Thursday, June 29, 2017

FutureWatch: Is Privacy the New Luxury?

There is nothing more luxurious than your own private island.

A secluded space, which is owned only by you. Private islands are the definition of privacy, security, peace, tranquility and an extraordinary lifestyle. There are only a handful of people in the world who have the opportunity to provide themselves and their families with exclusive privacy and seclusion.

Enjoy it while you can...

Sea level rise accelerated by the melting of glaciers due to rising global temperatures has put many island nations on high alert, as their very survival hangs in the balance.

NASA researchers recently predicted that we are currently "locked into at least three feet of sea level rise, and probably more" by the end of the century.

Specifically, the Intergovernmental Panel on Climate Change listed the "Marshall Islands, Kiribati, Tuvalu, Tonga, the Federated States of Micronesia and the Cook Islands (in the Pacific Ocean); Antigua and Nevis (in the Caribbean Sea); and the Maldives (in the Indian Ocean)," as the most vulnerable nations to the effects of climate change. more

Business Espionage: The Slow Burn Costs


"Businesses need to be aware of the full costs of a cyber-attack, in particular, the “slow-burn” costs (i.e. those associated with the long-term impacts of a cyber-attack, such as the loss of competitive advantage and customer churn). When added to immediate costs (i.e. legal and forensic investigation fees, and extortion pay outs), slow burn costs can dramatically increase the final bill."
Lloyd's Report - in association with KPMG and legal firm DAC Beachcroft more

Lloyd's is promoting their cyber-insurance with this report. Their warning, however, actually applies to all forms of business espionage. Insurance is for the disaster. A good Technical Information Security Survey can prevent disasters. You need both.

15 Photos of ATM Scams

Take note of some of the most common ways thieves will try to steal your credit card details.


 Fourteen more photos.

Stepfather Accused of Murder Preceded by Spycam

Man accused of killing stepdaughter may have photographed her through peep holes.

Detectives found a photo they believe is of 13-year-old Jayden Glomb in her bathroom wearing a sports bra, apparently taken secretly by her stepfather who is now accused of killing her, court documents say.

Property seized so far in the investigation includes an endoscope camera, spy camera, thumb drives, clothing and photographs, according to a search warrant. The Tucson Police Department’s crime laboratory has begun to analyze the contents of a home computer that was used by Joshua Lelevier, 37, who was arrested May 31 in Jayden’s suffocation death. more

Tuesday, June 27, 2017

Cyber Espionage: Canada and China Agree to Knock it Off

The Chinese government has reached a landmark agreement with Canadian authorities that pledges to halt "economic cyber espionage", a technique long-used by Beijing to hack into large firms and steal trade secrets, often including details of proprietary technology and military plans...

"The two sides agreed that neither country's government would conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages," a portion of the deal stated.

According to the Globe and Mail, which first reported the deal, the accord solely covers economic espionage, declining to mention online espionage, surveillance and hacking to spy on state activity. more

Other business espionage items the accord does not cover...
  • Electronic eavesdropping.
  • Telephone wiretapping.
  • Physical penetration of the workplace.
  • Social engineering.
  • Infiltration of the workforce.
  • Subversion of employees (blackmail, payoffs, etc.).
  • Optical surveillance.

A good Technical Information Security Survey will cover these vulnerabilities for you.

Sunday, June 25, 2017

Dumb Thought #1: Spying — Dumb Thought #2...

On June 22, Kevin Patrick Mallory was brought before a US federal judge for his first hearing on charges that he sold highly classified documents to a Chinese intelligence agent.

These documents, which are considered "National Defense Information," included at least one Top Secret document and three classified as Secret and were found on a phone Mallory had been provided by his Chinese contacts.

Mallory, a 60-year-old former Central Intelligence Agency employee, had thought the documents were in messages that had been deleted automatically from the device. Mallory faces life in prison if convicted. more

Saturday, June 24, 2017

Things We See — Blue Bucket Blues


Not all information security issues are this obvious. 
Finding all of them requires an independent Technical Information Security Survey. more

Business Espionage: America's Cup Teams Spy

The definition of a spy is that he or she operates furtively. But there's been no secrecy around the blatant spying of Oracle and Team New Zealand on each other's boats during the five-day America's Cup break.

Both teams have dropped all pretense about their intelligence-gathering ahead of the final resuming in Bermuda this Sunday New Zealand time.

With Peter Burling and the red-hot Kiwis leading 3-0 in the first-to-seven-wins showdown, desperate Oracle spies went about their work today with the subtlety of a sledgehammer...

Team New Zealand has been doing the same thing, assiduously gaining as much information as possible... more

How a Calgary Woman Brought Down the CanadaCreep Account

Canada - The Twitter user who initially raised alarm about the 'CanadaCreep' is relieved to hear her actions may have taken a voyeur off the street.

Jeffrey Robert Williamson, 42, is accused of filming women without their knowledge and posting the images online under the Twitter handle ‘CanadaCreep.’

He was charged last week with three counts each of voyeurism and publication of voyeuristic recordings in relation to three alleged incidents and later released on bail, but freedom would be short-lived... more

Snapchat is Now Your New GPS Ankle Bracelet

Bored Snapchat users looking for something to do should update their apps today: they'll be greeted with a new map view that shows where exactly their friends are and what they're up to. 

Snap Map, as the company is calling it, can be activated by pinching your fingers together on the camera view when you first start the app. Once in map view, you'll see "Actionmoji" versions of your nearby friends, which include their names and profile photos in a configuration that vaguely resembles the tags you might find on plants for sale at the nursery.

When you tap on one of your friends' icons, you'll see stories they've posted recently...

What if none of your friends are around or they haven't posted anything interesting recently? Not to worry: the map view will also show a heat map based on the activity of other Snapchat users. more

Friday, June 23, 2017

TSCM Questions We Get - "How small is a bug's microphone?"

A. Very small.
You probably carry the one shown in the photo, in your cell phone.


In some cases, microphones are invisible. Before you say impossible, hear me out...

You are surrounded by items which can be commandeered for surveillance eavesdropping wherever you go. Solids and liquids conduct sound even better than air. Vibrations through these items may be picked up and amplified at some distance using: a piezoelectric contact microphone, a hydrophone, or light / sound beams (laser / ultrasonic).

Optimic1140 fiber optical microphone
There is also one esoteric microphone to consider—the fiber optic microphone. No wires. No electricity. Just connected to a clear glass thread.

It is so unusual, many people who claim to be technical surveillance countermeasures (TSCM) technicians don't know it exists.

So, when you add Technical Information Security Surveys to your organization's security program, ask the vendor what they know about fiber optic microphones. Good ones will tell you all about it, and how it works. They will also be impressed with you for asking.


Wednesday, June 21, 2017

Security Alert: If Your Phone Says Avaya... ask IT about this.

Internet telephony company Avaya has patched a high-severity vulnerability in its Aura Application Enablement Services product that put phone call and API data running through the server at risk for interception.

Researchers at Digital Defense found a vulnerability where an attacker could, without authentication, abuse Remote Procedure Calls (RPC) into the server and modify input in such a way that they would be granted remote administrative access...

“Anything that passes through that server [would be at risk],” said Mike Cotton, vice president of research and development... “An attacker could send malformed input at the interfaces and take control over the service and any voice data...” “Eventually you can get root command through remote compromise,” he said.

In an advisory updated June 14, Avaya said versions 6.3.1, 6.3.2, 6.3.3 and 7.x are affected. The company said that versions 6.3.1, 6.3.2 and 6.3.3 should install Super Patch 7 and apply AE Services 6.3.3.7 security hotfix. Users on 7.0.x should upgrade to 7.0.1 and install Super Patch 4 and AE Services 6.3.3.7 security hotfix as well. Users on 7.1 should apply AE Services 7.1.0.0.0 Security Hotfix.

“Certainly for enterprises that use the product, this is a high-impact vulnerability,” Cotton said. “The ultimate severity is how many business-critical apps are attached to this thing and where it’s sitting within the network infrastructure. This is something I would prioritize and move to the top of patching lists.” more

Tuesday, June 20, 2017

Be Successful Like Apple - Get Serious About Information Security

A recording of an internal briefing at Apple earlier this month obtained by The Outline sheds new light on how far the most valuable company in the world will go to prevent leaks about new products.

The briefing, titled “Stopping Leakers - Keeping Confidential at Apple,” was led by Director of Global Security David Rice, Director of Worldwide Investigations Lee Freedman, and Jenny Hubbert, who works on the Global Security communications and training team...

The briefing, which offers a revealing window into the company’s obsession with secrecy, was the first of many Apple is planning to host for employees. In it, Rice and Freedman speak candidly about Apple’s efforts to prevent leaks...

Director of Global Security, David Rice... “We deal with very talented adversaries. They're very creative and so as good as we get on our security controls, they get just as clever.” more

If your security plan does not include Technical Information Security Surveys, contact me. ~Kevin

Friday, June 16, 2017

Why You Need a Technical Information Security Survey - Reason #413

Reason #413 - Yes, they are out to get you.

Here is a brief excerpt from an Entrepreneur Magazine article I read recently. It's entitled: 3 Reasons You Should Spy on Your Competition

"One of the best ways to thoroughly understand your market is to take a look at your competition. By not spying, you are at a significant disadvantage.

Here are three reasons it’s a good idea to spy on your competition…
  1. Without spying, it’s impossible to know what you’re up against -- as a result, you can’t completely prepare.
  2. It’s easy to do. Don’t be discouraged from spying on your competition by assuming that it is daunting or resource intensive.
  3. It would be wasteful to not spy. Speaking of wasted resources, without spying on your competition it’s very easy to waste time trying to find your ideal market and your reach."

Although the article does not advocate anything illegal, do you really think a budding entrepreneur ingesting this advice will stop after tasting (legal) low-hanging fruits of knowledge? No, forbidden fruit is even more nourishing. They will "ladder up."

Background

There have always been industrial espionage spies and business espionage tricks. Heck, the Industrial Revolution in the U.S. began this way. The Chinese lost their secrets of silk this way.

Spying, as a method of getting ahead in business, was not encouraged by the media during most of the 20th Century. Children were taught entrepreneurial ideals, like: hard work, independence, persistence, and inventiveness.

So, how did we get to the point of, "Screw it, let's just spy!"

Corrosion of societal mores is an evolutionary process. Some of you will remember the days when kids had heroes who exemplified moral codes: The Shadow ("The weed of crime bears bitter fruit. Crime does not pay."), Joe Friday (Dragnet), Dan Matthews (Highway Patrol), The Lone Ranger, etc. Others may remember the glamorization of the "good" spy from TV shows like: Secret Agent Man, The Man from U.N.C.L.E., Mission Impossible, and The Prisoner.

These radio and TV shows still languish deep in digital tombs like YouTube; as forgotten as the Greek Chorus. On the bright side, at least these morality plays still exist.

1960s spy shows spawned a huge market for children’s spy toys. The market remains strong today, and much more technically advanced.

For decades, children have grown up with spy toys. Spy toy manufacturers blatantly promote spying as cool and fun.

The morally strong TV heroes children used to look up to have disappeared. Today’s “Super Hero” has little connection with reality. The good vs. evil dividing line in the plots has become fuzzy. The super heroes themselves are confusing. Dark sides and moral cracks have infected the genre. Several generations of children have been desensitized to spying, and now, as adults, their moral compasses look like Batman fidget spinners.

Today’s Reality

The workplace is now filled with former children who have no compunction about spying. Almost everyone has a spy tool in their pocket that Maxwell Smart could only dream about. And, if one needs a thumb-sized bug that can be listened in on via a cell phone, from anywhere in the world… it can be purchased on eBay for less than $25.00.

Analysis of Business Espionage Today
   • Risk level: Low.
   • Reward level: High.
   • Why people spy in the workplace:
          - Money.
          - Power.
          - Sex.
   • Surveillance Tools:
          - Inexpensive.
          - Readily available in spy shops and on the Internet.
          - Untraceable when purchased from foreign countries.

Other Contributing Factors…
  • The mores about eavesdropping and espionage have changed.
  • Increased competitive pressures placed on employees, consultants and businesses force ethics bending.
  • Media glorification presents spying as sexy and justifiable.
  • Since the '60s, spy toys and games have been actively promoted to children as being fun and acceptable. Children grow up.

“We don’t need a Technical Information Security Survey. We’ve never had a spying issue here.”

How would you know?

Spy Rule #1 - Stay undetected.
By definition, successful espionage goes undetected; only failures become known.


If you ignore business espionage, or decide to take a “risk-assessment” gamble, you will never know if you’re bleeding information. (Parasites don’t alert their hosts.)

Business espionage can be forced to fail.
Actively look for:
  • evidence of information loss,
  • evidence of electronic surveillance: audio, video and data,
  • information loss vulnerabilities in: the workplace, your transportation, your home office, and at off-site meeting venues,
  • loopholes in your perimeter security,
  • decaying or broken security hardware, upon which you rely,
  • information security policies employees no longer follow,
  • information security vulnerabilities inherent in normal office equipment,
  • and, an independent security consultant, whose specialty is the Technical Information Security Survey, to do this for you.

Vigilant organizations conduct these surveys during off-hours, on a quarterly basis. Diligent organizations tend to have their surveys conducted biannually. Negligent organizations, well, they just have their pockets picked. The point is, re-inspections limit windows-of-vulnerability. They also cost less.

An independent consultant’s report is proof of the organization’s due diligence, and may be very helpful in showing enhanced duty of care for trade secrets and other sensitive information in legal settings.

Considering what is at stake, a Technical Information Security Survey is very economical insurance, even better than insurance… it can prevent losses in the first place. Add it to your security program.

Wiretapping in the Workplace

by Benjamin E. Widener - Stark & Stark

The recent turmoil, investigation and controversy surrounding President Donald Trump’s firing of former FBI Director James Comey has thrust the issue of wiretapping into the public and political spotlight. “James Comey better hope that there are no ‘tapes’ of our conversations before he starts leaking to the press!,” President Trump tweeted on May 12, 2017, suggesting that “tapes” of his private conversations with Director Comey might exist...

All of this commotion prompted me to think about wiretapping in the workplace and, specifically, the issue of audio recordings or, as President Trump has expressed, “tapes” of conversations secretly recorded by an employer of its employees. What types of audio or tape recordings are legally permitted in the employment environment? more

Extra Credit: Workplace Eavesdropping - Time to Consider a Recording in the Workplace Policy

Android Malware - Steals Personal Data, Then Covers its Tracks

A new variant of Android malware is making rounds in the Google Play store and it is bad news all around.

According to Trend Micro, a Trojan dubbed Xavier, which is embedded in more than 800 applications on Android’s app store, clandestinely steals and leaks personal data.

Mobile malware is not new to the Android platform, but Xavier is a little more clever. It downloads code from a remote server, executes it, and uses string encryption, Internet data encryption, emulator detection, and a self-protect mechanism to cover its tracks. more

Wednesday, June 14, 2017

Foscam Remote Control Video Cameras: Pull Plug for Now

A Chinese company warned Monday that some of its remote-controlled video cameras contain flaws that a security firm said could be used in cyber attacks and cyber espionage.

Foscam USA, a subsidiary of Foscam Intelligent Technology Co. Ltd. that sells internet-linked video cameras, said in an urgent notice that 12 models made by China-based Shenzhen Foscam contain security flaws.

The flaws could allow the cameras to be taken over and used in massive cyber strikes called distributed denial of service attacks.

"Foscam US has been notified of 18 security vulnerabilities that exist on cameras manufactured by Shenzhen Foscam which leave users vulnerable to hacks which allow attackers to remotely take-over cameras, live stream, download stored files, and even compromise other devices located on the local network," the company said.

The company urged users to disconnect the cameras from the internet until the security vulnerabilities can be patched. more

The hackability of these cameras was first reported here in 2013.

The models affected include the following:
C1
C1 Lite
C2
FI9800
FI9826P
FI9828P
FI9851P
FI9853EP
FI9901EP
FI9903P
FI9928P
R2

Monday, June 12, 2017

Ponder of the Week

Lawyers and manufacturers are also vulnerable to corporate espionage.  Months can go by before they even realize they've been hit. — Mandy Simpson, CEO, Cyber Toa

No Jail Time for Teacher who hid Camera in Washroom

Canada - A former Brantford-area teacher and school administrator was handed a conditional sentence Thursday for various voyeurism-related offences. 

Brent Hachborn will spend eight months under house arrest. He will also serve a two-year probation term.

Hachborn once worked as a teacher at James Hillier Public School in Brantford. After he moved to another school, a camera was discovered in the school’s staff washroom.

Investigators later learned that Hachborn used three different cameras in a rotation. They had been there for about a year before anybody noticed – containing dozens of videos and 1,300 photographs of adult men in total. more

Early Radio Head Gear

According to an August 1930 issue of Modern Mechanix, a Berlin engineer invented the hat, which allowed its wearer to “listen to the Sunday sermon while motoring or playing golf, get the stock market returns at the ball game, or get the benefit of the daily dozen while on the way to work by merely tuning in.”



This was not, however, the first radio hat. The technology appears to date back to the early 1920s; a Library of Congress photo taken “between 1921 and 1924” features a man with a radio hat similar to Pathetone Weekly’s. Ultimately, neither hat seems to have made much of a splash among the public—but a radio hat designed two decades later certainly did.

In 1949, a Brooklyn novelty store introduced what they called “The Man From Mars Radio Hat.” A flurry of articles promoting it followed, as did a temporary buying frenzy.

In one article, LIFE Magazine called the Man From Mars Radio Hat “the latest and silliest contribution to listeners who feel compelled to hear everything on the air.” more

Sunday, June 11, 2017

NSA’s Leaked Bugging Devices - Reverse Engineered

Radio hackers have reverse-engineered some of the wireless spying gadgets used by the US National Security Agency. Using documents leaked by Edward Snowden, researchers have built simple but effective tools that can be attached to parts of a computer to gather private information in a host of intrusive ways.

The NSA’s Advanced Network Technology catalogue was part of the avalanche of classified documents leaked by Snowden, a former agency contractor. The catalogue lists and pictures devices that agents can use to spy on a target’s computer or phone. The technologies include fake base stations for hijacking and monitoring cellphone calls and radio-equipped USB sticks that transmit a computer’s contents.

But the catalogue also lists a number of mysterious computer-implantable devices called “retro reflectors” that boast a number of different surreptitious skills, including listening in on ambient sounds and harvesting keystrokes and on-screen images. more

Friday, June 9, 2017

Defamation Lawsuit Filed over Methodist Hospital Phone Bugging Claims

A Houston Methodist doctor has filed a lawsuit against the hospital claiming he was demoted for raising concerns about recording of conversations on hospital phone lines.

According to the lawsuit, Dr. Eric Haufrect MD was removed as vice chairman of Methodist's obstetrics and gynecology department after he raised concerns that the hospital was illegally recording conversations between staff and patients.

Haufrect learned of the alleged phone bugging in October 2016 after a nurse said a technician working on her phone explained it to her, according to the lawsuit.



When he alerted hospital administrators to the recording, they said his department could not opt out of recordings, the suit alleges. Haufrect said he raised concerns to several different parties in the hospital about potential HIPAA violations, including CEO Dr. Robert Phillips. more

Which is most secure: HomePod, Echo, or Google Home

Apple's HomePod, Google Home and Amazon Echo all encrypt the voice recordings sent to their respective servers. But there are varying degrees of how they keep the data secret...

Echo
"The recordings are securely stored in the [Amazon Web Services] cloud and tied to your account to allow the service to be personalized for each user," an Amazon spokeswoman said in an email.

Google Home 
Similarly, Google Home collects data from your apps, your search and location history, and your voice commands, which are all tied to your Google account... If a government agency requests data from Google or Amazon from a voice assistant, they can point to accounts associated with the user...

HomePod
With anonymized IDs, Apple's speakers have a much more compelling argument for not handing over data: They can't find it. In the game of hide and seek with your voice data, the advantage -- for now -- goes to Apple. more

Wednesday, June 7, 2017

Yellow Printer Dots Nail Spy Agency Leaker

‘Colour printers spy on you’: Barely visible yellow dots lead to arrest of Reality Winner, alleged NSA leaker.

According to Rob Graham, who writes for the blog Errata Security, the Intercept’s scanned images of the intelligence report contained tracking dots – small, barely visible yellow dots that show “exactly when and where documents, any document, is printed.” Nearly all modern color printers feature such tracking markers, which are used to identify a printer’s serial number and the date and time a page was printed. 

“Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document,” Graham wrote. more

Long term readers of the Security Scrapbook already knew about this.
From 10 years ago... Is Your Printer Spying on You? Good!

When Your Stuff Spies on You

What do a doll, a popular set of headphones, and a sex toy have in common? All three items allegedly spied on consumers, creating legal trouble for their manufacturers.

In the case of We-Vibe, which sells remote-control vibrators, the company agreed to pay $3.75 million in March to settle a class-action suit alleging that it used its app to secretly collect information about how customers used its products. The audio company Bose, meanwhile, is being sued for surreptitiously compiling data—including users’ music-listening histories—from headphones.

For consumers, such incidents can be unnerving. Almost any Internet-connected device—not just phones and computers—can collect data. It’s one thing to know that Google is tracking your queries, but quite another to know that mundane personal possessions may be surveilling you too.

So what’s driving the spate of spying? more

Wartime Spies Who Used Knitting as an Espionage Tool

During World War I, a grandmother in Belgium knitted at her window, watching the passing trains. As one train chugged by, she made a bumpy stitch in the fabric with her two needles. Another passed, and she dropped a stitch from the fabric, making an intentional hole. Later, she would risk her life by handing the fabric to a soldier—a fellow spy in the Belgian resistance, working to defeat the occupying German force.

Whether women knitted codes into fabric or used stereotypes of knitting women as a cover, there’s a history between knitting and espionage. “Spies have been known to work code messages into knitting, embroidery, hooked rugs, etc,” according to the 1942 book A Guide to Codes and Signals. During wartime, where there were knitters, there were often spies; a pair of eyes, watching between the click of two needles. more

You Already Bugged Your Own House Years Ago

If you're unnerved at the prospect of an always-on mic in your home, then take a second to consider the ones that are already there... more