Tuesday, January 29, 2013

Are DARPA's dissolvable electronics the future of espionage?

America's Defense Advanced Research Projects Agency (DARPA) doesn't want our military technology to fall into enemy hands, where it could be studied, reverse engineered, and possibly used against us. That's why the Pentagon's research arm is investing significant resources into developing battlefield electronics that, literally, disintegrate on command.
Above is a small piece of hardware that's part of a program called VAPR, or Vanishing Programmable Resources. Essentially, it's a thin sheet of programmable silicon, magnesium, and silk that dissolves when liquid is introduced. Imagine littering a battlefield with VAPR sensors to collect intel on the enemy. Once our soldiers complete their objective, a button is pressed, liquid is introduced, and hundreds of sensors quietly vanish in the blink of an eye. While self-destructing technology is nothing new, these electronics don't leave any blown-up parts behind to collect. Researchers even imagine implanting them in our soldiers' bodies to monitor their health remotely.
More here: http://theweek.com/article/index/239366/watch-are-darpas-dissolvable-electronics-the-future-of-espionage

Man Arrested On Suspicion Of Business Espionage

He is due to be interviewed at an Oxfordshire Police Station and a search of his property is being carried out. The man has been arrested on suspicion of offences under the Computer Misuse Act.
The arrest forms part of Kalmyk, an operation relating to computer hacking offences. Kalmyk is a sub-operation under Operation Tuleta, which is looking into breaches of privacy related to the hacking scandal that embroiled News Corporation and other media outlets.
There have been 20 arrests so far under Operation Tuleta. In August, a former Times journalist was arrested, whilst in September a 33-year-old man was arrested in South London on suspicion of breaking the Computer Misuse Act.
This is one of the first cases under Tuleta to relate to business espionage, however.
More here: http://www.techweekeurope.co.uk/news/met-arrest-business-espionage-operation-tuleta-105745

Thursday, January 24, 2013


ComSec LLC Appoints Keesling Director of New Healthcare Cyber Defense Initiative (via PR Newswire)

Healthcare is entering a fight against an opponent that is already armed with advanced tools and techniques that have been field tested against the global financial giants for years VIRGINIA BEACH, Va., Jan. 24, 2013 /PRNewswire/ -- Healthcare data breaches are rapidly outpacing those of the financial…

Monday, January 21, 2013

Hackers "own" Philips XPER medical management system

Security experts hack a Philips XPER medical management system, finding vulnerabilities that would allow them to "own" the machine and control any other medical systems connected to it.

Researchers at security services firm Cylance Inc. uncovered a vulnerability in a Philips(NYSE:PHG) XPER medical management system, exploiting a security flaw to "own" the machine.
The weakness gave the hackers complete control of the machine, one which they had purchased for testing purposes, and gave them access to any devices subsequently connected to it, which may include patient data, they told reporters.
"Anything on it or what's connected to it was owned, too," Cylance's Billy Rios told tech security news site Dark Reading. "By design, these things connect to a database."  
Philips' XPER system "manages other devices," Rios added, which means that a hole in its security compromises other technologies that deliver information to or take orders from the system.
Once hacked, "you can do anything you want to it," he said.
More here: http://www.massdevice.com/news/hackers-own-philips-xper-medical-management-system

Friday, January 18, 2013

iHelicopters releases iSpy Tank, an “iPhone controlled spy tank”

We seem to have had a whole bunch of new iPhone-controlled accessories recently, the latest of which being the iSpy Tank. Made by iHelicopters, this tiny iOS accessory is exactly what  it says on the tin, a tank with a camera for spying on your friends and family in real time.
The tank uses Wi-Fi to connect to your iDevice, and once set up, you are free to record video and take pictures using the on-board webcam.
While not the most discrete or feasible spying weapon (it’s bright white and has headlights), this is probably one of the coolest iPhone controlled accessories out there, and at $99, it’s priced pretty reasonably. If you fancy one, head on over to iHelicopters.net and hand over your money.
Check out the dubstep-filled video of the iSpy Tank for a closer look:

Thursday, January 17, 2013

USB sticks infect two power plants with malware

A US power plant was recently hit by a virus thanks to an infected USB stick, a report from the Department of Homeland Security has revealed.

The virus, a Trojan used for identity theft, was unwittingly introduced by a technician working for a third party contractor, and kept the power plant offline for three weeks.

"When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits," says the DHS's Computer Emergency Readiness Team (ICS-CERT) in a report.

"Initial analysis caused particular concern when one sample was linked to known sophisticated malware."

The malware, it says, was found on two engineering-based workstations that are critical to the control of the power station. Neither workstation had any effective backup, it says.

And ICS-CERT says another unidentified power plant was also hit by a more sophisticated virus, again introduced on a USB stick. The infection, in a turbine control system, affected around ten computers.

"ICS-CERT continues to emphasize that owners and operators of critical infrastructure should develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable
media," says ICS-CERT.

Wednesday, January 16, 2013

B.C. Health Ministry data breach affects millions.

The personal health data of more than five million British Columbians was improperly stored or accessed, said B.C. Health Minister Margaret MacDiarmid, Monday.
The information was used by researchers for research only, MacDiarmid said, however regarding the most serious alleged privacy breach, letters will be sent out to 38,000 individuals this week.
“The ministry has confirmed that there have been three instances of health data that has been inappropriately accessed and the public needs to be aware of these,” MacDiarmid said, in a press conference.
The Health Ministry’s has been investigating allegations of conflict of interest, along with inappropriate conduct, data management and contracting out in its pharmaceutical services division since May.
Ministry investigators are looking at alleged privcy breaches regarding the storing and sharing of provincial and federal health data as well as research grant practices between Health Ministry employees and researchers at the Univeristy of Victoria and University of B.C.
In an update of the nine-month probe of “tens of thousands” of computer records dating back several years, MacDiarmid served up three examples of alleged wrongdoing Monday.
The alleged breaches in June 2012 and October 2010 do not include personal names, social insurance numbers or financial information.
However, they do include personal health numbers, birthdates, postal codes and in one case in which Statistics Canada data was being used, the breaches included information pertaining to individuals’ mental, physical and sexual health status.

Businesses Overconfident on Cyber Security: Study

Businesses are overconfident about their cyber security and should treat data security breaches as inevitable, according to an article from Computer Weekly.
A new study from business advisory firm Deloitte shows that 88 percent of companies in technology, media and telecommunications (TMT) do not think they are vulnerable to an external cyber threat, the article says.
Although 68 percent of companies say they understand their cyber risks and 62 percent say they have a program in place to address those risks, 59 percent experienced a security breach, according to Deloitte’s sixth annual Global TMT Security Study.
More than half of those polled were aware of security breaches in the past year.
Deloitte says that companies should invest significant time and effort in detection and response planning. But despite the importance of such a disaster recovery plan, only half of companies have this planning in place, the article says. James Alexander, lead partner for TMT security at Deloitte, says that these statistics show that companies are “being overconfident in their resilience.”
Companies rated mistakes by their employees as the top threat, with 70 percent highlighting a lack of security awareness as a vulnerability. However, only 48 percent offer general security-related training, the article says.
Especially as smartphones and other personal, portable devices enter the workplace, business data and personal software applications mingling in a single device makes mobile devices a prime target for hackers and provides new opportunities for attack, Deloitte says in the report.
The study shows that only 52 percent of companies polled had a BYOD (bring your own device) policy, although 74 percent of respondents considered the increased use of mobile devices as a vulnerability.

Monday, January 14, 2013

Kaspersky Lab Unearths Cyber-Spying Operation, Christens It ‘Red October’

The Russian antivirus firm that first fingered Stuxnet as a state-sponsored cyberattack is outing massive clandestine digital operations once more. This time, Kaspersky Lab says they’ve uncovered a massive, years-long cyber-espionage campaign. The perpetrators: unknown. Demonstrating a rather charming flare for the dramatic, the Moscow-based researchers have dubbed the network “Red October.”
We had long suspected the lads and ladies of Kaspersky were Tom Clancy types.
Researchers announced the discovery in a blog post:
During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.
Whoever it was tipped Kaspersky to the malware “prefers to remain anonymous.”
The perpetrators target organizations in the Russian Federation, Eastern Europe, and Central Asia–but North America and Western Europe aren’t immune, either. “Hundreds” worldwide have been affected, across categories like military, research institutions, aerospace, oil and gas, and so forth–”all of them in top locations such as government networks and diplomatic institutions.”

Friday, January 11, 2013

Cybersecurity regulation: 5 issues for companies

Federal overnight of cybersecurity practices is coming

WASHINGTON (MarketWatch) — Hardly a day seems to go by without news of a cyber-attack or dire warnings about the vulnerability of our nation’s critical computer networks.
Most people believe that the government must do more to regulate cybersecurity practices, particularly in industries that own or operate “critical infrastructure,” that is, infrastructure that could cause significant disruptions or damage to our daily lives if subjected to a cyber attack.
The owners and operators of such infrastructure — for example, oil and gas pipelines, chemical refineries, transportation systems, financial institutions, hospitals, nuclear reactors, dams and agricultural infrastructure — will likely see more government oversight of their cybersecurity practices in the coming years.
What will such regulation look like? How will a company’s cybersecurity practices and the ways in which it documents and implements them be affected by the increasing government oversight headed our way?

Thursday, January 10, 2013

Man admits to paying hospital employees to steal patient data

A Central Florida man associated with medical centers and an injury hotline admitted in federal court that he paid Florida Hospital employees to steal patient information.

Federal authorities say Sergei Kusyakov, who was involved with Metro Chiropractic and Wellness Center and City Lights Medical Center, illegally obtained private information about patients through Dale Munroe II and his wife, Katrina Munroe, who worked at Florida Hospital's Celebration campus.

Authorities said Dale Munroe accessed more than 763,000 records for patients treated at various Florida Hospital locations. He focused on patients who were in automobile accidents, and inappropriately reviewed in detail more than 12,000 patient records. Prosecutors said that from 2009 until July 2011, Munroe accessed patient data while working as a registration representative in the emergency department.

Kusyakov paid Munroe for the patient information, and then Kusyakov and other conspirators used the information to solicit patients for lawyers and chiropractors.

Some patients received a phone call within days after their visit to a Florida Hospital campus, prosecutors said. The caller knew specifics about the vehicle accident and the patients' treatment at the hospital. If the patient asked the caller how they received their personal information, the solicitor either hung up, or tried to give an excuse that the information was public record.

Prosecutors said one of the phone numbers used by one of the solicitors was linked to Kusyakov. Investigators found Kusyakov paid Munroe and his wife more than $10,000 for their work.

Dale and Katrina Munroe each pleaded guilty to federal charges and are awaiting sentencing. Visit the Orlando Sentinel for the article.

Tuesday, January 8, 2013

Control, Monitor & Track Your Car With Your Phone

Smartphones have become our cameras, our radios, and our wallets, and they'll continue to become more central in our lives -- at least until they're integrated into eyeglasses or contacts or some kind of high-tech implant.
If you've been paying attention to auto news, you also know that phones are becoming substitutes for car keys. Rides like the Chevrolet Volt and Nissan Leaf allow owners to unlock their vehicles with a smartphone app, as well as check vehicle status.
So far, such high-tech wizardry has been limited to new vehicles, but at this week's Consumer Electronics Show in Las Vegas, Delphi has debuted a new gizmo that will offer similar functionality to nearly anyone driving a car with an onboard diagnostics port.
The device is called -- for now, anyway -- "Vehicle Diagnostics", and it plugs directly into the OBD-II port that's been found under the dashboards of U.S. vehicles since 1996. According to an official press release, the tool will allow owners to:
  • Open a vehicle without a key.
  • Find their vehicle without going through an elaborate tagging process.
  • Check up on vehicle stats and engine health.
  • Monitor driving behavior (useful for parents with teen drivers at home).
  • Track and geo-fence a vehicle. (The gadget updates its location every five seconds and can send alerts when the car wanders outside certain pre-established boundaries.)
  • Keep simple trip logs for taxes and expense reports.

Read more: http://www.foxnews.com/leisure/2013/01/07/new-device-lets-control-monitor-car-with-your-phone/?intcmp=features#ixzz2HOd9xLEH

Monday, January 7, 2013

John McAfee claims:'I was a spymaster'

Former software entrepreneur John McAfee has claimed that he masterminded a spying ring that used computer hacking and "pillow talk" operatives to solicit information from high ranking officials. 

American McAfee, who founded the antivirus firm that bears his name and at one stage was worth over $100 million, went on the run at the end of last year after being accused of murdering his next door neighbor in Belize. 
He in turn accused the government of a conspiracy against him and claimed that he would be killed if the Belizean police tracked him down. McAfee is now back in the US after slipping across the border into Guatemala

On his blog, McAfee said last week that following a raid by Belize police at his home in April 2011, he decided to take revenge on the government authorities. 

McAfee claims to have purchased 75 cheap laptops and installed invisible keystroke logging software on all of them, meaning they would feed him files and data on command. 

He says that he then repackaged the laptops as though they were new and sent them as presents to "government employees, police officers, Cabinet Minister's assistants, girlfriends of powerful men, boyfriends of powerful women". 
"I hired four trusted people full time to monitor the text files and provide myself with the subsequent passwords for everyone's e-mail, Facebook, private message boards, and other passworded accounts," he explained in the post.

"The keystroke monitoring continued after password collection, in order to document text input that would later be deleted. So nothing was missed."

Read more: http://www.digitalspy.com/tech/news/a449121/john-mcafee-claims-to-have-created-spying-operation-i-was-a-spymaster.html#ixzz2HKwIvsgK

V K Singh demands probe into alleged bugging at his residence

Former Army Chief General V K Singh on Monday demanded a probe into the alleged bugging attempt at his residence in Delhi last week, and wanted the identity of the person who had instructed the officer to enter his home to be made public.
“The identity of the person who had ordered the officer to go to my residence should be disclosed and the matter should be probed to ascertain why the officer entered and roamed around in my house without permission,” Singh said on the sidelines of a function.
On Saturday, an Army officer had landed at Singh's house in Delhi Cantonment apparently to remove a telephone exchange from there. It was seen by Singh's family as an attempt to install snooping device, after which the Army apologised.
The family had claimed that Major R Vikram from 1st Signals Regiment entered their house without prior permission and may have been trying to bug their telephones.
“The matter is related with a former Army chief – an institution and not an individual, so things should be clear,” Singh demanded.
“I blame neither the officer nor the Army, but the person who ordered him to go to my house, is responsible for this entire issue and his intention should be revealed,” he said.
Asked about the withdrawal of his security cover, Singh said it was “deliberately highlighted”.

Friday, January 4, 2013

Android, iPhone are Top Fraud Targets, Study Finds

A Javelin Strategy & Research report on mobile payments found that the two most popular smartphone platforms are targets for fraudsters.

Consumers who use Android and iPhone devices to conduct mobile payments and mobile banking are top targets of fraudsters, according to a new report from Javelin Strategy & Research.
The research firm says that Android is especially vulnerable in the $20 billion mobile payments market because of its large and growing user base and open source platform. However, according to Javelin, the 33 million iPhone users are also attractive targets, as they spend more on average and shop more frequently with their smartphones than Android users. Javelin found that iPhone users spend 49% more money shopping through the mobile browser on their phone than through mobile apps, with $2.7 billion spent via mobile browser and $1.8 billion spent through an app.
Likewise, Android users spent 38% more, making $2.9 billion in mobile payments through their mobile browser, and $2.1 billion through the mobile app. Users of all other smartphones spent approximately $1.3 billion via a mobile browser.

Office Phones Vulnerable to Eavesdropping Hack

This small gadget can be attached to a single Cisco IP phone and turn an entire company's network into a sophisticated bugging device within seconds, researchers say.

High-tech telephones common on many workplace desks in the U.S. can be hacked and turned into eavesdropping devices, researchers at Columbia University have discovered.
The hack, demonstrated for NBC News, allows the researchers to turn on a telephone's microphone and listen in on conversations from anywhere around the globe. The only requirement, they say, is an Internet connection.
Doctoral candidate Ang Cui and Columbia Professor Sal Stolfo, who discovered the flaw while working on a grant from the U.S. Defense Department, say they can remotely order a hacked telephone to do anything they want and use software to hide their tracks.  For example, they said they could turn on a webcam on a phone equipped with one or instruct the phone's LED light to stay dark when the phone's microphone has been turned on, so an eavesdropping subject wouldn’t be alerted that their phone has been hacked.
More: http://redtape.nbcnews.com/_news/2013/01/04/16328998-popular-office-phones-vulnerable-to-eavesdropping-hack-researchers-say?lite

Could China blocking VPNs lead to spying on business?

January 04, 2013 — CSO — The "Great Firewall of China," designed to prevent its citizens from accessing some overseas content, has apparently undergone an upgrade.
And some observers say this may not only be an effort to stop citizens from reading or viewing Western information, but also to spy on international corporations doing business in the country who encrypt their internal communications.
The Guardian reported recently that the Chinese government is blocking internet services that have been able to "burrow secretly through what is known as the 'Great Firewall' ..."
"A number of companies providing virtual private network (VPN) services to users in China say the new system is able to 'learn, discover and block' the encrypted communications methods used by a number of different VPN systems," the report said.
"China Unicom, one of the biggest telecoms providers in the country, is now killing connections where a VPN is detected, according to one company with a number of users in China," the report said.
If the encryption works, even if the data is monitored, it cannot be read. It also means that a user's connection effectively starts outside the Great Firewall, providing access to all the sites the government blocks, including those of news organizations, search engines and social networking.
The crackdown is apparently no surprise to some users, who suspected more than 18 months ago, in May 2011, that the government was trying to disrupt VPNs. But The Guardian report  said VPN providers are now noticing it as well.
Astrill, a VPN provider for users inside and outside China, has emailed its users to warn them that the Great Firewall system is "blocking at least four of the common protocols used by VPNs, which means that they don't function."