Thursday, April 7, 2016

Proof Almost 50% of People are Computer Security Morons

In what’s perhaps the most enthralling episode of the hacker drama Mr. Robot, one of F-Society’s hackers drops a bunch of USB sticks in the parking lot of a prison in the hopes somebody will pick one up and plug it into their work computer, giving the hackers a foothold in the network. Of course, eventually, one of the prison employees takes the bait.

Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year.

As it turns out, it really works. In a new study, the researchers estimate that at least 48 percent of people will pick up a random USB stick, plug it into their computers, and open files contained in them. Moreover, practically all of the drives (98 percent) were picked up or moved from their original drop location. Very few people said they were concerned about their security. Sixty-eight percent of people said they took no precautions... more

The Voyeur Who Bought A Hotel To Spy On His Guests

A historically interesting essay in The New Yorker, and a cautionary tale.

Erin Andrews was not the first victim of hotel voyeurism, and she won't be the last. more

Wednesday, April 6, 2016

A Wi-Fi that Knows Where You Are

There's a lot of buzz around "smart home" products and the convenience of advanced automation and mobile connectivity. However, new research may soon be able to add extra emphasis on "smart" by enhancing wireless technology with greater awareness. A team at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) has developed a system that enables a single wireless access point to accurately locate users down to a tenth of a meter, without any added sensors.

Wireless networks are good at quickly identifying devices that come within range. Once you link several access points together, it becomes possible to zero in on someone's position by triangulation. But this new wireless technology – dubbed "Chronos" – is capable of 20 times the accuracy of existing localization methods. Through experiments led by Professor Dina Katabi, Chronos has been shown to correctly distinguish individuals inside a store from those outside up to 97 percent of the time, which would make it easier for free Wi-Fi in coffee shops to be a customer-only affair, for example.

A paper on the research was recently presented at the USENIX Symposium on Networked Systems Design and Implementation (NSDI '16).  more

Monday, April 4, 2016

A $40 Attack that Steals Police Drones from 2km Away

Black Hat Asia IBM security guy Nils Rodday says thieves can hijack expensive professional drones used widely across the law enforcement, emergency, and private sectors thanks to absent encryption in on-board chips.

Rodday says the €25,000 (US$28,463, £19,816, AU$37,048) quadcopters can be hijacked with less than $40 of hardware, and some basic knowledge of radio communications.

With that in hand attackers can commandeer radio links to the drones from up to two kilometres away, and block operators from reconnecting to the craft.

The drone is often used by emergency services across Europe, but the exposure could be much worse; the targeted Xbee chip is common in drones everywhere and Rodday says it is likely many more aircraft are open to compromise. more

Sunday, April 3, 2016

19 Years Ago: Economic Espionage in America - Booknotes Interview on C-Span

A fascinating video interview with the author of Economic Espionage in America.
As relevant today as it was in 1997.


YouTube.com description: "Industrial espionage, economic espionage or corporate espionage is a form of espionage conducted for commercial purposes instead of purely national security. Economic espionage is conducted or orchestrated by governments and is international in scope, while industrial or corporate espionage is more often national and occurs between companies or corporations." more

UK Launches National Cyber Security Centre

UK - Setting out in stark terms that the UK faces a growing threat of cyber-attacks from “states, serious crime gangs, hacking groups as well as terrorists”, 


Cabinet Office Minister Matthew Hancock announced the launch of the National Cyber Security Centre (NCSC)...

Led by current Director General for Cyber at GCHQ, Ciaran Martin, the NCSC has been set up to ensure that people, public and private sector organisations and the critical national infrastructure of the UK are safer online. It will bring the UK’s cyber expertise together to transform how the UK tackles cyber security issues and seeks to establish itself as the authoritative voice on information security in the UK. more

Dating Deck Stacked with Secret Eavesdrop Feature

Boompi works like most other dating apps...

Here’s the catch: If you’re a girl, you can invite your female friends to secretly join your private conversations, without your potential suitors ever knowing. 

If you’re a girl on Boompi and you start a chat with someone, you can invite your girl friend to eavesdrop on that conversation at any time. 

Your friend will be able to see every message sent since the beginning of the chat, and leave their own comments in the conversation, which only you will be able to see. And if you aren’t interested in finding a date and only want to read your friends’ chats, you can do that too—Boompi allows female users to use “Ghost Mode,” which makes sure guys never see their profile. more

Corporate Espionage: Move to Zap Zillo for $2 Billion

One of the most contentious fights in the history of real estate listings is going nuclear, thanks to a “staggering” claim of damages from Move in its trade secret theft lawsuit against Zillow.

According to legal documents obtained by HousingWire, Move, which operates Realtor.com for the National Association of Realtors, is claiming that Zillow owes the company $2 billion in damages over allegations of trade secret theft involving Errol Samuelson, who was once Move's chief strategy officer...

Move filed suit against Zillow after Samuelson left, alleging that Samuelson and Zillow stole trade secrets and proprietary information, and that they then made efforts to cover up the alleged theft...

The original lawsuit alleged breach of contract, breach of fiduciary duty and misappropriation of trade secrets and accused Samuelson of misappropriating trade secret information by acquiring it using improper means, and by copying it without authorization.

“Plaintiffs (Move) have asserted a huge case,” Zillow notes in the legal filing. “They claim $2 billion in damages, assert 46 separate trade secrets (not including the 1000-plus documents claimed as trade secrets in their entirety) and have assigned at least 29 different lawyers to prosecute their claims.”  more

Spy Agency Few Know Gets Free Land for HQ

A US spy agency's new $1.7 billion western headquarters will be constructed in St Louis, Missouri...

NGA Campus East, the headquarters of the agency
The National Geospatial-Intelligence Agency (NGA) hopes to build its new western HQ in north St Louis, where it was offered free land...

So what exactly is the NGA?

The NGA is part of the Department of Defense and works with the CIA and the Air Force to provide intelligence that is largely geographical in nature...

According to the NGA, "anyone who sails a U.S. ship, flies a U.S. aircraft, makes national policy decisions, fights wars, locates targets, responds to natural disasters, or even navigates with a cellphone relies on NGA." more

Saturday, April 2, 2016

The Erin Andrews $55,000,000 verdict: Can it happen to your property?

by David C. Tryon - Porter Wright Morris & Arthur LLC

If you own or manage a hotel or inn, the Erin Andrews $55,000,000 verdict probably caught your attention. You wonder, “could that happen to my hotel?” Yes it can...

One fact which has not been widely reported is that Andrews’ room was allegedly on a “secure floor” – a designation which likely has varying meanings to property owners and guests. Barrett was able to use his immediate proximity to tamper with the peep hole on Andrews door at an ideal time – allowing him to see from the outside in. A disturbing reality is that anyone can do this with a readily available $60 (or $12.99) device. Barrett then videoed Andrews nude in her room without being detected by the hotel staff. He later posted the video on the Internet, which subsequently went viral...

So, what steps can you take to prevent something like this from happening to your property? Start by having a very direct conversation with your staff about your security measures. Assess what efforts you have in place and if those efforts should be enhanced. Ask yourself these questions... more

PS - Hotels are not the only vulnerable targets. The term "property" easily expands to include: country clubs, gyms, schools, hospitals, and more. In fact, all corporate locations offering rest room / maternity room / changing room / shower and locker room facilities to their employees and visitors is at risk. 

The best first steps to protecting yourself and your company:
1. Have a written Recording in the Workplace Policy in place.
2. Train security and facilities employees how to conduct inspections for spycams.
3. Conduct in-house spy camera inspections periodically, and document your efforts.

Friday, April 1, 2016

Spycam Lawsuit: Female Oil Rig Worker Sues for $1 Million

It looked like a normal clothing hook -- small and unsuspecting, mounted on the back door of her sleeping quarters on the Transocean Deepwater oil rig.

But to her, for some reason it just didn't feel right.

"The rooms are pretty bare and minimum, so when you notice something that's different, it kind of sticks out to you."

Though 26, she'd been on plenty of rigs before. In fact, she'd spent much of her life dedicated to working offshore in the Gulf of Mexico. But she says she'd never seen something like this.
"It was out of place."

She dismissed the weird feeling and thought to herself, "Well, it must just be extra storage."
That was a Friday in August 2015. Four days later, the hook was gone. more

Thursday, March 31, 2016

Security Director Alert: 20,000 Printers Under the Siege

The notorious hacker and troll Andrew Auernheimer, also known as “Weev,” just proved that the Internet of Things can be abused to spread hateful propaganda.

On Thursday, Auernheimer used two lines of code to scan the entire internet for insecure printers and made them automatically spill out a racist and anti-semitic flyer. 

Hours later, several people started reporting the incident on social media, and eventually a few local news outlets picked up on the story when colleges and universities all over the United States found that their network printers were spilling out Auernheimer’s flyer.

Auernheimer detailed this “brief experiment,” as he called it, in a blog post on Friday. Later, in a chat, he said that he made over 20,000 printers put out the flyer, and defended his actions. more

Imagine the chaos if he sent a more realistic version of the coupon shown above, or false documents to internal company printers. Make sure all printers associated with your company operate in a secure manner – internal and home office units. Don't forget to check for insecure Wi-Fi settings as well. Need help? Call me.

Scary Password Stats

Market Pulse Survey 
Click to enlarge.
Reveals Growing Security Negligence in the Workplace 
Despite Employees’ Concern Over Risk to Personal Data 
more 

Yes, 1 in 5 would sell their passwords... and it only take one to spring a leak.  ~Kevin

Business Espionage: Guaranteed Rate Hit with $25M Judgment

A jury awarded Mount Olympus Mortgage Co. more than $25 million in a lawsuit alleging "corporate espionage" by former employee Benjamin Anderson and his new employer, Guaranteed Rate.

Anderson and another former Mount Olympus originator who now works for Guaranteed Rate, Brian Decker, were accused of stealing loan files, borrower information and other proprietary data from the Irvine, Calif.-based lender.

"The purpose of the scheme was to divert hundreds of MOMCo loan customers to Guaranteed. The Individual Defendants misappropriated MOMCo's confidential and proprietary information and directed MOMCo customers to Guaranteed," the lawsuit, filed in an Orange County, Calif., superior court, reads.

The complaint alleges the pair acted with the encouragement of Chicago-based Guaranteed Rate. more

Surveillance Self-Defense 101: A teach-in for activists

On Sunday, April 3, 

EFF will co-host a free workshop on surveillance self-defense with local grassroots groups in New York and Brooklyn. The workshop will be open to the public, though particularly structured for activists supporting social movements.

Participants need not wield technical expertise to attend this session, which is geared towards regular smartphone and laptop users. EFF's Shahid Buttar will facilitate a teach-in and skill-share on surveillance, some immediate and practical steps you can take to protect your communications, and how to work with neighbors to inform surveillance policy at the state and local level. An EFF staff technologist will remotely join for a question & answer session. more