How a Slight Movement Can ID Your Smartphone

One afternoon, security researcher Hristo Bojinov placed his Galaxy Nexus phone face up on the table in a cramped Palo Alto conference room. Then he flipped it over and waited another beat. And that was it. In a matter of seconds, the device had given up its "fingerprints."

Code running on the website in the device's mobile browser measured the tiniest defects in the device's accelerometer — the sensor that tracks movement — producing a unique set of numbers that advertisers could exploit to identify and track most modern smartphones.

The accelerometer enables, among other things, the browser to shift from landscape to vertical as a user tilts the phone. It turns out every accelerometer is predictably imperfect, and slight differences in the readings can be used to produce a fingerprint. Marketers could use the ID the same way they use cookies — the small files that download from websites to desktops — to identify particular users, monitor their online actions and target ads accordingly.

It's a novel approach that raises a new set of privacy concerns: Users couldn't delete the ID like browser cookies, couldn't mask it by adjusting app privacy preferences — and wouldn't even know their device had been tagged. (more)

When Paranoids Collide they Blow the Whistle on Tea Kettles

Customs agents in Russia found tea kettles and irons bugged with tiny Spyware chips that exploit WiFi connections, reports a local news outlet coming out of St. Petersburg.

According to Gizmodo, the microchips are capable of spreading spam and malware to WiFi-enabled devices within 200 meters.  Specific details of the dodgy shipments remain shady...

Simon Sharwood of The Register reports that it is indeed possible to build a spambot small enough to fit inside of a kettle, as the necessary components are small and cheap enough...

One question remains unanswered, however: why would China send bugged tea kettles to spy on the ordinary tea-drinkers of Russia?

Gizmodo suggests that perhaps local authorities were mistaken about their findings, pointing out that WiFi tea kettles already exist.

Business Insider speculates that if the kettles are bugged, it could very well be a test for larger operations to plant such microchips.

We'll let you weave your own intricate conspiracy theory. (more)

Last Week on Halloween

This Judge is a Surveillance Expert. He has Cred.

James G. Carr ’62, a senior judge on the U.S. District Court for the Northern District of Ohio and a former member of the Foreign Intelligence Surveillance Court (FISC), described the process through which the federal government conducts electronic surveillance and railed against National Security Agency (NSA) whistleblower Edward Snowden in a talk in the Gund Gallery’s Community Foundation Theater...

Carr told his audience “every one of us in this room probably has been overheard under a FISA warrant... It’s a general search,” Carr said, “that which the Fourth Amendment most directly and most clearly, unequivocally prohibits. Nobody can dispute that.”...

In July, Carr wrote an op-ed in The New York Times calling for Congress to reform the court. He suggested judges be allowed to appoint outside lawyers to “represent the interests of the Constitution and the public” in cases where a novel issue, such as new surveillance technology, is present in the warrant application. Government agents are required to inform the court if their application raises that kind of issue...

Carr had harsh words for Edward Snowden, the former NSA contractor who provided documents about NSA surveillance procedures to journalists before fleeing to Hong Kong and then Russia. He asked audience members how many of them thought Snowden’s actions were worthwhile, and upon seeing hands raise, said, “I want to try and disabuse you of that view.”

Snowden, he said, had been “in the hands of the Chinese and the Russians for months, and if anybody in this room thinks for a moment that they don’t know everything he learned … c’mon now.” 

The NSA, Carr said, “does a crucially important job,” whereas Snowden, whom he mockingly called “the great American patriot,” had done “irredeemable” damage.

In the Q & A after the talk, one student asked Carr, “Why bother protecting our lives if you don’t first protect our rights?” Carr responded, “Because if we have no lives, we have no rights.” (more)

Why is Carr the expert? 
Because he wrote the book. (more)

10 Most Audacious Eavesdropping Plots

Operation Ivy Bells
At the height of the cold war, the National Security Agency, CIA and the US Navy collaborated to tap into underwater communication lines used by the Soviet Union. 

Operation Stopwatch
This joint operation between the CIA and the British Secret Intelligence Service was again an attempt to tap into communications by the Soviet Military.

The Cambridge Spies
Rather than relying on modern eavesdropping, this operation used old fashioned infiltration.

Click to enlarge.

The Gunman Project
During 1976, the KGB managed to install miniaturized eavesdropping equipment and transmitters inside 16 IBM Selectric Typewriters used by staff at the US embassy in Moscow and consulate in Leningrad. 

The Bundesnachrichtendienst Trojan Horse Affair
Germany may have been the victim off NSA eavesdropping, but its own Federal Intelligence Service, the Bundesnachrichtendienst, has also engaged in such activities.

The MI6 Spy Rock
In a modern version of the dead letter drop, British spies working out of the embassy in Russia used a transmitter concealed in an artificial rock to pass classified data. 

Acoustic Kitty
Acoustic Kitty was a top secret 1960s CIA project attempting to use cats in spy missions, intended to spy on the Kremlin and Soviet embassies. (more)

Moles in Berlin

In 1956, American and British agents tunneled into East German territory in order to tap a telephone line. This allowed them to eavesdrop on important conversations between Red Army leaders and the KGB. A segment of the tunnel can now be visited. (more)

U2
An international diplomatic crisis erupted in May 1960 when the Union of Soviet Socialist Republics (USSR) shot down an American U-2 spy plane in Soviet air space and captured its pilot, Francis Gary Powers. Confronted with the evidence of his nation's espionage, President Dwight D. Eisenhower was forced to admit to the Soviets that the U.S. Central Intelligence Agency (CIA) had been flying spy missions over the USSR for several years. (more)

Animal Spies
A former CIA trainer reveals, the U.S. government deployed nonhuman operatives—ravens, pigeons, even cats—to spy on cold war adversaries. “We never found an animal we could not train.” (more)

What Corporations Can Learn from the Vatican

Contrary to a widely circulated report, the US National Security Agency (NSA) could not have eavesdropped on the conclave that elected Pope Francis, a veteran Vatican journalist has reported.

Andrea Tornielli of La Stampa writes that the Vatican had deployed sophisticated anti-bugging technology in the Sistine Chapel and throughout the apostolic palace in the days leading up to the conclave. The anti-bugging measures were already in place during the general congregations at which cardinals exchanged ideas prior to the opening of the conclave. Reporters who were in the building testified that internet connections were interrupted and cell-phone signals lost when the system was activated. 

Vatican security experts take pride in their ability to foil espionage, Tornielli reports. (more)

Can a Perv Skirt Privacy Laws by Raising The First Amendment?

MA - An Andover man is hoping to slip past the law by arguing women in skirts are taking a chance when they ride the T (Boston's transit system) because there’s no guarantee of privacy. 

Michael Robertson is appealing to the state’s highest court saying he didn’t commit a crime when he allegedly tried to take cellphone photos up women’s dresses on the Green Line in August 2010.

That “up-skirt” case included an undercover transit cop and another T passenger. The 31-year-old now faces more than two years in jail if convicted of two counts of photographing an unsuspecting nude or partially nude person.

His lawyer argues it’s the outdated law that’s in the wrong — not her (sic) client — and other photographers could have their First Amendment rights trampled, too. (more)

Music to Spy By

via Jason Whiton, SpyVibe.blogspot.com...The UK distributor, Network (the "Criterion Collection" of retro TV/Film), has been tempting us for some time with news of upcoming remastered vinyl soundtracks from spy shows like The Prisoner, Department S, and The Saint. Some lucky collectors in Britain even had a chance to pick up a limited-edition EP of spy tunes during the last Record Store Day.

From Network's On Air newsletter: "It’s a measure of the quality of the music from these series that it can be enjoyed outside of the context of the programmes themselves, as our previous soundtrack releases on CD have demonstrated. 

Now, with the resurgence of interest in that formerly archaic artefact the LP record, we’re proud to present the first in a series of brand-new audiophile releases on 180g virgin vinyl. 

Although high-quality masters were already available from the CD releases, we have returned to the original analogue tapes which have been mastered afresh for vinyl to take advantage of the format’s more subtle dynamic range. Mastering and vinyl cutting have been supervised by one of the very best in the business – Ray Staff of AIR Studios – ensuring that these tracks have never sounded so good since they went down onto tape in the late 1960s." (more)

High School Football Spying?!?! - Four Destrehan Coaches Accused

LA - Five people, including four Destrehan High School assistant football coaches, were booked with unauthorized use of intellectual property Wednesday after they allegedly used a leaked computer password to get a sneak peek at the game plan of their upcoming opponent, South Lafourche. 

Others could still be charged, said Brennan Matherne, public information officer for the Lafourche Parish Sheriff’s Office...

The criminal charges are the latest fallout stemming from an incident in which the coaches allegedly used computers to spy on South Lafourche’s football practices last week.

The scandal already has resulted in a forfeit for Destrehan and sanctions for the coaches involved. (more)

Encryptor's Unite! - From Those Wonderful Folks Who Brought You Lavabit & Silent Circle

Our Mission - To bring the world our unique end-to-end encrypted protocol and architecture that is the 'next-generation' of private and secure email.

As founding partners of The Dark Mail Alliance, both Silent Circle and Lavabit will work to bring other members into the alliance, assist them in implementing the new protocol and jointly work to proliferate the worlds first end-to-end encrypted 'Email 3.0' throughout the world's email providers. 

Our goal is to open source the protocol and architecture and help others implement this new technology to address privacy concerns against surveillance and back door threats of any kind. (more)

In the Days Before Spread Spectrum Communications - Spread Wings Communications

Read all about America's secure communications laboratory, just miles from the Countermeasures Compound, in Ft. Monmouth, NJ... (more)

Mobile Phone Use a Significant Security Risk for Companies

New research suggests that companies are leaving themselves open to potentially serious security and legal risks by employees’ improper use of corporate mobile devices.

Buy them the Cone of Silence.

Experts from the University of Glasgow looked at a sample of mobile phones returned by the employees from one Fortune 500 company and found that they were able to retrieve large amounts of sensitive corporate and personal information. The loss of data such as this has potential security risks, inviting breaches on both an individual and corporate level.

A University of Glasgow release reports that the data yielded by this study on thirty-two handsets included a number of items that could potentially cause significant security risks and, lead to the leakage of valuable intellectual property or exposed the company to legal conflicts. (more)

Kremlin Alledegly Slipped Spy Gadgets into G20 Summit Gift Bags

Russian hosts of the Group of 20 summit near St. Petersburg in September sent world leaders home with gifts designed to keep on giving: memory sticks and recharging cables programmed to spy on their communications, two Italian newspapers reported Tuesday.

A Kremlin spokesman denied the allegations reported by Il Corriere della Sera and La Stampa, both of which attributed their stories to findings of technical investigations ordered by the president of the European Council and carried out by German intelligence.

The USB thumb drives marked with the Russia G20 logo and the three-pronged European phone chargers were "a poisoned gift" from Russian President Vladimir Putin, Turin-based La Stampa said in its report.

“They were Trojan horses designed to obtain information from computers and cellphones,” the paper said.

The bugging devices were included in gift bags given to all delegates who attended the Sept. 5-6 summit at the palace in Stelna, outside of St. Petersburg, the newspapers said. (more)

Too obvious to be true? 
You decide.

Do You Have an IT Spy Guy?

Two tales to get you thinking...

Old tech equipment rarely dies, it just finds a new home -- and sometimes, that home is with your IT employees... The problem with taking equipment bound for the scrap heap or the recycling bin is that it often still contains sensitive data, which if lost could result in massive liability for the company that owns the equipment. Think... It is more than just theft, much more.

"There are no secrets for IT," says Pierluigi Stella, CTO for managed security service provider Network Box USA. "I can run a sniffer on my firewall and see every single packet that comes in and out of a specific computer. I can see what people write in their messages, where they go to on the Internet, what they post on Facebook. In fact, only ethics keep IT people from misusing and abusing this power. Think of it as having a mini-NSA in your office." Also think... "The scariest thing is that the same people who present the greatest risk are often the very people who approve access." (more)

Business Espionage in America - We Lose More Than We Take in Taxes

The United States has known for sometime that it has been victimized by economic espionage mounted by other countries, especially China and Russia. According to a counterintelligence expert hired by companies to help them counter this threat, the toll for these crimes is far, far higher than what has been officially reported.

Economic espionage represents “the greatest transfer of wealth in history,” said General Keith Alexander, NSA director and commander of U.S. Cyber Command, at the American Enterprise Institute in 2012...

Due to the nature of the business, it is often difficult to place solid numbers on the cost of economic espionage. To protect their investors, companies rarely want to announce breaches by spies or hackers to the public, and government agents often find gathering enough evidence to charge an insider with espionage difficult.

The lack of transparency on economic espionage makes it a difficult problem to tackle.

The FBI estimates that economic espionage costs the U.S. $13 billion a year, yet their numbers are based only on current FBI cases where spies have been caught and charged. It does not include the majority of theft that was not reported, or the scale of breaches that are unknown to the companies...

During his speech, General Alexander said investigations by the FBI and other agencies find that for every company that detects a cyberattack there are 100 others that are unknowingly being hacked...

Nonetheless, U.S. companies are still largely on their own when it comes to defending against economic espionage, and the threat is very real. When the “Economic Espionage Penalty Enhancement Act of 2011″ was passed, former U.S. Senator Herb Kohl said in a press release “As much as 80 percent of the assets of today’s companies are intangible trade secrets.” (more)

You don't have to be on your own. Help is available. Call me.