QR Codes - Taking Candy from Strangers

QR codes, part of popular marketing strategies created to engage mobile device users, have become a vector for malware that hackers could use to remotely access all of the data in a person’s phone and record their every move through pictures and audio, according to cybersecurity researchers. And there’s no way to know once a device is infected.

In an interview on Tuesday with Security Management, Nicholas Percoco, senior vice president and head of Trustwave SpiderLabs, a group of ethical hackers at a data security firm with expertise in investigations, research, and application security, said that most attacks that happen on mobile platforms occur when a user goes to malicious URL or they’re redirected to a Web site containing malicious code. Hackers are using QR codes as a tool to direct mobile phone users to those Web sites and infect mobile devices with malware. (more)

Foreign Spies Stealing US Economic Secrets Report Released (FREE)

The Office of the National Counterintelligence Executive (ONCIX) Report: "Foreign Spies Stealing US Economic Secrets in Cyberspace - Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011" has been released.
Foreign economic collection and industrial espionage against the United States represent significant and growing threats to the nation's prosperity and security. Cyberspace—where most business activity and development of new ideas now takes place—amplifies these threats by making it possible for malicious actors, whether they are corrupted insiders or foreign intelligence services (FIS), to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect.

Pervasive Threat from Adversaries and Partners:
Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.

• Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.

• Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.

• Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.

Outlook:
Because the United States is a leader in the development of new technologies and a central player in global financial and trade networks, foreign attempts to collect US technological and economic information will continue at a high level and will represent a growing and persistent threat to US economic security. The nature of the cyber threat will evolve with continuing technological advances in the global information environment.

"You're only a stranger here once!" ~Tampa, FL

Do you recall my prediction about Tampa?
FutureWatch (September 2008) - Although facial recognition and tracking didn't catch on the first go-around (the Tampa, Florida experiment), it is ripe for a come-back. 5 years from now, this will be commonplace – along with automatic license plate readers and motion-intention evaluators.

August 2003 - Tampa police have scrapped their controversial security camera system that scanned city streets for criminals, citing its failure over two years to recognize anyone wanted by authorities.

History...
July 2001 - The Tampa City Council took a fully-informed look at Ybor City's controversial high-tech face-scanning software. When the dust settled, the council split down the middle with a 3-3 vote on whether or not to do away with the face-scanning software.

Fast Forward... 2011 - via National Motorists Association...

The request reads like a shopping list for a counter-terrorism strike: low-light cameras to identify people and vehicles at 100 meters, helmet-mounted cameras, cameras for "use around high-risk activities" and cameras that can read license plates across three lanes of traffic.

In reality, it’s part of a plan proposed by Tampa city officials to provide security for next year’s Republican National Convention. Funds to buy or lease the gear are expected to come from federal taxpayers in the form of a $55 million congressional appropriation.

The surveillance will target convention protestors (as many as 10,000, according to convention organizers), but, given the sweeping nature of the plan, many bystanders and motorists are likely to be ensnared as well.

And while police officials admit they may not get all 238 cameras on the original request, critics are already reacting. A spokesperson for the American Civil Liberties Union of Florida likens the approach to "hitting a gnat with a sledgehammer." (To be fair, officials canceled a request for two aerial surveillance drones due to cost concerns.)

FutureWatch - Drones are already in some state and local police toy chests. Tampa will eventually get one, too.

"Anyone who feels they were hacked, please raise your hand."

News Corporation has begun a voluntary program that allows people who believe they have been the victims of phone hacking to apply online for compensation.

A statement issued Friday by the company’s British publishing unit, News International, urged possible victims to take advantage of the settlement plan, calling it a “speedy, cost-effective alternative to litigation.” Charles Gray, a former High Court judge and arbitration specialist, will assess the applications and serve as an independent adjudicator, News International said. There is no limit on how much the company might have to pay. (more)

"Come on, Joey. Halloween is over."

MA - Police arrested a Framingham man at gunpoint yesterday after he chased two women with a sharp lawn-edging tool, a prosecutor said yesterday in Framingham District Court.

Joseph Kenney, 48, is also charged with trying to illegally record police with his cellphone, prosecutor Christopher Baker said during Kenney's arraignment.

Police went to Elm Street yesterday around 1 a.m. to check on a large gathering in the street. There, they found Kenney chasing two women with a lawn edger, Baker said.

"The officers ordered him to drop it, and he didn't until the officers drew their weapons," Baker said.

Kenney complained that "those kids are always in my parking lot" so he confronted them, Baker said.

Police arrested Kenney, who lives at 10 Elm St., and initially charged him with assault with a dangerous weapon and disorderly conduct.

On the way to the police station, the officer noticed Kenney was using his phone, Baker said. Kenney told the officer he was recording him.

The officer said Kenney did not have permission to record his voice, but Kenney refused to stop. As a result, police charged Kenney with illegal wiretapping. (more)

True story. Only the street name has been changed to protect the innocent.

"Wake up, Nguyen. Time to spy on the submarine races."

When foreign spies set their sights on America's secrets, many times they're not looking underground for secret bunkers or in the sky for massive spy blimps, but under the sea at the nation's low-profile underwater drone fleet.

According to some of the military's top counterintelligence analysts, in recent years there has been a significant increase in both old school spying and cyber operations, especially by unnamed East Asian nations, directed at gaining classified information on America's autonomous underwater vehicles (AUVs) in hopes of undercutting the U.S.'s "underseas battlespace dominance." (more)

Must be a Saturday Night Live skit that didn't get used...

Croatian businessman Vladimir Selebaj, who has been jailed over malversations with his production company Core Media, speaks to his parents only in French due to fears of wiretapping.

A French citizen, Selebaj allegedly talks only in French during his parents visits because he thinks he is being targeted by the police chief, Oliver Grbic.  

Grbic is currently in a relationship with Selebaj’s wife, Dijana Culjak.

Selebaj has been detained in Zagreb Remetinec prison while the investigation is underway, daily Vecernji List writes. (more)

BlackBerry / India Ink Surveillance Contract - RIM shot

 Remember when India was threatening to shut down BlackBerry service unless it could tap user's communications? Reports have RIM operating a wiretapping facility in Mumbai to help with that.

Back in 2010, the Indian government set multiple deadlines for RIM to provide the government with access to encrypted BlackBerry communication or face a shutdown of BlackBerry services in the country. Those deadlines came and went, with RIM insisting that it has no back door that would let government authorities (or anybody else) decrypt and access communications on its BlackBerry Enterprise services. 

However, by the beginning of 2011 RIM had been working with the Indian government to provide access to consumer-level BlackBerry Messenger and BlackBerry Internet Services (BIS) email—and now the Wall Street Journal reports RIM is operating a small surveillance facility in Mumbai to process government requests for access to BlackBerry user communications. (more)

Spy Train Tracks Wirey Thieves

Using a thermal camera to track copper cable thieves.

UK - Network Rail said covert spy train patrols to deter metal thieves from the rail network are having an effect.

In the last year the price of copper has doubled and this year alone in the east there have been 72 serious incidents of cable theft, causing delays to more than 2,500 trains and costing the company more than £1m.

Look East joined Network Rail and the British Transport Police on a special spy train as they went on the hunt for thieves in Essex and Hertfordshire. (video)

A Simple Three Question Spy Movie Quiz

Go here. 

I got 2 of three. 

See what you can do.

Here is one from me...

What is the name of this famous spy story town?

What is its real name?

Did I live there for a week?

Answers later next week.

Enjoy your weekend!

~Kevin

Security Alert: Easy Bypass of iPad2 Passcode Screen (w/ fix)

PROBLEM...
Apple's Smart Covers are pretty cool--they attach magnetically to your iPad 2, and you can lock your iPad's screen simply by "closing" the cover. Lift the cover off the screen, and your iPad wakes right up. Unfortunately, members of the German forum Apfeltalk ("Apple Talk") discovered a bug in how iOS handles the Smart Cover that makes it possible to bypass the iPad's passcode screen. Yikes.

To trigger this glitch, hold down the power button and wait for the iPad to ask to power off. When that happens, place the smart cover over the tablet. Next, take the cover off again, cancel the power down, and you're in--no passcode required.

SOLUTION...
Apple is aware of the issue and is working on a fix. And for the time being, you can make it so your iPad doesn't automatically unlock when you open your Smart Cover; that way, even if someone uses this bypass trick, they'll only be greeted with the passcode screen. To change this setting, Open the Settings app, tap General, and change the setting for "iPad Cover Lock/Unlock" to "Off". (more)

Gang Members Are Coming For Your Info. What's Your Counterespionage Strategy?

The Federal Bureau of Investigation on Friday estimated there are some 1.4 million gang members in the United States and they are turning to white-collar crimes as more lucrative enterprises. 

Gangs like the Bloods and the Crips are engaging in crimes such as identity theft, counterfeiting, selling stolen goods and even bank, credit card and mortgage fraud, said a new FBI gangs threat assessment.

"We've seen it, but we've seen them doing it even more now and we attribute to the fact that the likelihood of being caught is less, the sentences once you are caught are less, and the actual monetary gain is much higher," said Diedre Butler, a unit chief at the National Gang Intelligence Center. (more)

Search Engine Encrypts Your Secret Yearnings, Lusts and Thirsts... for Knowledge

Click to enlarge.

Flash - "As of this week, Startpage, by Ixquick, the "world's most private search engine," automatically encrypts ALL searches. Startpage was the first search engine to offer SSL encryption in 2009, and today it again breaks new ground by making SSL encryption the default." (more)

Kevin's Security Scrapbook exclusive! Motion picture footage of the inside of a search engine's encryption kernel.

"Dude, Scientology has an Office of Special Affairs?!?! I didn't know scientists even had affairs!"

The Village Voice is reporting that the Church of Scientology attempted to investigate Parker and Stone after a controversial 2005 episode of “South Park” titled “Trapped in a Closet.” The Emmy-nominated episode, airing on Comedy Central, satirized such figures as Scientology founder L. Ron Hubbard and Scientology member Tom Cruise. 

According to the Voice, former Scientology executive Marty Rathbun “revealed at his blog that in 2006, Scientology's Office of Special Affairs — the church's intelligence and covert operations wing — was actively investigating” Parker and Stone.

The Voice reports Monday: “We have more leaked OSA documents which give some idea of the extent of the spying operation on the ‘South Park’ offices and the people who worked there.” (more)

Chat and...ZAP. Your address book is stolen!

If you use Skype on an iPhone or iPod touch, Phil Purviance can steal your device's address book simply by sending you a chat message.

In a video posted over the weekend, the security researcher makes the attack look like child's play. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you'll have a fully-searchable copy of the victim's address book. (more)