Monday, March 11, 2013

Employee Bugs Boss - True Story

"Employee hid a recording device in supervisor's office. In addition, without authorization, Employee made copies of supervisor's negative comments about Employee that Employee located by conducting an unauthorized search of the supervisor's office and briefcase. Employee provided the notes to lawyer in support of lawsuit against supervisor. Finally, Employee lied to investigators during the course of the administrative inquiry."

Think this can't happen to you?
Think again.
This case comes from the files of the FBI. 
Why? 
It was their employee. (more)

P.S. This report was labeled "NOT FOR PUBLIC DISSEMINATION" (oops, again)

Vatican Bugs

Last Month - An Italian news magazine, Panorama, claimed that Vatican authorities had conducted, and are still conducting, an extensive covert surveillance programme, tapping the phone calls and intercepting the emails of cardinals and bishops in the Curia, the governing body of the Catholic Church. (more)

This Month - The Vatican has gone high tech to prevent leaks like in 2005 when German media outlets were able to report that Joseph Ratzinger was going to be elected as Pope. A Faraday cage is being put in place to jam any signals. A Faraday cage is a mesh structure used to block outside electrical fields. For the Vatican, the usage of the Faraday cage will cause the Sistine Chapel to become a “dead zone,” preventing any cell phones from getting service. (more)

Prior to the vote, Vatican officials will sweep the chapel and the guesthouse that houses the cardinals with anti-bugging scanners to detect any hidden microphones. (more)


...and what are you doing to protect your business secrets? (more)

Perkele - Android Malware Swipes SMS Messages

via Krebs on Security...
An explosion in malware targeting Android users is being fueled in part by a budding market for mobile malcode creation kits, as well as a brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale... 

Unsurprisingly, this particular entrepreneur also sells an Android SMS malware package that targets customers of Citibank, HSBC and ING, as well as 66 other financial institutions in Australia, France, India, Italy, Germany, New Zealand, Singapore, Spain, Switzerland and Turkey (the complete list is here). The targeted banks offer text messages as a form of multi-factor authentication, and this bot is designed to intercept all incoming SMS messages on infected Android phones.

This bot kit — dubbed Perkele by a malcoder who goes by the same nickname (‘perkele’ is a Finnish curse word for “devil” or “damn”) — does not appear to be terribly diabolical or sophisticated as modern mobile malware goes. Still, judging from the number and reputation of forum buyers who endorsed Perkele’s malware, it appears quite popular and to perform as advertised. (more)


Tip: Before downloading an app, check out the name of the app developer. If it's a name you aren't familiar with, do a quick Web search for either the developer's name or the name of the app. Anything questionable about the developer or the application should come up. (more)

Super Secure Cell Phone

CryptoPhone 500 is a new configurable secure cell phone. Protection is based on...

• End-to-end voice and message encryption: Secure end-to-end encrypted messaging and voice over IP. Works on any network, including 2G GSM, 3G/UMTS, and Wireless LAN.

• Hardened operating system: It is the first mobile phone featuring GSMK's secure Android operating system, built from source code with granular security management. Permission enforcement module controls access to networks, data and sensors (camera, microphone, etc.).

• Baseband firewall: Protection against over-the-air attacks. Constant monitoring of baseband processor activity, baseband attack detection, and automated initiation of countermeasures.

• Encrypted storage system: Protects data at rest against unauthorized access.


The CryptoPhone 500 becomes commercially available by end of April. (more)

Barney Google 2013

Google Glass is the company's upcoming product that puts a computer on your face. Google is about to release the dorky-looking device and most likely it will be snapped up by the techie crowd. It is an innovative product that pushes live-blogging to the next level, and that will unleash a storm of concern never before seen caused by a mobile gadget. ...

Rightly or wrongly there's already a concern about folks taking photos and videos in certain public locations and situations. Pull out a camera in places like public schools, playgrounds, and airports and you might incur the wrath of authorities and parents, especially where the public safety of kids is concerned.

When public awareness of Google Glass reaches a critical mass and it's understood that these devices can record photos, video, and audio of the wearer's surroundings, an outbreak of bans is sure to result. Don't be surprised if within weeks of Google Glass's general release we start seeing bans of it cropping up all over the place.


These bans are not going to be the result of Google Glass wearers actually using them; they are going to be the result of the concern that they can be used discreetly. (more)

Friday, February 22, 2013

Security Scrapbook Reader's Question - Spy School

Q. "I really enjoy your articles. Let me ask you: Would a spy school go over here in the U.S.?"

A. It probably would. There are plenty of people - from kiddies to Mitty's - who think spying is cool, albeit illegal. Training is probably not illegal, just implementing the skills. 

I educate my clients on spying techniques, just so they know what to look out for. Being aware helps them protect themselves against spying. 

Come to think of it, we are one of the very few countries whose government spy agencies do not support the private sector with the business intel they collect. Perhaps there is a spy school niche market, to help us level the international economic playing field. Hummm... Just don't have your Bonds reporting to HR or Facilities, like the security departments I see in some corporations.

Examples of spy schools, games and books...
http://www.jamesbondlifestyle.com/news/bond-experience-launches-november-7th
http://thebondexperience.com
http://www.spymuseum.org/education-programs/
http://www.stilettospyschool.com/newyork.php
http://www.mi6academy.com/newyork.php
http://www.spyschool.com/
http://www.beyondweird.com/survival/sschools.html
http://www.fxnetworks.com/archer/spyschool (game for kids)

Spy School (book for kids) 
Another Spy School (book for kids)
So You Want to Be A Spy (book for kids)
So you want to be an industrial spy? (rare, out of print)
The Complete Idiot's Guide to the CIA (book)
Spy's Secret Handbook (Project X Top Secret) (book for kids) 

It's True! This Book is Bugged (book for kids) 
How to be a Spy: The World War II SOE Training Manual
The Spycraft Manual: The Insider's Guide to Espionage Techniques

The Official CIA Manual of Trickery and Deception
The Spy's Handbook: Learn How To Spy On Anyone At Anytime Without Getting Caught By Using Spy Gadgets And Other... 

 

Thursday, February 21, 2013

Business Espionage - Quote of the Month

“This is an absolute tidal wave of criminal activity, and we’re not even scratching the surface. We are literally having our nation systematically stolen out from under us.”

Brett Kingstone, a one-time victim of trade secret theft and writer of The Real War Against America, a book that details how his start-up company was crippled by the theft of trade secrets related to LED lighting. (more)

Spykpe

A technology called Legal Intercept that Microsoft hopes to patent would allow the company to secretly intercept, monitor and record Skype calls. And it's stoking privacy concerns. (more)

We're shocked. q.v. - Yesterday's story.

Express Scripts vs. E&Y - Trade Secret Theft Allegations

Express Scripts Inc. sued the accounting firm Ernst & Young LLP and one of its partners for the alleged theft of trade secrets and misappropriation of the pharmacy benefit manager’s confidential and proprietary data.

The Express Scripts Holding Co. unit said in a complaint filed yesterday in state court in Clayton, Missouri, that it learned last year that accounting firm partner Don Gravlin had been “sneaking” into its St. Louis headquarters and e-mailing documents to a private Google account via the account of an Ernst & Young consultant...

The accountants allegedly took the equivalent of more than 20,000 pages of data, including pricing information, business strategy, projections and “performance metrics” documents, to aid development of Ernst & Young’s own health-care business segment, which includes Express Scripts and Medco Health Solutions Inc., which it acquired last year, as well as some of their competitors. (more)

Wednesday, February 20, 2013

U.S. Unveils New Strategy to Combat Trade-Secret Theft

The White House unveiled a new strategy to exert pressure on China and other countries that engage in corporate espionage against the U.S. as part of a new Obama administration push to counter cyberattacks and commercial spying.

The strategy, released Wednesday in a report that was the subject of a White House meeting, raised the prospect of stepped-up U.S. trade restrictions on products and services derived from stolen trade secrets. Officials also outlined a series of diplomatic actions to reinforce the administration's commitment to curbing such thefts.
 

The new push comes on the heels of fresh revelations of Chinese cyberspying and represents an effort by Washington to respond to growing complaints about theft of military and corporate secrets, with a number of the allegations focusing on China. (more)  

Trade restrictions and diplomatic actions are historically ineffective, not to mention unrealistic and counterproductive when trying to develop a global economy. These hand slaps are likely viewed as a cost of stealing doing business. Reward outweighs punishment. 

The missing element in intellectual property protection... 
Holding caretakers responsible. If your information would hurt the country if stolen, there should be a legal duty to protect that information. Add that element to trade restrictions and diplomatic actions, and you may just have a workable counterespionage strategy. Hey, it works for the other guys. (more)

P.S. "Promote Voluntary Best Practices by Private Industry to Protect Trade Secrets" (Section 2 of the report) is both vague and voluntary. It will never be adopted. Why? Two words... Risk Analysis. Think HIPAA or Sarbanes-Oxley would work if they were just voluntary best practices?

Don't get me started.
~Kevin

Skype Plebes Petition Redmond Patricians

A coalition of activists, privacy organizations, journalists, and others have called upon Microsoft to be more forthright about when, why, and to whom it discloses information about Skype users and their communications.

In an open letter published on Thursday, the group argues that Redmond's statements about the confidentiality of Skype conversations have been "persistently unclear and confusing," casting the security and privacy of the Skype platform in doubt...

The group claims that both Microsoft and Skype have refused to answer questions about what kinds of user data the service retains, whether it discloses such data to governments, and whether Skype conversations can be intercepted. (more)


"more forthright" 
"in doubt" 
Please.

The original Skype-in-the-wild was viewed as a high-security privacy tool. Guess who didn't like that. Guess why Skype was "bought" in from the wild and given adult supervision. (Think Spykpe.)

After-the-fact petitioning is painful to watch. If you want privacy, you need to start much earlier in the game. It begins with self-reliance.

Example: You don't see smart corporations sitting around waiting for 'the government' or some free software to protect their information. No, they take proactive measures like TSCM and IT security. They don't wait and whine later.

Yet Another Teleconference Eavesdrop (with recommendations)

Alaska’s largest statewide commercial fishing trade association announced (it will) request Alaska authorities to investigate what they say was unauthorized eavesdropping on their United Fishermen of Alaska private teleconference by the Kenai River Sportfishing Association's office.

According to UFA Interim President Bruce Wallace, on January 17, 2013 the United Fishermen of Alaska, representing 34 member organizations, held a private teleconference. 

In addition to 25 UFA Board members, UFA alleges an individual or individuals at the offices of the Kenai River Sportfishing Association (KRSA) were also on the line during the private teleconference.

This allegation was later confirmed by the teleconference vendor, who provided a phone log, which included a phone number registered to the Kenai River Sportfishing Association (KRSA) office. KRSA is not affiliated with UFA in any way. (more) (REAL Spy Fishing)


A reminder to our clients, and a free sample for potential clients...

Murray's Teleconferencing Checklist

Passcodes...
• Change all current passcodes, now.
• Prohibit employees from mass e-mailing or posting passcodes.

Switch to a conference call system with accountability features...
• each participant is given a unique passcode,
• the passcode is changed for each new conference call,
• only the pre-authorized number of callers may be admitted,
• and a record of all call participants is available to the call leader.
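The accountability features in the checklist above, modelled as a small conference-bridge admission control so the policy can be seen working end to end. This is an added example written for this post, not code from any conference vendor; the class name, the roster and the phone numbers are constructed for illustration. It also adds the audit step from the UFA story: comparing the vendor's phone log against the roster to surface numbers that should not have been on the line.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class ConferenceCall:
    """One call. roster maps participant name -> phone number expected to dial in.
    max_callers is the pre-authorized number of participants for this call."""
    roster: dict
    max_callers: int
    _codes: dict = field(default_factory=dict)    # unused passcode -> name
    admitted: list = field(default_factory=list)  # (name, caller_id) record
    rejected: list = field(default_factory=list)  # (reason, caller_id) record

    def issue_passcodes(self) -> dict:
        """Fresh, unique, single-use passcode per participant, for this call only."""
        self._codes = {}
        for name in self.roster:
            code = f"{secrets.randbelow(10**8):08d}"
            while code in self._codes:               # avoid a collision
                code = f"{secrets.randbelow(10**8):08d}"
            self._codes[code] = name
        return {name: code for code, name in self._codes.items()}

    def admit(self, passcode: str, caller_id: str) -> bool:
        """Admit only with a valid, not-yet-used passcode and free capacity."""
        if len(self.admitted) >= self.max_callers:
            self.rejected.append(("bridge at authorized capacity", caller_id))
            return False
        name = self._codes.pop(passcode, None)        # pop makes it single-use
        if name is None:
            self.rejected.append(("unknown or reused passcode", caller_id))
            return False
        self.admitted.append((name, caller_id))       # record for the call leader
        return True

    def unexpected_callers(self, vendor_phone_log: list) -> list:
        """Numbers in the vendor's call log that match no roster participant."""
        known = set(self.roster.values())
        return [n for n in vendor_phone_log if n not in known]


if __name__ == "__main__":
    # Constructed sample data, not real people or numbers.
    call = ConferenceCall({"Alice": "907-555-0101", "Bob": "907-555-0102"}, 2)
    codes = call.issue_passcodes()
    call.admit(codes["Alice"], "907-555-0101")
    call.admit(codes["Alice"], "907-555-0199")       # reuse is rejected
    print(call.admitted, call.rejected)
```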

Send Employees for Counterespionage Training? Brilliant!

Russia - Reviving the Soviet cult of vigilance in the digital age, the administration of Russia’s second biggest city launched a tender to teach its officials the basics of combating technological espionage.

A hand-picked cadre of 25 civilian bureaucrats in St. Petersburg will train in ways of “countering foreign technical intelligence services and technical data protection,” according to the tender’s description... The course would last for 108 hours and end in a test. The tender has a price tag of 727,000 rubles ($24,000)...
 
In December, the administration of St. Petersburg – headed by Governor Gennady Poltavchenko, also a former KGB officer – also contracted anti-espionage companies to look for covert listening devices in its offices, Fontanka.ru city news website reported. (more)

The ROI on this should be tremendous. 
Every organization should be so smart. 
~Kevin

Tuesday, February 19, 2013

United States Intelligence Community - Virtual Career Fair

The United States Intelligence Community (IC) invites you to attend the fourth annual IC Virtual Career Fair - a free online event - on Tuesday, February 26, 2013, from 2 p.m. to 8 p.m. (Eastern). 

Space is limited. To guarantee entrance, pre-registration is highly encouraged. Reserve your spot today!

Don't miss this opportunity to learn about IC careers and get tips on how to apply for positions.

The following agencies and components will be participating in the 2013 IC Virtual Career Fair:
Central Intelligence Agency (CIA)
Defense Intelligence Agency (DIA)
Federal Bureau of Investigation (FBI)
FBI Language Services Section (FBI LSS)
National Geospatial-Intelligence Agency (NGA)
National Security Agency (NSA)
National Virtual Translation Center (NVTC)

Weird Security News of the Week

Japanese police believe they have finally caught the man behind an extraordinary malware campaign that included taunting police in January by sending them clues on an SD card strapped to a cat.

According to TV station NHK, 30 year-old Yusuke Katayama was picked up after Tokyo police accessed CCTV pictures that showed the accused near the animal not long before the memory card was retrieved from its collar.
 

It later emerged that police had attempted to coerce confessions from four of the innocent suspects which led to a hugely embarrassing climbdown when they were shown to be uninvolved.

Disturbing messages were also received by a lawyer in Tokyo and a TV station threatening suicide, backed up by a picture of an anime doll inside a noose made from Ethernet cable. (more)


More strange security news...
Ex employee wiped financial data from bikini bar
Fugitive John McAfee taunts police as he evades capture
Burglar unintentionally films robber while using iPhone as flashlight