Thursday, November 8, 2012

Security Quote of the Day

"Protecting classified information depends, today more than ever, on the security awareness of employees. They can literally make or break your security program." NSI, Security NewsWatch

How to Surf the Web in Secret


via Brad Chacos...

They say no one can hear you scream in space, but if you so much as whisper on the Web, you can be tracked by a dozen different organizations and recorded for posterity. 

Simply visiting a website can allow its operators to figure out your general physical location, identify details about your device information, and install advertising cookies that can track your movements around the web. (Don't believe me? Check this out.)

Not everyone likes the idea of having his or her entire digital life scraped, analyzed and (in countries with restrictive regimes) controlled outright by third parties. 


So please consider the following tools and tips, which will hide your IP address and have you surfing the web in blissful anonymity in no time. (more)

Checklist...
• Use a second web browser.
• Set it to anonymous / private mode.
• Have it wipe all cookies when closed.
• Use a web-based proxy. (Proxify, Anonymouse, Hide My Ass, or one from Proxy.org) Remember the proxy operator sees everything you send through it, so don't log in to anything that matters while using one.
• Better... Use The Onion Router (aka Tor). Note that Tor is an anonymity network, not a VPN: it bounces your traffic through several volunteer relays so no single party sees both you and the site. A commercial VPN only hides your address from the sites you visit; the VPN operator still sees it all.
• Send your email anonymously via Anonymouse or Hide My Ass.
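Putting the checklist into practice, as an added example (not from Brad Chacos's article): the script below builds a throwaway Firefox profile that always starts in private mode, keeps cookies only for the session and wipes them (plus cache and history) on exit, and pushes every connection, including DNS lookups, through a local Tor SOCKS proxy. The preference names are Firefox's real ones; the assumption is that a Tor daemon is listening on 127.0.0.1:9050 (its default). The dedicated Tor Browser bundle is the safer choice because it also normalizes browser fingerprints; this is the minimal "second browser" approach the checklist describes.

```python
import json
import os
import re
import subprocess
import tempfile

# Assumption: a local Tor daemon is listening on its default SOCKS port.
TOR_SOCKS_HOST, TOR_SOCKS_PORT = "127.0.0.1", 9050

# Real Firefox preference names; the values implement the checklist:
# always private, cookies for this session only and wiped at exit, everything via Tor,
# with DNS resolved through the proxy so lookups do not leak to the local resolver.
PRIVATE_PREFS = {
    "browser.privatebrowsing.autostart": True,
    "network.cookie.lifetimePolicy": 2,            # 2 = accept cookies for this session only
    "privacy.sanitize.sanitizeOnShutdown": True,
    "privacy.clearOnShutdown.cookies": True,
    "privacy.clearOnShutdown.cache": True,
    "privacy.clearOnShutdown.history": True,
    "privacy.donottrackheader.enabled": True,
    "network.proxy.type": 1,                       # 1 = manual proxy configuration
    "network.proxy.socks": TOR_SOCKS_HOST,
    "network.proxy.socks_port": TOR_SOCKS_PORT,
    "network.proxy.socks_version": 5,
    "network.proxy.socks_remote_dns": True,
}

_PREF_LINE = re.compile(r'user_pref\("([^"]+)",\s*(.+)\);\s*$')


def render_user_js(prefs):
    """user.js syntax is one user_pref(name, value) call per line; json.dumps produces
    the right literal form (true/false, bare numbers, double-quoted strings)."""
    return "".join('user_pref("%s", %s);\n' % (k, json.dumps(v)) for k, v in sorted(prefs.items()))


def parse_user_js(text):
    """Inverse of render_user_js, used to audit a profile that already exists."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line.strip())
        if m:
            prefs[m.group(1)] = json.loads(m.group(2))
    return prefs


def write_profile(profile_dir=None, prefs=PRIVATE_PREFS):
    """Create (or reuse) a profile directory holding our user.js; returns the file path."""
    profile_dir = profile_dir or tempfile.mkdtemp(prefix="ff-private-")
    os.makedirs(profile_dir, exist_ok=True)
    path = os.path.join(profile_dir, "user.js")
    with open(path, "w") as fh:
        fh.write(render_user_js(prefs))
    return path


def missing_prefs(user_js_path, required=PRIVATE_PREFS):
    """Which required prefs are absent from, or set to the wrong value in, a user.js."""
    with open(user_js_path) as fh:
        found = parse_user_js(fh.read())
    return sorted(k for k, v in required.items() if found.get(k) != v)


def firefox_argv(profile_dir, url="https://check.torproject.org/"):
    """Command line for a separate Firefox instance on this profile. The default URL
    is the Tor Project's own check page, which reports whether you arrived via Tor."""
    return ["firefox", "--no-remote", "--profile", profile_dir, "--private-window", url]


if __name__ == "__main__":
    user_js = write_profile()
    print("wrote", user_js, "missing prefs:", missing_prefs(user_js))
    subprocess.call(firefox_argv(os.path.dirname(user_js)))
```

Run it with Tor already started; the check page should say you are using Tor. If it doesn't, run missing_prefs() against the profile's user.js before assuming the proxy is at fault: Firefox silently ignores a malformed pref line.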

Monday, October 29, 2012

Seeing Through Shower Curtains and Other Light Scattering Materials

via Gizmodo.com...
Taking a shower while secure in the knowledge that no one can see through the curtains may soon be a thing of the past. Researchers Ori Katz, Eran Small and Yaron Silberberg of the Weizmann Institute of Science, Rehovot, Israel, have developed a method for de-scattering light to form coherent images in real time. 
In other words, they have found a way to look through shower curtains, frosted glass and other image-blurring materials. The technique may one day aid scientists in seeing through living tissue or around corners. (more)

And, I have found their research. ~Kevin

Thursday, October 25, 2012

Maltego - For the PI and Security Director of the Future

via techhive.com...
What Maltego does is quickly and succinctly draw on public data sources to put together a graphical digital footprint...

Maltego is highly efficient at quickly assembling digital crumbs and linking those pieces together, which would be tedious work otherwise. 

Roelof Temmingh (co-creator) used Maltego to search Twitter with coordinates for the vicinity of the NSA's parking lot...

Temmingh pulled up a web of scattered tweets in Maltego. He picked out one person...

Then Maltego combed social networking sites, checking sources such as Facebook, MySpace, and LinkedIn. An identical photo linked the person's Facebook and MySpace page. From there, Maltego spotted more information. After a day of searching, Maltego discovered the person's email address, date of birth, travel history, employment, and education history.

"This is about a day's worth of digging around," Temmingh said. "It's not weeks and weeks."

Other interesting information can come from EXIF (exchangeable image file) data, which is information often embedded in a photograph... (more)


An investigative tool, and vulnerability assessment tool. For cutting-edge PIs, a  competitive advantage. For the average security director, a mini FBICIANSA. ~Kevin
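The EXIF point above deserves a closer look, because it is the cheapest crumb of all: a geotagged photo carries the camera's latitude and longitude in a GPS sub-IFD inside the Exif APP1 segment. As an added example (not Maltego's code, and independent of any image library), the Python below builds a constructed minimal JPEG with a GPS block, parses the Exif/TIFF structure to recover the coordinates in decimal degrees, and then shows the defensive counterpart: stripping the APP1 segment before a picture leaves your hands. Tag numbers are from the Exif specification; the sample coordinates are made up.

```python
import struct

# From the Exif spec: IFD0 tag 0x8825 points at the GPS IFD. In the GPS IFD,
# tags 1/3 are the latitude/longitude reference letters (N/S, E/W) and
# tags 2/4 are latitude/longitude as three RATIONALs (degrees, minutes, seconds).
GPS_IFD_POINTER = 0x8825
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_geotagged_jpeg(lat, lat_ref, lon, lon_ref):
    """Constructed sample input: a minimal JPEG (SOI, APP1/Exif, EOI) whose Exif block
    holds only a GPS IFD. lat/lon are (deg, min, sec) integer tuples."""
    # Fixed little-endian TIFF layout (offsets from the start of the TIFF header):
    #   0 header   8 IFD0 (1 entry)   26 GPS IFD (4 entries)
    #   80 latitude rationals (24 bytes)   104 longitude rationals (24 bytes)
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", GPS_IFD_POINTER, TYPE_LONG, 1, 26)
            + struct.pack("<I", 0))
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", 1, TYPE_ASCII, 2) + lat_ref.encode("ascii") + b"\0\0\0"  # "N\0" fits inline
    gps += struct.pack("<HHII", 2, TYPE_RATIONAL, 3, 80)
    gps += struct.pack("<HHI", 3, TYPE_ASCII, 2) + lon_ref.encode("ascii") + b"\0\0\0"
    gps += struct.pack("<HHII", 4, TYPE_RATIONAL, 3, 104)
    gps += struct.pack("<I", 0)
    rationals = b"".join(struct.pack("<II", v, 1) for v in lat + lon)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rationals
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (offset, marker, length) for each header segment before the scan data."""
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):  # start of scan / end of image: no more headers
            return
        yield pos, marker, seglen
        pos += 2 + seglen


def _ifd_entries(tiff, end, off):
    count = struct.unpack(end + "H", tiff[off:off + 2])[0]
    for i in range(count):
        entry = tiff[off + 2 + 12 * i: off + 14 + 12 * i]
        tag, typ, n = struct.unpack(end + "HHI", entry[:8])
        yield tag, typ, n, entry[8:12]  # last 4 bytes: the value if it fits, else an offset


def _to_decimal(dms, ref):
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if the file is not geotagged."""
    for pos, marker, seglen in _segments(jpeg):
        if marker != 0xFFE1 or jpeg[pos + 4:pos + 10] != b"Exif\0\0":
            continue
        tiff = jpeg[pos + 10:pos + 2 + seglen]
        end = "<" if tiff[:2] == b"II" else ">"  # "II" = Intel (little), "MM" = Motorola (big)
        ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
        gps_off = next((struct.unpack(end + "I", raw)[0] for tag, typ, n, raw in
                        _ifd_entries(tiff, end, ifd0) if tag == GPS_IFD_POINTER), None)
        if gps_off is None:
            return None
        fields = {}
        for tag, typ, n, raw in _ifd_entries(tiff, end, gps_off):
            if typ == TYPE_ASCII and n <= 4:
                fields[tag] = raw[:n].rstrip(b"\0").decode("ascii")
            elif typ == TYPE_RATIONAL:
                off = struct.unpack(end + "I", raw)[0]
                fields[tag] = [num / den for num, den in
                               (struct.unpack(end + "II", tiff[off + 8 * k: off + 8 * k + 8])
                                for k in range(n))]
        if 2 in fields and 4 in fields:
            return _to_decimal(fields[2], fields.get(1, "N")), _to_decimal(fields[4], fields.get(3, "E"))
    return None


def strip_exif(jpeg):
    """Defensive counterpart: drop every APP1 segment, taking the GPS block with it."""
    out, pos = bytearray(jpeg[:2]), 2
    for seg_pos, marker, seglen in _segments(jpeg):
        if marker != 0xFFE1:
            out += jpeg[seg_pos:seg_pos + 2 + seglen]
        pos = seg_pos + 2 + seglen
    out += jpeg[pos:]  # scan data and EOI are copied through untouched
    return bytes(out)
```

Point the extractor at real photos from a target's public profiles and you have the same location trail Temmingh assembled by hand; point strip_exif at your own outgoing pictures and that trail never exists. Note that many photo-sharing sites already strip Exif on upload, but e-mail attachments and direct file transfers don't.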

FBI Issues Warning Regarding Android Malware

The FBI's Internet Crime Complaint Center has issued a warning alerting users about malware that targets the Android mobile operating system. 

The intelligence note from the IC3 was issued last week, and highlighted on Monday by Apple 2.0. It noted there are various forms of malware out in the wild that attack Android devices.

Two forms of malware cited by the IC3 are Loozfon, which steals information from users, and FinFisher, which can give nefarious hackers control over a user's device. 


Loozfon can lure in victims by promising users a work-at-home opportunity in exchange for sending out an e-mail. Visiting a link in the e-mail will push Loozfon to the user's device, allowing the malware to steal contact details from the device's address book.

The FinFisher spyware highlighted by the IC3 allows for a mobile device to be remotely controlled and monitored from anywhere. FinFisher is installed by simply visiting a Web link or opening a text message that disguises itself as a system update. (more)

Sunday, October 21, 2012

New Burglar Alarm... not for you, for the burglar.

Criminals no longer need to stake out a home or a business to monitor the inhabitants' comings and goings. Now they can simply pick up wireless signals broadcast by the building's utility meters.

In the US, analogue meters that measure water, gas and electricity consumption are being replaced by automated meter reading (AMR) technology. Nearly a third of the country's meters - more than 40 million - have already been changed. The new time-saving devices broadcast readings by radio every 30 seconds for utility company employees to read as they walk or drive around with a receiver. But they are not the only ones who can tune in, says Ishtiaq Rouf at the University of South Carolina in Columbia, and his colleagues.

The team picked up transmissions from AMR meters - operated by companies that they did not name in their paper - and reverse-engineered the broadcasts to monitor the readings. To do this they needed about $1000 worth of open-source radio equipment and information available through online tutorials. (more)


Bad guy logic leap: When you are not home, you are not using much electricity.

Bike Race Dopes - Another DIY TSCM Failure

via a Blue Blaze Irregular...
On page 218 of the new book, "The Secret Race: Inside the Hidden World of the Tour de France: Doping, Cover-ups, and Winning at All Costs" by Tyler Hamilton and Daniel Coyle, is a description of the TSCM techniques allegedly used by the U.S. Postal Service cycling team against covert audio and video surveillance:

"According to Landis, Postal performed two transfusions to the entire team during the 2004 Tour de France. The first was after the first rest day in a hotel in Limoges. Riders were taken in small groups to a room and told not to speak. For safety, team staffers were stationed at each end of the hallway. To guard against the possibility of hidden cameras, the air conditioner, light switches, smoke detector, and even the toilet were covered with dark plastic and taped off.


Fun Facts: 
• Many types of "dark plastic" – garbage bags, for example – do not block near-IR light. 
• Many cameras are sensitive to near-IR light.
• Putting dark plastic over camera hiding spots is no guarantee you blinded the camera.
• (more about seeing through black plastic)
~Kevin 

$89.99 Wi-Fi Bug You Control With Your iPhone... from anywhere!

"WeMo Baby conveniently turns your iPad, iPhone, or iPod touch into a baby monitor so you don't have to carry an extra device to keep in touch with your baby. 

It works with your existing Wi-Fi router to wirelessly stream audio from your baby's room to your mobile device." (more)

Why is this scary?
• It will be repackaged into a covert listening device.
• Unlike previous baby-mon mods, this one is digital.
• Its signal hides among legitimate Wi-Fi signals.
• Listen in from anywhere via the Internet.
• Digitally clear audio.
• Pair with a voice activated recorder for "TiVO" spying.
• It can send text messages when it hears audio.

P.S. Although this product hasn't launched yet, Murray Associates has a detection solution ready. ~Kevin

Common Problem - Technology Outpaces Spies

Australia's domestic spy agency has revealed there have been intelligence failures in recent years because of changing technology. 

Speaking exclusively to Radio National's Background Briefing program, Australian Security Intelligence Organisation (ASIO) director-general David Irvine says new ways of communicating electronically are white-anting* his agency's surveillance powers.

"We have had not near misses, we have had misses," he said.

"In recent years there have been instances where devices have been used or devices have been used that we didn't know about, and we have missed information. (more) (Audio: Law expert George Williams talks to PM)


* - An Australian term for the process of internal erosion of a foundation.

Saturday, October 20, 2012

Today in Eavesdropping History

On Oct. 20, 1973, in the so-called Saturday Night Massacre, President Nixon abolished the office of special Watergate prosecutor Archibald Cox, accepted the resignation of Attorney General Elliot L. Richardson and fired Deputy Attorney General William B. Ruckelshaus. (more)

Wednesday, October 17, 2012

Chinese Communications Equipment Maker ZTE Cuts Connection with Surveillance Equipment Maker ZTEsec

Chinese telecoms kit maker ZTE has sold its majority stake in ZTE Special Equipment (ZTEsec) – a company that sells surveillance systems.

The under-fire Shenzhen-based firm said in a little-publicized filing with the Hong Kong Stock Exchange at the end of September that it would “dispose of its 68 per cent equity interests” in ZTEsec. (more)

Apparently not in time to impress Congress. (pdf of report)

Tuesday, October 16, 2012

Silent Circle Has Launched - An Affordable Secure Communications Package

Their opening salvo...
"We want to fight for your right to privacy. We are pushing back against the tide of surveillance. We don’t like oppressive regimes, indiscriminate wiretapping, big brother, data criminals, intellectual property theft, identity thieves or governments that persecute their citizens for saying or writing their opinions." Silent Circle


Services:
Silent Phone
Silent Text (with a self-destructing feature)
Silent Eyes (video call encryption)
Silent Mail (coming soon)
All sold together as Silent Suite for $20.00 per month.


Coming Soon...

"Worldwide Secure Communications with the Secure Business Package brings together the entire Silent Circle suite of products. Not only is this an Encrypted Secure Calling Plan – it's also extremely cost effective compared to today's un-secure VoIP calling plans. The average large domestic carrier basic cell phone plan is about $40 a month with low minutes, low data and un-secure calls. With our Secure Business Package you can have peace of mind that you are communicating securely without worrying about your minutes. In today's market, unlimited calling and data plans with the major cell carriers cost over $120 a month – with our Secure Business Package at $49 per month, on top of a basic carrier plan of around $40 per month, is still much cheaper than today's unlimited carrier plans – and it's SECURE."

ENTERPRISE SOLUTIONS
"In today’s highly-connected International business realm, even small to moderate sized businesses have international employees, offices and partners. Silent Circle was developed and designed to help stop the theft of personal and corporate Intellectual Property, to defeat a critical piece of the Bring Your Own Device (BYOD) issue and to provide a true commercial Software-as-a-Service model for secure communications."

FutureWatch: Like the telephone itself, having one is useless, having two useful. Having millions of subscribers makes it an imperative.


If and when this product scales up, will there be any reason to communicate insecurely? Will the word wiretap join the lexicon graveyard along with galoshes, spittoon and fedora? The answer may depend upon two live-wire words... government regulation

For now, anyway, this is great progress. ~Kevin

Monday, October 15, 2012

Future Room Lighting to Double as Light "Wi-Fi"... or eavesdropping device.

VLC transmits data wirelessly using visible light as its medium instead of radio waves... Harold Haas, professor of Mobile Communications at the University of Edinburgh, successfully demonstrated the VLC technology at a TED conference. He streamed an HD video to a screen using an LED light bulb as transmitter.

Haas co-founded PureVLC, a corporate spin-off of the university’s research project, to turn the technology into commercially viable devices. The company is now beta-testing its first product: the Smart Lighting Development Kit (SLDK)...
 
Because the light changes superfast it is invisible to the human eye and can still function as normal lighting.

A standard Ethernet port connects the ceiling unit to a data network. The unit encodes the data onto the current feeding the LEDs. The desktop unit receives the data, decodes it and transfers it to a laptop or desktop computer. It can also send data to the ceiling unit. (more)
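Why the flicker is invisible, and why that is exactly the eavesdropping problem: the data is carried as very fast dips in LED brightness, and any photodiode with a line of sight to the lamp (through a window, say) receives the same signal as the desktop unit. The Python below is an added illustrative model, not PureVLC's actual scheme (the article gives no modulation details): it uses Manchester on-off keying, in which every bit is one bright-to-dim or dim-to-bright transition, so the lamp is at its brighter level exactly half the time no matter what is sent and the average brightness never changes. The "photodiode" input is constructed with added noise to show the receiver still decodes cleanly.

```python
import random

SAMPLES_PER_HALF = 4  # photodiode samples taken during each half of a Manchester bit


def manchester_encode(data):
    """Turn bytes into a lamp level sequence. A 1 bit is dim-then-bright, a 0 bit is
    bright-then-dim, so each bit spends exactly half its time at the brighter level:
    the average brightness is independent of the data, which is why the eye sees steady light."""
    levels = []
    for byte in data:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            first, second = (0, 1) if bit else (1, 0)
            levels += [first] * SAMPLES_PER_HALF + [second] * SAMPLES_PER_HALF
    return levels


def duty_cycle(levels):
    """Fraction of samples at the brighter level; always 0.5 for Manchester-coded data."""
    return sum(levels) / len(levels)


def photodiode_view(levels, bright=0.9, dim=0.3, sigma=0.05, seed=1):
    """Constructed receiver input: the lamp never goes dark (dim > 0), it only dips,
    and the photodiode adds Gaussian noise. Any line-of-sight receiver sees this."""
    rng = random.Random(seed)
    return [(bright if lv else dim) + rng.gauss(0, sigma) for lv in levels]


def manchester_decode(samples):
    """Recover bytes from raw photodiode samples: slice at the midpoint of the observed
    range, majority-vote each half-bit window, then read the transition direction."""
    threshold = (max(samples) + min(samples)) / 2
    hard = [1 if s > threshold else 0 for s in samples]
    per_bit = 2 * SAMPLES_PER_HALF
    out, byte = bytearray(), 0
    for k in range(len(hard) // per_bit):
        window = hard[k * per_bit:(k + 1) * per_bit]
        first_high = sum(window[:SAMPLES_PER_HALF]) * 2 > SAMPLES_PER_HALF
        second_high = sum(window[SAMPLES_PER_HALF:]) * 2 > SAMPLES_PER_HALF
        bit = 1 if (second_high and not first_high) else 0
        byte = (byte << 1) | bit
        if k % 8 == 7:
            out.append(byte)
            byte = 0
    return bytes(out)


if __name__ == "__main__":
    msg = b"meeting at 0900"
    seen = photodiode_view(manchester_encode(msg))
    print("duty cycle:", duty_cycle(manchester_encode(msg)), "decoded:", manchester_decode(seen))
```

The practical lesson is the same as for any radio link: line of sight is the only "access control" the physical layer gives you, so a VLC ceiling unit needs encryption on the data it modulates, and window coverings become part of the security perimeter.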

Privacy Tip: Turn OFF Advertiser Tracking in iPhone iOS6

In iOS6, tracking for advertisers has been turned ON by default.

The new "features" are called:
  • advertisingIdentifier (IDFA), a cross-app/publisher identifier
  • identifierForVendor (IDFV), an identifier shared only by apps from the same vendor
You can read more about it here, but this is what you want to know if you don't want to be tracked...

In Settings, navigate to General / About / Advertising, then... flip the "Limit Ad Tracking" switch to ON. 

This is not listed under Privacy. It is tucked away in an unlikely corner. It is ON by default. And, to turn it OFF, you have to turn it ON. Weird, huh? Smell a rat? ~Kevin

Experimental App Sends 3D Photos of Your Office to Spies, Your Home to Burglars*

via MIT Technology Review...
...smartphones are increasingly targeted by malware designed to exploit this newfound power. Examples include software that listens for spoken credit card numbers (Soundminer malware) or uses the on-board accelerometers to monitor credit card details entered as keystrokes (steal keystrokes).

Today Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of 'visual malware' capable of recording and reconstructing a user's environment in 3D. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information. (It even turns off the shutter noise when taking photos.)

Templeman and co call their visual malware PlaceRaider and have created it as an app capable of running in the background of any smartphone using the Android 2.3 operating system. (more)


* Just two scary imagined uses for this app.
Want to know more?
We've got their paper right here