Thursday, July 2, 2009

iOpener

If you own an iPhone, security researcher Charlie Miller can take control of it, and short of turning off the device, it appears there isn't much you can do to stop him. Not until Apple fixes the flaw, anyway.

Exploiting a bug in the way iPhones parse SMS messages, the principal analyst at Independent Security Evaluators has demonstrated how to send malicious commands to monitor the phone's location, turn on its microphone, or cause it to join a DDoS, or distributed denial of service attack, according to this report from IDG News.

The vulnerability is significant because there are few measures iPhone users can take to prevent an attack... (more)

Dumpster Diver Surfaces with New Identities

CA - Police have arrested a man who allegedly admitted to stealing the identities of more than 500 people by going through the trash of local banks and businesses.

The criminal complaint filed against 30-year-old suspect Jonah Nelson claims that he made more than 1,000 fake ID cards that he used to rip off people, stores and banks. Nelson also allegedly admitted to stealing the identities of more than 500 people all acro
ss Northern California, ranging from the Bay Area to the Central Valley.

Federal agents say Nelson said it was easy to find new victims: All he needed to do was visit a local bank and search their dumpsters. (
more)

My amazing bank shredder story...
I received a package cushioned with strips of shredded paper filler...
made from bank records!

Names, addresses, deposit amounts, account numbers, phone numbers, Social Security numbers. It was all there. Easily reconstructed.

This was worth looking into.

My secretary wrote to the company who sent us the box...
“Your packing material was most interesting (the recycled paper). Is there a company that supplies it? Is there a charge for it? If you have a company name I would appreciate your sharing it with me. Thanks!”

Their reply...

“Check with any local bank - they shred 6-10 bags per week - you can get it for free for the asking!”

Fortunately, this was an honest person. They could just as easily have been and investigator or spy... and, the bank could have been any business or government agency.

Were their hearts in the right place for recycling?
Probably.

Is this a good practice.
No.

Buy and use a good crosscut shredder. ~Kevin

Wednesday, July 1, 2009

The Search Engine That Didn't Snitch... and other disasters

Hey gang, it's almost Independence Day here in America. Yup, July 4th is just around the corner.

Fireworks are in America's bloodstream... but, did you know your on-line curiosity could get you in trouble with the terrorist chasers? Your fireworks search engine enquires might start popping red flags...

"Ludlow Kissel and the Dago Bomb That Struck Back"
"What is a Dago Bomb?"
"How can I build a Dago Bomb?"
"Dago Bomb ingredients"
"What was blown up by the Dago Bomb?"

(Knock, Knock)
"We're from Homeland Security..."


"Excelsior, you fathead!" Next time, don't use a search engine that captures your IP address. Search privately. Go to https://www.ixquick.com
ixquick is the only search engine which gives you anonymity.

Oh, and Ludlow... he had his 15 minutes of fame... about 2:17 into this Great American Fourth of July video. ~Kevin

UPDATE - NEW URL. Startpage.com

Monday, June 29, 2009

Security Director Alert - Fake Tweets

Twitter users have caused an uproar by impersonating celebrities on the popular micro-blogging service. Businesses, too, are targets of fake Twitter profiles -- sometimes from competitors.

Exxon Mobil Corp. has found at least two unauthorized Twitter accounts under variations of its name. Twitter -- a networking service where users create profiles and send out short messages, or "tweets" to their followers -- terminated one of the profiles last summer. An Exxon spokesman says the oil company is considering what to do about the second profile, which it discovered several weeks ago.

In a defensive move, AMR Corp.'s American Airlines in April "registered every possible Twitter name that could be associated with us," a spokesman says. The move came after airline employees last summer found a rogue profile in the name AmericanAir, which was shut down four weeks later.

At Elevation Burger, a seven-outlet chain owned by Elevation Franchise Ventures LLC, a vendor in March found an unauthorized Twitter profile with tweets promoting rival Z Burger. Hans Hess, Elevation's founder and chief executive, complained to Z Burger and Twitter, which later suspended the profile after a letter from Mr. Hess's lawyer.

Amusement-park operator Cedar Fair LP, of Sandusky, Ohio, received an email from a marketing consultant who had created a Twitter profile in the name of its Cedar Point amusement park. The consultant, David Goebel, president of Goebel Group Inc., offered to relinquish control of the account in exchange for season passes to the Cedar Fair park and suggested that the company hire his firm to oversee its Twitter account. (more)

Recommendation: Get to know Twitter. Monitor it for malicious content about your company, the same way you monitor the Web and chat groups.

You do monitor, don't you?


Ok, I'll give you this tip for free...
Plug yourself into Addictomatic.com. It's free too.

Bugs found in Georgian Opposition Party's office

In the office of Georgian opposition party “Way of Georgia” eavesdropping bugs were discovered to have been installed in the office’s electrical sockets.

The leader of the party, ex-minister of foreign affairs Salome Zurabishvili, said that the devices were found where meetings take place among leaders of the party, which is demanding the resignation of current Georgian President Mikhail Saakashvili.

“They were found by employees of the party in the electrical sockets of the room,” said Zurabishvili, who showed the devices to journalists. (more)

SpyCam Story #539 - The Watchful Neighbor

CA- Police in Newbury Park say they've found evidence that a man arrested for allegedly spying on his female neighbors with a hidden camera may have taped other people as well.

Police say Michael Farge, 38, recorded the daily activities of his neighbors, including them changing, for more than two years.

Residents of the community of condos near Wheelwright Lane told KTLA that Farge was good friends with the women he is accused of watching, a woman and her 19-year-old daughter.


They said Farge had a key to the victims' house and watched their house and pets when they were out of town. (more) (video)

Technical director of new product development... charged with 5 counts of spying

A federal grand jury indicted former Arlington Heights resident David Yen Lee on charges he stole trade secrets to divulge to a competitor.

The indictment, which U.S. attorney Patrick Fitzgerald announced Friday, charges Lee with five counts of economic espionage.

According to the indictment, the 52-year-old Lee worked as technical director of new product development for the Wheeling branch of Valspar Corp., a Minneapolis-based paint company, from 2006 to March 2009.

According to the indictment, Lee downloaded documents and data from Valspar and its China subsidiary, Huarun Ltd., to an external thumb drive... (more)

Building Spy Bats

Researchers are studying creatures that fly through the night in hopes of making tiny flying spies.

(right) AeroVironment's DARPA-funded prototype drone made a successful test flight, lifting itself and its energy source.

The most popular of these drones are called Ravens, built by the Monrovia, Calif., company AeroVironment. They are about 4.5 feet across, weigh six pounds and can stay aloft for about an hour and a half. (More, with two cool clips of a bat flying in slow motion.)

Friday, June 26, 2009

FutureWatch - Amazing MagLev

Is this cool, or what?!?!
Enjoy your weekend.
See you Monday.

Japan discovers 1970's 'Broken Window Theory'

A Tokyo district plagued with burglaries has turned to planting flowers to beautify its streets and help stamp out crime.

"'Operation Flower' began about three years ago. By planting flowers facing the street, more people will be keeping an eye out while taking care of the flowers or watering them," said Kiyotaka Ohyagi, a Suginami City official...

Suginami, with a population of 528,800, saw a record 1,710 break-ins in 2002... Suginami says its efforts have paid off, with the number of burglaries falling to 390 in 2008, down almost 80 percent from 2002.

Oh, by the way...
The flowers are part of a wider crime prevention campaign. The district also has 9,600 volunteer patrollers and 200 security cameras set up in areas where there are frequent break-ins. It also emails crime information daily to residents. (more)

Broken Window Theory... (via The Atlantic - March 1982)
...at the community level, disorder and crime are usually inextricably linked, in a kind of developmental sequence. Social psychologists and police officers tend to agree that if a window in a building is broken and is left unrepaired, all the rest of the windows will soon be broken. This is as true in nice neighborhoods as in rundown ones. Window-breaking does not necessarily occur on a large scale because some areas are inhabited by determined window-breakers whereas others are populated by window-lovers; rather, one unrepaired broken window is a signal that no one cares, and so breaking more windows costs nothing. (It has always been fun.)

Philip Zimbardo, a Stanford psychologist, reported in 1969 on some experiments testing the broken-window theory. He arranged to have an automobile without license plates parked with its hood up on a street in the Bronx and a comparable automobile on a street in Palo Alto, California. The car in the Bronx was attacked by "vandals" within ten minutes of its "abandonment." The first to arrive were a family—father, mother, and young son—who removed the radiator and battery. Within twenty-four hours, virtually everything of value had been removed. Then random destruction began—windows were smashed, parts torn off, upholstery ripped. Children began to use the car as a playground. Most of the adult "vandals" were well-dressed, apparently clean-cut whites. The car in Palo Alto sat untouched for more than a week. Then Zimbardo smashed part of it with a sledgehammer. Soon, passersby were joining in. Within a few hours, the car had been turned upside down and utterly destroyed. Again, the "vandals" appeared to be primarily respectable whites. (more)

"How does this apply to information security?"
If management doesn't care, employees won't care. When employees don't care, your company is easy pickings for info-vultures. Patch all the holes. ~Kevin

FutureWatch - Your Own Private Internet

For those struggling with privacy on the Web, security researchers at Hewlett-Packard might have found the light at the end of tunnel.

A duo from HP's Web security group, Billy Hoffman and Matt Wood, are scheduled to present an idea at the BlackHat security conference in July that could shed new light on an old idea about how to communicate privately over the Internet.

The researchers, who previewed their concept to Forbes, say
their model works like a private Internet on top of the existing public one: People can share information like files and messages via the Internet medium, but without the kind of public-facing personally identifiable information that Internet protocol addresses provide...

The darknet concept as we know it today has been around for a while, and current implementations usually rely on some sort of third-party technology to make it work. The model Hoffman and Wood are previewing is notable in that it uses the latest in rich Internet technologies to make using a darknet as simple as browsing a Web site. That innovation should drastically reduce the barrier to sharing secure information over darknets. (
more)

Thursday, June 25, 2009

The Apple Lesson

"You can only give them as much security as they will take," the old saying goes.

Most organizations don't take much.
"Not our corporate culture."
"People would quit."
"How do you enforce that!"
These excuses are lame.
Worse, they are profit suckers.

Considering information is the genesis of profits, it is hard to fathom laissez faire attitudes. Employees want to be part of a successful, cool, winning organization. They want their company to be profitable. To them it means job security, better salaries and prestige.

All they need is leadership.


"Prove it," I hear you say.

via The New York Times...
Apple is one of the world’s coolest companies. But there is one cool-company trend it has rejected: chatting with the world through blogs and dropping tidbits of information about its inner workings.

Few companies, indeed, are more secretive than Apple, or as punitive to those who dare violate the company’s rules on keeping tight control over information. Employees have been fired for leaking news tidbits to outsiders, and the company has been known to spread disinformation about product plans to its own workers.

“They make everyone super, super paranoid about security,” said Mark Hamblin, who worked on the touch-screen technology for the iPhone and left Apple last year. “I have never seen anything else like it at another company.”...

Secrecy at Apple is not just the prevailing communications strategy; it is baked into the corporate culture. Employees working on top-secret projects must pass through a maze of security doors, swiping their badges again and again and finally entering a numeric code to reach their offices, according to one former employee who worked in such areas...

...the culture of secrecy had its origin in the release of the first Macintosh, which competitors like Microsoft and Sony knew about before it was unveiled. (more)

There is a lesson here.
On September 25, 1981 Apple stock traded at $1.78; today, $139.86.

This doesn't happen by letting someone pick your intellectual pockets.
Be proactive. Create a strong information secuity program.
Your employees will love it, and respect you for it.

Wednesday, June 24, 2009

Paris Hilton bugged by hotel-room bugging

For once, it seems that someone is actually interested in what Paris Hilton has to say, as the heiress' bodyguards have reportedly found a secret recording device hidden in her hotel room in Dubai.

The U.K. Daily Express reports that Hilton, 28, was less than pleased after the bug was discovered, immediately ordering more security and demanding that hotel staff investigate where the device came from. The incident has not stalled production of the Dubai edition of Hilton's My New BFF reality show.


"
We're not sure what the device picked up or whom it was transmitting to. But it did leave Paris very jittery," a source working with Hilton told the Express. "Everyone she has come into contact with during her stay in Dubai has been fantastic and gracious. We've been told there are some quarters where there is anti-American feeling." (more)

While you may not be a Paris Hilton fan, give her credit. She hired competent security who knew how to find bugs. Should you need the same,
contact me. ~Kevin

Update...
Paris Hilton has played down media reports that her Dubai hotel room was bugged, saying stories in the British tabloids were "another lie created by the media"... None of Hilton's spokespeople were available to comment on Wednesday morning. (more)

We'll keep you posted.

Spies Under Every Watt?

The electric-utility industry is planning a pilot initiative to see whether Chinese spies have infiltrated computer networks running the power grid, according to people familiar with the effort.

Officials of the North American Electric Reliability Corp., an industry regulatory group, are negotiating with a defense contractor for the job of searching for breaches by cyberspies, according to people familiar with the plans...


The Wall Street Journal reported in April that Russian and Chinese spies had penetrated the U.S. electric grid. (more)

China dominates NSA-backed coding contest

About 4,200 people participated in the U.S. National Security Agency-supported challenge... Programmers from China and Russia have dominated an international competition on everything from writing algorithms to designing components... Of 70 finalists, 20 were from China, 10 from Russia and two from the U.S.... Of the total number of contestants, 93% were male, and 84% were aged between 18 and 24. (more)

"You too may be a big hero,
Once you've learned to count backwards to zero.
'In German oder English I know how to count down,
Und I'm learning Chinese,' says Wernher von Braun."
Tom Lehrer1965