Sunday, February 8, 2015

Why Hotels Check Your ID ...and who gets to see it.

If you’re a privacy-conscious traveler, you may have wondered from time to time why hotels ask for ID when you check in, or why they ask you to give them the make and model of your car and other information that isn’t essential to the transaction. What’s the ID-checking for? ...

DIY ID card
Well, in many jurisdictions around the country, that information-gathering is mandated by law. Local ordinances require hotels, motels, and other lodgers (such as AirBnB hosts) to collect this information and keep it on hand. These laws also require that the information be made available to the police on request, for any reason or no reason, without a warrant.
(more)

Extra...
13 Things Your Hotel Front Desk Clerk Won't Tell You

Privacy Quote of the Week

"The age of information-sharing is brilliant, as long as you have no secrets."
~ Heather du Plessis-Allan
...your spoken words will be transmitted to a third party via Voice Recognition.

As the number of connected devices — aka the Internet of Things, aka the sensornet — proliferates, so too does the number of devices leaning on voice recognition technology as an interface to allow for hands-free control...

The potential privacy intrusion of voice-activated services is massive. Samsung, which makes a series of Internet connected TVs, has a supplementary privacy policy covering its Smart TVs which includes the following section on voice recognition:

You can control your SmartTV, and use many of its features, with voice commands... Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

When all the objects in your home have networked ears that are fine-tuned for commercial intelligence gathering, where will you go to talk about “personal” or “sensitive” stuff?
(more)

Thursday, February 5, 2015

Some Simple Corporate Spy Countermeasures

Some information spies navigate the hiring process with every intention to steal corporate secrets for a competitor or foreign state once inside. Others turn against an employer when angered and leave, lured by job offers and incentives to haul out as much data as they can when they go.

Meanwhile, enterprise efforts to spot traitors and limit their access to sensitive data may not be enough. With the right job and the right access, operatives posing as janitors, mailroom employees, or IT staff can skirt efforts to defend data, using their broad access to walk data out the door.

CSO looks at enterprise barriers to these information sleeper agents, how corporate spies get past the protections, and what security leaders can do technically and otherwise to keep their data vaults safe from prying eyes...
(more)

Summary... Thorough background checks, limit access, keep your eyes open.

Security Director Alert - DarkLeaks - The Espionage Bazaar

It looks like the days when concerned individuals share the inner secrets of corporations and governments only due to their nagging consciences are numbered; from here on in, they will do so for nothing more than a fast buck.

A new WikiLeaks-style website has recently been announced that will reward its contributors with Bitcoins in exchange for information.

If the most valuable commodity is information, then it is about to get its own hypermarket; DarkLeaks will allow users to sell leaked data to the highest bidder in an anonymous blockchain-powered environment where anything goes.

DarkLeaks is being developed by unSystem, who are behind DarkWallet and DarkMarket, an anonymous eBay-style marketplace which, unlike Silk Road, operates on the P2P model so that there is no central point of failure for law enforcement to take down.

The DarkLeaks system is so secure that it does not even allow communication between the seller and the buyer of information. Their website states: “The software uses bitcoin’s blockchain to encrypt files which are released when payment is claimed by the leaker. Files are split into segments and encrypted. These segments are unlocked only when the leaker reveals the key by claiming his bitcoins.”

There are also no limits on the type of content that can be bought and sold. Everything from evidence of corporate corruption to naked pictures of celebrities is up for grabs. UnSystem developer Amir Taaki has told CoinDesk that platforms like DarkLeaks provide a financial incentive for insiders to reveal information thereby “devaluing business models based around proprietary secrecy”.
(more)

This is going to be a BIG problem for corporations.
Those without a counterespionage strategy will hurt first.

Tuesday, February 3, 2015

Night Janitor Admits to Hiding Spycam in Staff Bathroom
NV - A former school district janitor told police he hid a video camera in a staff bathroom with the intent to record people using the bathroom in various stages of undress, according to the arrest report.

Gary Wayne Higbee, who has only been employed part-time with the district since September 2014, is facing three counts of capturing an image of the private area of another person...

The video camera was discovered when an employee at Givens Elementary School noticed what appeared to be something hidden next to a silk plant on the bathroom sink.

Another employee told police she noticed Higbee checking out the unisex bathroom every time someone came out of it.

According to the arrest report, Higbee told police he took the camera from his other job at Southwest Airlines, where he works as a ramp agent. He said he researched on the Internet how to make hidden recordings of people.
(more)

Chinuts - Move Here, Give Us Source Code and Build Some Back Doors (wtf?!?!)

China plans to unveil new cybersecurity rules that require tech companies to hand over source code and build back doors in hardware and software for government regulators. The rules only apply to companies selling computer products to Chinese banks, but they have already sparked anxiety on the part of Western tech companies about being trapped between either giving up intellectual property or not doing business in China.

The new rules—part of cybersecurity policies intended to protect China’s critical industries—first appeared in a 22-page document at the end of 2014, according to a New York Times report. Such rules have not been officially announced yet. But the U.S. Chamber of Commerce joined a number of other foreign business groups in sending a letter [pdf] to the Central Leading Group for Cyberspace Affairs, chaired by President Xi Jinping, that called for “urgent discussions” about the policies. Tech giants such as Microsoft, Cisco, and Qualcomm have also independently voiced their concerns.

Under the bank rules, tech companies would have to hand over source code, set up research and development centers in China, and build hardware and software back doors that would permit Chinese officials to monitor data within their computer systems.
(more)

Workplace Video Voyeurism - Streaming Covert Dressing Room Camera

Reality TV star and Las Vegas showgirl Holly Madison said managers at Mandalay Bay’s 1923 Bourbon and Burlesque watched secret, intimate recordings of her and other women in their dressing room.

Madison and her company, Awesometown Inc., filed a lawsuit Monday against multiple individuals involved with her show, 1923 Bourbon and Burlesque by Holly Madison. A second suit was filed on behalf of the other dancers by the same Las Vegas firm, Garcia-Mendoza and Snavely.

The court documents allege that the corporations and managers who hired Madison and ran the venue filmed, transmitted and disseminated images of the women naked and changing costumes for about five months last year without the women’s knowledge or consent.

Robert W. Sabes, Noel Bowman, Robert Fry and Avi Kopelman, the individuals named in the suit, are accused of secretly placing a digital video recorder capable of storing 17 days of film in the women’s changing room. Video was then streamed to the men’s computers and other digital devices, according to the lawsuit...

In addition to the men named in the lawsuit, the action targets the corporations involved, Fat Hat LLC, ICE Lounge Las Vegas LLC and J. F. Sabes Investment Inc, as well as 20 unnamed people and corporations, which were involved in building the dressing room and setting up the surveillance camera.
(more)

Sunday, February 1, 2015

Australian PI Goes Undercover and Gets Sacked (no, really)

Australia - A private investigator who gets paid by councils to have undercover sex inside illegal brothels has been fired after withholding information about a prostitute whom he met on a job.

Over the past four years, "Fred Allen" has received tens of thousands of dollars from at least 10 Sydney metropolitan councils in exchange for evidence that is required, in court, to help close underground parlours.

But in October the investigator was accused, by Sydney-based consultancy firm Brothel Busters, of having "deliberately omitted" important details from a brief of evidence to "protect" an illegal sex worker, with whom he had become "enchanted", while working covertly inside an underground vice den.
(more)

Three Grumpy Spies Nailed with Bugs and Taps

Three men accused in the latest Russian spy case didn't hide behind fake identities and weren't stealing military secrets. The evidence even suggests they were annoyed that their assignment wasn't more like a James Bond film.

Their alleged plot to dig up "economic intelligence" on possible banking penalties and alternative energy sources may not be the stuff of Hollywood movies, but U.S. authorities insist the case is proof that Russian spying is thriving in America more than two decades after the end of the Cold War.

It also shows the time and resources the U.S. still throws at those suspected of being Putin-era spies, using methods developed before many of them were born: listening bugs, hidden cameras and intercepted phone calls.
(more)

Ex-Spy Chief Wanted on Charges of... Spying

Colombia — The former head of Colombia’s intelligence agency ended several years on the run and surrendered to face charges of spying on opponents of former President Alvaro Uribe.

Maria del Pilar Hurtado late Friday turned herself over to authorities in Panama, where she fled in 2010. She was taken on a pre-dawn flight to Bogota, where a judge ordered her to be jailed at the chief prosecutor’s office while charges are considered.

Chief prosecutor Eduardo Montealegre said Hurtado was being processed for at least five offenses that could bring 15 to 20 years in prison for a conviction. He said he would urge Hurtado to cooperate and reveal “who gave the order for the illegal wiretapping.”
(more)

Saturday, January 31, 2015

Weird Science - Eavesdropping 3,000 miles away while underwater

1944 - Maurice Ewing and a team of American scientists... believed there may be a layer in the ocean where a combination of pressure and temperature create a narrow channel where certain low-frequency sounds would travel long distances.

In the deep waters of the Atlantic, researchers dropped several explosives containing four pounds of dynamite, each timed to detonate at a different depth. Using an underwater microphone called a hydrophone, a second boat stationed 900 miles away successfully detected the sounds.

Subsequent tests picked up the signal at a distance of 3,000 miles.
The discovery of the SOFAR sound channel opened up a new way to study the world's oceans, as well as a unique tool in the nation's defense.
(more)

Four of the Newest (and lowest) Social Engineering Scams

1. Phishing with new lethal strains of ransomware
Ransomware caught businesses’ attention in 2013 with Cryptolocker, which infects computers running Microsoft Windows and encrypts all of their files, as well as files on a shared server. The extortionists then hold the encryption key for ransom (about $500 USD), to be paid with untraceable Bitcoin. The longer the victim waits to pay, the higher the price, or the data can be erased. Now, copycat CryptoDefense has popped up in 2014 and targets text, picture, video, PDF and MS Office files and encrypts these with a strong RSA-2048 key, which is hard to undo. It also wipes out Shadow Copies, which are used by many backup programs...

2. Phishing with funerals
Perhaps a new low - social engineering gangs have been caught sending people phishing emails that appear to be from a funeral home, telling the reader that a close friend of theirs is deceased and the burial ceremony is on a given date. They have already penetrated and compromised the funeral home’s website, so the moment that the concerned friend clicks through to the compromised website they get redirected to a bad guy’s server...

3. IVR and robocalls for credit card information
Bad guys steal thousands of phone numbers and use a robocaller to call unsuspecting employees. “It’s fully automated,” Sjouwerman says. “The message goes something like – ‘This is your credit card company. We are checking on a potential fraudulent charge on your card. Did you purchase a flat screen TV for $3,295? Press 1 for yes or 2 for no.’” If the person responds no, the script then asks the victim to enter his credit card number, expiration date and security code. In some cases, employees worry that their company credit card has been compromised and they might get into trouble, so they play along...

4. Healthcare records for spear-phishing attacks
With massive data breaches in 2013, the criminal element has reached a point where they can grab personally identifiable information and start merging records – including healthcare records. For instance, a bogus email looks like it’s coming from your employer and its healthcare provider, announcing that they’ve made some changes to your healthcare program. They’re offering preferred insurance rates for customers with your number of children. Then they invite the email reader to check out a link that looks like it goes to the health insurer’s web page. “Because the email is loaded with the reader’s personal information, there’s a high likelihood of one click – and that’s all it takes” to infiltrate company systems...
(more)

How the Hell Are These Popular Spying Apps Not Illegal?

(a long and excellent article)
Here are some sordid scenarios. Your ex-girlfriend can see every time you swipe right while using Tinder. Your former husband is secretly listening to and recording your late-night Skype sessions with your new boyfriend. Some random slippery-dick is jacking off to the naked photos in your private photo library. For millions of people, it's not hypothetical.

Someone could be spying on every call, Facebook message, snapchat, text, sext, each single keystroke you tap out on your phone, and you'd never know. I'm not talking about the NSA (though that too); I'm talking about software fine-tuned for comprehensive stalking—"spyware"—that is readily available to any insecure spouse, overzealous boss, overbearing parent, crazy stalker or garden-variety creep with a credit card. It's an unambiguously malevolent private eye panopticon cocktail of high-grade voyeurism, sold legally. And if it's already on your phone, there's no way you can tell.

Spyware companies like mSpy and flexiSPY are making money off the secret surveillance of millions of people's devices. Literally millions of people, according to the sales figures provided by these spyware companies, are going about their days not knowing that somewhere, some turdknockers are scouring their photo libraries and contacts and WhatsApp messages, looking for digital misdeeds.

Spyware has been around for decades, but the current crop is especially invasive. They make money by charging people—from $40 a month for a basic phone spying package on mSpy up to $200 a month on one of flexiSPY's bigger plans—for siphoning activity off their target's devices.
(more)

Friday, January 30, 2015

The Sundance Film the FBI Doesn't Want You to See

(T)ERROR is the first film to document an active FBI counterterrorism sting investigation.

In the feature documentary (T)ERROR, which premiered this week at the 2015 Sundance Film Festival, everyone is spying on everyone: the informant on the target, the target on the informant, the FBI on the informant, the filmmakers on the FBI.

Incredibly, directors Lyric R. Cabral and David Felix Sutcliffe manage to film not just the one doing the surveilling but also the one being surveilled — without either subject knowing the other is also appearing on-camera.

It’s a daring feat made even more impressive when you realize the FBI has no idea that the informant they’re using is in fact simultaneously using them.

But unlike Homeland or some John le Carré novel, where spying is sexy and the characters are all perspicacious, (T)ERROR depicts the reality of today’s domestic intelligence gathering: it is not glamorous, the vernacular is informal, the surveillance techniques utilized include “advanced” approaches like trying to befriend someone on Facebook, and incompetence abounds (at one point a confidential phone number is discovered by typing it into Google).
(more)