Thursday, August 17, 2017

Spycam Darwin Award of the Week - The Creepy Kid

Jeremy Gabrysch put up a camera in their living room because his kid kept getting up in the middle of the night to watch TV.


The kid was not to be deterred, even if he didn't quite understand how a wide-angle lens works. more

Wednesday, August 16, 2017

Good Spy News - Mom Bugs Kids... but not the way our moms did it.

California law makes it a crime to record someone’s conversation secretly, with a few exceptions — and one of them, a state appeals court says, allows a parent to use a hidden cell phone to record her child’s talks with a babysitter suspected of abuse.

A mother’s recording led to the conviction of a 12-year-old babysitter for molesting his 4-year-old cousin. The defense lawyer argued that the recording was illegal because neither of the speakers had consented.

But the Fifth District Court of Appeal in Fresno said Monday that a parent who reasonably fears harm to her child, particularly a young child, can consent to a secret recording on the child’s behalf. State law normally requires the consent of both parties to a conversation, but allows consent by one person who reasonably suspects the other of a serious crime. more

SCIFs Go Corporate

With cybersecurity threats on the rise, the private sector is taking a cue from national security protocol to protect corporate secrets, investing in highly protected SCIFs, or Sensitive Compartmented Information Facilities.

What happens in a SCIF stays in a SCIF—and has ever since the concept of the “war room” originated during World War II. ...

Private companies are increasingly seeing the benefits too—especially those working in fields whose success is dependent on continually out-innovating their competitors. “The rooms can be used in many ways once built, from proposal writing and strategy sessions, to hands-on R&D and product testing,” says Gordon. “They can even be portable. But they all give companies piece of mind that work and discussions taking place inside the room are completely confidential.” more

Can't afford a SCIF (they're expensive), use a TSCM team to conduct pre-meeting inspections. If you can afford a SCIF (sweet), use a TSCM team to re-certify it's integrity against eavesdropping. SCIF effectiveness tends to decay with age and use. ~Kevin

Security Director Alert #857 - Coordinated Hotel Wi-Fi Spying

Mention this to your traveling executives. Reinforce VPN usage.
 
Russian hackers who infiltrated the computer systems of the Democratic National Committee in the US are now focusing on the wifi networks of European hotels to spy on guests in a “chilling” cyberoperation.

The state-sponsored Fancy Bear group infected the networks of luxury hotels in at least seven European countries and one Middle Eastern country last month, researchers say. FireEye, the US cybersecurity company that discovered the attacks, said the hotels were in capital cities and belonged to international chains that diplomats, business leaders and wealthy travelers would use. more

A TSCM Cautionary Tale - The All Blacks Affair

Background... A security consultant for the All Blacks rugby team announces he found a bug in a meeting room chair seat cushion. The arrest. And now, the trial...

An upholsterer called as a witness in the All Blacks bugging trial told a Sydney court he didn’t find any evidence of “tampering” or “reupholstering” when he inspected a chair allegedly used to conceal a listening device in the lead up to the Bledisloe Cup.

All Blacks security consultant Adrian Gard has denied making up claims he found the bug concealed in a chair in the All Blacks’ meeting room at the InterContinental Hotel in Double Bay in August 2016.

Mr Gard has pleaded not guilty to making a false representation resulting in a police investigation into the bug...

All Blacks team manager Darren Shand told the court last week Mr Gard on August 15, 2016, showed him two chairs which he claimed had given off abnormal readings during a bug sweep in the meeting room. Mr Shand said he could see what looked like a listening device. more

Why should you care?
• Not all TSCM "experts" are honest. (I'm shocked!)

• Reputation and experience matters.
• Ignore the smooth talk. Check references thoroughly, before letting them in.

~Kevin

This just in... The bugging device found in a chair in the All Blacks' Sydney hotel is sold at a chain of spy stores, a court has heard. Technician Mark Muratore told Downing Centre Local Court on Wednesday the FM transmitter powered by a nine-volt battery was sold at the Oz Spy chain of stores and on eBay. Mr Muratore told the court about 80 of the FM transmitter devices, known as the RBFM600, were sold each year on eBay and at Oz Spy for $120 (≈$95 usd) each.

Tuesday, August 15, 2017

This Month in the Internet Disaster Incidents of Things (IDIoT)

Instant Lockdown...
Hundreds of Internet-connected locks became inoperable last week after a faulty software update caused them to experience a fatal system error, manufacturer LockState said. The incident is the latest reminder that the so-called Internet of Things—in which locks, thermostats, and other everyday appliances are embedded with small Internet-connected computers—often provide as many annoyances as they do conveniences. more
---
Fish Tank Phishing...
The hackers attempted to acquire data from a North American casino by using an Internet-connected fish tank, according to a report released Thursday by cybersecurity firm Darktrace.

The fish tank had sensors connected to a PC that regulated the temperature, food and cleanliness of the tank.“Somebody got into the fish tank and used it to move around into other areas (of the network) and sent out data,” said Justin Fier, Darktrace’s director of cyber intelligence. more
--- 
Flatline Surfing
Over a third of IoT medical device organizations suffer security incidents... Many medical devices are not built with cybersecurity in mind, yet a survey by Deloitte Cyber Risk Services of over 370 professionals organizations operating in the medical device/IoT arena shows that 36.5 percent have suffered a cyber security incident in the past year. more
---
Wait! What? You mean they are not secure!?!?
The Department of Homeland Security (DHS) has announced a $750k investment to develop a solution which bolsters the security of IoT disaster sensors. more
---
This Really Sucks
iRobot, the company that makes the adorable Roomba robots that trundle around your home sucking up everything in their path, has revealed its plans to sell maps of living rooms to the world's biggest tech companies. more
---
Car Wash Crazies
A group of security researchers have exposed the vulnerabilities in automatic car washes and proved just how easy it can be for hackers to target an internet-connected, drive-through car wash and damage vehicles. Their findings showed an attacker could easily manipulate bay doors to trap or strike vehicles in the car wash. Their findings showed an attacker could easily manipulate bay doors to trap or strike vehicles in the car wash. Hackers could also potentially control the mechanical arms inside the car wash, releasing powerful streams of water at a vehicle’s doors to prevent passengers from leaving. more
---
IoT Army MIA
In a competition between 24 skilled cyber amateurs, IoT connected soldiers were hit by a sophisticated mock cyber attack. ...designed to secretly intercept and control communications, resulting in a loss of contact with the unit of soldiers. more
---
Security Camera Insecurity times Millions
A flaw in a widely-used code library known as gSOAP has exposed millions of IoT devices, such as security cameras, to a remote attack. Researchers at IoT security firm Senrio discovered the Devil's Ivy flaw, a stack buffer overflow bug, while probing the remote configuration services of the M3004 dome camera from Axis Communications... Axis Communications confirmed that 249 of its 251 surveillance camera models were affected by the flaw. more
---
Alexa. My Wife Never Listens. Will You?
Every good paranoiac sees an always-listening device like an Amazon Echo as a potential spy sitting in plain sight. Now one security researcher has shown exactly how fine the line is between countertop computer and surveillance tool. With just a few minutes of hands-on time, a hacker could turn an Echo into a personal eavesdropping microphone without leaving any physical trace. more
---
FutureWatch - Soon ALL organizations will need a good Technical Security Consultant on-call. Periodically checking for new unintentional (and intentional) security vulnerabilities is their specialty. ~Kevin

Researchers: 'Stingray' Detector Apps - Not 100% Effective

Academic researchers at Oxford University and the Technical University of Berlin found that several leading Android apps designed to detect when a phone connects to a fake cell site, known as a "stingray," can be easily bypassed, allowing the stingray owner to eavesdrop on calls, intercept messages, and track the precise location of a phone.

The researchers found that the top five stingray detection apps in the Google Play app store -- SnoopSnitch, Cell Spy Catcher, GSM Spy Finder, Darshak, and AIMSICD -- failed on at least one count to alert the phone owner when their device has connected to a fake cell site...

The paper was released Monday ahead of a presentation at the Usenix Woot conference in Vancouver, Canada. more

Friday, August 11, 2017

Security Director Alert # 522 - Spying USB Power Plugs & Charging Cables

Freely for sale on Amazon's marketplace, and plenty of other online stores, are USB and iPhone cables that can be used to listen to your phone calls and track your location.

When these cables are connected to a power source they can use a SIM card to connect to a mobile network. The hardware is unsophisticated but can send both audio and very coarse location data to a third-party...

A more worrying feature is the ability of the cable to detect sound over a certain threshold and then call a pre-programmed number. Once it has done this is relays the sound near it, be that a phone call or conversation, and allows a third-party to listen in.

Not only are there cables that do this, there are also USB power adaptors for your wall outlet that have the same SIM functionality.

Cables and power adapters like this should also be something of a worry to firms that need their security too, they may well not be noticed by security checks and could be responsible for a lot of sensitive information walking out the front door. more

Best Practice: Include the inspection of cables and charging blocks as part of your TSCM inspections.

The Cuban "Acoustic Attack" - Eavesdropping, TSCM, or Other?

The FBI is reportedly investigating who was behind an “acoustic attack” that inflicted at least two staffers of the U.S. Embassy in Havana with sudden hearing loss. Washington expelled two Cuban diplomats earlier this year in response to the incident, the U.S. State Department said on Wednesday.

The Cuban foreign ministry said it was investigating the allegations.

Citing officials familiar with the investigation, The Associated Press reported on Wednesday that embassy staff in Havana began suffering from hearing loss in the fall of 2016. U.S. officials later concluded that a device operating outside the range of audible sound has been installed inside or near diplomatic residences in Havana. more

Media speculation as to what and who is rampant. 

Some what theories, which the media has missed, include: 
• An ultrasonic bugging device (an eavesdropping attack).
• An ultrasonic room flooding device (an eavesdropping countermeasure). 


If either of these were incompetently programmed–thus producing a higher than safe level of audio power output–people would experience hearing loss and other sickness symptoms (headache, nausea, disorientation, etc.).

As to who... A bugging device could be planted by anyone, not just the Cubans. An ultrasonic room flooding device would be placed by whoever has control of the room, in an effort to deter electronic eavesdropping attempts — mixing differing frequencies of ultrasound has a detrimental effect on microphones. This is a rarely used Technical Surveillance Countermeasures (TSCM) tactic due to the fine balance between effectiveness and dangerousness. It zaps hearing aids, too.

An "acoustic attack" just to cause intentional harm seems unlikely. The results of the investigation should be interesting, if they see the light of day. Ultra-unlikely. ~Kevin

Visit us at counterespionage.com to learn how business and governments protect themselves against electronic eavesdropping attacks.

Now Available at Your Favorite Android App Store...

Hackers have flooded Android app stores, including the official Google Play store, with over 1,000 spyware apps, which have the capability to monitor almost every action on an infected device.

Dubbed SonicSpy, the malware can silently record calls and audio, take photos, make calls, send text messages to numbers specified by the attackers, and monitor calls logs, contacts, and information about wi-fi access points.

In total, SonicSpy can be ordered to remotely perform 73 different commands and its suspected to be the work of malware developers in Iraq. more  Antidote: SpyWarn 2.0

Surveillance Feeds Become Reality TV & Movie

They may be blocked from watching YouTube, but China’s 751 million internet users can binge on real-time video streams of yoga studios, swimming lessons, alpaca ranches and thousands of other scenes captured by surveillance cameras.

Much of what’s available would be unthinkable in the West...

In China, however, surveillance is both pervasive and widely accepted. And that’s the subject of a new film by one of China’s best-known contemporary artists.

In “Dragonfly Eyes,” director Xu Bing uses real surveillance footage to tell the story of an ill-fated romance between a young woman who works on a dairy farm and a technician who watches her through the farm’s surveillance system. Mr. Xu believes it’s the first full-length fiction film to be made entirely with surveillance footage. 

Creating “Dragonfly Eyes” convinced Mr. Xu of the prescience of “The Truman Show,” the 1998 satire starring Jim Carrey as a man whose every moment is telecast live without his knowledge, the director said.


“The entire world has become a gigantic film studio,” he said. more sing-a-long

Friday, August 4, 2017

Drone Over Your Home? It’s the Insurance Inspector

When Melinda Roberts found shingles in her front yard after a storm, her insurer didn’t dispatch a claims adjuster to investigate. It sent a drone.

The unmanned aircraft hovered above Ms. Roberts’ three-bedroom Birmingham, Ala., home and snapped photos of her roof. About a week later a check from Liberty Mutual Insurance arrived to cover repairs.

“It took a lot less time than I was expecting,” Ms. Roberts said.

Drones, photo-taking apps and artificial intelligence are accelerating what has long been a clunky, time-consuming experience: the auto or home-insurance claim. more

Electronic Eavesdropping & Wiretapping: Two More Reasons Businesses Need TSCM Inspections

There are two different types of wiretapping threats that can harm startups and established businesses alike -- especially if they house proprietary, confidential information.

When espionage hits. It feels like this.
First, there's government wiretapping. You might assume the simplest way to eliminate this threat is to abide by the law, but you’d be forgetting that, aside from the U.S. government, there are plenty of countries that have proven they’re willing to use Big Brother-style surveillance tactics to compromise private companies. If you work with an opposition party or in a sensitive industry in another country, your client’s government might target your business. 

Then, there's old-fashioned corporate espionage. If a competing company is desperate to get an edge over your business, it may use wiretapping to steal your information or otherwise compromise your company to gain an advantage. more

Thursday, August 3, 2017

Murray's TSCM Tip # 623 - Hiding in Plain Sight - The USB Microphone

USB microphones have many legitimate uses, students recording lectures, for example. Much more sensitive than a laptop's built-in microphone, they are perfect for that application. They also make eavesdropping on co-workers very easy.

The Plausible Deniability Bonus... Hey, it's not a bug. It's a legitimate piece of office equipment.

If you see one of these in a laptop, always assume it is recording. Some USB microphones have a red tally light, but a dot of black paint (or a piece of electrical tape) can cripple that tip-off. 

From the seller...
"This microphone is capable of picking up all of the sounds in large room (range of approximately 80 feet) or it can pick up small area its up to you, because you control the amplifier power! It's small size makes it perfect for situations where you don't want to draw attention to the fact that you are recording audio right into your computer."

Visit counterespionage.com to learn more about what you can do to detect and deter electronic eavesdropping.

Tuesday, August 1, 2017

Security Researchers: Amazon Echo Can be Turned Into a Spying Device

Security researchers have recently shown that the popular Amazon Echo speaker can be hacked to eavesdrop on conversations without permission.

Security firm MWR InfoSecurity claims it was able to exploit a vulnerability which turns the Alexa-fueled device into a “wiretap” without altering its standard functionalities.

But before you get all alarmed, let us tell you the vulnerability was found to affect only 2015 and 2016 versions of the Amazon Echo. On top of that, in order to successfully hack the speaker, a hacker would need to have physical access to it. So you might want to lock your Amazon Echo away when your computer wiz cousin comes over for a visit. more