Monday, March 3, 2014

Florida Cops’ Secret Weapon: Warrantless Cell Phone Tracking

Police in Florida have offered a startling excuse for having used a controversial “stingray” cell phone tracking gadget 200 times without ever telling a judge: the device’s manufacturer made them sign a non-disclosure agreement that they say prevented them from telling the courts. (more)

Sunday, March 2, 2014

Business Espionage: Rival CEO Posed as Exec to Get Secrets

The CEO of a sporting goods chain who once appeared on the TV show "Undercover Boss" pretended to be an executive from a rival company in an effort to get confidential information, according to a lawsuit.

Artist's conception. Not a real executive spying.
Dick's Sporting Goods claims in a lawsuit filed Feb. 20 in Mercer County Court that Mitchell Modell, CEO of Modell's Sporting Goods, showed up at a Dick's store in Princeton in February saying he was a Dick's senior vice president.

Dick's alleges Modell told employees he was to meet the Dick's CEO there and persuaded workers to show him the backroom of the store and to answer questions about the business. Modell gathered information about online sales, including a "ship from store" program that gets products to customers' doors quickly, the lawsuit said. (more)


Security Director Alert: Like electronic eavesdropping, business espionage via social engineering is one of the more common spy tricks. In addition to TSCM, make employee awareness about social engineering part of your counterespionage strategy. This story makes an excellent talking point.

If Your are Calling the FBI or Secret Service, ...

...don't get the phone number from a Google Maps listing.

Don't trust Google Maps, warns former map-jacker after he was ironically called a 'hero' by the feds he wiretapped.

The incident in question involves an individual posting their own phone number as a Secret Service field office phone number on Google Maps. When unsuspecting citizens utilize this incorrect third party phone number to contact the Secret Service the call is directed through the third party system and recorded. This is not a vulnerability or compromise of our phone system. Virtually any phone number that appears on a crowdsourcing platform could be manipulated in this way.

The Secret Service encourages the general public to visit their website at www.secretservice.gov to obtain accurate contact information for our field offices. (more) (video)

Anonymous Instant Messaging - Coming Soon

The Tor Foundation is moving forward with a plan to provide its own instant messaging service. Called the Tor Instant Messaging Bundle, the tool will allow people to communicate in real time while preserving anonymity by using chat servers concealed within Tor’s hidden network.

In planning since last July—as news of the National Security Agency’s broad surveillance of instant messaging traffic emerged—the Tor Instant Messaging Bundle (TIMB) should be available in experimental builds by the end of March, based on a roadmap published in conjunction with the Tor Project’s Winter Dev meeting in Iceland.

TIMB will connect to instant messaging servers configured as Tor “hidden services” as well as to commercial IM services on the open Internet. (more)

How the Avaya Phone on Your Desk Can Be Turned Into A Bug

Security researchers have designed a stealthy eavesdropping attack that sounds like it's straight out of a James Bond movie. It starts with a booby-trapped document that compromises an unpatched laser printer, which in turn converts a popular Internet phone into a covert bugging device.

The proof-of-concept attack exploits currently unpatched vulnerabilities in the Avaya one-X 9608, a popular model of phone that uses the Internet rather than a standard phone line to make and receive calls. Researcher Ang Cui, a Ph.D. candidate at Columbia University and chief scientist at Red Balloon Security, declined to provide many details on the vulnerabilities until users have had time to install a patch that Avaya is expected to release soon. He did say the weaknesses allow devices on the same local network to remotely execute code that causes the device to surreptitiously record all sounds within earshot and transmit them to a server controlled by attackers. He demonstrated a similar bugging vulnerability last year in competing Internet phones designed by Cisco Systems, which has since patched the underlying bugs...

The compromise begins with a booby-trapped document that when printed executes malicious code on certain models of HP LaserJet printers that have not been patched against a critical vulnerability. Once compromised, the printers connect to attack servers, creating a means for outside hackers to bypass corporate firewalls. The attackers then use the printers as a proxy to enumerate and connect to other devices in the corporate network.

Once an Avaya 9608 phone is discovered, the attackers can inject code into it that infects its firmware. The compromise, which survives reboots, activates the phone's microphone without turning on any lights or otherwise giving any indication that anything is amiss. The infected phones can be set up to record conversations only after attacker-chosen keywords are detected. Recorded conversations can be sent through a corporate network onto the open Internet, but the malware also has a secondary method for exfiltration that bypasses any devices that block suspicious network traffic. In the event that such devices are detected, the malware can turn a phone's circuit board into a radio transmitter that sends the recorded conversations to a receiver that's anywhere from several inches to 50 feet away, depending on environmental variables.
 

The larger point is that bugs in electronics firmware are notoriously easy to exploit, as a small sample of recent stories shows. Even if a target isn't using the phones or printers featured in the demonstration, chances are good that the target is using some constellation of devices that are susceptible to remote hijacking. And besides, many organizations fail to apply firmware updates, so even if a patch has been released, there's a good chance that it will never get installed on many vulnerable devices. (more)

Security Director Alert: Make sure software patching is a priority on the IT department's list. Start with this list for HP printers.

Saturday, March 1, 2014

"Black" Smartphones Come of Age

The launch of not one, but two, "Black phones" 
this past week may lead people to think that secure cell phones are a hot new item. 

Hot, yes. New, no. Many other secure smartphones, not to mention a plethora of apps, have existed for years. Mostly, these phones have been sold to governments and have commanded high prices. Now, as the demand heats up, prices are dropping. 

Want a government-level secure, encrypted smartphone at a reduced price? (You know you do. Even if only to attract attention.) 

Cryptophone™ today announced. "...special prices on the first two phones of any order placed this week." (more)

Friday, February 28, 2014

Eavesdropping News of the Day

IL - Warren Township High School board member Liz Biondi claimed at a meeting this week that "someone in the district" has wiretapped her telephone. Biondi made the accusation while bantering with John Anderson, board president at Gurnee-based Warren District 121. She did not respond to emailed questions Thursday on why Warren officials would eavesdrop on her or whether she has evidence supporting the wiretap claim. (more)
 

Alert - Unless you want a public sex tape, you should probably stop using any kind of digital machine to record your intimate acts. The latest leak from Edward Snowden shows how the NSA and the British equivalent Government Communications Headquarters collaborated to intercept webcam images from innocent Internet users. (more)
 

Turkey - Prime Minister Recep Tayyip ErdoÄŸan has hit back against unprecedented accusations of corruption after the leak of incriminating phone conversations, accusing both prosecutors and police of spying for another country. (more)

Scotland - Michelle Mone's bra firm ordered to pay former director £16k after bugging pot plant in his office. (more)

Thursday, February 27, 2014

Boeing to Launch its Own Black Phone

The world's biggest aerospace company is jumping into the business of making high-security smartphones.

Boeing Co. filed plans this week with the Federal Communications Commission for a smartphone dubbed Boeing Black, which is designed for defense and security customers and won't be available to average consumers. The phone is based on a modified version of Google Inc.'s Android operating system...

Boeing is being stealthy about the project. Without publicly announcing the product, the company posted a description on its website. It said the modular construction of the phone's 5.2-inch-tall body would allow users to attach devices that add such features as advanced location tracking, solar charging, satellite transceivers and biometric sensors.

In Monday's FCC filing, Boeing detailed plans to keep the phone's technology secret, saying it will be sold "in a manner such that low-level technical and operational information about the product will not be provided to the general public."

The filing documents also said the phone, which is about 50% heavier than Apple Inc.'s iPhone 5s and twice as thick, is designed to effectively self-destruct if tampered with: "Any attempt to break open the casing of the device would trigger functions that would delete the data and software contained within the device and make the device inoperable." (more)

Wednesday, February 26, 2014

New Tiny Ultrasound Camera Sees What's in Your Heart ...really

Developed by a team at the Georgia Institute of Technology, the device consists of a 1.5-mm-wide disc-shaped head, from which trails 13 tiny joined cables. The idea is that it will be inserted into a patient's coronary blood vessels or heart, snaking its way through while being pushed or pulled from outside the body via an integrated 430-micron-wide guide wire, all the while using the cables to transmit ultrasound imagery.


Its head is built around a single silicon chip, which is equipped with a dual-ring array of 56 ultrasound transmit elements and 48 receive elements. Much of the processing of the ultrasound data is performed onboard the chip itself, meaning that less information has to carried outside the body – this is why it requires no more than 13 cables, allowing its consolidated "umbilical cord" to stay skinny and flexible enough to easily move through blood vessels. (more)

Off-Hook Telecoms Call for Attorneys' Fees - Disconnected

AT&T, Verizon and other telecoms cannot recover attorneys' fees after ducking claims that they overcharged for electronic surveillance, a federal judge ruled.

Former New York Deputy Attorney General John Prather had filed the lawsuit on behalf of the U.S. government, claiming that AT&T, Verizon, Qwest Communications International and Sprint Nextel overcharged federal, state and city governments for services under the Communications Assistance to Law Enforcement Agencies Act (CALEA), which requires the companies to provide the government with electronic surveillance of their customers in exchange for reasonable expenses.


Prather claimed to have "observed eavesdropping charges increase tenfold after CALEA despite changes in technology that should have made it easier for Telecoms to provide wiretaps, and believed that the Telecoms were overcharging for wiretaps." (more)

Tuesday, February 25, 2014

Wiretapping Case Costs South Bend, IN almost $1 Million... so far

Summary: Former police communications director KarenDePaepe was fired in 2012 in the wake of an investigation into whether she and Chief Boykins violated the federal Wiretap Act by recording certain telephone conversations between Metro Homicide Commander Tim Corbett, officers Steve Richmond, David Wells and Brian Young and Young’s wife Sandy Young.
Timeline of the case.
TV report.

Brazil, Europe Plan Undersea Cable to Skirt Spying

Brazil and the European Union agreed on Monday to lay an undersea communications cable from Lisbon to Fortaleza to reduce Brazil’s reliance on the United States after Washington spied on Brasilia.

At a summit in Brussels, Brazilian President Dilma Rousseff said the $185 million cable project was central to “guarantee the neutrality” of the Internet, signaling her desire to shield Brazil’s Internet traffic from U.S. surveillance. (more)


Shhhh... Apparently, they missed reading this, this 1918 experiment and this modern day story. Not to mention... Operation Ivy Bells, Operation Tempora and Glimmerglass.

Computer Allegedly Bugged by Ethiopians

A Maryland man is suing the Ethiopian government after it was discovered that it infected his computer with spyware, wiretapped his calls made via Skype, and monitored his family’s computers for months.

"We have clear evidence of a foreign government secretly infiltrating an American's computer in America, listening to his calls, and obtaining access to a wide swath of his private life," said Electronic Frontier Foundation staff attorney Nate Cardozo. 


"The current Ethiopian government has a well-documented history of human rights violations against anyone it sees as political opponents. (more)

Turkish Watergate - Surprise - The Guard Gets Blamed for Bugging the Place

Turkey - A police officer only known as S.D., allegedly responsible for placing a bugging device in Prime Minister Recep Tayyip ErdoÄŸan's study inside his Ankara residence, has reportedly been working as a bodyguard for Saudi Arabian businessman Yasin al-Qadi, the Taraf daily claimed on Tuesday.

“It has come out that S.D., who has been accused in connection with the bugging device discovered in Prime Minister ErdoÄŸan's Ankara house, was assigned to protect Yasin al-Qadi,” Emre Uslu wrote in his Taraf column, which was also the daily's headline story.

Four covert listening devices, as ErdoÄŸan explained in December 2012, had been discovered in the office of his Subayevleri home in Ankara, without detailing exactly when the devices had been found, adding that an investigation was being launched. (more)

Netflix New Drone Delivery Service

Another nail in the Post Office's Coffin...
 
Sorry, this just couldn't wait until April 1st.