Tag Archives: Surveillance

The Challenge of Privacy

Everyone has heard about the Federal Trade Commission fining (tentatively) Facebook $5 billion for sharing your data – with Cambridge Analytica – without your permission.

The FBI has sought proposals for third parties to hoover up everything that is visible on social media and build a database so the FBI can search it for information on activities that you do that they think is sketchy.

The FBI wants to search your stuff by location (neighborhood), keywords and other functions.

Which seems to me to be precisely what Facebook is being fined $5 billion for allowing Cambridge Analytica to do.

Except the FBI wants to do this not just with Facebook, but with all social media platforms combined.

Not to worry.  I am sure that it will be secure.  And not abused.  And not used for political purposes.  After all, we are from the government and…..

The FBI wants to capture your photos as well.

Of course, doing so would violate the terms of service of every social media platform, so unless they do it secretly or Congress passes a law nullifying the social media terms of service, it is likely that the platforms will terminate the accounts if they detect it.  *IF* they detect it.  Given the relationship between social media and DC, they may be motivated to stop it.

However, it is already being done by private companies, in spite of the prohibition, to sell to marketers, so who knows.

Facebook and Instagram actually have a ban on using the platform for surveillance purposes.

From a user perspective, there is likely nothing that you can do other than stop using social media.  It is POSSIBLE that if you stop making posts public (and instead only make them visible to your friends), that MIGHT stop them from being hoovered up.

If you stop using the platforms, that will make Facebook, Twitter and other platforms sad.

Smart terrorists will shift to covert platforms to make detection harder.

The good news is that there are not very many smart terrorists.

Source: ZDNet


Security News Bites for the Week Ending April 5, 2019

Oops – Office Depot Mimics Phone Phishers

Thanks to reader Gina for this one.  Office Depot got caught scamming its customers: when they asked Office Depot and its vendor Support.com to scan their computers, they were told they had (fake) malware on them.

No, they didn’t have malware – just a bill for unneeded services.

While taking your computer to Office Depot or Best Buy is convenient and inexpensive, historically it has not always worked to your advantage.

Office Depot will pay $25 Mil in fines; Support.com another $10 Mil.  Source: Ars Technica.

FBI Doesn’t Warn Hacking Victims of Their Rights

The FBI’s Office of Inspector General says that the FBI does not warn victims of international cyber-espionage that their data was under attack, say by the Russians.

The OIG says that FBI victim letters were almost never sent in national security cyber cases.

The FBI’s Office of Victim Assistance blames outdated guidelines.  An AP investigation showed that only a handful of the victims of Russian hacking during the 2016 election season received any assistance from the FBI.

This is consistent with my post this week titled “Who *IS* going to rescue us”.  Plan on protecting yourself.  Source: Seattle Pi.

Earl Restaurants Admits Breach – Likely 2 Million Cards Hacked

Earl Enterprises, parent of Buca di Beppo, Earl of Sandwich, Planet Hollywood and other brands, finally admitted that its point of sale system was hacked.  It had been hacked for almost a year before someone told them.  No, they did not find it themselves.

They are not providing any details; not even information on how many cards were stolen.  They are also not offering any support to the victims other than a web page FAQ and a call center to complain to.  Beyond that, you are on your own.  Source: Brian Krebs.

Lock ‘Em Up!

No, I am not talking about our President at a campaign rally.

But I am talking about a Presidential candidate.

Elizabeth Warren wants to make sure that CEOs who are at the controls of companies that have large breaches, like Equifax, are held accountable.

For companies that earn more than a billion dollars in revenue, the consequences of a breach could be a year in jail.  Repeat offenders could get three years in jail.  Source: Ars Technica.

More on Hidden Cameras in Rental Properties

In March I wrote about the problem with hidden cameras in rental properties and hotel rooms (see post here).  This week there was an article in CNN discussing this very issue.

A family with five kids is travelling around the world, and when they arrived in Ireland the father scanned for WiFi signals and found a hidden camera that was livestreaming their stay.  The article didn’t say whether scanning for cameras was their normal practice.

The owner would not confirm whether there were more cameras, so the family moved to a hotel, but AirBnB would not refund their money.

In fact, initially, AirBnB claimed to investigate the owner and after the investigation, said there was no problem and reinstated the listing.

Only after they posted the item on social media and the local New Zealand news stations picked up the item did AirBnB understand the potential brand damage and refund their money.



Hidden Cameras in Your Vacation Rental or Hotel Room?!

After you are done gasping — it is not a far fetched scenario, at least for vacation rentals.  There have been many stories of AirBnB rentals having surveillance cameras – even though their agreement requires that they be disclosed if present.

When it comes to hotels, it is much more likely that those cameras were placed there by pervs rather than by the hotel staff.  Remember the Erin Andrews nude video story?  (See story here if you don’t remember it.  Note:  this is suitable for work – there are no pictures, just the story).

On the other hand, if you are in a foreign country, hotel video cams are more common, especially if you are an American executive, work for a tech company or have a security clearance.  If you do travel internationally and need a defensive security briefing, contact us.

First, a warning.  For international travelers, even detecting surveillance cameras, never mind disabling them, can literally be hazardous to your safety, depending on the country.

This advice comes from a guy, nicknamed Monk, who does counter-surveillance for members of the U.S. military’s Special Operations Command among many others, so I take his advice at face value.

There are three primary methods for checking for hidden surveillance devices.  Remember some of these cameras are maybe a quarter inch across, so they are not easy to see.  They can be hidden in almost anything, including light fixtures, bedside radios, smoke detectors and other places.

The three methods are scanning for transmissions, detecting the lenses and physical search.  Many devices that will help can be purchased online for less than $100, but remember this is an art, not an exact science.

Scanners only work, of course, when the device is transmitting.  This MAY not be a big problem because the smaller devices likely don’t have a lot of storage, so they have to transmit often.

Lens detection works quite well, but there is a technique to develop.  And, it requires a lot of patience. Physical detection works quite well also, but you have to have an idea of what a bug might look like and you have to be willing to disassemble stuff like your bedside radio or the smoke alarm.

I have a sample video of foreign intelligence officials “reviewing” a hotel room when the occupant was gone, so that is definitely real.

As I said, this is not an exact science, but a mixture of all three is probably going to serve you best.

First thought – where are they going to hide a camera?  Kind of depends what they want.  If they want compromising video, it needs a clear line to the bed.  If they want your userid and password, it needs a clear line to your desk.  Remember, top down is fine, so the ceiling is a good candidate.

Alarm clocks, outlets, surge protectors and lamps are all good locations because they have a built in source of power that won’t raise any suspicions.

This is not meant to be a complete how-to article.  That would require way more ink.  Mostly, it will warn you of the risk (and probably scare you).

Hiding cameras in air vents and returns provides good cover because the cameras, electronics, power and storage can be bigger but still hidden.

The article suggests that you ask for a room change, but if you are being targeted, they will just put you in another room with built in surveillance.  Instead, block the suspected camera.  Turn the lamp camera to face the wall.  If it gets turned back the next time the room is serviced, you were probably right.  Point the alarm away from the bed, etc.

While this story may scare the bejibbers out of you, remember that most of the time the surveillance is there to record damage to the owner’s property, although Erin Andrews’ surveillor had different ideas.  Different ideas also apply if you are a higher risk business person.  AND do not fall for the “who would want to steal stuff from me” ruse.  Higher value business person is a relative term.

Just in case you think I am paranoid (well, that is valid, I am), here is a link to an article by entertainer Kim Komando, who hosts a weekly show on tech.  It is real.  What we don’t know is how prevalent it is.  No idea.

Information for this post comes from USA Today.


Friday News for May 11th, 2018

Irish High Court Deals Blow to Facebook

In yet another case that could deal a blow to the way that Facebook and others transfer data between the EU and the US, the Irish High Court told Facebook that it would not stay its “referral” to the European Court of Justice.  The case in question is a ruling about whether “Standard Contract Clauses” and the U.S. Privacy Shield provide sufficient protections for E.U. residents’ private data.  Facebook wants to appeal the decision to turn the question over to the ECJ to the Irish Supreme Court, because the last place it wants to be is at the ECJ, which ruled against it in the last privacy suit, the one that destroyed the predecessor to Privacy Shield, Safe Harbor (Source: Reuters).

Georgia Governor Vetoes Cybersecurity Bill

The Georgia legislature recently passed a cybersecurity bill that would have likely criminalized cybersecurity research and allowed so-called hack back attacks where victims can hack the hackers (what could possibly go wrong when security novices go after professional hackers?).  The law, written by lawyers, was so vague that it might have made reporting a vulnerability a crime.  Equally likely, the large cybersecurity firms with offices in Georgia would have left the state, and security researchers at Georgia universities would have likely found more understanding states to do their research in.  Faced with a horribly drafted bill and the prospect of losing hundreds or maybe thousands of high paying jobs, the governor did the expedient thing – he vetoed the bill and told the legislature to find someone who knows something about security before it writes the next version (Source: CSO Online).

IBM Bans All Removable Storage

IBM has issued a new company-wide policy that bans ALL FORMS OF REMOVABLE STORAGE from the company.  IBM’s Global Chief Information Security Officer made the announcement saying “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.” IBM isn’t saying “Why now?” , but likely someone screwed up big time.

That being said, it is relatively easy to technically implement this ban and, if done alongside a policy on the appropriate use of services like Dropbox, Box, OneDrive and others, it likely will reduce certain types of information leakage.

What is or should be your company’s policy?  (Source: Gizmodo)

Beware of those Browser Extensions

Social engineering is still a very popular way to get you to load malware.  Researchers are warning people of a campaign, said to have already infected a hundred thousand users, where people are lured to click on a link on social media which redirects them to a page that tells them that they have to install a plugin or browser extension to continue reading the page.  DON’T!  Once the software is invited in by the user, it steals passwords for a variety of accounts.  Other variants of this type of attack could, for example, empty your bank account when you log in to your bank or forward all of your email to the hacker.

If you think you need a plugin or browser extension to view a page and  it is not already installed, independently find that extension and install it from the vendor’s site.  Make sure that the site is not one with a name similar to the real site (think App1e is not Apple, for example) that hackers have set up to fool you (source: The Hacker News).
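As an added example (my own code, not from the original post or The Hacker News), here is a small Python check of the kind the advice above implies: given a list of vendor domains you actually trust, it flags hostnames that are lookalikes of them, whether by a digit-for-letter swap such as App1e, by a one-character typo, by a Unicode homoglyph (a Cyrillic а in аpple.com, which also arrives on the wire as the punycode label xn--pple-43d), or by hiding the trusted name as a subdomain of something else.  The trusted list, the confusable table and the hostnames in the demo are constructed for this example.

```python
import unicodedata

# Constructed for this example: the vendor sites you actually intend to download from.
TRUSTED = ("apple.com", "google.com", "mozilla.org")

# Characters and pairs routinely swapped for one another in lookalike names.
# Deliberately small; the Unicode confusables data is the real source.
CONFUSABLE = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                   # Cyrillic с х у
}


def decode_label(label):
    """Turn a punycode label (xn--...) back into Unicode so homoglyphs are visible."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed punycode: leave it, it will not match anything
    return label


def skeleton(name):
    """Reduce a name to the Latin string a human would read it as."""
    s = unicodedata.normalize("NFKD", name.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents: é -> e
    for fake, real in CONFUSABLE.items():
        s = s.replace(fake, real)
    return s


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions (appel/apple = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host):
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a hostname."""
    labels = [decode_label(l) for l in host.lower().rstrip(".").split(".")]
    if len(labels) < 2:
        return "unknown"
    # Assumes simple two-label registrable domains (apple.com, not apple.co.uk).
    domain = ".".join(labels[-2:])
    subdomains = labels[:-2]
    if domain in TRUSTED:
        return "trusted"
    name = skeleton(labels[-2])
    for trusted in TRUSTED:
        t_name = trusted.split(".")[0]
        # Same brand with a swapped character, a one-character typo, or a different TLD.
        if osa_distance(name, t_name) <= 1:
            return f"lookalike of {trusted}"
        # Trusted name used as a subdomain of some other registrable domain.
        if any(skeleton(s) == t_name for s in subdomains):
            return f"lookalike of {trusted}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample hostnames, as they might appear in a download link.
    for h in ("www.apple.com", "app1e.com", "appel.com", "apple.com.evil.net",
              "xn--pple-43d.com", "example.org"):
        print(f"{h:24} {classify(h)}")
```

A hostname that comes back as unknown is not thereby safe; it is simply not a lookalike of anything on your list, so the vendor-site check still applies.  The distance threshold is kept at one edit to limit false positives on unrelated short names; raising it catches more typosquats at the cost of more manual review.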

The Dangers Of Government Surveillance

The conversation often comes up about trusting the government with all of the data that they have of ours.   Some people say there is nothing to worry about if you didn’t do anything wrong.

And then reality creeps in.

Sheriff Cory Hutcheson of Mississippi County, MO, used a service sold by Securus Technologies that is meant to record and track phone calls to and from prisoners.

Unfortunately, he used it to track the calls of a judge and members of the State Highway Patrol.  This allowed him to obtain the location and call data of these people.  And anyone else he wanted to.

Securus requires someone to upload a document authorizing the request and to certify that the activity is legal – basically, pinky swearing.

When the sheriff was arrested and the media went to Securus to ask about their practices, they said they weren’t judges or lawyers, so, basically, they just trust people.

Sometimes trust is good, but verifying is usually better.

How much of this activity goes on – who knows (Source: NY Times)?
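As an added illustration of the verify-not-trust point (my own sketch, not Securus’s system and not anything the Times described), here is what a location-lookup gateway looks like when the authorizing document has to check out cryptographically instead of being pinky sworn: the order must come from a court whose key the provider has on file, must not have been altered, must not have expired, must name the person making the request, and must list the number being looked up, and every request, allowed or denied, is written to an audit log.  The court names, keys, user names and phone numbers are constructed; the standard library’s HMAC stands in for the court’s signature so the example runs offline, where a real deployment would verify a signature with the court’s public key.

```python
import hashlib
import hmac
import json

# Constructed sample data: the courts allowed to issue tracking orders and their keys.
# In a real deployment these would be public keys and the court would sign with its
# private key; a per-court HMAC secret is a stand-in so the example runs offline.
COURT_KEYS = {
    "circuit-court-33": b"court-33-demo-key",
}


def canonical(fields):
    """Serialise the order fields deterministically so the MAC covers exactly them."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_order(issuer, requester, targets, valid_until, key):
    """Court side: an order binding issuer, requester, target numbers and expiry."""
    fields = {"issuer": issuer, "requester": requester,
              "targets": sorted(targets), "valid_until": valid_until}
    mac = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "mac": mac}


def verify_order(order, now):
    """Return None if the order checks out, otherwise the reason it does not."""
    fields = order.get("fields", {})
    key = COURT_KEYS.get(fields.get("issuer"))
    if key is None:
        return "issuer is not a recognised court"   # self-certified paperwork lands here
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, order.get("mac", "")):
        return "signature does not verify"          # altered after the court signed it
    if now > fields["valid_until"]:
        return "order has expired"
    return None


def lookup_location(order, requester, target, now, audit):
    """Gateway in front of the carrier location API: every request is checked and logged."""
    reason = verify_order(order, now)
    if reason is None and requester != order["fields"]["requester"]:
        reason = "order was issued to a different requester"
    if reason is None and target not in order["fields"]["targets"]:
        reason = "target is outside the order's scope"
    decision = "allowed" if reason is None else f"denied: {reason}"
    audit.append({"time": now, "requester": requester, "target": target, "decision": decision})
    return decision


def demo():
    """Run the constructed scenario; returns the decisions and the audit trail."""
    audit = []
    now = 1_700_000_000
    court_key = COURT_KEYS["circuit-court-33"]
    good = issue_order("circuit-court-33", "deputy.smith", ["+15735550101"], now + 100_000, court_key)
    # A self-certified "authorization" uploaded by the requester, with no court key behind it.
    forged = issue_order("sheriff-office", "sheriff.h", ["+15735550199"], now + 100_000, b"whatever")
    results = [
        lookup_location(good, "deputy.smith", "+15735550101", now, audit),            # in scope
        lookup_location(good, "deputy.smith", "+15735550199", now, audit),            # the judge's number
        lookup_location(good, "sheriff.h", "+15735550101", now, audit),               # someone else's order
        lookup_location(forged, "sheriff.h", "+15735550199", now, audit),             # pinky-swear document
        lookup_location(good, "deputy.smith", "+15735550101", now + 200_000, audit),  # after expiry
    ]
    return results, audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The scope check is what stops a valid order for one number being reused against a judge’s, and the audit line is what lets the provider answer “how much of this goes on” from its own records rather than shrugging.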
