Wednesday, August 26, 2015

TSMC Needs TSCM

Earlier this year, we covered the case of Liang Mong-song, a former TSMC engineer who stood unofficially accused of corporate espionage. Not long after we wrote the story, TSMC elected to file a lawsuit against Mong-song, and the Taiwan Supreme Court has now ruled in favor of the foundry company and against the engineer. Mong-song left TSMC and went to Samsung, not long before Samsung’s foundry plans took a significant leap forward. more

Number of Phones Infected by Dendroid Spying App Remains Unknown

An American student who hoped to sell enough malicious software to infect 450,000 Google Android smartphones pleaded guilty to a law meant to prevent hacking of phones and computers...

Infected phones could be remotely controlled by others and used to spy and secretly take pictures without the phone owner's knowledge, as well as to record calls, intercept text messages and otherwise steal information the owners downloaded on the devices...

Morgan Culbertson expected each person who bought Dendroid would be able to infect about 1500 phones with it, or 300,000 and 450,000 phones total. more

Illinois Law Allows Nursing Home Residents to Install Surveillance Equipment

Illinois Gov. Bruce Rauner signed legislation Aug. 21 supporters say will help prevent abuse and neglect of nursing home residents. The Authorized Electronic Monitoring in Long-Term Care Facilities Act allows nursing home residents to install audio and video surveillance equipment in their rooms.

Residents and their roommates must consent to having video or audio recording devices installed. The act allows legal guardians and family members to give consent for residents, if a physician determines a resident is incapable of doing so. Consent can be withdrawn at any time by residents or their roommates. more

Panel Upholds Christensen’s Conviction on Eavesdropping Charges

The Ninth U.S. Circuit Court of Appeals yesterday affirmed former powerhouse Los Angeles lawyer Terry N. Christensen’s conviction on charges of illegal eavesdropping and conspiracy.

Christensen—who practiced law in Los Angeles for more than 40 years at the famed Wyman Bautzer firm and at the firm he co-founded, Christensen Miller—was convicted along with former private investigator Anthony Pellicano, well known for his work on behalf of rich and famous clients. U.S. District Judge Dale Fischer of the Central District of California sentenced Christensen to three years in prison in 2008, but he has been free on bail pending appeal.

He has been under interim suspension from the State Bar since his conviction. more

Video Game Trade Secret Theft - Next Adventure - Game of War: Anul Stage

A manager at a maker of a popular videogame was arrested last week as he tried to board a plane for Beijing after allegedly stealing trade secrets, according to a federal criminal complaint unsealed Tuesday.

Jing Zeng, 42 years old, of San Ramon, Calif., allegedly downloaded data on how users interact with Game of War: Fire Age, one of the top-grossing games in Apple Inc.’s App Store. Mr. Zeng was a director of global infrastructure for the game’s maker, Machine Zone Inc...

On his LinkedIn profile, Mr. Zeng says that he left Machine Zone last month.

His current position: “Ready for next adventure.” more


Tuesday, August 25, 2015

A Conversation in the Bathroom with the Water Running Can't Beat a Noisebath®

Need to have a private conversation? 
No time to sweep the room for bugs?
Don't want to look like a paranoid hiding in the bathroom with the water running?

Take a Noisebath®... because running the water isn't very effective against determined eavesdroppers with high-tech filtering systems.

from the website...
Playing NOISEBATH masking source material through the speakers of a properly configured system creates a “bath” of noise around the target which mixes with the actual voices or equipment sounds to hinder the exploitation of the target’s acoustics.

NOISEBATH has been shown to be compatible with Secure Telephones. The masking sounds have negligible impact on the remote secure phone user and the local masking level can be adjusted by remote control.

There is up to a 25db reduction in sound level within the protection zone from the sound level outside the protection zone. NOISEBATH can be used with transducers on exterior windows and surfaces to protect against eavesdropping systems outside the room.

Noisebath® is the co-invention of Noel D. Matchet,  employed for 19 years at the National Security Agency where he was presented the Agency’s highest honor – The Exceptional Civilian Service Award for his contributions to information security. He has multiple patents to his credit. more

Surf Like A Spy

The default state of Internet privacy is a travesty. But if you're willing to work hard, you can experience the next best thing to absolute Internet anonymity...

1. Find a safe country
First, you would have to be physically located in a country that doesn't try its hardest to spy on you. Your best option is to find a country with good Internet connectivity that doesn't have enough resources to monitor everything its citizens are doing...

2. Get an anonymizing operating system
Next, you'll need an anonymizing operating system that runs on a resettable virtual machine running on secure portable media. The portable media device should use hardware-based encryption or a secure software-based encryption program. One of the top products on that list is Ironkey Workspace...

3. Connect anonymously
Next, you'll need to connect to the Internet using an anonymous method. The best approach would probably be to jump around random, different, open wireless networks, public or otherwise, as much as possible, rarely repeating at the same connection point. Barring that method, you would probably want to use a device built for anonymous wireless connections, like ProxyGambit...

4. Use Tor
Whatever Live OS and Internet connection method you use, make sure to go with an anonymizing browser, such as a Tor-enabled browser...

5. Don't use plug-ins

It's very important to remember that many of today's browser plug-ins, particularly the most popular ones, leave clues that reveal your identity and location. Don't use them if you want to preserve your anonymity.

6. Stick with HTTP/S
Don't use any protocols other than HTTP or HTTPS. Typically, other protocols advertise your identity or location. When working with HTTPS, use only handpicked, trusted certification authorities that don't issue "fake" identity certificates.

7. Avoid the usual applications
Don't install or use normal productivity software, like word processors or spreadsheets. They, too, will often "dial home" each time they're started and reveal information.

8. Set up burner accounts
You'll need a different email address, password, password question answers, and identity information for each website if you take the risk of creating logon accounts. This particular solution is not only for privacy nuts and should already be practiced by everyone already.

9. Never use credit cards
If you plan to buy anything on the Internet, you can't use a normal credit card and stay anonymous. You can try to use online money transfer services such as PayPal, but most have records that can be stolen or subpoenaed. Better, use an e-currency such as bitcoin or one of its competitors...

Each of these anonymizing methods can be defeated, but the more of them you add to your privacy solution, the harder it will be for another person or group to identify you... more

Monday, August 24, 2015

Report: Colts Still Sweep For Bugging Devices When They Visit Patriots

MA - It appears Peyton Manning left quite the lasting legacy in Indianapolis. Former Colts head coach Tony Dungy caused a major stir Thursday when he admitted Manning used to fear the New England Patriots bugged the visiting locker room at Gillette Stadium and even would go out into the hallway to discuss play-calling.

Manning left Indy in 2011, but apparently the team still takes precautionary measures whenever it comes to Foxboro, according to WTHR.com’s Bob Kravitz. more

Saturday, August 22, 2015

Thousands Of Ashley Madison Clients About To Learn (The Hard Way) That Most Employers Monitor Email

Upwards of 36 million email addresses were compromised when hackers infiltrated Ashley Madison, a site designed to help married people have affairs. Those email addresses, first released as an ungainly data dump, are now easily searchable on a number of different sites, leaving millions of people, some more famous than others, susceptible to personal and, it turns out, professional backlash.

Amazingly, tens of thousands of people, including more than 15,000 military and government personnel, decided to use their work email addresses to sign up for a dalliance, and if you’re wondering whether that puts them at any professional risk, the answer is almost certainly yes. A majority of American businesses monitor what their employees do online in some way or other, and they are not shy about cracking down on misbehavior.

According to a survey conducted by the American Management Association and the ePolicy Institute, more than one-quarter of employers have fired employees for misusing their work email addresses and more than one-third have fired workers for misusing the Internet. more

Spotify Apologizes for Spying on Its Users

On Wednesday, Spotify quietly updated its terms and conditions to grant itself sweeping abilities to track every location, movement, and online activity of its users, even when those users weren’t using Spotify. That data, including information pulled from friends’ profiles, would then be transmitted to advertising partners.

This morning, Spotify CEO Daniel Ek back-pedaled on those terms and promised an entirely new set of terms of conditions, to be updated next week. He also pointed to the ability for users to opt-out of certain data collection activities, a claim that contradicts language in the recently-updated terms.

The following is a statement on the matter shared with Digital Music News this morning from Ek... more

Mayor Bugged - No, really. He has been indicted.

SC - The mayor of the town of Lyman has been indicted on charges of wiretapping and misconduct in office.

A statement from the South Carolina Law Enforcement Division sent to local media outlets says Mayor Rodney Turner was indicted Friday by a Spartanburg County grand jury.

The 58-year-old Turner was charged earlier in August. According to the indictment, Turner used electronic devices to intentionally intercept the communications of employees working in and around Lyman Town Hall. more 

Friday, August 21, 2015

He's Back... The Air Gap Computer Hack

Researchers at the Ben-Gurion University of the Negev (BGU) Cyber Security Research Center have discovered that virtually any cellphone infected with a malicious code can use GSM phone frequencies to steal critical information from infected “air-gapped” computers.

Air-gapped computers are isolated -- separated both logically and physically from public networks -- ostensibly so they cannot be hacked over the Internet or within company networks.


Led by BGU Ph.D. student Mordechai Guri, the research team discovered how to turn an ordinary air-gapped computer into a cellular transmitting antenna using software that modifies the CPU firmware. GSMem malicious software uses the electromagnetic waves from phones to receive and exfiltrate small bits of data, such as security keys and passwords...

This is the third threat the BGU cyber team has uncovered related to what are supposed to be secure, air-gapped computers. Last year, the researchers created a method called Air-Hopper, which utilizes FM waves for data exfiltration. Another research initiative, BitWhisper, demonstrated a covert bi-directional communication channel between two close-by air-gapped computers using heat to communicate. more

Thursday, August 20, 2015

Everything You Believed About Telephone Security is Wrong - The SS7 Scandal

The scary version...
A massive security hole in modern telecommunications is exposing billions of mobile phone users in the world to covert theft of their data, bugging of their voice calls, and geo-tracking of their location from by hackers, fraudsters, rogue governments and unscrupulous commercial operators using hundreds of online portals across the planet.

In a world-first, 60 Minutes has proven the worst nightmares of privacy advocates around the world: that mobile phone calls and data are wide open to interception because of flaws in the architecture of the signalling system – known as SS7 - used to enable mobile phone roaming across telecommunications providers. Despite this concern, the Australian Government’s own Cyber Security Threat Report, published in June, makes no mention of what is probably the biggest threat to this country’s commercial secrets and individual privacy.


60 Minutes’ story shows how German hackers working from Berlin, given legal access to SS7 for the purposes of the demonstration, were able to intercept and record a mobile phone conversation between 60 Minutes reporter Ross Coulthart while he was speaking from Germany to Independent Australian Senator Nick Xenophon in Australia’s Parliament House. As further proof of the hack, Coulthart then made another phone call from London, England, to the Senator in Australia which the Berlin hackers were also able to intercept and record, even though they were in Germany 1000 kilometres distant. The Berlin hackers from SR Labs, who first warned of the vulnerability in SS7 in 2008, were also able to intercept and read the Senator’s SMS’ from Australia to Coulthart in London. The hackers were also then able to geo-track the Senator as he travelled to Japan on official business, mapping his movements around Tokyo and Narita down to the nearest cell tower (within a few hundred metres), and later precisely tracking around the streets of his South Australian home suburb when he returned to Australia.

The demonstration also shows how the key fraud protection relied on by banks to protect banking transactions from fraud – verification by SMS message – is useless against a determined hacker with access to the SS7 portal because they can intercept and use the SMS code before it gets to the bank customer. The same technique can also be used to take over someone’s online email account. The call-forwarding capacity of SS7 also allows any mobile to be forcibly redirected to call hugely expensive premium numbers, the cost of which is then billed to that customer’s account. SS7 also allows any number to be blocked, raising the fearful possibility that the vulnerability could be used by criminals or terrorists to stop a victim from calling police or emergency services. Cellular telephony is also used to remotely manage large industrial equipment, to send instructions to gas, electricity and other utililities and factories over 2G and 3G mobile communications. It is not inconceivable that an SS7 hack could be used to change settings or shut down a power station. more

The counterpoint version...
If you own a mobile phone, “you can be bugged, tracked and hacked from anywhere in the world”. That was the throughline of a particularly problematic story on the 60 Minutes program last night. It’s now being hailed as “the end of privacy” for all Australians, but let me assure you, that moment passed a long time ago.

“How it has been done, has never been shown before”, claimed the 20-minute report which demonstrated how a vulnerability in a global forwarding network can be “hijacked” to listen in on a user’s calls and text messages in real time.

After a lot of teasing and set-up, the report eventually took us to a basement in Germany, where security researcher Luca Melette demonstrated how he could intercept a phone call between the reporter and Australian Senator Nick Xenophon. Luca was able to intercept the call (if we’re to believe that there wasn’t any camera trickery going on), as well as a text message sent between the pair. Big drums. The hack has been reveeeeeeealed. more

Wednesday, August 19, 2015

Security Director Alert - NLRB Bans Blanket Confidentiality Policies for Workplace Investigations

It is common practice for employers to prohibit their employees from discussing ongoing workplace investigations. 

Many employers believe that this restriction is necessary to ensure the integrity and fairness of investigations involving employee misconduct. As a result, employers often have policies that require confidentiality in all workplace investigations.

According to a 2015 decision by the National Labor Relations Board (NLRB), these policies are illegal. The decision, known as Banner Estrella, states that employers cannot enforce a blanket policy requiring confidentiality during workplace investigations. Because of this decision, many employers will need to update their policies and human resources (HR) practices. more

Priest Fleas After Spycam Discovered in Chuch Bathroom

OR - Father Ysrael Bien logged on to a spy-gear website and paid $295 for the hidden camera that was discovered last spring in a Sherwood church bathroom, according to information turned over to police this week.

The camera, designed to look like an electrical outlet, came from the online retailer SpyGuy Security based in Dallas, Texas. Police served a search warrant for transaction records there Monday after the business tipped them off.

A Washington County judge signed a warrant Tuesday for Bien's arrest on misdemeanor charges of invasion of privacy, tampering with evidence and initiating a false report, but police think the priest may not be in the U.S.

They did not find him at his last known address in Sherwood. Another priest there told them that Bien had left the country....

A 15-year-old St. Francis parishioner found the hidden camera affixed to a bathroom wall on April 26. The device looked like a power outlet placed at waist-height near the toilet. Thinking that was odd, the teenager pulled it off the wall and brought it to the priest.  more