Thursday, March 6, 2014

County Jail Official Retires Amid Wiretap Charges

NJ - The deputy director of the Hudson County jail, who is facing federal charges he used a website to illegally wiretap fellow employees, has put in his retirement papers, officials said.

The retirement papers of Kirk Eady, 45, of East Brunswick, are dated retroactively to Feb. 1, Hudson County spokesman Jim Kennelly said.

Eady turned himself in to federal authorities on Feb. 15 after being charged with intentionally intercepting the wire, oral or electronic communications of others, according to a criminal complaint. (more)

Update - Rayney Phone Bugging Case

Australia - Former Perth barrister Lloyd Rayney will be making an application to put a permanent hold on charges of bugging his wife's phone, a court has heard. Rayney is accused of intercepting the calls of his wife Corryn in the lead up to her death in 2007. (more)

Previously reported in 2007...
She bootscoots. He taps. What could possibly go wrong? 
The Continuing Saga of the Rayney Wiretap 
Update - Rayney ‘phone’ man in key talks

Wednesday, March 5, 2014

Bogus Boris Netflix App

Android phones and tablets from four different manufacturers are arriving with malware “pre-installed” – a bogus version of Netflix which sends password and credit card information to Russia, according to app security specialist Marble Security.

David Jevans, CTO and founder of the company said that he was alerted to the problem by a company testing his product, software to help organizations manage mobile devices, after it repeatedly flagged Netflix as malicious, according to PC World’s report.

Jevans’ team analysed the app, and found that it was bogus, using tools including one that analyzed the app’s network traffic for signs of communication with known malicious servers. Jevans says, “This isn’t the real Netflix. You’ve got one that has been tampered with, and is sending passwords and credit card information to Russia.” (more)

A Black Eye for Blackphones

Australian law enforcement agencies are increasingly unable to monitor the communications of some of the country's most powerful criminals due to the rising prevalence of uncrackable encrypted phones. 

The phones are linked to a series of the underworld killings that rocked Sydney, several senior law enforcement officials told the ABC on condition of anonymity.

The phones are sold by dozens of companies worldwide and have legitimate uses.

But the law enforcement officials say thousands of the phones have been obtained by Australian criminals and they are using them to commit serious crimes, including murder. (more)
(video report)

Interesting article, but... one half of my brain is saying wouldn't the LE's want criminals to think these phones are secure? And, once the general public views encryption as a criminal tool, the politicians would be free to pass laws restricting communications encryption so then only the outlaws (and selected others) would use it... kind-of-like gun silencers.

Or, maybe I've been "Snowed-in" over the long winter and have become cynical.

Tuesday, March 4, 2014

Crypto Bug Leaves Linux, Hundreds of Apps Open to Eavesdropping

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates ... indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher. 


Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers. (more)

Chevron Wins Suit Fighting $9.5 Billion Ecuador Judgment - The Spy Pen Helped

Back in 2009, I posted this: Spy Pen May Kill $27 Billion Lawsuit. A little later: The Chevron Secret Recordings Case Continues. Chevron claimed that the Ecuadorian legal system was corrupt and they were not getting a fair hearing. 

They backed up their claim with covert videos showing the bribery and corruption. For a while they hosted the videos on their website, while saying they had nothing to do with the making of them.

The videos were made with nothing more than a cheap spy pen and video wristwatch bought from a SkyMall catalog. 

Now, a $9.5 Billion lawsuit is $0.00. If this doesn't prove the power of spy gadgets, nothing does. 

Got any cheap spy gadgets hanging around your offices? You don't know, do you? Call me.

Here is how the lawsuit ended today...
A federal judge ruled in favor of Chevron Corp. on Tuesday in a civil racketeering case, saying a record $9.5 billion environmental judgment in Ecuador against the oil giant was "obtained by corrupt means."

U.S. District Judge Lewis Kaplan found that New York lawyer Steven Donziger and his litigation team engaged in coercion, bribery, money laundering and other criminal conduct in pursuit of the 2011 verdict.
The decision barred Mr. Donziger and his two Ecuadorean co-defendants from profiting from the verdict.

The case in New York stems from a 2003 lawsuit filed by a group of Ecuadorean villagers from the Lago Agrio region over decades-old pollution from oil exploration in the Amazon rain forest by Texaco Inc., which Chevron acquired in 2001. The decision could hamper efforts to enforce the 2011 judgment by pursuing Chevron's assets in Canada and elsewhere. (more)

Monday, March 3, 2014

G-Men Chase Sprint'er Over Inflated Wiretap Billing

Sprint Corp. overcharged the Federal Bureau of Investigation, the Drug Enforcement Administration and other law-enforcement agencies by more than 50% to facilitate eavesdropping on phone calls, the U.S. Justice Department alleged in a lawsuit filed Monday.

The suit accuses Sprint of inflating the bills it submitted to federal law-enforcement agencies for wiretaps and other surveillance services to cover capital expenditures necessary to respond to the requests—something prohibited by federal law and Federal Communications Commission rules, according to the complaint filed in federal court in San Francisco.

Sprint covered up the fact that the extra charges were included in the bills paid by the FBI and others by disguising them as regular surveillance costs, the suit alleges. As a result, the federal government overpaid Sprint by $21 million over a period of three and a half years.
Sprint said it didn't break the law and will fight the charges. (more)

Florida Cops’ Secret Weapon: Warrantless Cell Phone Tracking

Police in Florida have offered a startling excuse for having used a controversial “stingray” cell phone tracking gadget 200 times without ever telling a judge: the device’s manufacturer made them sign a non-disclosure agreement that they say prevented them from telling the courts. (more)

Sunday, March 2, 2014

Business Espionage: Rival CEO Posed as Exec to Get Secrets

The CEO of a sporting goods chain who once appeared on the TV show "Undercover Boss" pretended to be an executive from a rival company in an effort to get confidential information, according to a lawsuit.

Artist's conception. Not a real executive spying.
Dick's Sporting Goods claims in a lawsuit filed Feb. 20 in Mercer County Court that Mitchell Modell, CEO of Modell's Sporting Goods, showed up at a Dick's store in Princeton in February saying he was a Dick's senior vice president.

Dick's alleges Modell told employees he was to meet the Dick's CEO there and persuaded workers to show him the backroom of the store and to answer questions about the business. Modell gathered information about online sales, including a "ship from store" program that gets products to customers' doors quickly, the lawsuit said. (more)


Security Director Alert: Like electronic eavesdropping, business espionage via social engineering is one of the more common spy tricks. In addition to TSCM, make employee awareness about social engineering part of your counterespionage strategy. This story makes an excellent talking point.

If Your are Calling the FBI or Secret Service, ...

...don't get the phone number from a Google Maps listing.

Don't trust Google Maps, warns former map-jacker after he was ironically called a 'hero' by the feds he wiretapped.

The incident in question involves an individual posting their own phone number as a Secret Service field office phone number on Google Maps. When unsuspecting citizens utilize this incorrect third party phone number to contact the Secret Service the call is directed through the third party system and recorded. This is not a vulnerability or compromise of our phone system. Virtually any phone number that appears on a crowdsourcing platform could be manipulated in this way.

The Secret Service encourages the general public to visit their website at www.secretservice.gov to obtain accurate contact information for our field offices. (more) (video)

Anonymous Instant Messaging - Coming Soon

The Tor Foundation is moving forward with a plan to provide its own instant messaging service. Called the Tor Instant Messaging Bundle, the tool will allow people to communicate in real time while preserving anonymity by using chat servers concealed within Tor’s hidden network.

In planning since last July—as news of the National Security Agency’s broad surveillance of instant messaging traffic emerged—the Tor Instant Messaging Bundle (TIMB) should be available in experimental builds by the end of March, based on a roadmap published in conjunction with the Tor Project’s Winter Dev meeting in Iceland.

TIMB will connect to instant messaging servers configured as Tor “hidden services” as well as to commercial IM services on the open Internet. (more)

How the Avaya Phone on Your Desk Can Be Turned Into A Bug

Security researchers have designed a stealthy eavesdropping attack that sounds like it's straight out of a James Bond movie. It starts with a booby-trapped document that compromises an unpatched laser printer, which in turn converts a popular Internet phone into a covert bugging device.

The proof-of-concept attack exploits currently unpatched vulnerabilities in the Avaya one-X 9608, a popular model of phone that uses the Internet rather than a standard phone line to make and receive calls. Researcher Ang Cui, a Ph.D. candidate at Columbia University and chief scientist at Red Balloon Security, declined to provide many details on the vulnerabilities until users have had time to install a patch that Avaya is expected to release soon. He did say the weaknesses allow devices on the same local network to remotely execute code that causes the device to surreptitiously record all sounds within earshot and transmit them to a server controlled by attackers. He demonstrated a similar bugging vulnerability last year in competing Internet phones designed by Cisco Systems, which has since patched the underlying bugs...

The compromise begins with a booby-trapped document that when printed executes malicious code on certain models of HP LaserJet printers that have not been patched against a critical vulnerability. Once compromised, the printers connect to attack servers, creating a means for outside hackers to bypass corporate firewalls. The attackers then use the printers as a proxy to enumerate and connect to other devices in the corporate network.

Once an Avaya 9608 phone is discovered, the attackers can inject code into it that infects its firmware. The compromise, which survives reboots, activates the phone's microphone without turning on any lights or otherwise giving any indication that anything is amiss. The infected phones can be set up to record conversations only after attacker-chosen keywords are detected. Recorded conversations can be sent through a corporate network onto the open Internet, but the malware also has a secondary method for exfiltration that bypasses any devices that block suspicious network traffic. In the event that such devices are detected, the malware can turn a phone's circuit board into a radio transmitter that sends the recorded conversations to a receiver that's anywhere from several inches to 50 feet away, depending on environmental variables.
 

The larger point is that bugs in electronics firmware are notoriously easy to exploit, as a small sample of recent stories shows. Even if a target isn't using the phones or printers featured in the demonstration, chances are good that the target is using some constellation of devices that are susceptible to remote hijacking. And besides, many organizations fail to apply firmware updates, so even if a patch has been released, there's a good chance that it will never get installed on many vulnerable devices. (more)

Security Director Alert: Make sure software patching is a priority on the IT department's list. Start with this list for HP printers.

Saturday, March 1, 2014

"Black" Smartphones Come of Age

The launch of not one, but two, "Black phones" 
this past week may lead people to think that secure cell phones are a hot new item. 

Hot, yes. New, no. Many other secure smartphones, not to mention a plethora of apps, have existed for years. Mostly, these phones have been sold to governments and have commanded high prices. Now, as the demand heats up, prices are dropping. 

Want a government-level secure, encrypted smartphone at a reduced price? (You know you do. Even if only to attract attention.) 

Cryptophone™ today announced. "...special prices on the first two phones of any order placed this week." (more)

Friday, February 28, 2014

Eavesdropping News of the Day

IL - Warren Township High School board member Liz Biondi claimed at a meeting this week that "someone in the district" has wiretapped her telephone. Biondi made the accusation while bantering with John Anderson, board president at Gurnee-based Warren District 121. She did not respond to emailed questions Thursday on why Warren officials would eavesdrop on her or whether she has evidence supporting the wiretap claim. (more)
 

Alert - Unless you want a public sex tape, you should probably stop using any kind of digital machine to record your intimate acts. The latest leak from Edward Snowden shows how the NSA and the British equivalent Government Communications Headquarters collaborated to intercept webcam images from innocent Internet users. (more)
 

Turkey - Prime Minister Recep Tayyip ErdoÄŸan has hit back against unprecedented accusations of corruption after the leak of incriminating phone conversations, accusing both prosecutors and police of spying for another country. (more)

Scotland - Michelle Mone's bra firm ordered to pay former director £16k after bugging pot plant in his office. (more)

Thursday, February 27, 2014

Boeing to Launch its Own Black Phone

The world's biggest aerospace company is jumping into the business of making high-security smartphones.

Boeing Co. filed plans this week with the Federal Communications Commission for a smartphone dubbed Boeing Black, which is designed for defense and security customers and won't be available to average consumers. The phone is based on a modified version of Google Inc.'s Android operating system...

Boeing is being stealthy about the project. Without publicly announcing the product, the company posted a description on its website. It said the modular construction of the phone's 5.2-inch-tall body would allow users to attach devices that add such features as advanced location tracking, solar charging, satellite transceivers and biometric sensors.

In Monday's FCC filing, Boeing detailed plans to keep the phone's technology secret, saying it will be sold "in a manner such that low-level technical and operational information about the product will not be provided to the general public."

The filing documents also said the phone, which is about 50% heavier than Apple Inc.'s iPhone 5s and twice as thick, is designed to effectively self-destruct if tampered with: "Any attempt to break open the casing of the device would trigger functions that would delete the data and software contained within the device and make the device inoperable." (more)