Wednesday, October 7, 2020

Apple T2 Security Chip Has Unfixable Flaw

Intel Macs that use Apple's T2 Security Chip are vulnerable to an exploit that could allow a hacker to circumvent disk encryption, firmware passwords and the whole T2 security verification chain, according to a team of software jailbreakers...

On the plus side, however, it also means the vulnerability isn't persistent, so it requires a "hardware insert or other attached component such as a malicious USB-C cable" to work. more 

Malicious USB cables are the latest, and arguably the most insidious, threat on the corporate information security landscape. Every USB cable on premises, and every cable being used elsewhere by employees, needs to be vetted for authenticity. Security directors are enlisting the aid of technical counterespionage consultants to perform this task.

Tuesday, October 6, 2020

The Story of the Murray Associates Logo

“Does the logo have a meaning, or is it just a nice design?”

The logo does indeed have meaning. It was inspired by my college textbook. I saw the dots as information in motion, and the rings as protection.


  • Blue dots are information.
  • The red ring is protection.
  • The gray ring represents the many unknown forces trying to steal the information.

Simple… and not inspired by a department store, shooting targets, or a brand of cigarette. Just my design inspired by a book which taught me a lot.

Another reason the shape is appealing is that circles represent comfort, safety, warmth—exactly how I want to make our clients feel.

The logo seems counter-intuitive for a security firm. It goes against the norm… swords, shields, lightning bolts, birds of prey; symbols seen in most security logos. People forget, strong and harsh symbols are used by governments. They are meant to inspire warriors and intimidate enemies. Clients are not enemies.


The way we use the logo behind the company name is also intentionally symbolic, in a subliminal way. It’s the “rising sun” look, used to evoke that upbeat feeling you get when your problems are solved… sing-a-long ~Kevin D. Murray

Monday, October 5, 2020

Dumb Cyber Attack – Hacker Receives Our Darwin Award

...the hacker responsible for this attack on a luxury goods company which happened back in 2018 but has just been revealed by Max Heinemeyer...

The luxury goods business had installed ten fingerprint scanners so as to restrict access to warehouses in an effort to reduce risk. "Unbeknown to them," Heinemeyer continues, "an attacker began exploiting vulnerabilities in one of the scanners. In perhaps the weirdest hacker move yet, they started deleting authorized fingerprints and uploading their own in the hope of gaining physical access."

The AI brain picked this up because one scanner was behaving differently than the others, meaning the security team became aware of the attack within minutes. And, of course, had some pretty conclusive evidence to provide to law enforcement. more
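The detection described above rests on a simple idea: compare each scanner with its peers and flag the one whose template store is being rewritten while the others are quiet. As an added illustration (not code from the article or from the vendor's product), here is that peer-comparison logic run over a constructed scanner audit log; the scanner IDs, event names and counts are assumptions made up for the example.

```python
# Added example: peer-group anomaly detection over a constructed
# fingerprint-scanner audit log. Scanner IDs, event names and counts
# are assumptions for illustration, not values from the article.
from collections import Counter
from statistics import median

# Constructed audit lines: "<timestamp> <scanner_id> <event>", where event is
# ENROLL (template added), DELETE (template removed), AUTH_OK or AUTH_FAIL.
AUDIT_LOG = """
2018-03-01T06:02:11 scanner-01 AUTH_OK
2018-03-01T06:03:40 scanner-02 AUTH_OK
2018-03-01T06:05:02 scanner-03 AUTH_OK
2018-03-01T06:07:19 scanner-04 AUTH_OK
2018-03-01T06:10:55 scanner-04 DELETE
2018-03-01T06:11:03 scanner-04 DELETE
2018-03-01T06:11:08 scanner-04 DELETE
2018-03-01T06:11:41 scanner-04 ENROLL
2018-03-01T06:12:00 scanner-01 ENROLL
2018-03-01T06:12:20 scanner-04 ENROLL
2018-03-01T06:14:02 scanner-02 AUTH_FAIL
2018-03-01T06:15:30 scanner-04 DELETE
2018-03-01T06:16:07 scanner-04 ENROLL
""".strip().splitlines()

# Events that modify the set of authorized fingerprints on a device.
CHANGE_EVENTS = {"ENROLL", "DELETE"}

# The ten scanners in the fleet (assumed naming scheme).
SCANNERS = [f"scanner-{i:02d}" for i in range(1, 11)]


def template_changes_per_scanner(lines):
    """Count template add/delete events per scanner; unknown events are ignored."""
    counts = Counter()
    for line in lines:
        _ts, scanner, event = line.split()
        if event in CHANGE_EVENTS:
            counts[scanner] += 1
    return counts


def outlier_scanners(lines, all_scanners=SCANNERS, factor=3, min_events=3):
    """Return scanners whose template-change count is at least `min_events`
    and more than `factor` times the fleet median (floored at 1 so a quiet
    fleet still yields a usable baseline). One device rewriting its
    template store while its peers are idle is the signal to alert on."""
    counts = template_changes_per_scanner(lines)
    baseline = max(median(counts.get(s, 0) for s in all_scanners), 1)
    return sorted(s for s in all_scanners
                  if counts.get(s, 0) >= min_events
                  and counts.get(s, 0) > factor * baseline)
```

Wiring the alert to a ticket with the offending scanner's raw event lines gives the security team the evidence trail the story mentions.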

Friday, October 2, 2020

Best Business Espionage Article of the Year (A corporate executive must read.)

The Espionage Threat to U.S. Businesses

By Bill Priestap, Holden Triplett

Many authoritarian governments are doing everything they can, including using their spy services, to build successful businesses and grow their economies. Indeed, even some nonauthoritarian governments are taking this approach. The reason for this is simple: A large number of nation-states view privately owned companies within their jurisdictions as extensions of their governments. They support and protect the companies as if those entities were integrated parts of government...

(Main Points)

  • U.S. companies must understand that in many cases they are no longer simply competing with corporate rivals. They are competing with the nation-states supporting their corporate rivals—nation-states with enormous resources and capabilities and with very little restraint on what they will do to succeed.

  • U.S. businesses are decidedly not supported by U.S. government spy agencies. For this reason, they are often competing on an uneven playing field.

  • Exacerbating the problem is the fact that businesses and investors are woefully unprepared for this new environment.

  • Intelligence and the art of spying are no longer constrained to the government sphere. While spy tools and tactics are more readily available, what is truly driving this proliferation is the intelligence realm’s shift in focus from government to businesses.

  • In addition, most companies are focused too myopically on strong cybersecurity as a panacea for spying. Of course, cybersecurity is extremely important, but it protects only one vector by which a nation-state could spy on and subsequently loot a company.

  • If businesses want to protect their assets, then developing an understanding of spies and their activities should become standard practice for business leaders and investors today.

  • Spy services may also target a business via its partners and vendors, so it is equally important to shield those entities from potential attack or attempted exploitation.

  • Understanding and mitigating the activities of spies must become standard practice for business leaders. And if investors don’t see companies doing this, they should hold onto their money—tightly. more

Tuesday, September 29, 2020

The Modern Detective: How Corporate Intelligence Is Reshaping the World (book)

More than thirty thousand private investigators now work in the United States, Maroney reports in his new book, “The Modern Detective: How Corporate Intelligence Is Reshaping the World” (Riverhead).

They engage in a dizzying variety of low-profile intrigue: tracking missing people, tailing cheating spouses, recovering looted assets, vetting job applicants and multibillion-dollar deals, spying on one corporation at the behest of another*, ferreting out investment strategies for hedge funds, compiling opposition research. 

Contemporary private eyes, Maroney explains, are often “refugees from other industries,” including law enforcement, journalism, accounting, and academia. 

One hallmark of the business is discretion—like spy agencies, private eyes must often keep their greatest triumphs secret—so it is notable that Maroney would write a book like this. In a disclaimer, he says that he has had to change names and alter some details, presumably to protect client confidentiality. But “The Modern Detective” is not an exposé. It is part memoir, part how-to guide, a celebration of the analytical and interpersonal intelligence that makes a great investigator. more

*Counterespionage is also being done.

Today's Spy Stories

The Spanish judge presiding over the trial of a security firm owner apparently hired to spy on jailed Wikileaks publisher Julian Assange has sent a request to the US Department of Justice for an interview with Zohar Lahav, the Israeli-American vice president for executive protection at Las Vegas Sands. more

The Greek authorities have "prepared a case file that includes the offenses of forming and joining a criminal organization, espionage, violation of state secrets, as well as violations of the Immigration Code against a total of 35 foreigners," reported Greek news agency ANA-MPA... more

A bug recently found in the coding of the Instagram app could give hackers easier access to try to spy on you. more

These days, many people consider their cars to be their safe havens, their sanctuary. Did you know that your car is actually spying on you? You probably already know your phone, your computer, heck, even some running shoes, are constantly collecting and storing information about you. Most of today’s vehicles are doing it, too. Most newer model vehicles collect data and send it wirelessly and surreptitiously to the vehicle manufacturer. more | sing-a-long

Is it time to start spying on your employees? more 

Conspiracy theories are common on social media; in the field of technology, the biggest of recent years proposed that 5G will kill you (it won't). But now Apple and iOS 14 have acquired a viral conspiracy theory of their own...claims that iOS 14's new home screen widgets - specifically the Widgetsmith and Color Widgets apps - contain keyloggers that read everything you type and steal your passwords. more

No Oversight, No Limits, No Worries: A Primer on Presidential Spying and Executive Order 12,333 more

Miss Universe Thailand contestants find a ‘spy’. Another beauty queen came under the spotlight on Monday after the manager of Miss Universe Thailand favourite Chayathanus ‘Cheraim’ Saradatta was found to be doubling up as an employee of the organising company. more

Why Private Eyes Are Everywhere Now - Private investigators have been touted as an antidote to corruption and a force for transparency. But they’ve also become another weapon in the hands of corporate interests. more

International Association of Professional Security Consultants (IAPSC) NEWS - Opt In

The bi-monthly IAPSC News (emailed) is full of the latest security news, webinar offerings, and product updates.

It comes to you in one easy-to-read email. Nothing you need to know will slip by you.

Best of all, it is FREE. No obligation. Cancel any time. Just click here to opt in.

Saturday, September 26, 2020

Extortionography: Executives Recorded Bragging of Cozy Government Relationships

Top executives hoping to blast open North America's largest gold and copper mine were secretly recorded describing in detail their cozy influence over US lawmakers and regulators. 

They also revealed their intentions to go far beyond what they were saying on applications for federal permits to work near the headwaters of Bristol Bay, Alaska -- one of the last great wild salmon habitats left on Earth.

"I mean we can talk to the chief of staff of the White House any time we want, but you want to be careful with all this because it's all recorded," said Ron Thiessen, CEO of Northern Dynasty Minerals, of official communications to the White House, as he himself was recorded unknowingly. "You don't want to be seen to be trying to exercise undue influence." more

What is Extortionography? You need to know. 

Friday, September 25, 2020

Ring's New Drone Camera - George Saw This Coming

Amazon’s Ring surveillance platform announced a new line of products, including a drone with a camera designed to fly around your home, that would expand its surveillance network beyond the Ring doorbell camera...

The Always Home Cam and a new line of Ring security cameras for cars are set to launch next year: the Car Cam, Car Alarm, and Car Connect platform... 

The biggest concern, however, is about where surveillance footage will end up...

Ring claims the surveillance drone will be autonomous but that users can direct paths for it, have it occupy specific parts of your home, and have it respond to alerts from the Ring surveillance network...

Last year, hackers broke into multiple Ring cameras thanks to a particularly porous security system.  more

Ventitillation

NJ - Additional charges have been filed against an HVAC technician from West Deptford for allegedly spying on students in a school bathroom. Gregory Mahley is now facing 20 additional counts for spying on students at Cape May County Technical High School in 2013 and 2014.

Earlier this month, Mahley was charged for secretly recording girls in the bathroom at Glen Landing Middle School in Gloucester County.

Mahley allegedly positioned mirrors in stalls to create a view from an overhead air conditioning vent. more

Wednesday, September 23, 2020

If there's something strange in your neighborhood, who you gonna call?

For 18 months, residents of a village in Wales have been mystified as to why their broadband internet crashed every morning... Then local engineer Michael Jones called in assistance...

(Note: For a faster tracker, call a TSCM'er.)

Engineers used a device called a spectrum analyzer and walked up and down the village "in the torrential rain" at 6 a.m. to see if they could locate an electrical noise, Jones said in a statement. 

"The source of the 'electrical noise' was traced to a property in the village. It turned out that at 7 a.m. every morning the occupant would switch on their old TV which would in turn knock out broadband for the entire village." more | sing-a-long | TSCM'er

TSCM Nerd Corner News

  • U.S. Army scientists at the CCDC Army Research Laboratory (ARL) have developed a first-of-its-kind antenna that could change how ground vehicles and airborne systems communicate, transmit and receive radio frequency signals. The Army used a manufacturing process based on a special class of engineered materials known as metaferrites to make an ultra-thin wideband antenna. The antenna conforms to curved surfaces, making it ideal to integrate into unmanned aircraft systems, rotary-wing aircraft and ground vehicles. more

  • Of ever-increasing concern for operating a tactical communications network is the possibility that a sophisticated adversary may detect friendly transmissions. Army researchers developed an analysis framework that enables the rigorous study of the detectability of ultraviolet communication systems... In particular, ultraviolet communication has unique propagation characteristics that not only allow for a novel non-line-of-sight optical link, but also imply that the transmissions may be harder for an adversary to detect. more

  • Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication more

  • Groundbreaking new material 'could allow artificial intelligence to merge with the human brain' more

Tuesday, September 22, 2020

iRobot Picked the Wrong Person to Roomba With!

One of our Blue Blaze irregulars alerted us to some slick social engineering.

He recently purchased an iRobot Roomba 960 Robot Vacuum Cleaner. He writes...

"What is "odd" is that when we first bought the thing we didn't have any screens requiring registration. Then about two weeks later the entire user interface changed to one that required registration.

These two screens were strategically placed among "required information" even though this information was not mandatory. If you weren't paying attention you'd fill this out. Clever!"

I had a look at their Privacy Policy. Dig deep enough and you find this...

Some of our Robots are equipped with smart technology which allows the Robots to transmit data wirelessly to the Service...

• When you register your Robot with the online App, we collect information about the Robot, such as a Robot name (how cute) and device number, and information about the Robot and/or App usage (reveals when you might not be home), such as battery life and health.

• Certain Robot models are equipped to collect information about the environment in which the Robot is deployed. For example, the Robot collects information about the level of dirt detection and the Wi-Fi signal strength in each location and information about its movement throughout the environment to create a location ‘map’ of the Robot’s domain and the existence and type of objects (chair, desk, fridge etc.) or obstacles encountered.


Security Issues

  1. Do you really want a map of your home and belongings sent who-knows-where?
  2. Do you really want someone to know all your router information and password which connects to one of their apps on the internal side of your firewall?
  3. What happens when their database gets hacked?

I am guessing you don't. I'm also guessing you didn't know this was going on in the Internet-of-Things.

Ah, for the good old Jetson days when robots only talked to themselves.

Sunday, September 20, 2020

How to Detect Malicious USB Cables

A malicious cable is any cable (electrical or optical) which performs an unexpected and unwanted function. The most common malicious capabilities are found in USB cables. Data exfiltration, GPS tracking, and audio eavesdropping are the primary malicious functions...

The worst malicious cables take control of a user’s cell phone, laptop, or desktop...

We purchased and tested several malicious USB cables. From what was learned during these tests our technical staff developed several new inspection protocols.

more

Can’t identify the bugged cable?
No worries. You can’t tell just by looking; not even we can.

That’s why we put a small black mark on it.
It is Cable 3.

Saturday, September 19, 2020

Apple's iOS 14 Now Alerts You To Eavesdropping & Spycam'ing

Any time an app accesses your microphone, a little amber dot will appear in the status bar, over by where the Wi-Fi and cellular connection symbols are.

When an app accesses the camera, a green dot will appear.

These are fairly universally understood as “recording” lights and they will clearly point out when an app you’re using is accessing the camera or microphone at times it shouldn’t.

Just since the release of the iOS 14 beta, the lights have already revealed sketchy behavior in several apps that have gone on to promise updates to fix the “bugs.” (good word to use)

This and six other new privacy features can be found here... more