Spying is multifaceted. It includes everything from plain old audio eavesdropping, to spycams (thus adding the visual element), to aggregating all the telltale data about us. Once science fiction, even facial recognition is coming to airports. Is it possible to squeeze more from a spy's cornucopia of tricks?
What if you want to know what a person is thinking, or what they look like?
These two challenges are the future of spying, and they are being worked on today.
We started covering mind reading advancements in 2006. And now, how to tell what a person looks like—and even their environment... just from the sound of their voice.
Sunday, August 11, 2019
Friday, August 9, 2019
Warshipping - The Next Corporate Espionage Headache
Hackers looking to gain access to your Wi-Fi network don’t necessarily have to lurk around your home or office, warns IBM X-Force Red.
Instead, writes Charles Henderson, global head of that security unit, they could simply ship you a package with a tiny, concealed device they can remotely control.
“In fact, they could ship multiple devices to their target location thanks to low build cost,” Henderson writes. “The device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed in a toy (a device no bigger than the palm of your hand) and delivered right into the hands or desk of an intended victim.”...
Such a device could even set up a rogue wireless network of its own to sniff login credentials to use on the real target network, according to the post. Devices made for the technique, which IBM has dubbed warshipping, can be built for under $100, the company says.
To avoid such attacks, Henderson’s team recommends companies set up policies to inspect and isolate packages and potentially discourage employees from getting personal shipments at work. more
Instead, writes Charles Henderson, global head of that security unit, they could simply ship you a package with a tiny, concealed device they can remotely control.
“In fact, they could ship multiple devices to their target location thanks to low build cost,” Henderson writes. “The device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed in a toy (a device no bigger than the palm of your hand) and delivered right into the hands or desk of an intended victim.”...
 |
| Scheduled TSCM inspections find electronic surveillance items like this. Dead or alive. |
To avoid such attacks, Henderson’s team recommends companies set up policies to inspect and isolate packages and potentially discourage employees from getting personal shipments at work. more
iPhone iMessage iHacked
When you think about how hackers could break into your smartphone, you probably imagine it would start with clicking a malicious link in a text, downloading a fraudulent app,
or some other way you accidentally let them in.
It turns out that's not necessarily so—not even on the iPhone, where simply receiving an iMessage could be enough to get yourself hacked.
At the Black Hat security conference in Las Vegas on Wednesday, Google Project Zero researcher Natalie Silvanovich is presenting multiple so-called “interaction-less” bugs in Apple’s iOS iMessage client that could be exploited to gain control of a user’s device. And while Apple has already patched six of them, a few have yet to be patched...
The six vulnerabilities Silvanovich found—with more yet to be announced—would potentially be worth millions or even tens of millions of dollars on the exploit market. more
Our 41 Smartphone Security Tips.
It turns out that's not necessarily so—not even on the iPhone, where simply receiving an iMessage could be enough to get yourself hacked.
At the Black Hat security conference in Las Vegas on Wednesday, Google Project Zero researcher Natalie Silvanovich is presenting multiple so-called “interaction-less” bugs in Apple’s iOS iMessage client that could be exploited to gain control of a user’s device. And while Apple has already patched six of them, a few have yet to be patched...
The six vulnerabilities Silvanovich found—with more yet to be announced—would potentially be worth millions or even tens of millions of dollars on the exploit market. more
Our 41 Smartphone Security Tips.
The Avaya Phone Bug – Back From the Dead
Experts at McAfee Advanced Threat Research say they were just doing
general studies of Avaya desk phone security when they stumbled on the
reincarnated bug.An attacker could exploit it to take over the phone’s operations, extract audio from calls, and even essentially bug the phone to spy on its surroundings.
“It was kind of a holy crap moment,” says Steve Povolny, McAfee's head of advanced threat research...
Though a fix is now available (again), the McAfee researchers note that it will take time for the patch to distribute out to all the corporate and institutional environments where vulnerable phones are lurking on every desk. more
My past posts about Avaya eavesdropping vulnerabilities.
Update: Avaya is second only to Cisco in the enterprise VoIP market, and is used by almost all of the Fortune 100. The company's response and advisory notice can be found here.
Wednesday, August 7, 2019
Security Director Alert: Check for Unsecured Wi-Fi Printers
A group of hackers linked to Russian spy agencies are using "internet of
things" devices like printers and internet-connected phones to break
into corporate networks, Microsoft announced on Monday. more
We see this vulnerability at approximately a third of the corporations where we conduct inspections. It is a very common issue. Very dangerous.
Q. "So, why does this happen so often?"
A. When initially outfitting the office the IT Department usually does a good job of turning on encryption for Wi-Fi Access Points, and the things connecting to them.
Later, someone decides they need their own printer. It arrives. It is plugged in. Nobody thinks about turning on the encryption.
Often, the Wi-Fi feature of the printer is not even used, but it's on by default. The company network is now subject to compromise.
The only way to know if you have this issue is to look for it. Have your IT Department check periodically, or have us do it, but do it. ~Kevin
We see this vulnerability at approximately a third of the corporations where we conduct inspections. It is a very common issue. Very dangerous.
Q. "So, why does this happen so often?"
A. When initially outfitting the office the IT Department usually does a good job of turning on encryption for Wi-Fi Access Points, and the things connecting to them.
Later, someone decides they need their own printer. It arrives. It is plugged in. Nobody thinks about turning on the encryption.
Often, the Wi-Fi feature of the printer is not even used, but it's on by default. The company network is now subject to compromise.
The only way to know if you have this issue is to look for it. Have your IT Department check periodically, or have us do it, but do it. ~Kevin
Business Security Trend: Proactive Information Security... Legislated by law!
via Brian G. Cesaratto, Epstein Becker Green
New York is the latest state to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information.
New York now joins California, Massachusetts and Colorado in setting these standards. New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing.
Businesses should immediately begin the process to comply with the Act’s requirements effective March 21, 2020.
Notably, New York’s law covers all employers, individuals or organizations, regardless of size or location, which collect private information on New York State residents.
In order to achieve compliance, an organization must implement a data security program that includes:
New York is the latest state to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information.
New York now joins California, Massachusetts and Colorado in setting these standards. New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing.
Businesses should immediately begin the process to comply with the Act’s requirements effective March 21, 2020.
Notably, New York’s law covers all employers, individuals or organizations, regardless of size or location, which collect private information on New York State residents.
In order to achieve compliance, an organization must implement a data security program that includes:
- reasonable administrative safeguards that may include designation of one or more employees to coordinate the security program, identification of reasonably foreseeable external and insider risks, assessment of existing safeguards, workforce cybersecurity training, and selection of service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract;
- reasonable technical safeguards that may include risk assessments of network, software design and information processing, transmission and storage, implementation of measures to detect, prevent and respond to system failures, and regular testing and monitoring of the effectiveness of key controls; and
- reasonable physical safeguards that may include detection, prevention and response to intrusions, and protections against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal of the information.
AT&T Employees Took Bribes to Plant Malware
AT&T employees took bribes to unlock millions of smartphones, and to install malware and unauthorized hardware on the company's network, the Department of Justice said yesterday...
The bribery scheme lasted from at least April 2012 until September 2017...
The two recruited AT&T employees by approaching them in private via telephone or Facebook messages. Employees who agreed, received lists of IMEI phone codes which they had to unlock for sums of money. moreRemember this survey from 2016? "One in five employees said they would sell their passwords."
The Point: Quarterly Technical Information Security Surveys mitigate this risk, and prove due diligence.
Monday, August 5, 2019
Spy Tip: How to Break Out of Automated Phone Trees
Want to Talk with a Human?
Skip the cue.
Try...
- Dial O, or try multiple zeros.
- You can add the # key or the * key before and after a 0.
- Dial multiples of other numbers 1111, 2222, 3333, 4444, etc.
- Being silent sometimes works (believe it or not some people still have rotary phones).
- Speak non-sensible phrases to confuse computer.
- Try speaking and repeating "Operator" or "Customer Service".
- If there is a company directory, press just one letter and then try to connect to that person and then may transfer you or give you an inside phone number.
- Make sure once you get a human, ask for the direct line to call.
Wallet, Keys, Bag Packed... Ooopps, Forgot the Post-it Notes
When airline seatback entertainment systems started to come bundled with little webcams, airlines were quick to disavow their usage, promising that the cameras were only installed for potential future videoconferencing or gaming apps, and not to allow the crew or airline to spy on passengers in their seats.
Enter Hong Kong's Cathay Pacific, the country's flagship airline, which has just amended its privacy policy to reveal that it is recording its passengers as they fly, as well as gathering data on how individual passengers spend time in airport terminals, and even brokered data on their use of rivals' hotel and airplane loyalty programs.
But don't worry, the company promises it will take "commercially reasonable" cybersecurity measures to keep all that data from leaking. more
But don't worry, the company promises it will take "commercially reasonable" cybersecurity measures to keep all that data from leaking. more
Amazon Alexa's New Dump the Human Eavesdropping Switch
Alexa users who don’t want their recordings reviewed by third-party contractors finally have an option to opt-out...
Unfortunately, Amazon has never made opting-out of data collection on its devices particularly easy, and this new policy doesn’t buck that trend.
According to Bloomberg, users need to dig into their settings menu, then navigate to “Alexa Privacy,” and finally tap “Manage How Your Data Improves Alexa” to see the following text: “With this setting on, your voice recordings may be used to develop new features and manually reviewed to help improve our services. Only an extremely small fraction of voice recordings are manually reviewed.” more
Unfortunately, Amazon has never made opting-out of data collection on its devices particularly easy, and this new policy doesn’t buck that trend.
According to Bloomberg, users need to dig into their settings menu, then navigate to “Alexa Privacy,” and finally tap “Manage How Your Data Improves Alexa” to see the following text: “With this setting on, your voice recordings may be used to develop new features and manually reviewed to help improve our services. Only an extremely small fraction of voice recordings are manually reviewed.” more
A Brief History of Surveillance in America
By
April White, Smithsonian Magazine
For the last several years, Brian Hochman has been studying electronic surveillance—both the technological developments that have made eavesdropping possible and the cultural and political realities that have made it a part of American life for more than 150 years...
How far back do we have to go to find the origins of wiretapping?
It starts long before the telephone. The earliest statute prohibiting wiretapping was written in California in 1862, just after the Pacific Telegraph Company reached the West Coast, and the first person convicted was a stock broker named D.C. Williams in 1864. His scheme was ingenious: He listened in on corporate telegraph lines and sold the information he overheard to stock traders...
It’s only in the 1920s that ordinary Americans start to take notice of wiretapping and it's not really until the 1950s that it's seen as a national problem...
 |
The House Intelligence Committee looked into illegal wiretapping in 1975 as part of its investigation of risks of U.S. intelligence operations.
Michael Hershman (holding a 'plug bug') explaining surveillance and counter-surveillance technology. (AP Photo/Charles Gorry)
|
Historians are not in the business of prognostication, but the one thing that I can say with some certainty is that electronic surveillance and dataveillance are going to scale. They will be more global and more instantaneous. I can say with much more certainty that that public attention to these issues will wax and wane. more
Millions Of Chinese-Made Cameras Can Be Hacked To Spy On Users
Despite more awareness of the risks associated with Chinese surveillance equipment, the news this week that cameras from the world's second-largest manufacturer of such devices can be used to secretly listen in to users still comes as a shock.
Put simply, the newly disclosed backdoor vulnerability means that millions of cameras have been carrying the potential to be used as eavesdropping devices—even when the audio on the camera is disabled.
"Essentially," warned Jacob Baines, the researcher who first disclosed the vulnerability with cameras used by both consumers and enterprises, "if this thing is connected directly to the internet, it’s anyone’s listening device."...
Baines initially shared this latest issue with Dahua OEM Armcrest two months ago, reporting that he could "remotely listen" to a tested camera "over HTTP without authentication." The vulnerability can be seen in action in a video shared by Baines on YouTube. more
"Essentially," warned Jacob Baines, the researcher who first disclosed the vulnerability with cameras used by both consumers and enterprises, "if this thing is connected directly to the internet, it’s anyone’s listening device."...
Baines initially shared this latest issue with Dahua OEM Armcrest two months ago, reporting that he could "remotely listen" to a tested camera "over HTTP without authentication." The vulnerability can be seen in action in a video shared by Baines on YouTube. more
Tuesday, July 23, 2019
The ‘Golden Age of SIGINT’ May Be Over
“The ‘golden age of SIGINT’ may be over, particularly within the next five or ten years,” the study, “Going Dark: Implications of an Encrypted World,” finds. The traditional methods of collecting signals intelligence and eavesdropping on communications used by the Intelligence Community (IC) will no longer be effective. “End-to-end encryption of all communications and data, differential privacy, and secure communications for all users are likely to be the new reality,” the study says. more
Android Smartphone Alert: Spearphone Eavesdropping
A Spearphone attacker can use the accelerometer in LG and Samsung phones to remotely eavesdrop on any audio that’s played on speakerphone, including calls, music and voice assistant responses.
A new way to eavesdrop on people’s mobile phone calls has come to light in the form of Spearphone – an attack that makes use of Android devices’ on-board accelerometers (motion sensors) to infer speech from the devices’ speakers.
An acronym for “Speech privacy exploit via accelerometer-sensed reverberations from smartphone loudspeakers,” Spearphone was pioneered by an academic team from the University of Alabama at Birmingham and Rutgers University.
They discovered that essentially, any audio content that comes through the speakers when used in speakerphone mode can be picked up by certain accelerometers in the form of sound-wave reverberations. And because accelerometers are always on and don’t require permissions to provide their data to apps, a rogue app or malicious website can simply listen to the reverberations in real time, recording them or livestreaming them back to an adversary, who can analyze and infer private data from them. more
A new way to eavesdrop on people’s mobile phone calls has come to light in the form of Spearphone – an attack that makes use of Android devices’ on-board accelerometers (motion sensors) to infer speech from the devices’ speakers.
An acronym for “Speech privacy exploit via accelerometer-sensed reverberations from smartphone loudspeakers,” Spearphone was pioneered by an academic team from the University of Alabama at Birmingham and Rutgers University.
They discovered that essentially, any audio content that comes through the speakers when used in speakerphone mode can be picked up by certain accelerometers in the form of sound-wave reverberations. And because accelerometers are always on and don’t require permissions to provide their data to apps, a rogue app or malicious website can simply listen to the reverberations in real time, recording them or livestreaming them back to an adversary, who can analyze and infer private data from them. more
Subscribe to:
Posts (Atom)