Larry, The IT Guy (No... make that, Spy)

Security Directors, CEOs, Chief Legal Counsels:
Immediately after you read this, make sure you have a clear, concise written policy in place detailing allowable IT behavior.

One in three IT administrators say they or one of their colleagues have used top-level admin passwords to pry into confidential or sensitive information at their workplace, according to a survey by a password-management vendor.

Nearly half also confessed that they have poked around systems for information not relevant to their jobs.

"We asked these questions last year, too," said Adam Bosnian, vice president of product strategy and sales for Cyber-Ark, a Newton, Mass.-based maker of password file security management software. "And we got similar results. So on one hand, the results weren't surprising. What was surprising initially -- and this time around, too -- is that people admit to it." (more)

Spying Spouses

Family law can sometimes involve “good people, behaving badly.”

That’s according to Laura W. Morgan, of Family Law Consulting in Charlottesville, Va., who offers the tale of a hypothetical client named Mary, who thinks her husband, John, is cheating on her and using marital funds to pay for his trysts. Among other tactics, Mary purchased surveillance software, popularly known as “spyware,” and installed it on a shared computer, so she could read John’s password-protected e-mails and see the Web sites he visits. She additionally took the computer to a forensic computer specialist, who made a copy of the hard drive and then found scads of evidence that could be damaging to John in a divorce.

Mary is what Morgan calls a “self-help” spouse, because she has forgone formal electronic discovery — and it was easy and fairly inexpensive for her to do that. The problem is she may have broken a few laws in the process. (more)

Open Season on Bugging Cellphones

The Geek Chorus welcomes Alan Reiter, President of Wireless Internet & Mobile Computing as he echos our warnings, in his well-written piece 'Open Season on Bugging Cellphones'...

"Silently, but with increasing frequency, government agencies and private individuals around the world are bugging cellular phones. Some of those phones are surreptitiously transmitting copies of their SMS, emails, call histories, and locations to Websites where the data may be viewed by those who have installed the clandestine software.

Most cellular subscribers don't have to worry about this happening to them, at least not yet. But anyone -- suspected criminals, spies, corporate executives, spouses, and even ex-lovers -- could be targeted. Thanks to software you can purchase over the Web, you don't have to be a secret agent to listen to cellular conversations or retrieve data transmissions.

Recently, a Swedish man was found guilty of hiding a cellular phone behind the headboard of his ex-girlfriend’s bed and remotely turning on the phone to listen to conversations..." (more)

How To Manage Rogue Mobile Devices

A single unsecured smartphone (or laptop) can jeopardize the security of your entire organization.

For those not schooled in the risks, smartphones are the back-door deployment that can provide hackers -- or the competition -- with access to your network.

Imagine...
Jim, your employee, buys a smartphone and loads it up with contracts, sales quotes, pricing schemes, and other information you wouldn't want your competitors or customers to know.

The smartphone falls out of his pocket while he is boarding a plane in a crowded airport. Whoever finds the device will have instant access to all of Jim's emails and your corporate information.

Solution - Do these things...
• Use VPN's
• Block Access to Public Wi-Fi
• Make Strong Passwords Mandatory
• Block Removable Storage
• Educate Employees
• Educate IT
• Encryption is Key
• Better Security Through Software
(here's how)

We can help you identify and locate rogue devices operating in your offices. This is just one of many problems we solve with our Wireless LAN (wi-fi) Security Audit and Compliance Report service.

World Spy News Roundup

The world is a busy place when it comes to spying.
Here is the action over the last few weeks...

Australia
• Government email spying plan under criticism.
• Government report... embrace "illegal", "deceptive" and "underhanded" espionage overseas.

Canada
• Was the bedroom of minister's ex really bugged?

China
• China calls computer spying claim ‘totally groundless’.
• Video surveillance equipment will be installed at Beijing schools.

European Union
• In-flight spycams - one in every seat; software analyzes you.

France
• Privy Privacy in Cannes - Madonna's unpaid $93,000 hotel bill over spying camera.

Germany
• Businesses across Germany spy on their workers.
• German spying scandals reawaken dark memories.
• Deutsche Telekom admits bugging phones of top management; then denies that it listened!
• The spying scandal affecting Deutsche Telecom continues to grow.
• Government gives police greater powers to monitor homes, phones and computers.
• Heinz Geyer, deputy head of former East German spy agency, dies.
• Lufthansa admits spying on journalist.

India
• Debate continues: Should Blackberry allow government security to spy on users.
• India practices unacceptably intrusive electronic surveillance.

Israel
• Israel frees Hezbollah spy for soldiers' remains.

Italy
• Ferrari spying may still be an issue.

The Netherlands
• Netherlands banned electronic voting machines; "eavesdropping risk".

Pakistan
• Dueling wiretaps. Battle of the political phone bugs.

Poland
• Lech Walesa angry with President Kaczynski about spying accusations.
• President Kaczynski denies ordering wiretaps on ex-prime minister Kazimierz Marcinkiewicz.

Russia
• Russia to demand Georgia ends spy flights.

Saudi Arabia
• 6 caught selling eavesdropping devices.

Sweden
• Swedish government may soon get power to spy on its citizens.

Taiwan
• National Security Bureau denied wiretapping telephone calls of officials and president.

Turkey
• A possible Turkish Watergate scandal.
• “AK Party is eavesdropping” claims the opposition.
• Turkish opposition claims security forces bugged its headquarters.

Uganda
• MP accuses government of spying on committees.

United Kingdom
• Government refused to investigate BT's covert wiretapping of thousands of customers.
• Councils admit spying on residents.
• Councils admit phone, e-mail spying.
• Bugging epidemic spreads - Vodafone fingered in new spying row.
• Top gadgets for spying on fellow SEO’s.
• Redcar hotel owner set up video camera to spy on couple.
• Government considering interception and data-mining all electronic communications.

United States
• Former S. Korean spy granted asylum. Had divulged illicit wiretapping of mobile phones.
• Court upholds conviction of Cuban spies.
• Study secretly tracked cell phone users outside US.
• Chinese expelled from the US for suspected industrial spying.
• Sheriff's Office disbands tarnished spy squad.
• Gutierrez possible victim of Chinese cyber spying.
• Former police chief accused of illegally bugging his secretary's office has pleaded guilty.
• P.I.'s In HP spying scandal fined.
• Billboards look back. Tiny cameras gather and analyze viewer's faces.
• Woman pleads guilty to aiding Chinese spy.
• Rent-A-Spy - 3/4's of the U.S. intelligence budget now goes to outside contractors.
• Feds encrypt 800,000 laptops; 1.2 million to go.
• Ex-CIA official indicted over agency job for mistress.
• TJX staffer sacked; talked about lax information security.

Venezuela
• Hugo Chavez's move to boost internal spying in Venezuela.
• Chavez spy laws 'creating society of informers'.
• Update! Chavez changes his mind. No new spy law.

Who's Watching You at Work?

"Surveillance is now routine business practice among American employers, both large and small, as the cost and ease of introducing have dropped. You leave your rights at the office door every day you go to work. Most surveillance is conducted without any individualized suspicion, and personal as well as business-related information is routinely collected," explained Jeremy Gruber, legal director at the National Workrights Institute.

Two-thirds of the companies included in the "2007 Electronic Monitoring & Surveillance Survey" said they monitor Internet connections. (more)

Spy Agency’s Eavesdropping Rose Last Year

S. Korea - The Broadcasting and Communications Commission (BCC) said Thursday that the number of eavesdropping requests from the spy agency and police last year was the highest since 2004, while the number of cases of e-mail monitoring and caller identification also rose.

Telephone companies allowed the National Intelligence Service (NIS), police officials and prosecutors to tap 1,142 phone calls last year, up from 1,062 cases in 2006. Most of the requests were from the NIS, the spy agency.

The number of caller identification requests from investigation authorities also increased by more than 20 percent to 183,659 cases from 150,743, the BCC said. E-mail monitoring rose 28.9 percent to 326 cases.

Furthermore, the actual number of eavesdropping cases can be higher than the released figure since multiple requests on a single case are counted as one, the BCC said. (more)

"...and she went to the hospital to have it removed! Blahaaaaaa..."

Australia - Attorney-General Robert McClelland says the proposal to let some employers access workers' emails without consent is only being considered as a way to stop cyber terrorist attacks.

He says it would not be targeted at personal communications.

"What you would be looking and permitting access to is information that would reveal an attempted infiltration," he said.

But deputy Opposition leader Julie Bishop says...
"Employers should not be burdened with the responsibility of intercepting emails involving staff suspected of behaviour that threatens Australia's national security."

"This places an unfair surveillance responsibility upon employers and effectively requires them to undertake what is a potential criminal investigation." (more)

Seriously bad idea...
- Pay IT guy to do a government intelligence agents' work?
- Pay twice!?!? Salary for IT guy and (via taxes) government intelligence agents'.
- Conflict of interest? Employees spying on friends and colleagues?
- Entrust national security to an army of untrained private employees...
- ...whose work product might equal less than educated guesswork?
- ...who may be tempted to use the snoop power for personal gain?
- Not to mention: loss of regular business productivity, opening new avenues of corporate espionage, data vulnerabilities, etc.
Outsourcing your job responsibilities should not be an option; especially when you have been entrusted with national security.

...and, 85% declined to answer.

"Me, My Spouse and the Internet"
Oxford Internet Institute, University of Oxford,
Survey Results...
• 20% of married Internet users admitted to reading their partner’s emails and text messages; and
• 13% to having checked their partner’s browser history.
More than 6,000 married people were invited to take part in the study. The final sample involved 929 couples, with both partners completing a questionnaire. (more) (Project website.)

Blackemail, Espionage or Just Coincidence?

MA - Two staff members in the school superintendent’s office spied on e-mails sent to Cambridge School Committee members over the span of one month. (more)

...administration officials did not tell the School Committee they were receiving committee e-mails from parents and others. A School Committee member only found out the two school officials were copied into School Committee e-mails after they hit “reply all” and found the duo copied in the e-mail. 14 days after it was discovered, School Committee members voted to enter contract negotiations with Superintendent Thomas Fowler-Finn. (more)

India Wants to Eavesdrop on BlackBerrys

BlackBerry users, beware of the snoops. India's Telecommunications Dept. told telecom carriers, Internet service providers, and officials at Research In Motion (RIM), the Canadian company that makes BlackBerrys, that it wants to eavesdrop on transmissions from every BlackBerry phone in the country. To comply, RIM might have to route calls and e-mails through government computer servers based in India. (more)
FutureWatch... Look for other countries to jump on this bandwagon.

Corporate Espionage Arrest - AMX Corp. V.P.

Short version: AMX Corporation's Vice President, David Goldenberg, was "arrested for allegedly participating in corporate espionage practices against a competing manufacturer's representative firm."

The following is from the Bergen County (NJ) Prosecutor's press release...
NJ - Bergen County Prosecutor John L. Molinelli announced the arrest of David A. Goldenberg, D.O.B. 05/18/1962, of 432 Golf Dr., Oceanside NY. Goldenberg was arrested on March 28, 2008, on charges of Unlawful Access of a Computer System / Network (2C:20-25b); Unlawful Access of Computer Data / Theft of Data (2C:20-25c); and Conducting an Illegal Wiretap (2A:156A-27)...

The arrest stemmed from an investigation concerning the following: The Paramus Police Department received a complaint from a Paramus based corporation known as Sapphire Marketing, who specializes in high-end audio/visual systems. Representatives of Sapphire reported that they were being suspiciously and consistently underbid for contracts by a competitor for whom David Goldenberg works. They expressed suspicion of corporate espionage. Based on anomalies that the complainant noticed within their computer network and more specifically their electronic mail (e-mail) system, they suspected that the company’s e-mail system had been compromised and that e-mail was being intercepted. The Paramus Police Department (a member of the Computer Crimes Task Force) and the Bergen County Prosecutor’s Office Computer Crimes Unit initiated an investigation.

The investigation revealed that Mr. Goldenberg had engineered the passwords protecting several of the complainant’s e-mail accounts. For a period of time, Mr. Goldenberg was intercepting and reading e-mails that related to potential contracts. Mr. Goldenberg then established a free e-mail account that he had control over, and created an automatic forward of the victim’s e-mail so that they would be sent to him directly. This afforded Mr. Goldenberg advanced knowledge of Sapphire’s customers and bid prices, thus further affording him an opportunity to underbid Sapphire. Sapphire Marketing estimates the loss in revenue from Mr. Goldenberg’s actions to exceed one-million dollars. Mr. Goldenberg was arrested without incident on this date. (more) (more - scroll down)

Goldenberg was hired by AMX June 11, 2007...
“David has a proven track record of satisfying the needs of his customers while boosting sales and profitability. He is also an aggressive marketer focused on value creation,” said Rashid Skaf, AMX president and CEO. “David is a dynamic leader who has proven that he can successfully manage and motivate a diverse team of individuals. I am confident that he will fit well into the AMX culture and accomplish great things with our company.” (more)

Cell Phone Spying Victim? Tell Your Story.

Have you ever been a victim of cell phone spying?

If your significant other or family member has ever plotted to listen in on your calls, even check your records or download spying software on your phone, we want to hear from you.

GMA is looking for guests who can talk about their experience with cell phone spying. Fill out the info below and you might just end up on GMA. (more)

In-house NSA

A rapid way to spot insider threats from individuals within an organization such as a multinational company or military installation is reported in the current issue of the International Journal of Security and Networks. The technology uses data mining techniques to scour email and build up a picture of social network interactions. The technology could prevent serious security breaches, sabotage, and even terrorist activity.

Gilbert Peterson and colleagues at the Air Force Institute of Technology at Wright Patterson AFB, in Ohio are developing technology that could help any organization sniff out insider threats by analyzing email activity or find individuals among potentially tens of thousands of employees with latent interests in sensitive topics. The same technology might also be used to spot individuals who feel alienated within the organization as well as unraveling any worrying changes in their social network interactions. (more)

Basic Email Security Tips

Chad Perrin at TechRepublic has some excellent tips...
There is a lot of information out there about securing your email. Much of it is advanced, and doesn’t apply to the typical end user. The following is a short list of some important security tips that apply to all email users...

1. Never allow an email client to fully render HTML or XHTML emails without careful thought.
2. If the privacy of your data is important to you, use a local POP3 or IMAP client to retrieve email. This means avoiding the use of Web based email services such as GMail, Hotmail, and Yahoo! Mail for email you wish to keep private for any reason.
3. It is always a good idea to ensure that your email authentication process is encrypted, even if the email itself is not. (lazy man's email encryption)
4. Digitally sign your emails. As long as you observe good security practices with email in general, it is highly unlikely that anyone else will ever have the opportunity to usurp your identity for purposes of email, but it is still a possibility. (What is a digital signature?)
5. If, for some reason, you absolutely positively must access an email account that does not authorize over an encrypted connection, never access that account from a public or otherwise unsecured network. Ever. Under any circumstances.

Be aware of both your virtual and physical surroundings when communicating via email. Be careful. Trust no one that you do not absolutely have to trust, and recognize the dangers and potential consequences of that trust.

Your email security does not just affect you; it affects others, as well, if your email account is compromised. (full article with greater tip detail)

Unsecured Wi-Fi Could Compromise Your Identity

CBS3.com - Special Report...
The wireless internet signal you rely on for convenience could be making things easier for internet intruders. Police said hackers could be using your computer to download illegal music, child porn, or even your bank information.

Using a simple can antenna from his car, George Sandford can burglarize homes from hundreds of yards away out in the open and without wearing a mask.

"You can open bank accounts. You get drivers licenses, you can get practically anything you want," Sandford said.

All by using relatively low tech equipment, just about anyone with knowledge can hack into computers using unsecured wireless internet or Wi-Fi signals of unsuspecting people...

"I can build a body of information about you, your back accounts," Sandford said.

Jamie Smith spoke to one unsuspecting resident, "We were able to get onto your internet just a few seconds ago," and Rebecca Hansen of Swarthmore responded, "No."

Rebecca is a client of Tech Guides Incorporated and George Sandford is far from a thief. He is actually Tech Guides' security expert. He sat down and showed Rebecca how to secure her Wi-Fi something everyone should do.

"Not securing your wireless networking is pretty much putting a sign on your house saying 'Hey, we're open,'" Sanford said. Only about half of homes with Wi-Fi are locked. If you don't your computer's connection could be slowed down by others accidentally using your Wi-Fi. (complete story with video)

• Directions for securing your Wi-Fi

2007 Electronic Monitoring & Surveillance Survey:

Over Half of All Employers Combined Fire Workers for E-Mail & Internet Abuse

From e-mail monitoring and Website blocking to phone tapping and GPS tracking, employers increasingly combine technology with policy to manage productivity and minimize litigation, security, and other risks. To motivate compliance with rules and policies, more than one fourth of employers have fired workers for misusing e-mail and nearly one third have fired employees for misusing the Internet, according to the 2007 Electronic Monitoring & Surveillance Survey from American Management Association (AMA) and The ePolicy Institute. (more)

"Boss, this suspect gets a lot of email."

The FBI revealed that human error led to surveillance of an entire email network back in 2006, rather than the single email address approved by the secretive court which approves domestic wiretaps and other forms of e-surveillance...

The ISP involved allegedly misinterpreted a warrant for one email address to be a warrant for - ahem - the entire network. (more)

Worst Security Ad of the Year Award

This plopped into my mailbox this morning...

- To whom would this ad appeal?
- Is that the type of person you want carrying a gun?
- Why are the 'Super Heros' standing in a police line-up?
- What did they do wrong?
- Hey, these aren't Super Heros. Real Super Heros are big and strong!
- Are 'Crime Fighters' out there rounding up fake Super Heros!
- What a waste of tax dollars.
- I getting scared now. This is creepy. I give up.
It is only February and we have the Worst Security Ad of the Year.

"Let me tell you how it will be..."

UK - He already has the power to arrest, and as of today, the British taxman will also be able to intercept phone calls, emails and letters, as well as bug residential premises and private vehicles. (more)
(sing-along)

Electronic eyes and ears keep tabs on workers

Canada - The sudden resignation of a South Shore police chief over allegations of e-spying on the local police union is the latest controversy over electronic eavesdropping in the workplace in the greater Montreal area.

Here and elsewhere, advances in electronic technologies have given employers new tools to keep an around-the-clock eye on employees. Unions are crying foul and fighting back. (more)

To eavesdrop, or not - teenage opinions

Q. Should the federal government be allowed to listen in on phone conversations of Americans and to read their e-mails and other information on their computers without their knowledge and without a warrant? (answers)

How secure are your text messages?

"For most people, the answer is ...don't worry."
(That, according to Time Magazine, who didn't see this.)

"In the mayor's case (see last story), the reason his messages have been exposed is because of the specialized service the city has contracted with to handle wireless communications between city officials. Although the scandal is already being dubbed BlackBerrygate by wags, the gizmo the mayor and Beatty used to communicate wasn't a BlackBerry at all.

It was a SkyWriter, and although it looks a lot like a BlackBerry, it's a dedicated messaging device provided to the city by SkyTel, a Mississippi-based wireless company that specializes in providing paging and messaging services to large corporations and governmental bodies through its own wireless network and devices.

"Every message sent over the SkyTel network ... is recorded, including: Date and time the message was sent... 'From' address... 'To' address... Length of the message..Entire message content up to 2,000 characters ," notes the company on its Web site in an article about the "benefits of message archiving."

For major corporations and governments, the automatic archiving of such messages is important, where legal requirements mandate the storage of all business- or government-related communications. But tell the mayor that's a benefit today." (more)

Wal-Mart Spying: Good, Bad, Or Just The Wave Of The Future?

Wal-Mart is used to finding its name on the front page of The New York Times and The Wall Street Journal, but in March of 2007 it found itself making news under very different circumstances.

Wal-Mart officially apologized to the Times and retail reporter Michael Barbaro after a member of its internal security organization was found to have secretly taped conversations between Wal-Mart employees and the Times reporter. Not only did Wal-Mart apologize to the reporter, chief executive H. Lee Scott phoned the chief executive of The New York Times to personally offer an explanation and convey the information that the technician involved, who had 19-years with the company, as well as a supervisor, had been fired.

But the matter did not end there. Weeks later, the fired technician, Bruce Gabbard, went public, telling The Wall Street Journal he was part of a larger, sophisticated surveillance operation at Wal-Mart. Gabbard said the retailer employs a variety of means, including...

To be fair, Wal-Mart is not the only company involved in a spying controversy. Other high-profile corporate spying incidents have drawn public attention to the fact that companies are using an increasing array of methods to snoop on, or monitor as is the preferred term, the everyday activities of employees, suppliers and customers on their networks. (more)

Spying Claims Rock British National Party

The British National Party has been engulfed by a bitter internal row with around 50 senior figures resigning the party whip amid claims the leadership has been spying on private emails and telephone calls.

The Labour MP Jon Cruddas has written to the head of the Metropolitan police, Sir Ian Blair, calling for an inquiry into what he claims are "criminal activities involving senior members" of the party.

"They appear to be monitoring phone calls and emails of their members and removing computers from private households. This is not the behaviour of a normal political party and I would like to see the police investigate this." (more)

Ms. Nightmare, IT Manager

West Chicago's former information technology manager secretly installed spy software on computers used by the city manager and administrative services director and was able to view every keystroke they made for about two years, an attorney for the city said.

Attorney Patrick Bond said information technology manager Valerie Becker did not leak any "sensitive" information, like the details of publicly bid contracts, to anyone.

• As part of the severance agreement, Becker was to turn over administrative passwords but refused to do so.
• She allegedly deleted records that were supposed to be saved under the state's Freedom of Information Act laws.
• Becker failed to routinely backup e-mail messages sent and received by the city.
• Becker waited until three years after purchasing an upgrade for the city's e-mail software to install it. She also failed to update software on the city's servers.

The city eliminated Becker's position in May, opting to contract out for computer services instead, Bond said. (more)

Get up-to-speed on computer espionage. Read...

Secrets of Computer Espionage: Tactics and Countermeasures

"Is someone spying on you?

It could be your boss, your competition, or a private investigator, but it could just as easily be a foreign intelligence agent - or the whiz kid down the street. More and more people today want to know what's on your computer, your PDA, your cell phone, or your wireless network.

Joel McNamara takes you inside the mind of the computer espionage artist... This is the book that teaches you to think like a spy, because that's the only way to outwit one."

Contents at a Glance
Acknowledgments.
Introduction.
Chapter 1 Spies.
Chapter 2 Spying and the Law.
Chapter 3 Black Bag Jobs.
Chapter 4 Breaching the System.
Chapter 5 Searching for Evidence.
Chapter 6 Unprotecting Data.
Chapter 7 Copying Data.
Chapter 8 Snooping with Keyloggers.
Chapter 9 Spying with Trojan Horses.
Chapter 10 Network Eavesdropping.
Chapter 11 802.11b Wireless Network Eavesdropping.
Chapter 12 Spying on Electronic Devices.
Chapter 13 Advanced Computer Espionage.
Appendix A: What's on the Web Site.
Index.

Mexico expands electronic surveillance

Mexico is widening its capacity for electronic surveillance, using funds from Washington to expand its ability to tap telephone calls and e-mail. The expansion comes as new President Felipe Calderon pushes to amend the Mexican Constitution to allow phone taps without a judge's approval in some cases... The new system provides extensive data storage capacity and will allow voice identification of callers... (more)