New Book
"...examines the escalating security and privacy threats from spy cameras, audio bugs, telephone bugs, GPS trackers, GSM listening devices, surveillance software, smart-phone compromises and other high-tech technologies that are actively marketed to civilians. Modern security professionals must grasp the magnitude of these emerging threats, how they are identified and the counter-measures by which they are neutralized."
The press release explains...
"Eavesdropping, Surveillance And Espionage: Threats, Techniques and Countermeasures is a comprehensive introduction to TSCM specifically for law enforcement, private investigators, homeland security, key military personnel, foreign service and diplomatic staff, intelligence operatives, private security contractors, TSA, security advisors and other security professionals in the private and public sectors.
Authored by Norbert Zaenglein, author of Disk Detective, Secret Software and the Covert Bug Book, the new TSCM book fills a much needed gap in security awareness related to civilian surveillance capabilities, a development that impacts military, government, diplomatic venues, homeland security, corporations, businesses and the general public.
The essential new security manual explains how mass production of sophisticated surveillance technology patterned after law-enforcement and intelligence-grade spy devices has marshaled the once secretive spy trade into civilian circles with far-reaching implications and consequences." (preview)
Note: Only available at http://www.modernprivacy.info/
Thursday, April 25, 2013
Monday, April 22, 2013
Detecting and Preventing Eavesdropping - U.S. Government Advice
(A long, but worthwhile read.)
Detecting and Preventing Eavesdropping
Any indication that an adversary or competitor is using illegal means to collect information should alert you to the possibility, at least, that listening devices might be planted in your office or home. There are a number of specific warning signs that you may be the target of eavesdropping. Of course, if eavesdropping is done by a professional, and done correctly, you may not see any of these signs.
One of the most common indicators of eavesdropping is that other people seem to know something they shouldn’t know. If you learn that an activity, plan, or meeting that should be secret is known to an adversary or competitor, you should ask yourself how they might have learned that.
An eavesdropper will often use some pretext to gain physical access to your office or home. It is easy for an outsider to gain access to many office buildings by impersonating a technician checking on such things as the air conditioning or heating. The only props needed are a workman’s uniform, hard hat, clipboard with some forms, and a belt full of tools. If challenged, the imposter might threaten not to come back for three weeks because he is so busy. In one version of this technique, the eavesdropper actually causes a problem and then shows up unrequested to fix it. In other words, you must verify that anyone performing work in or around your office was actually requested and is authorized to do this work. If a worker shows up without being asked, this suggests an attempted eavesdropping operation and should be reported immediately to your security office. Even when the work is requested, outside service personnel entering rooms containing sensitive information should always be accompanied and monitored.
Gifts are another means of infiltrating a bug into a target office. Be a little suspicious if you receive from one of your contacts a gift of something that might normally be kept in your office -- for example, a framed picture for the wall or any sort of electronic device. Electronic devices are especially suspicious as they provide an available power supply, have space for concealing a mike and transmitter, and it is often difficult to distinguish the bug from other electronic parts. Have any gift checked by a technical countermeasures specialist before keeping it in a room where sensitive discussions are held.
Unusual sounds can be a tip off that something is amiss. Strange sounds or volume changes on your phone line while you are talking can be caused by eavesdropping. However, they can also be caused by many other things and are relatively common, so this is not a significant indicator unless it happens repeatedly. On the other hand, if you ever hear sounds coming from your phone while it is hung up, this is significant and definitely should be investigated. If your television, radio, or other electrical appliance in a sensitive area experiences strange interference from some other electronic device, this should also be investigated if it happens repeatedly.
Illegal entry to your office or home to install an eavesdropping device sometimes leaves telltale signs, especially if done by an amateur. Evidence of improper entry with nothing being taken is suspicious. Installing an eavesdropping device sometimes involves moving ceiling tiles, electrical outlets, switches, light fixtures, or drilling a pinhole opening in the wall or ceiling of the target room (drilling in from the other side of the wall or ceiling). This can leave a small bit of debris, especially white dry-wall dust that should not be cleaned up. It should be reported to the security office.
In summary, protection against the installation of eavesdropping devices requires:
- Alert employees.
- Round the clock control over physical access by outsiders to the area to be protected.
- Continuous supervision/observation of all service personnel allowed into the area for repairs or to make alterations.
- Thorough inspection by a qualified technical countermeasures specialist of all new furnishings, decorations, or equipment brought into the area.
What to Do if You Suspect You Have Been Bugged
If you suspect you are bugged, do not discuss your suspicions with others unless they have a real need to know. Above all, do not discuss your suspicions in a room that might be bugged. Do not deviate from the normal pattern of conversation in the room. Advise your security officer promptly, but do not do it by phone. The bug may be in the telephone instrument. Do it in person, and discuss the problem in an area that you are confident is secure.
These security measures are important to ensure that the perpetrator does not become aware of your suspicions. A perpetrator who becomes aware you are suspicious will very likely take steps to make it more difficult to find the device. He may remove the device or switch it off remotely.
- Never try to find a bug or wiretap yourself. What’s the point? If you are suspicious enough to look, you already know you should not have any sensitive conversation in that room. If there is a bug there, do-it-yourself approaches probably will not find it. If you look and don’t find it, that certainly shouldn’t give you any sense of confidence that you can speak freely in that room. Don’t be misled by what you see on television, in the movies, or in spy-shop catalogs. Detecting bugs is difficult even for the professionals who specialize in that work.
A Technical Security Countermeasures (TSCM) survey, also known as a "sweep," is a service provided by highly qualified personnel to detect the presence of technical surveillance devices and hazards and to identify technical security weaknesses that could facilitate a technical penetration of the surveyed facility. It consists of several parts.
- An electronic search of the radio frequency (RF) spectrum to detect any unauthorized emanations from the area being examined.
- An electronically enhanced search of walls, ceilings, floors, furnishings, and accessories to look for clandestine microphones, recorders, or transmitters, both active and quiescent.
- A physical examination of interior and exterior areas such as the space above false ceilings and heating, air conditioning, plumbing, and ventilation systems to search for physical evidence of eavesdropping.
- Identification of physical security weaknesses that could be exploited by an eavesdropper to gain access to place technical surveillance equipment in the target area.
Contact me for additional information on conducting a professional technical information security survey, which is more thorough than the standard TSCM sweep. ~Kevin
(original government post)
Saturday, April 20, 2013
Interesting Question About Jamming Bugs & SpyCams
Q. "Looking for a bug jammer that will block out all bugs video or audio near my doorway looking at the rj4000 from the bug jammer store wondering if what they say is true they claim it will block 1 g bugs and 1.2 g bugs with a jamming frequency between 900 to 1000 mhz and 1100 mhz to 1300mhz for bugs"
A. Good thing you asked.
You really don't want to solve your problem this way.
Here's why...
• Jamming is illegal in the U.S. http://www.fcc.gov/encyclopedia/jammer-enforcement
"seizure of unlawful equipment" "subjects the operator to possible fines, imprisonment, or both"
• Your imported purchase runs the risk of being confiscated by Customs before it even reaches you.
• The RF jammer RJ4000 ALSO jams 2.4 GHz Wi-Fi and 1.5 GHz GPS signals. Your neighbors will complain.
But, yes, it will probably do what they say, assuming the bug/spycam transmitter is less powerful than the jammer's transmitter.
Best advice: Think of an alternate way to solve your concerns. ~Kevin
[Image: Estimated area of noticeable interference. Actual jamming area is less.]
Friday, April 19, 2013
Sand Sized Gyroscopes to Track You Anywhere
Mini-gyroscopes developed to guide smartphones and medical equipment...
Prof. Koby Scheuer of Tel Aviv University’s School of Physical Engineering is now scaling down this crucial sensing technology for use in smartphones, medical equipment and more futuristic technologies.
Working in collaboration with Israel’s Department of Defense, Prof. Scheuer and his team of researchers have developed nano-sized optical gyroscopes that can fit on the head of a pin — and, more usefully, on an average-sized computer chip — without compromising the device’s sensitivity... Measuring a millimeter by a millimeter (0.04 inches by 0.04 inches), about the size of a grain of sand, the device can be built onto a larger chip that also contains other necessary electronics...
Nano-gyroscopes integrated into common cellphones could provide a tracking function beyond the capabilities of existing GPS systems. "If you find yourself in a place without reception, you would be able to track your exact position without the GPS signal," he says.
There are benefits to medical science as well... (more)
Pentagon’s Spies Pimp Their Phones
The Pentagon has big plans for its spy agency. But first it’s going to upgrade its secret agents’ cellphones.
That’s the gist of a recent request for information from the cryptic Virginia Contracting Activity (or VACA), the public face for the Defense Intelligence Agency’s secretive contract business. According to the request, the DIA is looking for a company with the “ability to work and store classified information at the SECRET Collateral Level” to design custom “cellular phone point-to-point communication systems.” In other words, a private communications link. (more)
Top Wi-Fi Routers Easy to Hack, Says Study
The most popular home wireless routers are easily hacked and there's little you can do to stop it, says a new study by research firm Independent Security Evaluators.
Thirteen popular routers were tested and found vulnerable to hacks in a new study by research firm Independent Security Evaluators.
The Wi-Fi router you use to broadcast a private wireless Internet signal in your home or office is not only easy to hack, says a report released today, but the best way to protect yourself is out of your hands.
The report, written by research firm Independent Security Evaluators of Baltimore, found that 13 of the most popular off-the-shelf wireless routers could be exploited by a "moderately skilled adversary with LAN or WLAN access." It also concludes that your best bet for safer Wi-Fi depends on router vendors upping their game. All 13 routers evaluated can be taken over from the local network, with four of those requiring no active management session. Eleven of the 13 can be taken over from a Wide-Area Network (WAN) such as a wireless network, with two of those requiring no active management session. (more)
How to Hack-proof Your Wireless Router
(Maybe not hack-proof but at least hack-resistant.)
DoD Inspector General v. Army Commercial Mobile Devices (CMD)
There are lessons for your organization in this report.
Insert your organization's name where you see the word "Army".
"The Army did not implement an effective cybersecurity program for commercial mobiles (sic) devices. If devices remain unsecure, malicious activities could disrupt Army networks and compromise sensitive DoD information." (full report)
Wednesday, April 17, 2013
If you travel with a cell phone, tablet and/or laptop...
...this should interest you...
35,000. That’s how many business travelers depart the United States every day. With them goes over 40,000 cell phones, more than 50,000 laptops, and nearly 500,000 pages of business documents holding privileged information. When you travel abroad, your company is at risk.
Among Enemies tells you how to protect yourself.
Luke Bencie has traveled to more than 100 countries over the past 15 years on behalf of the U.S. intelligence community, as well as for the private defense industry.
While abroad, he has experienced, firsthand and sometimes painfully, the threat of espionage and the lengths to which foreign intelligence services and other hostile global competitors will go to steal American business secrets.
Mr. Bencie currently serves as the managing director of Security Management International, LLC, a security-consulting firm in the Washington, D.C. area.
Sen. Mitch McConnell's "Bug" - Recorded Acoustical Leakage
The center of political intrigue and an FBI investigation in Kentucky's U.S. Senate race is the otherwise inconspicuous second floor hallway of the Watterson West office building in Louisville.
...behind plain, black doors is Sen. Mitch McConnell's campaign headquarters.
It is in this hallway on February 2 that two members of the Progress Kentucky SuperPAC allegedly recorded a private campaign strategy meeting underway inside an office on the other side of one of those plain, black doors, according to Jacob Conway a member of the Jefferson County Democratic Party's Executive Committee.
"You have about a half an inch gap right there where a recording device or a microphone could have been inserted," Benton said, pointing to the bottom of the door...
With the campaign's permission, WHAS11 tested whether an iPhone voice memo program could successfully record a conversation by placing the phone's mouthpiece at the bottom door opening.
Playback of the test recording confirmed that it captured the voices of campaign workers meeting behind the door. The workers had been advised of the recording test...
Some legal analysts suggest that if the closed door meeting could be heard from the hallway, the recording might not be a crime. During the WHAS11 visit, some voices could be heard, without electronic assistance, from the hallway. (more)
Imagine, two guys in the hallway listening under the door. Eavesdropping doesn't get any more basic than that. Spying tricks haven't changed, there are just more of them these days. All the old tricks still work.
If they had their offices inspected by a TSCM team they would have been notified about the acoustical leakage vulnerability... in time to protect themselves.
FREE Security "Green" Papers on Laptop, Mobile Phones & Storage Devices
IT Governance is a supplier of corporate and IT Governance related books, toolkits, training and consultancy. They offer a wealth of knowledge and experience.
Their Green Papers contain information and guidance on specific problems and discuss many issues. Here are two just published this month...
Technical Briefing on Laptop and Mobile Storage Devices
Technical Briefing on Mobile Phones and Tablets
About two dozen more may be found here.
... thus, giving new meaning to a bright idea!
Optogenetics is the process by which genetically-programmed neurons or other cells can be activated by subjecting them to light. Among other things, the technology helps scientists understand how the brain works, which could in turn lead to new treatments for brain disorders.
Presently, fiber optic cables must be wired into the brains of test animals in order to deliver light to the desired regions. That may be about to change, however, as scientists have created tiny LEDs that can be injected into the brain.
The LEDs were developed by a team led by Prof. John A. Rogers from the University of Illinois at Urbana-Champaign, and Prof. Michael R. Bruchas from Washington University. The lights themselves can be as small as single cells and are printed onto the end of a flexible plastic ribbon that’s thinner than a human hair. Using a micro-injection needle, they can be injected precisely and deeply into the brain, with a minimum of disturbance to the brain tissue. (more)
FutureWatch - Micro-sensors to allow downloading of consciousness - knowledge, visuals, ideas, etc.
Tuesday, April 16, 2013
Small Business Espionage Attacks Up 42%
Smaller companies, their websites and their intellectual property are increasingly being targeted by cyberattacks, a new report on IT security trends says.
Targeted attacks were up 42 per cent in 2012 compared to the year before, and businesses with fewer than 250 employees are the fastest growing segment being targeted, according to the annual internet security threat report issued Tuesday by Symantec...
The type of information being targeted by attackers is also changing — financial information is now losing ground to other kinds of competitive data, the report found. (more)
McConnell's Suspected Bugger Has Hand Out
The man who is suspected of bugging Senate Minority Leader Mitch McConnell’s office has started a legal defense fund aimed at raising $10,000 — and so far, he’s received $185.
Breitbart reported that Curtis Morrison, who’s also a Progress Kentucky volunteer, said in a message about his fund that he’s cooperating with the FBI. But he’s struggling to pay for his legal defense...
A Kentucky Democratic Party operative and the founder of Progress Kentucky outed Mr. Morrison last week as the person who allegedly bugged Mr. McConnell’s office, Breitbart reported. (more)
The Schizo Illinois Eavesdropping Law
There was a major development Tuesday in the fight over the state's controversial eavesdropping law. A court decision now allows citizens to record the audio of police officers on the job in public.
Citizens can legally record video of police officers doing their jobs on the public way, as long as you don't interfere, but the Illinois Eavesdropping Act does not permit you to record audio.
If you do, you're still subject to arrest and criminal charges, even though two state court judges in Illinois have declared the law unconstitutional.
It remains a law on the books without clarity though a new agreement just approved by a federal court judge will change things in Cook County. (more)
Weird.
RFID Tracks Jewelry Popularity
Interesting application of RFID technology.
RFID smart shelves can help retailers analyze market demand.
Beyond sales reports, retailers want to understand which items had the highest shopper interest. For example, while one jewelry item is picked up 100 times and sold 90 times, another jewelry item is picked up 100 times but only sold 10 times. Retail statistics monitoring shopper behavior cannot be accurately counted by man.
However, the RFID Jewelry Smart Shelf Solution developed by Alpha Solutions enables retailers to clearly see data on which types of jewelry are picked up frequently. From the data obtained, discount promotions and programs can be made for the jewelry types that are having trouble selling.
Thursday, April 11, 2013
There is a Magazine for Everything... Even Penetration Testing
Kamil Sobieraj, editor of PenTest Magazine introduced me to his publication this week. It was an eye-opener. If you have anything to do with protecting information, you will find this as interesting as I did...
PenTest Magazine is a weekly downloadable IT security magazine, devoted exclusively to penetration testing. It features articles by penetration testing specialists and enthusiasts, experts in vulnerability assessment and management. All aspects of pen testing, from theory to practice, from methodologies and standards to tools and real-life solutions are covered.
48 issues per year (4 issues in a month).
A different title is published every week of the month:
• PenTest Regular – 1st Monday
• Auditing & Standards PenTest – 2nd Monday
• PenTest Extra – 3rd Monday
• Web App Pentesting – 4th Monday
...about 200 pages of content per month.
Each issue contains...
• News
• Tools testing and reviews
• Articles – advanced technical articles showing techniques in practice
• Book review
• Interviews with IT security experts
(more)
Nice to know there is a smart way to keep up with the bad guys.
Wednesday, April 10, 2013
Campaign Headquarters Bugged - FBI Investigating
Senate Minority Leader Mitch McConnell (R-Ky.) accused opponents Tuesday of bugging his headquarters and asked for an FBI investigation after a recording from an internal campaign meeting surfaced in a magazine report.
The 12-minute audiotape released by Mother Jones magazine reveals McConnell and his campaign staff at a Feb. 2 meeting lampooning actress Ashley Judd — then a potential Senate candidate — and comparing her to “a haystack of needles” because of her potential political liabilities. Judd has since decided not to run.
“We’ve always said the left will stop at nothing to attack Sen. McConnell, but Nixonian tactics to bug campaign headquarters is above and beyond,” campaign manager Jesse Benton said in a statement. (more)
UPDATE: "It is our understanding that the tape was not the product of a Watergate-style bugging operation. We cannot comment beyond that." – David Corn, Editor, Mother Jones (more)
Note: More than one person is heard speaking on the tapes (above is just an excerpt). Based on this, (and room echoes) the FBI will be able to figure out the location of the microphone. Hope everyone remembers where they were sitting.
Tuesday, April 9, 2013
Shodan - The Scary Search Engine
Cautionary Tale...
Unlike Google, which crawls the Web looking for websites, Shodan navigates the Internet's back channels. It's a kind of "dark" Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet...
It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot.
Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan.
What's really noteworthy about Shodan's ability to find all of this -- and what makes Shodan so scary -- is that very few of those devices have any kind of security built into them. (more)
Free - Computer Security Tools Book
"Open Source Security Tools: A Practical Guide to Security Applications"
Few frontline system administrators can afford to spend all day worrying about security. But in this age of widespread virus infections, worms, and digital attacks, no one can afford to neglect network defenses.
Written with the harried IT manager in mind, Open Source Security Tools is a practical, hands-on introduction to open source security tools. Seasoned security expert Tony Howlett has reviewed the overwhelming assortment of these free and low-cost solutions to provide you with the “best of breed” for all major areas of information security.
By Tony Howlett. Published by Prentice Hall. Part of the Bruce Perens' Open Source Series.
Offered Free by: informIT
A 600-page PDF, written in 2004, which still contains useful information.
Sunday, April 7, 2013
Son Bugs Mom (yawn)... with a Wiretap!
UK - Police have arrested a Lincoln man on suspicion that he bugged his 90-year-old mother’s phone.
Richard Stamler, 59, was arrested Thursday night for unlawful interception of communications, a felony, Lincoln Police Officer Katie Flood said.
Stamler’s sister called police March 28 to say she found a recording device in the basement of her mother’s home that had been connected to the phone line, Flood said.
The woman played the tape, Flood said, and recognized her brother’s voice reciting date information. The device was set to record any time someone in the house picked up a phone. (more)
Saturday, April 6, 2013
Canadian Technical Security Conference (CTSC) - April 23-25, 2013
The annual Canadian Technical Security Conference (CTSC) event (Cornwall, Ontario) is a three (3) day professional development and networking opportunity with a local, regional, national and international following of professional technical operators, TSCM specific and test & measurement based equipment manufacturers and service providers.
The conference is being held at Strathmere, near Ottawa.
GPS Coordinates, Latitude 45.157216, Longitude 75.703858
This annual CTSC conference event is of special interest to local, regional and international technical security professionals from the private sector, corporate security industry, financial sector, oil, gas and mining sector, government, law enforcement and military organizations and agencies. (more) Contact: Paul D Turner, TSS TSI
This is the conference's 8th year. Every year I hear reports about how worthwhile it is. Every year they schedule it when I am obligated to be elsewhere :(
Burglar Used SpyCams to Case High-Income Homes
The discovery of a hidden camera may help solve a series of break-ins at upscale homes in several North Texas cities.
"This one has already been camouflaged," said Dalworthington Gardens police Det. Ben Singleton, holding what looks like a piece of bark that would go unnoticed in most yards.
It's actually a video camera not much bigger than a matchbox, and it's activated by a motion detector. Such cameras turned up in March planted outside several upscale homes in Dalworthington Gardens.
"I've never seen anything like this," Singleton said. (more)
New Italian Cocktail "The Gepetto" - Thwarted by SpyCam
A retired Italian carpenter has been arrested after his sleuthing wife suspected he was trying to poison her and set about trying to prove it with the help of a spy alarm clock bought on the internet.
The drama began in February in the northern Italian town of Dalmine, where the couple had reportedly lived for almost 40 years. The 61-year-old woman grew suspicious when some water brought to her by her husband created a burning sensation in her mouth.
The woman, who has not been named, sent it off for tests in a laboratory, which, when they came back, revealed the presence of hydrochloric acid.
Perturbed, the woman became even more worried when she found a bottle among her husband's things that had no label on it and was filled with a clear liquid. She sent that off to be analyzed, as well, and was told that it, too, was hydrochloric acid.
Police confirmed that she then took advice from relatives and bought a miniature video-camera-cum-alarm-clock, proceeding to film her husband in the kitchen. (more)
The Era of Women Spies is Returning
White House counterterrorism adviser Lisa Monaco is all poised to head the FBI, following last week's appointment of Julia Pierson as director of the Secret Service and an unnamed CIA agent will be the first woman to lead the agency's clandestine service.
With these back-to-back developments, the era of women spies seems to have returned.
Some of them became legends and remained in the history as picturesque creatures, who with their skill, grace, charm or nerve, pulled the strings behind the most delicate political movements of the world.
Learn more about some of the most famous and sexy spy women...
• Mata Hari
• Virginia Hall
• Hedy Lamarr
• Elizabeth Van Lew
• Belle Boyd
• Sarah Emma Edmonds
• Noor Inayat Khan
Friday, April 5, 2013
Amazing Drone Footage - Just for fun - Enjoy Your Weekend
The SkyMotion Video team provided the aerial video services for the 2012 Tourism Partnership of Niagara commercials for the Niagara Falls region shoot - making use of their state of the art remote controlled helicopter drone.
Niagara Falls has of course been filmed countless times in the past using full sized helicopters. However, with this remote controlled helicopter, the shoot was not limited by minimum altitude restrictions, and so was able to achieve shots which were unlike any before. Flying only a couple feet above the water, the camera was able to approach the waterfall edge to give the viewer a true sense of the sheer scale of the world famous falls.
However, the Niagara region is not limited to just the falls. The surrounding area is full of beautiful landscapes with quaint towns, and world class vineyards. The area is full of life, and the hope is that these dynamic shots give a real sense of the variety of things offered by not only the falls, but by the region as a whole. (more) (more movies)
PS - The security tie-ins...
• Law Enforcement - Crime scene documentation and assessment.
• Security Consultants - Security assessment surveys.
Apple's iMessage has DEA Tongue Tied
Encryption used in Apple's iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects' conversations, an internal government document reveals.
An internal Drug Enforcement Administration document seen by CNET discusses a February 2013 criminal investigation and warns that because of the use of encryption, "it is impossible to intercept iMessages between two Apple devices" even with a court order approved by a federal judge...
When Apple's iMessage was announced in mid-2011, Cupertino said it would use "secure end-to-end encryption." It quickly became the most popular encrypted chat program in history: Apple CEO Tim Cook said last fall that 300 billion messages have been sent so far, which are transmitted through the Internet rather than as more costly SMS messages carried by wireless providers. (more)
But... if messages are exchanged between an Apple device and a non-Apple device, they "can sometimes be intercepted, depending on where the intercept is placed." (more)
Labels: cell phone, data, encryption, FBI, government, privacy, surveillance
Security Consultant Alert - IAPSC Annual Conference in Napa, CA
NOTE: It is not too late to register. Be a hero. Take your significant other to Napa for a few days.
The International Association of Professional Security Consultants (IAPSC) Annual Conference is the largest and most exclusive gathering of top security consultants.
Their 2013 conference offers a wide range of topics focused on Security Consulting and Business Profitability, as well as Technical, Forensic, and IT Security.
Presenters will discuss security standards, best practices, risk management, promotional uses of media, including webinar development, marketing and communications techniques for consultants, retirement and selling your business, as well as technical and forensic security focused sessions.
Visit the conference website
View the conference program
Download the brochure
Register Now
Not yet an IAPSC Member?
When you register to attend the conference, ask about the special registration offer available exclusively to new members. (more)
I have been attending IAPSC conferences, each year, for about two decades. Every one has been well worth attending. I return to the office with a broader knowledge of security, fresh ideas about improving services to my clients, and recharged mental batteries. If you are on the fence about going, hop off... and into the vineyard. Try it once. You will see what I mean. Be sure to find me and say hello. ~Kevin
AppSec USA 2013 is Coming to NYC
Call for Papers NOW OPEN!
CareerFair
Events (Capture the Flag, Battlebots, Lockpick Village, and more)
AppSec USA is a software security conference for technologists, auditors, risk managers, and entrepreneurs, gathering the world's top practitioners to share the latest research and practices at the Marriott, NYC. It is hosted by OWASP. (Why you would want to attend.)
What is OWASP?
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
Everyone is free to participate in OWASP and all of their materials are available under a free and open software license.
You'll find everything about OWASP here on or linked from our wiki and current information on our OWASP Blog.
OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.
OWASP is a global group of volunteers with over 36,000 participants. (more)
Thursday, April 4, 2013
Blue Bugging - An old topic and growing problem
When you pair your smart phone with your vehicle's audio system and leave that connection open, you may become the target of Blue-bugging.
"They have paired their car and they leave their Bluetooth pairing open and then they get out of the car…they come out of the car and go to a store or something like that and the Bluetooth capability is still on," explains Mike Rohrer with the Arkansas Better Business Bureau.
The BBB advises you switch your Bluetooth into "Not discoverable" mode when you aren't using it…especially in crowded, public places.
Always use at least eight characters in your PIN.
When pairing devices for the first time, do it at home or in the office. And download the latest security updates. (more) (video)
There is also a chapter (Bluetooth® Eavesdropping) devoted to the subject of Bluetooth vulnerabilities in, "Is My Cell Phone Bugged?"
Sunday, March 31, 2013
Cell Phone Tracking v. Right to Privacy - To be Decided
A secretive technology which lets police locate and track people through their cellphones in alleged violation of the US constitution will be challenged in a potential landmark court case...
The American Civil Liberties Union hopes to rein in the little known but widespread "stingray" surveillance devices which it claims violate the fourth amendment and the right to privacy.
The group will urge a federal court in Arizona to disregard evidence obtained by a stingray in what could be a test case for limiting the technology's use without a warrant. (more) (much more)
Digital Cameras Easily Turned into Spying Devices
Newer cameras increasingly sport built-in Wi-Fi capabilities or allow users to add SD cards to achieve them in order to be able to upload and share photos and videos as soon as they take them.
But, as proven by Daniel Mende and Pascal Turbing, security researchers... these capabilities also have security flaws that can be easily exploited for turning these cameras into spying devices.
Mende and Turbing chose to compromise Canon's EOS-1D X DSLR camera and exploit each of the four ways it can communicate with a network. Not only have they been able to hijack the information sent from the camera, but have also managed to gain complete control of it. ...like uploading porn to the camera, or turning it into a surveillance device. (more) (video presentation - long and boring)
Solution in a nutshell... Before purchasing any Wi-Fi enabled device, make sure it supports encryption.
Range Wars Redux - Animal Welfare Group Drones v. Cattlemen
Australia - Farming bodies have criticized an animal welfare group's plan to use a drone to film farming practices on properties around Australia, with one saying the drone would be shot down.
Animal Liberation has purchased a surveillance drone equipped with a powerful camera. The group says the drone can film from as low as 10 metres above the ground to gather potential evidence of animal abuse.
Spokesman Mark Pearson says the practice will not contravene trespass or privacy laws. He says animal welfare is in the public interest...
But the head of the Northern Territory Cattleman's Association, David Warriner, disagrees... Mr Warriner says he expects some farmers would shoot down the drones. (more)
Yo, Warriner! The war already started...
A remote-controlled aircraft owned by an animal rights group was reportedly shot down near Broxton Bridge Plantation Sunday near Ehrhardt, S.C. (more) (much more)
Saturday, March 30, 2013
How to Have Safe Specs - Just Say No
Amidst rising concerns about cyber spying and a House Intelligence Committee report last October, Sprint and Softbank have said they will not use any equipment from China-based Huawei Technologies.
The two companies are preparing for a merger, which is being overseen by the US government. The government has asked only to be informed when these two companies buy new equipment and where they buy it.
Mike Rogers, a Michigan Republican who leads the House Intelligence Committee, has confirmed these two companies have made this pledge.
“I … was assured they would not integrate Huawei into the Sprint network and would take mitigation efforts to replace Huawei equipment in the Clearwire network,” said Rogers in a statement on Thursday. (more)
Putin on the Quits
Russian President Vladimir Putin jokingly told members of the All-Russia People's Front, a political movement he started, that he's stopped eavesdropping since he left the KGB, because it's not a nice thing to do, Russia’s RIA reported on Friday. (more) (rimshot)
Better Eyes for Flying Robots - A Runaway Hit
New systems could improve the vision of micro aerial vehicles.
Aerial robotics research has brought us flapping hummingbirds, seagulls, bumblebees, and dragonflies. But if these robots are to do anything more than bear a passing resemblance to their animal models, there is one thing they’ll definitely need: better vision.
In February, at the International Solid-State Circuits Conference (ISSCC) in San Francisco, two teams presented new work (PDF) aimed at building better-performing and lower-power vision systems that would help aerial robots navigate and aid them in identifying objects.
Dongsuk Jeon, a graduate student working with Zhengya Zhang and IEEE Fellows David Blaauw and Dennis Sylvester at the University of Michigan, in Ann Arbor, outlined an approach to drastically lower the power of the very first stage of any vision system—the feature extractor. (more) (A "Runaway" hit from 1984.)
FutureWatch: Mosquito-bots custom programmed to deliver injections (stun / drug / poison / etc.) based on recognition algorithms?
Friday, March 29, 2013
FutureWatch Update - Skype Tapping
When we last left Skype...
Was Skype reworked by Microsoft to make it easier to wiretap?
Hey kids, we bought and fixed Skype just for you!
In today's episode...
Since its acquisition of Skype in May 2011, Microsoft has added a legitimate monitoring technology to Skype, says Maksim Emm, Executive Director of Peak Systems. Now any user can be switched to a special mode in which encryption keys will be generated on a server rather than the user's phone or computer.
Access to the server allows Skype calls or conversations to be tapped. Microsoft has been providing this technology to security services across the world, including Russia.
Group-IB CEO Ilya Sachkov said that the security services have been able to monitor the conversations and location of Skype users for a couple of years now.
"This is exactly why our staff are not allowed to discuss business on Skype," he said. (more)
Thursday, March 28, 2013
Security Director Tip of the Month - More Secure Conference Calling
Over the years, you have read many posts here about organizations being victimized by eavesdroppers on their conference calls. I am expecting you will see fewer in years to come...
CrowdCall, a specialized conference-calling app available for iOS and Android smartphones and the web.
Instead of scheduling a dial-in line, e-mailing all parties involved and then hoping everyone calls at the appointed time, CrowdCall's interface lets users choose up to 20 participants from their contacts list and LinkedIn connections and dial them immediately (assuming the contacts have added their phone number to their LinkedIn profiles). When participants answer, they simply push "1" to enter the conference--they don't even need to have the app to participate.
...one feature in particular makes it attractive to small businesses. Because the call originator controls invitations, unauthorized participants can't use dial-in information to access the call, providing a measure of security when discussing sensitive information. (more)
Wednesday, March 27, 2013
Cell Phone Fingerprinting - GPS Tells WHO You Are
Can you be identified only by where you take your phone? Yes, according to a new study, which finds it's not very hard at all.
While most of us are free to go wherever we want, our daily and weekly movement patterns are pretty predictable. We go to work, to school, to church, to our neighborhood gym, grocery store or coffee shop, and we come home -- all quietly tracked by the GPS in our phone.
And with nothing more than this anonymous location data, someone who wanted to badly enough could easily figure out who you are by tracking your smartphone. Patterns of our movements, when traced on a map, create something akin to a fingerprint that is unique to every person.
"Four randomly chosen points are enough to uniquely characterize 95% of the users (ε > .95), whereas two randomly chosen points still uniquely characterize more than 50% of the users (ε > .5). This shows that mobility traces are highly unique, and can therefore be re-identified using little outside information."
Those are the findings of a report by researchers from MIT and elsewhere, published this week in the journal Scientific Reports. (more)
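The unicity figure quoted above (ε for p known points) can be measured on any location dataset before it is shared. The following is an added example, not code from the study or from this blog: the traces are constructed sample data, the function names are hypothetical, and it enumerates every p-point subset exactly rather than sampling points at random as the study describes.

```python
from fractions import Fraction
from itertools import combinations

# Constructed sample data: each "anonymous" user's trace is a set of
# (antenna_cell, hour_of_day) points. No names are attached to any trace.
TRACES = {
    "u1": {("A", 8), ("B", 9), ("C", 18), ("D", 20)},
    "u2": {("A", 8), ("B", 9), ("E", 18), ("F", 20)},
    "u3": {("A", 8), ("G", 9), ("C", 18), ("H", 20)},
    "u4": {("J", 8), ("B", 9), ("E", 18), ("D", 20)},
}


def matching_users(traces, points):
    """Return the users whose trace contains every one of the given points."""
    wanted = set(points)
    return [user for user, trace in traces.items() if wanted <= trace]


def unicity(traces, p):
    """Expected fraction of users singled out by p points from their own trace.

    For each user, every p-point subset of the trace is checked; a subset
    counts as identifying when that user is the only match in the dataset.
    """
    total = Fraction(0)
    counted = 0
    for user, trace in traces.items():
        subsets = list(combinations(sorted(trace), p))
        if not subsets:
            continue  # trace has fewer than p points, so it cannot be tested
        unique = sum(1 for s in subsets if matching_users(traces, s) == [user])
        total += Fraction(unique, len(subsets))
        counted += 1
    return total / counted if counted else Fraction(0)


if __name__ == "__main__":
    for p in (1, 2, 3):
        print(f"p={p}: unicity = {float(unicity(TRACES, p)):.2f}")
```

Even in this tiny dataset, where every user shares most points with someone else, unicity climbs quickly as p grows, which is why stripping names from location records does not by itself make them anonymous.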
Hello Federal! Give Me No Second Hand
Despite the pervasiveness of law enforcement surveillance of digital communication, the FBI still has a difficult time monitoring Gmail, Google Voice, and Dropbox in real time.
But that may change soon, because the bureau says it has made gaining more powers to wiretap all forms of Internet conversation and cloud storage a “top priority” this year.
Last week, during a talk for the American Bar Association in Washington, D.C., FBI general counsel Andrew Weissmann discussed some of the pressing surveillance and national security issues facing the bureau. He gave a few updates on the FBI’s efforts to address what it calls the “going dark” problem—how the rise in popularity of email and social networks has stifled its ability to monitor communications as they are being transmitted. It’s no secret that under the Electronic Communications Privacy Act, the feds can easily obtain archive copies of emails. When it comes to spying on emails or Gchat in real time, however, it’s a different story. (more)
Sunday, March 24, 2013
Bugged Van, Other Man, "I'll kill him"... "Just kidding."
A 44-year-old Howell man is facing felony charges after allegedly installing an eavesdropping device in his wife's van in an attempt to catch her in an extramarital affair.
Livingston County Sheriff Bob Bezotte said Friday that the case came to police attention when the 48-year-old woman's alleged boyfriend, 21, called to ask if installing such devices is illegal. He told police that he felt his privacy had been violated after learning that the device captured him and the wife being "passionate," the sheriff said.
Bezotte said the defendant allegedly threatened to kill the 21-year-old boyfriend and threatened to "make him lose his coaching position." The sheriff (said) the defendant claimed that he was "mad and kidding" when he made the comments. (more)
Friday, March 22, 2013
Zombie Privacy Bills Struggle to Become Laws
Just two days after new legislative reform on e-mail privacy was re-introduced in Congress, another privacy bill was brought back from years past.
On Thursday, three members of the House (two Republicans and a Democrat) and two bipartisan senators introduced the GPS Act, which would require law enforcement to obtain a probable cause-driven warrant before accessing a suspect’s geolocation information. The bill had originally been introduced nearly two years ago by the same group of legislators.
The new GPS bill as it stands (PDF) contains exceptions for emergencies, including "national security" under the Foreign Intelligence Surveillance Act, but otherwise requires a warrant for covert government-issued tracking devices. The proposed penalty for violating this new provision could come with fines and/or five years in prison.
(more)