Whether it’s Sports Illustrated swimsuit model Brooks Nader or Elon Musk and his private jet, celebrities have the public’s attention which sometimes becomes obsession. And obsession can be fed through both legal and illegal tracking of such celebrities. But what happens when an unknown stalker’s threats cannot even be proven?

Just this past week, Days of Our Lives star and social media influencer, Jessica Serfaty contacted police to report an unknown device tracking her. That unknown device was apparently identified by her own iPhone as an Apple AirTag placed somewhere in her Range Rover as she drove around with her young son. However, as originally reported by TMZ, when “Sheriff’s deputies showed up and searched the vehicle, but couldn’t find the AirTag. It’s unclear if it fell off, or someone removed it.”

The distraught actress claimed to have never put any tracking device in her own vehicle so not only is she left with a mystery as to where the tracking device went, but she also does not have a real motive or possible stalker to even avoid or guard against. Could a passenger or passerby have placed the AirTag to simply steal the car at a more convenient time or place? Perhaps she has an unknown stalker trying to keep tabs on her whereabouts.

Another rumor involves an allegedly abusive fiancé that she recently posted about on social media. According to PerezHilton.com, Jessica quickly retracted her abuse allegations but this wouldn’t be the first time a victim protected their own abuser from consequences.

As a wireless cybersecurity expert, I feel like I’ve now overstayed my welcome at the Hotel California with all its glamour and scandals. However, I do feel confident in speaking to the fear that victims of stalking have to endure and the difficulty in sometimes convincing authorities and even friends of that clear and present threat. I receive calls and emails every week from people claiming to be tracked by the government, by jealous ex and by complete strangers.

The dramatic increase in wireless tracking technology and decrease in the price has allowed anyone with $20 and a free iCloud account to track anyone, anywhere in the world at their leisure. So while beautiful and famous starlets tend to make the stalking headlines, regular folks also feel the threats in a very real way. Apple has added some anti-stalking tech into their devices letting users know when an unknown tag has been tracking them for an extended period of time. The problem is that these stalking alerts rely upon physical movement and time durations in order to trigger an alert. Sometimes it can take days or even hours to reveal a hidden AirTag in your car or purse.

Because of the potential warning delays, my company has developed, BlueSleuth-Lite, a pocket-sized tool that immediately alerts users to all nearby tags including Apple’s AirTag, Samsung’s Smart Tag, Tile trackers and many other hidden trackers. Bodyguards, private security and executive protection service providers rely on immediate feedback for their high profile clients, but they’re not the only ones who have come to us for help. Anyone with something to lose including their privacy or safety has the right to protect themselves and loved ones.

Jessica Serfaty recently posted “Courage doesn’t mean you don’t get afraid. Courage means you don’t let fear stop you”. She has not issued any further statements about her stalking scare, but her somewhat cryptic message on her social media seems to indicate that she feels safe to move about freely in her life again.

The post Stalking threats still very real for TV actress appeared first on Scott Schober.

In an era where technology permeates every aspect of our lives, the travel industry stands as one of the most heavily reliant sectors. From booking tickets to navigating airports, technology has streamlined travel, making it more efficient and convenient. However, global outages due to a Microsoft system failure sparked by a CrowdStrike software update bug left millions of travelers stranded highlighting a significant downside to our overreliance upon technology.

The Fragility of Technological Systems

Modern travel depends on a web of interconnected technological systems. Airlines, airports, and travel agencies all use complex software to manage reservations, check-ins, security, and flight operations. While these systems are generally robust, they are not infallible. When they fail, the consequences can be catastrophic.

On July 17, 2023, a coordinated ransomware attack hit United Airlines, causing a system-wide failure in their reservation and check-in systems. This led to the grounding of over 2,000 flights and affected more than 1.5 million passengers over three days. Travelers found themselves stranded, unable to rebook or get timely updates. Airports became scenes of chaos, with frustrated passengers forming long lines at understaffed counters, trying to find alternative travel arrangements. At the time, United issued statements denying an attack trying to downplay  the fact that their security systems were antiquated and required updating. I told Benzinga that a series of “glitches” were too coincidental to not be coordinated attacks, especially considering the cyber vulnerabilities that most companies continue to overlook.

The Human Element

In the long term, over reliance on technology always leads to a reduction in the human workforce in any industry and the travel industry is no different. Automated kiosks and online check-ins have replaced many front-line staff. While this shift has increased efficiency, it has also left the industry vulnerable when technology fails.

During the 2023 outage, the shortage of human staff exacerbated the problem and the major outages affecting Delta this week appear to be no different. Many passengers reported that there were not enough ground personnel to handle the crisis, leading to a breakdown in communication and customer service. This incident underscores the importance of maintaining a balance between technology and human resources. Human employees can provide flexibility and problem-solving skills that automated systems cannot, especially during emergencies.

Here come the Hackers

This week, US Secretary of Transportation, Pete Buttigieg, weighed in on the massive outages. While many airlines were affected, it seemed that Delta Airlines were not only affected but entirely too slow in recuperating and continue to face massive delays even as I write.

“We need to understand how that happened, and we are investigating with an eye toward accountability over that breakdown as we have done in other cases,” Buttigieg said.

Whether there ever is true accountability for the likes of Delta or CrowdStrike, we can be certain of one thing, cyber criminals will take advantage of the uninformed customers. Angry and frustrated customers will begin receiving phishing emails and texts claiming to be from CrowdStrike, Delta or possibly some other airlines. When you have millions of angry travelers receiving fake apology emails and texts offering travel vouchers or some kind of customer credit, you are bound to get many folks clicking on those messages. Just because the CrowdStrike outage wasn’t the result of a hack, doesn’t mean that hackers won’t seize the opportunity to exploit the victims even more. I touch on this in my interview with NTD News on the many lessons and takeaways from this outage.

The Domino Effect

Technology’s interconnectedness means that a problem in one area can quickly cascade, affecting multiple systems. The CrowdStrike incident showed how a single point of failure in a routine software update could cripple an entire global network. Flights were grounded not only for the affected airlines but also for those sharing codes and using the same airport facilities.

This domino effect highlights the need for robust contingency planning. Travel companies should develop comprehensive backup strategies to ensure continuity of operations during technological failures. This could include maintaining offline systems that can be activated during emergencies and training staff to handle manual processes when necessary. It would seem that most airlines had some redundancies in place but not Delta.

Lessons for the Future

The CrowdStrike travel disruption serves as a wake-up call for the industry and travelers alike. It underscores the need for a balanced approach to technology, where innovation is tempered with resilience and security. Travel companies must invest in robust systems, cybersecurity, and human resources to ensure they can withstand and quickly recover from technological failures.

For travelers, it is essential to be prepared for unexpected disruptions. This includes keeping backup copies of important documents, maintaining flexible travel plans, and staying informed about potential risks. I always print out hardcopies of my itineraries when possible before traveling. By taking proactive measures, travelers can reduce their vulnerability to the pitfalls of overreliance on technology.

The post CrowdStuck thanks to CrowdStrike appeared first on Scott Schober.

AT&T has been hacked…again. Not to be confused with a massive data leak back in 2021, this latest breach involves the customer data of 110 million people. AT&T insists that no call or text content was compromised, only the metadata from that content. So instead of private conversations being leaked and sold all over the dark web, we might soon see phone numbers, call durations, cell site IDs and other location-related metadata go up for grabs. The lack of private content breached might come as a relief to some, but it simply serves as a reminder that our data privacy laws in the US are almost non-existent, non-regulated and have become just the cost of doing business. But can we afford it?

Speaking with News 12 NJ’s Walt Kane about AT&T’s massive data breach

An overly cynical viewpoint of this hack is that we have simply removed the middle man known as data brokers. You probably never heard of companies like CoreLogic, Epsilon, Acxiom, but you may have heard of Experian. These companies are data brokers and all make their revenue from buying access to metadata just like this from companies just like AT&T. Experian is not only selling data but also the credit freezing and protection services when your data is breached so they’re making money on both sides of the problem.

Instead of shady data brokers directly supplying your personal data to law enforcement, loan companies and even political consultants, the dark web is poised to collect metadata from 110 million AT&T customers. This breached data even includes some non-AT&T customers who were contacted or texted by AT&T customers. Once distributed across the dark web, chunks of data will be bundled and sold to hackers looking to pull out contact information to deploy phishing attacks and much more. The lines between local law enforcement collecting data on citizens and hackers collecting data on citizens can sometimes blur enough to make it difficult to tell which ones are the good guys and while proposals like FAINFSA (Fourth Amendment Is Not For Sale Act) would attempt to close the data broker loophole, we still do not have a federal mandate on our personal data.

It’s the metadata, stupid

Our most valuable data (passwords, financial account numbers, medical records, etc.) remain protected through a combination of obfuscation and encryption, but these defenses are still somewhat reliant upon the integrity our own security habits. We have some help from our devices, tech companies and even some deterrents in the form of basic legislation, but if you leave your phone unprotected with a security PIN and it is hacked, you really have no one to blame but yourself. Metadata is different from this private data. As consumers, we leave metadata breadcrumb trails everywhere we go and metadata is not protected in the same manner. For an example of the difference between our private data and our metadata, we need look no further than our own smartphone cameras. Every picture we take on our phones reveals exactly where, when and how we took that image. However, if there are people in that image or sensitive material, these are considered data and to be guarded fiercely. But the metadata that surrounds this sensitive data is generally unprotected and can be reverse engineered to fill in many blanks that the private data would’ve provided.

Metadata has been reverse engineered for years now. Redacted data can be exposed and location data can be exposedwhich can sometimes fill in even more details than the actual data especially in a court of law. For years, prosecutors and defenders have been citing cell site IDs to geolocate their clients. The data says nothing of motives or even proof in the way of innocence or guilt, but when you introduce enough circumstantial evidence into a case, it can not only create a very compelling argument for or against the burden of proof, but even defeat damning confessions and physical evidence in the minds of jurors.

Snowflake in the Cloud

AT&T might be responsible for this massive data breach but they weren’t the ones who were actually breached. Snowflake is a 3rd party cloud storage platform storing and analyzing exabytes of customer data. At some point in mid-April of 2024, Snowflake was compromised by attackers using stolen login credentials provided by an installed malware package called Infostealer. Due to a lack of MFA (Multi-Factor Authentication) enforcement in Snowflake’s security infrastructure, hackers were able to exfiltrate massive amounts of data. Snowflake has since increased reliance upon MFA but this is only due to the public and media scrutiny they have faced. The larger problem falls back into AT&T’s court. Cloud, payment and support systems are too complex for even billion dollar companies like AT&T to handle internally which is why they outsource these services to a variety of providers. These relationships are generally good for the consumer but when 3rd part vendors aren’t vetted properly or audited regularly, security is always the first casualty.

Snowflake does more than just store data. They use AI and ML to analyze tons of data for AT&T and other high profile clients. This means that not only was AT&T customer data stolen, it was also analyzed and packaged for AT&T to sell to the highest bidder. The only question is will the highest bidders contact “legitimate” data brokering services or simply go directly to the dark web to get the stolen data.

You may recall another massive breach from way back in 2013 involving Target. Fazio Mechanical was one of many vendors working with Target but they were the only ones who were infected by malware allowing entry into Target’s vendor portal. Without proper compartmentalization of this portal, Target faced root compromise of servers. It’s hard to believe that the Target hacking story was the first major breach I covered. What’s even harder to believe is that such a large breach only amounted to an $18.5 million fine. Fast forward 11 years and it appears little has changed. Let’s hope that the monetary fines are adjusted not just for inflation but also for culpability.

The post AT&T breach too big to ignore appeared first on Scott Schober.

Cybersecurity expert and BVS, Inc. CEO, Scott Schober, bags another hidden skimmer into evidence

Massive Ponzi schemes created by the likes of a Bernie Madoff or Sam Bankman Fried get all the attention. They rake in greedy or gullible investors and depending upon their positioning within the pyramid, stand to make a lot of money or lose their shirts. It’s certainly a grift predicated on betting big in order to win big. But there’s another, smaller ongoing grift that affects all of us. Some of us in small ways and some in big ways.

According to FICO, debit card skimming increased by 700+% in the first half of 2022 and 70% of fraud cases in the U.S. are tied to skimmers in CA, NY, PA, FL, and WA. Skimming is a multi-billion dollar crime and these large numbers don’t even take into account all of the collateral damage that stems from the ensuing identity theft and credit fraud down the line. Card skimming is essentially an extra card reader secretly inserted into any normal looking ATM, gas pump or vending machine. It allows the customer to make their transaction seamlessly while also stealing their card and personal data.

If you’ve ever gotten alerts from your bank detailing possible fraudulent charges, there’s a good chance that your card has been recently skimmed. And even if you’re lucky enough to not have had your accounts drained, you still face the major inconvenience of waiting for a new card to be issued to you only after a series of unnerving questions surrounding your recent purchases. Of course, you also face the distinct possibility of identity and monetary theft if you fail to freeze your credit in time. So am I just trying to scare you into a defensive posture right now or do I have a point to this lecture?

One point I would like to make is that the good guys are on the case. The public is regularly reminded to check for suspicious alterations made to gas pump and ATM card slots and keypad overlays. Skimmer alerts are regularly issued to service stations or banks that fall into an epicenter of fraudulent activity, particularly when an actual skimmer is discovered. Skimmer fraud task forces are also on the case, but is this enough? We don’t think so which is why my company has entered into the card skimmer detection game. We sold hundreds of Skim Scan skimmer detectors to retail centers, credit unions and fuel stations across the country and we’re just getting started. Unlike other anti-skimming solutions, our skimmer detectors require no hardware modifications, can be operated by anyone, and only takes a few seconds to detect a hidden skimmer without the need to open up every machine for thorough inspections.

My company is really a wireless security company at its heart, so we have also introduced BT (Bluetooth) skimmer detection products which have become a growing concern. A BT skimmer can be hidden deep inside a payment terminal. It behaves like any other card skimmer but transmits all stolen card credentials wirelessly to a nearby cyber thief. The risk of getting caught while trying to retrieve stolen data wirelessly is next to none. This quick turnaround allows thieves to steal credentials and create an army of cloned cards all in the same day. These cards are then dispersed around the area to withdraw large but controlled sums of cash from victims’ accounts so as not to arouse too much suspicion among account holders, banks or law enforcement. According to studies, the average card skimming event captures 185 cards and the average skimmed card will generate $2,000 in fraudulent charges before being detected. Some simple math tells us that a single skimmer can generate around $370,000 of stolen cash. But the thieves aren’t finished yet. They go on to sell all of those stolen card credentials on the Dark Web. They package thousands of stolen cards into bundles and sell them to an assortment of criminals and Dark Web bottom-dwellers.

But haven’t modernized chip and pin cards put an end to card skimming? Not really. Old fashioned magnetic stripe cards have always been easy to skim and clone. And most modern chip card readers in the U.S. continue to support mag stripe cards so we are left with a self-perpetuating system of fraud that exists so long as consumers aren’t incentivized to update their card technology and retailers and banks aren’t incentivized to update their card reader technology. And on top of all of that, card shimmers have emerged.

A shimmer is simply a duplicate chip reader hidden inside a card reader that can capture data stored on the microchips stored in any EMV-compliant credit or debit cards. So the old guard of pitifully secured mag stripe card readers are slowly being replaced by the new guard of advanced EMV chip cards and readers that have already been hacked by advanced shimmers. There’s not too much good news to go around except that companies like ours are working with law enforcement on a detection solution and should have something to bring to market in 2024. In the meantime, keep a watchful eye on both your surroundings and the ATM or fuel pump right in front of you next time you are getting cash or paying at the pump. It could save you a major headache and lots of money.

This blog originally appeared in The Beverly Hills Times Magazine.

The post Behind the Great Skim appeared first on Scott Schober.

Ever since the first GPS (Global Positioning Satellites) systems went live back in the early nineties, privacy experts have warned us about our diminishing rights. And while we have gained both safety and security as a result of this ability to globally track people and things, we seemed to have lost our true sense of privacy. I’ve been inventing devices that track these trackers for decades, mostly in an effort to assist law enforcement from becoming the victims of tracking themselves, and here is what I have learned.

It all began with GPS trackers back in 1994 when fully operational GPS systems began to emerge. Tracking valuable things on the move usually manifested itself as fleet vehicles containing hidden GPS trackers. This gave fleet managers both a way to keep an eye on potentially stolen vehicles and their own drivers at the same time. Before smartphones hit the mainstream in the mid to late 2000s, GPS trackers were expensive, bulky, and mostly relied upon users to install and fetch GPS trackers in order to see where it had been.

Smartphones emerged with their own GPS and cellular broadband connectivity, allowing users to track their hidden GPS trackers in real time. When the GPS tracker sensed movement, it would ping out to the nearest cell tower and update its whereabouts. Users could log into their account any time to see real-time positioning of their tracker. After a few days or weeks, the tracker would start to run low on power and have to be retrieved for a recharge. Suspicious spouses, insecure bosses, and a variety of criminal elements began to use GPS trackers for all kinds of surreptitious purposes.

The legality of tracking someone or something without their consent began to splinter in the U.S., with many states allowing some degree of electronic tracking without consent. By this point, smartphones had become cheap enough to be used as tracking devices by themselves. An inexpensive phone could be purchased and left in someone’s bag or car for several days while an app communicates with the user’s account to notify them whenever the phone is on the move. The majority of phone users simply go about their day with GPS, Wi-Fi, Bluetooth, and cellular data switched on all day. These radios are being tracked and tagged by marketers, telecom companies, and individuals in an effort to resell that data to parties willing to pay. According to a study by the Ponemon Institute, $14,000 is the average value of the personal data contained on a mobile device.

My company began developing tools to track all kinds of cellular signals legally. We never relied on metadata or any kind of saved user data. We didn’t even communicate with the devices. We simply looked at the signal strength of all nearby phones and created alert systems to trigger when these signals got too strong or too close to secure areas. Sometimes our cell phone detectors were used to catch bad guys trying to wirelessly hack into a network, but many times, we are our own worst enemies, so the business of detecting and alerting to a common cell phone left in one’s pocket by accident during a confidential meeting has remained a lucrative one. GPS trackers utilize the same broadband cellular networks, so while it can be tricky to detect these subtle, infrequent pulses from a tracker hidden in a vehicle, we managed to modify our cell phone detectors to do just that.

There is still no federal-wide data privacy laws, but lawmakers on both sides of the aisle have introduced a bill banning law enforcement and intelligence agencies from easily purchasing personal data use that includes location tracking, social media activity, and search history records. In the meantime, both law enforcement and criminals have not sat idly by, waiting for lawmakers to catch up. Everyone has moved onto the latest inexpensive tracker that can be hidden anywhere and track someone for up to a year.

Ever since Apple’s AirTags were introduced, users have been finding new ways to protect their belongings while sometimes simultaneously violating the privacy of others. Tiny BLE (Bluetooth Low Energy) tags are being placed in people’s vehicles, pockets, bags, and other items on the move all the time. Mostly, these are harmless trackers, but an increase in stalking, theft and even murder has resulted over the past few years, and where tech companies have failed to respond, victims are looking for ways to fight back.

My company developed a BLE tag detector that can sit in your pocket all day that will immediately alert you when any hidden BLE tag is nearby. Apple has built some smarts into their AirTag and its vast Find My network of devices, but these alerts do not always arrive quick enough to help someone before a stalking escalates into a confrontation or worse.

By detecting a special sequence of packets, our detectors identify hidden tags and even help users to find them using signal strength coupled with a bit of direction finding. This might not be necessary if you’re digging through your own pockets to discover a hidden tag, but one can spend large amounts of time searching the inside and outside of a large automobile every day and still fail to find that tiny AirTag hidden under a passenger seat. This is where our product solutions can really shine for professionals tasked with providing security for events and executive protection of important individuals.

GPS trackers and BLE tags rely on cellular networks and millions of devices around the world that serve as a giant mesh network. So one would assume that our privacy and security remain intact in areas where wireless activity is virtually non-existent. After all, 75% of the earth is ocean where most cellular signals cannot reach. Throw in wilderness and desert and you have huge, uninhabited areas where vehicles and people simply cannot be tracked, right? Not so fast.

Thousands of satellites canvas the earth’s upper and lower atmospheres. The same technology that allows a SpaceX Starlink device to communicate with someone from the middle of the Atlantic Ocean also allows others to know exactly where that tracking device is located. This might not seem like such a threat until we consider a more dangerous target to track. The U.S. Navy relies upon the vastness of the world’s oceans to keep their missions and destinations a secret from state enemies. But what happens when these ships can be tracked all over the world by enemies of the U.S. Navy?

In fact, these enemies could use the United States’ own satellite technology against them. Satellite trackers do not rely upon conventional cellular bands to transmit their whereabouts. They communicate directly with satellites that orbit the Earth. It’s not difficult to imagine a state enemy hiding a satellite tracker somewhere aboard a giant U.S. naval ship or even a small enemy drone dropping a payload containing an active satellite tracker. We have already been approached by concerned security experts on just this matter. My engineers and I are confident that we can not only detect nearby satellite trackers but also determine their location through some advanced triangulation.

Advanced wireless technology will always allow for tiny, tracking devices that can easily violate our privacy and security. However, the flipside to this is that this same technology also allows all kinds of wireless trackers to be detectable and locatable. Technology has a way of blurring the lines between good and bad intentions, so one of my jobs is to ensure our products help the good guys more than they could ever possibly help the bad guys.

This blog originally appeared on SecureWorld

The post Tracking the Trackers… for Better or Worse appeared first on Scott Schober.

There are roughly 250,000 CEOs in the United States. That doesn’t include CISOs, CFOs, VPs and of course, an array of other very important and wealthy people. That’s a lot of attack surfaces as we say in the cybersecurity biz. You might think you know why a cybersecurity expert like myself would even be writing about the protection of wealthy business people, influential politicians and famous celebrities, but you’d probably be wrong.

In the world of executive protection, car chases, fist fights and guns blazing are only a last ditch effort and should never be considered unless there are no safer alternatives. Protecting the privacy and safety of any high-powered individual is all about avoiding unsecured situations and people. It’s about prevention. Before we discuss any solutions, we need to first define the problem.

Headlines would have us all believe that criminals are content with hacking the accounts of famous people in order to steal a few compromising photos and hold them for ransom. There’s no denying that Jlaw’s nude photos would’ve been easy money for criminals that hacked her iCloud account back in 2014 had they not been caught. But there are lesser known criminal schemes that can pay off by orders of magnitude more because they also involve a breach in the physical privacy and safety of highly sought after targets.

Famous people stay famous by engaging with their public and fans. This means more than just accruing as many Insta followers as they can. It also means public appearances, late night parties and press junkets physically spread all over town and beyond. The same goes for prominent dignitaries, powerful executives and sports stars. Only their trusted inner circle of bodyguards, representatives and assistants know where they are headed at any given moment, but they might not be the only ones.

Up until recently, physical stalkers had two choices: follow an important individual around all day to determine their regular routines or slip a GPS tracker onto their vehicle and follow their car digitally. The former involves a lot of time and there is always the possibility of being made (industry term meaning caught following someone). The criminal drawbacks of a GPS tracker involve a traceable user account and a typical battery life of only a few days. But tiny trackers have recently emerged that give new life to creepy and dangerous stalking. Devices such as Apple’s AirTags and Tile’s Trackers are small enough to slip into anyone’s pocket, bag, or outside of their vehicle. Moreover, such devices can track the whereabouts of anyone in the world in real time for a full year due to their highly efficient BLE (Bluetooth Low Energy) technology and one year battery life.

In 2022, famous Sports Illustrated swimsuit model, Brooks Nader, was tracked by someone while walking home from a local bar. She never learned the identity of her stalker but they were watching and following her thanks to the AirTag they slipped into her purse earlier that evening.

If one is inclined to stalk, all one would have to do is briefly gain access to the target’s clothes, bag, vehicle or any personal item in order to quickly place the lightweight (about 4 ounces) tag. Once the tracker is planted, non-stop surveillance can begin. By now you may be thinking that tech giants like Apple and Google have already solved this problem, but they haven’t. AirTags do not notify iPhone users that they are being tracked by a hidden tag until anywhere between 3 hours and 3 days. A lot can happen to our personal safety in the span of a few hours. And that little chime that plays when the tag has been away from its owner and on the move for a while can be easily disabled. Modified, mute tags are being sold on Ebay, Etsy and of course, the Dark Web.

It seems like the deck is stacked against people who deem their privacy a prerequisite but not so fast. My company has been detecting hidden GPS trackers for years so the detection of an AirTag is only a natural extension of this technology. After a successful Kickstarter campaign, we have begun selling BlueSleuth-Lite at www.bvsystems.com and on Amazon. This $499 little wonder will detect all BLE tags (AirTag, Tile, Galaxy SmartTag, etc.) and notify the user immediately all from their pocket. The device doesn’t rely on consumer smart phones or apps. Rather, it uses a sophisticated receiver and custom antenna to not only detect any nearby BLE tag but also identify the manufacturer and even assist the user in locating the hidden tag. Many of our customers are law enforcement agents, private investigators, bodyguards and executive protection teams, but some are just regular folks who have been stalked by jealous ex-boyfriends or spouses and want to maintain their safety and privacy.

No device or security expert can guarantee the safety of any one individual, especially if their movements are being tracked by a criminal or a stalker, but there are some precautions that can even benefit those of us that can afford a full time security staff.

• Stop all contact and communication with a stalker if safe to do so
• Keep evidence of stalking (voicemails, texts, emails, etc.,) as evidence
• If someone is following you, it is generally not a good idea to go home
• Have a safe place in mind to go in the event of an emergency (police station,
  place of worship, public area, the home of a friend unknown to the stalker)
• Try not to travel alone. If you run or walk for exercise, get an exercise buddy
• Always try to vary your daily routes to school, work, home, etc.
• Be aware of tracking devices on your car or person especially if you
  vary your routes but the stalker still seems to find you
• Be aware of personal information you post online

The post Executive Protection has a new weapon in its arsenal appeared first on Scott Schober.

There are many facets surrounding the arrest of 21 year old Air National Guardsman, Jack Tiexeira, that would suggest run-of-the-mill hacking, but that would be misguided. So what went wrong in the chain of security that led to such a massive breach by such an inexperienced and alleged traitor to the intelligence community?

We’ve seen it before. Hackers score a big data deposit and then go on to brag about it to their colleagues, the hacker community and even across social media. Like young hip hop stars boasting about their conquests and money, it’s become almost cliche for young hackers to behave similarly – only, these boasts can go on to wreak havoc upon billion dollar companies or even the most powerful intelligence communities in the world.

By all appearances, Jack Tiexeira is not a hacker motivated by monetary gains and is unaffiliated with any known groups. His small gaming chat group on Discord, Thug Shaker Central, never appeared to benefit in any substantial way from his leaks except to boost their importance in their own minds. They boasted front row seats to highly confidential U.S. Intelligence reports, plans and projections pertaining to the war in Ukraine. And this data didn’t appear long after the body counts and battlefields were already reported. According to latest reports from the New York Times, classified data leaks began appearing in Discord as early as February of 2022. Sensitive data involving Ukrainian troop deployments and potential Russian targets were made visible all in an effort for this 21 year old IT technician to prove his worthiness to his chat group friends. So how did such a seemingly minor player in the game of global intelligence get access to such treasured information?

Jack Tiexeira held the title of cyber transport systems specialist at the Air National Guard airforce base in Massachusetts. He did not hold security clearance for the data that was allegedly leaked but as an IT tech, he did have indirect access to all kinds of classified information. Just like when we take our PC laptops in for repair, we provide the technician with a password so that they can freely move about our system without having to constantly ask us to enter in the password while they look in the other direction, IT specialists have clearances that allow them to access, networks, devices and even SCIFs (Sensitive Compartmented Information Facility).

SCIFs are physical spaces designed primarily for the communication of highly classified information. This communication often comes in the form of simple briefings from one individual to others, all with high level security clearances. Sometimes powerpoint-like projections are used, sometimes secured landlines are used and sometimes just oral reports are used to convey top secret details, but all of these methods are confined within the SCIF. SCIFs typically contain safeguards to detect devices entering into its confines as well as wireless transmissions that could be communicating to other sources outside the walls of the SCIF.

A security detail is posted to physically search for obvious contraband such as cell phones, cameras and tablets but also less invasive items such as smartwatches, wireless earbuds and MP3 players. This is because any device containing a wireless Bluetooth or Wi-Fi chip can be configured to record or transmit private communications with or without the user’s knowledge. In addition, malware can be planted and spread into nearby networks and devices so it is paramount for security to detect and intercept such electronic devices.

According to latest NYT reports, “At times, he appeared to be posting from the military base where he was stationed. In one conversation, he said he was about to enter an area where people with security clearance can access classified computer networks, known as a SCIF…” and at one point he writes, “The job I have lets me get privilege’s above most intel guys,”

The ability for one individual with limited security clearance to laterally move within a classified network is concerning to say the least. However, President Biden and his administration don’t seem too concerned about the leaks. In my recent interview with NY Post reporter Caitlin Doornbos, I expound on that notion further.

“Just the fact that US classified information was leaked could potentially lessen the flow of future classified intelligence sharing for fear of being leaked,” he said. “Downplaying the seriousness might be a smart political move in the short term but it sends the wrong message to US allies that will reverberate far beyond this current administration.”

As the CEO of a wireless security company and a cybersecurity expert, this story pushes all of my buttons. In my books and live presentations, I always stress layers of security or compartmentalization as the best method to keep hackers at bay. It’s the reason I also commissioned the development of several wireless products designed to improve detection and security audits performed regularly on SCIFs. Our products are currently in use by every Department of Defense agency, but what good are they if insider threats (even those who do not appear to be sophisticated hackers) are given the keys to the kingdom? When an individual is granted broad access to confidential data, it’s like using a cheat code in a video game. Everyone (except for one player) is at an enormous disadvantage and the entire system is at risk.

Safeguards that were not in place need to be and exploits like these, no matter how juvenile their motivations appear to be, need to be taken seriously. Unfortunately, that usually requires someone be made an example of. In this case, the perpetrator appeared to have been working alone so I expect to see substantial incarceration for this young man.

The post The importance of compartmentalization in security appeared first on Scott Schober.

As an average sized male, I have come to realize that I take many things for granted. After speaking to my wife and daughter, it has become alarmingly clear that my personal safety is clearly one of those things. I don’t worry about walking alone at night and I don’t have to have my keys, flashlight and pepper spray handy as I approach my door. As a wireless tech expert, inventor and CEO of my own wireless security company, I am painfully aware of the problems associated with a new breed of low-cost, personal trackers being used to track more than just personal belongings. People are being increasingly stalked, robbed and assaulted thanks in part to technology we all use.

It’s no secret that tech companies like Google and Facebook track our every move. It’s just a part of consumerism in modern digital life so it’s consensual – consumers give up a degree of personal privacy in exchange for services that connect us all. These services are mostly bankrolled by advertisers and retailers looking to find new customers. But what happens when individual users are able to do the tracking instead of advertisers?

Stalking goes way back so you would think that by now, people would have a clear understanding of the patterns, perpetrators and causes behind it all but that doesn’t seem to be the case. National Stalking Awareness Month has been publicly observed since 2004, but some of the statistics they publish continue to be stark reminders that not only is this problem not going away, this problem is growing due to advances in wireless technology.

I met with my engineers and we came up with a product solution that addressed the problem but at 1/12th the price of our best-selling professional solution. After a few moments of worrying about cannibalizing our own profits, we decided to take the leap and go for it. But we weren’t just breaking with our own business model by offering the cheapest product we’ve ever made to a market that we’ve never even served before. We also decided to crowdfund some of our R&D using Kickstarter. Sure we’ve designed many products based upon customer feedback over the years, but we’ve never taken their money until the finished product shipped. Kickstarter was an entirely new paradigm for an old school business like mine. I might run a wireless tech company but it’s a 50 year  old one!

Prototype features some digital manipulation but this is essentially the final product

BlueSleuth-Lite was first conceived only a few months ago but we’ve been detecting bluetooth and BLE (Bluetooth Low Energy) devices now for years using our BlueSleuth and BlueSleuth-Pro products. The device had to be small enough to fit comfortably into a pocket but also operate in that pocket all day without losing power. In order to keep the price down, we used LCD displays, components and interface buttons we had used in previous products. However, we did design our first wireless charging system integrated directly into BlueSleuth-Lite to give it that consumer experience one might expect. Once we perfected the algorithms and features, BlueSleuth-Lite was ready for the world of Kickstarter.

As I write, our Kickstarter campaign is roughly half way through and we are also half way to our funding goal. With Kickstarter, it’s all or nothing so it’s too close to call right now. Regardless of the outcome, my mission remains the same; protect people’s privacy and security through wireless solutions. Based upon estimates that wireless devices will grow to 3x the world population sometime this year, I’d say I have my work cut out for me.

Please check out the BlueSleuth-Lite Kickstarter here and watch the video for more details on how stalking is made easier through ubiquitous technology we all use.

The post Stalking has never been easier so let’s change that appeared first on Scott Schober.

Three years ago, former President Trump tweeted this image along with a denial of the U.S.’ involvement with a launch accident involving Iran’s Safir SLV rocket. Now, this image has been officially declassified so why are Pentagon and intelligence officials so disturbed?

Trump’s controversial handling of classified documents is nothing new. When his Mar-a-Lago home was raided back in August, piles of classified and declassified papers were discovered. Trump offered several explanations (some of them contradictory) for the appearance of these documents in his personal office and home. That investigation is ongoing but this tweet in question is over 3 years old so why is the intelligence community speaking out now? While political motivations are likely behind many of these concerns, there are also legitimate concerns over the handling of sensitive information by anyone, even the most powerful person in government.

Looking at Trump’s own tweet (see image below), it becomes clear that he (or someone using his phone) simply snapped a pic during a classified debriefing. The glare in the center of the photo (I’ve added red circle and arrow) and shadow are a dead giveaway that this image was either re-photographed or projected against a wall as indicated by the glare from an overhead light or reflected light from a projector. Once the image ended up in the President’s phone’s camera roll, it was a simple matter of inserting it into a tweet for the world to see.

Classified photo was clearly re-photographed and posted on Twitter

We’ve had years of media speculation as to why Trump flouted security protocol the way he did so I don’t want to revisit those arguments, but as a cybersecurity expert and CEO of a wireless security company that deals with Dept. of Defense agencies and customers everyday, I want to touch upon a few basic security tenets.

According to Business Insider, Trump asked to keep a copy of this photo he first saw during a daily intelligence briefing. An hour later, the photo and his tweet went out to his 60 million Twitter followers. Trump claimed to do nothing wrong at the time but I’m more interested in how we even got to this point.

Classified data and briefings are generally communicated through SCIFs (Sensitive Compartmentalized Information Facility) within secure facilities. SCIFs (learn all about SCIFs here) are generally small enclosures sealed off and air-gapped from all electronic communications. All wireless communications inside and around the SCIF are monitored for any transmissions and the entire SCIF is swept for bugs and any rogue PEDs (Personal Electronic Devices) prior to any debriefing. Finally, everyone entering the SCIF is searched and asked to relinquish any PEDs on their person. This includes the President of the United States of America.

These layers of security and protocol have been followed by the intelligence community for decades for good reason. Bringing an unsecured consumer smartphone into a classified meeting puts everyone in danger. Wi-Fi, Bluetooth, BLE, 5G and any wireless communication standard – none are truly secure. We know this because we have manufactured and sold tens of thousands of wireless security tools to law enforcement, government agencies and private companies over the past decade. Through malware, hackers have repeatedly demonstrated the ability to hijack phones and steal data without their owner’s knowledge. Once they acquire that data, hackers have all the power by selling state secrets to enemies or by making demands through ransomware already installed on the insecure devices.

Security portals stop all personal electronic devices (powered on or off) at the door and handheld receivers sweep secure facilities for hidden bugs and nearby active rogue devices but these tools are only as good as their operators and security protocols in place. All security personnel must follow best practices in detection, location and seizure of all personal electronic devices in order to avoid leaks, hacks and theft of classified information. These rules apply to everyone in an organization, even the President.

The post This is why nobody is allowed a cell phone in classified debriefings appeared first on Scott Schober.

Trust can be a hard thing to come by in this world but in the world of cybersecurity, trust is virtually non-existent, or at least it should be. VPNs got us all from crawling to walking in the early days of the internet, but security needs have outpaced VPNs’ abilities to deliver true security and privacy for users and organizations so we now look to more advanced solutions to keep us cybersafe.

Back in 1996, a Microsoft, Ascend and 3Com developed the peer-to-peer tunneling protocol or PPTP. PPTP was created in order to ensure a more secure and private connection between the user and the internet. As the internet rapidly expanded, so did viruses, malware and a plethora of attacks targeting end users and even their networks. It became clear that not only a more secure method of connection was in order but also a more convenient one too. In the early 2000s, internet users were becoming increasingly on-the-go and required the ability to connect remotely to a private network over a public connection.

This called for a standard that not only maintained privacy through encryption but also prevented malware all while affording users the ability to connect to their sensitive data from anywhere in the world. VPNs or Virtual Private Networks were born out of necessity for businesses to keep their data safe while employees accessed these private networks.

Unlike the original PPTP protocol, VPN allows many users and devices simultaneous access to private networks across a very public internet. This is accomplished using a three-layered approach involving tunneling, authentication and encryption. This was sufficient for its time, but the internet has exploded in use since the early 2000s and not just by business users.

Billions of internet users including consumers, journalists and gamers regularly connect using VPNs but the same convenience that allows them to connect from anywhere using any device also carries risks that stem from traffic that VPNs were never designed to handle. The rise of cloud computing among all internet users has revealed cracks in the surface of these networks that VPNs worked so hard to conceal and remediate.

Many free VPNs collect vast amounts data on their users that they then turn around and sell to advertisers. And while encrypted VPN data cannot be read by your internet service provider, they can determine that you are using a VPN and even the nature of the encrypted data since it all passes through their pipes. This can become an issue for users who are bound by agreements restricting internet use outside their own country for something as harmless as streaming a show on Netflix to something as serious as reporting human rights violations from within China.

The final nail in the coffin of VPN came in early 2020. The COVID-19 pandemic changed so many things about our daily lives especially remote working. Seemingly overnight, the remote workforce went from roughly 6% to over one-third of workers. Flexible remote work opportunities exploded during the pandemic so much so that many bosses and companies have resigned to the fact that many of these workers will never be stepping foot into their employers’ offices again. Many other companies have adopted hybrid-remote policies in an attempt to keep an eye on employees while also affording them work-from-home independence. Unfortunately, all of these approaches collectively expand an ever-increasing attack surface that VPNs were not designed to handle.

Zero Trust Network Access or ZTNA isn’t a new concept, but security providers have been quick to adopt it due to urgent needs both during and post-pandemic. The essential difference between ZTNA solutions and VPNs is that ZTNA models utilize a “never trust, always verify” approach to each user before granting access. If we liken users and data to a two-way spigot extending off a giant network barrel, ZTNA offers unlimited spigots (one for each user) while VPN offers just one giant spigot for everyone. Zero Trust, as implied by the name, not only requires robust authentication but also segments users with granular access to specific apps. This limits their exposure to the network and minimizes risks to all users and networks.  ZTNA is implemented with the security designed around users so when employees are connected both your network and your employees are protected.

And since ZTNA is a cloud-based solution, it scales globally all while implementing posture checks before connecting devices, privatizing user access with multi-factor authentication and allows user and network management all from a single platform. Due to the physicality of VPN firewalls, similar scalability is more expensive, more time consuming and decidedly less secure.

ZTNA providers allow any organization a flexible, 360-degree view of all access and security. See all the benefits of ZTNA vs On-Premises Firewall VPN for the Remote Workspace so you can keep your organization cybersafe.

This blog was sponsored by Perimeter 81

The post Death of the VPN: A Security Eulogy appeared first on Scott Schober.