Ask the Consultant - Spycam Question Received this Week

"Have you ever been called upon by a client to check for unauthorized or hidden cameras?
And to that end, is there some technology available to security professionals (not what the Secret Service uses) that can identify wireless cameras?" 

Yes. The video voyeurism craze had prompted requests from corporate clients, country clubs, private schools and religious institutions (usually in response to an incident), and occasionally pro-actively, for due diligence purposes.

DIY detecting cameras in situ can be accomplished in several ways...

Spycam finds courtesy Murray Associates.

1. Physical inspection - If you know where a spycam is likely to be looking (bathroom, bedroom, office, etc.), stand there and do a 360º turn. The camera will be in your line-of-sight (take into account mirrors).
2. Look for the lens - This may be accomplished with this device, or with this app. Neither solution is 100% effective, however.
3. If the device is not recording internally, but broadcasting a FM radio-frequency signal, there are these detectors 1 2 . Neither solution is 100% effective, however.
4. If the camera is transmitting to the Internet via Wi-Fi (popular with the baby monitors), detection options 1 & 2 are the best bet for the amateur sleuth. A professional TSCM team will be able to conduct a Wi-Fi analysis to absolutely detect the transmitter.
5. Thermal imaging is also very effective for finding "live" cameras (as opposed to the battery powered ones that just snap photos upon sensing movement). This has become affordable this year with the introduction of this iPhone add-on.
6. Call us. In addition to Wi-Fi analysis, we also use Non-Linear Junction Detection (NLJD), more sensitive thermal imaging, and spectrum analysis detection techniques.

You may also want to read this.

by Kevin D. Murray CPP, CISM, CFE

...which left us wondering about the clowns in business and government who spy.

A new study finds that more Americans fear spying from corporations than the government (but only slightly). 

In total, 82 percent of Americans fear corporations, while 74 percent fear the government.

The data comes from a new Chapman University survey of everything that freaks Americans out. In addition to Internet fears, around 65 percent of Americans also fear public speaking — meaning that more Americans are concerned about Internet privacy than speaking in public.

Interesting, but unrelated: 20 percent of Americans are at least somewhat afraid of clowns. (more)

Why the IT Guy Can't Protect Your Information

• Most “computerized” information is available
  elsewhere long before it is put into a computer.
• Hacking is only one tool in the spy's kit.
• Data theft is the low-hanging fruit of the business
  espionage world. Pros use bucket trucks.
• Traditional spying is invisible. Hacking leaves trails.
  Result... IT guy gets budget. Company is still a sieve. 

Go Holistic
Close All Loopholes

Loophole 1: Information Generation
    People generate information. They talk, discuss, plan. The human voice contains the freshest information.
    Conduct Technical Surveillance Countermeasures (TSCM) inspections of offices, labs, conference and boardrooms on a scheduled basis. TSCM works.
Ford Motors found voice recorders hidden in seven of their conference rooms this summer.

Loophole 2: Information Transmission
    People communicate. They phone, fax, email, hold teleconferences — over LAN, Wi-Fi and cables.
    Traditional wiretapping and VoIP/Wi-Fi transmission intercepts are very effective spy tools. TSCM sweeps discover attacks.

Loophole 3: Information Storage
   People store information all over the place; in unlocked offices, desks, and file cabinets. Photocopiers store all print jobs in memory. TSCM surveys identify poor storage, and the perimeter security gaps which put storage at risk.

Loophole 4: Information Handling
    People control information. Educate them. Security briefings don’t have to be long and tedious. Establish basic rules and procedures. Enforce them.

    Effective information security requires a holistic protection plan. IT security is an important part of this plan, but it is only one door to your house of information.

by Kevin D. Murray CPP, CISM, CFE

Excellent Article on Web Surfing Privacy

The Best Browser Privacy Tools (That Don't Make Life More Difficult)

Watergate - Ben Bradley Dies at 93

Ben Bradlee, the former top editor of The Washington Post who oversaw the paper's coverage of the Watergate scandal, has died, the newspaper said Tuesday.
He was 93.

Yo, Jimmy. You know how to use this thing?

Newly released documents definitively show that local law enforcement in Washington, DC, possessed a cellular surveillance system—commonly known as a "stingray"—since 2003. 

However, these stingrays literally sat unused in a police vault for six years until officers were trained on the devices in early 2009.

"It's life imitating The Wire," Chris Soghoian, a staff technologist at the American Civil Liberties Union, told Ars. "There's an episode in Season 3 where [Detective Jimmy] McNulty finds a [stingray] that has been sitting on the shelf for a while." (more)

Traveling to China? Have an iPhone? Clear Your Cloud First

Chinese authorities just launched “a malicious attack on Apple” that could capture user names and passwords of anyone who logs into the iCloud from anywhere in the country, the well-respected censorship watchdog GreatFire.org reports. 

With that information, a hacker can view users contacts, photos, messages and personal information stored in the cloud.

China has an estimated 100 million iPhone users in China, and all of them could be vulnerable, GreatFire reports, thanks to a “man in the middle” attack that tricks users into believing they are logging into a secure connection, when they are actually logging into a Chinese government-controlled site instead. (more)

A Police Commander's Wife, Their Unlicensed PI Business and Spyware...

Woo-woo-woo-woo-woo-woo, nyunt, nyunt, nyunt!
A Monterey County woman was charged with wiretapping a police officer and possessing "illegal interception devices,” according to the Northern California District Attorney’s office. The District Attorney said that Kristin Nyunt, age 40, allegedly intercepted communications made by a police officer on his mobile phone.

Nyunt is the ex-wife of former Pacific Grove Police Commander John Nyunt, and she has already been sentenced to eight years and four months in prison after pleading guilty in July to five counts of identity theft, two counts of computer network fraud, one count of residential burglary, and two counts of forgery. 

In the latest charges [PDF], the District Attorney accused Nyunt of using illegal spyware including MobiStealth, StealthGenie, and mSpy to intercept "sensitive law enforcement communication” in real time. Nyunt allegedly placed the spyware on a police officer’s phone surreptitiously, although court documents do not detail how or why...

...between 2010 and 2012, Nyunt and her husband operated an unlicensed private investigator business called Nyunt Consulting and Investigative Services Corporation and used access to their customers’ devices and information to later commit identity theft. (more)

Staples Suspects Hackers - That Was Easy

Staples, the nation’s largest office supply retailer, said Monday it is investigating a "potential issue" involving credit card data at its stores.

Staples spokesman Mark Cautela said in an email that the retailer has contacted law enforcement to help with its investigation.

"We take the protection of customer information very seriously and are working to resolve the situation," Cautela said in an email. “If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis." (more) (now-hack-the button)

Business Phone VoIP Hack - Phreaking Expensive

Bob Foreman’s architecture firm ran up a $166,000 phone bill in a single weekend last March. But neither Mr. Foreman nor anyone else at his seven-person company was in the office at the time... (hackers) routed $166,000 worth of calls from the firm to premium-rate telephone numbers in Gambia, Somalia and the Maldives...

The scheme works this way, telecommunications fraud experts say: Hackers sign up to lease premium-rate phone numbers, often used for sexual-chat or psychic lines, from one of dozens of web-based services that charge dialers over $1 a minute and give the lessee a cut...

Hackers then break into a business’s phone system and make calls through it to their premium number, typically over a weekend, when nobody is there to notice. With high-speed computers, they can make hundreds of calls simultaneously, forwarding as many as 220 minutes’ worth of phone calls a minute to the pay line...

...telecom experts advise people to turn off call forwarding and set up strong passwords for their voice mail systems and for placing international calls. (more)

A Royal Sting Spybusting Trick You Can Use

Kate Middleton reportedly thinks that someone is keeping a close eye on the day-to-day happenings of the palace. 

The reports have suggested that there is an over enthusiastic photographer or someone who is getting to know all the royal secrets.

"Middleton's paranoid that someone inside the palace is leaking her secrets. It's her worst nightmare," a source told Life &Style magazine...

The report added that the royal couple is taking required step to have a very private life. "They're trying desperately to find out who's spying on them by giving out false information to different people. If any of that information comes out, they'll know who's responsible." (more)

Business Espionage via Crowd Sourcing

Crowd sourcing any part of your secret project can blow your cover and evaporate your competitive advantages. Take your marketing materials for example. Just requesting help on a crowd source web site can alert the competition to your plans.

via frankie.bz...
Two weeks ago I discovered through a crowd sourcing portal for graphic design that a competitor of my client is preparing to launch a whole new product line. They where pitching for a “name” and “logo design” for a range of products.

I informed my client about the pitch and ask them if they knew something about the new product line. They didn’t and neither did the market – a scoop so to say. The information in the pitch was valuable to my client since it contained a very good description about the features of the new product line and when it will be launched. Therefore the client informed its sales force and they are now prepared to answer questions of their clients.

What can we learn from this experience?

• Do not crowd source design of “secret” products – especially if the pitch can be seen without any registration
• Do not describe your product in the project brief – send the description to an interested designer after he has signed a non disclosure agreement
• Do not link directly to your competitors site – I’ve found out about the pitch because I’ve seen hundreds of visitors coming from a non-industry related site
• Do prohibit your employees to blog, twitter, Facebook about a new product
• Use a project code name that does not relate to your industry or product
• Do not use Cloud-Services for your product development - unless you are sure that none of the information can be made available to the public

How can you use crowd sourcing and the internet for spying on your competitors?

• Visit crowd sourcing portals on a regular basis and search for projects related to your industry and competitors
• Use Google Alerts not only to monitor the web activity of your firm and brands, but also of your competitors
• Use crowd sourcing traditionally by letting the crowd search through social networks, forums and the web for information about your competitors
• Sign up and monitor the support forums of your main competitors (if they have one). If they don’t have one try to open a user-to-user support forum for your competitors products – and see what happens.

1958 - The Hollow Coin Spy Case

CIA Archives: The Hollow Coin - Espionage Case of Rudolf Abel (1958) 

Vilyam (Willie) Genrikhovich (August) Fisher (Вильям Генрихович Фишер) (July 11, 1903 — November 16, 1971) was a noted Soviet intelligence officer. He is generally better known by the alias Rudolf Abel, which he adopted on his arrest. His last name is sometimes given as Fischer; his patronymic is sometimes less exactly transliterated as Genrikovich. 

The Hollow Nickel Case (also known as The Hollow Coin), refers to the method that the Soviet Union spy Vilyam Genrikhovich Fisher (aka Rudolph Ivanovich Abel) used to exchange information between himself and his contacts, including Mikhail Nikolaevich Svirin and Reino Häyhänen. 

On June 22, 1953, a newspaper boy (fourteen-year-old newsie Jimmy Bozart), collecting for the Brooklyn Eagle, at an apartment building at 3403 Foster Avenue in Brooklyn, New York, was paid with a nickel (U.S. five cent piece) that felt too light to him. When he dropped it on the ground, it popped open and contained microfilm inside. The microfilm contained a series of numbers. 

He told the daughter of a New York City Police Department officer, that officer told a detective who in two days told an FBI agent about the strange nickel. After the FBI obtained the nickel and the microfilm, they tried to find out where the nickel had come from and what the numbers meant...

Chinese Phone Turns Smart Spy

China-based leading smartphone manufacturer Xiaomi, which recently marked a successful entry into the Indian market, is allegedly a security threat. It has been accused by the Indian Air Force (IAF) of sending user data to remote servers located in China -- a charge that amounts to spying...

Xiaomi MI Hongmi 1280x720 MIUI V5

Field Reports

• F-secure, a leading security solution company, recently carried out a test of Xiaomi Redmi 1s, the company’s budget smartphone, and found that the phone was forwarding carrier name, phone number, IMEI (the device identifier) and numbers from address book and text messages back to Beijing.

• A Hong Kong-based mobile phone user claims to have tested the Redmi Note smartphone and found it was automatically connected to an IP address hosted in China. The data transmitted included photo in media storage and text messages also.

According to the PhoneArena report, looking up the website of the company owning the IP address in the range 42.62.48.0-42.62.48.255 reveals that the website owner is www.cnnic.cn. CNNIC is the administrative agency responsible for Internet affairs under the Ministry of Information Industry of People’s Republic of China. It is based in the Zhongguancun hi-tech district of Beijing.

Therefore, the IAF in its alert to all of its Commands has stated that air warriors and their family members are advised to refrain from using these devices. (more)

Privacy Rights Fact Sheets

Privacy Fact Sheets

via The Privacy Rights Clearinghouse

1.	Privacy Survival Guide: Take Control of Your Personal Information
2.	Wireless Communications: Voice and Data Privacy
2a.	Hang Up on Harassment: Dealing with Cellular Phone Abuse
2b.	Privacy in the Age of the Smartphone
3.	How to Put an End to Unwanted or Harassing Phone Calls
4.	Junk Mail: How Did They All Get My Address?
4a.	"Shine the Light" on Marketers: Find Out How They Know Your Name
4b.	Junk Mail FAQ
5.	Telemarketing: How to Have a Quiet Evening at Home
5a.	Junk Faxes: No Relief in Sight
5b.	Frequently Asked Questions about Telemarketing
6.	Credit Reporting Basics: How Private Is My Credit Report?
6a.	Facts on FACTA, the Fair and Accurate Credit Transactions Act
6b.	"Other" Consumer Reports: What You Should Know about "Specialty" Reports
6c.	Your Credit Score: How It All Adds Up
7.	Workplace Privacy and Employee Monitoring
8.	Introduction to Health and Medical Information Privacy
8a.	Health Privacy: HIPAA Basics
8b.	The HIPAA Privacy Rule: How May Covered Entities Use and Disclose Health Information
8c.	The HIPAA Privacy Rule: Patients' Rights
8d.	Protecting Health Information: the HIPAA Security and Breach Notification Rules
8e.	Health Privacy outside the Healthcare Environment: Health Records on the Job, Available to the Government, and in Credit Reports
9.	Wiretapping and Eavesdropping on Telephone Calls
10.	My Social Security Number - How Secure Is It?
10a.	Social Security Numbers FAQ
11.	From Cradle to Grave: Government Records and Your Privacy
12.	Checklist of Responsible Information-Handling Practices
12a.	Personal Data Retention and Destruction Plan
14.	Are You Being Stalked?
14a.	Security Recommendations For Stalking Victims
15.	What Personal Information Should You Give to Merchants?
16.	Employment Background Checks: A Jobseeker's Guide
16a.	Employment Background Checks in California: A Focus on Accuracy
16b.	Small Business Owner Background Check Guide
16c.	FAQ on Employment Background Checks
16d.	Volunteer Background Checks: Giving Back Without Giving Up on Privacy
17.	Coping with Identity Theft: Reducing the Risk of Fraud
17a.	Identity Theft: What to Do if It Happens to You
17b.	How to Deal with a Security Breach
17d.	Frequently Asked Questions about Identity Theft
17g.	Criminal Identity Theft: What to Do if It Happens to You
18.	Online Privacy: Using the Internet Safely
18a.	Online Privacy FAQ
19.	Caller ID and My Privacy
20.	Anti-Spam Resources
21.	Children’s Online Privacy: A Resource Guide for Parents
21a.	Children's Safety on the Internet
22.	Electricity and Your Privacy: Deregulation in California
23.	Online Shopping Tips: E-Commerce and You
24.	Protecting Financial Privacy: The Burden Is on You
24a.	Financial Privacy: How to Read Your "Opt-Out" Notices
24d.	Financial Privacy FAQ
24e.	Is Your Financial Information Safe?
25.	Privacy Tips for Online Job Seekers
25a.	Avoiding Online Job Scams
26.	CLUE and You: How Insurers Size You Up
27.	Debt Collection Practices: When Hardball Tactics Go Too Far
27a.	Frequently Asked Questions about Debt Collection
28.	Online Privacy for Nonprofits
29.	Privacy in Education: Guide for Parents and Adult-Age Students
30.	Check 21: Paperless Banking
31.	Customer Identification Programs for Financial Transactions
32.	Paper or Plastic: What Have You Got to Lose?
33.	Identity Theft Monitoring Services
34.	Protecting Your Telephone Records: Does Your Carrier’s Privacy Policy Ring True?
35.	Social Networking Privacy: How to be Safe, Secure and Social
36.	Securing Your Computer to Maintain Your Privacy
37.	The Perils and Pitfalls of Online Dating: How to Protect Yourself
38.	A Renter’s Guide to Privacy: What to Know Before You Sign the Lease, While You Rent, and When You Move Out
39.	Mobile Health and Fitness Apps: What Are the Privacy Risks?
40.	Bring Your Own Device . . . at Your Own Risk
41.	Data Brokers and Your Privacy

California Medical Privacy Series

C1.	Medical Privacy Basics for Californians
C2.	How Is Your Medical Information Used and Disclosed -- With and Without Consent?
C3.	Your Medical Information and Your Rights
C4.	Your Prescriptions and Your Privacy
C5.	Employment and Your Medical Privacy
C6.	Health Information Exchange: Is Your Privacy Protected?
C7.	Personal Health Records and Privacy
C8.	Medical Information Covered by Laws Other than HIPAA
C9.	Beyond the Doctor's Office: privacy laws may apply in situations you haven't considered.
C10.	The "Gray Areas": Is Your Health Privacy Protected?