Cameras May Open Up the Board Rooms for Eavesdropping

This is a New York Times article published on January 23, 2011 with the title “Cameras May Open Up the Board Room to Hackers” by Nicole Perlroth:

Mike Tuchen, left, and H D Moore of Rapid 7 were able to gain access to company boardrooms with videoconferencing equipment.

One afternoon this month in San Francisco, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms: videoconferencing equipment.

With the move of a mouse, he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.

A company boardroom viewed via videoconferencing equipment from Rapid 7’s offices.

In this case, the hacker was H D Moore, chief security officer at Rapid 7, a Boston-based company that looks for security holes in computer systems that are used in devices like toaster ovens and Mars landing equipment. His latest find: videoconferencing equipment is often left vulnerable to hackers.

Businesses collectively spend billions of dollars each year beefing up security on their computer systems and employee laptops. They agonize over the confidential information that employees send to their Gmail and Dropbox accounts and store on their iPads and smartphones. But rarely do they give much thought to the ease with which anyone can penetrate a videoconference room where their most guarded trade secrets are openly discussed.

Mr. Moore has found it easy to get into several top venture capital and law firms, pharmaceutical and oil companies and courtrooms across the country.

He even found a path into the Goldman Sachs boardroom. “The entry bar has fallen to the floor,” said Mike Tuchen, chief executive of Rapid 7. “These are some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.”

Read more in the New York Times


Spy@home? Mandatory Filtering Software in China

from the Electronic Frontier Foundation’s Deeplinks blog

China’s Spy in the Home

Commentary by Danny O’Brien

The Chinese Ministry of Industry and IT’s announcement that all PCs sold in China must include government-approved filtering software is a profoundly worrying development for online privacy and free speech in that country. While the application, “Green Dam Youth Escort”, claims to only block pornographic sites, the access to a home computer such filtering software requires means that it could also have the power to conduct all sorts of other surveillance and control — far more than China’s current monitoring and blocking systems at the ISP level permit.

On present-day operating systems, government-controlled software that is granted such admin rights would be able to collect IM and email conversations, install keyloggers, and relay microphone and webcam recordings. It could prevent or detect the use of web proxies (the primary method of Chinese citizens seeking an uncensored Internet), and scan for privacy-protecting software like Tor and PGP. Business users of Chinese PCs will be vulnerable to state-sponsored corporate espionage. Foreign users of computers in China will be unable to guarantee the security of their communications.

Are these realistic threats? Absolutely: indeed, we’ve already seen what many suspect is the Chinese government’s use of software in this way. A localised Chinese version of Skype included backdoors that passed on private IM conversations to third parties. Tibetan dissidents have struggled with keylogging spyware that is uniquely targeted at this political group.

But until now, such software has relied on duping its users as to its function or on the poor security of their operating systems. “Green Dam Youth Escort” will allow the Chinese state an automatic foothold on every Chinese PC, installing their own code remotely through automatic upgrades.

PC distributors have already reacted negatively to the announcement, not least because of its unrealistic deadline of July 1st. Dell has said that it will only consider installing the software if its only purpose is to block pornographic content from children, and only if it can be disabled.

These companies need to continue the pushback, not just for reasons of practicality, or for privacy and surveillance, but in defence of their users’ right to manage their own property.

Other software companies, like the anti-virus companies, can assist by detecting and removing such programs in just the same way as they defeat other malware that undermines user control (if they do not, they risk having criminal non-government malware use the Chinese program as a method to conceal its own intentions, as happened with the Sony Rootkit).

Finally, Western governments need to understand that their own plans to infect computers with such software — under the proposed Loppsi 2 law in France, or the Federal Trojan project in Germany, or via the FBI’s current domestic spyware projects — need detailed scrutiny and firm judicial controls in place. The modern PC is as private and personal a locale as a citizen’s home. Any state that claims to respect human rights and civil liberties should respect that privacy.