The audio chipsets in many modern PCs allow audio jacks to be flipped from lineout to line-in, says team from Israel’s Ben-Gurion University.
Researchers at Israel’s Ben-Gurion University of the Negev have devised a way to turn any computer into an eavesdropping device by surreptitiously getting connected headphones or earphones to function like microphones.
In a paper titled “SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit,” the researchers this week described malware they have developed for reconfiguring a headphone jack from a line-out configuration to a line-in jack, thereby enabling connected headphones to work as microphones.
The exploit works with most off-the-shelf headphones and even when the computer doesn’t have a connected microphone or has a microphone that has been disabled, according to the researchers.
The malware takes advantage of the manner in which some audio chipsets in modern motherboards and soundcards work. In a typical computer chassis, the audio jacks that are built into the front or rear panel are used either as line-in or input jacks or line-out jacks for audio output.
The chipsets in such cards support a little-used jack re-mapping or a jack re-tasking option for changing the function of the audio ports from line-in to line-out via software.
Audio chipsets from Realtek Semiconductor, for instance support this capability, though it is not documented in any technical specifications for the product, the researchers from Ben-Gurion University noted. Realtek codecs are the most widely used in PCs but other codec manufacturers allow jack repurposing as well, the researchers said.
In addition, researchers have for some time known that speakers can, with a little tweaking, be made to function like a microphone, they said. “Loudspeakers convert electric signals into a sound waveform, while microphones transform sounds into electric signals,” their paper noted.
In a speaker, electrical signals are used to create a changing magnetic field that moves a diaphragm in order to produce sounds. In a microphone, a diaphragm moves through a magnetic field to induce an electrical signal. “This bidirectional mechanism facilitates the use of simple headphones as a feasible microphone, simply by plugging them into the PC microphone jack,” the research paper said.
This capability, coupled with the fact that audio jacks can be programmatically altered to switch from output only to input jacks, creates a vulnerability that attackers can use to turn any computer into an eavesdropping device, according to the BGU researchers.
Tests to evaluate the quality of audio signals generated by off-the-shelf headphones plugged into jacks that had been modified by SPEAKE(a)R showed it is possible to acquire intelligible audio from several meters away.
Social media, employee reviews and spymail are areas of concern in the digital age.
Business is a game of constant competition, but the widespread emergence of covert surveillance and tracking tools has expanded the playbook. Now, industrial espionage has a new dimension.
In the corporate world, the practice is nothing new. In fact, it’s been a marketing tactic for decades. As its name suggests, industrial espionage involves companies deploying spying schemes to gain privileged actionable intelligence about business competitors. But the digital age has given corporate spying a new face. And with the modern proliferation of web-based spying options, corporate surveillance is more sophisticated and covert than ever.
Today, corporate spies for hire carry titles like “Competitive Intelligence Analyst” and “Competitive Market Strategist.” There are many lucrative opportunities for these workers. And they might be watching your business right now. Here are three of the ways they do it—and also how to dodge their efforts.
Monitoring online mentions
One of the easiest and most commonly used ways corporate spies track competitors is by monitoring their online mentions via various tools. As Kissmetrics’ blog points out, Google Alerts sits atop this list. Not only is it a straightforward tool that provides organizations with constant notifications when they’re competitors are mentioned via social or other web platforms—it’s also free. Other widely used tools include Buzzsumo, which monitors social mentions, and Competitive Research & Keyword Research Gadget.
Because these resources are so widely available and economical, there’s no way to counter their use. But companies can prevent them from being used more deviously by competitors by monitoring coverage to ensure they get out ahead of any negative publicity.
However, the act of monitoring can be cumbersome for certain businesses, particularly smaller organizations without the dedicated personnel to carry it out. That’s why enterprises often turn to reputation management companies to handle the job for them. For enterprises choosing to go this route, it’s important to comprehensively vet a prospective reputation management partner based on cost, transparency and the relevance of services offered. Because these companies cover a broad range of offerings and are often highly industry- and service-specific, it’s imperative to find the right reputation manager for your business. For example, if your business is looking to optimize its SEO strategy, then look for a reputation management service specifically geared toward SEO consulting.
Capitalizing on negative employee reviews
While many marketers use tools like Buzzsumo and Google Alerts solely to ascertain where they stand, the uses can get shadier. In some cases, for instance, a company spy may use a site like Google Alerts to closely monitor any negative reviews its closest business competitor receives on sites like Glassdoor and Ripoff Report. From there, the spy might attempt to share these negative reviews with the competitors’ top customers.
Because Glassdoor, Ripoff Report and other similar sites are open forums for user-submitted content, companies can’t hope to eliminate the negative reviews their competitors may be sharing. But they can significantly mitigate the negative impact by actively engaging with the reviews on these sites. By constructively responding to negative employee-contributed reviews, companies can undermine the efforts of corporate spies hoping to fuel negative sentiment by directing customers to this content.
Spymail is a more sophisticated and insidious industrial espionage technique. The process involves embedding hidden tracking code in emails that allows the sender to uncover data about the recipient. Spymail reveals when and where you open it and forward it. At the very least, corporate senders of spymail can use this metadata to monitor individual employees. At the worst, they can harness it to mount phishing and social engineering attacks.
Consider this hypothetical, and malicious, scenario: a company could use spymail to track the geographic movements of a competitor’s highest-ranking IT personnel, since all these staffers would have to do is open an email with spymail to reveal their exact location. By tracking these movement changes, the company could determine when its rival is most vulnerable—say, when the head of IT is on a plane to a conference—and use this moment to launch a cyberattack on the competitor carried out by a hacker for hire.
In recent years, spymail has grown exponentially, and today there are nearly 3 million people using email trackers. Among them are sophisticated marketers and corporate spies using it to dig up confidential information. To stop spymail from putting them at a competitive disadvantage—not to mention weakening their corporate cybersecurity and employee safety—companies should consider deploying an enterprise-grade anti-spymail solution.
Industrial espionage poses a significant risk to businesses across all sectors. It’s important for all companies to recognize the ways corporate spies are using sophisticated tools to undermine competitors. By taking proactive steps to counter these tactics, businesses can watch their back to avoid negative, and potentially catastrophic, fallout.
Paul Everton is the founder and CEO of MailControl, an anti-spymail solution that detects and removes email tracking code from emails before they are delivered to user inboxes.
This story first appeared in the November 28, 2016 issue of Adweek magazine.
A customer in Starbucks London allegedly found a hidden camera above a toilet in one of their cafes.
The customer was in Starbucks Vauxhall when he spotted a device hidden in an air vent above the toilet cubicle.
He was quoted as saying,
“I go in regularly. I ordered my drink and while I was waiting I popped in to use the toilet.
“I was standing using the toilet when I noticed a little glint Iike the way glass reflects.
“I stood on top of the toilet seat to get a better look and realised it was a webcam or some other kind of recording device.”
The gentleman, who once worked for Starbucks, stated that he brought it to management’s attention. The device was then removed and apparently handed to police.
Starbucks has confirmed that they were aware of the incident and had reported it to the police.
A spokesperson said: “This is a distressing discovery for our partners (employees) and customers, and we take our responsibility to provide a safe environment very seriously. As soon as the store was made aware of this, we removed the device and contacted the police who are investigating the incident.”.
The Indianapolis Colts, mobile developer YinzCam and audio technology company LISNR were named in a class action lawsuit filed Oct. 14 in Pennsylvania alleging that features of the team’s official app allowed them to listen in to private conversations without consent.
Plaintiff Alan Rackemann, a citizen of Indiana pursuing punitive and statutory damages, lists San Francisco-based law firm Edelson PC as a member of his legal counsel in the case. The Golden State Warriors’ official team app was the focus of a similar lawsuit filed in August that saw Edelson PC also represent the plaintiff in that case, LaTisha Satchell.
“It’s a lot of things that are fishy,” LISNR CEO and founder Rodney Williams said in response to the allegations. “It’s a little bit of lawyers being opportunistic, and it’s a lot of false allegations and just bad information.”
Rackemann’s suit alleges that LISNR “utilizes a novel beacon technology called audio beacons,” and that for it to work, the defendants “surreptitiously” turn on smartphone microphones and unlawfully listen in. Powered by low-energy Bluetooth, beacon technology pinpoints user locations and uses the information received to push ad-related content. Williams passionately refuted LISNR’s association with beacon technology.
Juniper Networks patched a crypto bug tied to its public key infrastructure that could have allowed hackers to access the company’s routers, switches and security devices and eavesdrop on sensitive communications. The flaw was tied to Juniper products and platforms running Junos, the Juniper Network Operating System.
The bug (CVE-2016-1280) was reported and patched by Juniper. Juniper also posted its own information on the security vulnerability, which was found internally.
The vulnerability allowed attackers to create specially crafted self-signed certificates that can bypass certificate validation within Juniper hardware running the Junos OS. If exploited, the vulnerability could have allowed an attacker in a man-in-the-middle position on the victim’s network to read supposedly secure communications.
“When a peer device presents a self-signed certificate as its end entity certificate with its issuer name matching one of the valid CA certificates enrolled in Junos, the peer certificate validation is skipped and the peer certificate is treated as valid,” explains Juniper.
Juniper said the vulnerability only affects certificates used for protocols Internet Key Exchange (IKE) and Internet Protocol security (IPsec).
For further details, please see – https://threatpost.com/juniper-crypto-bug-lets-attackers-eavesdrop-on-router-switch-traffic