Sunday, May 15, 2016

Spycam Found in Hospital Bathroom

Harris Health Systems is confirming that a hidden camera was found in a staff restroom at Ben Taub General Hospital. 

Hospital staff turned the camera over to Houston police.

Harris Health Systems oversees the county's public hospitals, including Ben Taub.

Kese Smith of the Houston Police Department said Thursday that the camera was found concealed inside a fifth floor restroom at the hospital which is used mostly by staff but is also sometimes accessed by the public.

It was not immediately known what kind of camera was found or how long it had been in the staff restroom. more

Thursday, May 12, 2016

Alarming Security Defects in SS7, the Global Cellular Network—and How to Fix Them

The global network that transfers calls between mobile phone carriers has security defects that permit hackers and governments to monitor users’ locations and eavesdrop on conversations.

Courtesy ESD America
As more reports of these activities surface, carriers are scrambling to protect customers from a few specific types of attacks.

The network, called Signaling System 7, or SS7, is a digital signaling protocol that mobile phone carriers including AT&T, T-Mobile, and Sprint use to send messages to each other about who is a subscriber, where subscribers are located, and how calls should be routed to reach them.

SS7 began as a closed network shared among a few major mobile phone carriers, but grew porous as more carriers joined. Hackers and governments can now gain access by purchasing rights from a carrier (which many are willing to provide for the right price) or infiltrating computers that already have permission. more

One security firm advises:
"...we have two products that represent the world’s first comprehensive solution against
SS7 attacks: ESD Oversight Protect & ESD Oversight Detect. SS7 Network Penetration testing is
also available to carriers around the world who recognize the need to ensure their networks and their
subscribers are protected from the potential damaged these vulnerabilities expose."


Extra Credit — Ghosts in the Network: SS7 and RF Vulnerabilities in Cellular Networks — a presentation given at RSA Conference 2016

Tuesday, May 10, 2016

Med Students Caught Cheating with Spycams & Smart Watches

A top Thai medical college has caught students using spy cameras linked to smartwatches to cheat during exams in what some social media users have compared to a plot straight out of a Mission: Impossible movie.

Key points:
  • Thai students caught using spyglasses to send images of exam questions to accomplices
  • Accomplices sent answers back to students' smartwatches
  • Students paid 800,000 baht ($31,000) for equipment, answers
Arthit Ourairat, the rector of Rangsit University, posted pictures of the hi-tech cheating equipment on his Facebook page, announcing that the entrance exam in question had been cancelled after the plot was discovered.

Three students used glasses with wireless cameras embedded in their frames to transmit images to a group of as yet unnamed people, who then sent the answers to the smartwatches.

Mr Arthit said the trio had paid 800,000 baht ($31,000) each to the tutor group for the equipment and the answers.

"The team did it in real-time," Mr Arthit wrote. more

Checklist for Admissibility of Electronic Evidence


by Paul W. Grimm & Kevin F. Brady

HOPE Cranks it to Eleven this Summer - Tickets on Sale Now

Hackers On Planet Earth (HOPE) holds their 11th gathering July 22-24 in New York City.

Cory Doctorow is on tap to be their first keynote speaker.

Cory Doctorow (craphound.com) is a science fiction novelist, blogger, and technology activist. He is the co-editor of the popular weblog Boing Boing (boingboing.net), and a contributor to The Guardian, Publishers Weekly, Wired, and many other newspapers, magazines, and websites. (He even wrote an article for 2600 under a different name many years ago!) He is a special consultant to the Electronic Frontier Foundation (eff.org), you know, those superheroes who defend freedom in cyberspace on a daily basis. more

Why "Eleven"? The same reason Tesla auto sound systems peak at Eleven! video

The End of "A Little Bird Told Me"

At Twitter’s behest, US intelligence agencies have lost access to Dataminr, a company that turns social media data into an advanced notification system, according to the Wall Street Journal. While that may sound like a win for privacy, it’s a bit more complicated in practice.

The move leaves government officials without a valuable tool. Somewhat less clear is what sort of stand, if any, Twitter is taking...

“From the government perspective, it’s a good tool, because it gives real-time alerts to things that are happening before anyone really knows what’s going on,” says Aki Peritz, a former CIA counterterrorism expert and current adjunct professor at American University. “We want to allow law enforcement and the intelligence services to know bad things are happening in real time.” more

It's time to make peace with passwords. This free guide will help.

By now we're all well aware of what makes a bad password … it's us. 

A glance at SplashData's annual reporting on the world's worst passwords shows just how laughably bad at creating passwords us humans really are. But what's worse, as Steve Ragan's analysis of leaked passwords shows, is that many passwords on the naughty list adhere to the carefully crafted password policies in use in companies today.

How can security leaders do better? For one thing, we can stop blaming users, says Michael Santarcangelo. Instead, we can focus on providing them with technology that makes the job easier.

That's where this guide comes in. more

US Government Study of Spyware - Possible Precursor to New Laws

Why GAO Did This Study
Smartphone tracking apps exist that allow a person to not only surreptitiously track another person’s smartphone location information, but also surreptitiously intercept the smartphone’s communications—such as texts, e-mails, and phone calls. This type of monitoring—without a person’s knowledge or consent—can present serious safety and privacy risks...

The federal government has undertaken educational, enforcement, and legislative efforts to protect individuals from the use of surreptitious tracking apps, but stakeholders differed over whether current federal laws need to be strengthened to combat stalking. Educational efforts by the Department of Justice (DOJ) have included funding for the Stalking Resource Center, which trains law enforcement officers, victim service professionals, policymakers, and researchers on the use of technology in stalking. With regard to enforcement, DOJ has prosecuted a manufacturer and an individual under the federal wiretap statute for the manufacture or use of a surreptitious tracking app.

Some stakeholders believed the federal wiretap statute should be amended to explicitly include the interception of location data and DOJ has proposed amending the statute to allow for the forfeiture of proceeds from the sale of smartphone tracking apps and to make the sale of such apps a predicate offense for money laundering. Stakeholders differed in their opinions on the applicability and strengths of the relevant federal laws and the need for legislative action. Some industry stakeholders were concerned that legislative actions could be overly broad and harm legitimate uses of tracking apps. However, stakeholders generally agreed that location data can be highly personal information and are deserving of privacy protections. more full study

Wednesday, April 27, 2016

CBRE Made the Forbes Best Employers List - Partly with Good Infosec

via Forbes, April 19, 2016...
Cone of Silence chairs + a Clear Desk Policy = Security, and a competitive advantage in the eyes of their customers. Smart.

CBRE Group, Inc. is an American commercial real estate company with headquarters in Los Angeles, California. As of its successful 2011 bid to acquire part of ING, CBRE was the world's largest real estate investment manager. Wikipedia

Monday, April 25, 2016

Please tell us that You Didn't Sign a "Monitoring Consent Form"

via mobipicker.com...

"We will look at an app called xnspy that is used for spying on Android phones since a lot of businesses are starting to focus on employee productivity during office hours, more and more companies have implemented signing of monitoring consent forms as a part of their hiring process. They then give their employees company-owned smartphones/tablets with a pre-installed monitoring app. 

When it comes to tracking and monitoring for use by businesses and for spying on Android phones, we found xnspy to be the torch bearer. It has all the fundamental features that such an app should have, it has a small footprint, it’s discrete, does not use up resources. All these factors count a lot when it comes to monitoring and tracking, it would be a nightmare for the device user if the app slowed down the device and drained the battery.

Xnspy works in the background providing the app user with data such as call records and recordings, text messages from SMS, IM Chats and emails, a complete list of Contacts stored on the device along with a list of all installed apps. Besides these functions the app provides the browsing history and bookmarks of the device user; it also gives the location history of where the device has been. 

All of this is made accessible through a web-based dashboard that can be virtually accessed from anywhere in the world. The app user can use a single dashboard to control multiple devices. Xnspy offers two packages a Basic Edition and a Premium Edition." more

Edward Snowden Will Sue Norway

Edward Snowden will sue Norway in an attempt to secure free travel to the country, a Norwegian law firm representing him told Reuters Thursday.

The ex-contractor at the U.S. National Security Agency (NSA) has been invited to Norway to receive an award for his work defending free speech, but his attorneys said he is worried that traveling there would allow the Norwegian government to extradite him to the U.S., where he is wanted on charges of espionage.

The Norwegian branch of the global organization of writers PEN International, which hopes to give Snowden the free speech award, said in a statement that “we will do our utmost to ensure that Snowden may receive the prize in person.” more

Finally, an American Spy is Honored – Show Us the Money

It took nearly a century to get a woman on the front of the $20 bill, but only about a year for a small New Jersey company to contribute a vital two cents to the effort.

Since April 2015, Montclair-based Mosaic Strategies Group has helped manage a website for Women on 20s to make the country's currency co-ed — one that finally paid off big last week when the U.S. Treasury announced Harriet Tubman would replace Andrew Jackson on the $20 bill.

Gov. Chris Christie...
"As long as the $20 bill still works when I hand it to somebody, I quite frankly don't really care who's on it," Christie said Friday. more

True to its nature, Comedy Central’s Drunk History, shed some light on a lesser-known chapter of Tubman’s life in a September 2015 episode entitled “Spies.”

In one segment, ... a slightly inebriated Crissle West relates Tubman’s less-heralded exploits. “Harriet Tubman does not get her just due,” West explains. “You hear her name and think she led the slaves to freedom. But you most certainly do not know that she was a spy for the Union.” more

Did Edison Also Invent Corporate Spying?

He's known for the light bulb, recordings, motions pictures and discoveries too numerous to mention. But did Thomas Edison also condone corporate spying on his enemies? Did he help create corporate espionage? 

While he may not have invented it ... information from one of his employees can certainly be interpreted that way.

McCoy is on the left.
That employee was Joseph F. McCoy, who was hired at 20 years of age to work for the Edison Company. Not much is known about him except some basic details, but as Sloat-Olsen told the story of his jobs over the years, McCoy emerges as a shadowy figure, but influential in numerous ways...

In electric light dealings, companies like American Electric, U.S. Electric Company and Westinghouse were all on Edison's radar, so Sloat-Olsen says McCoy was sent to work at each of those companies, without their knowing he was an Edison employee, to find out about their plans or if they could be bought out. more

DIY - Tiny FM Spy Bug for Under $20.

from the creator...
"I wanted to know how small a FM spy bug could be build when manually assembled.

This is what I came up with, it measures about 0.05 square inches and is powered by a single 1.55V silver oxide battery.

Frankly, this is just a fun object, I don`t have a practical use for it.

I`m sure professionally made spy bugs could even be smaller and work at higher frequencies which allows the antenna to be made smaller." more

The complete instructions and Gerber files (for PCB manufacturing) for this FM spy bug are available on Gumroad and Payhip:
https://gum.co/GRouL
https://payhip.com/b/YXVd