Tuesday, October 31, 2017

TSCM Alert - Keylogger Used to Hack School Grades

Former University of Iowa student Trevor Graves was arrested last week and charged...with hacking into the school's system to change grades.

...Graves allegedly attached a keylogger to several university computers in order to compromise faculty, staff and student information. In January 2017 the scheme was identified when a keylogger was discovered and reported by a staff member...

The school estimated that about 250 people had their HawkID and password stolen.

The court documents state that Graves allegedly used the information taken to escalate his privileges within the school's computer system, enabling him to change grades, an ability given only to instructors. more

This school was lucky. They discovered the spying device almost by accident. 

Most electronic surveillance and subsequent information loss is never discovered, because... "If you don't look, you don't find."

Typical keystroke logger attached to keyboard cable.

Technical Surveillance Countermeasures (TSCM) inspections are not just about finding bugs and wiretaps. These exams also discover keyloggers, optical surveillance (spycams) and other methods of information loss.

Periodic TSCM exams are as vital to an organization's health as medical exams are to people. Think about that for a second... both can spot a cancer while it can still be cured.

Need a TSCM exam, or a local referral? Contact me. ~Kevin

Monday, October 30, 2017

USB Stick Security, or God Save the Queen

UK - Heathrow Airport officials have launched an internal investigation into how a USB memory stick containing the airport's security information was allegedly found on a London street...

The USB stick, which apparently held details such as the route which the Queen takes when using the airport and maps pin-pointing CCTV cameras and a network of tunnels and escape routes, was not given to police but instead was handed to a national newspaper, the Sunday Mirror.

The Sunday Mirror reported that an unemployed man said he was on the way to the library to search the internet for jobs when he found the USB stick in the leaves... he plugged the USB stick into a library computer a few days later and was amazed at what he found... more

Takeaway security tips...
• Encrypt information you put on a USB memory stick. Assume it will be lost or stolen.
• If you find a USB stick, don't plug it in. It may contain a virus. Dropping virus-laden sticks in company parking lots is a simple spy trick.

Sunday, October 29, 2017

Cuba Bugged by US Allegations of Sonic Attacks

Could the mysterious “sonic attacks” allegedly waged against U.S. Embassy employees in Cuba really just be the sounds of very loud crickets and cicadas?

That’s what Cuban officials seemed to suggest Thursday in a half-hour prime-time television special titled “Alleged Sonic Attacks.”

The special broadcast was Cuban officials’ most detailed defense to date against U.S. accusations that American diplomats in Havana were subjected to mysterious sounds that left them with a variety of ailments -- including headaches, hearing problems and concussions. more

Odd that it only affected American and Canadian diplomats. ~Kevin

When Amateurs Spy

Headline: Wedding crasher spying on ‘boyfriend’ sparks massive bridesmaids brawl: cops



Tip: Spy Rule #1 - Remain covert.

Want to know more?

Vacuum Cleaner Spy - Dishin' Your Dirt to a Pervert

Your vacuum cleaner can spy on you and send the video to hackers.

Sound like a science fiction horror story?

It's reality in 2017.

Researchers at CheckPoint... discovered a vulnerability in the LG SmartThinQ app that accompanies the firm's smart devices. As can be seen in the video below, by exploiting that weakness, the researchers were able to force an LG Hom-Bot smart vacuum cleaner to relay a video feed from its camera to them.

The vulnerability apparently emanated from how SmartThinQ handled authentication and authorization of users... - that is, the tickets that allow users to access the device's video feed.



What this means is that if you have a vulnerable app and use a Hom-Bot with it, anyone who knows your username - which is typically your email address - could potentially access your device's video feed or other data from the device.

Furthermore, besides creating a problem for Hom-Bot, the vulnerability may affect other LG smart devices that connect to the same app.

LG has already fixed the vulnerability, so, if you have any LG smart device and use SmartThinQ, make sure to download the latest version (1.9.23). more

FutureWatch - Antenna-less Bugs - Easier to Hide

Antenna-less technology is based on replacing a complex and usually customized antenna design with an off-the-shelf, standardized, miniature component called an antenna booster.

The Ever Shrinking Antenna.

Being surface-mount and chip-like in nature, the antenna booster fits seamlessly in an electronic printed circuit board, the same way any other electronic component does, such as a microprocessor, memory, amplifier, filter or switch.

It can be assembled with a conventional pick-and-place machine, making the design and manufacture of the next generation of IoT/mobile or wireless devices simpler, faster and more effective. more

Friday, October 27, 2017

Prolific Spy Camera Man Posts Videos Gets Caught

WI - A 28-year-old man is charged with surreptitiously filming women in various states of undress in three locations, including a Target changing room at the Fox River Mall.

Andrew R. Persen of Appleton was charged Monday with 10 counts of capturing an intimate representation without consent, five counts of invading privacy with a surveillance device and a single charge of posting a sexually explicit image without consent...

Besides Target, locations included his own bathroom and the bathroom and bedroom at a female friend's house, according to the criminal complaint...

According to the criminal complaint:
The friend told police on Oct. 11 that her friend had found a nude video of her on a pornography website and she believed Persen had posted it without her consent. The video was posted around June of this year and the website indicated it had hundreds of public views.

She said the username the video was posted under was one that Persen commonly used on social media...

Typical Bathroom Spycam Enclosures — Look for the pinhole.

Police searched Persen's house on Oct. 20 and found "numerous" electronic storage devices.

He said that he had put hidden cameras in his friend's bedroom and bathroom in the spring and also in a Target dressing room. He also said he put a camera in his own shower to capture another woman.

Police found videos of the friend filmed at her home. Two detailed in the complaint clearly show him installing the cameras.

One video showed a woman using his shower.

Investigators also found 66 video files that appeared to show the inside of a changing room at Target. If the date and time display is correct, it appears the videos were recorded between 3:20 p.m. and 7:15 p.m. on April 6.

One video appears to show him setting up the camera in the changing room at 3:18 p.m. with his face clearly visible. more

Unfortunately, this type of story appears in the news several times per week. And... these are the failures; this is the tip of all video voyeur activity.

You should really learn how to detect spycams, and then teach your family and friends how to do it as well. It's really simple, once you know how.

Tuesday, October 24, 2017

TSCM News - Professional Spybusters in Demand for Bug-Sweeping

In the trade it is known as TSCM but everyone else calls it bug-sweeping. It is not cockroaches that these pest controllers are hunting but eavesdropping devices that could be hidden anywhere from a mobile phone to the cable in the back of a computer.

Demand for the services of professional technical surveillance countermeasures specialists has grown dramatically along with public awareness of the dangers. Britain’s professional spy catchers have never been busier as businesses and wealthy individuals realise that they are being watched and listened to. 

According to James Williams, director of the TSCM Institute, the only professional body covering the emerging industry, “eavesdropping is on the increase” as the number of devices and ways to bug people have multiplied. more

If you are looking for a reliable firm (many are not), contact me for a referral in your area. ~Kevin

Corporate Espionage Fail - WeWork Staffers Caught

NYC - The battle in the red-hot co-working space business is heating up.

WeWork, the No. 1 player in the sector, allegedly sent two spies to infiltrate rival Knotel — to steal info and some customers, Knotel claimed.

The spies showed up at seven Knotel properties in Manhattan last month in a “systematic attempt to pilfer Knotel’s proprietary information and trade secrets,” according to a cease-and-desist letter the smaller company sent to WeWork...

The corporate espionage rookies might have pulled off the caper — except, in a totally random happening, a Knotel employee recognized one of them as a friend of a friend, according to sources close to Knotel.

While the pair used fake names to gain entry, according to the letter, a call to the Knotel worker’s pal got the spy’s real name — and a couple of social media inquiries turned up the fact that he worked for rival WeWork, sources said. more

SPYSCAPE in NYC is Set to Open in December

A museum dedicated to spycraft is landing soon in possibly the least inconspicuous place on Earth: midtown Manhattan.

The project, known as SPYSCAPE, is set to open in New York City this December — but details are, fittingly, under wraps. Archimedia, the creative and investment company behind the project, has acquired a number of spy artifacts and archival materials, and will use immersive storytelling to explore history’s greatest spy affairs, from the Enigma code crackers to the teenage hacker behind a recent breach of the CIA website.

The museum's website hints at interactive interrogation rooms, laser tunnels, and more. At the end of the tour, visitors will learn what kind of spy work they’re destined for — allegedly based on a proprietary “profiling system” created by the Head of Training for British Intelligence.

The museum space was designed by Ghanaian-British architect David Adjaye’s New York City-based firm, Adjaye Associates, whose many high-profile projects include Washington, D.C.’s new National Museum of African American History and Culture. more

Can't wait? Cuba's Spy Museum in Havana is open. (Optional, but recommended.) ~Kevin

Ransomware Security Infographic - Winning the War

via Trustwave...

Friday, October 20, 2017

Security Report: Kids Smartwatches Found to Act Like Bugs and Worse

The tests done by Mnemonic have uncovered critical security flaws in three of the apps and devices. 

As detailed in Mnemonic's report, two of the devices have flaws which could allow a potential attacker to take control of the apps, thus gaining access to children's real-time and historical location and personal details, as well as even enabling them to contact the children directly, all without the parents’ knowledge.

Additionally, several of the devices transmit personal data to servers located in North America and East Asia, in some cases without any encryption in place.

One of the watches also functions as a listening device, allowing the parent or a stranger with some technical knowledge to audio monitor the surroundings of the child without any clear indication on the physical watch that this is taking place. more

Thursday, October 19, 2017

FutureWatch: After 51 Years MasterCard Boots Signatures

Mastercard Inc. is doing away with a rule requiring merchants to get signatures for transactions made with its credit and debit cards in the United States and Canada.

Announced early Thursday, Mastercard’s rule change goes into effect April 13, 2018, allowing issuers, merchants, and processors time to make adjustments, though merchants can adopt the change sooner, Mastercard says. Mastercard also issued a bulletin about the matter Wednesday afternoon. The new rule does not affect interchange, and applies only to point-of-sale transactions.

A majority of consumers believe that it would be easier to pay and that checkout lines would move faster if they didn’t have to sign for purchases, Mastercard says. more

So, why drop a 51 year old signature security requirement?

Mastercard announced that it’s adding fingerprint scanners to its “next generation” cards in order to safely verify the cardholder’s identity whenever they’re making in-store purchases. more

Most of Your Employees are Snoops

A new survey of IT security professionals reveals that 92 percent of respondents say employees at their organizations try to access information that is not necessary for their day-to-day work.

The study from identity management company One Identity also shows that IT security professionals themselves are among the worst offenders for corporate data snooping. One in three respondents admit to having accessed sensitive information that is not necessary for their day-to-day work -- showing an ongoing abuse of elevated rights given to the IT security role.

More than one in three (36 percent) of IT pros admit to looking for or accessing sensitive information about their company’s performance, beyond what is required to do for their job. 71 percent of executives admit seeking out extraneous information, compared to 56 percent of non-manager-level IT security team members. Additionally, 45 percent of executives admit to snooping for or accessing sensitive company performance information specifically, compared to just 17 percent of non-manager team members.

In smaller companies the problem is worse... more

No surprise here. Over half of the eavesdropping and information loss issues crossing my path (over the last four decades) are employee related. ~Kevin

Spybuster Tip #712: How to Vacuum Your Amazon Breadcrumbs

Amazon automatically tracks the products you browse on the site and compiles a visual list on your account’s home page, in case you are inspired to follow through with a purchase on a return visit.

If you find this sort of thing more creepy than helpful — or you share a computer and would rather not have others see your shopping whims — you can disable the tracking.

To do that, go to Amazon.com and log into your account. Click the Browsing History link at the top of the main page (just below the search window) to see the recent items you previously viewed while clicking around on the site. At the top of the page, click Manage History. more