Sunday, January 25, 2015

Business Espionage - The South Africa Report

SA - As the current Sony-North Korea tit-for-tat game attests, industrial espionage has now been brought to an open space, and its debilitating consequences are evident – including in South Africa...

Click to enlarge.
Industrial espionage is the least-known concept within the intelligence compendium, although many agencies are now involved in this activity... Several private businesses have been mentioned in cases involving illegal theft of commercial information. This attests to the fact that in modern societies, as was the case in earlier centuries, economic intelligence is an integral aspect of business, albeit as a business risk.

Studies conducted under the auspices of the University of the Witwatersrand and the University of South Africa for several years have found that industrial espionage in SA is on the rise...

SA-specific accounts of industrial espionage are mostly contained in business publications...

For example, in 2003, The Star reported that British American Tobacco SA (BATSA) conducted spying activities on its rival, Apollo Tobacco; and Finsettle, a subsidiary of Barnard Jacobs Mellet, stole business information secrets of CST Outsourcing. In March 2014, Business Day reported on a suspected case of industrial espionage practices of BATSA involving spy networks and payment of agents by the JSE-listed company. The inference is that industrial espionage is a burgeoning business strategy in SA.
(more)

Hacking Wi-Fi is Child's Play - Now run out and find me a child.

The great Groucho Marx, in character, was reading a report and remarked that a 4-year-old child could understand it. So, he said, "run out and find me a 4-year-old child."

Betsy Davis isn't 4. She's 7, but it's still pretty impressive that a computer-savvy 7 year old could Google the information she needed in order to hack into a public Wi-Fi system in a little under 11 minutes. Fortunately, Betsy is not a criminal hacker, but was enlisted as a part of a security experiment to show how easy it is to hack into such network and steal information from unwary people.

Many people assume that the Wi-Fi that they're using is secure, but this isn't always the case.
 (more)

The actual quote as reported by NPR...
In the Marx Brothers classic Duck Soup, there's a scene in which Groucho's Rufus T. Firefly, the newly installed leader of Freedonia, receives a report from the Treasury Department. "I hope you'll find it clear," says the minister of finance. "Clear?" replies Firefly incredulously. "Why, a 4-year-old child could understand this report." Then he pauses for a beat: "Now run out and find me a 4-year-old child. I can't make head or tail of it."

Did Meanwell Mean Well, or... She Wanted the Cash, Man

New York Yankees general manager Brian Cashman has more than just on-the-field problems... his alleged former mistress, Louise Meanwell, is filing a lawsuit against the Yanks' front office man. 

The suit says that Cashman not only hacked and spied on Meanwell's e-mails, but he also contacted the woman's mother in an attempt to have Meanwell committed in order to cover-up his affair... 


Cashman's mistress is currently in court going through her own legal battles after she was arrested for attempting to extort Cashman for $15,000, and she allegedly stalked him as well after what is believed to be a 10-month fling occurred with Cashman.

It was only after Meanwell found out Cashman had another mistress and had no intention of getting a divorce from his wife that she threatened to blow the lid off their relationship.

This one just keeps getting weirder and weirder by the day.
(more)

Email Encryption Options

Q.  I have a client who wants us to use encryption for emails and attachments (not voice). Do you have a solution?

A. Thanks for asking. Your client has a number of fairly easy and low cost options.

• If they use Microsoft Office Outlook have them read this.
• Mac Mail. Read this.
• Thunderbird. Read this.
• Google Apps. Read this.
• Here are the 2015 reviews for the "Top Ten" 3rd-party email encryption programs.
• This is a good article on how to implement email encryption.

Not knowing the client, their needs, IT expertise, etc. I can't point them to anything specific, but the above links will certainly get them started.

Hope this helps,
Kevin

Wednesday, January 21, 2015

Two Canadian Spy Opportunities

Canadian students who want a career in electronic spying have until January 25 to apply to the Communications Security Establishment Canada (CSEC), the electronic surveillance arm of the federal government.

CSEC has started a hiring campaign targeting colleges and universities a few months ahead of the inauguration of its new headquarters in Ottawa (see list of opportunities). The building, with an astronomical price tag of $1.2 billion, is the most expensive government complex in Canadian history, dubbed the spy "Taj Mahal" by several critics. The immense campus is located next to the Canadian Security Intelligence Service (CSIS) headquarters, and the two will be joined by a walkway. The veritable "spy nest" will house 4,000 cryptographers, secret agents and information specialists of all kinds in Gloucester, a suburb of the nation's capital.
(more)

The new headquarters of Canada’s electronic surveillance agency had an “extreme vulnerability” which was inadvertently breached by firefighters responding to an emergency call, the Toronto Star reports. The Canadian Communications Security Establishment (CSE) revealed the vulnerability by sending uncensored documents in response to an access to information request by the Star about the fire.

The sensitive information contained in the documents was highlighted, but not censored, compounding one security breakdown with another.

During the construction of the $800 million CAD (about $660 million USD) building for the CSE, a routine call in response to a small fire lead local firefighters to different entrance than the one they were expected at. Finding no-one there, they cut a padlock to access the building.

The documents also reveal vulnerabilities such as inoperative security cameras and a long-missing visitor pass. At least some of those vulnerabilities have since been addressed, and the agency told the Star that the construction access point used in the incident no longer exists, now that the building is complete and occupied.
(more)

Weird Science - One-way Spy Mirrors Prove Zero Topological Entropy

Entropy And Complexity Of Polygonal Billiards With Spy Mirrors
We prove that a polygonal billiard with one-sided mirrors has zero topological entropy. In certain cases we show sub exponential and for other polynomial estimates on the complexity.
(more)

iPhones Have Built-in Spyware - Well, duh.

NSA whistleblower Edward Snowden has claimed that Apple’s iPhone range of devices contains built-in spy software that can be used to track the owner.

According to Snowden’s lawyer, the software can be remotely activated at any time without the user’s knowledge.
(more)

2 Million Cars Open to Hackers - "Say it ain't so, Flo."

An electronic dongle used to connect to the onboard diagnostic systems of more than two million cars and trucks contains few defenses against hacking, an omission that makes them vulnerable to wireless attacks that take control of a vehicle, according to published reports.

US-based Progressive Insurance said it has used the SnapShot device in more than two million vehicles since 2008... According to security researcher Corey Thuen, it performs no validation or signing of firmware updates, has no secure boot mechanism, no cellular communications authentication, and uses no secure communications protocols. SnapShot connects to the OBDII port of Thuen's 2013 Toyota Tundra pickup truck, according to Forbes. From there, it runs on the CANbus networks that control braking, park assist and steering, and other sensitive functions.


The "Internet of automobiles" may hold promise, but it comes with risks, too."Anything on the bus can talk to anything [else] on the bus," Thuen was quoted as saying in an article from Dark Reading. "You could do a cellular man-in-the-middle attack" assuming the attacker had the ability to spoof a cellular tower that transmits data to and from the device.
(more)

Tuesday, January 20, 2015

Coming Soon - Confide - The Vanishing App for Executives

Sometime in the coming weeks, confidential-messaging startup Confide will launch a service that allows businesses to send documents, not just texts, using its signature version of disappearing ink.

This advanced Snapchat for grown-ups, the company believes, will bring back the sense of privacy and control that has increasingly become a casualty of online communications. It should also provide a defense against hackers...

The system has been envisioned as a sort of online version of the private business call...

Alone among ephemeral apps, Confide cloaks the text in a way that makes it impossible to capture with a screen shot. The user reads by moving a finger underneath each line of text, which unveils just a few words at a time... Confide's other selling points include end-to-end encryption... The message vanishes from users' phones once it's sent and after it's read.
(more)

Monday, January 19, 2015

Security Director Alert - China Travel and Email

Users of Microsoft's Outlook email service in China had their accounts hacked on Saturday 17 January by the Chinese government, according to web monitoring website GreatFire.org.

The attacks affected people using email clients such as Outlook, Mozilla's Thunderbird and apps on their smartphones that use the SMTP and IMAP protocols, but did not affect the browser versions such as www.outlook.com.

The man-in-the-middle attack used by the hackers allowed them to intercept conversations between victims, which appear to be private but are in fact controlled by the hackers.

GreatFire.org was able to reproduce the results seen by victims, including the fake certificates used by the hackers to pretend they were the intended recipient.

"If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor," a blog post said on Monday 19 January.

The attack on Outlook comes just a month after the Chinese government blocked the use of Google's Gmail service in the country.
(more)

Sunday, January 18, 2015

Know What They Call... Spy vs. Spy vs. Spy vs Spy?

A tranche of fresh Snowden leaks... detailing the bizarre, fractal practices of "fourth-party collection" and "fifth-party collection."

 "Fourth party collection" is the practice of spying on spy agencies to gather all the data they're taking in. "Fifth-party collection" is the practice of spying on spies who are spying on other spies. Really.
(more)

Spy Penned Friends, or You Look a Lot Hotter on the Net

PA - A Blairsville man has pleaded guilty to a single charge that he surreptitiously photographed friends, co-workers, relatives and others without permission, using a digital “spy pen” to capture their images in May 2013.

Wesley Lear, 57, also was accused by investigators of editing the photos to place his victims’ faces on nude bodies and circulated them on the Internet, and was charged with downloading child pornography images to his computer.
(more)

UK - Former Deputy Prime Minister Finds Car Bugged

UK - John Prescott has turned detective after finding his Jaguar had been bugged.

The former Deputy Prime Minister discovered the device hidden in his car when he took it to a garage because it had problems starting.

Mechanics found a tracker concealed under the driver’s seat that was hooked up to the car battery, draining its power.

The sophisticated device uses mobile phone technology and is capable of reporting the Jag’s movements at all times. It also has an inbuilt microphone enabling it to pick up conversations.

And the 6 inch-square black box is even capable of immobilising the car if instructed to by mobile phone.

Lord Prescott told the Sunday Mirror: “I’ve been told that whoever knows the SIM card that goes with the tracker can send out a signal and stop the engine...

"This type of surveillance breaches our right to privacy – I’ve had my mobile hacked, my phone tapped, and now someone might have been tracking my car.”

But insisting he was calm about the find he joked: “I can only hope whoever listened to my conversations installed an automatic bleeper too.”
(more)

Best guess from here... Installed by the car dealership, or previous owner, to thwart late payments or theft.

History: The Case of the Vanishing Private Eyes

How 19th-century America's biggest, most dogged detective agency went on to get unceremoniously acquired 100 years later by a Swedish conglomerate...

Sam (Dashiell) Hammett was a wayward youth. Having left school at the age of 13, he spent his teenage years holding down odd jobs, blowing his paychecks on horse races and boxing matches, and consorting with prostitutes in the rougher sections of Baltimore and Philadelphia. Within a few years, alcoholism had its claws in him, and by age 20 it was rumored that he had already contracted a venereal disease.

In 1915, Hammett, the son of a Maryland farmer, joined the Pinkerton National Detective Agency at the age of 21. During the early 1890s, the Pinkertons, as they were more commonly known, had boasted a force of 2,000 active operatives and some 30,000 reserve officers. By comparison, the United States Army, which for decades had been primarily concerned with fighting Native Americans in the West, had fewer than 30,000 officers and enlisted men assigned to active duty.
(more)

60 Seconds + 1 USB Necklace = A Spy Hiding in Your Computer

The necklace, called USBdriveby, it’s a USB-powered microcontroller-on-a-chain, rigged to exploit the inherently awful security flaws lurking in your computer’s USB ports. In about 60 seconds, it can pull off a laundry list of nasty tricks...

...this device hijacks your machine, disables many layers of security, cleans up the mess it makes, and opens a connection for remote manipulation even after the device has been removed..

So what can you do to protect yourself from things like this? Not a whole lot, really — that’s why attacks like this and BadUSB are so freaky. A lot of these flaws are inherent to the way the USB protocol was designed and implemented across so many hundreds of millions of computers; short of filling your USB ports with cement or never, ever leaving your computer’s ports unattended while out and about, there’s no magic fix.
(more)