Wednesday, August 14, 2013

Spy Malware Buried on Official Tibetan Website

Chinese-speaking individuals visiting the website for the Central Tibetan Administration are being targeted with a Java exploit that installs advanced malware on their machines.

According to researchers at security firm Kaspersky Lab, the official site for the Tibetan government-in-exile, led by the Dalai Lama, was seeded with a backdoor that takes advantage of a vulnerability in Java, CVE-2012-4681, which was fixed by Oracle roughly a year ago.

The incident bears the signature of a watering hole attack, in which espionage malware is planted on a legitimate site, and then the attackers wait for their desired victims to visit and take the bait. (more)

Clap On - Clap Off... Some Applaud

Clapper won't lead NSA review, White House says...

Intelligence Director James Clapper will not lead a National Security Agency review President Obama vowed would be autonomous, a spokeswoman said.

An Obama memorandum Monday directing Clapper, the nation's top intelligence figure, to "establish" the review group and report its findings to the president did not mean Clapper would head the panel or be involved with the panel members' selection, White House National Security Council spokeswoman Caitlin Hayden said Tuesday.

"The panel members are being selected by the White House, in consultation with the intelligence community," she said in a statement. (more)

Britain’s Fraud Agency Admits to Loss of Data and Audio Tapes

The Serious Fraud Office has admitted accidentally sending a huge cache of confidential documents from an investigation into Britain's biggest arms firm, BAE, to the wrong person.
It did not realise for up to a year that it had misplaced the material which comprised 32,000 pages of documents, 81 audio tapes and computer files.

The material had originally been given to the SFO by 59 sources that helped the agency during one of its most high-profile investigations.

The SFO is not identifying at the moment the individual who inadvertently received the documents, nor did it spell out what they contained. (more)


If someone dumped 32,000 pages of documents, 81 audio tapes and computer files on you - "by accident" - wouldn't you immediately call the sender and say, "What do I look like, a freakin' warehouse?!?!"

Time to call in the Monty Python Very Very Serious Fraud Office to investigate.
Not a joke.

Friday, August 9, 2013

Silent Circle Silenced

...as predicted here and here and here...
Two major secure e-mail service providers on Thursday took the extraordinary step of shutting down service.

A Texas-based company called Lavabit, which was reportedly used by Edward J. Snowden, announced its suspension Thursday afternoon, citing concerns about secret government court orders.

By evening, Silent Circle, a Maryland-based firm that counts heads of state among its customers, said it was following Lavabit’s lead and shutting its e-mail service as a protective measure.

Taken together, the closures signal that e-mails, even if they are encrypted, can be accessed by government authorities and that the only way to prevent turning over the data is to obliterate the servers that the data sits on.

Mike Janke, Silent Circle’s chief executive, said in a telephone interview late Thursday that his company had destroyed its server. “Gone. Can’t get it back. Nobody can,” he said. “We thought it was better to take flak from customers than be forced to turn it over.”

The company, in a blog post dated Friday, Aug. 9, said it had taken the extreme measure even though it had not received a search order from the government. (more)

Thursday, August 8, 2013

Espionage Battlebots - China v. USA - Guess Who Wins

...by Brian Dodson, gizmag.com...
 For the past 23 years, the IARC has challenged college teams with missions requiring complex autonomous robotic behaviors that are often beyond the capabilities of even the most sophisticated military robots. This year's competition, which was held in China and the United States over the past week, saw the team from Tsinghua University in Beijing successfully complete the current mission – an elaborate espionage operation known as Mission Six.

First proposed in 2010, the Mission Six scenario is that an enemy has plans for taking control of the Eurasian banking system, a move that could throw the entire world into chaos. This plan is contained in a USB flash drive located in a remote security office of the enemy's intelligence organization.

The target building has a broken window on the same floor as the security office...and is equipped with laser intrusion detectors, floor sensors, video surveillance, and periodic patrols. Mission Six calls for covertly capturing the flash drive, and replacing it with another of the same make to postpone discovery of the theft... The mission must be carried out within ten minutes to avoid security patrols.

The vehicles are required to be completely autonomous, with no external commands accepted during the mission. The vehicles can be of any type (as long as they fly)...



(Play Mission Impossible theme while watching.)

All vehicles must contain their own power supplies. The vehicle is required to sense its immediate surroundings, and decide on its own actions, but need not contain its control computer – it can instead be linked to an external computer by radio. While external navigation aids are allowed, GPS locating is not.

...the Michigan Autonomous Aerial Vehicles team, associated with the University of Michigan, had been touted as the most likely entry at the American venue to succeed with Mission Six. Unfortunately, they encountered a perfect storm of equipment malfunctions, and were unable to complete the mission. (more)

FutureWatch - Just as piloted fighter planes are being replaced by unmanned drones, spies keep themselves out of harm's way using technology too. Bugs, wiretaps, spyware, and now robots will also be doing the dirty work in the future. Imagine, armies of robo-roaches scanning all the paperwork left out overnight, and perhaps planting themselves as audio / visual bugs.

Today in Eavesdropping History

On Aug. 8, 1974, President Richard Nixon announced he would resign following damaging revelations in the Watergate scandal. (more)
 
He submitted his official resignation the following day...

Wednesday, August 7, 2013

How to Protect Your Company Against Corporate Espionage

An abridged overview by Jim Lindell, President, Thorsten Consulting Group Inc.... 
First, the company must establish values and principles that define appropriate behavior regarding confidential information such as personnel, technologies, customers and suppliers. Once values and policies have been established, management must support, review and enforce them.

Second, make sure the hiring process emphasizes how employees must handle confidential information. Determine the candidate's ability to maintain confidentiality. How? By asking tough questions during the interview and doing thorough background checks.  

After the employee is hired, continue training and explaining your policies and procedures regarding confidential information. The role of the CEO and senior management can't be overstated.  

The CEO, on a regular basis, should highlight unacceptable public behavior and emphasize that it won't be tolerated. The Snowden/Manning incidents provide excellent examples that illustrate confidentiality expectations for all employees. At a minimum, these messages must come from the CEO at least once a year.

The best policies and procedures
To be effective, policies and procedures must:
• Reinforce acceptable behavior.
• Create a monitoring process to detect breaches in confidential information. (An integral part of a TSCM bug sweep.)
• Create an audit process to determine whether existing rules are being followed. (An integral part of a TSCM bug sweep.)
 
You must assess the nature of confidential information that is maintained and the potential for abuse. Both Snowden and Manning required technological tools and technological skills. You must understand the devices your employees are using, and how they can use them to access confidential information...
 

In addition to electronic access to your systems, you also must be aware of people who have physical access. The ability to take pictures of processes, documents and employees has changed dramatically. You must restrict access to your plant and offices.  

Finally, it's important to establish policies and procedures that address disposal of equipment like computers, tablets, hard disk drives and flash drives. Since we can't see the digital information, it's easy to discard hardware and not realize what we're actually tossing out.  

All businesses are at risk. Some are just more prepared than others. (more)

Tuesday, August 6, 2013

Solar-Powered Smartphones (and more) Coming Soon

Smartphones should soon be able to charge themselves using transparent Wysips Crystal photovoltaic panels bonded into their screens. And if the idea takes off, tablets and eventually whole buildings could follow... (more) (more including photovoltaic clothing)

Imagine... 
The bug hidden in the picture frame would never have to have its battery replaced.

Think Changing Your SIM Card Can Mask Who You Are? Think Again

Tech-savvy criminals try to evade being tracked by changing their cellphone's built-in ID code and by regularly dumping SIM cards. But engineers in Germany have discovered that the radio signal from every cellphone handset hides within it an unalterable digital fingerprint — potentially giving law enforcers a simple way of tracking the handset itself.

Developed by Jakob Hasse and colleagues at the Technical Univ. of Dresden, the tracking method exploits the tiny variations in the quality of the various electronic components inside a phone.

When analogue signals are converted into digital phone ones, the stream of data each phone broadcasts to the local mast contains error patterns that are unique to that phone's peculiar mix of components. In tests on 13 handsets in their lab, the Dresden team were able to identify the source handset with an accuracy of 97.6 percent. (more)

Windows Phones Susceptible to Password Theft When Connecting to Rogue Wi-Fi

Smartphones running Microsoft's Windows Phone operating system are vulnerable to attacks that can extract the user credentials needed to log in to sensitive corporate networks, the company warned Monday...

"An attacker-controlled system could pose as a known Wi-Fi access point, causing the victim's device to automatically attempt to authenticate with the access point and in turn allowing the attacker to intercept the victim's encrypted domain credentials," the Microsoft advisory warned. "An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials." (more)

Turn on certificate requirement before connecting to WPA2 networks. Now.

CreepyDOL - The sinister Espionage System for $57

Brendan O’Connor is a security researcher. How easy would it be, he recently wondered, to monitor the movement of everyone on the street – not by a government intelligence agency, but by a private citizen with a few hundred dollars to spare?

Mr. O’Connor, 27, bought some plastic boxes and stuffed them with a $25, credit-card size Raspberry Pi Model A computer and a few over-the-counter sensors, including Wi-Fi adapters. He connected each of those boxes to a command and control system, and he built a data visualization system to monitor what the sensors picked up: all the wireless traffic emitted by every nearby wireless device, including smartphones.


Each box cost $57. He produced 10 of them, and then he turned them on – to spy on himself. He could pick up the Web sites he browsed when he connected to a public Wi-Fi – say at a cafe – and he scooped up the unique identifier connected to his phone and iPad. Gobs of information traveled over the Internet in the clear, meaning they were entirely unencrypted and simple to scoop up.

Even when he didn’t connect to a Wi-Fi network, his sensors could track his location through Wi-Fi “pings.” His iPhone pinged the iMessage server to check for new messages. When he logged on to an unsecured Wi-Fi, it revealed what operating system he was using on what kind of device, and whether he was using Dropbox or went on a dating site or browsed for shoes on an e-commerce site. One site might leak his e-mail address, another his photo.

“It could be used for anything depending on how creepy you want to be,” he said.

You could spy on your ex-lover, by placing the sensor boxes near the places the person frequents, or your teenage child, or the residents of a particular neighborhood. You could keep tabs on people who gather at a certain house of worship or take part in a protest demonstration in a town square. Their phones and tablets, Mr. O’Connor argued, would surely leak some information about them – and certainly if they then connected to an unsecured Wi-Fi. The boxes are small enough to be tucked under a cafe table or dropped from a hobby drone. They can be scattered around a city and go unnoticed. (more) (Want your own CreepyDOL?)


Yet another thing a TSCM survey could uncover for you.

Thursday, August 1, 2013

Mystery Car Thefts - Solved

Remember this post from June?
---
The news media is overflowing with reports of "High Tech" car burglars. They appear to be opening locked cars while holding a "black box" which "has police all over the nation stumped as to how it works."

Here, at the Spybusters Countermeasures Compound, we believe the black box is nothing more than a radio signal jammer. 
---

The spybusters tracked down the tool they probably used to pull off the heists...
You can read all about it here.

Corporate Sleuths on Edge after China Detains Foreign Consultants

The detention by Chinese authorities of a British corporate investigator and his American wife in the wake of a corruption probe into pharmaceutical giant GlaxoSmithKline has had a chilling effect on other risk consultants working in China.

It's unclear why Peter Humphrey and Yu Yingzeng, whose firm ChinaWhys has done work for GSK and other drug makers, were detained. But corporate investigators said they were concerned about the repercussions for the industry.

Multinationals, banks and investors rely on corporate investigators for information about potential partners and investments in China, where a lack of transparency is a hurdle to doing business. Restrictions in the flow of such background information could potentially leave foreign investors exposed to greater risk in the world's second-largest economy. (more)

Men's Room Leaks Prompt Eavesdropping Fears

Canada - Men are forced to use the women’s washroom at Peterborough city hall when council is in closed door meetings. The reason? Fear of people eavesdropping.

Peterborough city council thinks there is more than one kind of leak happening in the men’s bathroom.
 

City officials are closing down the washroom — which shares a wall with council chambers — for fear that people could eavesdrop on proceedings.
 

That means men needing the washroom during any closed-door meeting are being asked to use the ladies’ room instead — and a security guard is positioned in the hallway to make sure of that.

City clerk John Kennedy defended the decision to close down the washroom, saying it happens whenever there is a confidential meeting. (more)

Warrantless Cellphone Tracking Is Upheld

In a significant victory for law enforcement, a federal appeals court on Tuesday said that government authorities could extract historical location data directly from telecommunications carriers without a search warrant. 

The ruling is the first that squarely addresses the constitutionality of warrantless searches of the historical location data stored by cellphone service providers. (more)