Saturday, August 25, 2012

Business Espionage: The Apple Bonkers Get Theirs

Apple won a decisive victory on Friday in a lawsuit against Samsung, a verdict that will give Apple ammunition in a far-flung patent war with its global competitors in the smartphone business.

The nine jurors in the case, who faced the daunting task of answering more than 700 questions on sometimes highly technical matters, returned a verdict after just three days of deliberations at a federal courthouse in San Jose, Calif. They found that Samsung infringed on a series of Apple’s patents on mobile devices, awarding Apple more than $1 billion in damages.

That is not a big financial blow to Samsung, one of the world’s largest electronics companies. But the decision could essentially force it and other smartphone makers to redesign their products to be less Apple-like, or risk further legal defeats. (more)

Wednesday, August 22, 2012

Business Espionage on CNBC - Thu, 23rd 9p & 12a ET

I participated in the making of the CNBC series Crime, Inc. ("Secrets for Sale") and thought you might like to see it. Some of our advanced electronic surveillance detection instrumentation is shown, and business espionage issues are discussed. ~ Kevin


On CNBC: “CRIME INC #9 - SECRETS FOR SALE”
Premieres Thursday, August 23rd 9p | 12a ET
Re-broadcast: Sunday, August 26th 11p

 
Spying is an ever-present threat in the workplace.

Kevin D. Murray discusses business espionage prevention with Carl Quintanilla.
From the coworker in the next cubicle to foreign governments, the faces of corporate espionage are all around us. Boeing, Intel and Coca-Cola have all been targets. The losses - estimated by the FBI to be more than 13 billion dollars a year in the United States - can go undetected for years despite sophisticated security. Crime Inc. follows cases where livelihoods are threatened, reputations ruined and trade secrets are bought and sold. (more)

Security Directors: FREE Security White Paper - "Surreptitious Workplace Recording ...and what you can do about it."   

Monday, August 20, 2012

Business Counterintelligence Conference at Kwa Maritane Bush Lodge, South Africa - September 17-19

CBIA will be hosting South Africa’s first conference on business counterintelligence September 17-19, 2012, at the Kwa Maritane Bush Lodge in the Pilanesberg, North West Province...

One of the key aims of the conference is to involve and to provide decision makers, managers and business unit leaders with the insight to understand business counterintelligence and how it differs from other streams of information management and security practices.

Corporate information gathering is a fact of life, even more so during hard and tough economic times...

The conference will take participants on an eye-opening journey regarding information protection issues. Attendees will gain a practical understanding of the value added role counterintelligence plays in competitive strategy and the protection of business information. 

Conference Topics
• What is the scope of the business espionage and information theft threat to businesses;
• Non-cyber methods of information gathering and economic espionage;
• Social engineering, tradecraft and other psychological tricks used to penetrate a target company;
• The “insider” threat and motivational factors;
• Importance of information security awareness training;
• How to protect sensitive data and high value employees;
• Countering electronic espionage in business;
• Technical surveillance countermeasures (TSCM) risk management;
• The evolving cyber threat. Cyberspace now gives relatively small-scale operators the opportunity to become involved in business espionage and information theft;
• Background screening and vetting, pre-employment and existing employee screening;
• The dark side of social media and what it means for business;
• The threat of consumerisation and BYOD;
• Policies, procedures and guidelines on how to build an effective business counterintelligence capability;
• A corporate case study;
• Active dialogue session (Ask the Expert) – An interactive brainstorming session to solve common challenges and to share innovative solutions;
• Technical security product demonstrations.

Security Alert: Conference room reservation system - Arrive® InfoPoint™

Affected Murray Associates clients can receive special attention due to our working relationship with DigitalSecurus.

DigitalSecurus has discovered that some touch screen smart devices for conference rooms have arrived in the United States infected with a computer virus/malware (malicious software).

The infection was discovered during a recent investigation into suspicious activity on a network belonging to a DigitalSecurus client. Further analysis in a lab environment by DigitalSecurus revealed a variant of the malware known as “Downadup/Conficker” in unopened InfoPoint AI-101 touch screen computers. DigitalSecurus contacted the manufacturer of the device, Arrive Systems, and has been working with them closely to investigate the circumstances surrounding the infection.

This malware is particularly dangerous to a network environment as it will attempt to spread itself to other computers. The virus also attempts to communicate with unauthorized computers on the Internet, possibly allowing unauthorized access to corporate files and other sensitive data.

The infection appears to have been installed onto the devices prior to shipping into the United States...

Companies using the InfoPoint AI-101 devices are advised to consider removing them from their network until they can be properly analyzed, made harmless, and patched with software updates. For further instructions on specific steps that can be taken, users are encouraged to contact the manufacturer, Arrive Systems, at this link.
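The advisory above recommends pulling the devices off the network until they can be analyzed. A practical complement, shown here as an added example that is not DigitalSecurus, Arrive Systems or Murray Associates code, is to land every newly delivered network device on an isolated quarantine segment and check the firewall log for anything it tries to reach beyond the few services it legitimately needs. Both behaviours the advisory describes, spreading to other computers and calling out to the Internet, show up as connection attempts from the quarantine segment. The quarantine range, allowed destinations, log format and log lines below are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines (not from any real incident).  Format:
#   <timestamp> src=<ip>:<port> dst=<ip>:<port> proto=<proto> action=<allow|deny>
# 10.99.0.21 probes two internal hosts on the same port and then an outside
# address, the pattern a self-spreading worm produces; 10.99.0.22 only uses DNS.
SAMPLE_LOG = """\
2012-08-20T09:01:02 src=10.99.0.21:49152 dst=10.99.0.1:53 proto=udp action=allow
2012-08-20T09:01:05 src=10.99.0.21:49153 dst=10.20.3.7:445 proto=tcp action=deny
2012-08-20T09:01:06 src=10.99.0.21:49154 dst=10.20.3.8:445 proto=tcp action=deny
2012-08-20T09:01:09 src=10.99.0.21:49155 dst=203.0.113.45:80 proto=tcp action=deny
2012-08-20T09:02:00 src=10.20.3.7:51000 dst=10.20.3.9:445 proto=tcp action=allow
2012-08-20T09:02:30 src=10.99.0.22:49152 dst=10.99.0.1:53 proto=udp action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Assumed network layout (constructed): new devices sit in 10.99.0.0/24 until
# vetted; everything else in 10.0.0.0/8 is the production network.
QUARANTINE_NET = ipaddress.ip_network("10.99.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# The only service a quarantined device may reach: the segment's own DNS.
ALLOWED_DESTS = {("10.99.0.1", 53)}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify_destination(dst_ip):
    """'lateral' for another internal host, 'internet' for anything else."""
    addr = ipaddress.ip_address(dst_ip)
    return "lateral" if any(addr in net for net in INTERNAL_NETS) else "internet"


def find_violations(log_text):
    """Map each quarantined source IP to the unexpected (dst, port, kind) it tried."""
    violations = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["src"]) not in QUARANTINE_NET:
            continue  # production traffic is out of scope for this check
        if (rec["dst"], rec["dport"]) in ALLOWED_DESTS:
            continue  # expected quarantine-segment service
        kind = classify_destination(rec["dst"])
        violations[rec["src"]].append((rec["dst"], rec["dport"], kind))
    return dict(violations)


def devices_to_pull(violations):
    """Devices that showed lateral or Internet activity: pull them for lab analysis."""
    return sorted(violations)


if __name__ == "__main__":
    found = find_violations(SAMPLE_LOG)
    for dev in devices_to_pull(found):
        kinds = sorted({k for _, _, k in found[dev]})
        print(f"{dev}: {len(found[dev])} unexpected connections ({', '.join(kinds)})")
```

Run stand-alone, it prints one line per device that should be taken off the network and examined. In practice the log text would come from the firewall, and the allow-list from the vendor's documented update endpoint rather than a constant.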

DigitalSecurus is an Alaska-based network security consulting firm that provides computer security consulting, analysis, forensics, security training, and computer incident response to corporations and organizations in the United States.

Hacker Targets: Computer, Smartphone, and now... Your Car

A team of top hackers working for Intel Corp's security division toil away in a West Coast garage searching for electronic bugs that could make automobiles vulnerable to lethal computer viruses... 

It's scary business. Security experts say that automakers have so far failed to adequately protect these systems, leaving them vulnerable to hacks by attackers looking to steal cars, eavesdrop on conversations, or even harm passengers by causing vehicles to crash.

"You can definitely kill people," said John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, a non-profit organization that helps companies analyze the potential for targeted computer attacks on their networks and products. (more)

Another Butt Dialing Lands Man in the Can

PA - A Scranton man faces drug charges after he accidentally dialed 911 while he met with a drug dealer, recording the entire conversation at Lackawanna County dispatch center Wednesday, Scranton police said...

The Lackawanna County Communications Center called Scranton police to say there was an open line to a phone that was recording a conversation inside a vehicle on the 100 block of West Market Street regarding narcotics activity and a man named "Rick," according to the complaint.

Police tracked Mr. Kryzanowski to his apartment, where they found him talking with slow and slurred speech. Police also saw pill bottles and a bottle cap with water in it in plain sight, according to the complaint. (more) (more butt dialing stories)

Saturday, August 18, 2012

Secrets for Sale — Premieres Thursday, August 23rd 9p | 12a ET

on CNBC Thursday, August 23rd 9p | 12a ET
“CRIME INC #9 - SECRETS FOR SALE”
 

A 20-Year Battery Will Power the Next Generation Bugs

Imagine a battery powered bugging device, voice recorder, or GPS tracker that never needs to have its battery changed or charged.

Current generation.
City Labs says, "...the company’s team of scientists and engineers has developed batteries with a 20+ year lifetime of continuous power without the requirement for replacement or recharging. The NanoTritium™ battery can energize a broad range of devices where battery replacement is difficult, impractical, or even life-threatening."

The power cell generates electricity using a layer of the radioactive element tritium, mounted onto a semiconductor.

Next generation.
The City Labs battery produces nanowatts of power; it is not strong enough to power a cell phone or laptop. This is a low-power battery that can run micro-electronics anywhere that is hard, dangerous or expensive to reach. Applications include implants such as pacemakers as well as devices in industry (sensors on deep-water oil drills) and defense. (more)

Currently, these batteries, "...are used to keep encryption keys alive in SRAM for more than 20 years...". A second generation (coming soon) will be able to do a whole lot more.

Talk Like A Spy with Throw-Away Phone Numbers

Spybusters Tip # 723: The new Burner app for iPhone generates throw-away phone numbers, which can be used for undercover operations or by those who simply prefer a deep layer of privacy.

With Burner, users can create multiple new phone numbers for a day, a week, a month, or longer, and manage all inbound calls, SMS messages, and voicemails for each number. Once you are finished with the number, you can "burn" it by taking it out of service and wiping it from your phone, as if it never existed.

Each number is a separate line within the iPhone, which can be redirected to your main mobile number, or go straight to voicemail, according to the Burner app blog...

Android users may not yet have access to Burner, but they can shield themselves from unwanted calls with the White Pages' new Current Caller ID app, which provides a directory of information about the incoming call.

When your phone rings, it will display details about the caller's recent social updates and check the weather where they are. The feature is also available for SMS texts. Even if you're not interested in the bells and whistles, the app also provides stripped-down caller ID information.

The White Pages app is available for free download in the Google Play store. (more)

Thursday, August 16, 2012

Cell Phone Eavesdropping is Back... and inexpensive

A small box, known in the Czech Republic as Agáta, may be listening in on your mobile phone calls at any moment. Agáta, or IMSI Catcher, is essentially an eavesdropping device that, by using relatively simple hardware, can track phone calls and SMS messages coming in and out of mobile phones in a specific radius... 

Andor Šándor, former head of the Czech Military Intelligence Agency and a security analyst, underscored the danger of the widespread sale of Agátas:

"It’s been a known fact for a few years now that some companies do sell these devices. But if their use will not be in any way regulated, and access to these devices will not be in any way controlled, then a regular citizen can do absolutely nothing."

...Mr. Šándor claims that the most likely private users of Agátas are security firms or rival businesses, or even companies trying to win high-stakes tenders. (more) (home-brew IMSI Catcher)

Tuesday, August 14, 2012

Security Quote of the Day

"...we're at a critical moment where we need to find a different approach if we're going to protect intellectual property and the things we have at risk." — Peter G. George, President and Chief Executive Officer, Fidelis Security Systems, Inc. (more) (a different approach)

Monday, August 13, 2012

8th Raleigh Spy Conference August 22-24

Dramatic Revelations: Castro, J. Edgar Hoover, Deep Throat, CIA Secrets From the Deep and the New Profile of Today’s Terrorist

Fidel Castro had foreknowledge of the JFK assassination.

Who was the real J Edgar Hoover? Deep Throat's motives were not what the public thought. How did the CIA scoop a satellite 12,000 below the sea? What is the new profile of today's terrorist? These are the topics for the 8th Raleigh Spy Conference August 22-24 at the NC Museum of History, presented by top experts drawing on the latest in declassified information. And the public is invited to learn, ask questions and get to know each speaker personally...

The Raleigh Spy Conference was founded in 2003 by magazine editor and publisher Bernie Reeves to address the increasing flow of declassified information available since the end of the Cold War. The Raleigh Spy Conference is recognized as the top intelligence conference specifically for the lay public by the Association of Former Intelligence Officers (AFIO). Three of the six conferences have been filmed and aired on C-SPAN. (more) (video)

James Bond turns 50

It’s the big 5-0 for the 007 film franchise
One of the most successful film franchises of all time, featured in Friday’s Olympic opening ceremonies, is celebrating its golden anniversary this year. TODAY’s Matt Lauer takes a look back at half a century of Bond, James Bond.

Need to contact the CIA from your cell phone? There's an app for that...

The Central Intelligence Agency has joined the ranks of federal agencies offering mobile applications to the public with the release of a mobile version of CIA.gov.

Using a mobile device, visitors to the CIA website can contact the agency, apply for a job, get a quick overview of the agency and its mission, and access content from the CIA Museum.

Included in the online exhibits are technologies developed for the CIA that eventually led to public benefits. For instance, improvements in battery technology for the agency later were incorporated into medical devices such as pacemakers and consumer products such as digital cameras.

Other items on display demonstrate the role the CIA has played in the evolution of product miniaturization. Those include a 35-mm camera designed to fit inside a pack of cigarettes; a radio receiver that fit into the stem of a pipe and that the user could "hear" through bone conduction from the jaw to the ear canal; the "insectothopter," an insect-shaped micro-drone invented in the 1970s as a proof-of-concept; and a microdot camera.

The mobile version of the CIA Museum includes dozens of images and captions of museum artifacts, articles on topics such as the hunt for Osama Bin Laden, and a timeline of events related to the work of the CIA and other U.S. intelligence agencies. (more)

Sunday, August 12, 2012

This Week on Jersey Shore - "Lemiv da Blimp"

NJ - The Army is testing its $517 million spy blimp in the skies over the New Jersey military base where the German airship Hindenburg crashed in 1937.

The Long Endurance Multi-Intelligence Vehicle spent more than 90 minutes around Joint Base McGuire-Dix-Lakehurst in Ocean County on Tuesday.

Manufacturer Northrop Grumman says the 302-foot long airship is designed to be a high altitude observation platform.

It can be operated by a crew or by remote control. (more and video) (previous blimp news)

If successful, the blimp will stay in the air for up to three weeks at a time, using 2500 pounds’ worth of “sensors, antennas, data links and signals intelligence equipment” to capture still and video images of civilians and adversaries below and send the pictures to troops’ bases.

Sports World Business Espionage - Saints or Sinners

LA - A report (in April) on ESPN claimed General Manager Mickey Loomis had the ability to listen to opposing coaches during games with an electronic device installed in the team's suite at the Superdome.

Mickey Loomis, before it hit the fans.
Wednesday, Louisiana State Police Superintendent Col. Mike Edmonson confirmed the state's investigation into the eavesdropping claim "has moved within the FBI."

"As far as our case on the eavesdropping portion of it, we've been involved in interviews with the FBI," said Edmonson. "They brought us under their wing. We've been working closely with them. I've looked at it from a state perspective and all our findings have been turned over to the U.S. Attorney's Office who will be reviewing that along with the FBI."

Edmonson would not say if any of the information gathered and now in the possession of the FBI pointed to alleged wrongdoing by Loomis or the Saints. (more)

The fact that the case is still being investigated, and the FBI has been called in, is not a good sign. - Kevin

Sports World Business Espionage - Gladiator PI

Australia - The South Sydney patriarch George Piggins has accused the Rabbitohs co-owners Russell Crowe and Peter Holmes a Court of sending private investigators to spy on him and search in the garbage bins of those opposed to their takeover of the club - and this is why Piggins now refuses to return to the fold.

In an open letter to South Sydney supporters, penned exclusively for The Sun-Herald, Piggins outlines his reasons for distancing himself from the club he saved from the brink of oblivion. In the letter, he states: ''Crowe and Holmes a Court used the services of Palladino and Sutherland, an American private investigation firm, to come to Australia to investigate us, as well as using other local investigators to secretly search garbage bins of those opposed to the takeover bid, and secretly photograph me, my family and friends.'' (more)

Saturday, August 11, 2012

So this Russian goes to work and finds a bug in his office...

Russia - Alexei Navalny showed up to work in Moscow on Monday to discover he was being bugged. He called the police, like many perhaps would, but not before tweeting photos and video of himself and his colleagues taking the Kremlin’s monitoring devices apart.


It’s not hard to figure out why Navalny was bugged. He’s one of Russia’s most influential anti-corruption bloggers and is at the center of a protest movement aimed at toppling the regime of President Vladimir Putin. 

Since late July, the 36-year-old lawyer has faced possible arrest, trial and up to 10 years in prison for charges Putin’s prosecutors claim stem from an embezzlement scheme, but which Navalny and his supporters claim is an attempt to silence him. (more)

Bug Found in Ceiling of Jail's Chief of Operations

WV - A bugging device uncovered in an air duct in the office of the Regional Jail Authority's chief of operations has become the target of an FBI investigation, a key legislator disclosed Friday.

The first inkling of the bizarre episode came when Delegate Dave Perry, D-Fayette, as co-chairman of a legislative interims committee, quizzed acting Regional Jail Authority Director Joe DeLong if he was aware of any inquiry - internal or external - involving his agency. DeLong is a Hancock County native.
 
...the device allegedly turned up in John Lopez' office in Charleston...

Perry said he learned that Lopez found the device July 12 after spying some residue from a ceiling tile in the chair of his office.

"It was up overhead, and it had both audio and visual, in an air duct," Perry said...

"Almost like Watergate," Perry added, characterizing the alleged bugging incident, but again emphasized his committee, when meeting Monday, will not pursue it. (more)

"World domination. The same old dream. Our asylums are full of people who think they're Napoleon. Or God." - James Bond

NV - A Las Vegas tour company has launched a three-day, two-person Las Vegas bonding experience — as in James Bond.

The “Secret Agent 702” tour gives couples a chance to live the adventures of a spy, from soaring in helicopters to driving fast cars to zipping down wire cables.

The cost of being a secret agent: $6,800 for two people.

The package was developed by the Papillon Group, a Southern Nevada air tour operator that offers flights over the Strip, Hoover Dam and southwestern national parks. The tour company is partnering with Andre’s Restaurant and Lounge at the Monte Carlo, the Bank Nightclub at Bellagio, Dream Racing at the Las Vegas Motor Speedway, Flightlinez at Bootleg Canyon, the Light Group and Hotel32.

Secret Agent 702 “transforms mild-mannered Las Vegas visitors into sexy spies looking for the thrill of a lifetime,” company officials said in a release. (more)

Friday, August 10, 2012

The New York City Police Department now has "The most advanced and technological counter-terrorism bureau that anyone has ever seen."

NY - A new crime-tracking system designed jointly by the New York Police Department and Microsoft Corp. will pool existing data from cameras, 911 calls and other technologies to provide crime fighters with a comprehensive view of threats and criminal activity, as well as provide the city with a new revenue source.

The Domain Awareness System will be able to map suspects' movements and provide NYPD investigators and analysts with real-time crime alerts.

...the system will allow NYPD personnel to track a suspect's car, and find out where it's been located in the past days or weeks by synthesizing archived video footage and license plate reader data. Other potential uses include mapping criminal history geospatially and chronologically to reveal patterns, and the ability to instantly see suspect arrest records, 911 calls associated with the suspect and related crimes occurring in the area. (more) (60 Minutes video)

This afternoon the NYPD debuted their "all-seeing" Domain Awareness System, which syncs the city's 3,000 closed circuit camera feeds in Lower Manhattan, Midtown, and near bridges and tunnels with arrest records, 911 calls, license plate recognition technology, and even radiation detectors. Mayor Bloomberg dismissed concerns that this represented the most glaring example of Big Brother-style policing. "What you're seeing is what the private sector has used for a long time," Bloomberg said. "If you walk around with a cell phone, the cell phone company knows where you are…We're not your mom and pop's police department anymore."

NYPD Commissioner Ray Kelly stated that the system, which is currently operational out of the department's Lower Manhattan Security Commission HQ, was developed with a "state of the art privacy policy" and "working with the privacy community," but did not offer specifics. DAS does not have facial recognition technology at this time, but "it's something that's very close to being developed," the mayor said.  

The system was developed with Microsoft and paid for by the city for $30 to $40 million, and has already been in use for six months. The feeds compiled by the system are kept for thirty days, then erased.

The City will receive 30% of the profits Microsoft will make selling it to other cities, although Mayor Bloomberg declined to say if that money would go back into the NYPD. "Maybe we'll even make a few bucks." (more)

Lo-Jack Your Car, Kids, Pets... Anything!

from the manufacturer... 
"Simply give the PocketFinder GPS tracker to a person or attach it to your pet or vehicle and locate the devices from our website or on your smartphone with our iOS® and Android® apps.

PocketFinder features work even while you’re not thinking about them. Best of all, they’re simple to use! Geo-fence zones, speed limits, alerts, history and power features will maximize how much value you get from using the devices." (more)

Wednesday, August 8, 2012

FutureWatch: Telephones That Spot Scams

Nagoya University and Fujitsu first announced a research partnership in November 2009 aimed at developing automated technology to identify situations where one party might overtrust the other. 

In March of this year, the team announced the successful development of the world's first system capable of analyzing phone conversations and automatically highlighting suspect situations. The system looks for changes in a caller's voice pitch and level, together with keywords often used and repeated in phone scams.

Subsequent verification simulation testing undertaken in collaboration with the National Police Agency of Japan and the Bank of Nagoya found the technology to be over 90 percent accurate in detecting situations of overtrust. Now the research team is about to enter field trials of the system. (more)
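To make the two signals described above concrete, here is an added toy scorer; it is not the Nagoya University/Fujitsu system, whose internals the article does not describe. It treats the callee's first few turns as their own baseline, flags a later rise in voice pitch or level, and separately counts scam keywords the caller repeats. The keyword list, the per-turn pitch and level numbers and both transcripts are constructed for the example; a real system would derive them from the audio and a speech recognizer.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Keywords of the kind the article says recur in phone scams.  This list is a
# constructed, illustrative stand-in for a real lexicon.
SCAM_KEYWORDS = {"urgent", "transfer", "account", "police", "secret", "today"}


@dataclass
class Segment:
    """One turn of the conversation, with features a real system would derive from audio."""
    speaker: str     # "caller" (possible scammer) or "callee" (possible victim)
    text: str        # transcript of the turn
    pitch_hz: float  # mean voice pitch over the turn
    level_db: float  # mean voice level over the turn


# Constructed sample calls.  In the scam call the callee's pitch and level climb
# as the pressure mounts and the caller keeps repeating the same words.
SAMPLE_SCAM_CALL = [
    Segment("callee", "Hello, who is this?", 180.0, 60.0),
    Segment("caller", "This is the police. Your account has been used in a secret fraud case.", 120.0, 62.0),
    Segment("callee", "Oh no, what do I do?", 185.0, 61.0),
    Segment("caller", "It is urgent. You must transfer the money today to a safe account.", 122.0, 64.0),
    Segment("callee", "Okay, okay, tell me the account number!", 230.0, 66.0),
    Segment("caller", "Transfer it today. Do not tell anyone, it is secret and urgent.", 121.0, 65.0),
    Segment("callee", "I am doing it now!", 240.0, 67.0),
]

BENIGN_CALL = [
    Segment("callee", "Hello?", 180.0, 60.0),
    Segment("caller", "Hi, it's me. Are we still on for dinner?", 150.0, 61.0),
    Segment("callee", "Yes, seven o'clock works.", 182.0, 60.5),
    Segment("caller", "Great, see you then.", 151.0, 61.0),
    Segment("callee", "Bye.", 179.0, 60.0),
]


def speaker_turns(segments: List[Segment], speaker: str) -> List[Segment]:
    return [s for s in segments if s.speaker == speaker]


def mean_features(turns: List[Segment]) -> Tuple[float, float]:
    n = len(turns)
    return (sum(s.pitch_hz for s in turns) / n, sum(s.level_db for s in turns) / n)


def keyword_hits(segments: List[Segment], speaker: str = "caller") -> Dict[str, int]:
    """Count how often each scam keyword appears in the given speaker's turns."""
    counts: Dict[str, int] = {}
    for s in speaker_turns(segments, speaker):
        for word in re.findall(r"[a-z']+", s.text.lower()):
            if word in SCAM_KEYWORDS:
                counts[word] = counts.get(word, 0) + 1
    return counts


def score_call(segments, baseline_turns=2, pitch_rise=0.15, level_rise=3.0, min_repeats=2):
    """Return (score, reasons); score is 0..3, one point per signal that fires.

    The callee's own first turns are the baseline.  A later rise in pitch, a
    later rise in level, and the caller repeating scam keywords each add a point.
    """
    reasons = []
    callee = speaker_turns(segments, "callee")
    base, later = callee[:baseline_turns], callee[baseline_turns:]
    if base and later:
        base_pitch, base_level = mean_features(base)
        later_pitch, later_level = mean_features(later)
        if later_pitch > base_pitch * (1 + pitch_rise):
            reasons.append("callee pitch rose")
        if later_level > base_level + level_rise:
            reasons.append("callee level rose")
    repeated = sorted(w for w, c in keyword_hits(segments).items() if c >= min_repeats)
    if repeated:
        reasons.append("caller repeated: " + ", ".join(repeated))
    return len(reasons), reasons


if __name__ == "__main__":
    for name, call in (("scam", SAMPLE_SCAM_CALL), ("benign", BENIGN_CALL)):
        score, reasons = score_call(call)
        print(f"{name}: score {score} {reasons}")
```

The thresholds are arbitrary and only serve the example; the point is the structure, which compares each person against their own baseline rather than a population norm and keeps the voice signal and the keyword signal independent so either can raise an alert on its own.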
  

Eavesdropping History - Nixon Resigns

On Aug. 8, 1974, President Richard Nixon announced he would resign following damaging revelations in the Watergate scandal.

Tuesday, August 7, 2012

How to Prevent Corporate Espionage... in a nutshell

Corporate espionage is nothing new... 

The global economy has widened the playing field and raised the stakes for corporate competition and espionage, both defensive and offensive. American companies, big and small, lose billions of dollars a year through corporate espionage... Those who don’t actively pay attention to it and protect their businesses become easy targets for their competitors near and far. (more)

Instant Action Plan
1. Identify Your Information - paper, visual, oral and electronic
2. Guard Your Information - a comprehensive risk management plan
3. Test Your Information - test with simulated attacks on all four dimensions of information
4. Invest in Surveillance - CCTV, access control, and of course, electronic surveillance detection

A good information security consultant will help you with all of this.

Attention all Capitol Hill legislative researchers working on improving economic espionage laws...

The U.S. House of Representatives is considering new legislation concerning economic espionage. (more)

Attention all Capitol Hill legislative researchers...
Here is some background information and a fresh idea worthy of your consideration.

Any questions? Let's talk. ~Kevin

Saturday, August 4, 2012

Illinois Eavesdropping Law Judged Unconstitutional

An Illinois judge ruled last week that the state’s eavesdropping law – one of the broadest restrictions on audio recording in the nation – is unconstitutional.

The decision granted a request for dismissal made by Annabel K. Melongo, a 39-year-old woman who faced criminal charges under the Illinois Eavesdropping Act. The controversial law criminalizes the audio recording of any communication without the consent of all parties involved, regardless of whether the conversation was intended to be private. Melongo, who is representing herself in court, recorded three phone calls with a clerk at the Cook County Court Reporter’s office in Illinois without consent and posted them on her watchdog website in 2010, incurring six charges of eavesdropping.

The eavesdropping law in Illinois “appears to be vague, restrictive and makes innocent conduct subject to prosecution,” wrote Circuit Court Judge Steven J. Goebel of Chicago in his ruling that was filed on July 26. “[T]he fault of the Statute is that it does not require an accompanying culpable mental state or criminal purpose for a person to be convicted of a felony.” (more)

Friday, August 3, 2012

DIY - Android Cell Phone Spyware Kit Coming Soon

Android continues to prove irresistible to the hacker community, which seems intent on finding ever newer, more innovative ways to exploit security holes in the open source mobile platform.

Now a new threat to Android may be on the horizon: A pair of security researchers are planning to make public next month a modular, open source framework called AFE (Android Framework for Exploitation) that bad guys can use to build and tailor Android malware to suit their tastes...

With AFE, according to the duo's description, a hacker can quickly cobble together malware capable of at least 20 different feats, including retrieving a user's call logs, contact information, and the content of his or her mailbox; swiping SD card contents; sending text messages; viewing browsing habits; recording phone conversations; capturing images with the affected device's camera; running root exploits; accessing the device's GPS location; and remotely dialing any number from the hijacked device.

In addition, the duo have created templates to mask the malware as legitimate apps such as File Explorer, Tic Tac Toe, and a jokes app. Users of the framework can add their own.

"For a basic effort at writing malware, that's not even really trying hard, you can make $10,000 a month," Gupta told SC Magazine. (more)  

...and for the price of a book it can all be thwarted.

Snitch on a Spy Site and Get Booked

If you have insights about spy sites around the country, H. Keith Melton and Robert Wallace want to talk to you.

They are just about to publish their new book, Spy Sites of New York City, and are planning future editions.

Here's the pitch...

U.S. Spies Probably Won’t Blow Up Our Airplanes, TSA Concludes

For years, America’s spies had to take off their shoes before they got on planes, just like the rest of us. 

No more. 

The Transportation Security Administration has quietly enrolled government employees at three of the nation’s intelligence agencies in a program that allows them to pass through airport security with less hassle. (more)

CIA Launches New Museum Gallery

The Central Intelligence Agency launched an enhanced and redesigned online gallery to highlight the Agency’s museum and its holdings.

The enhanced museum virtual gallery provides new content and a fresh look at exhibits few members of the public get the chance to see because they are located at our headquarters compound.

 

The online exhibit shares how some technologies developed for CIA ultimately benefited the public. For example, battery-technology advances led to new and efficient means to power medical devices and consumer goods—like pacemakers and digital cameras—and technology developed to help analyze satellite imagery now aids radiologists in comparing digital x-ray images for the detection of breast cancer. (more)

Mobile users can see the new museum pages here.

Few CPR Their Firmware Against Printer Hack Attacks

Despite a staged malware attack seven months ago, one in four HP LaserJet printers still have default password settings.

Using freely available information and a budget of $2,000 (£1,280), professor Salvatore Stolfo and researcher Ang Cui from Columbia University's appropriately named Intrusion Detection System Laboratory used the printer's remote firmware update to install potentially crippling malware that could even be targeted to destroy the device itself. 

While HP did challenge what turned out to be aspects of the way the demonstration was reported, the company took the conclusions seriously, acting quickly and with "diligence" to issue more than 56 firmware updates.

However, seven months later... only 1–2% (of printers connected to the Internet) have been updated. Of those, one in four is still using default password settings for printer updates.

...other brands may be just as vulnerable...

The key flaw comes because printers now have capabilities that let them receive documents from the cloud – in effect, emails. 

...perhaps "the safest bet is just not to be connected to the internet in the first place." (more)

The Strange Case of the Bugging Billboard

Australia - Police are investigating rumours that the offices of the Greater Shepparton City Council, in northern Victoria, have been bugged.

Police say they have six recordings in their possession and the council is urging anyone with information to come forward.

An electronic billboard facing Shepparton's busiest intersection is saying information about councillors is about to be publicly leaked. (more)

Can't wait to see how this turns out.

Thursday, August 2, 2012

The USB Stick-it-to-ya - Bad Practical Joke or Brilliant Security?

Imagine this...
You come into possession of a USB memory stick. You think it has valuable information on it. Not your information, but valuable nonetheless.

You're smart enough to know it might contain spyware so you plug it into an isolated computer where spyware can do no harm. Then... Fab-a-dab-a-ZAP! Fizzle. Smoke. WTF?!?!

Your USB port is fried.

You inspect the stick more closely and pop open the cover. Someone has soldered all four contacts (power, ground and both data lines) together! Grrr, a 100% short circuit. 

Bad practical joke or brilliant security? You decide.

Did the owner safeguard the information (the solder can be removed quite easily) in case of accidental loss, or did the owner just set you up for a nasty surprise?

Removing the solder and analyzing the information on the stick might yield the answer.

Why do I mention this? 
1. It is another reason to avoid USB sticks from untrusted or unknown sources.
2. It's a true story.

~Kevin

The Top Two Things Business Spies Really Hate

The majority of information losses are caused by people, not electronic eavesdropping. Your employees are your weak links. They are tripped up by social engineering attacks, and their own poor security practices. They are also your first line of defense. You need them on your side to fix the problem.

Don't start by accusing them. 

What if your loss is a concerted business espionage attack? What if your office is bugged? What if your cell phone is infected with spyware? Think of the damage a false accusation would cause. Morale and lawsuits top a long list of possible collateral damage.

An electronic surveillance detection sweep (aka TSCM) is the best first step. Work with a specialist who can also identify your other information security loopholes. Eliminate the eavesdropping and espionage possibility first.

Once you have cleared your organization of bugs and wiretaps, and plugged the info-leak vulnerabilities, think ahead. Be proactive. Follow up with security awareness training.

Resources:
Security Awareness Training: Aujas, KnowBe4, WJM Enterprises, SANS™ Institute, and more.
Electronic Surveillance Detection and Business Counterespionage Consulting: Contact me for a referral to a competent specialist who suits your needs. ~Kevin

Tuesday, July 31, 2012

Cyber-Spy Malware Eavesdrops on Corporate, Government Targets Worldwide

More than 200 unique families of malware have been used to eavesdrop on corporate and government employees, including attacks on the Japanese government, according to the results of a study of cyber-espionage activities released on July 25.

Unlike the massive botnets used by cyber-criminals to steal cash, such as the "Gameover" Zeus botnet, the espionage botnets typically consist of hundreds of compromised computers rather than tens or hundreds of thousands.

Most of the activity traces back to China, but some spying does not, including espionage carried out by a private security company that advertised “ethical” hacking courses, according to Joe Stewart, director of malware research at managed security provider Dell SecureWorks, which carried out the investigation. In total, Stewart identified more than 1,100 domain names used in the attacks and registered by online spies. (more)

Cell Phones - The Remote Track Hack

A GPS weakness could allow hackers to remotely track smartphone users, or even completely take over mobile devices, University of Luxembourg researcher Ralf-Philipp Weinmann reported last night at Black Hat.

Instead of directly using GPS satellites, most mobile devices receive much faster assisted GPS (A-GPS) signals from cellular networks to determine approximate location. However, Weinmann discovered that these A-GPS messages are transmitted over a non-secure internet link, and could be switched for messages from an attacker. Weinmann demonstrated this vulnerability on several Android devices... (more)

Security Alert: Malware Via Email... From YOUR Printer!

In these high-tech times, scanners and photocopiers aren't just dumb machines sitting in the corner of the office.

They are usually connected to the corporate network, and - in some cases - can even email you at your desk to save you having to wear out your shoe leather.

And it's precisely this functionality that we have seen cybercriminals exploiting today, pretending that their malicious emails in fact come from an HP scanner inside your organization.

If you see a file like this one, beware...
hp_page-1-19_24.07.2012.exe
Clearly that's not a scanned-in image - it's executable code. ...be on your guard.

If you are one of the many people seeing this malware attack in your email today, please do not click on the attachment even if you are waiting for a scanned-in document to be sent to you. Instead, simply delete the email and your computer will be safe. (more)
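The lure works because a scan you are expecting is exactly the attachment you will double-click without looking. The following is an added example, not code from the quoted alert or from this blog: a Python gateway check that pulls each attachment apart and refuses the combination a real scanner never produces, namely a scanner-like sender and subject, an executable extension, and a Windows PE header in the decoded bytes. The sender address, subject line and attachment contents are constructed for the example; the attachment filename is the one quoted above.

```python
"""Flag 'scanned document' e-mails whose attachment is really a program.

The lure pairs a scanner-like sender and subject with an attachment named
like a scan but carrying a Windows executable. A mail gateway can separate
the two cases by looking at the attachment's extension, any double
extension, and the first bytes of the decoded payload. The messages built
below are constructed for this example; the addresses are made up.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import Dict, List

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
SCAN_EXTENSIONS = {".pdf", ".tif", ".tiff", ".jpg", ".jpeg", ".png"}
SCANNER_HINTS = ("scan", "scanner", "officejet", "laserjet", "mfp")


def looks_like_scanner_mail(msg: EmailMessage) -> bool:
    """True when From or Subject pretends (or really belongs) to a scanner."""
    text = " ".join((msg.get("From", ""), msg.get("Subject", ""))).lower()
    return any(hint in text for hint in SCANNER_HINTS)


def attachment_findings(part) -> List[str]:
    """Reasons an attachment is not what a scanner would send."""
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]
    findings = []
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable extension %s" % ext)
    if inner_ext in SCAN_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        findings.append("double extension %s%s" % (inner_ext, ext))   # scan.pdf.exe
    if data[:2] == b"MZ":                       # DOS/PE executable header
        findings.append("PE header (MZ) in payload")
    if part.get_content_type() == "application/pdf" and not data.startswith(b"%PDF"):
        findings.append("declared PDF but payload is not PDF")
    return findings


def analyse(raw: bytes) -> Dict[str, object]:
    """Gateway decision for one inbound message (raw RFC 5322 bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.iter_attachments():
        findings.extend(attachment_findings(part))
    return {
        "scanner_claim": looks_like_scanner_mail(msg),
        "findings": findings,
        "quarantine": bool(findings),            # a scanner claim alone is normal
    }


def _scanner_mail(filename: str, payload: bytes, subtype: str) -> bytes:
    """Build a message that claims to come from an office scanner (constructed)."""
    msg = EmailMessage()
    msg["From"] = "HP Scanner <scanner@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Scan from HP OfficeJet"
    msg.set_content("Please see the attached scanned document.")
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_sample_lure() -> bytes:
    """The malicious case: the filename from the alert over a PE-looking stub."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60      # stub header only, not a real binary
    return _scanner_mail("hp_page-1-19_24.07.2012.exe", fake_pe, "octet-stream")


def build_sample_benign() -> bytes:
    """A genuine-looking scan: PDF name, PDF magic, PDF content type."""
    return _scanner_mail("hp_page-1_24.07.2012.pdf", b"%PDF-1.4\n%stub\n", "pdf")


if __name__ == "__main__":
    for label, builder in (("lure", build_sample_lure), ("benign", build_sample_benign)):
        print(label, analyse(builder()))
```

On a gateway the same `analyse()` would run on every inbound message before delivery. The extension check and the magic-byte check are both cheap, and either alone catches the file quoted above; together they also catch the executable that has been renamed to end in .pdf, which the extension check alone would wave through.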