Wednesday, September 28, 2011

Business Espionage Alert: Embedded Web Servers

Many types of Web-connected photocopiers, scanners, and VoIP servers have no default passwords or other security enabled to stop remote eavesdropping.

Numerous models of printers, photocopiers, and voice over IP (VoIP) systems are Internet-connected. But their embedded Web servers often use well-known default passwords or firmware that has known vulnerabilities, either of which could be used by remote eavesdroppers to intercept internal communications...

Web-accessible photocopiers and the like are essentially repositories of any recent documents or communications of interest, and thus could serve as a competitive intelligence treasure trove.

Some devices even offer would-be attackers time-saving shortcuts. Certain models of Sharp photocopiers, for example, can be set to upload all scanned or copied documents to an external site via FTP, or email them to an outside email address. Meanwhile, some HP all-in-one printers have a feature called Webscan, which allows anyone with a browser to scan and download whatever is on the scanner bed. (more)

Tuesday, September 27, 2011

New York’s senior senator Charles Schumer wants the feds to investigate OnStar’s controversial new privacy policy, and demanded the Detroit navigation-and-emergency company refrain from monitoring vehicles after customers cancel service.

“By tracking drivers even after they’ve cancelled their service, OnStar is attempting one of the most brazen invasions of privacy in recent memory,” Schumer, a Democrat, said in a statement Monday. “I urge OnStar to abandon this policy and for the Federal Trade Commission to immediately launch a full investigation to determine whether the company’s actions constitute an unfair trade practice.”

OnStar last week began e-mailing customers about its update to the privacy policy, which grants OnStar the right to sell GPS-derived and other data in an anonymized format. That data might include a vehicle’s location, speed, odometer reading and seatbelt usage. Schumer also asked the company, a General Motors subsidiary, not to sell that data. (more)

Search in Secret

Startpage.com now offers Google search results in complete privacy!

"When you perform a web search through Startpage, we remove all identifying information from your query and submit it to Google anonymously through our own servers. We obtain Google's search results and serve them to you in total privacy. Then we delete all records of your visit.

Your IP address is not recorded, your visit is not logged, and no tracking cookies are placed on your browser. In fact, Startpage does not record any information about its users. Nothing. Nada. Zilch. And Google never sees you at all."

In China, business travelers take extreme precautions to avoid cyber-espionage

Packing for business in China? Bring your passport and business cards, but maybe (definitely) not that laptop loaded with contacts and corporate memos.

China’s massive market beckons to American businesses — the nation is the United States’ second-largest trading partner — but many are increasingly concerned about working amid electronic surveillance that is sophisticated and pervasive.

Security experts also warn about Russia, Israel and even France, which in the 1990s reportedly bugged first-class airplane cabins to capture business travelers’ conversations...

But China’s brazen use of cyber-espionage stands out because the focus is often corporate, part of a broader government strategy to help develop the country’s economy, according to experts who advise American businesses and government agencies.

“I’ve been told that if you use an iPhone or BlackBerry, everything on it — contacts, calendar, e-mails — can be downloaded in a second. All it takes is someone sitting near you on a subway waiting for you to turn it on, and they’ve got it,” said Kenneth Lieberthal, a former senior White House official for Asia who is at the Brookings Institution. (more)

Want to increase the level of information security in your offices in China? We've been there. We can help.

Tuesday, September 20, 2011

World's First Concept Wireless Phone?

1922 - The umbrella is being used as the antenna. The fire hydrant is the ground. Good concept so far, but where is the battery?

From British Pathé - "The world's finest news and entertainment video film archive."
You can view and buy films and still photographs from the entire archive of 90,000 videos covering newsreel, sports footage, social history documentaries, entertainment and music stories from 1896 to 1976. (more)

Security Letter Book Review - "Is My Cell Phone Bugged?"

RECOMMENDED BOOK: IS MY CELL PHONE BUGGED? Savvy readers have known for decades that cell phones are two-way radios. That means that someone else who homes in on the transmission can listen to everything that’s being said. But the matter is a quantum more serious when the cell phone itself has been rigged so that a third party can listen anytime, anywhere without discovery.

Kevin D. Murray has been a well regarded consultant for over three decades in electronic eavesdropping detection and countermeasures. He has a knack for explaining problems and the controls for them in simple language, as this book reflects. While the focus is on cell phone vulnerabilities, other electronic communications risks are discussed as well.

“We’ve got a problem with communications.” Many security practitioners face ongoing frustrations in limiting confidential information from being discussed over cell phones. This book reveals the fragility of cell phone communications. It also offers other tips to protect cell phone communications.

Murray is like an anti-eavesdropping missionary. His book is a real value. It also comes with a free SpyWarn Mobile™ to help conduct your own cell phone diagnosis. Pub. by: Emerald Book Co., www.ismycellphonebugged.com 158 pp. includes the SpyWarn Mobile token; $17.95.

Thank you!

Friday, September 16, 2011

Annual Espionage Research Institute Meeting in DC

The world's top technical surveillance countermeasures specialists are meeting today through Sunday. If you're planning on planting a bug, now would be a good time. The cats are away.

Here is what they will be learning today...
• Blocking Competitive and State Sponsored Threats
• The Future of TSCM
• GSM Cell Phone Bug Detection using AirPatrol
• GSM and Hybrid Devices
• TSCM Product Demos
• Kestrel TSCM Software
• TSCM Inside Out

Oh, and that bug you planted. These cats will be back.

Thursday, September 15, 2011

Where Can You Buy A Bug in Washington, DC?

...at the International Spy Museum, of course...
Audio Bug
Price: $25.00
Code: 17039
Product Facts: The walls have ears…and now, thanks to Audio Bug, so can tables, windows, bookshelves, and lockers! Use the attached suction cup to stick this clever bug where it won’t be seen. With the voice-activation feature, it will start recording when your adversaries start talking or if they make noise when snooping in your headquarters. A hidden speaker records the audio — play it back at the touch of a button. Save your files and upload the evidence to your computer with the secret USB connector. Then start bugging again!

Technical Data: Ages 8 and up. Plastic and metal. Black/silver/orange. 3-1/2” x 1” x 1”. Requires 1 AAA battery, not included. (more)

Next question...
How can you find a bug in Washington, DC? (more)

Wednesday, September 14, 2011

Tip: Remove the Secret Stuff From Your Smartphone Today

Back in March, Scarlett Johansson's name popped up on a list of celebrities who found themselves the target of hackers that broke into their cell phones and leaked some nude photos and video.

With sultry X-rated pics of the sex symbol surfacing today on various gossip sites, ScarJo's fighting back by reaching out to the feds to find the perpetrators. (more)

Tuesday, September 13, 2011

Jackie, oh!

According to interviews, Jackie Kennedy gives "tart commentary on former presidents, heads of state, her husband's aides, powerful women, women reporters, even her mother-in-law." 

She also said that Martin Luther King Jr. was "a phony" whom electronic eavesdropping had found arranging encounters with women. (more)
She also admits to eavesdropping on her husband and his advisers one morning when the emergency committee in charge of the crisis gathered in the Oval Room, unbeknownst to the press.

"So then, I went in the Treaty Room where I well, just to fiddle through some mail or something, but I could hear them talking through the door. And I went up and listened and eavesdropped," she confided. (more)

The News of the World Phone Hacking Scandal Continues

UK - As the UK parliament's inquiry into News of the World phone-hacking scandal continues, there's a lot of back-and-forth going on with regards to who knew what was happening - and when.

Immediately after the major players testified in July, it appeared that a bit of a calm before the storm was on the horizon. Things went silent for a bit. But that's changed now as new allegations, arrests and concerns have brought about new questions and evidence in the case.

To start with, a former lawyer for News of the World testified that News Corp. executive James Murdoch must have known that illegal phone hacking at the News of the World newspaper was not confined to the single journalist who was imprisoned for it. Tom Crone, who was legal manager of the paper, said Murdoch would only have given Crone authority to settle a lawsuit against News of the World if he had understood that there had been more illegal eavesdropping. (more)

Friday, September 9, 2011

They are very busy. That's why they're called busybodies.

UK - Millions of adults are self-confessed computer hackers, with more than one in 10 (13%) admitting they have accessed someone else's online account details without their permission.

According to research by life assistance company CPPGroup Plc (CPP), the most common 'casual' hacking takes place on Facebook and other social network sites. And while this will often be viewed as harmless spying, many admitted to accessing personal and work emails, money transaction portals such as PayPal and online banking sites.

Many people (32%) casually dismissed their hacking as something they did 'just for fun' while others admitted they did it to check up on their other half (29%) or a work colleague (8%). But it wasn't all passive spying - two per cent had very different motives admitting they did it for financial gain. (more)

Missing Email? Maybe it was Doppelganged!

Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months.

The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.

“Twenty gigs of data is a lot of data in six months of really doing nothing,” said researcher Peter Kim from the Godai Group. “And nobody knows this is happening.”

Doppelganger domains are ones that are spelled almost identically to legitimate domains, but differ slightly, such as a missing period separating a subdomain name from a primary domain name – as in the case of seibm.com as opposed to the real se.ibm.com domain that IBM uses for its division in Sweden. (more)
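The defensive counterpart to the missing-period pattern described above is to enumerate the dotless look-alikes of your own mail domains and hold any outbound message addressed to one of them. This is an added example, not code from the article or from the Godai Group research; the only domain taken from the post is se.ibm.com, and every other domain and address is constructed.

```python
# Added example (not from the article or the Godai Group research): a dotless
# doppelganger watchlist for outbound mail. Only se.ibm.com comes from the
# article; all other domains and addresses here are constructed.
from __future__ import annotations


def dotless_doppelgangers(domain: str) -> set[str]:
    """Domains formed by dropping exactly one dot before the top-level label.

    se.ibm.com -> {seibm.com}; the TLD dot is kept because se.ibmcom would not
    resolve. Only the single-missing-dot pattern from the article is modelled.
    """
    labels = domain.lower().strip(".").split(".")
    result = set()
    for i in range(len(labels) - 2):  # every dot except the one before the TLD
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        result.add(".".join(merged))
    return result


def build_watchlist(legit_domains: list[str]) -> dict[str, str]:
    """Map each doppelganger to the legitimate domain it imitates."""
    watch = {}
    for legit in legit_domains:
        for fake in dotless_doppelgangers(legit):
            watch[fake] = legit.lower()
    return watch


def flag_recipients(recipients: list[str], watch: dict[str, str]) -> list[tuple[str, str]]:
    """Return (address, imitated_domain) for recipients on the watchlist.

    This is the check a mail gateway or DLP rule applies before delivery, so a
    mistyped address is held or bounced instead of leaving the organisation.
    """
    flagged = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in watch:
            flagged.append((addr, watch[domain]))
    return flagged


# Constructed sample data.
LEGIT_DOMAINS = ["se.ibm.com", "mail.corp.example.com"]
OUTBOUND = ["anna@se.ibm.com", "bob@seibm.com",
            "carol@mail.corpexample.com", "dave@example.org"]
if __name__ == "__main__":
    for addr, imitated in flag_recipients(OUTBOUND, build_watchlist(LEGIT_DOMAINS)):
        print(f"BLOCK {addr}: looks like a doppelganger of {imitated}")
```

Registering or at least monitoring the generated names closes the other side of the problem, since the watchlist only stops mail leaving your own gateway.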

If you use mobile devices, malware will come

IT people who try to secure mobile devices in a big company face three big conceptual problems.

First, many, if not most, of the smartphones and tablets are from Apple. Both veteran and rookie users tend to believe Apple devices aren't vulnerable to malware and hacks, so users don't need to take any precautions.

Second, even non-Mac users tend to think security is already built into their smartphones or tablets, so they also resist efforts to install antivirus, firewall, or other additional security on what are often their own systems.

Third, the fastest-growing malware segment targets Adobe applications rather than the traditional browser or operating system, doing an end run around the expectations of both users and many IT security people, according to analysts at the security vendors McAfee and Commtouch. (more)

Thursday, September 8, 2011

Sick of Snooki? Tired of Trump? Fab-a-dab-a-Zap Shutdafacesup!

MAKE video producer Matt Richardson from Brooklyn shows you how to use an Arduino microcontroller to mute your television based on keywords found in the broadcast's closed captioning transcription. You can rest easy knowing that you'll never have to hear about Kim Kardashian—or whoever you're sick of—again! 

"A while ago it was Charlie Sheen. And then it was Sarah Palin. And then it was Donald Trump," said Richardson, who is a video producer for Make Magazine. "And after a while I realized there's sort of always someone who I don't really want to hear about."

Like any good hacker, Richardson decided to come up with a fix: He developed a do-it-yourself TV remote control that will automatically mute the television when certain celebrity names are mentioned.

He plans to debut and explain the hack at the upcoming Maker Faire event in New York. The name of his talk is "Enough Already: Silencing Celebs with Arduino." (more) (Wanna go?)