Numbers on corporate espionage are hard to come by. The Germans recently estimated that they lose around $69 billion to foreign business spies every year, but—at best—that’s basically just a piece of well-informed speculation.
The main problem with getting an exact fix on these figures is that they’re impossible to prove, because the nature of espionage generally relies on keeping stuff secret. It’s difficult to track the exchange of information, for instance, when it involves murmuring something at the sauna, or handing over a USB stick in a multi-level parking garage. And like a rigged sports game or steroid usage, it’s not something we’re in the mood to wake up to until it’s 100 percent, incontrovertibly there—an arsenal of smoking guns right under our noses.
“[Worrying about corporate espionage] very quickly becomes a matter of paranoia,” says Crispin Sturrock, who’s been running WhiteRock—a firm of anti-espionage specialists—for more than 20 years. “There’s a very British tendency to want to shake it off. To say, ‘Oh, I must be being paranoid.’ And, of course, just to be paranoid doesn’t necessarily make you wrong.” (more)
ISM Bugging Out
The revelation this week that the International Spy Museum would be once again hitting the pavement in search of a new home got us thinking: Where else in the District might work for the popular museum? (more)
ISIS Changing Name
During the premiere episode of the sixth season of Archer,
FX’s outrageously funny animated spy series, spy matriarch Malory
Archer is seen speaking on the phone with her juvenile,
coddled son. In the background, you can see two movers rolling out a
large, circular blue ISIS sign... for the past five seasons,
ISIS (International Secret Intelligence Service) has been the name for
the underground, non-government approved, New York City-based spy
organization at the heart of the show. In light of recent events,
however, creator Adam
Reed along with executive producers Matt Thompson and Casey Willis—made
a decision to quietly eliminate the acronym from their show. (more)
HHSC Wants Blimpies
Rep. Michael McCaul,
chairman of the House Homeland Security Committee, said Friday that he
wants to redeploy U.S. military spy blimps in Afghanistan to America’s
southern border. (more) Poop on them if they don't know about this. (more)
Former NSA Head Said
“Our data’s in there (NSA databases), my data’s in there. If I talk to an Al Qaeda operative, the chances of my data being looked at is really good, so I try not to do that. If you don’t want to you shouldn’t either,” he told MIRcon delegates. (more)
Phone and internet users should be worried about big commercial companies, rather than intelligence agencies obtaining and sharing their private data, Government Communications Headquarters (GCHQ) Director Sir Iain Lobban said in an interview with the Telegraph.
"Look, who has the info on you? It's the commercial companies, not us, who know everything – a massive sharing of data," Lobban was quoted as saying by the newspaper on Friday.
"The other day I bought a watch for my wife. Soon there were lots of pop-up watches advertising themselves on our computer, and she complained," the GCHQ director added. (more)
via Lauren Weinstein...
"Microsoft collects information about you, your devices, applications
and networks, and your use of those devices, applications and
networks. Examples of data we collect include your name, email
address, preferences and interests; browsing, search and file history;
phone call and SMS data; device configuration and sensor data; and
application usage."
"If you open a file, we may collect information about the file, the
application used to open the file, and how long it takes any use
[of]it for purposes such as improving performance, or [if you]enter
text, we may collect typed characters, we may collect typed characters
and use them for purposes such as improving autocomplete and spell
check features." (more)
"Such as" implies more than just two examples.
Federal officials announced the arrest of the maker of a popular smartphone app marketed as a tool for catching cheating spouses by eavesdropping on their calls and tracking their locations — a technology critics have dubbed “stalker apps.”
In the first prosecution of its kind, federal officials said that StealthGenie violated the law by offering the ability to secretly monitor phone calls and other communications in almost real time, something typically legal only for law enforcement. The arrest comes as the market for surveillance software has grown so big that Web sites rank such apps on their price, features and even customer service...
The chief executive of the company that makes StealthGenie, Hammad Akbar, 31, of Lahore, Pakistan, was arrested in Los Angeles on Saturday, according to a news release from the Justice Department...
Court filings suggest that Akbar has contended that any legal issues were limited to the users of SmartGenie, not its maker. “When the customer buys the product, they assume all responsibility,” he wrote in a 2011 e-mail, court filings show. “We do not need to describe the legal issues.”
Efforts to reach Akbar’s attorney, based in Los Angeles, were not successful. (more)
FutureWatch - Will he pull the "primarily useful" card from the deck? This is what many audio eavesdropping gadget manufacturers used in the past to evade the law.
"Hey, its a baby monitor."... that can hear through concrete walls.
...two independent security researchers, who
declined to name their employer, say that publicly releasing the USB
attack code will allow penetration testers to use the technique, all the
better to prove to their clients that USBs are nearly impossible to
secure in their current form. And they also argue that making a working
exploit available is the only way to pressure USB makers to change the
tiny devices’ fundamentally broken security scheme. (more)
Plenty of people dream about quitting their day job, buying that fixer-upper farmhouse, and opening a bed-and-breakfast. Those B&B owners seem so happy. Well, everything isn’t quite as idyllic as it seems. We got one set of innkeepers — “Bob and Emily” — to anonymously spill the beans on what really happens behind those perfectly painted shutters.
This week. Bob and Emliy reveal the sordid side of running an inn. Here are some things you probably don’t want to know the next time you check into that seemingly quaint country B&B. (more)
A Department of Justice proposal to amend Rule 41 of the Federal Rules of Criminal Procedure would make it easier for domestic law enforcement to hack into computers of people attempting to protect their anonymity on the Internet. The DOJ has explicitly stated that the amendment is not meant to give courts the power to issue warrants that authorize searches in foreign countries—but the practical reality of the underlying technology means doing so is almost unavoidable...
As for extraterritorial hacking, the DOJ commentary explicitly states that the proposal does not seek power to extend search authority beyond the United States:
- In light of the presumption against international extraterritorial application, and consistent with the existing language of Rule 41(b)(3), this amendment does not purport to authorize courts to issue warrants that authorize the search of electronic storage media located in a foreign country or countries. AUSA Mythili Raman, Letter to Committee.
Yet the commentary also articulates a standard of searches that “are within the United States or where the location of the electronic media is unknown....
The latter standard seems to be a significant loophole in the DOJ’s own formulation of the approach, particularly given the global nature of the Internet. For instance, over 85% of computers directly connecting to the Tor network are located outside the United States. (more)
Beijing authorities have initiated a ban on all secret surveillance equipment in the city amid increasing pressure from the central government to crack down on spying activities.
The decision was issued jointly by the city's Administration for Industry and Commerce, Beijing Municipal Public Security Bureau and Beijing National Security Bureau, which added that purchases of these devices–such as surreptitious cameras installed in glasses or walking sticks to secretly record photos or videos of people in bathrooms and changing rooms–could lead to serious criminal liability...
Chinese media outlets reported that the majority of buyers are private detectives and investigators, debt collectors and lawyers looking to collect evidence for their cases. There have so far been 91 official investigations into illegal surveillance in Beijing this year. (more)
* Except their own, we presume.
The National Security Agency has some of the brightest minds... But a new chat program designed by a middle-school dropout in his spare time may turn out to be one of the best solutions to thwart those efforts...
John Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client...
“Ricochet is idiot-proof and anonymous.” (more)
A team of researchers from Stanford University and the University of California, Berkeley, has created prototype radio-on-a-chip communications devices that are powered by ambient radio waves. Comprising receiving and transmitting antennas and a central processor, the completely self-contained ant-sized devices are very cheap to manufacture, don't require batteries to run and could give the "Internet of Things" (IoT) a serious kick start.
(more)
Let's just call it "Spy Dust".
A Metasploit module has been developed to easily exploit a dangerous flaw in 75 percent of Android devices that allows attackers to hijack a users' open websites...
Tod Beardsley, a developer for the Metasploit security toolkit dubbed the "major" flaw a "privacy disaster".
"What this means is any arbitrary website - say, one controlled by a spammer or a spy - can peek into the contents of any other web page," Beardsley said.
"[If] you went to an attackers site while you had your web mail open in another window, the attacker could scrape your email data and see what your browser sees.
"Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write web mail on your behalf." (more)
Solution: Use a Firefox or Chrome browser.
... unless you are using them.
The Pwn
Plug Academic Edition is the Industry’s First
Enterprise Penetration Testing Drop Box
- Wireless (802.11b/g/n) high gain Bluetooth & USB Ethernet
adapters
- Fully-automated NAC/802.1x/Radius bypass
- One-click EvilAP, stealth mode & passive recon
The Pwn Plug Academic Edition acts as a penetration testing drop
box that covers most of a full-scale pentesting engagement, from
physical-layer to application layer. The Pwn Plug Academic Edition
is controlled through a simple web-based administration and comes
preloaded with an array of penetration testing tools and Wireless,
Bluetooth, and USB Ethernet adapters.
The Pwn
Plug R3 is a next-generation penetration testing
device in a portable, shippable, “Plug-and-Pwn” form factor.
- Onboard high-gain 802.11a/b/g/n wireless
- Onboard Bluetooth
- External 4G/GSM cellular
- Greatly improved performance and reliability
The Pwn Plug R3 is a next-generation penetration testing device
in a portable, shippable, “Plug-and-Pwn” form factor. With onboard
high-gain 802.11a/b/g/n wireless, onboard Bluetooth, external
4G/GSM cellular, ruggedized case design, and greatly improved
performance and reliability, the Pwn Plug R3 is the enterprise
penetration tester’s dream tool.
The MiniPwner
The MiniPwner
is described as a penetration testing “drop box”. You (or maybe a
cleaner you’ve bribed) needs to plug it into an Ethernet plug in
the target’s building, and then you can slurp all the data out of
their network via a wifi link.
The penetration tester uses stealth or social engineering
techniques to plug the MiniPwner into an available network port.
(common locations include conference rooms, unoccupied
workstations, the back of IP Telephones, etc.)
Once it is plugged in, the penetration tester can log into the
MiniPwner and begin scanning and attacking the network. The MiniPwner can
simultaneously establish SSH tunnels through the target network,
and also allow the penetration tester to connect to the MiniPwner
via Wifi.
WiFi
Pineapple Mark V
Slightly larger than a smartphone the WiFi Pine-apple Mark V is
the “ultimate” cyber surveillance device. It uses an “intuitive”
web interface to enable hackers to break into a corporate’s IT
networks through its wifi connections. It costs $100.
USB Switchblade
The goal of the USB Switchblade is to silently recover information
from a target Windows 2000 or higher computer, including password
hashes, LSA secrets, IP information, etc.
A gadget that looks like a USB stick has a
program that swings into action when it’s inserted into the USB
drive and can then begin its naughty work without the user knowing
it by exploiting a flaw in USB autorun settings. How about
dropping it in the car park of your target’s offices, seeing if
someone will pick it up and plug it in to see what’s on it…
USB
8GB Flash Drive Cufflinks
The thing
about these is that the bad guy can carry a load of malware, ready
for use at any time. These go for less than $50. Easy to smuggle
in.
The
Rubber Ducky
The Rubber Ducky is becoming the “field-weapon of choice” for
cyber spies. It’s the size of a normal USB stick but when you plug
it in to a PC it pretends to be a keyboard and starts ‘typing’
away, possibly trying to break into systems or maybe stealing
passwords. If you get a few seconds alone with someone’s phone
you can get an adapter to plug it in and maybe hack that too. (The last five items courtesy of Financial News.)
MEMS gyroscopes found on modern smart phones are sufficiently sensitive to measure acoustic signals in the vicinity of the phone. The resulting signals contain only very low-frequency information (< 200 Hz). Nevertheless we show, using signal processing and machine learning, that this information is sufficient to identify speaker information and even parse speech.
Since iOS and Android require no special permissions to access the gyro, our results show that apps and active web content that cannot access the microphone can nevertheless eavesdrop on speech in the vicinity of the phone. (more)
Your information assets have never been more crucial, more valuable, or more at risk. This is why information security is becoming a crucial business priority in many organizations. Moreover, complying with (international) information standards and guidelines (such as the NIST Handbook, ISO 17799, CobiT, and ITIL Security Management) is becoming a hot issue worldwide.
This unique distance learning course provides you with vital information for developing or reviewing your information security management framework. The course will help you determine the levels of risk your organization is facing and the steps you will need to take to provide adequate protection.
The course will be of particular benefit to:
- CIOs, CISOs and anyone who has direct line responsibility for information security
- Business Continuity Planners, Asset Managers, Risk Managers
- Legal Advisors and Corporate Security Consultants
- Company Secretaries, Finance Directors and Auditors (more)
