Monday, July 19, 2021

Private Espionage Is Booming - The US Needs a Spy Registry

via Wired Magazine...
Years ago, while
stationed in Moscow as the bureau chief for a major news magazine, I was approached by a representative of a multinational company and presented with a tantalizing offer. He said he had highly sensitive materials exposing possible criminal activity by a Russian competitor. The documents were mine with one condition: advance notice so he could be out of the country when any story was published.

I had every reason to think the materials came from a private intelligence operative hired by the company—there were many such operatives in Moscow—but I didn’t ask my source for his source. Instead I embarked on a somewhat harrowing investigation of my own, and on corroborating the materials, I was able to publish a splashy story.

This episode came back to me while reading Barry Meier’s new book, Spooked: The Trump Dossier, Black Cube, and the Rise of Private Spies. A former New York Times investigative reporter, Meier casts a harsh light on both “private spies” and journalists who make frequent use of nuggets unearthed by these operatives. In the book’s afterword, he revives an idea for “a kind of ‘spy registry’ in which operatives for hire would have to disclose the names of their clients and assignments,” just as Congress now requires of lobbyists hired to influence legislators.

Is this truly a problem in need of a solution? Or would a spy registry create worse problems?

It’s tempting to conclude that there is really nothing new here and that private spies may even supply a public service. In the original, late-19th-century Gilded Age, the Pinkerton Detective Agency devoted itself to the art of subterfuge. In 1890, a Pinkerton man went undercover on behalf of his client, the governor of North Dakota, and confirmed from rigorous barroom investigation that a fair amount of “boodle,” bribe money, was being dispensed by advocates of a state lottery opposed by the governor. The governor revealed the dirty dealings to the public, and the lottery scheme failed—all perhaps to the civic good.

Today’s circumstances are far different. Inexpensive, off-the-shelf technologies for surveillance, hacking, and spoofing make the spy game easier to play than ever before. What hired sleuth doesn’t now travel with one of those metallic-fabric bags that blocks cellphone GPS signals, like the GoDark Faraday model that sells online for $49.97? It’s an insignificant item on the expense report.  more

US Warns Businesses in Hong Kong About Electronic Surveillance

The advisory, which was nine pages long, was issued by the Departments of State, Treasury, Commerce and Homeland Security. It alerted businesses to the possible risks associated with doing business in Hong Kong. According to the advisory, businesses are at risk from electronic surveillance without warrants and the disclosure of customer and corporate data to authorities. more


 

Pegasus Spyware Back in the News

Washington Post... NSO Group’s Pegasus spyware, licensed to governments around the globe, can infect phones without a click... Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners. more

India Today... Pegasus spying: how Pegasus is installed on phone, what it does, and how to get rid of it...

  • Pegasus can be installed on vulnerable phones through a web link or a missed call.
  • The spyware can steal passwords, contacts, text messages, and photos.
  • The only way to avoid Pegasus after it has infected a phone is by getting rid of the phone.

Pegasus, developed by Israeli cybersecurity firm NSO Group, is a highly sophisticated spyware that has been referred to as the "most sophisticated smartphone attack ever". It was first noticed in 2016 but created a lot of buzz in late 2019 when it was revealed that the spyware was used for snooping on journalists and human rights activists across the globe, including in India. more

Tech Xplore... Pegasus spyware: how does it work?

More recent versions of Pegasus, developed by the Israeli firm the NSO Group, have exploited weak spots in software commonly installed on mobiles.

In 2019 the messaging service WhatsApp sued NSO, saying it used one of these so-called "zero-day vulnerabilities" in its operating system to install the spyware on some 1,400 phones.

By simply calling the target through WhatsApp, Pegasus could secretly download itself onto their phone—even if they never answered the call.

More recently, Pegasus is reported to have exploited weaknesses in Apple's iMessage software.

That would potentially give it access to the one billion Apple iPhones currently in use—all without the owners needing to even click a button. more

Why You Can't Get James Bond's Custom Martini These Days

 via Futility Closet... (worth subscribing)


In the first James Bond novel, 1953’s Casino Royale, Bond orders a drink of his own invention:

‘A dry martini,’ he said. ‘One. In a deep champagne goblet.’

‘Oui, monsieur.’

‘Just a moment. Three measures of Gordon’s, one of vodka, half a measure of Kina Lillet. Shake it very well until it’s ice-cold, then add a large thin slice of lemon peel. Got it?’

‘Certainly monsieur.’ The barman seemed pleased with the idea.

‘Gosh, that’s certainly a drink,’ said Leiter.

Bond laughed. ‘When I’m … er … concentrating,’ he explained, ‘I never have more than one drink before dinner. But I do like that one to be large and very strong and very cold, and very well-made. I hate small portions of anything, particularly when they taste bad. This drink’s my own invention. I’m going to patent it when I think of a good name.’

The name he thinks of is the Vesper, ostensibly inspired by the character Vesper Lynd. But in fact the recipe wasn’t original to Bond — Fleming had first received the drink from the butler of an elderly couple in Jamaica — it was named after vespers, a service of evening prayer. Bond says, “It sounds perfect and it’s very appropriate to the violet hour when my cocktail will now be drunk all over the world.” He’d have trouble getting one today — Kina Lillet was discontinued in 1986, and the strength of Gordon’s Gin was reduced in 1992.

Thursday, July 15, 2021

The "Encrypted" Cell Phones Had One Flaw: The FBI Controlled Them

The criminals texted each other about drug deals and money laundering, confident in special encrypted devices using a platform dubbed Anom. There was just one problem for the crime rings: The FBI was being copied on every message — millions of them worldwide. In fact, the agency had sent the Anom devices into the black market in the first place.

Those are the details and allegations that are now emerging about Operation Trojan Shield, an international effort coordinated by the FBI that has resulted in more than 800 arrests.

With the help of Europol, the FBI identified "over 300 distinct TCOs [transnational criminal organizations] using Anom, including Italian organized crime, Outlaw Motorcycle Gangs, and various international narcotics source, transportation, and distribution cells," according to a search warrant affidavit filed in court by Nicholas Cheviron*, an FBI special agent in San Diego. The document was unsealed Monday.

In addition to heading the investigation, FBI Special Agent, Nic Cheviron (son of the best corporate security director ever), wrote the search warrant. It is a fascinating read.

Wednesday, July 14, 2021

Quantum Disappointment to Quantum Reserection

In theory, quantum cryptography enables two or more people to communicate with one another in complete secrecy. In practice, eavesdroppers can exploit weaknesses in the equipment used to send and receive secret keys.

Researchers in Singapore have now shown how practice can be brought closer to theory—by inserting a fairly simple passive device to prevent eavesdropping attacks involving bright light (Phys. Rev. X, doi: 10.1103/PRXQuantum.2.030304). They reckon their solution could be widely adopted in future, having shown that it can be applied to a number of popular cryptographic schemes...

Here is how it works.
Don't worry if you don't get it.
Just pretend Dr. Emilio Lizardo is doing the explaining.

Their device exploits an acrylic prism with a negative thermo-optical coefficient. Incoming light generates a gradient in temperature, and therefore in refractive-index, inside the prism that turns the acrylic into a concave lens. A small aperture placed behind the prism blocks most of the resulting diverged light beam, diminishing the beam power. more

Weird Science - Windows that Prevent and Facilitate Eavesdropping (you decide)

C-Bond Systems
(the “Company” or “C-Bond”) (OTC: CBNT), a nanotechnology solutions company, announced today that it has received a purchase order for $220,000 to install specialty defense window film for a government customer.

Radio frequency defense film, also known as RF attenuation window film or anti-eavesdropping film, protects homes or workplaces against radio frequencies and electromagnetic radiation. The RF film that the customer requires meets strict security requirements for facilities handling classified or other sensitive information. The government customer has requested to remain anonymous for security reasons. more 

We've been down this road before, in 2007 and 2009.

•••


Listening & Anti-Eavesdropping Device

(18 years ago this month)
Abstract

A method and apparatus for transmitting information from a conversation in a room to a remote listener comprising selecting a structure (101) in the room which is capable of supporting vibration, selecting an electromechanical force transducer (90) which has an intended operative frequency range and comprises a resonant element (84, 86) having a frequency distribution of modes in the operative frequency range, mounting the transducer (90) to the structure (101) using coupling means (68) whereby the transducer excites vibration in the structure, positioning a sensor to detect vibration in the structure (101), determining information from the detected vibration and transmitting said information to a remote listener. There is also provided an anti-eavesdropping system which is the reverse of the method and apparatus according to the first and second aspects of the invention. (self-licking ice cream cone) more

Nervy Doctor Arrested - Spy Cameras Found in Woman Doctor's Bedroom & Bath

India - A 42-year-old neurologist was arrested in Maharashtra's Pune for allegedly installing spy cameras in the bathroom and bedroom of a trainee doctor's residential quarters, police said on Tuesday.

"The accused doctor is a neurologist lecturer at a city-based medical college," said Jagannath Kalaskar, senior police inspector, Bharti Vidyapeeth police station.

Last week, the trainee doctor had tried to switch on the bulb in her bathroom, however, it did not work. She then called an electrician who spotted a spy camera installed in the bulb. The doctor found another spy camera in her bedroom too, following which she lodged a police complaint. more

Facebook Reportedly Fired 52 Employees Caught Spying on Users

Facebook fired 52 employees for abusing their access to the social network’s user data — including creepy men who obtained location data on women they were romantically interested in, according to a new report. 

Using their access to troves of user data through Facebook’s internal systems, male engineers were able to view women’s locations, private messages, deleted photos and more, according to a bombshell report in the Telegraph...

While 52 employees were fired for such transgressions in 2014 and 2015, Facebook’s then-chief security officer Alex Stamos reportedly warned that hundreds of others may have slipped by unnoticed. more

Friday, July 2, 2021

Recording Conversations And Phone Calls - A Quick Primer

by Gary L. Wickert

One-Party Consent

If the consent of one party is required, you can record a conversation if you’re a party to the conversation. If you’re not a party to the conversation, you can record a conversation or phone call provided one party consents to it after having full knowledge and notice that the conversation will be recorded...

All-Party Consent

Twelve (12) states require the consent of everybody involved in a conversation or phone call before the conversation can be recorded. Those states are: California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania and Washington. These laws are sometimes referred to as “Two-Party” consent laws but, technically, require that all parties to a conversation must give consent before the conversation can be recorded.

Consent

What constitutes “consent” is also an issue of contention when you are considering recording a conversation. In some states, “consent” is given if the parties to the call are clearly notified that the conversation will be recorded, and they engage in the conversation anyway. Their consent is implied. For example, we have all experienced calling a customer service department only to hear a recorded voice warning, “This call may be recorded for quality assurance or training purposes.” It is usually a good practice for practitioners to let the witness know they are recording the call in order to accurately recall and commemorate the testimony being given – such as during the taking of a witness’ statement.

Exceptions

Nearly all states include an extensive list of exceptions to their consent requirements. Common exceptions found in a majority of states’ laws include recordings captured by police, court order, communication service providers, emergency services, etc... 

Interstate/Multi-State Phone Calls

Telephone calls are routinely originated in one state and participated in by residents of another state. In conference call settings, multiple states (and even countries) could be participating in a telephone call which is subject to being recorded by one or more parties to the call. This presents some rather challenging legal scenarios when trying to evaluate whether a call may legally be recorded. A call from Pennsylvania to a person in New York involves the laws of both states. Which state’s laws apply and/or whether the law of each state must be adhered to are questions parties to a call are routinely faced with...

Federal Law

In most cases, both state and federal laws may apply. State laws are enforced by your local police department and the state’s attorney office. Federal wiretapping laws are enforced by the FBI and U.S. Attorney’s office. It is a federal crime to wiretap or to use a machine to capture the communications of others without court approval, unless one of the parties has given their prior consent. This means that if you are initiating a recording on a call that you are participating in, the other party does not need to be notified that the call is being recorded. It is likewise a federal crime to use or disclose any information acquired by illegal wiretapping or electronic eavesdropping. more

More information on the laws in all 50 states regarding the recording of phone conversations found here.

Don't Own the Trade Secret But Still Want to Sue for Misappropriation?

You may be able to bring a misappropriation of trade secrets claim even if you do not actually own the misappropriated trade secret. A growing number of federal cases indicate ownership of a trade secret may not be required in order for a plaintiff to sue for misappropriation; possession alone may be enough to confer standing.

In Advanced Fluid Systems, Inc. v. Huber, the Third Circuit affirmed a district court ruling holding that a plaintiff suing for misappropriation under the Pennsylvania Uniform Trade Secrets Act (“PUTSA”) need only demonstrate lawful possession of the trade secret at issue, and not legal ownership, to maintain a claim. There, Advanced Fluid Systems (“AFS”), a designer and installer of hydraulic systems, filed suit against defendants alleging they had conspired to misappropriate AFS trade secret information to divert business to a competitor.  

Trade Secret Tug of War

In a twenty-six page opinion, the Court concluded that fee simple ownership of a trade secret is not a prerequisite to recover for its misappropriation. more

Saturday, June 26, 2021

FutureWatch – The Eyes Have IT

One of the more interesting aspects of Technical Surveillance Countermeasures (TSCM), or sweeping for bugs, is looking into the future. Seemingly an exercise in entertainment at first glance, looking forward has a serious purpose—staying ahead of the bad guys, not one step behind (as some TSCM’ers seem to be proud to say). Smart contact lens technology caught my eye for this episode of FutureWatch.

Taking a look at “future vision” we see… more

While we don’t have smart contact lenses yet, we do have X-ray vision.

Wednesday, June 23, 2021

FutureWatch - Super Microphones Coming to Eavesdropping Devices and...

... more mundane items like smart speakers and cell phones...  

 A KAIST research team ... has developed a bioinspired flexible piezoelectric acoustic sensor with multi-resonant ultrathin piezoelectric membrane mimicking the basilar membrane of the human cochlea. The flexible acoustic sensor has been miniaturized ... is ready for accurate and far-distant voice detection. more

Tuesday, June 22, 2021

CCTV Company Pays Remote Workers to Yell at Armed Robbers

Clerks at 7-Eleven and other convenience stores are being constantly monitored by a voice of god that can intervene from thousands of miles away.Screen Shot 2021-06-18 at 2

In a short CCTV video, a clerk at a small convenience store can be seen taking a bottle of coffee from a cooler and drinking it. When he returns to the cash register, an unseen person's voice emits from a speaker on the ceiling and interrogates him about whether he scanned and paid for the item.

In another video, a cashier is standing behind the counter talking to someone just out of frame. There’s a 'ding' sound, and the voice from above questions the cashier about who the other man is—he’s there to give the cashier a ride at the end of his shift—then orders the man to stand on the other side of the counter.

The videos are just a few examples that Washington-based Live Eye Surveillance uses to demonstrate its flagship product: a surveillance camera system that keeps constant watch over shops and lets a remote human operator intervene whenever they see something they deem suspicious.  

For enough money—$399 per month according to one sales email Motherboard viewed—a person in Karnal, India will watch the video feed from your business 24/7. The monitors “act as a virtual supervisor for the sites, in terms of assuring the safety of the employees located overseas and requesting them to complete assigned tasks,” according to a job posting on the company's website. more


Thursday, June 17, 2021

Security Director Alert: Millions of Connected Cameras Open to Eavesdropping

A supply-chain component lays open camera feeds to remote attackers thanks to a critical security vulnerability.  


Millions of connected security and home cameras contain a critical software vulnerability that can allow remote attackers to tap into video feeds, according to a warning from the Cybersecurity and Infrastructure Security Agency (CISA).

The bug (CVE-2021-32934, with a CVSS v3 base score of 9.1) has been introduced via a supply-chain component from ThroughTek that’s used by several original equipment manufacturers (OEMs) of security cameras – along with makers of IoT devices like baby- and pet-monitoring cameras, and robotic and battery devices. 

The potential issues stemming from unauthorized viewing of feeds from these devices are myriad.

For critical infrastructure operators and enterprises:

  • video-feed interceptions could reveal sensitive business data,
  • production/competitive secrets,
  • information on floorplans for use in physical attacks,
  • and employee information.

And for home users, the privacy implications are obvious. more