Wednesday, July 22, 2015

SPY Act - Senate Bill To Lock Hackers Out Of Connected Cars

As reporter Andy Greenberg recently detailed in Wired, hackers were able to remotely disable a Jeep while he was driving it. In a country where car ownership and the freedom of the open road are closely tied to individual and national identity, losing control over any vehicle you're driving is a nightmarish scenario.

Connecting more devices and vehicles to the Internet has immense economic potential but carries both security and privacy risks. The number of ways cars and trucks can be hacked has grown quickly, as automakers roll out new vehicles with more screens and navigation, entertainment and communications systems in response to consumer demand.

Concern about the lack of security in vehicles led Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) to introduce on Tuesday the Security and Privacy in Your Car Act, or the "SPY Act," which would require automobile manufacturers to build IT security standards into connected cars.

Friday, July 17, 2015

How IT Can Spy on Your Smartphone

So what can your employer see about you on your smartphone if you let IT manage that device through an MDM tool?

On an iPhone or iPad, Apple's iOS restricts IT's visibility, so your private data stays private... in iOS, IT can see only your full list of apps. If you give IT permission, it can see your location. Respondents' other sensitive areas are shielded: personal email, personal contacts, texts, voicemails, phone and Internet usage details, and data stored in apps.

IT can see anything in your corporate email, contacts, and calendar since it manages those servers, and it can see your Web activities conducted on its network since it can snoop that traffic.

...IT can see what apps you have installed (not only those deployed by IT), your battery level, your storage capacity and amount used, your phone number and its hardware ID (called an IMEI), your carrier and country, and your device's model and OS version. Plus, if you give IT permission to do so, it can track your location (iOS forces apps and websites to ask for your permission first, so they can't do it secretly).

Android shields almost as much as iOS does, but IT can change that... The default situation for Android users is slightly less private than for iOS users. The big difference involves location information access. iOS asks you when an app first requests access, and it lets you revoke the access at any time in the Settings app. Android asks when you install an app and does not let you revoke the permissions later; however, the forthcoming Android M changes that, working like iOS.

What you want kept private, and where mobile devices oblige...

| Device information | All adults' discomfort in IT seeing | Young adults' discomfort in IT seeing | iOS shields from IT | Android shields from IT |
|---|---|---|---|---|
| Personal email | 78% | 66% | Yes | Yes |
| Personal contacts | 75% | 63% | Yes | Yes |
| Texts and instant messages | 74% | 62% | Yes | Yes [2] |
| Voicemails | 71% | 63% | Yes | Yes [2] |
| Phone and Internet usage details | 69% | 59% | Yes | Yes |
| Information stored in mobile apps | 71% | 60% | Yes [1] | Yes [1] |
| List of all installed apps | 67% | 57% | No | No |
| Location | 66% | 57% | User decides | User decides [3] |

Source: MobileIron
[1] Except data sent to corporate servers from apps
[2] Apps can access this data, so IT could monitor it if desired through an app
[3] At install only in Android 4 and earlier

Wednesday, July 15, 2015

iPhones Can be Infected with SpyWare Without Jailbreaking... and what you can do about it.

via lookout.com
The security world exploded with the news that Hacking Team, a vendor of Italian spyware — software that captures Skype, message, location, social media, audio, visual, and more data, and is marketed as “stealth” and “untraceable” — was hacked…
 
When it comes to iOS, public reports to-date have claimed that the Hacking Team spyware can only infect jailbroken iOS devices… this is not the case.

While Apple does an admirable job protecting users from most malicious software, the fact is that non-jailbroken devices can be infected with Hacking Team’s spyware too…

For its part, Apple created security warnings to inform users before they install apps from outside the App Store. The challenge, however, is that recent research states that people are getting increasingly conditioned to ignore these security warnings.

Here’s what the warning looks like when Hacking Team’s fake Newsstand app is installed on a non-jailbroken iPhone:


Once a user clicks “trust,” the app is fully functional on the non-jailbroken iPhone…

So what can you do about it? 
First off, don’t freak out. Chances are, you do not have Hacking Team’s surveillanceware on your device. To check for this specific instance of Hacking Team’s surveillanceware you can:

  • Check iOS Settings for any apps with an empty name.
  • Check iOS Settings -> General -> Keyboard -> Keyboards to make sure that only keyboards you have installed are set up on your device.

And, here are some general tips for staying safe:
  • Keep a passcode on your phone. A lot of spyware sold on the market requires that the attacker have physical access to the target device to install the software. Putting a passcode on your phone makes it that much harder for them.
  • Don’t download apps from third party marketplaces or links online. Spyware is also distributed through these means. Only download from official and vetted marketplaces such as the Apple App Store and Google Play.
  • Don’t jailbreak your device unless you really know what you’re doing. Because jailbroken iOS devices are inherently less protected, they are more vulnerable to attack when security protection measures aren’t properly enabled.
  • Download a security app that can stop attacks before they do harm. Lookout does this, but if you’re not a Lookout user, ask your security provider if they detect Hacking Team and other forms of spyware.

Friday, July 10, 2015

FutureWatch - The Dark Art of Light Eavesdropping is Coming

Maite Brandt-Pearce, a professor in the Charles L. Brown Department of Electrical and Computer Engineering, and Mohammad Noshad, now a postdoctoral fellow in the Electrical Engineering Department at Harvard University, have devised a way of using light waves from light-emitting diode fixtures to carry signals to wireless devices at 300 megabits per second from each light. It’s like having a whole wi-fi system all to yourself; using light waves, there would be more network access points than with radio waves, so less sharing of the wireless network...

Their breakthrough means that data can be transmitted faster with light waves using no more energy than is already required to run the lights....

“You can use it any place that has lighting,” Brandt-Pearce said. “In a stadium, in a parking lot, or from vehicle to vehicle if using LED headlights and taillights.”

Like current wireless communications, encryption is necessary to keep data secure, but Brandt-Pearce noted that a secure network could be created in a room with no windows.

“It can’t be detected outside the room because the light waves stop when they hit something opaque, such as a wall,” she said. “That can keep communications secure from room to room.” (Generally speaking. However, a hair-like strand of fiber optic poking into the fixture from above the false ceiling should do the trick.)

And two separate networks in different rooms would not interfere with each other the way they do with present wi-fi networks.

She said devices with LED circuits in them can also communicate with each other.

Modulation of room lights for eavesdropping purposes is not new. The advent of ubiquitous LED lighting, however, will dramatically increase the effectiveness and ease of this tactic for eavesdropping... and the long-range wireless interception of computer data via optical means (even if it is encrypted).

Tuesday, July 7, 2015

The Contorted Case of John Large Under Antiquated Wiretapping Laws

PA - Concerned about the care his disabled daughter was receiving in a Bethlehem nursing home, John Large set out last June to register his complaint with an administrator.

Tired of the he-said-she-said nature of their previous conversations, Large went to the HCR Manor Care facility on Westgate Drive prepared to make a recording of the meeting.

Unbeknownst to Patricia Zurick, the director of nursing services, Large used a video recording device concealed in a pair of glasses to capture the sometimes heated hourlong discussion, court papers say.

No one would have been any the wiser except that Large mailed a DVD containing the footage to an FBI field office in Scranton, according to court documents.

The FBI saw the video as a potential violation of wiretap laws, Large's attorney said. Agents forwarded the DVD to Bethlehem police, who charged Large with intercepting communications and possession of a device for intercepting communications.

Large, 50, of Lansford, was held in Carbon County Jail until April, when Lehigh County Judge Robert L. Steinberg ordered the charges dismissed.

In his opinion, Steinberg wrote that because Zurick's office door was open — she testified that she left it open because she was scared of Large — she had no expectation of privacy, a crucial element for determining whether a secret recording is illegal. And because investigators never determined what kind of device Large had used to make the video, Steinberg wrote, the charge of possessing a device for intercepting communications could not be sustained.

He added that Pennsylvania's wiretap law is not keeping pace with the widespread adoption of technology such as tablet computers and Google Glass — essentially a smartphone contained in eyeglass frames.

Weird Wiretap Case - Anesthesiologist Calls Patient a Retard

Last month, a Virginia jury awarded $500,000 to a man who inadvertently recorded an anesthesiologist trashing him as he lay unconscious during a colonoscopy, the Washington Post reported.

The man had activated the recorder on his smartphone to capture his doctor's instructions for his discharge but forgot to turn it off. He was stunned after the procedure to hear the anesthesiologist say she wanted to punch him in the face, suggest that he had syphilis and call him a "retard," according to the newspaper.

The doctor's lawyers argued that the recording was illegal, but the patient's lawyers pointed out that in Virginia, only one party needs to consent to a recording, the Post reported.

Screening of Staff Made Mandatory to Check Info Leak

India - To plug information leaks in the wake of a corporate espionage case, the Centre has issued stringent guidelines for its departments, making security screening of personnel outsourced from elsewhere mandatory and advising against doing confidential work on computers with a net connection.
 
The guidelines, which say external memory devices must not be connected to the USB drives on these computers and that misuse of photocopying machines should be prevented, were issued by the Ministry of Home Affairs last week.

The MHA came out with the guidelines against the backdrop of the leak of classified information from some ministries including the Ministry of Petroleum and Natural Gas.

Monday, July 6, 2015

Italian Surveillance Company Hacked, or "What goes around, comes around."

An Italian surveillance company known for selling malicious software used by police bodies and spy agencies appears to have succumbed to a damaging cyberattack that sent documents and invoices ricocheting across the Internet.

Hacking Team’s Twitter account appears to have been hijacked late Sunday, posting screenshots of what were purported to be internal company emails and details of secret deals with various world governments.

“Since we have nothing to hide, we’re publishing all our emails, files and source code,” an apparent message from the attacker or attackers said Sunday. At the same time a massive file, several hundred gigabytes in size, was leaked online.

The Rise of Workplace Spying

A growing number of companies are using technology to monitor their employees' emails, phone calls, and movements. Here's everything you need to know:

How are employees being tracked?

In almost every way...

When did companies start snooping?

Bosses have always kept a close eye on employees. Henry Ford famously paced the factory floor with a stopwatch, timing his workers' motions in a bid for greater efficiency. He also hired private investigators to spy on employees' home lives to make sure personal problems didn't interfere with their work performance...  

Does this boost efficiency?
Yes, according to the data...

Who does the actual monitoring?
It's all done automatically: Software programs scan employees' email accounts and computer files and alert supervisors to anything inappropriate...

What else are they looking for?
Some companies search for evidence that employees might be thinking about quitting...

Can employees stop this tracking?

Generally, no. Most employee contracts give management free rein to do what it wants with data gathered from office-issued equipment, but some surveilled workers are fighting back...

Listening in at the water cooler.

If you find the idea of your boss reading your emails creepy, how about having your location, tone of voice, and conversation length monitored throughout the working day? Boston-based analytics firm Sociometric Solutions has supplied some 20 companies with employee ID badges fitted with microphone, location sensor, and accelerometer...

Brazen Snoop Goes to Digital Extremes for Game Scoop

Lousy security, but “great food.”

That was a parting shot from a snoop who slipped into a London digital gaming company, hung out there for the day, ate a free lunch — then spilled details online about a new game the firm is developing.
The security breach last week at Digital Extremes, the city’s largest gaming company, underlines the perils of the open workplace that sets tech companies apart from many businesses, one observer said.

“This case illustrates the risk for any technology company of having an open environment and how vulnerable they can be to corporate espionage,” independent technology analyst Carmi Levy said. “There is a risk, when a stranger walks into an office, of losing trade secrets . . . They have to prevent that.”

One Way to Silence Your On-Air Competition - Sue them for wiretapping!

Philippines - A municipal councilor in Aklan has sued a broadcaster for wiretapping after he allegedly taped a private conversation without the official’s consent. 

In a complaint filed before the provincial prosecutor’s office on July 3, Augusto Tolentino, a councilor of the capital town of Kalibo, accused Ma-ann Lachica of violating Republic Act 4200 (Anti-Wiretapping Act), punishable with imprisonment from six months to six years.

In his complaint, Tolentino, a veteran broadcaster who currently hosts a radio program, accused Lachica of recording a conversation of the official with broadcaster Rolly Herrera at the session hall of the municipal building in September 2014.

Sunday, July 5, 2015

How Hackable is Your Life (infographic)

If you're reading this, there's a 69 percent chance you will become a victim of hacking at some point in your lifetime. And if you think protecting yourself is as easy as changing a couple passwords and installing some anti-virus software, you're 100 percent wrong.

Luckily, the paranoia-inducing infographic below will whip you into shape, stat. Find out how hackers gain access to your information, all the scary things they can do with it, and what you can do to protect yourself.

Thursday, July 2, 2015

Man Tapes Upstairs Neighbor with Pole-Mounted Spycam - Claims "Investigative purposes"

MD - Imagine living on the third floor of your condominium building and glancing outside to find a camera looking back. That is exactly what a woman told police she saw, and now her downstairs neighbor is facing multiple criminal charges.

According to police, Donald Beard, 60, repeatedly attached a camera to a long metal pole. Beard would then walk onto his second floor balcony... and hoist the pole, camera rolling, to spy on the woman who lived upstairs.

Around 10 p.m. one night... the victim looked outside her living room window and saw a metal pole swinging back-and-forth. A camera was attached, recording her every move. She immediately called police...

While searching Beard's computers, external hard drives, flash cards, cell phones, tablets, cameras, and other electronic devices, detectives say they uncovered 16 individual videos of the victim. One clip showed the middle-aged woman topless.

As for a motive, Beard reportedly told police his unique surveillance mission was "for investigative purposes", claiming his neighbor was spending time with married men and he wanted to catch her in the act...

Police say Beard also kept an audio journal of the victim's daily activities.

Employee Security Awareness Training: Keeping Your Data Safe

"Human Error is among the most common causes of data loss and security breaches."

Develop a compelling security awareness training that improves employee behavior. Join this FREE webinar and learn about best practices on securing your data from sophisticated attacks. Security experts from Smarttech and Security Innovation will place a great emphasis on:
  • Hacker Tools and Types of Attacks
  • Why Employees Are the Perfect Target
  • How a Breach Can Hurt Your Organization
  • Mitigation Strategies and Tools 
Date: Thursday, July 9
Time: 10-11 AM EDT

Presenters:
Ronan Murphy
CEO, Smarttech

Ed Adams
CEO, Security Innovation

Wednesday, July 1, 2015

Corporate Espionage: not your typical sports-“gate”

Generally when one refers to “competitors” in the context of protecting trade secrets, it is in regard to business competitors, not competing sports teams...

Recently, however, the worlds of sports and trade secret protection collided on the baseball diamond when the St. Louis Cardinals were accused of hacking into the Houston Astros’ internal computer network and stealing proprietary information. According to the New York Times, Cardinals employees gained access to the Astros’ “internal discussions about trades, proprietary statistics and scouting reports,” which the Astros no doubt would prefer to keep private. Specifically:

Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager, who had been a successful and polarizing executive with the Cardinals until 2011.