Monday, August 5, 2019

Wallet, Keys, Bag Packed... Ooopps, Forgot the Post-it Notes

When airline seatback entertainment systems started to come bundled with little webcams, airlines were quick to disavow their usage, promising that the cameras were only installed for potential future videoconferencing or gaming apps, and not to allow the crew or airline to spy on passengers in their seats.

Enter Hong Kong's Cathay Pacific, the country's flagship airline, which has just amended its privacy policy to reveal that it is recording its passengers as they fly, as well as gathering data on how individual passengers spend time in airport terminals, and even brokered data on their use of rivals' hotel and airplane loyalty programs.

But don't worry, the company promises it will take "commercially reasonable" cybersecurity measures to keep all that data from leaking. more

Amazon Alexa's New Dump the Human Eavesdropping Switch

Alexa users who don’t want their recordings reviewed by third-party contractors finally have an option to opt-out...

Unfortunately, Amazon has never made opting-out of data collection on its devices particularly easy, and this new policy doesn’t buck that trend.

According to Bloomberg, users need to dig into their settings menu, then navigate to “Alexa Privacy,” and finally tap “Manage How Your Data Improves Alexa” to see the following text: “With this setting on, your voice recordings may be used to develop new features and manually reviewed to help improve our services. Only an extremely small fraction of voice recordings are manually reviewed.” more

A Brief History of Surveillance in America


For the last several years, Brian Hochman has been studying electronic surveillance—both the technological developments that have made eavesdropping possible and the cultural and political realities that have made it a part of American life for more than 150 years...

How far back do we have to go to find the origins of wiretapping?
It starts long before the telephone. The earliest statute prohibiting wiretapping was written in California in 1862, just after the Pacific Telegraph Company reached the West Coast, and the first person convicted was a stock broker named D.C. Williams in 1864. His scheme was ingenious: He listened in on corporate telegraph lines and sold the information he overheard to stock traders...

It’s only in the 1920s that ordinary Americans start to take notice of wiretapping and it's not really until the 1950s that it's seen as a national problem...

The House Intelligence Committee looked into illegal wiretapping in 1975 as part of its investigation of risks of U.S. intelligence operations. Michael Hershman (holding a 'plug bug') explaining surveillance and counter-surveillance technology. (AP Photo/Charles Gorry)
FutureWatch...
Historians are not in the business of prognostication, but the one thing that I can say with some certainty is that electronic surveillance and dataveillance are going to scale. They will be more global and more instantaneous. I can say with much more certainty that that public attention to these issues will wax and wane. more

Millions Of Chinese-Made Cameras Can Be Hacked To Spy On Users

Despite more awareness of the risks associated with Chinese surveillance equipment, the news this week that cameras from the world's second-largest manufacturer of such devices can be used to secretly listen in to users still comes as a shock.

Put simply, the newly disclosed backdoor vulnerability means that millions of cameras have been carrying the potential to be used as eavesdropping devices—even when the audio on the camera is disabled.

"Essentially," warned Jacob Baines, the researcher who first disclosed the vulnerability with cameras used by both consumers and enterprises, "if this thing is connected directly to the internet, it’s anyone’s listening device."...

Baines initially shared this latest issue with Dahua OEM Armcrest two months ago, reporting that he could "remotely listen" to a tested camera "over HTTP without authentication." The vulnerability can be seen in action in a video shared by Baines on YouTube. more

Tuesday, July 23, 2019

The ‘Golden Age of SIGINT’ May Be Over

The US government cannot control the skyrocketing use of encrypted communications that allow adversaries, terrorists, criminals — and ordinary folks who care deeply about privacy, including journalists — to block eavesdropping by national security agencies, says a new study funded by DARPA and the Center for Advanced Studies on Terrorism (CAST).

The ‘golden age of SIGINT’ may be over, particularly within the next five or ten years,” the study, “Going Dark: Implications of an Encrypted World,” finds. The traditional methods of collecting signals intelligence and eavesdropping on communications used by the Intelligence Community (IC) will no longer be effective. “End-to-end encryption of all communications and data, differential privacy, and secure communications for all users are likely to be the new reality,” the study says. more

Android Smartphone Alert: Spearphone Eavesdropping

A Spearphone attacker can use the accelerometer in LG and Samsung phones to remotely eavesdrop on any audio that’s played on speakerphone, including calls, music and voice assistant responses. 

A new way to eavesdrop on people’s mobile phone calls has come to light in the form of Spearphone – an attack that makes use of Android devices’ on-board accelerometers (motion sensors) to infer speech from the devices’ speakers.

An acronym for “Speech privacy exploit via accelerometer-sensed reverberations from smartphone loudspeakers,” Spearphone was pioneered by an academic team from the University of Alabama at Birmingham and Rutgers University.

They discovered that essentially, any audio content that comes through the speakers when used in speakerphone mode can be picked up by certain accelerometers in the form of sound-wave reverberations. And because accelerometers are always on and don’t require permissions to provide their data to apps, a rogue app or malicious website can simply listen to the reverberations in real time, recording them or livestreaming them back to an adversary, who can analyze and infer private data from them. more

Apple Watch Walkie-Talkie is Fixed

The latest release fixes a security flaw in the Walkie-Talkie app that could potentially allow users to listen in on others’ conversations. Apple disabled the app until it could fix the problem, which watchOS 5.3 apparently does. more


Spycam Report from China

Sales of spy cameras are rampant at Shenzhen’s gadget paradise, Huaqiangbei, according to a report by state broadcaster CCTV. The report, secretly filmed (ironically) by CCTV reporters, found vendors selling secret cameras disguised as pens, lighters and alarm clocks, among a number of other things. This is in spite of the fact that it's illegal in China to sell “espionage equipment” that can be used for secretly monitoring and photographing people.


In one case, the CCTV reporter bought a fake power socket with a camera hidden in one of the holes and double-sided tape on the back to allow for mounting on a wall. It included an SD card socket and a charging port at the bottom...

In another example from the report, one shop demonstrated a different power socket that hides the camera in a small hole in the bottom-right corner. The video can also be watched in real time from a smartphone app.

In recent months, a series of events that show just how easy it is to secretly film people in hotels has unnerved people in China. The apparent prevalence of the practice has raised concerns about people’s privacy and safety...

In another case, a couple found a hidden camera in the TV in their hotel room in the city of Zhengzhou. Police later determined one person had installed hidden cameras in at least five rooms. Then they detained a manager at the hotel when he claimed more than 80% of the hotels in the city have hidden cameras. more

Google: Wi-Spy Case Cashed Out

Google is poised to pay a modest $13 million to end a 2010 privacy lawsuit that was once called the biggest U.S. wiretap case ever and threatened the internet giant with billions of dollars in damages.
The settlement would close the books on a scandal that was touched off by vehicles used by Google for its Street View mapping project. Cars and trucks scooped up emails, passwords and other personal information from unencrypted household Wi-Fi networks belonging to tens of millions of people all over the world. more

Monday, July 22, 2019

From the What Goes Around Files: Russia's FSB Hacked

Russia's Secret Intelligence Agency Hacked: 'Largest Data Breach In Its History'
 
Red faces in Moscow this weekend, with the news that hackers have successfully targeted FSB—Russia's Federal Security Service. The hackers managed to steal 7.5 terabytes of data from a major contractor, exposing secret FSB projects to de-anonymize Tor browsing, scrape social media, and help the state split its internet off from the rest of the world.

The data was passed to mainstream media outlets for publishing. FSB is Russia's primary security agency with parallels with the FBI and MI5, but its remit stretches beyond domestic intelligence to include electronic surveillance overseas and significant intelligence-gathering oversight. It is the primary successor agency to the infamous KGB, reporting directly to Russia's president. more

Tuesday, July 16, 2019

Information Security: Privacy Tips for Business Travelers

The Basics...
  • Beware of shoulder surfers. Get one of these.
  • Know when to shut your mouth. Don't give strangers any confidential information.
  • Use a Virtual Private Network (VPN).
  • Change any passwords you used while on your tip.
  • Keep your device with you to reduce info-suck opportunities.
  • Avoid using public charging stations (unless you have one of these).
  •  Read Murray Associates' Guide to Off-Site Meeting Information Security.

Security Director Tips: You Don't Have to be an IT Dude to Protect Your Company Online

The Top 6 things you can do to better than the IT department. (Go ahead. Take back some turf.)
  1. Establish a cyber incident response plan.
  2. Regularly rehearse the response plan using a range of different scenarios.
  3. Monitor and manage the risk posed from the supply chain.
  4. Ensure the company understands the terms of their insurance and what is covered.
  5. Understand what 'normal' looks like for the business, in terms of application usage, so the company can identify any unfamiliar patterns.
  6. Investing in regular training and raising their people's awareness of cyber security. more

Monday, July 15, 2019

Spanish App Works Like Spanish Fly... undercover

Spain’s data protection agency has fined the country’s soccer league, LaLiga, €250,000 (about $280,000) for allegedly violating EU data privacy and transparency laws. The app, which is used for keeping track of games and stats, was using the phone’s microphone and GPS to track bars illegally streaming soccer games...

Using a Shazam-like technology, the app would record audio to identify soccer games, and use the geolocation of the phone to locate which bars were streaming without licenses. more

Spot on ID, or... "The Tell-Tale Heart"

via MIT Technology Review 

A new device, developed for the Pentagon after US Special Forces requested it, can identify people without seeing their face: instead it detects their unique cardiac signature with an infrared laser. While it works at 200 meters (219 yards), longer distances could be possible with a better laser. “I don’t want to say you could do it from space,” says Steward Remaly, of the Pentagon’s Combating Terrorism Technical Support Office, “but longer ranges should be possible.”... In the longer run, this technology could find many more uses, its developers believe... more

Like eavesdropping? 
(Spoiler Alert: Israeli scientists did this in 2009, and then improved it in 2014.) ~Kevin

Friday, July 12, 2019

FREE: "Top Secret: From Ciphers to Cyber Security" GCHQ Exhibit in London

Historic gadgets used by British spies will be revealed for the first time later this week, as one of the country's intelligence agencies steps out the shadows to mark its centenary -- and to educate people about the risks of cyber-attacks.

The Government Communications Headquarters (GCHQ) will hold an unprecedented exhibition at London's Science Museum, taking visitors through 100 years of secret conversations and eavesdropping...

A prototype of the Enigma cipher machine used by the Germans will be on display. But the standout exhibit at this new exhibition is the 5-UCO machine developed in 1943 to send decrypted German messages to officers in the field...

"Top Secret: From Ciphers to Cyber Security" opens to the public on Wednesday and runs until February 2020. more

FREE but must book ahead: Science Museum, Exhibition Road, South Kensington, London SW7 2DD  ~Kevin