Researchers have devised a new way to siphon data out of an infected computer even when it has been physically disconnected from the Internet to prevent the leakage of sensitive information it stores.
The method has been dubbed "DiskFiltration" by its creators because it uses acoustic signals emitted from the hard drive of the air-gapped computer being targeted. It works by manipulating the movements of the hard drive's actuator, which is the mechanical arm that accesses specific parts of a disk platter so heads attached to the actuator can read or write data.
By using so-called seek operations that move the actuator in very specific ways, it can generate sounds that transfer passwords, cryptographic keys, and other sensitive data stored on the computer to a nearby microphone. The technique has a range of six feet and a speed of 180 bits per minute, fast enough to steal a 4,096-bit key in about 25 minutes. more
Solution: Upgrade to a solid state drive.
Friday, August 12, 2016
Mom Alerted - Daughters' Bedroom Nanny Cam Streaming on Internet
A mother from Texas was horrified to learn that the cameras she used to keep watch on her 8-year-old girls had been hacked and were being live streamed on the internet.
She made the appalling discovery after she found a screenshot posted by another woman on a Facebook group for Houston Mothers, who was trying to alert mothers after stumbling across a free app ‘Live Camera Viewer.’ ...
According to security experts, her private cameras had been hacked by accessing the household’s IP address through her daughter’s iPad whilst she was playing a video game, and was consequently live streamed to an online feed.
The feed, which is sorted according to the number of ‘likes’ that users give, had been available since July, and had 571 ‘likes,’ meaning at least that many people had been watching it over the course of the stream. more
Wednesday, August 10, 2016
IT Guy Pleads Not Guilty to Eavesdropping Charge — Recordings Found
IL - The technology director of Abingdon-Avon schools pleaded not guilty to charges of eavesdropping Tuesday at a hearing.
Mark L. Rogers, 56, of Abingdon, is on paid administrative leave from Abingdon-Avon School District 276 and has been charged with three felony counts of eavesdropping. Abingdon Police Chief Kenneth Jones testified...
Jones said authorities found that Rogers had installed a webcam in his office that was not part of the school system. Authorities found a "number of videos collected from February 2016," including one of a meeting between Rogers and Drew Witherall, who was assistant technology director at the time. Witherall said he was unaware of the Feb. 11 recording. more
Car Key Fobs — Wireless = Useless
...a team of researchers from the University of Birmingham and the German engineering firm Kasper & Oswald plan to reveal two distinct vulnerabilities they say affect the keyless entry systems of an estimated nearly 100 million cars.
One of the attacks would allow resourceful thieves to wirelessly unlock practically every vehicle the Volkswagen group has sold for the last two decades, including makes like Audi and Škoda. The second attack affects millions more vehicles, including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.
Both attacks use a cheap, easily available piece of radio hardware to intercept signals from a victim’s key fob, then employ those signals to clone the key. The attacks, the researchers say, can be performed with a software defined radio connected to a laptop, or in a cheaper and stealthier package, an Arduino board with an attached radio receiver that can be purchased for $40. “The cost of the hardware is small, and the design is trivial,” says Garcia. “You can really build something that functions exactly like the original remote.”
...they were able to extract a single cryptographic key value shared among millions of Volkswagen vehicles. By then using their radio hardware to intercept another value that’s unique to the target vehicle and included in the signal sent every time a driver presses the key fob’s buttons, they can combine the two supposedly secret numbers to clone the key fob and gain access to the car. “You only need to eavesdrop once,” says Birmingham researcher David Oswald. “From that point on you can make a clone of the original remote control that locks and unlocks a vehicle as many times as you want.” more
original paper
Quote of the Week
"We have never had absolute privacy in this country." ~FBI Director James Comey more
Pokemon Go — The Story Behind the Story
The suddenly vast scale of Pokemon Go adoption is matched by the game’s aggressive use of personal information. Unlike, say, Twitter, Facebook, or Netflix, the app requires uninterrupted use of your location and camera — a “trove of sensitive user data,” as one privacy watchdog put it in a concerned letter to federal regulators.
All the more alarming, then, that Pokemon Go is run by a man whose team literally drove one of the greatest privacy debacles of the internet era, in which Google vehicles, in the course of photographing neighborhoods for the Street View feature of the company’s online maps, secretly copied digital traffic from home networks, scooping up passwords, email messages, medical records, financial information, and audio and video files.
Before Niantic Labs CEO John Hanke was the man behind an unfathomably popular smartphone goldmine, he ran Google’s Geo division, responsible for nearly everything locational at a time when the search company was turning into much more, expanding away from cataloging the web and towards cataloging every city block on the planet.
Hanke landed at Google after his wildly popular (and admittedly very neat) CIA-funded company Keyhole, which collected geographic imagery, was acquired in 2004 and relaunched as Google Earth in 2005. more
Tuesday, August 9, 2016
What Has More Privacy Than the Invisible iPhone Screen?
Inventor Builds Invisible iPhone Screen for Covert Viewing
A Kurdish inventor builds a secret screen for the iPhone that enables only the user to see the contents by wearing special glasses.
It's a problem many of us have faced - how to stop prying eyes peeking at what's on our phone screen. But an inventor in Turkey claims to have solved it. Celal Goger has invented a secrecy screen that turns iPhones invisible. Only the wearer of these glasses can see the screen. The magic is in a chip that enables the glasses to communicate with the phone...
"The mobile's screen is completely white, nothing can be seen, you can't see the menu. He gave me the glasses and, when I put them on, I saw the complete menu. If I had this on my mobile, nobody would see what I'm looking at or which apps I'm using when I'm commuting."
His next plan is to invent a nanochip that can fit any glasses and turn the screen visible or invisible with a single button. more
Tapes Could Compel Major Fox News Settlement
A settlement with former Fox News host Gretchen Carlson over alleged sexual harassment by Roger Ailes, the network's former chairman, is expected to reach eight figures. The reason: There are audio tapes of conversations between several female employees and Ailes, who resigned last month. A settlement would most likely keep the tapes private. more
Monday, August 8, 2016
Android Bug May Affect 900 Million Smartphones
The bugs were uncovered by Checkpoint researchers looking at software running on chipsets made by US firm Qualcomm.
Qualcomm processors are found in about 900 million Android phones, the company said...
Affected devices included:
- BlackBerry Priv
- Blackphone 1 and Blackphone 2
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- US versions of the Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
In response, Qualcomm is believed to have created patches for the bugs and started to use the fixed versions in its factories. It has also distributed the patches to phone makers and operators. However, it is not clear how many of those companies have issued updates to customers' phones.
Checkpoint has created a free app called QuadRooter Scanner that can be used to check if a phone is vulnerable to any of the bugs, by looking to see if the patches for them have been downloaded and installed. more
Here's What Eavesdroppers See When You Use Unsecured Wi-Fi Hotspots
You’ve probably read at least one story with warnings about using unsecure public Wi-Fi hotspots, so you know that eavesdroppers can capture information traveling over those networks. But nothing gets the point across as effectively as seeing the snooping in action. So I parked myself at my local coffee shop the other day to soak up the airwaves and see what I could see.
My intent wasn't to hack anyone's computer or device—that's illegal—but just to listen. It’s similar to listening in on someone’s CB or walkie-talkie radio conversation. Like CBs and walkie-talkies, Wi-Fi networks operate on public airwaves that anyone nearby can tune into.
As you'll see, it’s relatively easy to capture sensitive communication at the vast majority of public hotspots—locations like cafes, restaurants, airports, hotels, and other public places. You can snag emails, passwords, and unencrypted instant messages, and you can hijack unsecured logins to popular websites. Fortunately, ways exist to protect your online activity while you’re out-and-about with your laptop, tablet, and other Wi-Fi gadgets. I'll touch on those, too. more
PS - The author, Eric Geier, also provides a very good "How to use Wi-Fi hotspots securely" checklist. ~Kevin
Mayor Charged: Strip Poker, Alcohol, Eavesdropping... with minors
CA - Stockton Mayor Anthony Silva was arrested Thursday at his youth camp on charges that he played strip poker with a minor and provided youngsters with alcohol, according to authorities...
The 42-year-old mayor stands accused of one felony count of making an illegal recording and one misdemeanor count each of providing alcohol to a minor, cruelty to a child by endangering their health and contributing to the delinquency of a minor...
Amador County District Attorney Todd Riebe said the strip poker game occurred in Silva’s bedroom at the camp.
According to prosecutors, one of the participants was a 16-year-old boy. Prosecutors alleged that the audio was recorded secretly and that a “surreptitious recording clearly indicates that the participants did not want to be recorded.”
Witnesses also informed FBI agents that Silva provided alcohol to the poker game participants, all of whom were underage. Witnesses stated also that Silva had supplied alcohol and made it available to a number of underage counselors at the camp, according to officials.
Included in the evidence were details of a prior episode in which Silva audiotaped a conversation with a Stockton city employee without their consent, officials said. Prosecutors said that another witness told investigators that Silva had cameras installed in his bedroom and at the Stockton Kid's Club. more
http://documents.latimes.com/complaint-against-stockton-mayor-anthony-silva/
Labels: amateur, dumb, eavesdropping, employee, government, lawsuit, political
Friday, August 5, 2016
Does dropping malicious USB sticks really work?
Of course it does.
Common sense.
I warned about this years ago.
Now, we have empirical evidence!
Research presented this week at BlackHat by Elie Bursztein of Google’s anti-abuse research team shows that the danger is alarmingly real:
- …we dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives. And Oh boy how effective that was! Of the drives we dropped, 98% were picked up and for 45% of the drives, someone not only plugged in the drive but also clicked on files.
On each type of drive, files consistent with the USB stick’s appearance were added. So, “private” files were added to USB sticks that were unlabelled or were attached to keys or a return label, “business” files to sticks marked confidential, etc.
However, in reality each of the files was actually an HTML file containing an embedded image hosted on the researcher’s server. In this way they were able to track when files were accessed. more
Smartphone Security Alert - "Juice Jacking" or... Getting your phone's brain drained at the airport.
“Juice-jacking,” as the new travel scam is called, targets desperate travelers in need of a charge. Daniel Smith, a security researcher at Radware, explains how this works.
“Attackers can use fake charging stations to trick unsuspecting users into plugging in their device. Once the device is plugged in the user’s data and photos could be downloaded or malware can be written onto the device.”
Hackers can download anything that is on your phone since the charging port is doubling as a data port. We’re talking passwords, emails, photos, messages, and even banking and other personal information via apps.
How to Prevent Juice-Jacking
“Don’t use public charging stations.” more
Solutions...
- This is a tiny and lightweight external battery that is easy to travel with: Amazon.com
- Plug into your laptop to charge your phone if you’re traveling with one and don’t have an external charger.
- If you absolutely need to use public charging stations you can block the data transfer using SyncStop ($19.99).
More Than 1,000 U.S. Spies Protecting Rio Olympics
U.S. intelligence has assigned more than 1,000 spies to Olympic security as part of a highly classified effort to protect the Rio 2016 Summer Games and American athletes and staff, NBC News has learned.
Hundreds of analysts, law enforcement and special operations personnel are already on the ground in Rio de Janeiro, according to an exclusive NBC News review of a highly classified report on U.S. intelligence efforts.
In addition, more than a dozen highly trained Navy and Marine Corps commandos from the U.S. Special Operations Command are in Brazil, working with the Brazilian Federal Police and the Brazilian Navy, according to senior military officials.
The U.S. military, as expected, has placed larger military units on call should a rescue or counter-terrorism operation be needed, the officials said.
The classified report outlines an operation that encompasses all 17 U.S. intelligence agencies, including those of the armed services, and involves human intelligence, spy satellites, electronic eavesdropping, and cyber and social media monitoring. more