Friday, August 5, 2016

Does dropping malicious USB sticks really work?

Of course it does.
Common sense.  
I warned about this years ago. 
Now, we have empirical evidence!



Research presented this week at BlackHat by Elie Bursztein of Google’s anti-abuse research team shows that the danger is alarmingly real:
  • …we dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives. And oh boy, how effective that was! Of the drives we dropped, 98% were picked up and for 45% of the drives, someone not only plugged in the drive but also clicked on files.
It seems folks just can’t resist picking up a USB stick that they see lying around – Bursztein says that it only took six minutes for the first device that he “lost” to be picked up. One would like to imagine that people are less likely to plug in a USB drive if it is clearly labelled with the owner’s contact details, and that appears to be borne out by the statistics.
On each type of drive, files consistent with the USB stick’s appearance were added. So, “private” files were added to USB sticks that were unlabelled or were attached to keys or a return label, “business” files to sticks marked confidential, etc.

However, in reality each of the files was actually an HTML file containing an embedded image hosted on the researcher’s server. In this way they were able to track when files were accessed. more
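The tracking technique described above (an HTML file whose embedded image is fetched from the researchers' server the moment someone opens the file) is also exactly what a defender can look for before opening anything from an unknown drive. The following Python script is an added example, not code from the study or from this post: it walks a directory, finds HTML files, and reports every tag that would make a browser contact a remote host on open. The tag/attribute list and the two sample files are constructed for the example.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes that make a browser fetch a resource as soon as the
# page is opened. Assumed list for this example; extend as needed.
REMOTE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
}


def _is_remote(url):
    """True for absolute http(s) URLs and protocol-relative (//host/...) URLs."""
    return url.startswith("//") or urlparse(url).scheme in ("http", "https")


class _RemoteRefParser(HTMLParser):
    """Collect (tag, url) pairs for every auto-fetched remote resource."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = REMOTE_ATTRS.get(tag, ())
        for attr, value in attrs:
            if attr in wanted and value and _is_remote(value):
                self.refs.append((tag, value))


def find_remote_references(html_text):
    """Return a list of (tag, url) for remote resources the page would load."""
    parser = _RemoteRefParser()
    parser.feed(html_text)
    return parser.refs


def scan_directory(root):
    """Map each HTML file under root (relative path) to its remote references."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                refs = find_remote_references(fh.read())
            if refs:
                findings[os.path.relpath(path, root)] = refs
    return findings


# Constructed sample files: one carries a 1x1 beacon image, one is local-only.
SAMPLE_BEACON = """<html><body><h1>Final Exam Answers</h1>
<img src="https://tracker.example/beacon.gif?id=drive042" width="1" height="1">
</body></html>"""
SAMPLE_CLEAN = "<html><body><p>Resume</p><img src='photo.jpg'></body></html>"


def demo():
    """Write the samples to a temporary 'drive' and scan it."""
    with tempfile.TemporaryDirectory() as drive:
        with open(os.path.join(drive, "exam_answers.html"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_BEACON)
        with open(os.path.join(drive, "resume.html"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CLEAN)
        return scan_directory(drive)


if __name__ == "__main__":
    for path, refs in demo().items():
        print(path)
        for tag, url in refs:
            print(f"  <{tag}> loads {url}")
```

Run it against a mounted drive by calling `scan_directory("/path/to/drive")` from a machine that is offline; the point is to see the remote reference in the report, not to open the file and trigger the fetch.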

Smartphone Security Alert - "Juice Jacking" or... Getting your phone's brain drained at the airport

“Juice-jacking” as the new travel scam is called, targets desperate travelers in need of a charge. Daniel Smith, a security researcher at Radware explains how this works.

“Attackers can use fake charging stations to trick unsuspecting users into plugging in their device. Once the device is plugged in the user’s data and photos could be downloaded or malware can be written onto the device.”

Hackers can download anything that is on your phone since the charging port is doubling as a data port. We’re talking passwords, emails, photos, messages, and even banking and other personal information via apps.

How to Prevent Juice-Jacking 
“Don’t use public charging stations. more

Solutions...
  • This is a tiny and lightweight external battery that is easy to travel with: Amazon.com
  • Plug into your laptop to charge your phone if you’re traveling with one and don’t have an external charger. 
  • If you absolutely need to use public charging stations you can block the data transfer using SyncStop ($19.99).

More Than 1,000 U.S. Spies Protecting Rio Olympics

U.S. intelligence has assigned more than 1,000 spies to Olympic security as part of a highly classified effort to protect the Rio 2016 Summer Games and American athletes and staff, NBC News has learned.

Hundreds of analysts, law enforcement and special operations personnel are already on the ground in Rio de Janeiro, according to an exclusive NBC News review of a highly classified report on U.S. intelligence efforts.

In addition, more than a dozen highly trained Navy and Marine Corps commandos from the U.S. Special Operations Command are in Brazil, working with the Brazilian Federal Police and the Brazilian Navy, according to senior military officials.

The U.S. military, as expected, has placed larger military units on call should a rescue or counter-terrorism operation be needed, the officials said.

The classified report outlines an operation that encompasses all 17 U.S. intelligence agencies, including those of the armed services, and involves human intelligence, spy satellites, electronic eavesdropping, and cyber and social media monitoring. more

Wednesday, August 3, 2016

Snapping Up Cheap Spy Tools, Nations ‘Monitoring Everyone’

Governments known to stifle dissent with imprisonment and beatings or otherwise abuse their power are buying cheap, off-the-shelf surveillance software that can monitor the phone conversations and track the movements of thousands of their citizens, an Associated Press investigation has found.

Such so-called “lawful intercept” software has been available for years to Western police and spy agencies and is now easily obtained by governments that routinely violate basic rights — outside a short blacklist that includes Syria and North Korea. For less than the price of a military helicopter, a country with little technical know-how can buy powerful surveillance gear. more

Spy Bugs Wrong Phones

An Australian spy earned the nickname 'fat fingers' after he incorrectly bugged multiple phones by entering the wrong numbers. 

The Inspector-General of Intelligence and Security revealed the anecdote during an address at the Australian Policy Institute on Tuesday night, reported Fairfax Media.

She told the story of the time she asked a senior ASIO officer how wrong numbers had been used in multiple telephone intercepts.

"I said: 'How can this happen? There's a whole series of them here.' And the answer was: 'It's fat fingers.'"

more

The Spy Who Turned... female

When the Chevalier d’Eon left France in 1762, it was as a diplomat, a spy in the French king’s service, a Dragoon captain, and a man. When he returned in July 1777, at the age of 49, it was as a celebrity, a writer, an intellectual, and a woman—according to a declaration by the government of France.

What happened? And why? 

The answer to those questions is complex, obscured by layers of bad biography, speculation and rumor, and shifting gender and psychological politics in the years since, as well as d’Eon’s own attempts to re-frame his story in a way that would make sense to his contemporary society. more

Pokemon Go No Go, or What a Great Spy Pretext

The Canadian Armed Forces are warning Pokemon Go players — both in and out of uniform — not to search for Pokemon on military property. 

A spokesperson said military police have reported "Pokemon Go occurrences" at three bases — CFB Borden and 22 Wing North Bay in Ontario, and 14 Wing Greenwood in Nova Scotia — within the first week of the game's release.

"In the interests of public safety, Pokemon Go players must refrain from attempting to access defence establishments without authorization for the purpose of searching for Pokemon,"...

"A Pokemon Go player found on a defence installation who is not authorized to be there could face sanctions including a warning, a citation and fine, or arrest and prosecution." more

Monday, August 1, 2016

Who Might Have Copies of Everyone's "Deleted" Emails?

The National Security Agency (NSA) has “all” of Hillary Clinton’s deleted emails and the FBI could gain access to them if they so desired, William Binney, a former highly placed NSA official, declared in a radio interview broadcast on Sunday.

Speaking as an analyst, Binney raised the possibility that the hack of the Democratic National Committee’s server was done not by Russia but by a disgruntled U.S. intelligence worker concerned about Clinton’s compromise of national security secrets via her personal email use.

Binney was an architect of the NSA’s surveillance program. He became a famed whistleblower when he resigned on October 31, 2001, after spending more than 30 years with the agency. more

Friday, July 29, 2016

Remotely Turning Office Equipment into Bugging Devices

You think about securing your laptop, but what about your desk phone, monitor, or printer?

Ang Cui, who heads up Red Balloon Security in New York City, has a particularly innovative way of hacking these devices. Using a piece of malware called “funtenna,” he’s able to make devices transmit data over radio (RF) signals, and then pick them up with an antenna. He’s basically using software to turn this equipment into bugging devices. more
This is one reason why businesses conduct regularly scheduled bug sweeps (TSCM) of their offices and conference rooms. If you are not plugging these information leaks yet, call me. I'll help you put a protection strategy in place. ~Kevin

Your Weekend Spy Flick—Bourne... again

‘Jason Bourne’: A welcome return for Matt Damon’s spirited spy.

What with all their international adventures through the years, it seems like only a matter of time before Jason Bourne and Ethan Hunt cross paths, whether it be in a crowded town square in Greece or a winding boulevard in Paris — or maybe while the two of them happen to be involved in crazy high-speed chases at the same time.

Hey man. What are YOU doing here?

Just as Tom Cruise continues to carry the “Mission: Impossible” action franchise in his 50s, the 45-year-old Matt Damon still kicks butt in serious fashion in his fourth appearance (and first since 2007) as Jason Bourne in the film of the same name. more trailer movie times

The Cartoon You Won't See in Your Paper Today

"Today's strip that did not run in papers.
Seems harmless to me, but I guess these are sensitive times."
Stephan Pastis
@stephanpastis
Syndicated Cartoonist, Creator of Pearls Before Swine Comic Strip, 
Author of Timmy Failure book series


Thursday, July 28, 2016

Stormy Weather, or Subterranean Homesick Blues at the National Weather Service

If it’s on Facebook, can it be secret?

Members of the National Weather Service Employees Organization (NWSEO) thought they had a secret Facebook page that was available only to them.

But not only did National Weather Service (NWS) management officials know about the page, they accessed it and made scornful comments about the postings, according to the union.

That amounts to “illegal surveillance” of union activities, according to the labor organization’s complaint filed Wednesday with the Federal Labor Relations Authority.

In the past six months, Weather Service officials “engaged in the surveillance of internal union communications about and discussions of protected activities” on the labor organization’s “ ‘secret’ (that is, ‘members only’) Facebook page,” according to the complaint. more sing-a-long

Wednesday, July 27, 2016

Brand-Name Wireless Keyboards Open to Silent Eavesdropping

Wireless keyboards from popular hardware vendors are wide open to silent interception at long distances, researchers have found, without users being aware that attackers can see everything they type.

Bastille Research said the keyboards transmit keystrokes across unencrypted radio signals in the 2.4 GHz band, unlike high-end and Bluetooth protocol keyboards, which transmit data in an encrypted format, making it more difficult for attackers to intercept the scrambled keystrokes.

It means attackers armed with cheap eavesdropping devices can silently intercept what users type at distances of 50 to 100 metres away.

Such interception could reveal users' passwords, credit card numbers, security question replies and other personally sensitive information, Bastille said. Users would have no indication that the traffic between the keyboard and the host computer was intercepted.

Furthermore, attackers could inject keystrokes of their own into the signals, and type directly onto users' computers. Again, the attack would be unnoticeable to users in most cases.

Bastille tested eight keyboards from well-known vendors... more
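To make concrete why an unencrypted keyboard link both leaks keystrokes and accepts injected ones, while an authenticated and encrypted link does neither, here is an added Python simulation. It is not Bastille's code and does not model any vendor's real radio protocol; it uses a demonstration-only construction (HMAC-SHA256 in counter mode as a keystream, an HMAC tag over nonce and ciphertext, and a strictly increasing sequence number for replay protection). The key values and keystroke strings are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo keys; a real device would provision per-pairing random keys.
ENC_KEY = b"demo-enc-key-0000000000000000000"
MAC_KEY = b"demo-mac-key-0000000000000000000"
NONCE_LEN, TAG_LEN = 8, 16


def _keystream(key, nonce, length):
    """Demo-only keystream: HMAC-SHA256(key, nonce || counter) in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class Keyboard:
    """Transmitter side: emits either raw or protected frames."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.seq = enc_key, mac_key, 0

    def send_plain(self, keystrokes):
        # What the tested keyboards do: the bytes on the air are the keystrokes.
        return keystrokes.encode()

    def send_protected(self, keystrokes):
        self.seq += 1
        nonce = struct.pack(">Q", self.seq)  # never repeats for this key
        ct = _xor(keystrokes.encode(), _keystream(self.enc_key, nonce, len(keystrokes)))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        return nonce + ct + tag


class Host:
    """Receiver side: verifies tag, rejects replays, then decrypts."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.last_seq = enc_key, mac_key, 0

    def receive_protected(self, frame):
        if len(frame) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified frame: nothing is typed
        seq = struct.unpack(">Q", nonce)[0]
        if seq <= self.last_seq:
            return None  # replayed frame: nothing is typed
        self.last_seq = seq
        return _xor(ct, _keystream(self.enc_key, nonce, len(ct))).decode()


def simulate():
    """Compare what an eavesdropper/injector gets against each link type."""
    kb, host = Keyboard(ENC_KEY, MAC_KEY), Host(ENC_KEY, MAC_KEY)
    results = {}
    # Unprotected link: the air interface carries the typed text verbatim.
    results["plain_readable"] = kb.send_plain("password123").decode() == "password123"
    # Protected link: the frame hides the text, and the paired host recovers it.
    frame = kb.send_protected("password123")
    results["protected_hides_text"] = b"password123" not in frame
    results["host_decrypts"] = host.receive_protected(frame) == "password123"
    # Re-sending a captured frame is refused by the sequence check.
    results["replay_rejected"] = host.receive_protected(frame) is None
    # Flipping one ciphertext bit breaks the tag, so no keystroke is accepted.
    tampered = bytearray(frame)
    tampered[NONCE_LEN] ^= 0x01
    results["tamper_rejected"] = host.receive_protected(bytes(tampered)) is None
    # A frame built without the pairing keys is refused as well.
    forged = Keyboard(b"wrong-key", b"wrong-mac").send_protected("x")
    results["forged_rejected"] = host.receive_protected(forged) is None
    return results


if __name__ == "__main__":
    for check, ok in simulate().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The keystream construction here is only to keep the example dependency-free; a product would use a proper AEAD such as AES-GCM with per-pairing keys, and the sequence counter (or a nonce the host can verify as fresh) is what stops captured frames from being played back.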

Longtime Security Scrapbook readers may remember my warnings about this beginning in 2007...
https://spybusters.blogspot.com/2007/12/wireless-keyboard-interception.html  
https://spybusters.blogspot.com/2007/12/program-discovers-at-risk-wireless.html
https://spybusters.blogspot.com/2009/01/old-news-still-scary-bugged-keyboards.html

The DNC Hack — Worse than Watergate

A foreign government has hacked a political party’s computers—and possibly an election. It has stolen documents and timed their release to explode with maximum damage. It is a strike against our civic infrastructure. And though nobody died—and there was no economic toll exacted—the Russians were aiming for a tender spot, a central node of our democracy...

What’s galling about the WikiLeaks dump is the way in which the organization has blurred the distinction between leaks and hacks. Leaks are an important tool of journalism and accountability. When an insider uncovers malfeasance, he brings information to the public in order to stop the wrongdoing. That’s not what happened here.

The better analogy for these hacks is Watergate. To help win an election, the Russians broke into the virtual headquarters of the Democratic Party. The hackers installed the cyber-version of the bugging equipment that Nixon’s goons used—sitting on the DNC computers for a year, eavesdropping on everything, collecting as many scraps as possible.

This is trespassing, it’s thievery, it’s a breathtaking transgression of privacy. more

Tuesday, July 26, 2016

Judge Flicks Off Uber and its Phony Private Eye

A strange side-show battle over snooping charges came to an end Monday when a judge in federal court ruled that Uber Technologies and its CEO Travis Kalanick could not use background information it dug up on a passenger who brought a price-fixing suit against Kalanick.

Judge Jed Rakoff said Ergo, the Manhattan-based firm Uber hired to conduct the investigation into the plaintiff and his lawyer, "engaged in fraudulent and arguably criminal conduct." Ergo was not licensed to conduct private investigations in New York state and its operative interviewed subjects under phony pretexts. He may also have violated state laws by taping the interviews without subjects' consent.

"It is a sad day," Rakoff began the 31-page opinion, "when, in response to the filing of a commercial lawsuit, a corporate defendant feels compelled to hire unlicensed private investigators to conduct secret personal background investigations of both the plaintiff and his counsel."

Uber declined to comment. more