Most of Your Employees are Snoops

A new survey of IT security professionals reveals that 92 percent of respondents say employees at their organizations try to access information that is not necessary for their day-to-day work.

The study from identity management company One Identity also shows that IT security professionals themselves are among the worst offenders for corporate data snooping. One in three respondents admit to having accessed sensitive information that is not necessary for their day-to-day work -- showing an ongoing abuse of elevated rights given to the IT security role.

More than one in three (36 percent) of IT pros admit to looking for or accessing sensitive information about their company’s performance, beyond what is required to do for their job. 71 percent of executives admit seeking out extraneous information, compared to 56 percent of non-manager-level IT security team members. Additionally, 45 percent of executives admit to snooping for or accessing sensitive company performance information specifically, compared to just 17 percent of non-manager team members.

In smaller companies the problem is worse... more

No surprise here. Over half of the eavesdropping and information loss issues crossing my path (over the last four decades) are employee related. ~Kevin

Spybuster Tip #712: How to Vacuum Your Amazon Breadcrumbs

Amazon automatically tracks the products you browse on the site and compiles a visual list on your account’s home page, in case you are inspired to follow through with a purchase on a return visit.

If you find this sort of thing more creepy than helpful — or you share a computer and would rather not have others see your shopping whims — you can disable the tracking.

To do that, go to Amazon.com and log into your account. Click the Browsing History link at the top of the main page (just below the search window) to see the recent items you previously viewed while clicking around on the site. At the top of the page, click Manage History. more

Spike in Spy Camera Sales Online Causes Concern

Over a period of time, a sales engineer in Singapore amassed 280 obscene films, many of which depicted women in various stages of undress in public bathrooms and changing rooms.

The unsuspecting women, including schoolgirls, were filmed with secret cameras, and Joel Chew Weichen, 27, had collected the films for distribution.  

Based on checks by The Straits Times, a worrying trend has emerged - the sale of such cameras is on the rise.

On online shopping platform Lazada, which has more than 600,000 hidden camera products available, sales of such cameras have grown 1.5 times this year compared with last year. The cameras come disguised as clocks, pens and even smoke detectors.

A spokesman said spy pens, which can cost about $12, are the most popular. Spectacles with built-in cameras may cost about $85...

Chew, who was sentenced to six months in jail this month, was the first of five individuals to plead guilty to having the obscene films for distribution.

He was also part of groups that share and download such videos.

The victims were secretly filmed while in bathrooms in cafes, schools, offices, changing rooms of popular fashion outlets, and bathroom showers in private homes. more

Note: An on-line spycam detection training course is available to organizations and individuals.

My Sister Bugged my Teddy Bear

Chicago - Nobody feuds like a rich family with lawyers on the payroll.

But even by the standards of the tony North Shore, the bitter courtroom battles between the children of the late property developer Aaron Israel stands out.

The Israel brothers — Harvey, Alan and David — have been fighting on and off in court with their sister, Diane, and their late father over the family fortune for 25 years.

Now David Israel is suing his sister for more than $1 million, alleging she hired a private eye who bugged his Northbrook office with a recording device hidden inside a teddy bear.

A recently filed federal complaint includes a photo of the scarf-wearing pink bear, which David says he received from a cancer charity. According to the lawsuit, David cut open the bear and found a listening device inside it after he was taunted by an anonymous text-messager who told him about his office being bugged and said there was “a big surprise” inside the bear.

The taunting text and other creepy anonymous messages (including one telling him “A bit hot to be wearing that shirt don’t you think David?”) were sent by a private eye hired by Diane, according to David’s lawsuit, which also alleges that a listening device was installed in a plant pot, and that his Highland Park home and Gold Coast condo were bugged along with his cars.

Though the private eye, Michael Bucon, in April pleaded guilty to planting the bugs, Diane denies the allegations and wants U.S. District Judge Andrea Wood to throw out the lawsuit... more

How the All Blacks Bugging Story Ends

The security consultant who escaped conviction in a bugging case is reportedly back working with the All Blacks in Australia.

Adrian Gard, 52, was placed on a one-year good behaviour bond last month for breaching his security licence when organising a sweep of the Sydney hotel where the All Blacks were staying ahead of a test match against Australia in August of last year. more

Wi-Fi Traffic Open to Eavesdropping

Researchers have disclosed a serious weakness in the WPA2 protocol that allows attackers within range of vulnerable device or access point to intercept passwords, e-mails, and other data presumed to be encrypted, and in some cases, to inject ransomware or other malicious content into a website a client is visiting...

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks...

A website disclosing the vulnerability said it affects the core WPA2 protocol itself and is effective against devices running Android, Linux, and OpenBSD, and to a lesser extent macOS and Windows, as well as MediaTek Linksys, and other types of devices.

The site warned that attackers can exploit the flaw to decrypt a wealth of sensitive data that's normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol. "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on," more

Google Home Mini Caught 'Spying' on Owner

A flaw has been discovered in the new Google Home Mini that allows the device to secretly record without the user knowing and sending the information to Google.

The flaw was discovered last week by tech blogger Artem Russakovskii and written about on Android Police. Russakovskii, who was given a free sample device before the official launch later this month, first noticed the device continually turned on and off on its own. Later, when he checked the activity logs, he saw that the device was recording without being prompted.

"My Google Home Mini was inadvertently spying on me 24/7 due to a hardware flaw," Russakovskii wrote.

In a letter to Google, he added: "Needless to say, if a listening device records almost every minute of every day and stores it remotely, we're talking about a huge privacy violation." Google then sent out an engineer to pick up and examine the next day. They then said the problem stemmed from a a glitch on the device's touch pad.

FutureWatch - Microphone with an Ear and Brains, or how to stay ahead of the bad guys...

Clients know how quickly technology advances, and they occasionally ask...

"Aren't you always one step behind the bad guys?"

I've heard some colleagues agree, and even mention it themselves as a pre-sweep hedge against failure, along with the idiotic statement, "All bets are off once we leave." Talk about defeatist logic.

The bad guys question is a good one, however, and there are several answers. All depend upon the mindset of the TSCM team...

1. Yes, if you buy a detection gadget and only read the instructions.
2. Yes, if you just surf the Internet for education.
3. Yes, if you're getting your education from an annual TSCM seminar, or occasional training course.
4. No, if you pay attention to research papers, newly developing electronic components and processes, before they are used in surveillance devices.

Here is a Number 4 example I came across this week... a very tiny microphone with an ear, a brain, and almost no need to be fed electricity.

Wake-On Sound - Piezoelectric MEMS Microphone
PUI Audio's ZeroPower Listening™ piezoelectric MEMS microphone designed for ultra-low power always listening solutions. 

PUI Audio’s PMM-3738-VM1010-R is a single-ended analog MEMS microphone with wake-on sound. The wake-on sound mode allows for detection of voice activity while consuming only 5 μA of supply current (9 μW of power). In wake-on sound mode, a sound in the vocal band above the level threshold instantly alerts a processor of an acoustic event. The processor (DSP or voice processor) then switches the PMM-3738-VM1010-R into normal mode, with full audio output within 100 microseconds. Fast enough for the microphone to capture the triggering sound and pass it along for processing. This is the system architecture for ZeroPower Listening. 

Wake-on sound delivers voice activation to battery-powered voice-interface consumer devices, such as smart speakers, smart TV remote controls, smart headphones, and IoT smart home products, while drawing nearly zero power. 

PUI Audio’s PMM-3738-VM1010-R, the first wake-on sound MEMS microphone, brings voice activation to battery-powered devices of all kinds. Drawing a scant 5 μA of current while in listening mode, PUI Audio’s newest piezoelectric MEMS microphone is the only device that uses sound energy itself to wake a system from full power-down. 

The PMM-3738-VM1010-R features a configurable voice zone, allowing voice in a 5 foot to 20 foot radius-zone to trigger the system and increase to a higher-power mode. When the environment is quiet, the system can enter the low-power ”wake-on-sound” mode. 

Imagine the new types of eavesdropping devices this microphone will make possible.

Combine this with a battery powered bug that recharges using ambient radio-frequency signals, and you have a sleeper bug that could (theoretically) last forever. 

The bad guys probably haven't built and deployed this yet, but when they do, it won't be a surprise to us.

The posts tagged FutureWatch you see in the Security Scrapbook are examples of Number 4 attention to detail. Here are some more...
https://spybusters.blogspot.com/2017/03/futurewatch-cheap-difficult-to-detect.html
https://spybusters.blogspot.com/2013/08/solar-powered-smartphones-and-more.html

New Clickless Bluetooth Attack - Billions of Devices Vulnerable

Researchers have devised an attack that uses the wireless technology to hack a wide range of devices, including those running Android, Linux, and, until a patch became available in July, Windows.

BlueBorne, as the researchers have dubbed their attack, is notable for its unusual reach and effectiveness. Virtually any Android, Linux, or Windows device that hasn't been recently patched and has Bluetooth turned on can be compromised by an attacking device within 32 feet. It doesn't require device users to click on any links, connect to a rogue Bluetooth device, or take any other action, short of leaving Bluetooth on. The exploit process is generally very fast, requiring no more than 10 seconds to complete...

"Just by having Bluetooth on, we can get malicious code on your device," Nadir Izrael, CTO and cofounder of security firm Armis, told Ars. "BlueBorne abuses the fact that when Bluetooth is on, all of these devices are always listening for connections."
Patch now, if you haven't already. more

Cautionary Tale: Spycams in Schools

As the school season starts, unfortunately it's time to remind children to be alert for spycams. Unfortunately, this is a story which pops up at least once or twice per month. Different players, same teacher v. student scenario...

Canada - A gymnastics coach who secretly filmed his young athletes using the toilet has received a two-year sentence for making and possessing child pornography. 

Just one of many disguises.

Angelo Despotas, 48, betrayed the trust of the students he was supposed to be teaching, guiding and inspiring, provincial court Judge Jim Threlfall told a sentencing hearing in Kelowna, B.C.

"The damage done to the victims is incalculable," Threlfall said. "Many of the victims had trained with him for years."

Despotas earlier pleaded guilty to the charges and received two consecutive sentences of 14 months for making child pornography and 10 months for possessing it. more

The Good News, Bad News VPN Joke

In January this year, China announced a 14-month campaign to crack down on VPNs in a bid to tighten online surveillance
ahead of the 19th National Congress of the Communist Party of China which opens in October....

Unlike individual users, multinational firms operating in China are still permitted to use VPNs in what amounts to something of a legal grey area, but it is likely that this usage will be restricted to software approved by the government, which will presumably have backdoors installed to allow eavesdropping, raising fears of an increase in industrial espionage activities. more

Apple Watch is Center of Sports Spying Scandal

For decades, spying on another team has been as much a part of baseball’s gamesmanship as brushback pitches and hard slides. The Boston Red Sox have apparently added a modern — and illicit — twist: They used an Apple Watch to gain an advantage against the Yankees and other teams.

Investigators for Major League Baseball have determined that the Red Sox, who are in first place in the American League East and very likely headed to the playoffs, executed a scheme to illicitly steal hand signals from opponents’ catchers in games against the second-place Yankees and other teams, according to several people briefed on the matter...

The Yankees, who had long been suspicious of the Red Sox’ stealing catchers’ signs in Fenway Park, contended the video showed a member of the Red Sox training staff looking at his Apple Watch in the dugout. The trainer then relayed a message to other players in the dugout, who, in turn, would signal teammates on the field about the type of pitch that was about to be thrown, according to the people familiar with the case.

Baseball investigators corroborated the Yankees’ claims based on video the commissioner’s office uses for instant replay and broadcasts, the people said. more

What's with Boston anyway?!?! Spying football team. Spying baseball team. Ugh.  

Extra Credit: Turn Your iPhone into a Spy Camera Using Your Apple Watch [How-To]
Put this in your pocket to be extra covert. ~Kevin

"So, we created a picture of our suspect from DNA sweat found on the bugging device."

Damn interesting...
Identification of Individuals by Trait Prediction Using Whole-genome Sequencing Data

Researchers from Human Longevity, Inc. (HLI) have published a study in which individual faces and other physical traits were predicted using whole genome sequencing data and machine learning. This work, from lead author Christoph Lippert, Ph.D. and senior author J. Craig Venter, Ph.D., was published in the journal Proceedings of the National Academy of Sciences (PNAS).

Click to enlarge.

The authors believe that, while the study offers novel approaches for forensics, the work has serious implications for data privacy, deidentification and adequately informed consent. The team concludes that much more public deliberation is needed as more and more genomes are generated and placed in public databases. more

Wiretapping Gained Interest This Week... and why.

There was a big spike in wiretap searches this week...
Here's why...
Justice Department: No evidence Trump Tower was wiretapped

Eavesdropping Boss Must Pay for Unjust Dismissal

A woman whose boss used to eavesdrop on her phone conversations with clients has won €10,000 in compensation after she was sacked illegally five years ago.

An industrial tribunal heard how the firm’s managing director also installed monitoring software to see if she accessed Gmail and Facebook.

He continually victimized her and expected her to obey his orders unquestioningly, because, as he said, “I’m the boss!”

The MD regularly changed the password of her work e-mail and often called clients behind her back. He would turn up at meetings with them after listening in on her conversations, the labour tribunal heard. more sing-a-long

These Companies Can Track Any Phone Anywhere

Tracking or tapping phones across the planet used to be a niche capability. Now, a myriad of for-profit spy companies sell border-crossing surveillance of mobile phones. 

As soon as the target switches the phone on, it’s already too late. Digital spies have pinpointed the phone’s location and, without hacking the device itself, are tracking it from tens of thousands of miles away. This is not a capability limited to superpowers—private firms now provide global phone tracking and interception. more

Spy Tech Talk - A Method to Detect a Wiretap Attack

...encryption and other forms of protection are important for fiber optic/copper communications, but there is also the need to consider physical protection for the infrastructure where those cable are installed. Many communication wires could be at risk of being physically tapped...

RBtec has introduced a new system dedicated to protecting physical connections such as conduits, cable trays and any other means that hold communication cables. A new protective sensor has been introduced with a layout that links directly to a wire setup as a means of ensuring data is less likely to be tampered with. The design of the system is used to ensure that data is not going to be lost or harmed in any manner.

The sensor wire is a vibration sensor capable sensing the unique vibration associated with tampering. This is attached outside the pipe, sneaked inside the pipe or tray that a wire connection is linked up to. This connects right onto an alarm system through a series of relay outputs. It analyzes any vibrations on the conduit that cause mean someone is trying to accessing the data pipe and stops outside forces from getting in. more

Spy Tech Talk - How to Stop ISPs From Spying on Your IoTs

Botnets are not the only threat to your Internet of Things (IoT) devices: Your internet service provider (ISP) can also detect and track your in-home activities by analyzing internet traffic from smart devices, even when those devices use encryption, according to a paper from Princeton University researchers.

However, the researchers found a simple way to block ISPs from spying on your smart devices: Traffic shaping. more

When Spies Screw Up

Botched surveillance job may have led to strange injuries at US embassy in Cuba.

At first thought to be a deliberate attack, the outbreak of mysterious symptoms may be the result of shoddy espionage equipment, experts say...

The state department said it was investigating the outbreak, and that some of the worst affected diplomats had been evacuated to Miami for examination and treatment. more

But you already knew this, remember.

When Mars Attacks, We May Already be Dead

Some of the most popular industrial and consumer robots are dangerously easy to hack and could be turned into bugging devices or weapons, IOActive Inc. said...

These vulnerabilities could allow the robots to be turned into surveillance devices, surreptitiously spying on their owners, or let them to be hijacked and used to physically harm people or damage property...
                    ...or, do the Dobi Boogie!
more

Google 500+ Spy Apps - Update

Google has removed over 500 apps that included mobile games for teenagers from its Play Store on account of a spyware threat.

The decision came after US-based cyber-security firm Lookout discovered more than 500 apps that could spread spyware on mobile phones, Fortune reported late on Wednesday.

According to Lookout, the apps used certain software that had the ability to covertly siphon people's personal data on their devices without alerting the app makers.  more

Shoulder Surfers Get Faked Out with IllusionPIN App

Researchers have created a smartphone application to combat “shoulder-surfing”—when someone else looks over your shoulder as you enter your phone’s password or other private digits, potentially even gleaning vital financial or personal information...

Nasir Memon, a professor of computer science and engineering at New York University’s Tandon School of Engineering, explains that the technology, called “IllusionPIN,” deploys a hybrid-image keyboard that appears one way to the close-up user and differently to an observer at a distance of three feet or greater.

The research team simulated a series of shoulder-surfing attacks on smartphone devices to test the effectiveness of IllusionPIN at various distances.

In total, they performed 84 attempted shoulder-surfing attacks on 21 participants, none of which was successful. For contrast, they also mounted 21 shoulder-surfing attacks on unprotected phones using the same distance parameters; all 21 attacks were successful. more much more

Eavesdropping Device Found in State Gaming Office

NY - The Erie County District Attorney’s Office confirmed Monday afternoon it is investigating allegations made by the New York State Gaming Commission that its employees were eavesdropped on by the Seneca Gaming Authority. A source close to the investigation said gaming officials found a listening device last year in a casino space that was leased to state officials. more

Spying Using Acoustic Imaging Via Smart Devices

A team of student hackers have demonstrated a method for using music to turn smart devices into tools for spying. The system is based on sonar, and embeds an inaudible signal into songs played on a smartphone or TV. The system can then use the device’s microphone to listen to how the signal bounces, and track the movements of anyone near the audio source.

The University of Washington research team behind the technology, known as CovertBand, tested it using a 42-inch Sharp TV in five different Seattle homes.

They found that the method is able to track the physical movements of multiple people to within 18 centimeters of accuracy, and even differentiate between particular gestures and motions. The tech can also track people, though less accurately, through walls.

They also demonstrated that listeners couldn’t distinguish between songs containing the hidden sonar signals, and those without it. ...and all CovertBand needs to work is a speaker and a microphone. more

Smartphone Replacement Parts as Spies

If cracking your smartphone’s touchscreen wasn’t bad enough, researchers have found out a new security threat that might emerge out following the replacement of your touch screen as it has been found out that the replaced units might contain hardware that could hijack a device. 

A paper presented by researchers at Ben-Gurion University of Negev, Israel, at the 2017 Usenix Workshop on Offensive Technologies, shows how smartphone replacement units can be a security risk for the user.

Click to enlarge.

According to the researchers, devices with cracked touchscreens or even other damaged components are prone to security risks as the replaced parts installed by a repair shop might contain additional hardware that can hijack the device and track usage, log keystrokes, install other malicious apps, access files and more. more

Dude, No Kid Uses a Landline Phone Anymore

MI - A heads up for parents! 

Cue theme music.

You might not know it, but you could end up in jail for eavesdropping on your child's conversations from a landline phone.

So many parents might pick up another line in the house to see who their child is talking to, but listening in on a call is a felony punishable by up to two years behind bars and a $2,000 fine.

However, a Republican lawmaker wants to change that. State Representative Peter Lucido (R-Shelby Township), introduced a bill last week that would give parents exemption from the eavesdropping law. more 

Idea! How about a law against loitering in phone booths.

So You Named Your Robot Bedmate, Mata Hari. Cute.

At the Hack in the Box security conference later this week in Singapore,

Argentinian security researchers Lucas Apa and Cesar Cerrudo plan to demonstrate hacker attacks they developed against three popular robots: the humanoid domestic robots known as the Alpha2 and NAO, as well as a larger, industrial-focused robotic arm sold by Universal Robots.

The duo plan to show that they can hack those machines to either change critical safety settings or, in the case of the two smaller bots, send them whatever commands they choose, turning them into surveillance devices that silently transmit audio and video to a remote spy.

"They can move, they can hear, they can see," says Cesar Cerrudo, the chief technology officer of IOActive, where both of the researchers work. Those features could soon make robots at least as tempting a target for spies and saboteurs as traditional computers or smartphones, he argues. "If you hack one of these things, the threat is bigger."...

Privacy invasion presents a more realistic worry... domestic robots contain mobile cameras and microphones whose data a spy could not only intercept, but manipulate and move at will around a target's house.  more

Do Bug Detecting Gadgets Work? Let's Ask an Ex-Police Chief

CA - A judge set bond at $100,000 on Friday for former La Joya police Chief Geovani Hernandez, who’s accused of accepting cash to provide security for drug shipments... When agents arrested Hernandez, they found a “bug detector” designed to reveal hidden recording devices and prevent electronic surveillance. more

TSCM News: All Blacks Bugging Case Settled

Australia - Adrian Gard, the security consultant at the centre of the All Blacks bugging case, had his public mischief charge dismissed by a Sydney court on Friday.

Gard was accused of making a false statement to police about a listening device found in the All Blacks’ hotel meeting room before the August 2016 match against Australia in Sydney.

The magistrate was unable to rule out that someone else could have planted the bug.

Gard was found guilty of a second charge relating to carrying out a security operation without a license.

The matter, dubbed “bug-gate”, caused much friction between the Australian and New Zealand Rugby unions when it was revealed last year. more

Moral of the story... This all could have been avoided if the All Blacks spent the money to hire a real, reputable (and licensed) technical security consultant. ~Kevin

PI Alert: New NY Law Reduces Surveillance Opportunities

Spying on your neighbor's backyard barbecue with video surveillance is now illegal in New York.

Gov. Andrew Cuomo has signed a bill cracking down on the unauthorized invasion of privacy by video surveillance in the backyard... Unlawful surveillance was made a crime in 2003, but it only applied to places where there's an expectation of privacy like bathrooms and dressing rooms. more


PS - Law enforcement surveillance is exempted under the new law.

Spycam Darwin Award of the Week - The Creepy Kid

Jeremy Gabrysch put up a camera in their living room because his kid kept getting up in the middle of the night to watch TV.


The kid was not to be deterred, even if he didn't quite understand how a wide-angle lens works. more

Good Spy News - Mom Bugs Kids... but not the way our moms did it.

California law makes it a crime to record someone’s conversation secretly, with a few exceptions — and one of them, a state appeals court says, allows a parent to use a hidden cell phone to record her child’s talks with a babysitter suspected of abuse.

A mother’s recording led to the conviction of a 12-year-old babysitter for molesting his 4-year-old cousin. The defense lawyer argued that the recording was illegal because neither of the speakers had consented.

But the Fifth District Court of Appeal in Fresno said Monday that a parent who reasonably fears harm to her child, particularly a young child, can consent to a secret recording on the child’s behalf. State law normally requires the consent of both parties to a conversation, but allows consent by one person who reasonably suspects the other of a serious crime. more

SCIFs Go Corporate

With cybersecurity threats on the rise, the private sector is taking a cue from national security protocol to protect corporate secrets, investing in highly protected SCIFs, or Sensitive Compartmented Information Facilities.

What happens in a SCIF stays in a SCIF—and has ever since the concept of the “war room” originated during World War II. ...

Private companies are increasingly seeing the benefits too—especially those working in fields whose success is dependent on continually out-innovating their competitors. “The rooms can be used in many ways once built, from proposal writing and strategy sessions, to hands-on R&D and product testing,” says Gordon. “They can even be portable. But they all give companies piece of mind that work and discussions taking place inside the room are completely confidential.” more

Can't afford a SCIF (they're expensive), use a TSCM team to conduct pre-meeting inspections. If you can afford a SCIF (sweet), use a TSCM team to re-certify it's integrity against eavesdropping. SCIF effectiveness tends to decay with age and use. ~Kevin

Security Director Alert #857 - Coordinated Hotel Wi-Fi Spying

Mention this to your traveling executives. Reinforce VPN usage.
 
Russian hackers who infiltrated the computer systems of the Democratic National Committee in the US are now focusing on the wifi networks of European hotels to spy on guests in a “chilling” cyberoperation.

The state-sponsored Fancy Bear group infected the networks of luxury hotels in at least seven European countries and one Middle Eastern country last month, researchers say. FireEye, the US cybersecurity company that discovered the attacks, said the hotels were in capital cities and belonged to international chains that diplomats, business leaders and wealthy travelers would use. more

A TSCM Cautionary Tale - The All Blacks Affair

Background... A security consultant for the All Blacks rugby team announces he found a bug in a meeting room chair seat cushion. The arrest. And now, the trial...

An upholsterer called as a witness in the All Blacks bugging trial told a Sydney court he didn’t find any evidence of “tampering” or “reupholstering” when he inspected a chair allegedly used to conceal a listening device in the lead up to the Bledisloe Cup.

All Blacks security consultant Adrian Gard has denied making up claims he found the bug concealed in a chair in the All Blacks’ meeting room at the InterContinental Hotel in Double Bay in August 2016.

Mr Gard has pleaded not guilty to making a false representation resulting in a police investigation into the bug...

All Blacks team manager Darren Shand told the court last week Mr Gard on August 15, 2016, showed him two chairs which he claimed had given off abnormal readings during a bug sweep in the meeting room. Mr Shand said he could see what looked like a listening device. more

Why should you care?
• Not all TSCM "experts" are honest. (I'm shocked!)
• Reputation and experience matters.
• Ignore the smooth talk. Check references thoroughly, before letting them in.
~Kevin

This just in... The bugging device found in a chair in the All Blacks' Sydney hotel is sold at a chain of spy stores, a court has heard. Technician Mark Muratore told Downing Centre Local Court on Wednesday the FM transmitter powered by a nine-volt battery was sold at the Oz Spy chain of stores and on eBay. Mr Muratore told the court about 80 of the FM transmitter devices, known as the RBFM600, were sold each year on eBay and at Oz Spy for $120 (≈$95 usd) each.

This Month in the Internet Disaster Incidents of Things (IDIoT)

Instant Lockdown...
Hundreds of Internet-connected locks became inoperable last week after a faulty software update caused them to experience a fatal system error, manufacturer LockState said. The incident is the latest reminder that the so-called Internet of Things—in which locks, thermostats, and other everyday appliances are embedded with small Internet-connected computers—often provide as many annoyances as they do conveniences. more
---
Fish Tank Phishing...
The hackers attempted to acquire data from a North American casino by using an Internet-connected fish tank, according to a report released Thursday by cybersecurity firm Darktrace.

The fish tank had sensors connected to a PC that regulated the temperature, food and cleanliness of the tank.“Somebody got into the fish tank and used it to move around into other areas (of the network) and sent out data,” said Justin Fier, Darktrace’s director of cyber intelligence. more
--- 
Flatline Surfing
Over a third of IoT medical device organizations suffer security incidents... Many medical devices are not built with cybersecurity in mind, yet a survey by Deloitte Cyber Risk Services of over 370 professionals organizations operating in the medical device/IoT arena shows that 36.5 percent have suffered a cyber security incident in the past year. more
---
Wait! What? You mean they are not secure!?!?
The Department of Homeland Security (DHS) has announced a $750k investment to develop a solution which bolsters the security of IoT disaster sensors. more
---
This Really Sucks
iRobot, the company that makes the adorable Roomba robots that trundle around your home sucking up everything in their path, has revealed its plans to sell maps of living rooms to the world's biggest tech companies. more
---
Car Wash Crazies
A group of security researchers have exposed the vulnerabilities in automatic car washes and proved just how easy it can be for hackers to target an internet-connected, drive-through car wash and damage vehicles. Their findings showed an attacker could easily manipulate bay doors to trap or strike vehicles in the car wash. Their findings showed an attacker could easily manipulate bay doors to trap or strike vehicles in the car wash. Hackers could also potentially control the mechanical arms inside the car wash, releasing powerful streams of water at a vehicle’s doors to prevent passengers from leaving. more
---
IoT Army MIA
In a competition between 24 skilled cyber amateurs, IoT connected soldiers were hit by a sophisticated mock cyber attack. ...designed to secretly intercept and control communications, resulting in a loss of contact with the unit of soldiers. more
---
Security Camera Insecurity times Millions
A flaw in a widely-used code library known as gSOAP has exposed millions of IoT devices, such as security cameras, to a remote attack. Researchers at IoT security firm Senrio discovered the Devil's Ivy flaw, a stack buffer overflow bug, while probing the remote configuration services of the M3004 dome camera from Axis Communications... Axis Communications confirmed that 249 of its 251 surveillance camera models were affected by the flaw. more
---
Alexa. My Wife Never Listens. Will You?
Every good paranoiac sees an always-listening device like an Amazon Echo as a potential spy sitting in plain sight. Now one security researcher has shown exactly how fine the line is between countertop computer and surveillance tool. With just a few minutes of hands-on time, a hacker could turn an Echo into a personal eavesdropping microphone without leaving any physical trace. more
---
FutureWatch - Soon ALL organizations will need a good Technical Security Consultant on-call. Periodically checking for new unintentional (and intentional) security vulnerabilities is their specialty. ~Kevin

Researchers: 'Stingray' Detector Apps - Not 100% Effective

Academic researchers at Oxford University and the Technical University of Berlin found that several leading Android apps designed to detect when a phone connects to a fake cell site, known as a "stingray," can be easily bypassed, allowing the stingray owner to eavesdrop on calls, intercept messages, and track the precise location of a phone.

The researchers found that the top five stingray detection apps in the Google Play app store -- SnoopSnitch, Cell Spy Catcher, GSM Spy Finder, Darshak, and AIMSICD -- failed on at least one count to alert the phone owner when their device has connected to a fake cell site...

The paper was released Monday ahead of a presentation at the Usenix Woot conference in Vancouver, Canada. more

Security Director Alert # 522 - Spying USB Power Plugs & Charging Cables

Freely for sale on Amazon's marketplace, and plenty of other online stores, are USB and iPhone cables that can be used to listen to your phone calls and track your location.

When these cables are connected to a power source they can use a SIM card to connect to a mobile network. The hardware is unsophisticated but can send both audio and very coarse location data to a third-party...

A more worrying feature is the ability of the cable to detect sound over a certain threshold and then call a pre-programmed number. Once it has done this is relays the sound near it, be that a phone call or conversation, and allows a third-party to listen in.

Not only are there cables that do this, there are also USB power adaptors for your wall outlet that have the same SIM functionality.

Cables and power adapters like this should also be something of a worry to firms that need their security too, they may well not be noticed by security checks and could be responsible for a lot of sensitive information walking out the front door. more

Best Practice: Include the inspection of cables and charging blocks as part of your TSCM inspections.

The Cuban "Acoustic Attack" - Eavesdropping, TSCM, or Other?

The FBI is reportedly investigating who was behind an “acoustic attack” that inflicted at least two staffers of the U.S. Embassy in Havana with sudden hearing loss. Washington expelled two Cuban diplomats earlier this year in response to the incident, the U.S. State Department said on Wednesday.

The Cuban foreign ministry said it was investigating the allegations.

Citing officials familiar with the investigation, The Associated Press reported on Wednesday that embassy staff in Havana began suffering from hearing loss in the fall of 2016. U.S. officials later concluded that a device operating outside the range of audible sound has been installed inside or near diplomatic residences in Havana. more

Media speculation as to what and who is rampant. 

Some what theories, which the media has missed, include: 
• An ultrasonic bugging device (an eavesdropping attack).
• An ultrasonic room flooding device (an eavesdropping countermeasure). 

If either of these were incompetently programmed–thus producing a higher than safe level of audio power output–people would experience hearing loss and other sickness symptoms (headache, nausea, disorientation, etc.).

As to who... A bugging device could be planted by anyone, not just the Cubans. An ultrasonic room flooding device would be placed by whoever has control of the room, in an effort to deter electronic eavesdropping attempts — mixing differing frequencies of ultrasound has a detrimental effect on microphones. This is a rarely used Technical Surveillance Countermeasures (TSCM) tactic due to the fine balance between effectiveness and dangerousness. It zaps hearing aids, too.

An "acoustic attack" just to cause intentional harm seems unlikely. The results of the investigation should be interesting, if they see the light of day. Ultra-unlikely. ~Kevin

Visit us at counterespionage.com to learn how business and governments protect themselves against electronic eavesdropping attacks.

Now Available at Your Favorite Android App Store...

Hackers have flooded Android app stores, including the official Google Play store, with over 1,000 spyware apps, which have the capability to monitor almost every action on an infected device.

Dubbed SonicSpy, the malware can silently record calls and audio, take photos, make calls, send text messages to numbers specified by the attackers, and monitor calls logs, contacts, and information about wi-fi access points.

In total, SonicSpy can be ordered to remotely perform 73 different commands and its suspected to be the work of malware developers in Iraq. more  Antidote: SpyWarn 2.0

Surveillance Feeds Become Reality TV & Movie

They may be blocked from watching YouTube, but China’s 751 million internet users can binge on real-time video streams of yoga studios, swimming lessons, alpaca ranches and thousands of other scenes captured by surveillance cameras.

Much of what’s available would be unthinkable in the West...

In China, however, surveillance is both pervasive and widely accepted. And that’s the subject of a new film by one of China’s best-known contemporary artists.

In “Dragonfly Eyes,” director Xu Bing uses real surveillance footage to tell the story of an ill-fated romance between a young woman who works on a dairy farm and a technician who watches her through the farm’s surveillance system. Mr. Xu believes it’s the first full-length fiction film to be made entirely with surveillance footage. 

Creating “Dragonfly Eyes” convinced Mr. Xu of the prescience of “The Truman Show,” the 1998 satire starring Jim Carrey as a man whose every moment is telecast live without his knowledge, the director said.


“The entire world has become a gigantic film studio,” he said. more sing-a-long

Drone Over Your Home? It’s the Insurance Inspector

When Melinda Roberts found shingles in her front yard after a storm, her insurer didn’t dispatch a claims adjuster to investigate. It sent a drone.

The unmanned aircraft hovered above Ms. Roberts’ three-bedroom Birmingham, Ala., home and snapped photos of her roof. About a week later a check from Liberty Mutual Insurance arrived to cover repairs.

“It took a lot less time than I was expecting,” Ms. Roberts said.

Drones, photo-taking apps and artificial intelligence are accelerating what has long been a clunky, time-consuming experience: the auto or home-insurance claim. more

Electronic Eavesdropping & Wiretapping: Two More Reasons Businesses Need TSCM Inspections

There are two different types of wiretapping threats that can harm startups and established businesses alike -- especially if they house proprietary, confidential information.

When espionage hits. It feels like this.

First, there's government wiretapping. You might assume the simplest way to eliminate this threat is to abide by the law, but you’d be forgetting that, aside from the U.S. government, there are plenty of countries that have proven they’re willing to use Big Brother-style surveillance tactics to compromise private companies. If you work with an opposition party or in a sensitive industry in another country, your client’s government might target your business. 

Then, there's old-fashioned corporate espionage. If a competing company is desperate to get an edge over your business, it may use wiretapping to steal your information or otherwise compromise your company to gain an advantage. more

Murray's TSCM Tip # 623 - Hiding in Plain Sight - The USB Microphone

USB microphones have many legitimate uses, students recording lectures, for example. Much more sensitive than a laptop's built-in microphone, they are perfect for that application. They also make eavesdropping on co-workers very easy.

The Plausible Deniability Bonus... Hey, it's not a bug. It's a legitimate piece of office equipment.

If you see one of these in a laptop, always assume it is recording. Some USB microphones have a red tally light, but a dot of black paint (or a piece of electrical tape) can cripple that tip-off. 

From the seller...
"This microphone is capable of picking up all of the sounds in large room (range of approximately 80 feet) or it can pick up small area its up to you, because you control the amplifier power! It's small size makes it perfect for situations where you don't want to draw attention to the fact that you are recording audio right into your computer."

Visit counterespionage.com to learn more about what you can do to detect and deter electronic eavesdropping.

Security Researchers: Amazon Echo Can be Turned Into a Spying Device

Security researchers have recently shown that the popular Amazon Echo speaker can be hacked to eavesdrop on conversations without permission.

Security firm MWR InfoSecurity claims it was able to exploit a vulnerability which turns the Alexa-fueled device into a “wiretap” without altering its standard functionalities.

But before you get all alarmed, let us tell you the vulnerability was found to affect only 2015 and 2016 versions of the Amazon Echo. On top of that, in order to successfully hack the speaker, a hacker would need to have physical access to it. So you might want to lock your Amazon Echo away when your computer wiz cousin comes over for a visit. more