Thursday, August 2, 2012

The Top Two Things Business Spies Really Hate

The majority of information losses are caused by people, not electronic eavesdropping. Your employees are your weak links. They are tripped up by social engineering attacks, and their own poor security practices. They are also your first line of defense. You need them on your side to fix the problem.

Don't start by accusing them. 

What if your loss is a concerted business espionage attack? What if your office is bugged? What if your cell phone is infected with spyware? Think of the damage a false accusation would cause. Morale and law suits top a long list of possible collateral damage.

An electronic surveillance detection sweep (aka TSCM) is the best first step. Work with a specialist who can also identify your other information security loopholes. Eliminate the eavesdropping and espionage possibility first.

Once you have cleared your organization of bugs and wiretaps, and plugged the info-leak vulnerabilities, think ahead. Be proactive. Follow up with security awareness training.

Resources:
Security Awareness Training: Aujas, KnowBe4, WJM Enterprises, SANS™ Institute, and more.
Electronic Surveillance Detection and Business Counterespionage Consulting: Contact me for a referral to a competent specialist who suits your needs. ~Kevin

Tuesday, July 31, 2012

Cyber-Spy Malware Eavesdrops on Corporate, Government Targets Worldwide

More than 200 unique families of malware have been used to eavesdrop on corporate and government employees, including attacks on the Japanese government, according to the results of a study of cyber-espionage activities released on July 25.

Click to enlarge.
Unlike the massive botnets used by cyber-criminals to steal cash, such as the "Gameover" Zeus botnet, the espionage botnets typically consist of hundreds of compromised computers rather than tens or hundreds of thousands.

Most of the activity traces back to China, but some spying does not, including espionage carried out by a private security company that advertised “ethical” hacking courses, according to Joe Stewart, director of malware research at managed security provider Dell Secureworks, which carried out the investigation. In total, Stewart identified more than 1,100 domain names used in the attacks and registered by online spies. (more)

Cell Phones - The Remote Track Hack

A GPS weakness could allow hackers to remotely track smartphone users, or even completely take over mobile devices, University of Luxembourg researcher Ralf-Phillip Weinmann reported last night at Black Hat.

Instead of directly using GPS satellites, most mobile devices receive much faster assisted GPS (A-GPS) signals from cellular networks to determine approximate location. However, Weinmann discovered that these A-GPS messages are transmitted over a non-secure internet link, and could be switched for messages from an attacker. Weinmann demonstrated this vulnerability on several Android devices... (more)

Security Alert: Malware Via Email... From YOUR Printer!

In these high-tech times, scanners and photocopiers aren't just dumb machines sitting in the corner of the office.

They are usually connected to the corporate network, and - in some cases - can even email you at your desk to save you having to wear out your shoe leather.

And it's precisely this functionality that we have seen cybercriminals exploiting today, pretending that their malicious emails in fact come from an HP scanner inside your organization.

If you see a file like this one, beware...
hp_page-1-19_24.07.2012.exe
Clearly that's not a scanned-in image - it's executable code. ...be on your guard.

If you are one of the many people seeing this malware attack in your email today, please do not click on the attachment even if you are waiting for a scanned-in document to be sent to you. Instead, simply delete the email and your computer will be safe. (more)

Saturday, July 28, 2012

SpyCam Story #662 - This Week In SpyCam News

SpyCam stories have become commonplace and the techniques used, repetitive. We continue to keep lose track of the subject for statistical purposes, but won't bore you with too many details. Links supplied.

General
NY - Apple store spycam'er gets exposure. Life 'intimates' art. 
OH - Mr. Nicely indited on video voyeurism charges. No relation to Mr. Rogers.


Hotels

Showers & Changing Rooms
AR - Old Navy changing room spycam'er nailed at Starbucks. Police checking phone.

Bathrooms
WA - Fish hatchery manager/bathroom spycam'er sentenced. Employees smelled something...

The Tanning Guys...

Off their meds...

"Trusted Agents"

Upskirters



Oh, did I mention our voyeurism detection services are being requested more and more often? 

Due diligence makes sense to businesses like: hotels, gyms, swimming pools, country clubs, educational institutions, clothing retailers, and all businesses offering private areas to their employees and guests.

Security Directors: FREE Security White Paper - "Surreptitious Workplace Recording ...and what you can do about it."   

We can not guarantee you will never be on the wrong end of a voyeurism law suit. However, we are sure our services will pay for themselves many times over when damages are assessed. These days, if you're in business, you must proactively protect your employees and the visiting public's privacy. ~Kevin

Outdated Law Clouds Wi-Fi Eavesdropping Privacy Rights

If you don’t protect your Wi-Fi connection with a password, does that mean it’s legal to tap your Internet and monitor what you’re doing?

The key part of the federal anti-wiretap law was written in the 1980s, long before anyone contemplated using Wi-Fi networks, so the answer isn’t clear. In fact, legal experts say, it’s possible that how well you’re protected by the law would depend on what channel your Wi-Fi router is set to. (more) (spybusters link)

Apps: Know Your Rights & Protect Your Rights

Reporters Committee FirstAid app
The Reporters Committee FirstAid app was designed to help journalists who need quick answers to legal issues that arise while covering the news. It is meant as a quick solution during an urgent situation, such as when a judge or other official is keeping you from a hearing or a meeting, or a police officer is threatening you with arrest.

FirstAid also provides quick access to their hotline for any media law issues, either by phone or email. 

Click to enlarge.
The Reporters Committee and this app are available for journalists of all varieties, whether you work for a national news organization or a neighborhood news blog. They never charge for our assistance. (more)


Android app allows citizens to record and store video and audio of police encounters, includes guide to citizens’ rights  

Citizens can hold police accountable in the palms of their hands with “Police Tape,” a smartphone application from the ACLU of New Jersey that allows people to securely and discreetly record and store interactions with police, as well as provide legal information about citizens’ rights when interacting with the police.




The Android “Police Tape” app records video and audio discreetly, disappearing from the screen once the recording begins to prevent any attempt by police to squelch the recording. In addition to keeping a copy on the phone itself, the user can choose to send it to the ACLU-NJ for backup storage and analysis of possible civil liberties violations.

A version awaiting approval from Apple will be available later this summer in the App Store for iOs to audio record encounters with police. (more)

Friday, July 27, 2012

eBlaster Shatters Crystal - $20,000 Loss

The ex-wife of a wealthy businessman must pay him $20,000 for installing spyware on his computers and using it to illegally intercept his emails to try to gain an upper hand in their divorce settlement, a federal judge in Tennessee ruled.

U.S. Magistrate Judge William Carter ordered Crystal Goan to pay ex-husband James Roy Klumb $20,000 for violating federal and state wiretap laws when she used Spectorsoft's eBlaster spyware to intercept Klumb's email. (more)

Thursday, July 26, 2012

Happy Birthday CIA

On July 26, 1947, President Truman signed the National Security Act, creating the Department of Defense, the National Security Council, the Central Intelligence Agency and the Joint Chiefs of Staff. (more)

$50 Hacking Device Opens Millions of Hotel Room Locks

If you're staying at hotel, it might be a good idea to check the manufacturer of your door lock. A black hat hacker has unveiled a method that allows a fairly simple hardware gadget to unlock door locks manufactured by Onity.

Mozilla software developer Cody Brocious recently discovered two vulnerabilities within Onity's locks. Brocious was able to exploit said vulnerabilities with a device that cost him $50 to build. The schematics for the device are open source and available on the Web. Brocious will present his findings at the Black Hat Security Conference in Las Vegas on Tuesday night.

Onity tells PCWorld that it is aware of Brocious' work, but has declined to comment until it reviews additional information on the hack itself. (more)
 
Chilling thought...

Framing hotel staff for murder
"Given the ability to read the complete memory of the lock, it is possible to gain access to the master key card codes. With these -- in combination with the sitecode for encryption -- it is possible to create master cards which will gain access to locks at the property.

Let's look at a hypothetical situation:
• An attacker uses the before-mentioned vulnerabilities to read the memory of the lock
• Attacker uses the site-code and master key card codes to generate one or more master cards
• Attacker uses a master card to enter a room
• Attacker murders the victim in the room
• Attacker escapes

During the course of investigation, it's quite possible that the criminal investigators may look at the audit report for the lock, to see who entered the door at what time. Upon doing so, they will see a specific member of the staff (as the key cards are uniquely identified in the ident field) using a master key card to gain access to the room near the time of death.

Such circumstantial evidence, placing a staff member in the room at the time of death, could be damning in a murder trial, and at least would make that staff member a prime suspect. While other factors (e.g. closed circuit cameras, eyewitnesses, etc) could be used to support the staff member's case, there's no way we can know whether or not the audit report is false."
On the other hand... Brocious's work has just given hotel workers a "Get out of jail" card.

Info-leaks Topple CEO

The chief executive and chief operating officer of Nomura Holdings are stepping down to take responsibility for their company’s involvement in a series of leaks of inside information. 

Chief Executive Kenichi Watanabe
Chief Executive Kenichi Watanabe and Chief Operating Officer Takumi Shibata are planning to resign following admissions that Nomura salespeople allegedly gave information on share offerings to customers before it was public, a person familiar with their thinking said. (more)

FutureWatch - The End of Privacy, Contraband & Cancer?!?!

via gizmodo.com...
Hidden Government Scanners Will Instantly Know Everything About You From 164 Feet Away

Within the next year or two, the U.S. Department of Homeland Security will instantly know everything about your body, clothes, and luggage with a new laser-based molecular scanner fired from 164 feet (50 meters) away. From traces of drugs or gun powder on your clothes to what you had for breakfast to the adrenaline level in your body—agents will be able to get any information they want without even touching you.

And without you knowing it. The technology is so incredibly effective that...

...But the machine can sniff out a lot more than just explosives, chemicals and bioweapons. The company that invented it, Genia Photonics, says that its laser scanner technology is able to "penetrate clothing and many other organic materials and offers spectroscopic information, especially for materials that impact safety such as explosives and pharmacological substances."

...Genia Photonics has 30 patents on this technology, claiming incredible biomedical and industrial applications—from identifying individual cancer cells in a real-time scan of a patient, to detecting trace amounts of harmful chemicals in sensitive manufacturing processes. (more)

See What 6 Months of Your Phone Data Reveals

Green party politician Malte Spitz sued to have German telecoms giant Deutsche Telekom hand over six months of his phone data that he then made available to ZEIT ONLINE. We combined this geolocation data with information relating to his life as a politician, such as Twitter feeds, blog entries and websites, all of which is all freely available on the internet.

Click to enlarge.
By pushing the play button, you will set off on a trip through Malte Spitz's life. The speed controller allows you to adjust how fast you travel, the pause button will let you stop at interesting points. In addition, a calendar at the bottom shows when he was in a particular location and can be used to jump to a specific time period. Each column corresponds to one day. (more)

Wednesday, July 25, 2012

The Incredible Tale of the Spying Broken Heart Surgeon

A Connecticut heart surgeon has been ordered by a civil jury to pay $2 million to his ex-girlfriend after admitting to planting cameras in her home.

"And this year's award goes to..."
Dr. William V. Martinez, a divorced father of nine, admitted to planting surveillance cameras in the home of D'Anna Welsh, a physician's assistant at Hartford Hospital. He also said he planted a tracking device in her car.

The Hartford Courant reported Welsh and Martinez dated from sometime in 2001 to February 2007, when Martinez broke up with Welsh.

Later that year, a plumber discovered "suspicious" equipment embedded in a crawl space beneath the floor of Welsh's home. She first called the police. Then she called Martinez, who admitted to planting the equipment in her home.

"Martinez further admitted to [her] that he had been viewing video of her bedroom and that he had also been eavesdropping from his car via audio devices he installed in her home," says the civil complaint.

At the time Welsh did not press charges. However a year later, Martinez mentioned details of Welsh's life to her that he had no way of knowing about, leading her to believe he was still spying on her, the newspaper said.

Martinez was charged in criminal court with eavesdropping and voyeurism in 2008, and agreed to two years of accelerated rehabilitation.

Welsh, still uneasy, hired a security firm to sweep her home in January 2010, the newspaper said. She filed a civil suit against Martinez in July 2010 after the firm discovered a camera hidden inside her TV. (more)

New Mobile Malware Threat Revealed at Black Hat

Mobile malware is viewed as a growing threat, particularly on the Android platform. To protect Android users and prevent malicious applications from being uploaded to Google Play, Google created an automated malware scanning service called Bouncer.

At Black Hat, Nicholas Percoco and Sean Schulte, security researchers from Trustwave, will reveal a technique that allowed them to evade Bouncer's detection and keep a malicious app on Google Play for several weeks.

The initial app uploaded to Google Play was benign, but subsequent updates added malicious functionality to it, Percoco said. The end result was an app capable of stealing photos and contacts, forcing phones to visit Web sites and even launch denial-of-service attacks.

Percoco would not discuss the technique in detail ahead of the Black Hat presentation, but noted that it doesn't require any user interaction. The malicious app is no longer available for download on Google Play and no users were affected during the tests, Percoco said. (more) (more)