Sunday, October 19, 2014

Chinese Phone Turns Smart Spy

China-based leading smartphone manufacturer Xiaomi, which recently marked a successful entry into the Indian market, is allegedly a security threat. It has been accused by the Indian Air Force (IAF) of sending user data to remote servers located in China -- a charge that amounts to spying...

Xiaomi MI Hongmi 1280x720 MIUI V5
Field Reports

• F-secure, a leading security solution company, recently carried out a test of Xiaomi Redmi 1s, the company’s budget smartphone, and found that the phone was forwarding carrier name, phone number, IMEI (the device identifier) and numbers from address book and text messages back to Beijing.

• A Hong Kong-based mobile phone user claims to have tested the Redmi Note smartphone and found it was automatically connected to an IP address hosted in China. The data transmitted included photo in media storage and text messages also.

According to the PhoneArena report, looking up the website of the company owning the IP address in the range 42.62.48.0-42.62.48.255 reveals that the website owner is www.cnnic.cn. CNNIC is the administrative agency responsible for Internet affairs under the Ministry of Information Industry of People’s Republic of China. It is based in the Zhongguancun hi-tech district of Beijing.

Therefore, the IAF in its alert to all of its Commands has stated that air warriors and their family members are advised to refrain from using these devices. (more)

Saturday, October 18, 2014

Privacy Rights Fact Sheets


Privacy Fact Sheets

1. Privacy Survival Guide: Take Control of Your Personal Information
2. Wireless Communications: Voice and Data Privacy
2a. Hang Up on Harassment: Dealing with Cellular Phone Abuse
2b. Privacy in the Age of the Smartphone
3. How to Put an End to Unwanted or Harassing Phone Calls
4. Junk Mail: How Did They All Get My Address?
4a. "Shine the Light" on Marketers: Find Out How They Know Your Name
4b. Junk Mail FAQ
5. Telemarketing: How to Have a Quiet Evening at Home
5a. Junk Faxes: No Relief in Sight
5b. Frequently Asked Questions about Telemarketing
6. Credit Reporting Basics: How Private Is My Credit Report?
6a. Facts on FACTA, the Fair and Accurate Credit Transactions Act
6b. "Other" Consumer Reports: What You Should Know about "Specialty" Reports
6c. Your Credit Score: How It All Adds Up
7. Workplace Privacy and Employee Monitoring
8. Introduction to Health and Medical Information Privacy
8a. Health Privacy: HIPAA Basics
8b. The HIPAA Privacy Rule: How May Covered Entities Use and Disclose Health Information
8c. The HIPAA Privacy Rule: Patients' Rights
8d. Protecting Health Information: the HIPAA Security and Breach Notification Rules
8e. Health Privacy outside the Healthcare Environment: Health Records on the Job, Available to the Government, and in Credit Reports
9. Wiretapping and Eavesdropping on Telephone Calls
10. My Social Security Number - How Secure Is It?
10a. Social Security Numbers FAQ
11. From Cradle to Grave: Government Records and Your Privacy
12. Checklist of Responsible Information-Handling Practices
12a. Personal Data Retention and Destruction Plan
14. Are You Being Stalked?
14a. Security Recommendations For Stalking Victims
15. What Personal Information Should You Give to Merchants?
16. Employment Background Checks: A Jobseeker's Guide
16a. Employment Background Checks in California: A Focus on Accuracy
16b. Small Business Owner Background Check Guide
16c. FAQ on Employment Background Checks
16d. Volunteer Background Checks: Giving Back Without Giving Up on Privacy
17. Coping with Identity Theft: Reducing the Risk of Fraud
17a. Identity Theft: What to Do if It Happens to You
17b. How to Deal with a Security Breach
17d. Frequently Asked Questions about Identity Theft
17g. Criminal Identity Theft: What to Do if It Happens to You
18. Online Privacy: Using the Internet Safely
18a. Online Privacy FAQ
19. Caller ID and My Privacy
20. Anti-Spam Resources
21. Children’s Online Privacy: A Resource Guide for Parents
21a. Children's Safety on the Internet
22. Electricity and Your Privacy: Deregulation in California
23. Online Shopping Tips: E-Commerce and You
24. Protecting Financial Privacy: The Burden Is on You
24a. Financial Privacy: How to Read Your "Opt-Out" Notices
24d. Financial Privacy FAQ
24e. Is Your Financial Information Safe?
25. Privacy Tips for Online Job Seekers
25a. Avoiding Online Job Scams
26. CLUE and You: How Insurers Size You Up
27. Debt Collection Practices: When Hardball Tactics Go Too Far
27a. Frequently Asked Questions about Debt Collection
28. Online Privacy for Nonprofits
29. Privacy in Education: Guide for Parents and Adult-Age Students
30. Check 21: Paperless Banking
31. Customer Identification Programs for Financial Transactions
32. Paper or Plastic: What Have You Got to Lose?
33. Identity Theft Monitoring Services
34. Protecting Your Telephone Records: Does Your Carrier’s Privacy Policy Ring True?
35. Social Networking Privacy: How to be Safe, Secure and Social
36. Securing Your Computer to Maintain Your Privacy
37. The Perils and Pitfalls of Online Dating: How to Protect Yourself
38. A Renter’s Guide to Privacy: What to Know Before You Sign the Lease, While You Rent, and When You Move Out
39. Mobile Health and Fitness Apps: What Are the Privacy Risks?
40. Bring Your Own Device . . . at Your Own Risk
41. Data Brokers and Your Privacy

California Medical Privacy Series

C1. Medical Privacy Basics for Californians
C2. How Is Your Medical Information Used and Disclosed -- With and Without Consent?
C3. Your Medical Information and Your Rights
C4. Your Prescriptions and Your Privacy
C5. Employment and Your Medical Privacy
C6. Health Information Exchange: Is Your Privacy Protected?
C7. Personal Health Records and Privacy
C8. Medical Information Covered by Laws Other than HIPAA
C9. Beyond the Doctor's Office: privacy laws may apply in situations you haven't considered.
C10. The "Gray Areas": Is Your Health Privacy Protected?

Friday, October 17, 2014

Even Good Spys Have a Bad Day Once in a While

The Australian Security Intelligence Organisation (Asio) inadvertently spied on its own employees, 

in one of a series of surveillance breaches in the past 12 months compiled by Australia’s intelligence watchdog.

The Inspector General of Intelligence and Security (Igis) annual report was tabled in parliament on Thursday, and identified a series of breaches of Asio’s spying powers at a time when the federal government is granting the agency unprecedented new powers. (more)

Binder Flaw Threatens to Blow Apart Android Security

Security researchers have warned of a serious security flaw in Android which could potentially leave every device open to attack.

The vulnerability is in the operating system’s ubiquitous inter-process communication (IPC) tool known as Binder, according to a Black Hat Europe presentation on Thursday by Check Point researchers Nitay Artenstein and Idan Revivo...

Subverting this component allows an attacker to see and control almost all important data being transferred within the system,” the two say in their research paper. (more)

Hackers Target Hong Kong Protesters via iPhones

When the Hong Kong protests were at their height, activists using WhatsApp received messages advertising a program that promised to help them coordinate protests.  

When the demonstrators downloaded the program through a link in the message, it turned out to be malicious software—most likely created by the Chinese government—that hacked their smartphones.

Lacoon Mobile Security, based in San Francisco, began to analyze the phony app after spotting unusual communication on the networks of its corporate clients, some of whose employees had downloaded it. In tracing the spyware’s path to the websites where it sent data, Lacoon’s researchers found a much rarer species of malware: a version that can steal information from iPhones. (more) (video)

Thursday, October 16, 2014

FBI to Congress - More Power Please

The FBI is asking Congress to give it new powers to force technology companies to turn over private information on their customers. 

FBI Director James Comey warned Thursday that new technologies are making it easy for criminals to hide incriminating information from police...

For several years, the FBI has been warning about the problem of new technologies allowing criminals to "go dark." But Comey explained that his new push was prompted by the decisions by Apple and Google to provide default encryption on their phones that will make it impossible to unlock them for police, even when faced with a court order. (more)

Tunnel Vision Focus on IT Security - The Biggest Mistake...

...companies make when securing sensitive data.

FACTS

• All pre-computer era information theft tactics still work, and are still used.
• Most “computerized” information is available long before it is put into a computer.

• Data theft is the low hanging fruit of the business espionage world. The real pros use ladders.


Murray's Holistic Approach to Information Security

1. Protect information while it is being generated (discussions, audio and video communications, strategy development). Conduct Technical Surveillance Countermeasures (TSCM) inspections of offices and conference rooms on a scheduled basis. Example: Ford Motors found voice recorders hidden in seven of their conference rooms this summer.

2. Protect information while it is in transit (phone, teleconference, Board meetings, off-site conferences). Wiretapping and Wi-Fi are still very effective spy tools. Check for wiretaps on a scheduled basis, and/or encrypt the transmissions. Conduct pre-meeting TSCM inspections. Tip: Never let presenters use old technology FM wireless microphones. The signal travels further than you think, and is easily intercepted.

3. Protect how information is stored. Unlocked offices, desk and file cabinets are a treasure trove of the freshest information. Print centers store a copy of all print jobs. Limit written distribution of sensitive information. Crosscut shred sensitive waste paper. All these vulnerabilities and more should be covered during the security survey portion of your TSCM inspection.

4. Educate the people to whom sensitive information is entrusted. Security briefings don’t have to be long and tedious. Establish basic rules and procedures. Explain the importance of information security in terms they can understand, e.g. “Information is business blood. If it stays healthy and in the system, your job, and chances for advancement, stay healthy.”

Effective information security requires a holistic protection plan. IT security is an important part of this plan, but it is only one door to your house of information.
 
There is more you need to know. Contact a TSCM specialist for further assistance. (counterespionage.com)

Cell Phone Eavesdropping Just Became Really Difficult

Scientists have invented a new method to encrypt telephone conversations that makes it very difficult to 'eavesdrop'. 

Professor Lars Ramkilde Knudsen from Technical University of Denmark (DTU) has invented a new method called dynamic encryption to ensure that all telephone calls are encrypted and eavesdroppers are unable to decrypt information in order to obtain secrets...

The new method expands the AES algorithm with several layers which are never the same... The new system can prove hugely effective in combating industrial espionage, said Knudsen.

Industrial espionage occurs when different players discover and steal trade secrets such as business plans from companies, technical know-how and research results, budgets and secret plans using phone tapping. (more)

Wednesday, October 15, 2014

Chinese Renovation Plan Creates Waldorf-Hysteria

Concerned about potential security risks, the U.S. government is taking a close look at last week's sale of New York's iconic Waldorf Astoria hotel to a Chinese insurance company.

U.S. officials said Monday they are reviewing the Oct. 6 purchase of the Waldorf by the Beijing-based Anbang Insurance Group, which bought the hotel from Hilton Worldwide for $1.95 billion. Terms of the sale allow Hilton to run the hotel for the next 100 years and call for "a major renovation" that officials say has raised eyebrows in Washington, where fears of Chinese eavesdropping and cyber espionage run high. (more)

Rogue Bank Security Department Buys Wiretaps

The accusations read like a pulp thriller: Citigroup employees in Mexico are suspected of pocketing millions of dollars in kickbacks from vendors. And bodyguards for bank executives bought audio recordings of personal phone calls and created shell companies to disguise their fraud...

The security unit’s primary purpose was to protect the Banamex leadership, but at some point, the unit started operating beyond its approved duties, according to the person briefed on the matter who was not authorized to speak publicly because of the criminal investigation. The security unit was also providing protection and security consulting services for people outside the bank, sometimes as a courtesy and at other times for money, the internal investigation found. The conduct spanned more than a decade, the investigation found, extending into last year... 

Citigroup’s outside lawyers have turned over information to law enforcement officials in Mexico and the United States, but there are many things the bank doesn’t know about the rogue security unit. For example, the security team had purchased audio surveillance files from “third parties” that included cellphone and landline conversations of dozens of people — some of a highly personal nature, the person said. The Banamex unit then transcribed many of these files. It was unclear why the security team was amassing records of the personal conversations. The bank’s investigators are still working to determine why the security unit gathered the conversations, involving dozens of people, many of whom had nothing to do with the bank. (more)

Tuesday, October 14, 2014

Aaron's Settles Spy Software Installation Charges

Aaron's Inc., the nation's second-largest chain of rent-to-own appliance and furniture stores,

agreed to pay $28.4 million to settle allegations that it violated California consumer privacy and protection laws by allowing software that secretly monitored consumers to be installed on rental computers, according to regulators.

The Atlanta-based retailer allegedly overcharged customers, left out important contract disclosures and installed software that could track the keystrokes of people who rented computers and even activate webcams or microphones to record users. (more)

Monday, October 13, 2014

Word on the Street: Hertz has cameras in their cars!

...from an anonymous blog entry...
I am a regular renter from Hertz (President's Circle)... I got into a rental car at O'Hare airport. 

I immediately noticed the new NeverLost and I was completely shocked to see a camera built into the device looking at me. The system can't be turned off from what could tell...

I know rental car companies have been tracking the speed and movements of their vehicles for years but putting a camera inside the cabin of the vehicle is taking their need for information a little TOO FAR. I find this to be completely UNACCEPTABLE. In fact, if I get another car from Hertz with a camera in it, I will move our business from Hertz completely. 

I influence car rentals of many others and I don't think anyone would want to be on camera while they are driving around or sitting at a red light. 

Given what Hertz has invested in this system, I wonder how much consumer pressure will make them to pull the plug on this. Business is built one customer at a time and they will no longer have me as a customer. What are your thoughts? (more)

Further investigations revealed...
...the Hertz NeverLost 6 platform will include an ARM Cortex-A9 architecture with quad cores running at 1GHz, a high-res TFT display, Bluetooth and Wi-Fi connectivity and a GPS module that engineers built around SiRFstarIV architecture. Also included are a keypad, camera module, accelerometers and a Gyros sensor board...


Huff Butt Dial Blues

If a person accidentally calls someone from their cell phone, do they have a right to privacy protecting any conversation heard on the other end? The courts don’t think so.

Jim Huff, then chairman of the Kenton County (Kentucky) Airport Board, which manages Cincinnati’s international airport, was at a conference in Italy on October 24, 2013, when he unintentionally dialed airport offices while his phone was in his pocket and reached Carol Spaw. Spaw listened to Huff’s conversation for 90 minutes, even writing down some of his remarks and passing them along to a third party.

Huff claimed Spaw’s actions violated his right to privacy, since he never intended to “pocket dial” her in the first place.

But a federal judge didn’t agree, ruling individuals don’t have a reasonable expectation of privacy due to the common problem of pocket dialing and “butt calls.” (more) (sing-a-long)

In 60 Seconds: Snoopy Books, Malware in Firmware, and an SMS Virus on Android

Nixon Offered To Illegally Wiretap New York Mayor John Lindsay

The disclosure that Nixon offered to wiretap Lindsay comes via the detailed diaries of Dr. W. Kenneth Riland, who was Rockefeller’s osteopath and confidante.

He also treated Nixon and gained his confidence, too. (more)