Researchers at enterprise security vendor ForeScout have warned that malware specifically targeting smart buildings is an inevitable next step given the rapidly expanding attack surface that building automation systems expose.
The operational technology researchers at ForeScout should know: they created proof-of-concept malware that revealed smart building vulnerabilities every business should be concerned about.
...just yesterday, Tenable Research revealed it had discovered several zero-day vulnerabilities in a premises access control system used by Fortune 500 companies.
Among the many attack scenarios these vulnerabilities could facilitate
was 'unfettered access to the badge system database' which in turn meant
an ability to create fraudulent access badges and disable building
locks. more
Wednesday, February 6, 2019
Spybusters Tip #847: Stop Car Theft via Key Fob Signal Intercept
By simply wrapping your key FOB in aluminum foil you can prevent a thief
from intercepting the signal.
If you park your car outside at home then you might consider using a foil-lined container or placing your keys in a coffee can.
I’m going to start wrapping mine in aluminum foil when I travel and stay in a hotel. If you doubt that this issue is a serious threat then watch How Thieves Unlock A Car. more
A big thank you to our Blue Blaze Irregular ensconced in Illinois for alerting us to this tip. ~Kevin
If you park your car outside at home then you might consider using a foil-lined container or placing your keys in a coffee can.
I’m going to start wrapping mine in aluminum foil when I travel and stay in a hotel. If you doubt that this issue is a serious threat then watch How Thieves Unlock A Car. more
A big thank you to our Blue Blaze Irregular ensconced in Illinois for alerting us to this tip. ~Kevin
Sunday, February 3, 2019
Hackers Now Banking on Two-Factor Authentication for Profit
Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself.
This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts. So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank—the UK's Metro Bank—that fell victim to such an attack...
One source familiar with SS7 attacks across banks said the exploitation has targeted banks globally, but that American banks seem to be less impacted. more
Reader comment: "Please note the Motherboard reporter carefully differentiates between "sophisticated hackers" and "financially-driven cybercriminal groups". I hope you'll consider being equally judicious in your own reporting and online comments."
This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts. So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank—the UK's Metro Bank—that fell victim to such an attack...
One source familiar with SS7 attacks across banks said the exploitation has targeted banks globally, but that American banks seem to be less impacted. more
Reader comment: "Please note the Motherboard reporter carefully differentiates between "sophisticated hackers" and "financially-driven cybercriminal groups". I hope you'll consider being equally judicious in your own reporting and online comments."
Friday, February 1, 2019
Book Review Request: Technical Surveillance Counter-Measures a Complete Guide
If any TSCM'er out there buys this book. Please send me a review.
Thank you, Kevin
Evil Child Watch Spies
In late 2017, the Norwegian Consumer Council published its audit of kids' smart-watches, reporting that the leading brands allowed strangers to follow your kids around and listen in on their conversations; a year later, Pen Test Partners followed up to see if anything had changed (it hadn't).
Now, a year and a half later, Pen Test Partners have done another security audit of kids' smart watches and you'll never guess what they found! Kids' smart-watches are still a dumpster-fire: anyone can access the entire database of kids' data, including "real time child location, name, parents details etc," and since most leading brands use the same back-end from Gator, virtually every kid's smart-watch is vulnerable. more
Smartphone Security Tips
2/4/19 UPDATE: European Commission orders mass recall of creepy, leaky child-tracking smartwatch. more
Now, a year and a half later, Pen Test Partners have done another security audit of kids' smart watches and you'll never guess what they found! Kids' smart-watches are still a dumpster-fire: anyone can access the entire database of kids' data, including "real time child location, name, parents details etc," and since most leading brands use the same back-end from Gator, virtually every kid's smart-watch is vulnerable. more
Smartphone Security Tips
2/4/19 UPDATE: European Commission orders mass recall of creepy, leaky child-tracking smartwatch. more
Thursday, January 31, 2019
Business Espionage – A Cunning Protection Plan to Protect us and U.S.
We are bombarded with news stories and court trials tornado-ing around Chinese spies. They’re everywhere. Collecting everything. They are such a fixture in and around our hapless businesses that it only seems right to offer them health insurance, a pension plan, cookies and milk.
But wait. Let’s think this through.
Aren’t these the folks who had the secrets of silk stolen from them by Justinian I? Humm, could this be why great neckties are made in Italy, not China? Even their espionage death penalty law couldn’t protect them. Boom! Business espionage devastated their economy.
I also recall a dude from the UK, Robert Fortune, sort of an early 007. He was sent to steal the secrets of tea production from… Have you guessed yet? China! That caper is now know as The Great British Tea Heist. Boom! Business espionage devastated their economy yet again.
Oh, and what about the Chinese secret of making porcelain? A French Catholic priest stole that one. BOOM!! I could go on and on. Gunpowder, paper, etc. Bing! Bam! BOOM!
Feeling sorry for China yet? Don’t. They are making up for it, right now. The disk drive that just started whirring in your computer… it might be them.
And, don’t think this is just some cosmic Yin and Yang, great mandella, or as we say here in New Jersey, “What goes around, comes around.” No, that explanation is too simplistic, not to mention fatalistic. There is more to this industrial espionage business. The circle is bigger. This is history repeating itself, over and over and over, but I think I have the solution... more
But wait. Let’s think this through.
Aren’t these the folks who had the secrets of silk stolen from them by Justinian I? Humm, could this be why great neckties are made in Italy, not China? Even their espionage death penalty law couldn’t protect them. Boom! Business espionage devastated their economy.
I also recall a dude from the UK, Robert Fortune, sort of an early 007. He was sent to steal the secrets of tea production from… Have you guessed yet? China! That caper is now know as The Great British Tea Heist. Boom! Business espionage devastated their economy yet again.
Oh, and what about the Chinese secret of making porcelain? A French Catholic priest stole that one. BOOM!! I could go on and on. Gunpowder, paper, etc. Bing! Bam! BOOM!
Feeling sorry for China yet? Don’t. They are making up for it, right now. The disk drive that just started whirring in your computer… it might be them.
And, don’t think this is just some cosmic Yin and Yang, great mandella, or as we say here in New Jersey, “What goes around, comes around.” No, that explanation is too simplistic, not to mention fatalistic. There is more to this industrial espionage business. The circle is bigger. This is history repeating itself, over and over and over, but I think I have the solution... more
Second Apple Pickin' Spy Caught in Last 6 Months
The United States FBI this week accused a Chinese citizen working for
Apple of attempting to steal trade secrets that are related to the
company's autonomous vehicle program, reports NBC Bay Area.
Apple launched an investigation into the employee, Jizhong Chen, when another employee spotted him taking photographs "in a sensitive work space."
Apple Global Security employees searched his personal computer and found "thousands" of Apple files, including manuals, schematics, photographs, and diagrams.
Chen had recently applied for a position with a China-based autonomous vehicle company that is a direct Apple competitor. Chen was arrested a day before he was set to fly to China.
Apple launched an investigation into the employee, Jizhong Chen, when another employee spotted him taking photographs "in a sensitive work space."
Apple Global Security employees searched his personal computer and found "thousands" of Apple files, including manuals, schematics, photographs, and diagrams.
Chen had recently applied for a position with a China-based autonomous vehicle company that is a direct Apple competitor. Chen was arrested a day before he was set to fly to China.
Apple in a statement said that it
is working with the authorities."Apple takes
confidentiality and the protection of our IP very seriously," the
company said in a statement Tuesday. "We are working with authorities on
this matter and are referring all questions to the FBI."
This is not the first time an employee has been caught trying to steal secrets from Apple's car team. Back in July, the FBI charged former Apple employee Xiaolang Zhang with theft of trade secrets for stealing hardware and software that included prototypes and detailed prototype requirements. more
This is not the first time an employee has been caught trying to steal secrets from Apple's car team. Back in July, the FBI charged former Apple employee Xiaolang Zhang with theft of trade secrets for stealing hardware and software that included prototypes and detailed prototype requirements. more
Wednesday, January 30, 2019
Tired of Smartphone Security Vulnerabilities? Go Dumb!
Punkt - The MP02 is significantly more complex than the MP01, so we have teamed up with BlackBerry to keep it secure. BlackBerry adds enhanced security to the device at the point of manufacture, which means the MP02 is hardened and highly secure. With BlackBerry’s integrated software components, the MP02 will be built with security from the start so you can trust that your data will be safe. more
The new Nokia 3310 2.4” polarized and curved screen window makes for better readability in sunlight. Remember when you could leave the house without a charger? Well, with the Nokia 3310, you can. It comes with a long-lasting battery, so you can talk all day, or leave the phone on standby for up to a month. When needed, a Micro-USB port makes charging simple. more
The Light Phone 2 is a 4G LTE phone with a beautiful black & white matte display. It's a more reliable, durable, and practical phone than its predecessor. It brings a few essential tools to the Light Phone, like messaging, an alarm clock, or a ride home, so you can leave behind your smartphone more often... or for good. We call this experience 'going light'. more (An indiegogo project at the moment.)
Another dumb phone, the Alba Flip fits right between the borderline-brain-dead dumbness of the Light Phone and the smarter-than-you’d-think trickery of the Nokia remakes. Plus, it's a flip phone, which you've got to love. The Alba Flip is not designed to be a basic phone. Alba are a brand designed for those who struggle with conventional mobile phones, either through technophobia or because of visual impairments. more (Warning: 2G only which is becoming harder to rely upon as it is phasing out. In the U.S. that means T-Mobile 2G.)
And, the dumbest one I've ever used... The BM70 is the smallest phone which supports 4G network. With built-in Micro SIM card slot, it can store 250 contact numbers. Not only a mini cell phone, also a Bluetooth earphone more (Only $12.99, and yes it really works.) ~Kevin
If you don't go dumb, go smart, and smarter.
The new Nokia 3310 2.4” polarized and curved screen window makes for better readability in sunlight. Remember when you could leave the house without a charger? Well, with the Nokia 3310, you can. It comes with a long-lasting battery, so you can talk all day, or leave the phone on standby for up to a month. When needed, a Micro-USB port makes charging simple. more
The Light Phone 2 is a 4G LTE phone with a beautiful black & white matte display. It's a more reliable, durable, and practical phone than its predecessor. It brings a few essential tools to the Light Phone, like messaging, an alarm clock, or a ride home, so you can leave behind your smartphone more often... or for good. We call this experience 'going light'. more (An indiegogo project at the moment.)
Another dumb phone, the Alba Flip fits right between the borderline-brain-dead dumbness of the Light Phone and the smarter-than-you’d-think trickery of the Nokia remakes. Plus, it's a flip phone, which you've got to love. The Alba Flip is not designed to be a basic phone. Alba are a brand designed for those who struggle with conventional mobile phones, either through technophobia or because of visual impairments. more (Warning: 2G only which is becoming harder to rely upon as it is phasing out. In the U.S. that means T-Mobile 2G.)
And, the dumbest one I've ever used... The BM70 is the smallest phone which supports 4G network. With built-in Micro SIM card slot, it can store 250 contact numbers. Not only a mini cell phone, also a Bluetooth earphone more (Only $12.99, and yes it really works.) ~Kevin
If you don't go dumb, go smart, and smarter.
Shred Bin Security – Yours Stinks – Fix it for Free
Shred Bin Security — How to upgrade it... probably for free!
If you have a sizable contract with a shredding company, keep reading.
The Shred Bin Security Conundrum
Your organization realizes they need help getting rid of their wastepaper. Some of it can be recycled. Easy. There are plenty of recycling companies around. Some of it, however, contains sensitive information that must be destroyed.
So, you contact your local "I-Rip-A-Part" shredding company.
You are offered your choice of two shred bin styles, if you are lucky. The elegant particle board beige box, or the converted garbage can.
Both scream security joke. But hey, they only gave you two choices. So, you take what "I-Rip-A-Part" gives you. After all, it's their business. They know best.
Your employees may not laugh out loud, but they get the message. Management either doesn't know much about shred bin security, or they only care enough to make it look like they are doing their due diligence. The result...
Pretty soon these start popping up.
Who's laughing now?
Just the office snoops, competitive intelligence professionals, activists, news media, hackers, etc.
Let me provide some background before providing a workable solution. The crummy shred bin issue is a problem for most U.S. based organizations.
The problem has two roots:
Attacks include: unscrewing the cabinet, picking the cheap lock, sticking a $8.00 flexible grabber through the slot, bending the plastic lid back, or pulling the inner liner bag through the slot... more
If you have a sizable contract with a shredding company, keep reading.
The Shred Bin Security Conundrum
Your organization realizes they need help getting rid of their wastepaper. Some of it can be recycled. Easy. There are plenty of recycling companies around. Some of it, however, contains sensitive information that must be destroyed.
So, you contact your local "I-Rip-A-Part" shredding company.
You are offered your choice of two shred bin styles, if you are lucky. The elegant particle board beige box, or the converted garbage can.
Both scream security joke. But hey, they only gave you two choices. So, you take what "I-Rip-A-Part" gives you. After all, it's their business. They know best.
Your employees may not laugh out loud, but they get the message. Management either doesn't know much about shred bin security, or they only care enough to make it look like they are doing their due diligence. The result...
Pretty soon these start popping up.
Who's laughing now?
Just the office snoops, competitive intelligence professionals, activists, news media, hackers, etc.
Let me provide some background before providing a workable solution. The crummy shred bin issue is a problem for most U.S. based organizations.
The problem has two roots:
- A lack of understanding about information security on the part of the confidential information custodians.
- Shredding companies preying on this ignorance to maximize their profits. (Number one allows number two.)
Attacks include: unscrewing the cabinet, picking the cheap lock, sticking a $8.00 flexible grabber through the slot, bending the plastic lid back, or pulling the inner liner bag through the slot... more
Inside Information: Email Sales Pitches Some Spies Receive
Only the names have been changed to protect the reticent.
Intercept and capture any phone ANYWHERE in the world... Remotely!
Are your clients looking for a powerful solution to capture all app messages?
Our new monitoring technology for deployment on cellphones is now available.
This advanced method of interception does not require any infrastructure or tactical equipment to gain access to a target’s communication path.
The latest model, Octo+2, can target up to 10 phones at any one time and convert their microphones to a listening post for worldwide audio and video monitoring.
It’s now time to turn on the microphone on your target’s phone so you can listen from any where in the world!
.... Available to authorized agencies only.
Intercept and capture any phone ANYWHERE in the world... Remotely!
Are your clients looking for a powerful solution to capture all app messages?
Our new monitoring technology for deployment on cellphones is now available.
- Penetrate cellular defenses
- Generate effective access to Target devices
- Perform interception of their data communications
- Operate in 'new' locations, without requiring any integration
- Extract data from phones without any user interaction required
This advanced method of interception does not require any infrastructure or tactical equipment to gain access to a target’s communication path.
The latest model, Octo+2, can target up to 10 phones at any one time and convert their microphones to a listening post for worldwide audio and video monitoring.
It’s now time to turn on the microphone on your target’s phone so you can listen from any where in the world!
.... Available to authorized agencies only.
Tuesday, January 29, 2019
The Case of the Bumbling Spy
Just the interesting bits...
The case of the bumbling spy is the latest episode involving undercover agents, working for private intelligence firms or other clients, who adopt false identities to dig up compromising information about or elicit embarrassing statements from their targets...
The phenomenon of private spies drew widespread attention in 2017, when Black Cube, an Israeli private intelligence firm, was found to have used undercover agents to approach women who had accused Harvey Weinstein, the Hollywood producer, of sexual misconduct...
At their lunch meeting, he read questions from cue cards of three colors that seemed to be organized by topic, explaining that at his age he needed them to keep the details straight. He held the cards in one hand, while in the other he held and awkwardly pointed a pen that appeared to contain a video recorder, Mr. Scott-Railton said. (John Scott-Railton, a senior researcher at Citizen Lab
In a phone conversation, he had told Mr. Scott-Railton that he had a son about his age. When they met, he said the child was a daughter. more
The point is obvious. Nine out of ten private investigators did not graduate in the top 10% of their class. However, there are plenty out their who did, and they can pretext you and bug your office quicker than a magician can make a coin disappear.
The case of the bumbling spy is the latest episode involving undercover agents, working for private intelligence firms or other clients, who adopt false identities to dig up compromising information about or elicit embarrassing statements from their targets...
The phenomenon of private spies drew widespread attention in 2017, when Black Cube, an Israeli private intelligence firm, was found to have used undercover agents to approach women who had accused Harvey Weinstein, the Hollywood producer, of sexual misconduct...
At their lunch meeting, he read questions from cue cards of three colors that seemed to be organized by topic, explaining that at his age he needed them to keep the details straight. He held the cards in one hand, while in the other he held and awkwardly pointed a pen that appeared to contain a video recorder, Mr. Scott-Railton said. (John Scott-Railton, a senior researcher at Citizen Lab
In a phone conversation, he had told Mr. Scott-Railton that he had a son about his age. When they met, he said the child was a daughter. more
The point is obvious. Nine out of ten private investigators did not graduate in the top 10% of their class. However, there are plenty out their who did, and they can pretext you and bug your office quicker than a magician can make a coin disappear.
Labels:
#espionage,
#spycam,
business,
cautionary tale,
PI,
scam
FaceTime Bug Lets Callers Hear You Before You Answer
Users have discovered a bug in Apple's FaceTime video-calling application that allows you to hear audio from a person you're calling before they accept the call—a critical bug that could potentially be used as a tool by malicious users to invade the privacy of others.
Apple: "We're aware of this issue, and we have identified a fix that will be released in a software update later this week." An hour or two after this post went live, Apple disabled Group FaceTime to mitigate the bug.
The bug requires you to perform a few actions while the phone is ringing, so if the person on the other end picks up quickly, they might not be affected. Knowledge of how to use the bug is already widespread.
The steps include:
Updates: What we have also found is that if the person presses the Power button from the Lock screen, their video is also sent to the caller — unbeknownst to them. In this situation, the receiver can now hear your own audio, but they do not know they are transmitting their audio and video back to you. From their perspective, all they can see is accept and decline. (Another update: It seems there are other ways of triggering the video feed eavesdrop too.) more
Temporary fix. General smartphone security tips.
Apple: "We're aware of this issue, and we have identified a fix that will be released in a software update later this week." An hour or two after this post went live, Apple disabled Group FaceTime to mitigate the bug.
The bug requires you to perform a few actions while the phone is ringing, so if the person on the other end picks up quickly, they might not be affected. Knowledge of how to use the bug is already widespread.
The steps include:
- Tap on a contact on your iPhone to start a FaceTime call with them.
- Swipe up and tap "Add Person."
- Instead of adding a new person, enter your own number and add yourself as another participant in the Group FaceTime call. more
Updates: What we have also found is that if the person presses the Power button from the Lock screen, their video is also sent to the caller — unbeknownst to them. In this situation, the receiver can now hear your own audio, but they do not know they are transmitting their audio and video back to you. From their perspective, all they can see is accept and decline. (Another update: It seems there are other ways of triggering the video feed eavesdrop too.) more
Temporary fix. General smartphone security tips.
Friday, January 25, 2019
Hackers Access Family Security Cameras - Then Yell and Curse
WA - If you have security cameras connected to the internet inside your home, you’re going to want to play close attention to this story. A local family says someone hacked their account and watched them for weeks inside their home; even yelling and cursing at their children...
The couple says things got really creepy this week, while Abby and the children sat here in the living room. She says could hear multiple male voices. At first, she thought it was Conrado just checking in via the security cameras.
“And then they started cussing...
Abby wanted proof. “I grabbed a chair and I was doing this, but my face was back here and my hand was right here because I didn’t want to look at them. They were like stop recording us! What the ‘F’ are you doing?...
Abby and Conrado called Auburn Police, who confirm they are investigating. more
The couple says things got really creepy this week, while Abby and the children sat here in the living room. She says could hear multiple male voices. At first, she thought it was Conrado just checking in via the security cameras.
“And then they started cussing...
Abby wanted proof. “I grabbed a chair and I was doing this, but my face was back here and my hand was right here because I didn’t want to look at them. They were like stop recording us! What the ‘F’ are you doing?...
Abby and Conrado called Auburn Police, who confirm they are investigating. more
Eyeglasses and Earbuds for Real Spies
Misumi Electronics Corp. is a prestigious name in the fields of Spy applications, Surveillance system, Industrial inspection, and Medical application. They specialize in making modules and finished products, including camera modules, transmitters, UVC, USB capture cards and grabbers, and accept customized camera request as well.
The example below shows off the high-resolution of their cameras, including the ability to read computer screens and instantly transmit the video elsewhere. A spy wearing these eyeglasses and earbuds can see in three directions at once, in high-definition, without anyone knowing!
Their tiny, high-quality, HD video cameras have been mass produced for years. Should you come across one, keep searching. There is likely more to find. more
The example below shows off the high-resolution of their cameras, including the ability to read computer screens and instantly transmit the video elsewhere. A spy wearing these eyeglasses and earbuds can see in three directions at once, in high-definition, without anyone knowing!
Their tiny, high-quality, HD video cameras have been mass produced for years. Should you come across one, keep searching. There is likely more to find. more
Click to enlarge. |
Cybercriminals Home in on Ultra-High Net Worth Individuals
Research shows that better corporate security has resulted in some hackers shifting their sights to the estates and businesses of wealthy families.
Threat intelligence experts and research groups have seen a shift of cybercriminals increasingly targeting ultra-high net worth (UHNW) individuals and their family businesses...
More than half the attacks were viewed as malicious. And, nearly one-third came from an inside threat, such as an employee intentionally leaking confidential information. more
Congratulations to the corporations who have instituted better information security practices. Their elevated security includes periodic checks for electronic surveillance, or Technical Surveillance Countermeasures (TSCM).
These checks are absolutely necessary at family compounds and home offices. There, guests, staff, and tradespeople have great opportunities to plant audio, video and data electronic surveillance devices.
Threat intelligence experts and research groups have seen a shift of cybercriminals increasingly targeting ultra-high net worth (UHNW) individuals and their family businesses...
More than half the attacks were viewed as malicious. And, nearly one-third came from an inside threat, such as an employee intentionally leaking confidential information. more
Congratulations to the corporations who have instituted better information security practices. Their elevated security includes periodic checks for electronic surveillance, or Technical Surveillance Countermeasures (TSCM).
These checks are absolutely necessary at family compounds and home offices. There, guests, staff, and tradespeople have great opportunities to plant audio, video and data electronic surveillance devices.
Subscribe to:
Posts (Atom)