Archive for the ‘Eavesdropping’ Category

Snoops can tell what you type while you Skype, researchers find

October 20th, 2016
Researchers developed an acoustic eavesdropping attack scenario using VoIP, hitting an accuracy rate of up to 91.7%.

Posted in Uncategorized | Comments (0)

Mayor arrested, accused of secretly recording strip poker game with teens

August 5th, 2016

This is the booking photo of Stockton Mayor Anthony Silva. (credit: Amador County Sheriff)

The mayor of Stockton, California was arrested Thursday and charged with felony eavesdropping, among other misdemeanor charges, related to a strip poker game that he allegedly played with teenage counselors at a camp for economically disadvantaged kids last year, according to prosecutors in neighboring Amador County.

Mayor Anthony Ray Silva was taken into custody Thursday morning at the annual mayor’s Youth Camp in Silver Lake, just outside of Stockton, an inland port city approximately 80 miles east of San Francisco.

N. Allen Sawyer, Silva's attorney, told Ars that his client remains mayor, has posted bail, and has returned Thursday afternoon to the camp to help final clean up. The City of Stockton said in a statement that law enforcement are on site at the camp, presumably to keep the peace.

Read 14 remaining paragraphs | Comments

Posted in Uncategorized | Comments (0)

How hackers eavesdropped on a US Congressman using only his phone number

April 18th, 2016

Enlarge (credit: 60 Minutes)

A US congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used.

The stalking of US Representative Ted Lieu's smartphone was carried out with his permission for a piece broadcast Sunday night by 60 Minutes. Karsten Nohl of Germany-based Security Research Labs was able to record any call made to or from the phone and to track its precise location in real-time as the California congressman traveled to various points in the southern part of the state. At one point, 60 minutes played for Lieu a crystal-clear recording Nohl made of one call that discussed data collection practices by the US National Security Agency. While SR Labs had permission to carry out the surveillance, there's nothing stopping malicious hackers from doing the same thing.

The representative said he had two reactions: "First it's really creepy," he said. "And second it makes me angry. They could hear any call. Pretty much anyone has a cell phone. It could be stock trades you want someone to execute. It could be a call with a bank."

Read 7 remaining paragraphs | Comments

Posted in Uncategorized | Comments (0)

What your encrypted data says about you

March 18th, 2016
Your encrypted traffic could tell the government (or the crooks) more than you think, no decryption required.

Posted in Uncategorized | Comments (0)

Forget iPhone backdoors, here’s a *side* door that can steal your keys

March 4th, 2016
Researchers planted a magnetic coil under the table and sniffed out cryptographic keys using electromagnetic emissions.

Posted in Uncategorized | Comments (0)

Moment of truth: Feds must say if they used backdoored Juniper firewalls

January 26th, 2016

(credit: Jeremy Brooks )

Congressional oversight leaders are requiring most federal agencies to audit their networks to see if they use Juniper-manufactured firewalls that for four years contained an unauthorized backdoor for eavesdropping on encrypted communications.

Members of the House of Representatives Committee on Oversight and Government Reform gave the agencies until February 4 to produce documents showing whether they use Juniper's NetScreen line of firewall appliances. The committee is also requiring agency heads who used the vulnerable devices to show how they learned of the eavesdropping threat and whether they fixed it prior to the release of last month's patch. That update removed the unauthorized code from ScreenOS, the operating system that manages NetScreen firewalls.

The Committee on Oversight and Government Reform is the chief oversight body for the US House of Representatives, with broad authority to investigate most matters pertaining to federal agencies. Committee members informed agency heads of the eavesdropping-related investigation involving Juniper hardware in letters dated late last week.

Read 4 remaining paragraphs | Comments

Posted in Uncategorized | Comments (0)

Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears

January 12th, 2016

(credit: Fortinet)

Less than a month after Juniper Network officials disclosed an unauthorized backdoor in the company's NetScreen line of firewalls, researchers have uncovered highly suspicious code in older software from Juniper competitor Fortinet.

The suspicious code contains a challenge-and-response authentication routine for logging into servers with the secure shell (SSH) protocol. Researchers were able to unearth a hard-coded password of "FGTAbc11*xy+Qqz27" (not including the quotation marks) after reviewing this exploit code posted online on Saturday. On Tuesday, a researcher posted this screenshot purporting to show someone using the exploit to gain remote access to a server running Fortinet's FortiOS software.

This partially redacted screenshot purports to show the exploit in action. (credit: @dailydavedavids)

Ralf-Philipp Weinmann, a security researcher who helped uncover the innerworkings of the Juniper backdoor, took to Twitter on Tuesday and repeatedly referred to the custom SSH authentication as a "backdoor." In one specific post, he confirmed he was able to make it work as reported on older versions of Fortinet's FortiOS.

Read 4 remaining paragraphs | Comments

Posted in Uncategorized | Comments (0)

Advent tip #20: Free Wi-Fi is handy – but think before you connect!

December 20th, 2015
Free Wi-Fi can save you loads of money, especially when you're overseas and roaming - but it can also go horribly wrong...

Posted in Uncategorized | Comments (0)

Feds bugged steps of Silicon Valley courthouse

November 17th, 2015

(credit: James Vaughan)

Defense attorneys have asked a federal judge to throw out more than 200 hours of conversations FBI agents recorded using hidden microphones planted near the steps of a county courthouse in Silicon Valley.

The lawyers are representing defendants accused of engaging in an illicit real estate bid-rigging and fraud conspiracy. The steps to the San Mateo County courthouse are frequently the scene of public auctions for foreclosed homes. Federal prosecutors have admitted that on at least 31 occasions in 2009 and 2010, FBI agents used concealed microphones to record auction participants as they spoke, often in hushed voices with partners, attorneys, and others. Because the federal agents didn't obtain a court order, the defense attorneys argue the bugging violated Constitutional protections against unreasonable searches and seizures.

In a court brief filed Friday in the case, attorneys wrote:

Read 4 remaining paragraphs | Comments

Posted in Uncategorized | Comments (0)

Don’t count on STARTTLS to automatically encrypt your sensitive e-mails

October 30th, 2015

(credit: Yzmo)

Researchers have some good and bad news about the availability of secure e-mail. Use of STARTTLS and three other security extensions has surged in recent months, but their failure rate remains high, in large part because of active attacks that downgrade encrypted connections to unencrypted ones.

That conclusion, reached in a recently published research paper, means that a significant chunk of e-mail continues to be transmitted in plaintext and with no mechanism for verifying that a message hasn't been tampered with while it travels from sender to receiver. The downgrades are largely made possible by the simple mail transfer protocol used by many e-mail services. Because it wasn't originally designed to provide message confidentiality or integrity, it relies on later-developed extensions including STARTTLS, domainkeys Identified Mail, sender policy framework, and domain-based message authentication that often don't work as intended.

The researchers wrote:

Read 6 remaining paragraphs | Comments

Posted in Uncategorized | Comments (0)