Wednesday, July 2, 2008

Did You Know #172 - Credit Card Standards

If you have anything to do with credit cards,
you need to know this...


"Credit card companies want you to charge it and they know that concerns about identity theft might possibly slow down your card use — so it is in their best interests to make sure that a solid security standard is in place to protect you. The standard has turned into a requirement for everyone who takes a credit card and that turns out to be literally millions of grocers, retailers, online retail outlets, government agencies, convenience stores, utilities — almost everyone. So the PCI-DSS standard may be the most widely applied information (data) security standard in the world.

With such a widespread and critical standard, there is confusion about how to meet the standard because just doing a self-assessment isn’t enough; you are also required to do penetration tests on your systems that handle and transmit this electronic customer information and ATTEST that you use the standard in your information systems.

This includes having strong firewalls that protect cardholder data and making sure to remove the generic vendor-supplied passwords; using good storage devices for sensitive customer information and encrypting data that flows over your network. In addition, the card manager has to use anti-virus software, and also build secure systems. Once proper controls are in place, these controls need to be monitored and tested..."
Which leads us to the author of this piece.
Get to know her.

Caroline R. Hamilton is the Founder of RiskWatch, Inc. She offers twelve specialized risk assessment software programs which are used by thousands of her clients all over the world and in virtually every type of security assessment, gap analysis, and compliance assessment.

Murray Associates can assist you with the technical end of
Wireless LAN compliance for PCI-DSS and...
• Sarbanes-Oxley Act – U.S. Public Companies
• HIPAA – Health Insurance Portability and Accountability Act
• GLBA – Gramm-Leach-Bliley Financial Services Modernization Act
• PCI-DSS – Payment Card Industry Data Security Standard
• FISMA – Federal Information Security Management Act
• DoD 8100.2 – Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense Global Information Grid
• ISO 27001 – Information Security Management
• Basel II Accord – Banking
• EU - CRD (Cad 3) – EU - Capital Requirements Directive - Banking


Tuesday, June 24, 2008

Smart Spy Cameras

UK - Intelligent CCTV cameras are being developed in Britain that not only see trouble but are able to hear it, scientists said.

The technology allows the sounds of breaking glass, someone shouting, or the noise of a crowd gathering to be 'learned' by artificial intelligence software in the cameras.

The technology could slash the speed with which crimes are caught on camera and responded to by police but will again raise a debate about the extent of "surveillance Britain" and the use of such technology.

The three-year project by the University of Portsmouth aims to adapt artificial intelligence software already being developed to identify visual patterns. (more)


Monday, June 23, 2008

Spying Spouses

Family law can sometimes involve “good people, behaving badly.”

That’s according to Laura W. Morgan, of Family Law Consulting in Charlottesville, Va., who offers the tale of a hypothetical client named Mary, who thinks her husband, John, is cheating on her and using marital funds to pay for his trysts. Among other tactics, Mary purchased surveillance software, popularly known as “spyware,” and installed it on a shared computer, so she could read John’s password-protected e-mails and see the Web sites he visits. She additionally took the computer to a forensic computer specialist, who made a copy of the hard drive and then found scads of evidence that could be damaging to John in a divorce.

Mary is what Morgan calls a “self-help” spouse, because she has forgone formal electronic discovery — and it was easy and fairly inexpensive for her to do that. The problem is she may have broken a few laws in the process. (more)


Friday, June 13, 2008

FutureWatch - VoIP Bug Aids Bugging



Plans to compress internet (VoIP) phone calls so they use less bandwidth could make them [more] vulnerable to eavesdropping. Most networks are currently safe, but many service providers are due to implement the flawed compression technology. (more)


Monday, June 9, 2008

How To Manage Rogue Mobile Devices

A single unsecured smartphone (or laptop) can jeopardize the security of your entire organization.

For those not schooled in the risks, smartphones are the back-door deployment that can provide hackers -- or the competition -- with access to your network.

Imagine...
Jim, your employee, buys a smartphone and loads it up with contracts, sales quotes, pricing schemes, and other information you wouldn't want your competitors or customers to know.

The smartphone falls out of his pocket while he is boarding a plane in a crowded airport. Whoever finds the device will have instant access to all of Jim's emails and your corporate information.

Solution - Do these things...
• Use VPN's
• Block Access to Public Wi-Fi
• Make Strong Passwords Mandatory
• Block Removable Storage
• Educate Employees
• Educate IT
• Encryption is Key
• Better Security Through Software
(here's how)

We can help you identify and locate rogue devices operating in your offices. This is just one of many problems we solve with our Wireless LAN (wi-fi) Security Audit and Compliance Report service.


Tuesday, May 20, 2008

Spook Vault Stuff - Data Loss via Optoanalysis

Researchers have developed two new techniques for stealing data from a computer that use some unlikely hacking tools: cameras and telescopes.

In two separate pieces of research, teams at the University of California, Santa Barbara, and at Saarland University in Saarbrucken, Germany, describe attacks that seem ripped from the pages of spy novels. In Saarbrucken, the researchers have read computer screens from their tiny reflections on everyday objects such as glasses, teapots, and even the human eye. The UC team has worked out a way to analyze a video of hands typing on a keyboard in order to guess what was being written. (more)

Wanna know how it is done?
Reflections.
Observations.


Friday, April 18, 2008

FutureWatch - Eavesdropping on GSM Cell Phones

A web service that will make it easy and inexpensive to crack the GSM A5/1 encryption protocol, quickly enough for a call that is still in progress, is slated to launch at the end of April. Living right at the intersection of open hardware, open source software, software as a service, and cryptography, the service will reduce the cost and effort of cracking GSM call encryption by at least an order of magnitude.

The service is being developed by members of the GSM Software Project and demonstrates just how much things have changed in the world since the GSM system was designed. Various approaches to cracking both A5/1 (the European standard) and A5/2 (the weaker US standard) have been available for some time but this one is unique in that it should be available to researchers and hackers at the end of April in hosted API form instead of PDF.

Back in 1997, this overview of the GSM system declared that "Enciphering is an option for the fairly paranoid, since the signal is already coded, interleaved, and transmitted in a TDMA manner, thus providing protection from all but the most persistent and dedicated eavesdroppers." After all, such a radio encoding scheme made the signals invisible to typical radio band scanners.

Today, however, the availability of the Universal Software Radio Peripheral (USRP), an open hardware software defined radio that sells for about $700, combined with work being done at GNU Radio project to codify the GSM waveform (also targeted for the end of this month), makes this once reasonable point of view seem quaint. Good encryption is now a must and it appears that A5 no longer qualifies. (more)


Wednesday, March 19, 2008

How To Make Your Phone Untappable

In 1991, Philip Zimmermann developed a humble-sounding electronic encryption technology known as Pretty Good Privacy. In fact, it was very good--so good that not even the federal government has been able to crack it, a fact that has made Zimmermann a folk hero to privacy advocates and a headache to law enforcement.

Now Zimmermann, the CEO of PGP Corp., has found himself back in the fiery debate between federal investigators and those who oppose their snooping--this time thanks to ZRTP, a technology for encrypting Internet telephone calls. ZRTP throws a wrench in the Bush administration's controversial warrant-free wiretapping program and its proposed legal immunity for the telecommunications companies. So far, not even teams of supercomputers and cyberspies at the National Security Agency have cracked ZRTP. That means anyone who uses Zimmermann's Zfone software, a ZRTP-enabled voice over Internet Protocol (VoIP) program available for free on his Web site, can skirt the feds' wiretapping altogether.

Forbes.com spoke with Zimmermann about how his small company has been able to produce an encryption product that not even the U.S. government can break, what ZRTP means for national security, and why cutting off the government's access to our phones is necessary to keep out the truly malicious spies. (more)

Free advice.
Free software.
An end to wiretapping woes.

Come on. What more do you want from me?
The least you could do is send me some M&M's. :)
~Kevin


Sunday, March 9, 2008

Computer Bug Gets Upgrade

from the seller's website...
New for 2008! eBlaster 6.0

eBlaster has been the standard in remote monitoring software for parents and employers for almost a decade. It's time for a real innovative change, and we have some very exciting news.

eBlaster 6.0 is now available, and we have added features we believe you're really going to like. Now, you have the ability to change options and settings remotely without having to return to the computer on which eBlaster is installed.

What Else is New in eBlaster 6.0?
NEW! Block Web Sites
-- Block inappropriate web sites by name immediately...
NEW! Block Chat/IM Contacts
-- Block all chat and instant messaging with specific people...
NEW! Online Searches
-- records searches made on Google, AOL, MSN, and Yahoo...
NEW! Screen Snapshots with Keyword Alerts
-- Now you can actually see EXACTLY what they saw...
NEW! MySpace Activity
-- All activity on the popular but potentially dangerous MySpace site...

When was the last time you checked your computer for spyware?
eBlaster detection.


Friday, March 7, 2008

Turn Old 78 RPM Records into MP3s and CDs

Ace sound engineer, Mike Stewart, spins advice about how to turn old 78rpm records into MP3 or CD recordings.

Sounds like it should be easy, but consider, "modern" record players won't play at 78rpm.

Now you know why Mike is the Ace.
(video tutorial)


Wednesday, March 5, 2008

Hedge Fund vs. Hedge Fund - Spying, Stealing

NY - Elliott Associates has accused another hedge fund of spying and stealing proprietary trading technology.

The $10 billion New York-based hedge fund, run by Paul Singer, filed suit today against Cedar Hill Capital Partners alleging it of scheming to “literally steal the software in order to use it for its own trading activities,” branding the activity “nothing short of an overt act of corporate espionage.” (more)


In-house NSA

A rapid way to spot insider threats from individuals within an organization such as a multinational company or military installation is reported in the current issue of the International Journal of Security and Networks. The technology uses data mining techniques to scour email and build up a picture of social network interactions. The technology could prevent serious security breaches, sabotage, and even terrorist activity.

Gilbert Peterson and colleagues at the Air Force Institute of Technology at Wright Patterson AFB, in Ohio are developing technology that could help any organization sniff out insider threats by analyzing email activity or find individuals among potentially tens of thousands of employees with latent interests in sensitive topics. The same technology might also be used to spot individuals who feel alienated within the organization as well as unraveling any worrying changes in their social network interactions. (more)


New Gadget Can Spy On Text Messages

Suspicious spouses can check out their husband or wife's deleted texts with a new gadget. The £76 ($149.00) device can get all the data off a mobile telephone's SIM card - including messages and numbers that have been deleted. The information can then be transferred to a PC or laptop through a USB port. BrickHouse Security say it is ideal to "spy on your wife, husband, teens or colleague". (more)

UPDATE (5/28/08)
(source)
Comments from secret sources who KNOW...
"Could not read any more information than I could with SIMCon or SIM Seizure. Save your money." - S.H.

"Interesting marketing strategy, but the statement on their website that "This is the only SIM Card reader in the world that can actually see the *deleted messages*" is completely false. It is certainly not the _only_ product. You can do the same thing with any SIM/smartcard reader and a copy of Smartcard Commander (manually) or many other SIM analysis packages do it automagically (such as SIM Analyzer Pro), and it will cost you less than half of what Brickhouse is charging for this product. Deleted SMS's are very very simple to recover, as only one byte of the SMS entry changes to mark it as "deleted." Recovery of SMS from the SIM will depend on whether the phone stores SMS (and the other data this product claims to recover) on the SIM card or on the phone itself. Not all GSM phones store SMS/phonebook/etc to the SIM, and it can be a user-defined option where to store the data. Also, a typical SIM card may only hold a maximum of 30 SMS messages." - P.K.


Wednesday, February 27, 2008

FREE Password Cracker

Here is how it works in geek-speak...
RainbowCrack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. In short, the RainbowCrack tool is a hash cracker. A traditional brute force cracker tries all possible plaintexts one by one at cracking time. It is time consuming to break complex passwords in this way. The idea of time-memory trade-off is to do all cracking time computation in advance and store the result in files, so-called "rainbow tables". It does take a long time to precompute the tables. But once the one time precomputation is finished, a time-memory trade-off cracker can be hundreds of times faster than a brute force cracker, with the help of precomputed tables.
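The trade-off described above, as an added illustration that is not RainbowCrack's own code: a toy rainbow table over four-letter lowercase passwords hashed with unsalted MD5. The one refinement that makes it a rainbow table rather than Hellman's original scheme is that the reduction function R changes with the column, so two chains only merge if they collide in the same column. The alphabet, chain count, chain length, seed and reduction function are arbitrary choices for the demo.

```python
import hashlib
import random
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 4
SPACE = len(ALPHABET) ** PW_LEN      # 456,976 candidate passwords
CHAIN_LEN = 100                      # t: hashes per chain
NUM_CHAINS = 2000                    # m: chains in the table (demo size)


def H(pw):
    """The unsalted hash being attacked (MD5 here; any salt-less hash works)."""
    return hashlib.md5(pw.encode()).digest()


def index_to_pw(n):
    """Map an integer in [0, SPACE) to a password over ALPHABET."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def R(digest, col):
    """Column-dependent reduction: hash -> some password in the space."""
    return index_to_pw((int.from_bytes(digest[:8], "big") + col) % SPACE)


def walk(pw, first_col, last_col):
    """Advance a chain from column first_col up to (not including) last_col."""
    for col in range(first_col, last_col):
        pw = R(H(pw), col)
    return pw


def chain_starts(seed=1):
    """Constructed: pseudo-random start points, so the demo is reproducible."""
    rng = random.Random(seed)
    return [index_to_pw(rng.randrange(SPACE)) for _ in range(NUM_CHAINS)]


def build_table(seed=1):
    """Precomputation: store only (endpoint -> start) for each chain."""
    table = {}
    for start in chain_starts(seed):
        table.setdefault(walk(start, 0, CHAIN_LEN), start)   # keep first on merge
    return table


def crack(table, target):
    """Online phase: find a preimage of target if it lies on a stored chain."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume target sits in column `col`; finish the chain from there.
        end = walk(R(target, col), col + 1, CHAIN_LEN)
        start = table.get(end)
        if start is None:
            continue
        # Endpoint matched (possibly a false alarm): regenerate and check.
        pw = start
        for j in range(CHAIN_LEN):
            if H(pw) == target:
                return pw
            pw = R(H(pw), j)
    return None


if __name__ == "__main__":
    table = build_table()
    victim = walk(chain_starts()[0], 0, 5)      # a password we know is covered
    print("table entries:", len(table))
    print("cracked:", crack(table, H(victim)) == victim)
```

With m = 2000 chains of length 100 the table touches at most 200,000 of the 456,976 passwords, and merged chains reduce coverage further, so a miss only means the hash was not on a stored chain; a real table picks m and t for the success rate and lookup time wanted. The whole approach depends on the hash being unsalted: a per-user salt makes each precomputed table useless for every other user.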

Bottom line...
Your cat's name never was a good password anyway. Change it. (help)


Monday, February 25, 2008

"Encryption can't save you now, Sonny Boy... Muhhahahaaaaa!"

from c|net, by Declan McCullagh...
Computer scientists have discovered a novel way to bypass the encryption used in programs like Microsoft's BitLocker and Apple's FileVault and then view the contents of supposedly secure files.

In a paper (PDF) published Thursday that could prompt a rethinking of how to protect sensitive data, the researchers describe how they can extract the contents of a computer's memory and discover the secret encryption key used to scramble files. (I tested these claims by giving them a MacBook with FileVault; here's a slideshow.)


"There seems to be no easy remedy for these vulnerabilities," the researchers say...

Their technique doesn't attack the encryption directly. Rather, it relies on gaining access to the contents of a computer's RAM--through a mechanism as simple as booting a laptop over a network or from a USB drive--and then scanning for encryption keys. How the scan is done is one of the most clever portions of the paper. (more)
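The scanning step, as an added illustration that is not the researchers' code: rather than looking for random-looking bytes, the scan looks for the structure of the AES key schedule, which software keeps in RAM in expanded form. Every 16-byte window of the image is expanded with the AES-128 key schedule and accepted when the 160 bytes that follow match that schedule to within a small number of flipped bits. The sample image, the planted offset, the error threshold and the key (the FIPS-197 sample key) are constructed for the demo; the code tolerates decay only in the schedule bytes, not in the key bytes themselves, which is a simplification of the paper's reconstruction.

```python
import random


def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _ginv(x):
    """Multiplicative inverse in GF(2^8) computed as x^254 (0 maps to 0)."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = _gmul(r, base)
        base = _gmul(base, base)
        e >>= 1
    return r


def _build_sbox():
    """AES S-box: field inverse followed by the FIPS-197 affine transform."""
    sbox = []
    for x in range(256):
        v = _ginv(x)
        s = v
        for k in range(1, 5):
            s ^= ((v << k) | (v >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    """AES-128 key schedule (FIPS-197): 16-byte key -> 176-byte expanded key."""
    assert len(key) == 16
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]             # RotWord
            t = [SBOX[b] for b in t]      # SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def _hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes_keys(mem, max_bit_errors=16):
    """Return (offset, key) for every window whose following 160 bytes match
    the window's own AES-128 key schedule to within max_bit_errors bits."""
    hits = []
    for off in range(len(mem) - 176 + 1):
        cand = bytes(mem[off:off + 16])
        sched = expand_key(cand)
        if _hamming(sched[16:], mem[off + 16:off + 176]) <= max_bit_errors:
            hits.append((off, cand))
    return hits


def make_sample_image(key, offset=700, size=2048, decayed_bits=6, seed=1):
    """Constructed sample RAM: random bytes with one key schedule planted at
    `offset`, then a few bits flipped after the key to imitate DRAM decay."""
    rng = random.Random(seed)
    img = bytearray(rng.randrange(256) for _ in range(size))
    img[offset:offset + 176] = expand_key(key)
    for _ in range(decayed_bits):
        pos = rng.randrange(offset + 16, offset + 176)
        img[pos] ^= 1 << rng.randrange(8)
    return bytes(img)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key
    for off, k in find_aes_keys(make_sample_image(key)):
        print(f"AES-128 key schedule at offset {off}: key {k.hex()}")
```

A random 16-byte window disagrees with its own expanded schedule in roughly half of the 1280 schedule bits, so a threshold of a few dozen bits gives no false positives on a real image; the threshold is what lets the scan keep working after the bit decay the paper exploits. The same idea applies to other ciphers whose round keys sit in memory in a recognisable layout.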


Saturday, January 26, 2008

How secure are your text messages?

"For most people, the answer is ...don't worry."
(That, according to Time Magazine, who didn't see this.)


"In the mayor's case (see last story), the reason his messages have been exposed is because of the specialized service the city has contracted with to handle wireless communications between city officials. Although the scandal is already being dubbed BlackBerrygate by wags, the gizmo the mayor and Beatty used to communicate wasn't a BlackBerry at all.

It was a SkyWriter, and although it looks a lot like a BlackBerry, it's a dedicated messaging device provided to the city by SkyTel, a Mississippi-based wireless company that specializes in providing paging and messaging services to large corporations and governmental bodies through its own wireless network and devices.

"Every message sent over the SkyTel network ... is recorded, including: Date and time the message was sent... 'From' address... 'To' address... Length of the message..Entire message content up to 2,000 characters ," notes the company on its Web site in an article about the "benefits of message archiving."

For major corporations and governments, the automatic archiving of such messages is important, where legal requirements mandate the storage of all business- or government-related communications. But tell the mayor that's a benefit today." (more)


Friday, January 25, 2008

Researchers Develop 100% Accurate Electronic Face Recognition

Researchers claim they have perfected a system that uses computers to accurately identify images of people's faces, which could aid in the apprehension of criminals in public places such as airports that use surveillance cameras. (more)


Thursday, January 17, 2008

...and a spy agency somewhere smiles.

Greece - A judge formally ended an investigation into a wiretapping scandal that targeted Greece's prime minister and other top officials during the 2004 Olympic Games in Athens, judicial officials said Thursday.

Investigating magistrate Panagiotis Petropoulos found no evidence of who was behind the wiretaps that hacked into Greece's Vodafone network. (more)

Hollywood - Make this into a movie. It has all the elements of a great thriller; side stories about impossible "suicides", cover-ups and technical elegance which would bring tears to any hacker's eyes.


Saturday, January 12, 2008

Alert - SkyeSpy

Short Story - Add this inexpensive software to any S60 mobile phone (aka smart phone) and you have a bugging device with brains and the ability to snitch.

Why do I mention it?
So you know what you are up against.

Long Story - from the seller's website...

SkyeSpy is remote audio monitoring, detection and notification software for your S60v3 mobile device.

SkyeSpy can be used as:
(1) an intruder detection and alarm system for the home and office,
(2) a remote baby monitor,
(3) a remote car alarm monitor, or
(4) a spy device to listen-in on any environment without anyone knowing!

SkyeSpy is installed on a mobile device that is used as the audio monitoring hardware. The SkyeSpy device is placed in an area where the audio/sound is to be monitored e.g. near a baby, in the home/office etc. SkyeSpy is 'paired' to 'communicate' with another mobile device or landline. When SkyeSpy detects an audio instance, it alerts the paired device with an SMS, MMS or even a CALL!

There are 2 ways for the user to interact with the SkyeSpy device:
(1) SkyeSpy will contact the user.
(2) User can call the SkyeSpy and secretly listen in real-time.
1 day trial FREE!
Purchase price: $17.95


Sunday, January 6, 2008

VoIP Reminder - ZFone

The VoIP industry has been amazingly uninterested in figuring out how to protect the privacy and security of VoIP users. Of all the commercial service providers, only Skype provides encryption and authentication. Fortunately, Phil Zimmermann, the inventor of the best encryption software for all platforms, PGP (Pretty Good Privacy), has turned his talents to protecting VoIP. This is good news because eavesdropping on VoIP traffic is just as easy as sniffing any TCP/IP traffic. So we now have the ZFone.

ZFone operates invisibly, without needing administration and setup the way PGP does. With PGP you have to set up a public key infrastructure (PKI). A PKI performs authentication, verifying that the person you're communicating with really is who he or she claims to be, prevents eavesdropping and alerts you if the transmission has been altered in transit. (more) (original alert)

Extra Credit...
VoIP calls are easy to eavesdrop on—anyone with access to any wire that carries your transmissions can snoop with trivial ease. There is a possible remedy, but it's not widely used yet, and that is the ZRTP encryption protocol. I think it shows the most promise, as it is lightweight, provides very strong encryption, and—best of all—requires no user or administrator intervention; it Just Works. ZRTP is somewhat like cell phone encryption, except that it's not weak or easily broken. Zfone is the software implementation of ZRTP, and now you can get a plugin for your softphones. It costs nothing but a bit of time to try it out. (more)


Friday, December 28, 2007

Threat Awareness - Keystroke Loggers

from Mike Mullins - TechRepublic...
Keystroke loggers are a particularly dangerous security threat because users typically don’t realize they’re even there...


Most antivirus and antispyware programs will miss software keystroke loggers, so how can you protect against these sneaky devices? Fortunately, there are some programs designed for this specific task. For example, SpyCop and SnoopFree Software are both software programs specifically designed to detect software keystroke loggers...

For a comprehensive list of keystroke loggers, Keyloggers.com maintains an updated list of both hardware and software versions sold by a multitude of companies. (more)


Thursday, December 27, 2007

A Solution to USB Leaks and Injections of Malware

from the manufacturer's web site... The proliferation of data loss due to the inappropriate or sometimes criminal use of removable media devices has reached alarming levels.

Sanctuary Device Control allows you to regain control of the peripheral storage devices that your user community attempts to connect to your network assets. Through granular policy-based controls, Sanctuary Device Control reduces risk of data theft, data leakage and malware introduction via unauthorized removable media and assures compliance with the landslide of regulations governing privacy and accountability.

Positive Approach to USB Security
Hardware such as USB memory sticks, FireWire external hard-drives, scanners, music players, digital cameras, PDAs, and CD/DVD burner drives are scattered throughout offices around the world. Their proliferation amplifies the threats posed by outsiders or users who plug in devices that could compromise the security of sensitive data.

By employing a whitelist approach, Sanctuary enables only authorized devices to connect to a network, laptop or PC - facilitating security and systems management, while providing the necessary flexibility to the organization. (more) (our earlier warnings 1, 2, 3, 4)


Monday, December 24, 2007

Instant Education: Ten Information Security Concepts You Need to Know

(Summary of an article by Gerhard Lindenmayer)
1. Layered Approach
2. Encrypt, Encrypt, Encrypt
3. Security Policy Enforcement
4. Strong Password Protection
5. Antivirus
6. Employee Data Removal
7. Internet Access Restrictions
8. Regularly Scheduled Patches
9. Firewalls and Intrusion
10. Regular Penetration Tests
(See the full article for an explanation of these concepts.)


Monday, December 17, 2007

Instant Education - VoIP: The Top 5 Vulnerabilities

Nothing is hacker-safe these days unfortunately, not even your VoIP service. But knowing that going in, and protecting yourself appropriately, can make a world of difference. The folks at the Sipera VIPER Lab have released what they feel are the Top 5 VoIP Vulnerabilities in 2007.

They are:

• Remote eavesdropping of VoIP phone calls...
• VoIP Hopping, one of the enablers of remote eavesdropping...
• Vishing, enables hackers to spoof caller ID... (q.v.)
• Toll fraud...
• The Skype worm...
(more)


Saturday, December 15, 2007

Ms. Nightmare, IT Manager

West Chicago's former information technology manager secretly installed spy software on computers used by the city manager and administrative services director and was able to view every keystroke they made for about two years, an attorney for the city said.

Attorney Patrick Bond said information technology manager Valerie Becker did not leak any "sensitive" information, like the details of publicly bid contracts, to anyone.

• As part of the severance agreement, Becker was to turn over administrative passwords but refused to do so.
• She allegedly deleted records that were supposed to be saved under the state's Freedom of Information Act laws.
• Becker failed to routinely backup e-mail messages sent and received by the city.
• Becker waited until three years after purchasing an upgrade for the city's e-mail software to install it. She also failed to update software on the city's servers.

The city eliminated Becker's position in May, opting to contract out for computer services instead, Bond said. (more)


Saturday, December 8, 2007

Get up-to-speed on computer espionage. Read...

Secrets of Computer Espionage: Tactics and Countermeasures

"Is someone
spying on you?

It could be your boss, your competition, or a private investigator, but it could just as easily be a foreign intelligence agent - or the whiz kid down the street. More and more people today want to know what's on your computer, your PDA, your cell phone, or your wireless network.

Joel McNamara takes you inside the mind of the computer espionage artist... This is the book that teaches you to think like a spy, because that's the only way to outwit one."

Contents at a Glance
Acknowledgments.
Introduction.
Chapter 1 Spies.
Chapter 2 Spying and the Law.
Chapter 3 Black Bag Jobs.
Chapter 4 Breaching the System.
Chapter 5 Searching for Evidence.
Chapter 6 Unprotecting Data.
Chapter 7 Copying Data.
Chapter 8 Snooping with Keyloggers.
Chapter 9 Spying with Trojan Horses.
Chapter 10 Network Eavesdropping.
Chapter 11 802.11b Wireless Network Eavesdropping.
Chapter 12 Spying on Electronic Devices.
Chapter 13 Advanced Computer Espionage.
Appendix A: What's on the Web Site.
Index.


Tuesday, December 4, 2007

Wireless Keyboard Interception - Encryption Cracked

Security researchers have cracked the rudimentary encryption used in a range of popular wireless keyboards.

Bluetooth is increasingly becoming the de-facto standard for wireless communication in peripheral devices and is reckoned to be secure. But some manufacturers such as Logitech and Microsoft rely on 27 MHz radio technology which, it transpires, is anything but secure.

Using nothing more than a simple radio receiver, a soundcard and suitable software, Swiss security firm Dreamlab Technologies managed to capture and decode the radio communications between a keyboard and a PC.

The attack opens the way up to all sorts of mischief including keystroke logging to capture login credentials to online banking sites or email accounts. (more)


Friday, November 30, 2007

Spyware tops list of threats in CompTIA survey

Spyware has become the biggest security threat to organizations, a survey from the Computer Technology Industry Association (CompTIA) has discovered. That's a big change from a few years ago, when spyware was barely even considered a threat. (more)


Spybuster's Tip #106 - Spot Cisco Eavesdroppers

Someone eavesdropping on your Cisco VoIP phone using the previous attack?

Look for these warning signs...
• Speakerphone light is on.
• Display shows off-hook icon.
• Phone makes static noises.

Best practices for securely setting up your Cisco Unified IP Phones may be found here. ~Kevin


Thursday, November 29, 2007

Wiretapping Just The Start of VoIP's Security Woes

Security experts are once more urging businesses and consumers be wary of wiretapped Voice over IP (VoIP) calls -- as well as the vast number of potentially worse IP telephony vulnerabilities to which they may be exposed.

Last week, U.K. security researcher Peter Cox introduced a proof-of-concept that showed how easily Voice over IP phone calls could be intercepted. Cox, the former chief technology officer and co-founder of security vendor Borderware, successfully captured phone calls over a period of several months with a prototype Session Initiation Protocol (SIP) call monitoring tool.

The demonstration came as only the latest reminder that VoIP is vulnerable to mo