co., www.ismycellphonebugged.com 158 pp. includes the SpyWarn Mobile token; $17.95.
Thank you!
Friday, September 16, 2011
Annual Espionage Research Institute Meeting in DC
The world's top technical surveillance countermeasures specialists are meeting today through Sunday. If you're planning on planting a bug, now would be a good time. The cats are away.
Here is what they will be learning today...
• Blocking Competitive and State Sponsored Threats
• The Future of TSCM
• GSM Cell Phone Bug Detection using AirPatrol
• GSM and Hybrid Devices
• TSCM Product Demos
• Kestrel TSCM Software
• TSCM Inside Out
Oh, and that bug you planted. These cats will be back.
Thursday, September 15, 2011
Where Can You Buy A Bug in Washington, DC?
...at the International Spy Museum, of course...
Audio Bug
Price: $25.00
Code: 17039
Product Facts: The walls have ears…and now, thanks to Audio Bug, so can tables, windows, bookshelves, and lockers! Use the attached suction cup to stick this clever bug where it won’t be seen. With the voice-activation feature, it will start recording when your adversaries start talking or if they make noise when snooping in your headquarters. A hidden speaker records the audio — play it back at the touch of a button. Save your files and upload the evidence to your computer with the secret USB connector. Then start bugging again!
Technical Data: Ages 8 and up. Plastic and metal. Black/silver/orange. 3-1/2” x 1” x 1”. Requires 1 AAA battery, not included. (more)
Next question...