Thursday, October 19, 2017

FutureWatch: After 51 Years MasterCard Boots Signatures

Mastercard Inc. is doing away with a rule requiring merchants to get signatures for transactions made with its credit and debit cards in the United States and Canada.

Announced early Thursday, Mastercard’s rule change goes into effect April 13, 2018, allowing issuers, merchants, and processors time to make adjustments, though merchants can adopt the change sooner, Mastercard says. Mastercard also issued a bulletin about the matter Wednesday afternoon. The new rule does not affect interchange, and applies only to point-of-sale transactions.

A majority of consumers believe that it would be easier to pay and that checkout lines would move faster if they didn’t have to sign for purchases, Mastercard says. more

So, why drop a 51-year-old signature security requirement?

Mastercard announced that it’s adding fingerprint scanners to its “next generation” cards in order to safely verify the cardholder’s identity whenever they’re making in-store purchases. more

Most of Your Employees are Snoops

A new survey of IT security professionals reveals that 92 percent of respondents say employees at their organizations try to access information that is not necessary for their day-to-day work.

The study from identity management company One Identity also shows that IT security professionals themselves are among the worst offenders for corporate data snooping. One in three respondents admit to having accessed sensitive information that is not necessary for their day-to-day work -- showing an ongoing abuse of elevated rights given to the IT security role.

More than one in three (36 percent) of IT pros admit to looking for or accessing sensitive information about their company’s performance, beyond what is required to do for their job. 71 percent of executives admit seeking out extraneous information, compared to 56 percent of non-manager-level IT security team members. Additionally, 45 percent of executives admit to snooping for or accessing sensitive company performance information specifically, compared to just 17 percent of non-manager team members.

In smaller companies the problem is worse... more

No surprise here. Over half of the eavesdropping and information loss issues crossing my path (over the last four decades) are employee related. ~Kevin

Spybuster Tip #712: How to Vacuum Your Amazon Breadcrumbs

Amazon automatically tracks the products you browse on the site and compiles a visual list on your account’s home page, in case you are inspired to follow through with a purchase on a return visit.

If you find this sort of thing more creepy than helpful — or you share a computer and would rather not have others see your shopping whims — you can disable the tracking.

To do that, go to and log into your account. Click the Browsing History link at the top of the main page (just below the search window) to see the recent items you previously viewed while clicking around on the site. At the top of the page, click Manage History. more

Tuesday, October 17, 2017

Spike in Spy Camera Sales Online Causes Concern

Over a period of time, a sales engineer in Singapore amassed 280 obscene films, many of which depicted women in various stages of undress in public bathrooms and changing rooms.

The unsuspecting women, including schoolgirls, were filmed with secret cameras, and Joel Chew Weichen, 27, had collected the films for distribution.

Based on checks by The Straits Times, a worrying trend has emerged - the sale of such cameras is on the rise.

On online shopping platform Lazada, which has more than 600,000 hidden camera products available, sales of such cameras have grown 1.5 times this year compared with last year. The cameras come disguised as clocks, pens and even smoke detectors.

A spokesman said spy pens, which can cost about $12, are the most popular. Spectacles with built-in cameras may cost about $85...

Chew, who was sentenced to six months in jail this month, was the first of five individuals to plead guilty to having the obscene films for distribution.

He was also part of groups that share and download such videos.

The victims were secretly filmed while in bathrooms in cafes, schools, offices, changing rooms of popular fashion outlets, and bathroom showers in private homes. more

Note: An on-line spycam detection training course is available to organizations and individuals.

My Sister Bugged my Teddy Bear

Chicago - Nobody feuds like a rich family with lawyers on the payroll.

But even by the standards of the tony North Shore, the bitter courtroom battles between the children of the late property developer Aaron Israel stand out.

The Israel brothers — Harvey, Alan and David — have been fighting on and off in court with their sister, Diane, and their late father over the family fortune for 25 years.

Now David Israel is suing his sister for more than $1 million, alleging she hired a private eye who bugged his Northbrook office with a recording device hidden inside a teddy bear.

A recently filed federal complaint includes a photo of the scarf-wearing pink bear, which David says he received from a cancer charity. According to the lawsuit, David cut open the bear and found a listening device inside it after he was taunted by an anonymous text-messager who told him about his office being bugged and said there was “a big surprise” inside the bear.

The taunting text and other creepy anonymous messages (including one telling him “A bit hot to be wearing that shirt don’t you think David?”) were sent by a private eye hired by Diane, according to David’s lawsuit, which also alleges that a listening device was installed in a plant pot, and that his Highland Park home and Gold Coast condo were bugged along with his cars.

Though the private eye, Michael Bucon, in April pleaded guilty to planting the bugs, Diane denies the allegations and wants U.S. District Judge Andrea Wood to throw out the lawsuit... more

How the All Blacks Bugging Story Ends

The security consultant who escaped conviction in a bugging case is reportedly back working with the All Blacks in Australia.

Adrian Gard, 52, was placed on a one-year good behaviour bond last month for breaching his security licence when organising a sweep of the Sydney hotel where the All Blacks were staying ahead of a test match against Australia in August of last year. more

Monday, October 16, 2017

Wi-Fi Traffic Open to Eavesdropping

Researchers have disclosed a serious weakness in the WPA2 protocol that allows attackers within range of a vulnerable device or access point to intercept passwords, e-mails, and other data presumed to be encrypted, and in some cases, to inject ransomware or other malicious content into a website a client is visiting...

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks...

A website disclosing the vulnerability said it affects the core WPA2 protocol itself and is effective against devices running Android, Linux, and OpenBSD, and to a lesser extent macOS and Windows, as well as MediaTek, Linksys, and other types of devices.

The site warned that attackers can exploit the flaw to decrypt a wealth of sensitive data that's normally encrypted by the nearly ubiquitous Wi-Fi encryption protocol. "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on." more

Friday, October 13, 2017

Google Home Mini Caught 'Spying' on Owner

A flaw has been discovered in the new Google Home Mini that allows the device to secretly record without the user knowing and send the information to Google.

The flaw was discovered last week by tech blogger Artem Russakovskii and written about on Android Police. Russakovskii, who was given a free sample device before the official launch later this month, first noticed the device continually turned on and off on its own. Later, when he checked the activity logs, he saw that the device was recording without being prompted.

"My Google Home Mini was inadvertently spying on me 24/7 due to a hardware flaw," Russakovskii wrote.

In a letter to Google, he added: "Needless to say, if a listening device records almost every minute of every day and stores it remotely, we're talking about a huge privacy violation." Google then sent out an engineer to pick up and examine the device the next day. They then said the problem stemmed from a glitch on the device's touch pad.

Friday, September 15, 2017

FutureWatch - Microphone with an Ear and Brains, or how to stay ahead of the bad guys...

Clients know how quickly technology advances, and they occasionally ask...

"Aren't you always one step behind the bad guys?"

I've heard some colleagues agree, and even mention it themselves as a pre-sweep hedge against failure, along with the idiotic statement, "All bets are off once we leave." Talk about defeatist logic.

The bad guys question is a good one, however, and there are several answers. All depend upon the mindset of the TSCM team...
  1. Yes, if you buy a detection gadget and only read the instructions.
  2. Yes, if you just surf the Internet for education.
  3. Yes, if you're getting your education from an annual TSCM seminar, or occasional training course.
  4. No, if you pay attention to research papers, newly developing electronic components and processes, before they are used in surveillance devices.
Here is a Number 4 example I came across this week... a very tiny microphone with an ear, a brain, and almost no need to be fed electricity.

Wake-On Sound - Piezoelectric MEMS Microphone
PUI Audio's ZeroPower Listening™ piezoelectric MEMS microphone is designed for ultra-low power, always-listening solutions.

PUI Audio’s PMM-3738-VM1010-R is a single-ended analog MEMS microphone with wake-on sound. The wake-on sound mode allows for detection of voice activity while consuming only 5 μA of supply current (9 μW of power). In wake-on sound mode, a sound in the vocal band above the level threshold instantly alerts a processor of an acoustic event. The processor (DSP or voice processor) then switches the PMM-3738-VM1010-R into normal mode, with full audio output within 100 microseconds, fast enough for the microphone to capture the triggering sound and pass it along for processing. This is the system architecture for ZeroPower Listening.

Wake-on sound delivers voice activation to battery-powered voice-interface consumer devices, such as smart speakers, smart TV remote controls, smart headphones, and IoT smart home products, while drawing nearly zero power. 

PUI Audio’s PMM-3738-VM1010-R, the first wake-on sound MEMS microphone, brings voice activation to battery-powered devices of all kinds. Drawing a scant 5 μA of current while in listening mode, PUI Audio’s newest piezoelectric MEMS microphone is the only device that uses sound energy itself to wake a system from full power-down. 

The PMM-3738-VM1010-R features a configurable voice zone, allowing voice in a 5 foot to 20 foot radius-zone to trigger the system and increase to a higher-power mode. When the environment is quiet, the system can enter the low-power "wake-on-sound" mode.

Imagine the new types of eavesdropping devices this microphone will make possible.

Combine this with a battery powered bug that recharges using ambient radio-frequency signals, and you have a sleeper bug that could (theoretically) last forever. 

The bad guys probably haven't built and deployed this yet, but when they do, it won't be a surprise to us.

The posts tagged FutureWatch you see in the Security Scrapbook are examples of Number 4 attention to detail. Here are some more...

Tuesday, September 12, 2017

New Clickless Bluetooth Attack - Billions of Devices Vulnerable

Researchers have devised an attack that uses the wireless technology to hack a wide range of devices, including those running Android, Linux, and, until a patch became available in July, Windows.

BlueBorne, as the researchers have dubbed their attack, is notable for its unusual reach and effectiveness. Virtually any Android, Linux, or Windows device that hasn't been recently patched and has Bluetooth turned on can be compromised by an attacking device within 32 feet. It doesn't require device users to click on any links, connect to a rogue Bluetooth device, or take any other action, short of leaving Bluetooth on. The exploit process is generally very fast, requiring no more than 10 seconds to complete...

"Just by having Bluetooth on, we can get malicious code on your device," Nadir Izrael, CTO and cofounder of security firm Armis, told Ars. "BlueBorne abuses the fact that when Bluetooth is on, all of these devices are always listening for connections."
Patch now, if you haven't already. more

Friday, September 8, 2017

Cautionary Tale: Spycams in Schools

As the school season starts, it's time to remind children to be alert for spycams. Unfortunately, this is a story which pops up at least once or twice per month. Different players, same teacher v. student scenario...

Canada - A gymnastics coach who secretly filmed his young athletes using the toilet has received a two-year sentence for making and possessing child pornography. 

Just one of many disguises.
Angelo Despotas, 48, betrayed the trust of the students he was supposed to be teaching, guiding and inspiring, provincial court Judge Jim Threlfall told a sentencing hearing in Kelowna, B.C.

"The damage done to the victims is incalculable," Threlfall said. "Many of the victims had trained with him for years."

Despotas earlier pleaded guilty to the charges and received two consecutive sentences of 14 months for making child pornography and 10 months for possessing it. more

Wednesday, September 6, 2017

The Good News, Bad News VPN Joke

In January this year, China announced a 14-month campaign to crack down on VPNs in a bid to tighten online surveillance ahead of the 19th National Congress of the Communist Party of China which opens in October....

Unlike individual users, multinational firms operating in China are still permitted to use VPNs in what amounts to something of a legal grey area, but it is likely that this usage will be restricted to software approved by the government, which will presumably have backdoors installed to allow eavesdropping, raising fears of an increase in industrial espionage activities. more

Apple Watch is Center of Sports Spying Scandal

For decades, spying on another team has been as much a part of baseball’s gamesmanship as brushback pitches and hard slides. The Boston Red Sox have apparently added a modern — and illicit — twist: They used an Apple Watch to gain an advantage against the Yankees and other teams.

Investigators for Major League Baseball have determined that the Red Sox, who are in first place in the American League East and very likely headed to the playoffs, executed a scheme to illicitly steal hand signals from opponents’ catchers in games against the second-place Yankees and other teams, according to several people briefed on the matter...

The Yankees, who had long been suspicious of the Red Sox’ stealing catchers’ signs in Fenway Park, contended the video showed a member of the Red Sox training staff looking at his Apple Watch in the dugout. The trainer then relayed a message to other players in the dugout, who, in turn, would signal teammates on the field about the type of pitch that was about to be thrown, according to the people familiar with the case.

Baseball investigators corroborated the Yankees’ claims based on video the commissioner’s office uses for instant replay and broadcasts, the people said. more

What's with Boston anyway?!?! Spying football team. Spying baseball team. Ugh.

Extra Credit: Turn Your iPhone into a Spy Camera Using Your Apple Watch [How-To]
Put this in your pocket to be extra covert. ~Kevin

"So, we created a picture of our suspect from DNA sweat found on the bugging device."

Damn interesting...
Identification of Individuals by Trait Prediction Using Whole-genome Sequencing Data

Researchers from Human Longevity, Inc. (HLI) have published a study in which individual faces and other physical traits were predicted using whole genome sequencing data and machine learning. This work, from lead author Christoph Lippert, Ph.D. and senior author J. Craig Venter, Ph.D., was published in the journal Proceedings of the National Academy of Sciences (PNAS).
The authors believe that, while the study offers novel approaches for forensics, the work has serious implications for data privacy, deidentification and adequately informed consent. The team concludes that much more public deliberation is needed as more and more genomes are generated and placed in public databases. more

Wiretapping Gained Interest This Week... and why.

There was a big spike in wiretap searches this week...
Here's why...
Justice Department: No evidence Trump Tower was wiretapped