Tuesday, January 19, 2016

Did Your Lame Password Make the Top 25 List for 2015?

Here are the most popular passwords found in data leaks during the year, according to SplashData:
  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball
  11. welcome
  12. 1234567890
  13. abc123
  14. 111111
  15. 1qaz2wsx
  16. dragon
  17. master
  18. monkey
  19. letmein
  20. login
  21. princess
  22. qwertyuiop
  23. solo
  24. passw0rd
  25. starwars 
    more 

Your Old Wi-Fi Router May Be Security Screwed

...starting from the day you bought it.
 
The reason: A component maker had included the 2002 version of Allegro’s software with its chipset and hadn’t updated it. Router makers used those chips in more than 10 million devices. The router makers said they didn’t know a later version of Allegro’s software fixed the bug.
 
The router flaw highlights an enduring problem in computer security: Fixing bugs once they have been released into the world is sometimes difficult and often overlooked. The flaw’s creator must develop a fix, or “patch.” Then it often must alert millions of technically unsophisticated users, who have to install the patch.

The chain can break at many points: Patches aren’t distributed. Users aren’t alerted or neglect to apply the patch. Hackers exploit any weak link. more

Four Textbook Business Espionage Case Histories

This past year, the FBI has observed a stark increase (53%!) in the amount of corporate espionage cases within the United States... the FBI has pointed out that a major concern in corporate espionage today are “insider threats” – essentially, employees who are knowledgeable of confidential matters are being recruited by competitor companies, and foreign governments in exchange for large amounts of money at much higher rates than ever before. 

Walter Liew vs. DuPont – “titanium dioxide”
In July 2014, Walter Liew, a chemical engineer from California, pleaded guilty to selling DuPont’s super secret pigment formula that makes cars, paper, and a long list of other everyday items whiter to China.

Starwood vs. Hilton
In 2009, Starwood Hotels accused Hilton Hotels of recruiting executives out from under them and stealing confidential materials... Starwood alleged that the ex-employees had stolen more than 10,000 documents and delivered them to Hilton – the worst part being that Starwood didn’t even notice that the documents were missing until after the indictment.

Microsoft vs. Oracle
In June 1999, Oracle hired a detective agency called Investigative Group International (IGI) to spy on Microsoft – it was headed by a former Watergate investigator, if that says anything... IGI, following Oracle’s orders, sifted through Microsoft’s trash (a practice also known as Dumpster Diving)...

The following May, the same happened. This time, IGI focused its investigations on the Association for Competitive Technology, a trade group; IGI arranged for a random woman to bribe ACT’s cleaning crew with $1,200 in exchange for bringing any office trash to an office nearby – of course, the office was a front for IGI.

Steven Louis Davis vs. Gillette
In 1997, Steven Louis Davis, an engineer helping Gillette develop its new shaving system, was caught faxing and emailing technical drawings to four of Gillette’s competitors...

Sadly, these economic espionage cases aren’t shocking to most corporate executives; it’s not uncommon for rivalry companies to dumpster dive, hack, bribe, and hire away key employees. In a rush to push out new products, major corporations will do just about anything to defame their competitors. And, although a few of these cases stem from the 1990s, their spirit still holds today – as the FBI has noted that corporate espionage is no where near slowing downmore

Workplace Surveillance is Sparking a Cyber Rebellion

GPS jammers in vans, FitBits strapped to dogs — employees are fighting back.

...Worksnaps is a piece of software that takes regular screenshots of a worker’s computer screen (with their full knowledge), counts their mouse and keyboard clicks each minute, and even offers the option of capturing webcam images. The customer testimonials are worth reading. One small business owner enthuses that she was able to “find and weed out” workers who were chatting on Facebook even though she was in the US and they were in the Philippines...

There are the drivers who plug cheap GPS jammers from China into the cigarette lighter slots in their vans to confuse their companies’ tracking systems. Or the workers who strap their employer-provided Fitbits on to their dogs to boost their “activity levels” for the day. Remember the business owner who used Worksnaps to monitor her workers in the Philippines? She found they were using programs to fool the software into thinking they were working. Worksnaps had to design a tool to identify the cheaters. more

Estranged Husband Goes Under House to Bug Wife

Australia - A Wilsonton man who suspected his ex-wife was seeing another man "bugged" her home to spy on her, Toowoomba Magistrates Court heard.

The couple had been in a relationship for six years but separated last year, the court heard.

In early October, the woman had started receiving text messages from her 48-year-old estranged husband that she took as threatening and intimidating, police prosecutor Tim Hutton told the court...

...toward the end of the offending period, the victim noticed some of the text messages contained information that only she and a few people close to her knew including the sale of a horse and other private matters, Sergeant Hutton said...

When police spoke with the man on October 24, he readily admitted to having planted a recording device attached to an air-conditioning duct underneath his ex-wife's home which was connected through the floor to a microphone in the woman's bedroom, Sgt Hutton told the court. more

Monday, January 18, 2016

Cyber Crime Costs Projected To Reach $2 Trillion by 2019

‘Crime wave’ is an understatement when you consider the costs that businesses are suffering as a result of cyber crime. ‘Epidemic’ is more like it. IBM Corp.’s Chairman, CEO and President, Ginni Rometty, recently said that cyber crime may be the greatest threat to every company in the world...

In 2015, the British insurance company Lloyd’s estimated that cyber attacks cost businesses as much as $400 billion a year, which includes direct damage plus post-attack disruption to the normal course of business. Some vendor and media forecasts over the past year put the cybercrime figure as high as $500 billion and more...

The World Economic Forum (WEF) says a significant portion of cybercrime goes undetected, particularly industrial espionage where access to confidential documents and data is difficult to spot. [Especially when electronic surveillance and classic corporate espionage techniques are used.] Those crimes would arguably move the needle on the cyber crime numbers much higher.

For anyone who wants to tally their own bill from cyber crime, check out Cyber Tab from Booz Allen. It is an anonymous, free tool that helps information security and other senior executives understand the damage to companies inflicted by cyber crime and attacks. more

CBS 60 Minutes - The Great Brain Robbery... and what to do about it.

The following is a script from "The Great Brain Robbery" which aired on Jan. 17, 2016 by CBS. Lesley Stahl is the correspondent. Rich Bonin, producer.

If spying is the world's second oldest profession, the government of China has given it a new, modern-day twist, enlisting an army of spies not to steal military secrets but the trade secrets and intellectual property of American companies. It's being called "the great brain robbery of America."

The Justice Department says that the scale of China's corporate espionage is so vast it constitutes a national security emergency, with China targeting virtually every sector of the U.S. economy, and costing American companies hundreds of billions of dollars in losses -- and more than two million jobs.

John Carlin: They're targeting our private companies. And it's not a fair fight. A private company can't compete against the resources of the second largest economy in the world. more

Part of the problem (worldwide) are the victims themselves. Many companies view taking steps to protect themselves an expensive annoyance. Corporate espionage is truly a national security issue, for many countries. Countering it requires an enhanced response. The old "punish the spy" solution is lopsided and ineffective. Check here for a new solution. Please spread the word.

Illya Kuryakin Writes a Spy Novel - Welcome back to the genre!

David McCallum — yes, actor of “The Man from U.N.C.L.E.” 
and “NCIS” fame — confidently embarks on a second career in his highly entertaining debut that mixes the espionage novel with the mystery thriller, Once a Crooked Man.

McCallum, 82, is no John le Carre, nor does his “Once a Crooked Man” hero, Harry Murphy, resemble George Smiley or Illya Kuryakin, the role that made the Scottish actor famous. But McCallum respects the genres’ tenets, supplying the right amount of intrigue, violence and sex for a well-plotted, action-packed tale. more

Thursday, January 14, 2016

Do You Have an IoT in the Workplace Policy? (you need one)

via Rafal Los 
It’s the beginning of the year, and for many of us that means hauling in some new gear into the office. Santa continues to bring more widgets and gizmos, and some of that stuff comes to the office with you. I think this is as good a time as any to think about the Internet of Things (IoT) and what it means for your CISO.

We’ve had an Amazon Echo at my house for a while now, since I couldn’t help myself but get on the early adopters list long ago. Truth be told, I love it. Alexa tells me the weather, keeps the twins’ Raffi albums close at hand, and reminds me to buy milk. But since my daughter has discovered her inner spider monkey, she likes to climb up on the cabinet where Alexa lives and likes to talk to her… and pull on the power cable. Also, she once turned the volume up all the way so that when I asked Alexa the weather at 6:30 a.m. I woke up the entire house…whoops. So long story short, Alexa has been unplugged, and I thought … why not take it to the office?

The find.
Here’s the issue — Echo is “always listening” so there’s that question of how welcome she would be in my office where confidential and highly sensitive conversations are a-plenty. Furthermore, Echo streams music and would need my credentials to get wireless network access. I suppose I could just use my personal Wi-Fi hotspot, but that seems like a waste. In case you’re wondering, I opted to not test my CISO’s good will, and Alexa will just have to live with my twins’ abuse. more

This is not a theoretical, I found an Echo in a top executive's office last year. He said it was a gift.

Add an IoT policy to your BYOD policy, and have us check for technical surveillance items and information security loopholes periodically. ~Kevin

American Textile Industry - Woven from Espionage

Samuel Slater, who established the United States' first textile mill in 1793, is widely regarded as the father of America's industrial revolution, having received that very accolade from Andrew Jackson. But American industry may owe as much to his fantastic memory and legally questionable sneakiness as his skill as a machinist and manager. This is the story of how the industrial pioneer earned his other title: "Slater the Traitor."

The ninth of 13 children, Samuel Slater was born in Belper, England in 1768. At age 14, he entered a seven-year apprenticeship agreement with mill owner Jedediah Strutt. He proved a clever, talented young man and quickly became Strutt’s “right hand.” During Slater’s apprenticeship, he learned a great deal about cotton manufacturing and management. He had the opportunity to work on the machines, and saw how Richard Arkwright’s spinning frame—the first water-powered textile machine—was used in large mills. Unfortunately for the ambitious Slater, Strutt had several sons of his own. As a result, Slater would not have a path to advance in the business.

In 1790, Slater decided to leave Strutt’s employment after coming across a Philadelphia newspaper that offered a “liberal bounty” (£100) to encourage English textile workers to come to the United States... Once he arrived in Rhode Island, legend has it that it took him just one year to build the complicated Arkwright machines from memory. Soon they had plenty of thread to sell and Slater’s reputation was secure. In 1793, the newly established Almy, Brown, and Slater company built the mill that would usher in the American industrial revolution. The rest is history. more

EU Law - Yes, the boss can spy on you... and what you can do about it. (updated)

The European Court of Human Rights has ruled that your boss has the right to spy on you at work.

Europe’s top human rights court ordered the handover of transcripts of private conversations by a Romanian worker on Yahoo Messenger. In this case, the employer had warned staff in its company policy that their devices were only to be used for work.

They argued: “It proved that he had used the company’s computer for his own private purposes during working hours.”

But lawyers told the Independent that your employer doesn't have to give you warning before monitoring your private correspondence. "Within the UK you can conduct monitoring without employee consent," said Paula Barrett, partner, head of privacy, at Eversheds. more

UPDATE - No, the European Court of Human Rights did NOT just greenlight spying on employees
The press has got itself carried away with a European court ruling on a labour dispute: workers' private communications are safe. more

Read both articles and decide for yourself. ~Kevin 

Your New IoT Ding-Dong Can Open Your Wi-Fi... to hackers

Getting hacked is bad, but there’s something worse than that: getting hacked because of your own smart doorbell. 

Ring is a popular smart doorbell that allows you to unlock your door from your phone, as well as see and hear visitors via a webcam.

Unfortunately for Ring, that same doorbell meant you could have had your Wi-Fi password stolen in a few minutes if someone cracked into the physical doorbell...

According to Pen Test Partners, the attack was relatively trivial... more

Wednesday, January 13, 2016

What Makes a Trade Secret a Trade Secret?

Article 39 of the Trade-Related Aspects of Intellectual Property Rights Agreement (TRIPS) provides general guidance on necessary conditions for trade secrets:
  • The information must be secret (i.e. it is not generally known among, or readily accessible to, circles that normally deal with the kind of information in question);
  • It must have commercial value because it is a secret; and
  • It must have been subject to reasonable steps by the rightful holder of the information to keep it secret (e.g., through confidentiality agreements, non-disclosure agreements, etc.). more
The "etc." part also includes providing extra security for the information, and the areas where it is generated, stored and used. Periodic Technical Surveillance Countermeasures inspections (TSCM) are a very important part of these conditions. Contact me for more information about this.

The Unofficial World's Record for Arresting Wiretappers Goes to...

Turkey - Thirty people alleged to have illegally wiretapped hundreds of Turkish officials, politicians and journalists were detained in simultaneous operations across the country early Tuesday. 

Suspects are accused of illegally wiretapping the communications of 432 people, including businessmen, journalists and politicians from the ruling Justice and Development (AK) Party, Republican People’s Party Party and the Nationalist Movement Party. more

Today in Spying - Bad Day for Spies

Iran Seizes U.S. Sailors Amid Claims of Spying more

Kuwait sentences two to death for 'spying for Iran' more

North Korea holding U.S. citizen for allegedly spying more

Senior officer quizzed on 'police spying' more

Former Skidmore security guard admits spying on woman more

Indian man sentenced to five years in prison for spying in UAE more

Man accused of spying on female neighbor with homemade selfie stick pleads guilty more