Monday, March 23, 2015

Security Director Alert - Cisco VoIP Phone Eavesdropping Vulnerability

Cisco is warning customers about several vulnerabilities in some of its IP phones that can allow an attacker to listen in on users’ conversations. The bug affects the Cisco SPA 300 and 500 Series IP phones.

Cisco had confirmed the vulnerabilities, which were discovered by Chris Watts, a researcher at Tech Analysis in Australia, and is working on a new version of the firmware to fix the bugs.

“A vulnerability in the firmware of the Cisco Small Business SPA 300 and 500 series IP phones could allow an unauthenticated, remote attacker to listen to the audio stream of an IP phone,” Cisco said in its advisory.

“The vulnerability is due to improper authentication settings in the default configuration. An attacker could exploit this vulnerability by sending a crafted XML request to the affected device. An exploit could allow the attacker to listen to a remote audio stream or make phone calls remotely.”

...The fix for the bug is not yet available, but Cisco said it is preparing one. more

CSIS Sends 6-year-old Boy Tips on How to Become a Spy

Canada - When six-year-old Jacob St. Jean found out that secret agents weren't just the stuff of stories, he asked his mom, Erin, to help him track down some real spies.

The pair wrote a letter to CSIS, asking if Canada's spy agency would set up a club for kids.

For four months, Jacob checked the mail daily, only to be disappointed...

Then, earlier this week, Jacob received a mysterious package in the mail — and an apology for the delayed response — from the B.C. regional director of CSIS. more

Thursday, March 19, 2015

Security Director Alert - iPhone Password Crack

via... blog.mdsec.co.uk
We recently became aware of a device known as an IP Box that was being used in the phone repair markets to bruteforce the iOS screenlock. This obviously has huge security implications and naturally it was something we wanted to investigate and validate. For as little as £200 we were able to acquire one of these devices and put it to work.

Although we’re still analyzing the device it appears to be relatively simple in that it simulates the PIN entry over the USB connection and sequentially bruteforces every possible PIN combination. That in itself is not unsurprising and has been known for some time. What is surprising however is that this still works even with the “Erase data after 10 attempts” configuration setting enabled. Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN.

...our advice to all is ensure you have a sufficiently complex password applied to your device rather than a PIN. more

Wednesday, March 18, 2015

NYPD Blue IT

NYC - A rogue auxiliary cop hacked into an NYPD database for confidential information about traffic accidents, then contacted the victims posing as an ambulance-chasing lawyer, federal authorities said Tuesday.

"Mr. Katz will see you, as soon as you put on this neck brace."
Yehuda Katz devised an elaborate scheme inside the 70th Precinct station house in Flatbush, Brooklyn, where he was not only able to access law enforcement databases from a remote location, but also installed a hidden camera in a cable TV box in the traffic safety office to make sure he wouldn’t be found out...

Investigators found an electronic device connected to the computer had been logging into the NYPD database using the passwords of three cops on their days off.

The surveillance camera had the capability to broadcast a live image of the office to the Internet. Investigators suspect Katz would activate the device from a remote location to make sure no one was using the computer so he could log into the database. more

Monday, March 16, 2015

Canadians Concerned About Bill C-51's Surveillance Powers

Canadians should be “spooked” by the enhanced powers spies are going to get, says a national security expert.

Agents of the Canadian Security Intelligence Service will not just be capable of eavesdropping and opening other people’s mail, according to Reg Whitaker.

The Vancouver Island-based academic and author of The End of Privacy: How Total Surveillance is Becoming a Reality said they’ll be able to do pretty much everything, short of murder, torture, sexual assault, and obstruction of justice.

That’s care of Bill C-51, the federal Liberal party-backed anti-terrorism bill introduced by the Conservatives in Parliament.

“The way that legislation is drawn up, anything,” Whitaker told the Straight in a phone interview. “I mean, it’s open ended. It’s a blank cheque.” more

Sunday, March 15, 2015

Lawyer Asks Judge to Rule... Wiretapper was a Party to the Calls

NJ - A top official at a New Jersey jail has been convicted of illegal wiretapping.

Hudson County Correctional Facility Deputy Director Kirk Eady was convicted Friday of the only charge he faced.

Authorities say he used a website to intercept and record at least a dozen telephone calls of other employees and another person who were critical of his work performance.

The 46-year-old Eady, of East Brunswick, scheduled to be sentenced on July 8. He faces up to five years in prison and a fine of up to $250,000. 

His lawyer has asked a judge to rule that Eady was actually a party to the phone calls and not breaking the law. more

BlackBerry's SecuTABLET

BlackBerry is returning to its core expertise in mobile phones — security — as it was known half-a-decade ago.
In its efforts to stage back in the lost ground of mobile market, the Canada-based company said its new high-security tablet based on the Samsung Galaxy Tab S 10.5 would extend its secure mobile services developed in partnership with IBM and Samsung.

Called the SecuTABLET, the device was presented by its Secusmart unit at the CeBIT 2015 in Germany, BlackBerry said the new mobile brings forth once again its core strength on secure connections for government and big businesses, In fact a decade ago, BlackBerry ruled the world of secrecy with its encrypted e-mail message facility that became a headache for many governments used to swooping on big business conglomerates. more

He Wiretapped His Way Into Her Heart

AR - A little wiretapping and a less than harmonious conversation with another man were the catalyst for romance in 1986 for Beth Guerin and the office telephone installation tech.

He had certainly noticed her. The really cute girl who was answering phones part time in the doctor's office? Yes, 19-year-old Darrin Adcock had noticed her. He was doing a job for a small telecommunications company in Hot Springs, and he likely would have left without exchanging a word with her had he not made a small mistake first.

"I had my test set and I accidentally clicked onto the line that she was on. And I listened. Maybe I shouldn't have, but I did," Darrin says. "I really didn't mean to do that, but in doing so I heard her talking to her then-boyfriend and realized her and her boyfriend were not getting along and I thought, 'Well, this is kind of neat.'" more

Corporate Espionage: CBI Names PricewaterhouseCoopers as a Suspect

India - The Central Bureau of Investigation on Saturday named consultancy firm PricewaterhouseCoopers as a suspect in the corporate espionage case...

The Delhi Police had earlier last month arrested two more persons - one from the UPSC and the other from the Environment Ministry - broadening its probe into the corporate espionage case.

They were held for leaking sensitive documents to energy consultant Lokesh Sharma.

Around 17 people, including government employees, energy consultants and senior executives of top energy companies, have been arrested so far by the Delhi Police. more

Friday, March 13, 2015

Business Espionage: The Cruffin Caper (and 230 other recipes swiped)

It takes three days to make a cruffin, a muffin-croissant hybrid that is the signature of Ry Stephen, a 28-year-old pastry chef. His shop, Mr Holmes Bakehouse, has been open three months and inspired a wild following, with customers lining up early to buy the ice-cream-cone-shaped cruffins, which reliably sell out before the line is gone...

Now, the tempting sweet may have inspired a crime. Overnight last week, a thief stole the recipe for cruffins, and Mr. Stephen’s 230 other recipes, from binders in the bakery’s kitchen. Nothing else in the store was touched: not money, valuable baking equipment, an iPad or other computers...

Mr. Stephen does not think it was an inside job. He said he trusts his employees and has told them, “You can have any recipe you want, provided you know how to execute it.” Plus a new surveillance system had been installed, but was not yet operational, although the employees did not know that. more

This is a cautionary tale with important points for your business...

1. Secure your proprietary information and business secrets. Keeping them in your "locked" office, on a shelf, where everyone knows where they are, is not adequate.

2. Use top notch security to protect your business secrets. Hire an independent security consultant to assist you with this. Periodically double-check to make sure your security systems are 100% operational.

Expect to see cruffins everywhere, soon.

Tea - the "greatest single act of corporate espionage in history."

The Scottish Spy Who Stole China's Tea Empire

Robert Fortune
In the mid-19th century, Britain was an almost unchallenged empire. It controlled about a fifth of the world's surface, and yet its weakness had everything to do with tiny leaves soaked in hot water: tea. By 1800, it was easily the most popular drink among Britons.

The problem? All the tea in the world came from China, and Britain couldn't control the quality or the price. So around 1850, a group of British businessmen set out to create a tea industry in a place they did control: India.

For All the Tea In China: How England Stole the World's Favorite Drink and Changed History is writer Sarah Rose's account of the effort to control the tea market, what she calls the "greatest single act of corporate espionage in history." more

Wednesday, March 11, 2015

Barbie Learns How to Talk. (It only took her 50 years.)

In a recent demonstration of its Internet-connected doll, Hello Barbie, a Mattel spokesperson greeted the souped-up version of the iconic doll by saying, “Welcome to New York, Barbie.”

Thanks to voice-recognition technology, Barbie was able to analyze that remark and give a relevant, conversational response: “I love New York! Don’t you? Tell me, what’s your favorite part about the city? The food, fashion or the sights?”

The company promises that the software will enable the doll “to listen and learn each girl’s preferences and then adapt to those accordingly.”

The interactive doll is slated to hit shelves in the fall, and Mattel is likely hoping it will help revive sinking sales of its flagship brand.

But a children’s privacy advocacy group is calling for the company to cease production of the toy, saying Hello Barbie might more accurately be called "eavesdropping" Barbie. Because the doll works by recording children’s speech with an embedded microphone and then sending that data over the Web, these advocates call the technology “creepy” and say it could leave children vulnerable to stealth advertising tactics. On Wednesday, the Campaign for a Commercial-Free Childhood launched a petition urging Mattel to keep the doll from hitting store shelves. more

"Well, gag me with a spoon!"

Tuesday, March 10, 2015

Defense Against the Spy - 1967 CIA Training Film

The United States Central Intelligence Agency (CIA) presents a case study of devices that were used for espionage purposes during the 1960's.

Security Director Alert - Time to Update Your BYOD Policy (You do have one don't you?)

According to Alcatel-Lucent’s Motive Security Labs, around 16 million mobile devices are already infected by malicious software designed to spy on users and steal confidential data.

This form of malware is capable of tracking the phone and its owner’s location, monitoring ingoing and outgoing calls, text messages and emails, as well as tracking web browsers.

Cyber-criminals are now targeting Android devices with infection rates for Android and Windows devices estimated to be split 50/50.

Many multinational firms, however, still employ an unmonitored bring-your-own-device (BYOD) policy. This frequently means key staff are connecting to the corporate communications network via unsecured smartphones. It has also led to a situation where staff access social networking sites and audio/visual entertainment of all kinds, exposing them to a growing number of malware attacks. more

Spycams and Wiretaps - Motives for Murder

PA - A man has shot his neighbor eight times - leaving her in critical condition - and taken his own life after accusing her of wiretapping his apartment in a years-long rift.

Steven Outlaw, 51, confronted his downstairs neighbor, 46-year-old Mary Pitts-Devine, in the first-floor hallway of their West Philadelphia building just before 11am on Sunday, WPVI reported.

He shot at her 10 times, hitting her with eight bullets and leaving her in critical condition.

Outlaw then went to his second-floor apartment and shot himself dead, police said.

The shooting came after a simmering argument over whether Pitts-Devine was wiretapping the telephone lines of Outlaw's apartment, Philly.com reported...

He had also written down accusations that she was spying on him with video cameras, according to the channel. more