ISSUE 23, 20 April 2016

whitenews GLOBAL PRIVACY & TECHNOLOGY NEWS

ISSUE 23 Headlines:

• Disappearing Into Air: How to Manage the Threat of Trade Secret Theft in The Cloud Era?
• Insider-Spy Trend: Banks Hiring Former Intelligence Agents to Spy on Their Behalf
• Playing Hot Potato: Everything You Need to Know About Encryption and Its Security
• 21 Century Data Thefts: From Social Engineering and Phishing to Hacks and Cyber Leaks

Launching Mobilewatch: Transforming Security with Locationing

Spring brings new life and transformation. We at Whiterock have fully embraced this as we are marrying up IoT technology with security applications. This week, on 19-20 April 2016, at the Security and Counter Terror Expo in London, we are launching a brand new IoT technology, Mobilewatch, which detects and locates mobile devices, to the UK and Europe.

With this, we are transforming Whiterock into a technology company. We are coming out with a new brand and have revamped everything – our strategies, people, services, HQ and technology. Appropriately, the feature story in this issue focuses on mobile phones and how location-based services are ready to transform the security industry. With 18 billion connected devices in the world, we live in the era of everything connected. Whilst this might be beneficial for the ‘bad guys’, being connected is really positive for the security industry as well.

The company transformation also changes our news. We will be much more tech focused, which you will notice already in this issue and even more so in the upcoming newsletters, which will look, feel and read differently. Oh, and I almost forgot – we are making WhiteNews available to all interested businesses.

If you are unable to join us this week @SCTX in Olympia, London, I want to invite you to our brand new demonstration centre at our HQ near London, where you can see the Mobilewatch capabilities live. Just get in touch!

Raili Maripuu, WhiteRock CEO

whiterock PRIVACY & TECHNOLOGY: EDITORIAL PAGE (page 2)

Brand New Whiterock: Embracing Technology & Transforming Security

Whiterock is transforming. This month, and one year's worth of preparations later, we are excited to expand into the brand new mobile security and location based services markets, currently valued at US$1,500 million and US$11.36 billion respectively. We have revamped everything – our counter espionage strategies, technology, people, headquarters, services and branding in general.

With over two decades in the security market, Whiterock has protected hundreds of high-level confidential business events and board meetings from information leaks, and audited the often lacking security measures in thousands of corporate office spaces worldwide. Our 20 years of experience has clearly confirmed that the two leading threats to the competitive advantage of any business are humans and mobile devices. For years now, mobile phones have been the number one espionage threat, and combined with humans these devices have become lethal to some businesses.

As a company with a strong R&D vision, we are always on the lookout for new solutions that cater for corporate requirements. Whilst we have worked with many cutting-edge security technologies, we have really been struggling to find a system that manages mobile devices individually over a large area whilst respecting the privacy of each person.

Until we found Mobilewatch. This is the world’s most accurate mobile detection and locationing technology, powered by AirPatrol / Sysorex, and now available in the UK and European markets. It is a cutting-edge yet non-intrusive geofencing product that detects and instantly locates all mobile devices operating on wireless and cellular networks within 10 feet or 3 metres. It is a necessary tool for fighting terrorism, helping communication and consumer behaviour research, or for providing a much needed security blanket for our corporate clients in protecting their most sensitive corporate meetings and events. This technology is already widely and successfully used in the security sector in the US, such as trading floors, highly sensitive executive meetings, airports, hospitals as well as governments and their enforcement agencies. Mobilewatch is a powerful new locationing technology also in the retail environment, again successfully used by retail banks, shopping centres and airports in the US. We are excited about our brand new demonstration centre in Whiterock headquarters, where we can show the capabilities of the Mobilewatch technology live. This is truly the only place in Europe where you can see this technology in action.

We live in the era of almost absolute connectivity. Last year, there were 18 billion connected devices in the world, a figure that by a conservative view is estimated to grow fast up to 50 billion connected devices by 2020. With these figures in mind and the impact they leave on the world economy in general, we are proud to be introducing Mobilewatch and excited to share with you the experience of securing mobiles in a new way.

RAILI MARIPUU, CEO

Contents:

Technology (page 3)
• Disappearing Into Air: Trade Secrets and Cloud

News (pages 4-5)
• Insider Spy Trend: Banks Hiring Ex-Agents to Spy
• IoT Surveillance: Germany Authorises Police Spying
• Stolen Satellites: Canada Battles Chinese Espionage

Feature (pages 6-8)
• Launching Mobilewatch: Security with LBS

Technology (pages 9-10)
• New Technology: Camera that Sees Around Corners
• Printer Vulnerability Leads to Reverse-Engineering
• 21 Century Hacking: 7 Worst Data Security Breaches

Extra (page 11)
• Playing Hot Potato: ‘Encryption for Dummies’
• Woven by Spy: The Rise of American Textile Industry
• Video of the Month: The Great Brain Robbery of US

Letter From America (page 12)
• Worst Leaker Since Titanic: Ensuring Wi-Fi Security

Cartoon of the Month: Lucky Days are on Their Way!

Did You Know?

UK spy agency GCHQ has admitted that it lost the cyber-security battle on a national level despite the Government spending almost £1 billion. “I think the best way to sum up the challenge we face is that while we’ve done a lot over the past five years and spent quite a lot of money as a Government, particularly in those years of austerity we’ve been through, the bottom line is it hasn’t worked,” said Alex Dewedney, Director of UK Cyber Security at CESG/GCHQ.

TECHNOLOGY

Disappearing Into Air: Trade Secret Theft in the Cloud Era

The variety of methods that corporate spies and governments use to get their hands on extremely valuable trade secrets and other sensitive information has widened considerably in just a decade. Therefore, organisations have become more vigilant in marking their trade secrets as confidential whilst also restricting employee access to sensitive data. However, these efforts often neglect a relatively new, but significant, threat: spying through cloud-based storage.

One of the first such cases to hit the headlines was the lawsuit that San Francisco-based computer gaming company Zynga filed against its former employee, Alan Patmore, in 2012. Patmore was found to have uploaded 760 Zynga documents onto his personal Dropbox account before leaving to become Vice President of a competitor, Kixeye. Despite the successful suit, it was a dramatic incident for the gaming giant, resulting in its share price falling significantly over the course of the following year and eventually leading to lawsuits alleging insider trading.

Recovering company property from terminated employees has become greatly complicated. Employees can easily send documents to their cloud-based email accounts, such as Gmail.com, for off-site use. Whether it be Google Docs, Dropbox, or any other file-sharing system, employees are now increasingly likely to set up personal cloud-based document sharing and storage accounts for work purposes. In today’s remote working environment, this is usually done with good intentions, such as achieving greater convenience and flexibility, and with explicit company approval.

When an employee quits or is terminated, however, that account, and the business documents it contains, may be locked away in a location that is inaccessible to the company whilst still allowing the ex-employee to access trade secrets in order to spy on his/her previous employer. This is where things can get ugly and may result in damaged trust and reputation, the leak of valuable trade secrets and losses that extend into the millions. So, what should you, as an employer, do to address this?

Firstly, it is absolutely crucial to issue clear policies on the use of personal cloud-based accounts for work purposes. The most straightforward approach is of course a strict prohibition against using personal accounts to store any company-related information. However, this can affect the productivity employees can achieve under flexible working conditions.

Therefore, another option is to select a secure system, controlled by the employer, with a requirement that employees submit usernames and passwords for all accounts to the company, with the agreement that login information is the property of the company. A similar policy should also be applied to the company’s social media accounts such as Twitter, Facebook, and LinkedIn. The aim here is not to be able to prove in court that a former employee has violated company protocol if this happens, but to promote awareness and address the possibility before it becomes a threat. In fact, preventive measures such as policy implementation are often the easiest and least costly ways to tackle the threat associated with cloud sharing. Without filing a lawsuit, options for compensation are very limited.

For example, at the end of 2015, the Virginia-based Atlantic Marine Construction Company filed a lawsuit against a former Vice President (VP) of Construction and his new employer, alleging trade secret theft. At first glance, the scenario sounds familiar: a departing employee steals confidential data on his way out and later provides it to a competitor. However, this case has a curious twist: Atlantic Marine stated that the VP stole trade secrets after he was terminated, using the Google Chrome Remote Desktop software tool to access the company network. The program allows users to gain remote access and control over one computer from another via the Internet, and the VP installed this program on a work computer without authorisation during his employment. He then took advantage of this access when terminated, viewing, copying and downloading various trade secrets and other valuable confidential data from his former employer.

Both the alleged espionage and the consequential trial could have been avoided if Atlantic Marine had insisted on wiping the hard drive of the VP’s work computer upon termination. Another option would have been to remove and preserve the VP’s hard drive, which would both retain the hard drive for future purposes whilst also preventing it from being used for data removal.

Companies that operate under Bring-Your-Own-Device (BYOD) policies should take advantage of ‘mobile device management’ (MDM) software, which enables employers to override personal passwords and wipe devices remotely. When an employee departs, his/her name should be removed from email group lists, distribution lists, the company website, and the building directory; all email, user accounts and passwords of the terminated employee should be deactivated; and all access privileges should be removed.

Although at first glance this relatively new threat may seem difficult to tackle, organisations quite simply only need to get their ‘corporate heads’ out of the clouds. With the right policies and exit measures, it is possible to control and contain the damage that could otherwise ruin your business.

5 Popular Clouds: What Do You Use?

CARBONITE: Online backup service for documents, e-mails, music, photos, and settings.

DROPBOX: File-hosting service for cloud storage, file synchronisation, and client software. A special synchronised folder appears to be the same folder regardless of which computer is used to view it. Files are accessible through a website and mobile phone applications.

BOX.COM: Online file-sharing and cloud content management service for businesses, with its employees collaborating and working with files that are uploaded to Box.

GOOGLE DRIVE: File storage and synchronisation service provided by Google that enables user cloud storage, file-sharing and collaborative editing.

SKYDRIVE: Service that allows users to upload and sync files to cloud storage and then access them from a Web browser or their local device.

NEWS

Insider-Spy Trend: Banks Hiring Ex-Agents to Spy on Their Behalf

There is a new trend in corporate in-house surveillance as some of the world’s biggest banks are hiring former spies at an increasing rate to try and prevent the rise of any more so-called ‘rogue traders’ and to ensure that banks are put on the hook for fewer fines. Although in the security industry many former law enforcement officers and government agents tend to move to private surveillance agencies or create their own detective firms, the increasing fear of insider threat has now motivated major financial players to hire fully trained government agents as corporate spies. Whether or not what they do is legal is another question, but it is clear that desperate times call for desperate measures.

According to a Bloomberg publication, banks including HSBC, Deutsche Bank, and JP Morgan have all hired ex-spies from the likes of the UK and US military, the CIA, and GCHQ. The primary purpose of the ex-spies is to watch the activities of bank employees and to try to prevent misconduct. Apparently, these former spies keep tabs on everything from how long employees are taking for their cigarette breaks to how often they text their significant other. As a result, they try to spot the early signs of rule-breaking.

Recently, men like Jerome Kerviel, Kweku Adoboli, and Tom Hayes have all been jailed for their roles in big banking scandals. In 2008, Jerome Kerviel lost €4.9 billion (£3.7 billion) at the French bank Société Générale S.A. His lawyers argued that his managers knew about his three-year period of questionable financial operations in 2007 before the scandal erupted in January 2008. Although Société Générale states that Kerviel used computer and financial skills in combination with fake documents to conceal his unauthorised trading, France’s highest court annulled the damages, ruling that the bank shared the responsibility. The civil trial began earlier this year.

Kweku Adoboli’s trades left the Swiss global financial services firm UBS AG on the hook for US$2 billion (£1.4 billion) in 2011. The rogue trader himself, who lost UBS billions, has now been released from Maidstone prison in the UK after having served only half of his seven-year sentence. Adoboli was convicted of fraud in November 2012. The UK’s Financial Conduct Authority (FCA) banned him from holding a regulated position in the financial services industry. In May 2014, the FCA banned Adoboli’s former manager, John Christopher Hughes, ‘from performing any function in relation to any regulated activity in the financial services industry for failings related to the UBS billions’. Tom Hayes was involved in the fixing of the LIBOR rate and was subsequently jailed for his role, although he had his sentence reduced after an appeal.

These types of scandals are hugely embarrassing for banks as well as incredibly costly. For instance, the LIBOR scandal, a fraudulent scheme connected to the London Interbank Offered Rate that came to light in 2012, cost six banks a combined total of around US$6 billion (£4.15 billion), with Barclays alone footing a bill for US$2.2 billion (£1.5 billion). Increased scrutiny in the banking sector, thanks in large part to stricter stances from regulators like the SEC in the USA and the FCA in Britain, has resulted in a number of financial institutions taking major steps to prevent such scandals occurring again and costing them billions.

As a result of increased regulation, banks are allocating extensive resources into ensuring that they don’t get on the wrong side of regulators. As profits are squeezed, the banks’ ability to absorb big fines decreases. For example, UBS announced plans in 2015 to bring in around 350 new compliance staff to the bank, after being hit by a series of large fines.

IoT Surveillance: Germany Authorises Police Spying

German courts now allow national police forces to load surveillance software onto computers and any mobile device without the permission of the owner or operator of the device. This action represents another step in the evolution of the ‘Internet of Things’ (read more in WhiteNews, Issue 21; and WhiteSparks, Issue 165) into a massive surveillance platform.

Although a court order must be obtained on the basis of lives at risk or the possibility of a national threat, German police can now secretly install spyware onto any Internet-enabled device. Apart from phones, this includes various electronic devices at homes and offices, such as doorbells, security and heating systems, TVs, fridges, vehicles and even children’s toys. For example, if your television or car can be voice-activated and records certain conversations, it could be argued that those conversations qualify as communications and are thus subject to surveillance. Moreover, let’s assume that your video game system enables you to communicate with other players. It can then be argued that the communications capability of your game system makes it eligible for surveillance.

In order to comply with a 2008 decision of the German Constitutional Court, spyware used by the authorities must comply with only some limitations. It must monitor only communications between the targeted party and another party, and is not permitted to include the monitoring of information held by the targeted individual if this is not communicated to another party.

Nevertheless, the potential impact of this surveillance on the development of the Internet of Things and the emerging global network of Internet-connected devices, including consumer electronics, entertainment, as well as media products and appliances, is massive. Interestingly, the police are not required to develop their own spyware for their surveillance activities, but it is possible for them to purchase and use commercially available software products. Apart from apparent privacy concerns, the introduction of surveillance software onto devices also presents a gateway for viruses and other malware.

Obviously, there is a high risk of any sensitive corporate information ending up in the wrong hands, especially as law enforcement can use surveillance services and devices provided by private companies. Whenever a third party has access to your confidential data, the risk of leaked data increases considerably and, with authorities involved, it is very difficult to take legal action.

Stolen Satellites: Canada Battles Chinese Industrial Espionage

Canadian federal police charged an American, a Briton, and two Canadians with the theft of sensitive satellite imaging technology and the resale of the information to China. An extensive, two-year investigation into the industrial espionage case involved the Canadian Space Agency, the US Department of Homeland Security, and the FBI. The stolen and highly sensitive microelectronics was intended for space satellite use by the Canadian military.

Reportedly, two men stole a sensor from their employer, Teledyne Dalsa of Waterloo, Ontario, with the help of an ex-employee of the company. The theft took place with the aim to then sell the technology to two Chinese firms. The fourth man was working for one of the Chinese companies allegedly involved in the scheme. Teledyne Dalsa, a tech company that specialises in digital imaging, circuit, and electronic technology software, has offices in Canada, the US, Europe, and Asia.

Arrested Canadians Arthur Xin Pang (46) and Binqiao Li (59) were charged with more than a dozen related crimes including theft, fraud, and the possession and transfer of controlled goods contrary to the Defence Production Act. Their trial started last month. An arrest warrant has been issued for the two other men currently hiding in China: Nick Tasker (62) from the UK and Hugh Ciao (50) from the US. According to the Canadian Security Intelligence Service, the country’s knowledge-based, hi-tech sectors are a prime target for corporate espionage. This costs the economy an estimated CA$100 billion annually and not enough is being done to tackle the problem.

However, Teledyne Dalsa reportedly cooperated fully with the investigation, which was launched in early 2014. In the past, Canada has seen a number of high-profile corporate espionage cases with devastating results for organisations. For example, the telecommunications giant Nortel Network’s 2009 collapse and bankruptcy has been linked to its targeting for years by hackers allegedly operating from China (Read more in WhiteNews, Issue 19).

Also, the Canadian government pointed to a ‘highly sophisticated Chinese state-sponsored actor’ being responsible for hacking into computers at the federal research and development body, the National Research Council of Canada, in 2014.

News Bites:

Ten Ex-Nokian Tyres Employees Go on Trial Over Industrial Espionage

Ten former employees of Finnish tyre manufacturer Nokian Tyres are to go on trial this summer for stealing confidential information from the company. One sub-contractor’s employee has confessed to theft, but the rest deny wrongdoing. The information was leaked in 2010-2011 to the Black Donuts Engineering firm, a company set up by workers who had been made redundant from the research and development arm of Nokian Tyres. The complaint, issued in autumn 2011, has taken several years to investigate due to the number of leaked documents reaching into the thousands.

357 Suspects Acquitted in Military Espionage Case in Turkey

A court in the province of Izmir in Turkey has acquitted 357 suspects, including active duty soldiers, in the trial of a military espionage case where the defendants were accused of keeping confidential military information and documents. The case, filed in 2012, was based on the 10th clause of Turkey’s Anti-Terror Law and it also involved 49 regular soldiers.

WikiLeaks Reveals the US Spying on Ban Ki-Moon to Protect Oil Firms

The NSA has spied on UN Secretary General Ban Ki-moon’s private meetings to save American oil companies, claims WikiLeaks’ latest revelation. The whistleblower’s disclosure also touched upon the NSA’s bugging of meetings held among other world leaders, including the Israeli Prime Minister Netanyahu and Italian Prime Minister Berlusconi. In addition, the US espionage agency spied on meetings between key EU and Japanese trade ministers, who were discussing their secret trade rules at WTO negotiations. Some of the new documents revealed by WikiLeaks are the most highly classified documents ever published by a media outlet.

Brazil Constructing a US$250 Million Submarine Cable to Avoid US Spies

The Brazilian government has announced plans to develop a submarine cable linking Brazil directly with Europe. We have previously reported on the concerns that the US is spying through fibre optic cables running between the continents. The cable is expected to be operational in late 2017 and is estimated to cost US$250 million. Google and Facebook said they can help to finance the cable as they are interested in using this for secure transmission. This illustrates that the bulk data collection of US surveillance agencies is now too great a nuisance to ignore.

Uber Sues South Carolina Airport to Protect its Trade Secrets

Uber is suing the authority that operates Charleston International Airport in South Carolina in the US in an attempt to block the release of information relating to its operations at the facility. This is one of several lawsuits that Uber has launched recently to prevent disclosure of its trade secrets. A Freedom of Information Act request was filed with the Aviation Authority in February seeking monthly reports about the number of passenger pickups. Uber is arguing that the information in the monthly reports would put the company at a substantial and irreparable competitive disadvantage.

UPDATE: Former Analyst of Citadel Re-sentenced in Trade Secrets Case

Yihao ‘Ben’ Pu, an ex-analyst at Citadel, one of the world’s largest alternative asset management firms, was re-sentenced in an espionage case. In January 2015, Pu pleaded guilty to stealing trade secrets worth US$12.7 million from the hedge fund, resulting in a three-year prison sentence and an order to pay over US$750,000 in restitution. An appellate court has now voided that sentence, suggesting that the intended loss calculation conflicted with the lack of evidence.

FEATURE

Launching Mobilewatch: Transforming Security with Location Based Technology

We live in the era of everything connected. Last year, there were 18 billion connected devices in the world, a figure that by a conservative view is estimated to grow fast up to 50 billion connected devices by 2020.

Whether we have fully acknowledged it or not, we are living under a constant surveillance, even those of us whose life is not completely technology-dependent.

There is one piece of equipment that we can no longer live without. We are pretty much inseparable from our mobile devices as they hold the data that makes up our lives.

Internet of Things: The World of Everything Connected

As busy executives, you conduct your business from your smartphone or tablet by flipping through emails, holding conference calls, and storing sensitive documents. Mobile devices hold your banking and health data, photos and videos of loved ones, travelling information, and the newsfeeds you follow. As you communicate and network professionally through your smart gadgets, you also use these to organise your home life, be it switching on electricity, heating, or security systems or choosing what TV programmes to watch. The era of the Internet of Things (IoT) has fully settled in, and our identity, as well as our location, our minute-by-minute activity, and information relating to who we spend this time with, is locked into this miniature piece of smart technology. Therefore, if your mobile is hacked into, it pretty much strips us naked; there is nowhere to hide (read more about the IoT Era in WhiteNews, Issues 21 and 22).

However, rather than viewing this period of ultimate technology-dependence as a risk, it should be noted that the value of the other side of the same coin is impossible to overestimate. If used in an authorised way, the limitless possibilities to tap into the data held in mobile phones may not only give us a vast amount of information, but may also function as our biggest privacy cover.

This month, Whiterock is stepping into new markets by launching Mobilewatch in partnership with AirPatrol. This is the most cutting-edge technology that can be used to counter the number one espionage vulnerability today – the mobile phone threat. Mobilewatch, the world’s most accurate mobile detection and locationing technology, is now available in the European privacy market, and this is crucial for a wide range of reasons, be it fighting terrorism, helping communication and consumer behaviour research, or providing a much needed security blanket for our corporate clients in protecting their most sensitive meetings and events.

Such cutting-edge geofencing technology as Mobilewatch is part of mobile security and location-based services (LBS). It extracts information that, if used for the greater good, not only makes our lives easier, but also helps us to spot immediate threats, identify them, and link them to certain sets of behaviours. This enables us to cut down the time to eliminate a threat dramatically.

Location-based services (LBS) have become increasingly important with the expansion of the mobile devices market, but they are in fact based on a 16 year old technological leap. The forerunners were the infrared Active Badge Location System, from the beginning of the 1990s, and the Ericsson-Europolitan GSM LBS trial, formulated by Jörgen Johansson in 1995. In the same year, employee Timo Rantalainen also wrote his master’s thesis on the subject (read more in the Sidebar on the next page).

Today, LBS are widely used information services in various contexts, including health, indoor object search, entertainment, work, personal life, and pretty much anything in between. Often they are even considered critical for businesses as well as government organisations, as a result of the fact that they drive real insight from data tied to a specific location where activities take place. This evolution has become possible due to the blending of LBS with another branch of research – what we today know as behavioural analytics – that also started flourishing in 1990.

Creation of Artificial Intelligence

Scientifically, behavioural analytics is called Machine Learning (ML) and it grew out of the quest to create artificial intelligence (AI) in the 1980s. The researchers’ work on symbolic and knowledge-based learning led to inductive logic programming and, in turn, this resulted in pattern recognition and information retrieval technology.

In the 1990s, ML, as a separate field of study, shifted focus away from the symbolic approaches it had inherited from AI towards methods and models borrowed from statistics and probability theory. Naturally, it also benefited enormously from the increasing availability of digitised information and the possibility to distribute this via the Internet.


This is the reason why technologies such as Mobilewatch are so special. Apart from locationing, they are also powerful ML and behavioural analytics tools. The particular strength of Mobilewatch, the most accurate system in the market, is that it detects and instantly locates mobile devices operating on WiFi, cellular, and wideband RF networks to within 10 feet (3 metres). For the first time, it not only displays all live devices in pre-determined areas, but also understands and reports the movement of these devices. This technology connects to virtually any mobile app and provides powerful analytics data that drives mobile engagement. Whilst drawing powerful statistics, Mobilewatch still maintains the privacy of every mobile device user. Therefore, it is easy to understand why it is the most cutting-edge combined LBS and ML tool to date.

For instance, in the retail sector, businesses use the power of Mobilewatch to gain unique insight into the visitor and consumer habits and preferences that make up their behaviour. When combined with bank or retailer loyalty apps, Mobilewatch automatically triggers a 'customer location alert' to the application server in order to provide the most relevant visitor offer at the precise moment when it is required.

It shouldn't come as a surprise that, regardless of whether you use Internet search engines, your social media site, or a familiar application, the countless ad banners appearing for you to see are far from randomly chosen. On the contrary, these are all specially tailored responses to your recorded consumer interests and preferences.

This is how smoothly the technology works, and it will not be long until it is difficult for businesses to survive and remain competitive without it, as Mobilewatch provides such a large quantity of information with unparalleled accuracy.

Power-Player in Behavioural Analytics

The majority of smartphone users have come across a message from a new application on their device that offers to pinpoint the user's location. Accepting this offer is often the pre-condition for using the applications for all those daily activities that make our lives so much easier.

This message is also one of the rare occasions where otherwise invisible geofencing technology shows us the extent of its heavy engagement in our mobile devices. Now, add a powerful ML system and you will end up with a technology that is very close to artificial intelligence. It has the ability to analyse an enormous quantity of behavioural data in a specified domain within a matter of seconds.

This non-intrusive technology is already widely used in both security and retail environments in the US. Some of the contexts include retail banks, trading floors, sensitive executive meetings, shopping centres, airports, universities, hospitals, and government enforcement agencies, such as border control and correctional institutions.

The Revolution of Location Based Services (LBS)

In 1990, the LA-founded International Teletrac Systems, which we today know as PacTel Teletrac, introduced the world's first dynamic and real-time stolen vehicle recovery services. After this, research really kicked off. The company began to develop location-based services (LBS) that could transmit information about location-based goods and services to custom-programmed alphanumeric Motorola pagers.

In 1996, the first 'Digital Timestamp Server' for email was created, and the first instances of 'GeoSpatial Keying', a cryptographic process for using time and location data to control access to certain key services, appeared. Later that same year, the US Federal Communications Commission (FCC) was already issuing regulations requiring all American mobile operators to determine the location of emergency callers.

The spatial patterns that location-related data and services can provide are one of their most powerful and useful aspects. Location is a common denominator in all of these activities and it can be leveraged to facilitate an increased awareness of patterns and relationships. For example, when we ask how authorities track down terrorist suspects in the immediate aftermath of notable attacks, including Paris, Brussels, Ankara, or any other location that has recently suffered from such tragedies, advanced LBS technology is the answer. Such technology explains how the US government tracks down much-hunted dictators and, in a notable example, how it located and killed the mastermind behind the biggest terrorist attack to take place on American soil.

LBS privacy issues arise depending on the context, but it is important to understand that, at present, these services are involved in everything from control systems to smart weapons. Today, LBS is one of the most heavily used – we are talking trillions of times a day here – application-layer decision frameworks in computing.

Did You Know? The New York Police Department (NYPD) has used mobile phone spying devices, known as Stingrays, over 1,000 times since 2008, including for the investigation of low-level crimes. According to the New York Civil Liberties Union (NYCLU), these are typically used without a warrant.



Military Technology Goes Commercial

Whilst companies are increasingly losing out to a global corporate espionage problem currently valued at $445bn annually in the US alone, current corporate security demands are often not met. This is primarily a result of the lack of availability of military-grade cutting-edge systems.

It is already widely known that government agencies, along with the military industrial complex, have access to systems similar to Mobilewatch on their top-secret missions, be it hunting down terrorists after the Paris shootings or the Brussels explosion, or catching internationally wanted criminals such as Osama Bin Laden and Saddam Hussein. So far, the technology has been too expensive for corporate/commercial use, but this situation is changing rapidly.

Today, solutions like Mobilewatch offer very advanced features that are affordable for global businesses. In 2011, the White House released a rare photo showing US President Barack Obama fielding calls, to keep up to date with events in Libya, from his super-secure 'blue tent' in Brazil. This tent is a mobile secure area known as a Sensitive Compartmented Information Facility (SCIF). Designed to allow officials to have top secret discussions on the move, it withstands eavesdropping, phone tapping, and computer hacking. Whitefloor provides the same solution: the safest place for sensitive conversations, calls, conferences, and for viewing confidential documents. It can be fitted into a permanent enclosure within a building or set up in mobile areas for people on the move. Mobilewatch can be integrated into corporate headquarters for access control and safe meetings, or it can be part of an event in a third party location such as a hotel or conference centre.

LBS and ML Revolution Under Way

The situation is relatively gloomy when industrial and corporate spies are seemingly always a step ahead, both in terms of creativity and technology, of the security and privacy providers. However, the implementation of ML and behavioural analytics, especially in combination with the cutting-edge accuracy of LBS, finally offers some promise of detecting hackers before they start exfiltrating high-value trade secrets and intellectual property (IP).

Not only can a sophisticated ML system detect intrusions, it can predict such events to the point where it is possible to ask the machine if you'll be attacked next Wednesday at 9 am from Russia or China. To believe that you'll get an answer that has over a 99% chance of being accurate takes a leap of faith. And yet, this is what a powerful ML system can give you.

One of the key benefits of LBS/ML technology like Mobilewatch is its versatility and adaptability. It allows organisations to harness vast amounts of data in order to predict all types of behaviour – including fraudulent activity, such as spying, stealing, and attacking. It is more than likely that the major security breaches, leaks, and hacks of the last decade – Target, Home Depot, Sony, J.P. Morgan, and others (read on Page 10) – could soon be a thing of the past if security solutions gain the predictive capabilities provided by sophisticated technology that combines LBS and ML. Both small and large businesses would be able to identify oddities sooner by connecting the dots between behavioural and contextual signals, alerting them that an attack is likely.

According to security specialists, a growing trend is shifting the industry away from signature-based technologies, as they are not sufficient to detect and prevent today's sophisticated adversaries. Furthermore, Gartner, Inc. (NYSE: IT), the world's leading information technology research and advisory company, ranked ML among the top five technologies at the 'peak of inflated expectations' in its 2015 Hype Cycle, the point on that curve where attention is highest and the technology has yet to prove itself in routine production use.

With over two decades in the security market, Whiterock has protected hundreds of high-level confidential business events and board meetings from information leaks. What we have found is that, in order to protect our clients' competitive edge, it is necessary not to underestimate the human factor, to control the devices around confidential information, and, most importantly, to employ the most cutting-edge technology to counter physical threats. No business that has its security measures lagging behind those of its competitors is ever going to increase its value, especially in the current era of speedy technological development.

Did You Know? Although 97% of Android phones have encryption as an option, less than 35% of the devices are actually prompted to turn it on when the phone is first activated. This means that the majority of Android phones are not encrypted, whilst 94% of iPhones encrypt all data.


New Spy Technology: Camera that Sees Around Corners

It is no longer a mission impossible to track people and moving objects around the corner in blind spots. Using a highly sensitive camera that can take 20 billion frames per second together with an infrared laser, researchers have developed a way of seeing and filming around corners. Although the system will find plenty of legal use in rescue operations or in automobiles, it also offers limitless new espionage opportunities.

The revolutionary surveillance system works by shining a short pulse laser on the floor just beyond a corner. When the scattered light meets an object hidden around the corner, it is reflected and, with the help of a super-sensitive camera, the system detects the extremely faint reflected light or 'echo'. This information is used to generate an image. By looking at how long it takes for this light to reach the camera, the researchers can calculate how far away the object is. Moreover, by examining the echo's shape, it is possible to determine the location of the object. In this way, the camera can track people or objects that are out of sight as they move, in real time.

According to Genevieve Gariepy, a lead photonics researcher at Edinburgh-based Heriot-Watt University in Scotland, the results pave the way for tracking hidden objects in real time in a number of real-life scenarios. These include surveillance, rescue missions, and an implementation in automobiles for detecting incoming hidden vehicles.

Although there have been groups who have previously revealed technology based on the analysis of reflected light from hidden objects to see around corners, the ability to track objects has previously been difficult, because the reflected light is such a faint signal. The highly sensitive camera in the new system eliminates that problem. The research, published in the journal Nature Photonics, uses a camera that is capable of capturing 20 billion frames per second and that can detect just a single photon, the basic particle that forms light. Furthermore, as the laser is infrared, its light cannot be seen with the naked eye.

Espionage Vulnerability: 3D Printer Spying Leads to Reverse-Engineering

Researchers at the University of California, Irvine (UCI) reported findings last month that could belong to a spy novel. The team, led by Mohammad Al Faruque, director of UCI's Advanced Integrated Cyber-Physical Systems Lab, demonstrated that they could purloin intellectual property (IP) by recording and processing the sounds emitted by a 3D printer.

Apparently, a device as ordinary for all of us as a smartphone can capture acoustic signals that carry information about the precise movements of the printer's nozzle, if placed next to the machine. It is then possible to use the recording to reverse-engineer the object being printed and, subsequently, to re-create it anywhere else. This describes a new kind of espionage attack that could be used to decipher trade secrets and sensitive information in various forms.

Al Faruque's team presented their results at this month's International Conference on Cyber-Physical Systems in Vienna. State-of-the-art 3D printing systems convert digital information embedded in source code in such a way as to build layer upon layer of material until a solid object takes shape. That source file, referred to as G-code, can be protected from a potential thief with strong encryption, but once the creation process has begun, the printer emits sounds that can give up the secrets buried in the software.

'My group basically stumbled upon this finding last summer as we were doing work to try to understand the relationship between information and energy flows,' said Al Faruque. 'According to the fundamental laws of physics, energy is converted from one form to another and some become emissions, which may unintentionally disclose secret information.' The emissions produced by 3D printers are acoustic signals that contain a lot of information. Although the researchers' team was initially not investigating this from the security angle, various US government agencies quickly picked up the discovery as notable and, as a result, the study received funding from the US National Science Foundation.

Let us imagine a manufacturing plant in which the labourers who work on a shift basis are not monitored for the smartphones they carry. Stealing confidential process and product information, blueprints, or designs in prototyping phases may hit large organisations that are working on cutting-edge products or solutions and cause them to suffer financially. Furthermore, although the researchers discovered this vulnerability, there is not yet a way to protect companies from such an attack.

As a countermeasure, Al Faruque suggests that engineers should think about ways to jam the acoustic signals emanating from 3D printers. It has been proposed that this could take place via a white-noise device that introduces intentional acoustic randomness or by deploying algorithmic solutions. At the very minimum, a basic precaution to prevent people from carrying smartphones near the rapid prototyping areas should be applied.

Did You Know? Much of the encryption world today depends on the challenge of factoring large numbers, but scientists say that they have created the first five-atom quantum computer. This is significant as this kind of device has the potential to crack the security of traditional encryption schemes, although the demonstration factored only the number 15, and breaking real-world key sizes would require a machine many orders of magnitude larger.


21st Century Hacking: 7 Worst Data Security Breaches

Headlines about another massive hack or data breach appear in the news so frequently today that we have almost stopped paying attention to the magnitude of one or another. For some perspective, here are seven of the biggest incidents in recent memory.

1. Heartland Payment Systems in 2008

SQL injection was used to install spyware on the data systems of this New Jersey-based Fortune 1000 payment processing and technology provider, exposing 134 million credit cards. A Cuban-American, Albert Gonzalez, was alleged to have masterminded the international operation. In addition to him, two unnamed Russian accomplices were indicted in 2009. In March 2010, Gonzalez was sentenced to 20 years in federal prison. Whilst security analysts had warned retailers about their vulnerability to SQL injection for years, it still remains the most common form of attack against websites.

2. RSA Security in March 2011

The impact of the cyber attack which stole 40 million employee records relating to the security firm's SecurID authentication tokens is still being debated. Two hacker groups worked in collaboration with a foreign government to launch spear phishing attacks against RSA employees, posing as people they trusted in order to penetrate the company's network. Remediation cost at least US$66 million. We reported on the RSA hack as one of the best examples of a phishing attack (read in WhiteNews, Issue 22). This attack illustrates that the human factor continues to be a notably weak link in organisations.

3. Target Stores in December 2013

The breach that was discovered in December actually began before Thanksgiving. The retail giant stated that hackers gained access through a third party to its point-of-sale (POS) payment card readers, where they collected approximately 40 million credit and debit card numbers. Currently, the final estimate is that the breach affected as many as 110 million customers. Target's CIO resigned in March 2014, and its CEO resigned in May. The company recently estimated the cost of the breach at US$162 million.

4. Sony's PlayStation Network in 2011

In April 2011, the worst gaming community data breach of all time affected 77 million PlayStation Network accounts and resulted in the loss of 12 million unencrypted credit card numbers as well as millions of dollars. Sony states that it has still not found the source of the hack. Whoever it was, they gained access to full names, passwords, e-mails, home addresses, purchase history, credit card numbers, and PSN/Qriocity logins and passwords. It should remind those in IT security to identify and apply security controls consistently across their organisations and to warn customers to be vigilant as to who has access to their sensitive data.

5. Google / Other Silicon Valley firms in 2009

Chinese government hackers launched a massive and unprecedented industrial espionage attack on Google, Yahoo, and dozens of other Silicon Valley companies in mid-2009. They exploited a weakness in an old version of Internet Explorer in order to gain access to Google's internal network. It is not known exactly what data was stolen from the US companies, but Google admitted that some of its intellectual property had been stolen and that it would soon cease operations in China.

6. CardSystems Solutions in June 2005

Hackers broke into the database of CardSystems Solutions (CSS), one of the top payment processors for Visa, MasterCard, and American Express, using an SQL injection attack. The malicious code, inserted through the web application, ran against the database every four days, placed card data into a zip file, and sent it out via FTP. Since the company never encrypted users' personal information, the hackers gained access to names, account numbers, and verification codes for more than 40 million card holders. At the time, Visa spokeswoman Rosetta Jones told Wired News that CSS had received an audit certification in June 2004 stating that it was compliant with data storage standards, but an assessment after the breach showed that it was not compliant. "Had they been following the rules and requirements, they would not have been compromised", Jones said. The company was forced into an acquisition and was bought by Pay-by-Touch at the end of 2005.

7. AOL in August 2006

What was called in January 2007 one of the 'Dumbest Moments in Business' had occurred the previous August. AOL Research released a compressed text file on one of its websites containing 20 million search keywords for more than 650,000 users over a three-month period, along with their shopping and banking data. While it was intended for research purposes, it was mistakenly posted publicly. AOL pulled the file from public access by the next day, but not before it had been mirrored and distributed on the Internet. Personally identifiable information was present in many of the queries, and the breach led to the resignation of AOL's CTO, Maureen Govern.
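The Heartland and CardSystems entries above both turn on SQL injection, which the list notes is still the most common attack on websites. The following Python example is added here as an illustration and is not code from the original article or from any of the companies named: it builds an in-memory SQLite table from constructed sample rows (the usernames, passwords and masked card strings are invented), shows how a login query assembled by string concatenation is bypassed by a payload that closes the quoted string and comments out the password check, and then shows the parameterised query that closes the hole.

```python
import sqlite3

# Constructed sample rows for the demonstration; not real customer or card data.
SAMPLE_USERS = [
    ("alice", "s3cret-pw", "4111-xxxx-xxxx-1111"),
    ("bob", "hunter2", "5500-xxxx-xxxx-0004"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Login query assembled by string concatenation (the injectable form).

    Whatever the user types becomes part of the SQL text, so quote characters
    and comment markers in the input are parsed as SQL, not treated as data.
    """
    sql = (
        "SELECT username, card FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The same query with bound parameters: input is handed to the engine as
    values and is never spliced into the SQL text."""
    sql = "SELECT username, card FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# A classic payload: closes the string literal, adds an always-true condition and
# comments out the password check.  The resulting vulnerable query reads
#   ... WHERE username = '' OR 1=1 --' AND password = 'anything'
INJECTION_PAYLOAD = "' OR 1=1 --"


def demo() -> dict:
    """Run both forms against the same database and return what each one yields."""
    conn = make_db()
    return {
        "legit_safe": login_safe(conn, "alice", "s3cret-pw"),
        "attack_vulnerable": login_vulnerable(conn, INJECTION_PAYLOAD, "anything"),
        "attack_safe": login_safe(conn, INJECTION_PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Run the file to see the three results: the legitimate login returns Alice's row, the injected login against the concatenated query returns every row including the card column, and the same payload against the parameterised query returns nothing. The point to take from the vulnerable form is that the database cannot tell attacker-supplied text from the developer's SQL once they are concatenated; bound parameters send the two separately. In a real application the card column would also be encrypted or tokenised rather than stored in clear, which is the second failing the CardSystems account describes.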


Woven from Espionage: The Rise of the American Textile Industry

Samuel Slater, later also called 'Slater the Traitor', established the United States' first textile mill in 1793. Now, he is regarded as the father of America's industrial revolution. However, today's US industry owes as much to his fantastic memory and sneakiness as it does to his skills as a textile weaver. Slater, who took textile secrets from England to America, made a considerable fortune of US$10 million by the time of his death in 1835. When adjusted for inflation, his fortune was worth the equivalent of today's US$250 million.

Born in Belper, England in 1768, Slater started working as an apprentice with mill owner Jedediah Strutt when only 14 years old. Clever and talented, he quickly became Strutt's 'right hand' and learned a great deal about cotton manufacturing and management over the next seven years. It was there that he saw how the first water-powered textile machine, Richard Arkwright's spinning frame, was used in large mills. When Slater saw a Philadelphia newspaper that offered a 'liberal bounty' of £100 to encourage English textile workers to come to the US, he was ready to take off with the trade secrets.

At the time, England wanted to ensure that the colonies would be dependent on Britain as the major market for their cotton and other raw materials. Although happy to purchase American cotton, the country wanted it to be processed by English workers in order to guard its manufacturing secrets. England passed laws in 1774 that prohibited both the export of technology and the travel or emigration of textile workers to the US.

In light of this, Slater clearly understood the risks involved. When he boarded a ship bound for New York, he was dressed as an English farmer's son, not a machinist or mill worker, and he took no machine plans or models with him. Instead, he memorised all the necessary information.

Upon arrival, Slater managed to commence business with the Brown family and William Almy in Rhode Island. Legend has it that it took him just one year to build the complicated Arkwright machine from memory. Within a short space of time the business took off, and they had plenty of thread to sell. In 1793, the newly established Almy, Brown, and Slater Company built the mill that would usher in the American industrial revolution. Thanks to Slater, the US processed over 40 times the amount of cotton in 1835 as it did in 1790, and the British textile industry shrank as America's industry expanded.

Video of the Month: The Great Brain Robbery of the US

If spying is the world's second oldest profession, the government of China has given it a new, modern-day twist, enlisting an army of spies not to steal military secrets but the trade secrets and intellectual property of American companies. The Justice Department says that the scale of China's corporate espionage today is so vast it constitutes a national security emergency. The extent of the problem is such that it costs American companies US$450 billion in losses annually and also more than two million jobs. Whiterock introduces the report by 60 Minutes, the investigative news flagship, discussing how China is targeting virtually every sector of the US economy.

Playing Hot Potato: 'Encryption for Dummies'

Encryption has been leading headlines ever since the Apple vs. FBI fight broke out earlier this year. It is also a hot-button topic in the ongoing United States presidential primaries. But what exactly is encryption and how does it work?

Encryption, or cryptography, which is as old as secrets themselves, is a way of scrambling a message so as to render it unreadable. During the Second World War, the Nazis famously jumbled up their communications with a device called the Enigma Machine, but the Allies were eventually able to crack the code. Today's best cryptography is advanced enough that it is very hard for even the world's greatest code breakers to crack.

Modern encryption takes a file and scrambles its content, sometimes also adding bits of meaningless information to make it even more difficult to decipher. This is done using an encryption algorithm, which tells a computer how to scramble or unscramble a file, together with an encryption key, the secret value that the algorithm needs in order to do so; the algorithm itself is usually public, and the secrecy rests entirely on the key. Although this explanation sounds simple enough, heavy-duty maths is involved in powering encryption. It is often said that it would take 1 billion years for a supercomputer to crack 128-bit encryption using a 'brute force' process, that is, by trying every possible key in turn.

But does this still apply in today's world, where technology develops at 'light-speed'? In fact, many of today's computers use even stronger, 256-bit encryption, but there is cause to consider that encryption in practice is not as secure as we once believed. Take the documents published by WikiLeaks and in Edward Snowden's revelations: these were not obtained by breaking the ciphers but by insiders with authorised access and by compromising the systems that held the data, and those same routes around the mathematics are open to other attackers against many of the world's top security standards.

Nevertheless, encryption still protects vast quantities of data from the majority of hackers, who are not extensively sophisticated. What is relevant to today's debate over encryption is whether global companies should provide 'backdoors' so that law enforcement can access encrypted data. Although the 'yes camp' believes that the authorities require such access in order to stop criminals and save lives, the 'no camp' argues that this inevitably serves to keep the same 'backdoors' open for hackers. Clearly, the final outcome of this debate will have massive implications for our online security and safety for decades to come.
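To make the 'brute force' arithmetic above concrete, here is an added Python example; it is not code from the original article, and the cipher in it is a toy built from SHA-256 for illustration only, not something to use for real data. It encrypts a short message under a constructed 16-bit key, recovers that key by trying every candidate against a known plaintext prefix, measures the guess rate achieved on the machine it runs on, and extrapolates the same exhaustive search to 128-bit and 256-bit keys.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || 32-bit counter) blocks.

    A hash-based stream cipher used only to illustrate what a key is; use a
    vetted library construction (e.g. AES-GCM) for anything real.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; the key, not the algorithm, is the secret."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR is its own inverse, so decryption is the same operation


def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Exhaustively try every key of key_bits bits, returning (key, attempts) for
    the first key that decrypts the ciphertext to the known plaintext prefix."""
    key_len = (key_bits + 7) // 8
    probe = ciphertext[: len(known_prefix)]
    for candidate in range(1 << key_bits):
        key = candidate.to_bytes(key_len, "big")
        if decrypt(key, probe) == known_prefix:
            return key, candidate + 1
    return None, 1 << key_bits


def expected_years(key_bits: int, guesses_per_second: float) -> float:
    """Average time to hit the right key by exhaustive search: half the key space."""
    return 2 ** (key_bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def demo() -> dict:
    """Recover a 16-bit toy key by brute force, then extrapolate to 128 and 256 bits."""
    key = (0xBEEF).to_bytes(2, "big")  # constructed 16-bit key for the demonstration
    message = b"ATTACK AT DAWN"
    ct = encrypt(key, message)
    start = time.perf_counter()
    found, attempts = brute_force(ct, b"ATTACK", 16)
    elapsed = max(time.perf_counter() - start, 1e-9)
    rate = attempts / elapsed  # guesses per second achieved on this machine
    return {
        "key_recovered": found == key,
        "attempts": attempts,
        "guesses_per_second": rate,
        "years_for_128_bit": expected_years(128, rate),
        "years_for_256_bit": expected_years(256, rate),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3g}" if isinstance(value, float) else f"{name}: {value}")
```

On an ordinary laptop the 16-bit search finishes in a fraction of a second, whereas the extrapolated figure for 128 bits is on the order of 10^18 years even at a trillion guesses per second, and 256 bits multiplies that by another factor of 2^128. That is why attackers in practice go after the key itself, the implementation, or the endpoint rather than the mathematics, which is the distinction the paragraph about the leaked documents draws.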

11 Manor Courtyard, Hughenden Avenue, High Wycombe, Buckinghamshire HP13 5RE, UK. Tel: +44 (0) 844 247 4538. www.whiterockprivacy.com

Letter From America: Solution to the Worst Leaker Since the Titanic

I have a saying, "Raise your head above the crowd, and somebody will throw a brick." Usually, this is a good thing. Seeing salvos whiz by is a sign one is achieving. The more you see, the better you are doing. In the case of the ubiquitous Wireless Local Area Network (WLAN, aka Wi-Fi), the salvos are more like silent torpedoes. You won't see them coming. Spies, hackers and terrorists, hiding in their digital U-boats, are targeting Wi-Fi big time. It is top of their hit list. And, why not? Most Wi-Fi systems are sitting ducks.

There is good reason for the increased focus on attacking from this angle. Wi-Fi is not just for laptops anymore. These portals are now used by smartphones, printers, VoIP phones, IP video cameras, smart TVs, personal assistants (Amazon Echo), and a host of other Internet of Things (IoT) devices. Even some home weather stations and alarm systems are transmitting audio and video. Wi-Fi exposes them all to remote attack.

Additionally, many bugging devices now use Wi-Fi as a bilge pump to move information out, without sinking the ship. Batten down the hatches and turn on the radar. It's as easy as 1-2-3, and you don't have to do it yourself. All you have to do is make sure it gets done. Let's get started.

1. Conduct an independent technical assessment of your Wi-Fi system.

Have a TSCM consultant handle this for you at work, and at home. The assessment should be conducted from two points of view: security and legal compliance.

2. Harden your Wi-Fi network.

If you have staff IT technicians, have them run down my checklist to fix any oversights or vulnerabilities. Your TSCM consultant can also help you accomplish the task. You don't need to know all the technical details. Pages of explanations have been written as to why each of these items is on the list. Just trust that each item is on the list for a good reason, and double-check to make sure each task is accomplished.

3. Conduct re-inspections of your Wi-Fi system on a scheduled basis.

In addition to establishing a history of due diligence, re-inspections identify new connections to the network which may be unauthorized, or incorrectly configured for security. Quality TSCM consultants will do this as a matter of course when conducting your regular inspections for bugging devices.

"I am the master of my fate, I am the captain of my soul." William Ernest Henley 1849–1903

His words apply to many things in life, and these days it includes our electronic souls. Start the protection process, now, before it is too late.

From America, sail safely my friends!

Kevin

Murray's Security: Summary Checklist

• Change the default URL, username and administrator password; the network security settings to WPA2; and the default SSID (but not to something which identifies you).
• Turn off Wi-Fi Protected Setup (WPS), or use it with caution. "PIN" codes have a finite number of combinations and can be easily guessed using a hacking program.
• Maintain an up-to-date list of everything you expect to see on the network, even if you do not use MAC filtering (see below).
• Scan the network for "UFO" MAC and IP addresses regularly.
• Make sure the Wi-Fi hardware firmware is kept up-to-date.
• Disable remote login to the Access Points (APs) and Wi-Fi administration of the router.
• Turn on the firewall if your device offers one and turn off Guest networking. If you need to offer Guest access, keep it separate from your network.
• Use anti-virus and anti-spyware software on the devices which access your wireless network.
• Check for Wi-Fi capability when adding new equipment to your network. Printers are notorious for having Wi-Fi capability active by default without any security measures activated.
• Once you've set up your router or AP, log out as administrator.
• Disable broadcasting of the SSID and reduce the range of the wireless signal to only what is needed.
• Filter MAC addresses to comb out unauthorized users from connecting. Tip: On larger Wi-Fi networks, adding a MAC profile matcher will make this a much more effective security measure.
• Turn off the wireless router when you are not using it, and never assume public wireless networks are secure.
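Two items on the checklist, keeping an up-to-date list of everything expected on the network and scanning regularly for 'UFO' MAC and IP addresses, can be turned into a routine check. The Python script below is an added example and is not part of Mr Murray's column: it parses a constructed ARP-table dump in the 'host (ip) at mac' layout that `arp -a` prints on Linux and macOS, normalises MAC addresses (macOS drops leading zeros in octets, so 'aa:bb:cc:0:0:2' must compare equal to 'aa:bb:cc:00:00:02'), compares what it sees against a constructed inventory keyed by MAC, and reports unknown devices, known devices on an unexpected address, and inventory devices that did not appear at all. The inventory and the ARP output are both invented for the example.

```python
import re
from dataclasses import dataclass

# Constructed inventory for this example, keyed by MAC address: every device you
# expect to see on the network and the address it should be using.
EXPECTED_DEVICES = {
    "aa:bb:cc:00:00:01": ("router", "192.168.1.1"),
    "aa:bb:cc:00:00:02": ("office-printer", "192.168.1.20"),
    "aa:bb:cc:00:00:03": ("conference-tv", "192.168.1.30"),
    "aa:bb:cc:00:00:04": ("door-controller", "192.168.1.40"),
}

# Constructed ARP-table dump in the "<host> (<ip>) at <mac> ..." layout that
# `arp -a` prints on Linux and macOS (macOS omits leading zeros in MAC octets).
SAMPLE_ARP_OUTPUT = """\
router.lan (192.168.1.1) at aa:bb:cc:00:00:01 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:0:0:2 on en0 ifscope [ethernet]
? (192.168.1.77) at de:ad:be:ef:12:34 [ether] on eth0
? (192.168.1.31) at aa:bb:cc:00:00:03 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})(?![0-9a-fA-F:])"
)


def normalise_mac(mac: str) -> str:
    """Lower-case and zero-pad each octet so 'aa:bb:cc:0:0:2' equals 'aa:bb:cc:00:00:02'."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_arp_table(text: str) -> dict:
    """Return {mac: ip} for every resolved entry; unresolved (<incomplete>) lines are skipped."""
    seen = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            seen[normalise_mac(match.group("mac"))] = match.group("ip")
    return seen


@dataclass
class Finding:
    kind: str  # "unknown_device" or "address_mismatch"
    mac: str
    ip: str
    detail: str


def audit(seen: dict, expected: dict) -> list:
    """Flag MACs that are not in the inventory, and known MACs seen on an unexpected address."""
    findings = []
    for mac, ip in seen.items():
        if mac not in expected:
            findings.append(Finding("unknown_device", mac, ip, "MAC not in inventory"))
            continue
        name, expected_ip = expected[mac]
        if ip != expected_ip:
            findings.append(
                Finding("address_mismatch", mac, ip, f"{name} expected at {expected_ip}")
            )
    return findings


def missing_devices(seen: dict, expected: dict) -> list:
    """Inventory entries that did not show up at all (powered off, moved, or replaced)."""
    return sorted(name for mac, (name, _) in expected.items() if mac not in seen)


if __name__ == "__main__":
    seen_devices = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for finding in audit(seen_devices, EXPECTED_DEVICES):
        print(f"{finding.kind}: {finding.mac} at {finding.ip} ({finding.detail})")
    for name in missing_devices(seen_devices, EXPECTED_DEVICES):
        print(f"missing: {name}")
```

Replace SAMPLE_ARP_OUTPUT with the output of `arp -a` and EXPECTED_DEVICES with your own inventory, and run it on a schedule; on the sample data it reports one unknown device, the conference TV on the wrong address, and the door controller absent. A caveat that belongs with the MAC-filtering item as well: MAC addresses are trivially spoofed, so this check catches accidental or careless additions such as a printer with Wi-Fi left on, not an attacker who clones an authorised device's address, which is why the checklist pairs it with scheduled professional inspections.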

Kevin D. Murray, CPP, CISM, CFE, is our associate in America.

We always value your comments and feedback. Katrin Vaga, Research and PR Executive. [email protected] +44 (0) 844 247 4538 Twitter: @whiterockprivacy YouTube: @whiterockprivacy

© Cope Whiterock Limited 2016 - WhiteNews® - USCM® - SECM® - ISO9001 Registered Firm - Certification Number GB2000647
