Showing posts with label keystroke. Show all posts

Monday, October 9, 2023

How New Corporate Espionage Techniques Are Born, or... Their Next App Attack

In a university somewhere (guess where) students are working on this...

"Introduction: Snooping keystrokes (a.k.a., keystroke inference attacks) seriously threaten information security and privacy. 

By launching such an attack, an adversary has an opportunity to steal sensitive information such as accounts, passwords, credit card numbers, SSNs, and conidential (sic) documents[1, 15, 29, 30] from the victims when they are typing on a keyboard. 

Smartphone-based snooping [15, 18, 24] further eases the launching when an adversary could intentionally leave his own smartphone near the victim’s keyboard. 

Furthermore, an attacker could spread a malicious mobile app (e.g., in app markets) that pretends to be a normal audio playing and recording application but stealthily collects user’s keystroke data over the Internet. He may afect (sic) a large volume of smartphones and enable large-scale keystroke inference attacks as shown in Fig. 1..." more

Wednesday, October 19, 2022

Zillow Sued For Alleged Wiretapping - It’s not what you think...

If your company maintains a website – whether offering financial products or just selling pet stairs – you now need to be familiar with state and federal wiretapping laws.

The term “wiretapping” probably brings to mind images of police detectives or FBI agents huddled in the back of a white panel van or in a dark room with headphones on, listening to and recording conversations among shady characters.

What likely doesn’t come to mind are interactive business websites. 

Yet a spate of recent class action lawsuits against a variety of business websites – including cases filed separately in September in Pennsylvania, Washington, and Missouri against Zillow Group Inc., as well as those filed against hardware retailer Lowe’s and travel website Expedia, among others – all cite state wiretapping laws as the basis of their complaints about invading consumer privacy...

Privacy experts say all of these wiretapping lawsuits have far reaching implications for any business that maintains a website and uses coding, software, or third-party vendors to analyze what clients or consumers do when they visit online. more

Saturday, May 7, 2022

KeyTap3 Exploit Knows What You Type Keyboard Eavesdropping

A new KeyTap3 exploit might explain how some websites are able to track and offer recommendations for an item you just searched for.
 

Programmer Georgi Gerganov doesn’t use any Bluetooth, WiFi, or RF-based methods to eavesdrop on your keyboards, but rather a normal microphone. That’s right, it essentially captures audio of you typing before using that information to generate a cluster map of clicks with similar sounds.

It then analyzes those clusters and utilizes statistical information about the frequency of the letter n-grams in the supposed language of the text. 

The algorithm realizes that some of these letter combinations are used more frequently in certain languages, like English, and then begins guessing. 

Try it out here if you have a clicky mechanical keyboard. This exploit would most likely not fare well against Samsung’s SelfieType, an AI-powered keyboard. more

Tuesday, January 16, 2018

Hawaiian Emergency Management - Passwords on Post-it Notes on Computer Screens

The Hawaii Emergency Management false alarm mess was not caused by pressing the wrong button. It was caused by poor design.

Ever select the wrong thing from a drop-down menu? Sure, it happens all the time.

The Washington Post reports...
The menu, which triggers alerts, contains a jumble of options, ranging from Amber alerts to Tsunami warnings to road closures. Some of them, such as “High Surf Warning North Shores,” are in plain English.

Others, including the one for a missile attack, “PACOM (CDW)-STATE ONLY,” use shorthand initials. (PACOM refers to the United States Pacific Command based in Hawaii.)

And the menu contained no ballistic missile defense false alarm option — which has now been added at the top of the image, marked up by officials for explanatory purposes. more
Suggestions:
1. Separate the messages into smaller groups: Routine Tests | Advisories | Life Threatening
2. Drop the jargon. Say what you mean, clearly.
3. Do not use instant-select dropdown menus.
4. Use radio buttons to select the message, plus a CONFIRMATION and CANCEL button to activate the selected alert, or not. Two extra seconds of thought can prevent a lot of mistakes.

If you need help with design, call on the master, John McWade. He can teach you.

And, what's with posting the passwords to an emergency management computer screen?!?!
If the personnel can't memorize a password as lame as this, they shouldn't be allowed anywhere near a keyboard. more

Password: Warningpoint2

Wednesday, December 13, 2017

Security Director Alert: HP Laptops with Hidden Keyloggers

Researcher Michael Myng found a deactivated keylogger in a piece of software found on over 460 HP laptop models. A full list of affected laptops is here. The keylogger is deactivated by default but could represent a privacy concern if an attacker has physical access to the computer...

The bottom line? Update your HP laptop as soon as possible. If you are on HP’s list of affected laptops you can download the fix here. more

Wednesday, November 29, 2017

When Do People Use Keystroke Loggers Legally

According to PInow.com...
  • Employers monitoring of company computers used by employees to ensure they are working as required and to prevent fraud and other criminal activities.
  • Parents monitoring the use of computers for children below 18 years.
  • Companies monitoring use of company resources like internet.
  • Collection of forensic evidence from the computers being monitored for security reasons with a legitimate investigation cause. more

Tuesday, October 31, 2017

TSCM Alert - Keylogger Used to Hack School Grades

Former University of Iowa student Trevor Graves was arrested last week and charged...with hacking into the school's system to change grades.

...Graves allegedly attached a keylogger to several university computers in order to compromise faculty, staff and student information. In January 2017 the scheme was identified when a keylogger was discovered and reported by a staff member...

The school estimated that about 250 people had their HawkID and password stolen.

The court documents state that Graves allegedly used the information taken to escalate his privileges within the school's computer system, enabling him to change grades, an ability given only to instructors. more

This school was lucky. They discovered the spying device almost by accident. 

Most electronic surveillance and subsequent information loss is never discovered, because... "If you don't look, you don't find."

Typical keystroke logger attached to keyboard cable.

Technical Surveillance Countermeasures (TSCM) inspections are not just about finding bugs and wiretaps. These exams also discover keyloggers, optical surveillance (spycams) and other methods of information loss.

Periodic TSCM exams are as vital to an organization's health as medical exams are to people. Think about that for a second... both can spot a cancer while it can still be cured.

Need a TSCM exam, or a local referral? Contact me. ~Kevin

Thursday, August 24, 2017

Shoulder Surfers Get Faked Out with IllusionPIN App

Researchers have created a smartphone application to combat “shoulder-surfing”—when someone else looks over your shoulder as you enter your phone’s password or other private digits, potentially even gleaning vital financial or personal information...

Nasir Memon, a professor of computer science and engineering at New York University’s Tandon School of Engineering, explains that the technology, called “IllusionPIN,” deploys a hybrid-image keyboard that appears one way to the close-up user and differently to an observer at a distance of three feet or greater.

The research team simulated a series of shoulder-surfing attacks on smartphone devices to test the effectiveness of IllusionPIN at various distances.

In total, they performed 84 attempted shoulder-surfing attacks on 21 participants, none of which was successful. For contrast, they also mounted 21 shoulder-surfing attacks on unprotected phones using the same distance parameters; all 21 attacks were successful. more much more

Friday, May 12, 2017

The Unexpected Keystroke Logger on Some HP Laptops

The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user's keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look.

Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today.

According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version 1.0.0.46 and earlier.

This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe).

This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file "monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys."

This behavior, by itself, is not a problem, as many other apps work this way. The problem is that this file writes all keystrokes to a local file at: C:\users\public\MicTray.log more
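
A defender-side check for the artifacts named above, as an added example that is not from the original post, modzero or HP. It reports whether the executable, the log file and a matching scheduled task are present, without reading the log's contents. The two paths are the ones given in the post; the function name and the 'MicTray' task-matching pattern are assumptions.

```powershell
# Added example: audit a Windows host for the MicTray artifacts named in the post.
# Run from 64-bit PowerShell so C:\Windows\System32 is not redirected to SysWOW64.
# Test-MicTrayArtifacts is an illustrative name, not a vendor or researcher tool.

function Test-MicTrayArtifacts {
    [CmdletBinding()]
    param(
        # Paths as given in the post
        [string]$ExePath = 'C:\Windows\System32\MicTray64.exe',
        [string]$LogPath = 'C:\Users\Public\MicTray.log'
    )

    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        ExePresent     = $false
        ExeFileVersion = $null   # reported as-is; the version in the post is the driver package's
        LogPresent     = $false
        LogBytes       = 0
        LogLastWrite   = $null
        ScheduledTasks = @()
    }

    if (Test-Path -LiteralPath $ExePath -PathType Leaf) {
        $exe = Get-Item -LiteralPath $ExePath
        $result.ExePresent     = $true
        $result.ExeFileVersion = $exe.VersionInfo.FileVersion
    }

    # Only metadata is collected: the log may hold typed passwords, so it is never read.
    if (Test-Path -LiteralPath $LogPath -PathType Leaf) {
        $log = Get-Item -LiteralPath $LogPath
        $result.LogPresent   = $true
        $result.LogBytes     = $log.Length
        $result.LogLastWrite = $log.LastWriteTime
    }

    # Scheduled tasks whose action launches a binary with 'MicTray' in its path
    # (assumed pattern; the post does not name the task).
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.Actions | Where-Object { $_.Execute -match 'MicTray' }
    }
    $result.ScheduledTasks = @($tasks | ForEach-Object { $_.TaskPath + $_.TaskName })

    [pscustomobject]$result
}

Test-MicTrayArtifacts | Format-List
```

A non-zero LogBytes with a recent LogLastWrite means keystrokes have been written to a world-readable location and the file should be treated as sensitive when it is collected or removed.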

Wednesday, July 27, 2016

Brand-Name Wireless Keyboards Open to Silent Eavesdropping

Wireless keyboards from popular hardware vendors are wide open to silent interception at long distances, researchers have found, without users being aware that attackers can see everything they type.

Bastille Research said the keyboards transmit keystrokes across unencrypted radio signals in the 2.4 GHz band, unlike high-end and Bluetooth protocol keyboards, which transmit data in an encrypted format, making it more difficult for attackers to intercept the scrambled keystrokes.

It means attackers armed with cheap eavesdropping devices can silently intercept what users type at distances of 50 to 100 metres away.

Such interception could reveal users' passwords, credit card numbers, security question replies and other personally sensitive information, Bastille said. Users would have no indication that the traffic between the keyboard and the host computer was intercepted.

Furthermore, attackers could inject keystrokes of their own into the signals, and type directly onto users' computers. Again, the attack would be unnoticeable to users in most cases.

Bastille tested eight keyboards from well-known vendors... more

Longtime Security Scrapbook readers may remember my warnings about this beginning in 2007...
https://spybusters.blogspot.com/2007/12/wireless-keyboard-interception.html  
https://spybusters.blogspot.com/2007/12/program-discovers-at-risk-wireless.html
https://spybusters.blogspot.com/2009/01/old-news-still-scary-bugged-keyboards.html

Tuesday, March 15, 2016

Is Your Wireless Keyboard & Mouse Vulnerable to Eavesdropping? Better check...

Some of the computer dongles that come with wireless keyboards and mouses may offer hackers a fairly simple way to remotely access and take over your computer, according to a new report from Internet-of-things security startup Bastille.

Atlanta-based Bastille says it has determined that a number of non-Bluetooth wireless keyboards and mouses from seven companies—including Logitech, Dell, and Lenovo—have a design flaw that makes it easy for hackers from as far as about 90 meters away to pair with the dongle that these devices use to let you interact with your computer. A hacker could do things like control your computer or add malware to the machine.

In tests, the company found around a dozen devices that were susceptible to the flaw, which it’s listing online. more

PS - In addition to stealing keystrokes, this technique can also be used to inject keystrokes into the victim's keyboard.  ~Kevin

Wednesday, February 24, 2016

Technical Espionage Tool #423 - Wireless Keyboards & Mice

The wireless link between your mouse and dongle might not be as useful as you think. A new hack shows that the links are often unencrypted and can be used to gain control of your computer.

Security researchers from Bastille Networks have found that non-Bluetooth wireless keyboards manufactured by Logitech, Dell, and Lenovo don’t encrypt communication between the input device and the dongle plugged into a computer’s USB slot. That’s allowed them to create an attack—that they’re calling Mousejack—which injects commands into the dongle.

The team claims the attack can be carried out from up to 300 feet away from the victim’s computer given the right hardware. Once compromised, the hacked dongle allows the team to transmit malicious packets that generate keystrokes.

While that might not sound too useful, remember that one of those packets can hold an awful lot of keystrokes—the equivalent of 1,000 words-per-minute of typing, according to the researchers. That’s enough to install a rootkit capable of opening access to your whole computer in under 10 seconds, apparently—which means you might never know your wireless mouse dongle had been hacked. And once that’s done, it’s game over. more

Wednesday, November 25, 2015

How Browser Extensions Steal Logins & Browsing Habits; Conduct Corporate Espionage

via boingboing.com
Seemingly harmless browser extensions that generate emojis, enlarge thumbnails, help you debug Javascript errors and other common utilities routinely run secret background processes that collect and retransmit your login credentials, private URLs that grant access to sensitive files, corporate secrets, full PDFs and other personally identifying, potentially compromising data.

Many extensions conduct surveillance without any notification at all, but some do legal backflips to cover up their activities -- characterizing your installation of the extension as explicit permission to spy; pretending that URLs are by nature anonymous and so on. The data is aggregated and sold to unnamed third parties, reputedly for $0.04/user/month. Many of the spying extensions have more than a million users. One of the extensions identified as conducting secret spying advertises itself as a privacy-enhancing tool (!).

Detectify Labs have posted a technical explanation of how Chrome extensions conduct surveillance, and note near the end of their analysis that Firefox extensions are just as prone to spying. more

Thursday, September 10, 2015

Windows 10 is a Window into Your World - Kill its Keystroke Logger

via Lincoln Spector, Contributing Editor, PCWorld 
 
Microsoft pretty much admits it has a keylogger in its Windows 10 speech, inking, typing, and privacy FAQ: “When you interact with your Windows device by speaking, writing (handwriting), or typing, Microsoft collects speech, inking, and typing information—including information about your Calendar and People (also known as contacts)…”

The good news is that you can turn off the keylogging. Click Settings (it’s on the Start menu’s left pane) to open the Settings program. You’ll find Privacy on the very last row.
Once in Privacy, go to the General section and Turn off Send Microsoft info about how I write to help us improve typing and writing in the future. While you’re there, examine the other options and consider if there’s anything else here that you may want to change.
Now go to the Speech, inking and typing section and click Stop getting to know me. (I really wanted to end that sentence with an exclamation point.)
You may also want to explore other options in Privacy. For instance, you can control which apps get access to your camera, microphone, contacts, and calendar. more


Tuesday, June 23, 2015

Radio Bug in a Pita Steals Laptop Crypto Keys

The list of paranoia-inducing threats to your computer’s security grows daily: Keyloggers, trojans, infected USB sticks, ransomware…and now the rogue falafel sandwich.

Researchers at Tel Aviv University and Israel’s Technion research institute have developed a new palm-sized device that can wirelessly steal data from a nearby laptop based on the radio waves leaked by its processor’s power use.

Their spy bug, built for less than $300, is designed to allow anyone to “listen” to the accidental radio emanations of a computer’s electronics from 19 inches away and derive the user’s secret decryption keys, enabling the attacker to read their encrypted communications. And that device, described in a paper they’re presenting at the Workshop on Cryptographic Hardware and Embedded Systems in September, is both cheaper and more compact than similar attacks from the past—so small, in fact, that the Israeli researchers demonstrated it can fit inside a piece of pita bread.

“The result is that a computer that holds secrets can be readily tapped with such cheap and compact items without the user even knowing he or she is being monitored,” says Eran Tomer, a senior lecturer in computer science at Tel Aviv University. “We showed it’s not just possible, it’s easy to do with components you can find on eBay or even in your kitchen.” more / research paper

Imagine these being built into restaurant and hotel room table tops.

Wednesday, April 29, 2015

Student Uses Keystroke Logger to Change Grades - Fail & Jail

UK - Student uses a keyboard spying device to hack the computer of Birmingham University to up his own grades and has been sentenced to 4 months in jail.

A final-year student found guilty of hacking the university computers to change his marks and increase his overall final-year grades has been sentenced by the court to 4 months in jail.

Imran Uddin, a 25-year-old student of Bio Science at the University of Birmingham, hacked the university computers by using a “keyboard spying device”. This device resembles a USB stick and can be purchased from internet sites for as low as £49. Mr. Uddin had bought this equipment from the online website eBay and implanted it on a number of computers in the university where he was studying. more cue the cat

Tuesday, October 7, 2014

Microsoft's Windows 10 has permission to spy on you!

via Lauren Weinstein...

"Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage."

"If you open a file, we may collect information about the file, the application used to open the file, and how long it takes any use [of] it for purposes such as improving performance, or [if you] enter text, we may collect typed characters and use them for purposes such as improving autocomplete and spell check features." (more)

"Such as" implies more than just two examples. 

Friday, December 20, 2013

Slack Wiretapping Sentence Imposed for Slack Attack on Slack

WV - A former West Virginia sheriff convicted of hacking his now ex-wife's work computer was sentenced to probation Thursday after she made an emotional plea for leniency.

Former Clay County Sheriff Miles Slack exchanged a long hug with Lisa Slack, his friends, and relatives after U.S. District Judge John T. Copenhaver sentenced him to one to two years' probation and fined him $1,000 for wiretapping...


Federal prosecutors say Slack secretly installed a keystroke logger on a computer in the county magistrate court in April where his wife worked. They were married at the time. Slack admitted he intended to monitor her activity.


Slack could have been sentenced to up to five years in prison. (more)

Wednesday, October 23, 2013

Rental Company Settles Spyware Case

The Federal Trade Commission says Atlanta-based furniture renter Aaron's Inc. has agreed to a settlement over allegations that it helped place spyware on computers that secretly monitored consumers by taking webcam pictures of them in their homes.

The FTC said in a Tuesday news release that Aaron's will be prohibited from using spyware that captures screenshots or activates the camera on a consumer's computer, except to provide requested technical support.

Aaron's officials previously blamed individual franchisees for the spyware. But the FTC said Aaron's knowingly played a direct role in the use of the spyware. (more)

Monday, September 23, 2013

Yet Another Good Reason to Conduct TSCM Sweeps

Police have arrested eight men in connection with a £1.3m theft by a gang who remotely took control of the computer system of a Barclays bank branch.

A man posing as an IT engineer gained access to the Swiss Cottage branch in north London on 4 April, fitting a keyboard video mouse (KVM) device, which enabled the gang to remotely transfer funds to bank accounts under its control. (more)