Humans are inherently social creatures who have developed a world strongly based on interacting with others. Just like the world of information technology, the human social protocols are a complex series of rules and guidelines for how people behave when interacting with each other, and just like any other system, there are methods to use and abuse it once you understand the rules that govern it. Social engineering is a broad subject, but in this article we will focus mostly on social engineering as it is used to gain access to social groups and sensitive information.
Social Engineer is one of the few blogs dedicated to the topic.
Social engineering is using the common tendencies of how people interact with others in order to gain information or a benefit of some kind. Effectively, social engineering can be referred to as the hacking of people. Before the Internet age, social engineering would more likely be referred to as conning, but the scope of social engineering’s applications goes beyond tricking people out of money. It is about causing people to act according to your wishes. Getting someone to say yes to a date is social engineering. So is getting your company a contract from a tough client. In regards to information security, social engineering is getting people to give up protected information.
A social engineering definition can be found here.
Even companies that place a high focus on securing their information networks can prove extremely vulnerable to social engineering attacks. DefCon, one of the largest hacking conferences in the world, routinely features a social engineering competition that has demonstrated over and over again that simple tactics can be used to get enough information to potentially do harm to a company. Position in the company also seems to have almost no effect on how susceptible a person is to social engineering; a big wig is just as likely to give up information as a cashier, but the big wig also usually has access to more pertinent info.
Social engineering is gaining attention for its insidious effectiveness, and is starting to get recognized in the media and the corporate world. Check out these news articles for an idea of how it is being perceived:
Smooth-Talking Hackers Test Hi-Tech Titan’s Skills – A look at DefCon hacking competitions, utilizing social engineering within legal boundaries to ferret out intelligence designed to weaken a company’s security.
Social engineering to blame in Syrian Electronic Army hijack of the Onion – The targets of these sorts of attacks aren’t always the ones you might expect, the Onion was a recent victim of a phishing scheme.
Facebook Social Engineering Attack Strikes NATO – Often, the targets are important, such as this attack against NATO. Every organization contains a human element, the target of savvy social engineers.
How a lying ‘social engineer’ hacked Wal-Mart – Many people are naturally biased to trust based on a set of subtle criteria; a tone of voice, a style of dress, even word choices can lead people to give credence to otherwise nonsensical ideas or situations, like this Wal-Mart store manager being duped into giving away company data in exchange for a non-existent contract possibility.
These are common guidelines and methods used by social engineers before and during any assignment on which they are working. These focus more on the preparation and mindset of the social engineer than the actual attack methods that are used.
Take a look at this seminar on social engineering strategies.
Information is everywhere. If there is a topic you want to know about, you usually only need to glance at the Internet. Reading the news and press releases from a company can give you a firm background history from which to work. A social media site may give you insights into the temperament of a person or give you an idea of the social scene in which they operate. If you are trying to infiltrate a group or become closer to a person with any notable focus, then the Internet can be used to familiarize yourself with the topic.
Hackers may go above and beyond in this regard. If they manage to gain access to someone’s email account or messaging service, there may be records of conversations that can be used to mimic the person in electronic communications or learn about key topics that anyone on the inside should know about.
Imagine for a moment that you are watching a movie set in modern times and focused on the happenings in a government or business office. If there was someone dressed in jeans and a hoodie in the middle of a meeting of executives or elected officials, you would likely immediately feel the character was out of place or at least question why they were there. The same holds true whenever you want to interface with another social group, whether it is a company or a club.
Also worth noting is that looking professional – wearing a nicely tailored and well-kept business suit – can generate an obscene level of trust in your social interactions. The suit conveys a lot of subtle messages: this person is a successful member of society, they likely have money, and you can trust them a bit more than the average person. You may not gain complete trust and unlimited access, but the difference between the trust levels shown to someone in a suit and someone in casual clothing is palpable.
This article gives you a glimpse into the advancement of research into the integration of robotics and emotions.
If computers are getting to the point that they can recognize and react to the emotional displays of people, then there is no reason that a person should not be able to better do the same task. Taking the time to read on facial expression theory and other psychological articles can help point you in the right direction, but the only way to really learn is to go out and talk with people. Doing this with new people consistently will also give you practice on learning how to pick up the subtleties in a new person’s expression and tone.
Just having an idea of how to work a plan does not mean you should ignore contingency plans. Even if a failure in one portion of a plan only leaves breaking off the attempt, you should be prepared for the possibility and have a clear idea of how you will break it off. This is not going to eliminate having to think on your feet, but having a guideline for your actions can mean the difference between a smooth response and something haphazard that sends the wrong signal.
Unlike the world of open conflict, more numbers on the side of the target can be a firm advantage. Working your way into a small firm can be a dogged task, but it can be easy to turn into “just another suit” at larger offices. It is almost always easier to work your way into social situations when the target has a larger number of people involved.
If you were to take movies and shows as fact, you would think social engineers waltz into a business with a suit and savvy and somehow manage to make their way into the confidence of the boss or gain access to sensitive areas within a few minutes. A real social engineering effort may take weeks or months to accomplish properly.
A number of techniques have become common practice for social engineers. The list here is not exhaustive, and the variations on these techniques make covering them all a task better suited for a textbook.
This rainbow of techniques typically refers to scenarios where the attacker poses, over electronic communications, as a person or service the target already knows. One of the most common phishing emails mimics the company’s style and email address while telling the target that their account has been locked out due to potentially malicious activity. A link is supplied to the target to reset their password. The site looks like the company’s down to the smallest detail, but the reset form instead sends the target’s old and new passwords to the phisher.
The delineation between the terms is based on the attack vector. Phishing is done through the computer, vishing is done through the phone, and SMiShing is done through text messaging.
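The “account locked, reset your password” email described above has tells that can be checked mechanically on the receiving side. The following is an added example, not code from the original article: it pulls every link out of an HTML email and flags the ones whose real destination is outside the company’s domain, whose visible URL text differs from the actual href, or which are not HTTPS. The company domain `example-bank.com` and the sample email are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains this company legitimately sends reset links from.
COMPANY_DOMAINS = {"example-bank.com"}

# Constructed sample of the "account locked" email described above.
# The first link's host merely begins with the company name; the second is genuine.
SAMPLE_EMAIL = """
<p>Your account has been locked due to suspicious activity. Reset your password now:</p>
<a href="http://example-bank.com.account-verify.net/reset">https://example-bank.com/reset</a>
<p>Questions? Visit our <a href="https://www.example-bank.com/help">help center</a>.</p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._text is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._text is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href, self._text = None, None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_company_host(host):
    # Exact match or a true subdomain; "example-bank.com.evil.net" must NOT pass.
    return any(host == d or host.endswith("." + d) for d in COMPANY_DOMAINS)


def suspicious_links(html):
    """Return the links in an email that show the classic phishing tells."""
    findings = []
    for href, text in extract_links(html):
        host = _host(href)
        reasons = []
        if not _is_company_host(host):
            reasons.append("target host is outside the company domain")
        if text.lower().startswith("http") and _host(text) != host:
            reasons.append("visible URL differs from the real target")
        if urlparse(href).scheme != "https":
            reasons.append("link is not HTTPS")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The subdomain check is the part that matters most: a host like `example-bank.com.account-verify.net` starts with the company name, which is exactly what the eye reads, but it does not end with `.example-bank.com`, so the check rejects it.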
Pretexting is the art of constructing a scenario in which the target is more inclined to go along with the wishes of the attacker. The most common example of this in action might be taken from the ways people try to convince traffic cops to not give them tickets: “My friend is in the hospital”, “My wife is delivering our baby”, or “I’m on my way to stop the love of my life from getting on a plane and never coming back.” In the movie Live Free or Die Hard, a character uses the pretext of his grandfather in the hospital to get an OnStar agent to activate a car he wants to steal.
There is always a host of information about any company that is not considered protected, but social engineers can piece these bits together to create the façade that they are a member of the company or an associate. For example, instead of just sending an email to the tech support desk for a password reset, a social engineer might send it directly to one of the IT staff members with a message stating that a big name at the company urgently wants a vital report that is on that computer, so the password needs to be reset immediately.
When dealing with a pretty face, a person can become distracted and lose focus on the things that matter. Not every social engineer will be a model, but you can expect the ones that have been favored with good looks and charm to use the advantage.
Most people simply have no idea what is going on with their computers beyond interfacing with the applications they use to work. Computers also have an unfortunate tendency to break down due to misuse or just over time. In larger companies, it may not be uncommon for the IT department to be behind on fixing all the computer issues that are active. By masquerading as tech support, savvy social engineers can troubleshoot for the employee while also placing themselves in a trusted position to ask for personal information like passwords.
Coming up to a person directly and asking them about secure, private topics may immediately trigger warning signals. If the social engineer instead approaches a person via a secondary topic and befriends them, then later probing for the information has a higher chance of success due to the longer time for which trust has developed. As an example, if the target is an avid golfer, then a social engineer might find a way to arrange for them to end up playing together. This would let the engineer strike up a conversation naturally due to the common event.
It is nigh on impossible to stamp out the threat that social engineering represents even when utilizing proper security methods at a business or simply trying to avoid falling victim to it yourself. Much of the research and the supported methods for handling the threat of social engineering are to educate people on the dangers of it, develop security policies based on what needs to be protected, install Data Leak Prevention (DLP) software, and do penetration testing to get a real idea of the level of security in place.
Both in your personal life and in the business world, sensitive information should be treated with respect and controlled properly. That does not mean you have to give someone trouble every time they ask for personal information, but taking the time to double check that the person is who they say they are lets you hand over sensitive information with a high degree of confidence.
To use an analogy, the human minds that reside within a social group can be thought of as computers on that social network. Where you would patch a computer, you would educate a mind. The ways in which you can be educated are numerous: you could have an article on social engineering (like this one) made mandatory reading, make social engineering news part of your company newsletter, or hold a class every couple of months. At the very least, people should be aware of the information policy on which you decide. The patch may not take on every person, but you should at least try.
An up and coming type of software is joining the ranks of applications like antivirus and firewalls on the list of things any network trying to be secure should have: Data Leak Prevention (DLP) tools. The software can monitor data in storage, in use, or going over the network, and it can perform tasks like preventing the data from sending or triggering an alert if something is sent. This is limited to just helping to prevent social engineering mishaps on computer networks, but social engineers are likely to use a combination of methods to try and gain access to the most valuable information.
Just like your hardware and software, your people can benefit from penetration testing in order to ascertain their awareness of social engineering as a threat and the information security policies that protect from it. This usually requires the aid of an outside entity to get a proper simulation of an attack from someone currently outside the company.
Social Engineering Fundamentals: Part II: Combat Strategies – An article on preventative measures against social engineering from Symantec, a notable information security software company.
You may not want to con someone out of their account passwords or savings fund, but that does not mean that the methods of social engineering cannot find their place in your life. They can even be used effectively for altruistic purposes. For example, knowing a little about social engineering can make it easier to make new friends.
Social engineering as a way to gain access to secure information is a threat of which everyone should be aware. Like almost any form of science or technology, it can be used for good and for evil. Taking the time to learn social engineering methods is the best way to use them to your benefit and know how to defend against them. Unless you move to a deserted island with no technology, you are going to be subject to the designs of social engineering, so you may as well stay informed on the subject.
The Internet provides endless convenience. You can find pretty much anything you could need with just a few clicks of a button. Whether it is a pair of shoes, groceries, furniture, a personal assistant, a copy of episode 67 of the 1980s hit show Three’s Company, a job, a nanny, a date — you name it, it’s all there. It’s so simple to find what you need that many people go to the Internet before going anywhere else. And where do they do their research before making a big purchase or hiring decision? The Internet.
According to a December 2012 Pew study, 81% of American adults use the Internet, and of those in 2010 and 2011:
Prior to the World Wide Web, when someone needed a product or service, they likely turned to friends, family, and colleagues for referrals. This way, there was a direct human connection to that person, increasing trustworthiness. But today, none of us really know who’s on the other side of that computer screen. It’s easier to lie when you’re not looking someone in the face. It’s even easier for a criminal to lie.
There are a ton of horror stories out there about hiring nannies and employees, answering Craigslist ads, and online dating. Although they are frightening, when you think about it, these horror stories make up a very small percentage of the transactions that occur on the Internet every single day. We don’t ask that you quit taking advantage of the convenience offered by today’s technology; we just ask that you be careful and consider doing a little research about a persona or seller before risking your life and wallet.
8 Potentially Life-Threatening Situations in Everyday Life – An infographic by the team at BackgroundChecks.org
A great number of excellent PI and related blogs have fallen in the last few years, but there are still quite a few worth perusing. They are pretty evenly divided between a focus on other PIs and on educating potential clientele. Most of the quality PI blogs come from professional investigative firms, but some are from individual PIs. This list also includes interesting criminal justice blogs from the perspective of police investigators, as well as detective and murder mystery oriented writing blogs, as they often pull heavily from real investigations and often contain interesting or useful information.
Information theft and the damage it can cause to consumers and businesses have been featured extensively in the news for most of the past decade as we move to an almost entirely online way of doing business. The usage of the Internet for business has changed the landscape of the commercial world for the better, but it does provide an avenue of attack that allows malicious entities to acquire sensitive data without ever stepping foot inside an office. For this reason, the PCI DSS was created.
Chances are high that, as a modern business owner, you at least have a passing knowledge of the need for PCI compliance. For those less technologically savvy or who do not have the time to read through extensive regulations, this need can seem like an unnecessary burden, both to your budget and your time. To help you at least become more familiar with the PCI DSS, this guide will give a high level overview of the purpose and requirements of the regulations and provide advice and resources for becoming PCI compliant.
PCI stands for “Payment Card Information,” and the appended DSS often seen accompanying it stands for “Data Security Standards.” The PCI DSS was created by the PCI Security Standards Council, which consists of the five largest credit card companies: MasterCard, Visa, JCB, American Express, and Discover. Its intent was to establish a system for protecting payment card data which can be used for malicious purposes easily once it is in the hands of unauthorized persons. It details the baseline security procedures that companies who interact with payment card information should follow, assists in providing information so the companies can do so, and establishes penalties for noncompliance.
The PCI security guidelines apply to anyone who stores, processes, or transmits consumer payment card data. It does not matter if you run a restaurant, work from home, or have a small chain of stores. If you directly interact with payment card data in any fashion, even by just processing one payment, you are almost assuredly under the purview of PCI DSS. Even if you utilize a payment gateway or merchant account service, your business is responsible for adhering to the regulations as long as it interacts with the payment data in any fashion.
This is a general, step-by-step guide to becoming compliant with the PCI DSS. The PCI regulations themselves outline this process, though the sections are broken down a bit further. These steps do not address every action you need to take through the process. For the exact details on how to follow these steps, consult the PCI DSS version 2.0, available on the PCI security standards site. This especially applies to the more technical sections of firewall and encryption usage.
Firewalls are used to monitor and manage the network traffic running through a system. There are a number of free software firewalls available online, but a high quality, commercial firewall is typically going to be more secure. You can also opt for a hardware firewall for increased security.
Password policy is a simple security procedure that many people fail on regularly. A complex password system may be inconvenient, but when people use generic passwords such as “firstnamelastnamenumber,” “password1,” “qwerty,” or “abc123,” it becomes easier for rudimentary cracking programs to bypass this first level of defense and even makes it so an account could be accessed by an unauthorized user without the use of such a program. Passwords should be case sensitive and use a mixture of upper case letters, lower case letters, and numbers. They should also avoid common dictionary words and should not be recycled.
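The rules in the paragraph above translate directly into a checker that a reset form or account-management script can call. This is an added example, not code from the original guide: it enforces mixed case and digits, rejects the “firstnamelastnamenumber” pattern and the named weak passwords, catches a dictionary word with digits tacked on, and refuses a password whose hash appears in the user’s recent history. The minimum length, history depth and the two small word lists are assumptions constructed for the example.

```python
import hashlib
import re

MIN_LENGTH = 12      # assumed policy value for this example
HISTORY_DEPTH = 4    # how many previous passwords may not be reused (assumed)

# Constructed blocklists; a real deployment loads large breached-password
# and dictionary lists instead of these few entries.
COMMON_PASSWORDS = {"password1", "qwerty", "abc123", "letmein", "welcome1"}
DICTIONARY_WORDS = {"summer", "winter", "password", "welcome", "monkey", "dragon"}


def fingerprint(password):
    """One-way hash kept in the reuse history so old passwords are never stored in clear."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, username, first_name="", last_name="", history=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"\d", password):
        problems.append("no digit")

    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    # "Summer2013" style: strip everything but letters and see if a dictionary word is left.
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY_WORDS:
        problems.append("is a dictionary word with digits added")
    # The "firstnamelastnamenumber" pattern from the text: reject any personal name.
    for part in (username, first_name, last_name):
        if part and part.lower() in lowered:
            problems.append("contains the account or personal name")
            break
    if fingerprint(password) in history[-HISTORY_DEPTH:]:
        problems.append("reuses a recent password")
    return problems


def record_password(history, password):
    """Append the new password's fingerprint to the reuse history and return the new history."""
    return tuple(history) + (fingerprint(password),)


if __name__ == "__main__":
    print(check_password("JohnSmith1", "jsmith", "John", "Smith"))
    print(check_password("Correct-Horse-Batt3ry", "jsmith"))
```

Returning every violation at once, rather than the first one, lets the user fix the whole password in one attempt instead of discovering the rules one rejection at a time.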
Data encryption renders a file virtually unreadable without the proper decryption key. Encryption technology has evolved to the point where, even if a hacker somehow accesses the encrypted data, decrypting it is still a difficult task. The method is not foolproof, and certain pieces of information may not be stored at all, even if you encrypt them.
Viruses and malware can find their way onto a computer through a number of seemingly harmless methods, such as installing a new program or browsing a website. Once compromised, an infected system may be more easily subjected to hacker attacks or the activity on that system, including network traffic that contains payment data, can be monitored remotely. The capabilities of these malicious programs are extensive, making the use of software to detect and remove them essential for information security.
Limiting the ability of unauthorized personnel to gain access to sensitive information is aided intuitively by limiting who can access it, both electronically and physically. With more people who can access the data through normal operations, the risk of a security breach increases. Payment data access should be restricted to specific user accounts based on need, and you should not utilize any group or public access accounts on sensitive systems. The physical access to the data should be limited as well and be situated in a secure and monitored area. Additional levels of access control such as managing user accounts, password cycling, secondary login verification methods like biometric data or access cards, and lockouts on repeated login attempts are also required.
Keeping track of the systems which interact with sensitive data can be useful in determining intrusion attempts or discovering the source of a data breach. All activities should ideally be monitored, but the PCI DSS specifically calls for keeping logs of access attempts, creation of system-level objects, the activities of root and administrator accounts, any accessing of payment card data, and audit trails with specific attention paid to recording the time, outcome, origin, type, and affected components of the event.
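The logging requirements above are only useful if someone actually reads the trail, so here is an added example (not code from the original guide) of a small triage pass over a JSON-lines audit log. It checks that each record carries the fields the text names (time, outcome, origin, type, affected component, plus the acting user), reports corrupt lines, and pulls out the three things the DSS singles out: root and administrator activity, access to payment card data, and failed access attempts. The sample log lines, the privileged account names and the event type names are assumptions constructed for the example.

```python
import json

# Fields the text says every audit record must carry (the acting user is added
# so that root/administrator activity can be picked out).
REQUIRED_FIELDS = ("timestamp", "user", "event_type", "outcome", "origin", "component")
PRIVILEGED_USERS = {"root", "administrator"}   # assumed account names
PAN_EVENTS = {"read_pan", "export_pan"}         # constructed event types for card-data access

# Constructed JSON-lines log: a clean login, a root action, a cardholder-data read,
# a failed login that is missing a field, and one corrupt line.
SAMPLE_LOG = """\
{"timestamp": "2013-05-01T09:12:03Z", "user": "jsmith", "event_type": "login", "outcome": "success", "origin": "10.0.4.12", "component": "vpn"}
{"timestamp": "2013-05-01T09:15:40Z", "user": "root", "event_type": "create_user", "outcome": "success", "origin": "10.0.4.12", "component": "payment-api"}
{"timestamp": "2013-05-01T09:16:02Z", "user": "jsmith", "event_type": "read_pan", "outcome": "success", "origin": "10.0.4.12", "component": "cde-db"}
{"timestamp": "2013-05-01T09:20:11Z", "user": "mallory", "event_type": "login", "outcome": "failure", "origin": "203.0.113.5"}
this line is not JSON at all
"""


def parse_events(raw):
    """Yield (line_number, event) for each non-empty line; event is None for a malformed line."""
    for n, line in enumerate(raw.splitlines(), 1):
        if not line.strip():
            continue
        try:
            yield n, json.loads(line)
        except ValueError:
            yield n, None


def missing_fields(event):
    """Return the required fields absent from one record."""
    return [f for f in REQUIRED_FIELDS if f not in event]


def triage(raw):
    """Summarize a log: completeness problems plus the events the DSS says to watch."""
    report = {"events": 0, "malformed": [], "incomplete": [],
              "privileged_actions": [], "cardholder_access": [], "failed_logins": []}
    for n, ev in parse_events(raw):
        if ev is None:
            report["malformed"].append(n)
            continue
        report["events"] += 1
        gaps = missing_fields(ev)
        if gaps:
            report["incomplete"].append((n, gaps))
        if ev.get("user") in PRIVILEGED_USERS:
            report["privileged_actions"].append(n)
        if ev.get("event_type") in PAN_EVENTS:
            report["cardholder_access"].append(n)
        if ev.get("event_type") == "login" and ev.get("outcome") == "failure":
            report["failed_logins"].append(n)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

An incomplete record is still counted and still checked against the watch lists: the failed login on the fourth line lacks its component, which is itself worth fixing, but dropping it would hide the very access attempt the log exists to record.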
Once all the security measures are in place, the PCI DSS necessitates a variety of regular testing procedures. Quarterly procedures include penetration testing performed by an Approved Scanning Vendor (ASV), scanning for unauthorized access points, and vulnerability scans. Extensive penetration testing is required at least once per year, and additional testing should be performed after any significant changes to your systems.
This is one of the more detailed and overarching requirements of the DSS. Put simply, it requires that your business has established operating procedures relating to information security. Obviously, part one of this policy is to ensure that your systems remain PCI DSS compliant. Other considerations include maintaining a list of approved electronic devices for your systems and clear information as to whom, and for what purpose, the devices are intended. The responsibilities of “information security manager” should be assigned to an individual or group, which can be an outside security provider. These responsibilities include account management, educating personnel on information security procedures, and monitoring the company’s networks. Security procedures should be discussed with any third-party vendors the company uses, and a formal, written agreement should be composed. The plan should also specify when testing procedures should take place, and the plan itself should be subject to testing and scrutiny.
Also, bear in mind that the individual payment card companies may place extra requirements onto merchants. For example, this is a list of Visa’s requirements. While not too far off from the main PCI DSS, it is important to be aware of these requirements to avoid issues.
While the PCI regulations are not enforced by law, the major credit card companies and banks levy fines that are tiered to the volume of transactions a company processes. The exact amount of the penalty also varies case by case, but fines can range from $5,000 to $500,000. They may also continue on a monthly basis if non-compliance is not rectified.
While the overall concept of becoming PCI compliant is fairly straightforward, the intricacies of actually adhering to all the various guidelines and regulations can be difficult for small business owners to handle, and it can often eat up the limited time of the fewer employees that the smaller companies possess. Enlisting the help of companies certified to validate and assist with PCI compliance is recommended by the PCI regulatory body and is required in some cases, such as the regular testing by an ASV made necessary in the regulations. QSAs (Qualified Security Assessors) can be used to verify that you are adhering to the PCI DSS.
Aside from the companies directly related to PCI compliance, the help of a Managed Security Service Provider (MSSP) is good practice for enhancing your general security and thus helping your systems to comply with PCI guidelines. These organizations are experienced in setting up information security functions for businesses and individuals, and utilizing them is often less expensive for small businesses that cannot afford to bring on several IT staff members just to handle information security. Many MSSPs can also function as QSAs, but it is better practice to use different companies for these services, even if it is not required to do so.
A report detailing some of the best MSSPs based on various criteria can be found here, and the lists of PCI Security Standards Council approved QSAs and ASVs are located in the resource section at the bottom of this guide.
You can also engage in further reading with tools like this free PCI for Dummies ebook, courtesy of Qualys.
PCI represents a baseline level of security that should be adhered to by companies that handle sensitive data. While it may seem to be an unnecessary burden, information security breaches have been responsible for trillions of dollars lost through fraud and secondary expenses. Even if your business does not handle high volumes of transactions from a number of different customers, neglecting to properly secure your information systems can result in data breaches that put you and your customers at risk and do extensive monetary damage. It is in your best interest to take information security extremely seriously and even go beyond the security standards set by the PCI DSS.
PCI Security Standards – The main PCI DSS site. It contains the regulations, supplemental information, links to certified assistant companies, and more.
Approved Scanning Vendors – The official list of ASVs certified by the PCI regulatory body.
QSA List – A searchable database of QSAs certified by the PCI regulatory body.
PCI Compliance Guide – A helpful reference for PCI compliance questions and information.
Emerging Managed Security Service Providers, Q1 2013 – A detailed analysis provided by Forrester of the most promising MSSPs.
Becoming ‘PCI Compliant’ If You Accept Credit Cards – A checklist of tasks for becoming PCI compliant from the BBB.
The information technology age has brought with it a new opportunity for the criminally minded. Unfortunately, our government agencies and corporations have not always been as guarded as they could be against those determined to gain access to the vital data they store. Through a combination of hacking and social engineering techniques, digital thieves have made off with identity information, hampered affairs of state, and even stolen millions of dollars. Here are 20 of some of the most damaging, notorious, or notable data breaches presented in chronological order.
Card Systems is a third-party processor of credit card information based in Tucson, AZ. In June of 2010, a hacker slipped a data-mining bug into their system through security holes and stole data over time from roughly 40 million cards. This data breach happened in large part because the company was storing cardholders’ account numbers and their security codes, in direct violation of MasterCard rules, which allowed the hacker to collect them. The information gathered was suitable only to steal money from the cardholders’ accounts, not to steal identities. At the time, it was the largest data breach to date.
In 2006, burglars broke into the home of a VA employee who had taken his company laptop home, in violation of that agency’s regulations. Fortunately, the thieves responsible for stealing the laptop in question had no idea what they had gotten their hands on and deleted all the relevant information. When FBI agents recovered the laptop, they found it had been cleared and reformatted for quick resale, thus protecting the millions of veterans whose information had been stored. The data in question included Social Security numbers, names, addresses, and birthdays for millions of veterans, current service members, reservists, and their spouses. It did represent the largest data breach from a government agency in US history, and raised a lot of questions about how we enforce and protect the highly sensitive data government employees have access to.
TJX Companies is a large retailer that includes a number of retail chains like HomeGoods, Marshalls, T.J. Maxx, and others. Over the course of several years, predominantly in 2003 and 2006, an unknown number of hackers stole millions of transaction records. Of note, it took TJX over two months after the data breach was discovered to talk about the true size and scope of what occurred with the media, and it even delayed discussing its awareness of the breach with affected banks and customers. In the end, 45.6 million card numbers were stolen, and data from over 450,000 merchandise return receipts was also taken. This represented another major wake-up call for the industry. It took TJX seven months after the theft to recognize it, and retracing the hackers’ steps proved challenging since much of the trail was lost in normal data purges.
Once again, a company with a major data leak chose to withhold the information from its customers for half a year before disclosing it. In this case, AmeriTrade was made aware at least as early as October of 2006, when customers began to complain of stock-related spam emails. That led to a lawsuit in May of 2007, when two of its customers actually sued the company for the breach. Each client had an email address used exclusively with TD AmeriTrade, and when those inboxes began to fill up with unwanted ads, they immediately knew where the leak had come from. The problem was even noted on BoingBoing in June of that same year, when it featured a review of AmeriTrade which noted similar email spam to a dedicated address. Despite this, the company kept the information close to the chest until September, when a court order would have forced it to step forward anyway. The lawsuit suggested that the data breach could have potentially leaked sensitive customer data like Social Security numbers and other information that could be used in identity theft. There was also a concern that the company might attempt to destroy information that would display its negligence. The company then requested a two week break from court proceedings, was granted it, and used that time frame to ‘discover’ the breach and notify the press and its clients. It became very clear that the company chose to respond not out of a sense of responsibility to its clientele, but purely because it had been caught and could no longer contain the story.
This case was pretty much a cut-and-dried case of more traditional data theft – a disgruntled employee sold information to a data broker. The details that make this case worth examining are how the company initially presented the scope of the problem and how it recovered. The company claimed after the incident that only 2.3 million records were stolen and that the public should not be concerned, because these records were all going to ‘legitimate marketing firms.’ A few months later, it was revealed through a filing with the Securities and Exchange Commission that the true number of stolen records was in the range of 8.5 million. Of those records, roughly 5.7 million included checking account records, and 1.5 million included credit card records that could be used for identity theft and fraud. In the end, through a settlement with the Florida Attorney General, consumers were granted a two-year period to report and receive reimbursement for expenses related to theft from the incident, and they were given credit monitoring at the company’s expense. Further, the company restructured how it handled information security: it conducted a comprehensive review of internal and external risk, implemented a range of safeguards, and scheduled regular tests and monitoring programs to detect weaknesses and catch issues before they became problems.
Monster had a recurring problem with data breaches between 2007 and 2009. Three separate times it suffered breaches in which millions of customers had their personal data stolen or their job listings infected with malware. Affected users also received targeted phishing emails encouraging them to download malicious software or tempting them to accept jobs working as mules for online criminal organizations. One of the malicious Trojans left behind by the attackers encrypted files on affected users’ computers and left a text file demanding payment to the attackers to recover the data. Each attack was perpetrated by hackers abusing weaknesses in Monster’s information security structure. Each time, Monster delayed informing its users that there had been a breach after becoming aware of it. Each time, Monster swore to do better. Unfortunately, as Monster learned, big talk is not enough to deter hackers. Actual improvements in infrastructure have to be made, not just discussed.
In another case of traditional theft leading to a massive data leak, Bank of New York Mellon discovered a missing box of data storage tapes in February, and again in April, of 2008. Each time, the tapes were being transported by third-party vendors from one location to another when they went missing. Surprisingly, these tapes containing vital customer information were not encrypted at all. In addition, the bank did not inform potentially affected customers for three months. Initially, the breach was believed to have affected over 4 million individuals and to have included names, addresses, and Social Security numbers. Later that year, the bank notified 12.5 million customers that their data had been stolen. All affected customers were offered two years of free credit monitoring and identity theft insurance worth up to $25,000.
At the time of the attack, CheckFree was the largest e-bill payment system on the internet, controlling between 70 and 80% of the US online bill pay market. This made it a prime target for smart hackers. For several hours, hackers managed to redirect visitors from the legitimate site login page to a site based in Ukraine that attempted to install software designed to steal customers’ passwords. CheckFree at the time had more than 24 million users, so the attack had the potential to be devastatingly effective. This attack was not due to problematic infrastructure on CheckFree’s part. The hackers had legitimate credentials to access CheckFree’s website, suggesting they either successfully phished that information from a CheckFree employee or obtained it with password-stealing malware. The same website in Ukraine attacked at least 71 other domains at the same time. The attack was noticed and responded to promptly by CheckFree, which had plugged the leak the same day. The company promptly informed its customer base, instructed customers how to detect malware infection, and arranged for every affected customer to receive a free copy of VirusScan Plus from McAfee.
In another phishing scam, about 10,000 Hotmail users had their passwords stolen. Much like the CheckFree incident, users were redirected to a site resembling the Windows Live Hotmail login screen. Users who were fooled into entering their username and password later found their information posted on Pastebin.com, a site originally designed to allow web developers to easily share tidbits of code. The same site also held a list of over 30,000 Gmail, Yahoo! Mail, AOL, Comcast, and Earthlink email accounts and passwords. Microsoft responded quickly upon learning of the breach, sending out emails to warn affected customers of the potential problem and forcing password resets on all affected accounts. As with CheckFree, this was not a failure of Hotmail’s own data security, but a successful phishing venture.
Thought to be the largest data breach of a payment processor, the 2008 attack on Heartland Payment Systems affected roughly 130 million customers and raised questions about the effectiveness of the PCI standards of the time. CEO Robert Carr adamantly reported that Heartland was in full compliance with PCI standards and was certified as such. The PCI Security Council contested his claims, suggesting that the breach was the result of an SQL injection vulnerability. Even so, the company had been certified as fully compliant, leading many to conclude that companies should go beyond the basic requirements of PCI to protect customer data, particularly with regard to tracking security standards over time, as errors creep into systems and hackers gain more sophisticated tools. Heartland developed an E3 end-to-end encryption service to monitor and secure the whole payment process from point-of-sale all the way through authorization and approval. The PCI Security Council also began looking into technologies like card tokenization to improve its own standards. The end result was more focus on a layered approach to information security. In the end, Heartland paid more than $110 million to Visa, MasterCard, American Express, and other card companies to settle claims related to the breach, customers were notified and offered credit monitoring, and companies received a sobering reminder about the state of their data security.
Once again, the VA put data from roughly 76 million veterans at risk through employee negligence. In this case, the breach started with a faulty hard drive in a database RAID array. Employees arranged for a contractor to repair the disk and neglected to erase the encrypted data stored on it. When the contractor failed to repair it, the disk was recycled, leaving the data accessible to whoever next claimed the disk.
Much like Heartland, the Hannaford Bros. supermarket chain appeared to be following PCI compliance standards when it was hit with a massive data breach. Despite its compliance, a sophisticated hacking attack exposed over 4 million credit and debit card numbers to potential identity theft and resulted in almost two thousand cases of fraud. Later that year, Albert “Segvec” Gonzalez was indicted by a federal grand jury in New Jersey, along with two co-conspirators, on charges of hacking into Hannaford Brothers, Heartland Payment Systems, 7-Eleven, T.J. Maxx, and other unnamed national retailers. Gonzalez and his small team were accused of stealing over 130 million credit and debit card numbers, the biggest fraud case of its kind in history. He was eventually sentenced to 20 years in federal prison for his crimes.
The VeriSign attack was notable both for the severity of the complications such a breach could have caused and for the astounding lack of communication within the company. The data breach was first discovered by the company’s security team in 2010, but it was not reported to management until September of 2011. An SEC filing made the breach public, forcing the company to acknowledge the situation, though initially upper-level management seemed to have little knowledge of the incident beyond what was included in the filing. At the time of the attack, VeriSign was one of the largest providers of SSL certificates, which browsers use to identify secure sites like financial sites and communication portals. VeriSign also housed sensitive information on customers, and its registry service, used to create website addresses, was another potential target. The big fear was that the certificate system had been compromised; this would have allowed hackers to forge certificates (an event that had already occurred) and thus trick users into believing a phishing site was completely legitimate. Stewart Baker, former assistant secretary of the Department of Homeland Security, responded to the event by saying, “Oh my God. That could allow people to imitate almost any company on the Net.”
Gawker Media’s security breach was a lesson in humility, the internet’s version of being publicly tarred and feathered. A feud between the online message board 4chan and Gawker (which publishes Kotaku, Gizmodo, Jezebel, Jalopnik, Lifehacker, Deadspin, Fleshbot, and io9) developed when the web publisher trashed 4chan’s antics. This was swiftly followed by denial-of-service attacks perpetrated by 4chan members. Shortly thereafter, a group loosely affiliated with 4chan who called themselves Gnosis began to infiltrate Gawker’s content management system, internal communications systems, and user databases. There they sat for a period of time, during which Gawker’s founder was notified that his account was logged into the internal system when he was not using it. He ordered the account shut off, but did not bother to change his password. In a stunning display of stupidity, it turned out that he used the same password for everything. After playing around internally for a bit, Gnosis began to go public. They posted a snarky message via Gawker’s Twitter account suggesting that user accounts might be compromised. When a Gawker employee assured people that their information was safe, Gnosis responded by posting a meme and a message on Gawker’s site directing people to a Pirate Bay torrent containing a massive data dump that included internal conversations, usernames and passwords for a number of employees and many site commenters, FTP account access, and the source code for the content management system (allowing hackers to dig through it for weaknesses). It also revealed that Gawker was three years out of date on its server security patches, was using horrendously out-of-date encryption on user passwords, and had no password creation policy whatsoever; nearly 2,000 Gawker users had ‘password’ as their password. Gawker’s response was incredibly poor.
Not only did Nick Denton, the founder, fail to respond in a sensible manner after originally being made aware of the problem, but the company then refused to admit that there was a problem because its passwords were ‘encrypted’, and then waited over a day before notifying users that there had been a breach. When it did notify users, it was done with a message on its site, not via email, ensuring many users would never know there was an issue.
ESTsoft is a general-purpose software company operating in South Korea. In 2011, it was the target of a devastating attack that impacted nearly the entirety of South Korea’s population. Hackers gained access to one of ESTsoft’s update servers and loaded malware that attached itself to the ALZip compression application, which subsequently infected 62 computers at SK Communications that made use of the ESTsoft program. The attackers then used the infected computers to steal complete customer databases, including addresses, contact information, passwords, and gender, of roughly 35 million individuals in a nation with a total population of 49 million. The company apologized, NHN, the primary web portal for Korea, ordered its employees to delete ESTsoft programs, and lawsuits were filed. The company never disclosed the financial cost of the breach.
In one of the largest data breaches of its kind, Epsilon was hacked in March of 2011. Epsilon handles over 40 billion emails annually and services more than 2,200 clients around the world. The information stored was primarily email addresses and names, including those of customers who had opted out of marketing mailers, opening all of those customers up to phishing attempts. In addition, some users’ member points were accessed, giving thieves an upper hand when creating believable scam emails. The many companies that sent out warnings to their clientele included major retailers, financial companies, cellular phone companies, banking institutions, and more. Roughly 3% of Epsilon’s clientele was affected. The Secret Service investigated the breach, which was estimated to potentially cost Epsilon up to $225 million in damages.
SecurID tokens, used in a two-factor authentication system designed to create a layered and stronger security system, were compromised in March of 2011 when RSA Security was hacked. Initially, RSA claimed that the hack would in no way allow any “direct attack” on the tokens. Then, a few months later, the defense contractor Lockheed Martin fended off a hacking attempt in which the tokens failed to offer any layer of protection. In June, RSA released a statement acknowledging the failure. Its Chairman, Art Coviello, claimed that the reason it took the company 3 months to disclose the full scope of the breach was to protect other customers from attacks similar to what Lockheed Martin experienced. There were claims that Northrop Grumman and L-3 Communications faced similar attacks. The delay caused many to question the reliability of RSA’s system and certainly to worry that withholding that information had put RSA’s customers at risk. Some chose to switch to a new token provider, but many remained with RSA because switching was much more expensive and time-intensive than simply obtaining new tokens (which RSA provided). In a rather ballsy gesture, RSA encouraged its customer base to add more layers of RSA security to create redundancy. One product fails, so we’ll switch that one out and sell you two more.
Some 77 million user accounts on Sony’s PlayStation Network were compromised after a large-scale hack accessed the Sony database. It took the company seven days to notify its customers that data had been stolen during the breach that caused the network’s massive shutdown. Names, email addresses, passwords, security questions, birth dates, and addresses were accessed, and Sony warned customers that credit and debit card information may also have been stolen, though no cases of identity theft or fraud were reported as a result. The company was fined £250,000 (approximately $400,000 USD) by the Information Commissioner’s Office, a UK-based watchdog group, which cited clear negligence on Sony’s part as the reason for the fine.
Bitcoin offered the internet world a unique new form of currency. The nature of Bitcoin makes it an irresistible target for hackers, as a key feature is the permanency of its peer-to-peer transactions. While this protects merchants from chargebacks, it also means that a successful theft of the currency cannot be reversed. Once a hacker gains access to the private keys, what they steal is theirs to keep. Bitcoin has seen a lot of growth in recent years as it has become a haven for criminal activity and a sort of virtual stock market. It has also seen a rash of hacking attacks targeting trading platforms like Bitcoinica, which lost $87,000 worth of currency in an attack against its production servers, and BitFloor, the largest Bitcoin exchange in the US, which lost $250,000 in a successful hack against an unencrypted storage server. Mt. Gox, Instawallet, and other Bitcoin-supporting companies have also seen successful thefts. These thefts have considerably increased the risk of investing in Bitcoin, stalling what had been dramatic growth in value in 2012.
With a price tag of $92.7 million in damages, investigation costs, lost business, and remediation expenses, the Global Payments data breach put at risk more than 7 million card numbers. The data stolen in the breach included full Track 1 and Track 2 data, usable by thieves to counterfeit new cards. Union Savings Bank was just one of a number of financial institutions affected by exactly that tactic. In March of 2012, thieves began purchasing small-denomination Safeway-branded prepaid debit cards. They would then encode Union Savings Bank debit card accounts onto the magnetic stripes of these cards, use them to purchase high-value prepaid cards, and spend the money buying high-ticket electronics and other items from other retailers. USB alone suffered roughly $85,000 in expenses related to the theft. Some, like Fulton Bank of New Jersey, were harder hit, seeing roughly one thousand stolen accounts every week. Visa and MasterCard promptly revoked their certification of Global Payments. Javelin estimated that $707 million in fraudulent charges would occur on the 1.5 million cards that were known to be compromised, with an end cost to consumers of roughly $152 million.
On Laws and Home-Brewed Espionage
The laws regarding eavesdropping and spying on family vary on a state-by-state basis, and in many cases the legality is not at all clear. There are cases to support, for example, a husband using GPS software to track his wife’s car without her knowledge, or keylogging his home computer to spy on his wife, without legal repercussion. Conversely, some have been convicted and jailed for keylogging family computers. Particularly with regard to information gathered with the intent of going to court, it is wise to seek legal counsel before beginning. Be aware that encouraging others to spy on your behalf using illegal methods, whether they are friends or professional investigators, may still leave you legally culpable. Play it safe and educate yourself.
On the subject of digital spying:
Keylogging has become a very popular activity for keeping track of loved ones and colleagues. Be aware that keylogging is a felony offense in the US. It is legal only if an employer has reason to believe an employee may be divulging trade secrets, when a company policy allows for workplace surveillance, if a computer user is clearly notified that their online activities may be monitored, or to track children’s activities online and protect them from predators and other risks. Use against a spouse is legally murky, as seen in the previous examples, and has the potential to land the spy in legal hot water.
Legitimate Cases for Becoming a Spy
There are a multitude of reasons people choose to spy on one another: parents keeping track of suddenly independent teenage children, spouses concerned about infidelity, or perhaps someone who requires evidence that a friend has sticky fingers. Perhaps it is simply fun and games – a child play-acting as Bond, James Bond. Whatever the reason, it is important to examine your motivations before engaging in spying. In many cases it constitutes a major invasion of privacy, it is potentially illegal depending on the tools and strategies used, and many would view it as highly unethical. Be sure of what you are doing before you begin. For spouses who may be dealing with infidelity, particularly those with a lot of assets or prenuptial agreements on the line, espionage can be a highly effective means of ensuring smooth divorce proceedings should they become necessary. For parents, it is a surefire way to ensure a child’s online safety. In these cases in particular, the sense of security born from an unalterable truth may outweigh the ethical and moral concerns.
The Value of Social Engineering
Fortunately, there is a tried and true method of gathering information that is wholly legal and requires only a bit of charm and planning. Social engineering has gotten a lot of attention recently for its role in major hacking attempts, but it is equally useful to anyone seeking information. People are, by and large, inclined to be helpful to someone who does not appear alarming. Take some time to read up on social engineering in depth to make the most of it; here are a few books worth acquiring on the subject.
1) Influence: Science and Practice by Robert B. Cialdini – This book is written in an approachable tone and combines research with the author’s experience as a salesperson to instruct its readers in the art of getting a ‘yes’. It is all about the power of persuasion. Offered on Amazon in paperback for $19.20 or on Kindle for $6.99.
2) Social Engineering: The Art of Human Hacking by Christopher Hadnagy – This book, written by the man who coined the phrase ‘social engineering’, explains through personal experience, real-world examples, and the science that drives it, how social engineering works. It explains how to utilize social engineering and how to minimize risks associated with it. Amazon offers it for $19.12 in paperback or $18.16 on Kindle.
3) What Every BODY is Saying: An Ex-FBI Agent’s Guide to Speed-Reading People by Joe Navarro – Written by a former FBI counterintelligence officer, this book instructs its readers on how to pick up on and translate non-verbal cues as well as how to maximize your own non-verbal cues to subtly influence people. Offered for $13.98 in paperback form on Amazon or $9.99 on Kindle.
4) Introducing NLP: Psychological Skills for Understanding and Influencing People by Joseph O’Connor – This book is well known for its ability to effectively teach the subtle ways in which people can be influenced in the reader’s favor. Written in an accessible style with a clear progression from basics to more challenging concepts, it is considered one of the most definitive NLP texts available. Offered for $10.28 on Amazon.com.
– Private places are the most likely to get you into legal trouble, so be aware of this before you start spying within businesses or private homes. You will need to pick a location that is extremely unlikely to be examined or disturbed by others but that is close enough to the main centers of activity to pick up useful sound: high shelves, beneath coffee and end tables, or behind sofas and chairs pressed against walls.
– Placing a listening device in a public location is primarily about finding a spot that will return useful tidbits of conversation without being drowned out by ambient noise like the sound of traffic, the movement of people, and group conversation. Place microphones, if possible, as far from sources of ambient noise as you can, and preferably in enclosed spaces.
On Your Person
– Clothing often muffles incoming sound, so hiding listening devices on the body can be tricky. You must balance sound quality against visibility. There are listening devices meant to be worn visibly and go unnoticed, designed to resemble buttons or Bluetooth devices. You can also turn your cellphone or a similar electronic device into spy gear, and most people will never question it, given how common it is to have such a device at the ready these days.
– Many listening devices are designed to pick up sound through vibrations, so they can be safely tucked away within items that have a solid exterior. So long as the device is secured against the item’s internal wall, it can detect and record sound from outside. If the item in question can play sound, that will mask any other noise, so items like computers, stereos, cell phones, and TVs are useful places to hide devices but may occasionally interfere as well.
Social Engineering Strategies
5) Dress well – People are much more inclined to be friendly towards someone who looks like they might be important or well connected. Dress the part.
6) Be pleasant – Charm is disarming. Playful flattery of a casual nature, genuine attention, and a warm smile can go a long way towards making another comfortable enough to share information with you.
7) Ask appropriate questions – If you are trying to find out, for example, if your wife is leaving work early it would make sense to ask a company receptionist about her hours so you could schedule a meeting with her. Have a suitable reason for wanting the meeting. Tailor your questions and background to the environment and your needs.
8) Have a reason! – This follows up on the previous idea, but expands it to include accessing private journals or other personal items. If you wish to acquire something in a space you do not belong in, find a good, justifiable reason for you to be rooting around in there. If it is a child, bring them folded clothes to put away. A husband? Dust the shelves in his office. Make it an action that would not be out of place for your behavior. If you never clean, a sudden interest in dusting his things is going to create red flags.
9) If you are intending to actively listen in, there is a chance that someone may encounter you. Dress appropriately for the environment you are in, and be prepared with a good excuse. Despite the title of this section, wearing actual camouflage is almost never a good idea.
10) Some of this has already been addressed in ‘Planting Devices’, but be aware that eyes may settle on your device. To increase effectiveness, it is best to conceal the device if possible. Some devices are already meant to appear to be something other than what they are – a pen, an innocuous electronic device, a button, or similar. If you are hiding a listening device on a high shelf, consider hiding it within a hollowed-out junk book.
11) Target – Have a clear idea of who you need to speak to, or where you need to be, to obtain the information or items you are after.
12) Goal – Know precisely what you are interested in obtaining. Fishing aimlessly is a sure way to stumble and raise suspicion in other people. If you know what you need, you can determine the most likely avenue to acquire that information before you begin speaking. You gain control of the conversation before it begins.
Audio & Video Surveillance
13) USB Drive Voice Recorder – This useful little device looks like a sleek USB stick, but has the added capacity to record up to 45 or 90 minutes of audio with 15 hours of battery life. It recharges as soon as it is inserted into a USB port. It does not flash or give any visible notification when it is actively recording, and it features incredibly simple operation. $44.95 for the 4GB (45 minute) option from Pen Recorder Pro.
14) 2.5” HD Dashcam – Designed to affix to your windshield via suction, this camera records clear, quality images even at night. It supports Micro SD cards from 1-32 GB and charges while you are driving with an included cord for your cigarette lighter. It automatically begins recording when you turn it on and includes a date and time stamp (handy if the footage ends up in court proceedings). Just $99.00 from Proof Pronto.
15) Wall Listening Ninja Spy Device – This small tool is designed to be pressed against a solid surface with the intent of picking up sound from the other side. It can ‘hear’ through up to 20cm of thickness and includes a built-in rechargeable battery and an audio jack. It comes with a headset, but you could also conceal the device within an object and connect it to an audio recorder with the right cabling. It costs $49.50 from DX.
16) 500 Meter Spying Transmitter and Receiver Set – This set includes a micro audio spying bug that can be concealed easily and transmits up to 500 meters away. It has adjustable volume and allows for active remote listening with the included receiver or recording on micro SD cards up to 8 GB. It uses a built-in rechargeable battery. Just $90.30 from DX.
17) Cigarette Lighter Hidden Camera Recorder – This faux lighter includes a rechargeable li-ion battery and has the capacity to capture video and pictures. It features sound-triggered recording and offers a simple and subtle manual recording mode. It supports MicroSD cards up to 16GB, though one is not included with the device. The lens is located on the bottom of the lighter. The button that you would normally use to strike the lighter turns it on, and the top removes to access the USB port for uploading images to a PC or Mac. Amazon offers it for $99.99, and it is currently on sale for $20.99.
18) Orbiter Electronic Listening Device – This thing isn’t going to win points for stealth, but it is highly effective at detecting audio from up to 300 feet away. It comes with quality headphones and allows for digital recording with a 120 second playback feature. It also includes a viewfinder that can magnify up to 10x.
19) Mini Spy Cam Pen – This executive-style pen in black and gold conceals an HD 3 megapixel camera capable of producing high-res color photographs in JPG format or recording video at 1280×960 resolution at 30 FPS. It has a concealed USB 2.0 interface at its end and has driver support for Windows, Linux, and Mac computers. It comes standard with 2 GB of memory and can be upgraded up to 8 GB with a microSD card. It has a built-in rechargeable lithium ion battery capable of recording up to 100 minutes of video or 6+ hours of photography. Offered for $23.90.
20) Avangard Optics Waterproof Spy Watch – This clever watch features a built-in HD camera recorder, capable of capturing video or stills with 640×480 resolution at 30 FPS. It includes an onboard mic, date and time stamp, with 4GB of built-in NAND flash memory, and connects via USB to a PC to capture gathered data. The watch itself is dust and water resistant and uses a rechargeable lithium battery which lasts for about an hour with a full charge. Priced at $35.00 from B&H.
21) Concealed Camera within a Toyota Car Key – This key records video at 640×480 resolution with 30 FPS and allows storage up to 16GB via MicroSD. It uses a high capacity lithium polymer battery to support roughly one hour of life from a full charge. It connects to a PC with a USB cable for data extraction. Priced at $65.95 from Sears.
22) Spy Clock Camera with Motion Detection – This innocuous camera comes in the form of a sleek and fashionable bedside alarm clock. The concealed HD 2.0 megapixel camera is capable of recording at 1280×960 resolution at up to 30 FPS. It begins recording when activated via motion detection and can record continuously for up to 2 hours. The AVI files are written directly to a microSD card (it comes with a 4GB card that can be upgraded for more storage). Costs $48.95 from Newegg.
23) Super High Gain Microphone – This microphone is incredibly lightweight and minuscule, making it easy to conceal nearly anywhere. It weighs less than half an ounce, and the preamp features low noise, powerful high gain, and automatic level adjustment with its onboard IC. The output is line level, and the device comes with 6 feet of power/audio cable so you can connect it wherever you need. It requires a 6-15 volt DC battery. Offered for $37.50 from Spy Associates.
24) Coat Hook Hidden Camera – Cleverly hidden, this camera is situated at the top of this hook, ensuring that it will function even while in use. The camera can be activated manually or automatically start when it senses motion. Video is recorded in 1280 x 960 resolution. Available in white or black for $49.95 from Brickhouse Security.
25) Sonic Sleuth Parabolic Microphone – Parabolic microphones help you pick up and isolate sounds at a distance. This particular one is designed for children so the cost is not prohibitive. It can pick up sounds up to 300 feet away and offers a frequency controller to remove unnecessary background noise. It comes with a set of headphones but not the necessary 9-volt battery. Offered by Amazon for $23.21.
26) Uzi Parabolic Microphone – This parabolic microphone also features a monocular capable of viewing up to 8x. The microphone can pick up sounds up to 100 meters (roughly 328 feet) away. It features an integrated chip to record sounds. It includes high quality headphones, but not the necessary 9-volt battery. Offered for $42.95 from Amazon.
27) Sonic Sound Amplifier – While still not necessarily subtle, this sound amplifier is much less obvious to the casual observer than a parabolic microphone. The handheld device can detect sounds up to 300 feet away and can attach via clip to a pocket, belt, and many binoculars. It includes the necessary ‘AAA’ battery and stereo headphones. Offered for $22.95 from Amazon.
28) Smoke Detector Hidden Camera – This pinhole camera is tucked within a nonfunctional smoke detector casing. The camera uses a CCD (charge-coupled device) solid-state image sensor for high-quality image capture and reliability. It features auto white balance and automatic gain control to provide clear images under normal lighting, and adjusts automatically to light levels, but it will not function well in a dark room. A power supply and cable must be purchased separately. Currently on sale at Amazon.com for $34.99.
29) Miniature Wireless Color Camera Set – This set includes a miniature wireless camera with microphone pickup that allows for quality color imaging at a range of 150’ with no obstacles. The camera runs on a 9-volt battery or an AC adapter. The receiving tuner can be fine-tuned to acquire a better picture. The receiver can be set up to record, and can mount on a wall or lay flat for a more permanent set up. Price is just $22.64 via Amazon.
30) Wireless Pan/Tilt/Nightvision Camera with Remote Monitoring – This remote camera can pick up quality images even at night and allows remote control of its pan and tilt functions. It requires a power connection and network access, and it comes with a power adapter and network cable. Offered for $59.99 from Amazon.
31) Mirror Spy – This security mirror holds a powerful secret camera capable of recording color footage at a 420 TVL resolution. It has a wide angle lens and a coverage range of 82 degrees, ensuring that it can cover an average sized room or hallway. It requires access to a power plug, but does not rely on batteries so once it is installed you can let it run without fear that it will die at a critical moment.
32) Right Angle Mirrored Lens – This nifty lens attachment fits any lens with a 58 mm filter thread. It is simple to install: just screw it on and you are ready to go. It lets you snap pictures around corners without drawing attention to yourself. $28.99 from Amazon.com.
33) Telescoping Mirror – These handy tools generally feature a telescoping handle and flexible neck, allowing you to peek into hard-to-reach places or around a corner without being obtrusive. They generally cost a little less than $10; this model from Amazon sells for just $7.29.
34) Spy Periscope – While you can make your own simple periscope with a cardboard tube, small inexpensive mirrors, and a hot glue gun, the more dedicated might want to put up the cash for this professional-grade periscope. It makes it easy to see around corners, over, and under all kinds of obstacles and allows magnification up to 5x. Its design ensures that the picture is always displayed right side up regardless of how the periscope itself is set up. SpyVille offers it for $119.99 (on sale for $79.99 at the time of this article).
35) ViewPoint Mirror – Now you too can have eyes in the back of your head, motherhood not required! This handy little mirror adheres to the inside of your sunglasses and gives you a clear view of what is behind you. Discreet and inexpensive, at just $15.00 from CycleAware.
36) “Safe” Books – A two-piece false book set to conceal your valuables, or a hidden observation device, within. Each book features faux-leather spine and felt lining within the concealed compartments. They are large enough to easily conceal pinhole miniature cameras or listening devices as well as extended media storage or other accessories. The set is currently on sale on Amazon for $29.98.
37) Hide-A-Mic Rocks – Fashioned to resemble a rock, this concealed compartment is designed to secure an extra key, but it can easily be used to conceal a hidden audio recording device designed to pick up sound via vibration through a solid surface. It would not be a challenge to conceal cabling leading to the false rock beneath the ground surface. Currently on sale for $6.02 from Amazon.
38) Make your own false compartment – Almost any container can be given a false bottom, and there are a number of quick how-to guides online that walk you through the process. Pick a new item or one that does not get used much, such as a bedside drawer that is rarely opened or an inexpensive jewelry box. Match the interior finish when you build the false addition, and make sure your measurements are exact. Create just enough hidden space to conceal your device; the larger the compartment, the more likely it is to be noticed.
39) Concealed pocket clothing – When you are attempting to walk out with potentially incriminating items, or walk in with bugging devices, having concealed pockets can come in handy. Even those with minimal sewing skill can create simple pockets tucked away inside waistbands or jeans. There are also many styles of clothing that come with an abundance of pockets that are easily accessible. Take advantage of functional fashion.
40) Spy Coin (MicroSD concealment) – This realistic-looking coin comes in a variety of denominations: a U.S. Nickel, Half Dollar, or Dollar, a British Pound, a 50 cent Euro piece, or an Aussie 20 cent piece. They seal tightly, are indistinguishable from an ordinary coin, and require a special tool (included with purchase) to open again. Each will hold a microSD card (the U.S. quarter version, also offered, will not). Available for just $18.49 from Amazon.
41) BIC Lighter Secret Stash – This non-functional lighter offers subtle concealment for small items. The size makes it perfect for a microSD card, which is what many spy devices utilize. It looks identical to a typical lighter. Offered for $9.95 via Amazon.
42) Wireless Network Detector Keychain – This simple keychain device detects nearby wireless networks and indicates their signal strength with a row of LEDs. It comes with batteries. Costs just $5.55 from DX.
43) Wireless Scanning Pen – This silver and purple pen allows users to scan up to 1000 pictures or voice memos up to 1 minute long. It syncs with Evernote and features a storage capacity of 1GB. Offered for $87.73 from DX.
44) Mini Portable Document Scanner – When a pen-sized scanner won’t cut it, this portable scanner can step in. It scans standard-sized documents quickly, as fast as 2 seconds per page at lower resolution, or more slowly at high resolution. Scans are stored on a microSD card, and the unit is powered by 2 AA batteries. Costs $54.50 from DX.
45) Spy Remote Control Helicopter – This helicopter can serve as your own personal flying spy, though it obviously requires that your target be viewable from outdoors. The RC ‘copter can fly for roughly 10 minutes when fully charged and comes with a 1GB microSD card, which can be upgraded. It has a hi-res built-in camera and a solid-state gyroscope for stable control, and users can take snapshots or record video in flight. The integrated rechargeable LiPo battery is included; the transmitter requires 6 ‘AA’ batteries that are not. It costs $59.95 from Hobby Tron.
46) Spy Mini RC Drone Helicopter – This miniature RC helicopter can fly for 20-30 minutes with a full charge and has a range of 100’ from the transmitter. Multiple bands allow up to 3 RC helicopters to be flown at once. It includes 2 LED search lights, built in gyro for stability, and a mini HD camera to capture and record visual information. The receiver requires ‘AA’ batteries, not included. It costs just $59.98 from Trend Times.
47) Make Your Own Drone – DIY Drones has a ton of information for those interested in crafting their own miniature drones. With the assortment of miniscule audio and visual recording devices on the market and accessible miniaturized RC components, a little technical knowledge and a penchant for DIY is all one needs to create their own spy drone at home. Check out this site for inspiration.
48) 8 Piece Spring Steel Lock Pick Set – This is a good starter set of quality lockpicking tools. It comes with a double ball pick, two different hook picks, a snake rake, a jagged rake, two different single-sided picks, and a double-ended tension wrench. Each piece is made of black diamond spring steel and has a reinforced handle. Costs $24.95 from Newegg.
49) Super Lock Pick Set – For the more demanding lock-picker, this set includes any style pick you might need, all wrapped up in a faux-leather case. It includes a guide-book to walk you through most lock styles. Costs $96.59 from WayFair Supply.
50) Practical Lock Picking – This guide walks even novice lock pickers through the process of opening most lock styles. It includes detailed, full-color diagrams and step-by-step instructions covering the most common techniques and tools. Amazon offers this book for $32.72 in paperback and $31.08 on Kindle.
51) iSpy Connect – iSpy connects your existing cameras, webcams, microphones and related equipment into a dynamic surveillance system. Users can choose from three types of motion detection and four types of motion processing, with recording triggered automatically on detection or on a schedule, with audio and remote access. It also offers desktop recording and SMS/MMS/email alerts. It can run across multiple computers simultaneously and can even be integrated with iOS devices.
52) I-Can-See-You WebCam Spy Software – This sneaky software runs silently on your PC and allows you to remotely watch it. Whenever your computer goes online, the program sends you an email with an address to connect and watch live. Offered for $29.99.
53) Real Time GPS Tracker App – This application sends an exact location of the mobile device to Google Maps, but only works if the user keeps the program running. Good for tracking children, not good for tracking stealthily. Offered for free for Android devices.
54) GPS Tracking Pro – Another GPS-enabled mobile tracking app, it works best for children as it requires the user to keep the application running on their device. It uses proprietary maps that display local safety points like hospitals and police stations. For any of the GPS phone trackers, you can conceal a locked phone in a vehicle to track its movements more stealthily. This application is free and available for Android devices.
55) Follow Mee – This application turns a smartphone or tablet into a GPS tracker. The app records whatever location the device goes to periodically and sends that data to a secured server. Users can track location data from any browser. It can track multiple devices, establish geo-fences for children, and it runs silently and starts up automatically when the device is turned on. It is designed to stealthily monitor the whereabouts of children, spouses, employees, or stolen devices.
56) Mobistealth – This service offers stealth applications for your computer and mobile device designed to monitor all activities and provide you with a comprehensive report. Cell phone monitoring can allow you to listen in on calls, read text messages, and view videos and pictures sent to and from the phone being monitored. Similarly, the computer program allows you to read emails sent and received, as well as record and listen in on Skype calls, and monitor online chatting. Both can be set up to track GPS coordinates in the case of laptops and mobile phones. Available for Android, iOS, BlackBerry, and Nokia/Symbian phones and Windows and Mac computers.
57) Stealth Genie – This application lets you record and intercept live calls, review call history, redirect or view sent and received SMS messages, view incoming and outgoing emails, and track GPS coordinates. The GPS tracking allows you to get updates when the phone enters ‘restricted areas’ or ‘safe areas’. You are also able to view an assortment of instant message chats, photos, music, videos, and voice recordings, as well as the phone’s calendar and internet activity. Phones can even be bugged to record their surroundings or let you listen live. Available for nearly any mobile phone and network.
58) XPCspy – Simple-to-use PC surveillance software. It monitors and reports on all activity on the target computer while running unobtrusively, and lets you review the log at any time, from any location. Recorded activities include keystrokes, web browsing history, application usage, clipboard history, system activity, emails, and chat conversations. Free trial, $59.95 to purchase after that.
59) IamBigBrother – This keylogging software is designed to run quietly without alerting users and protect against attempts to disable it. It does not show up in the start menu, nor will it be visible in the Task Manager. It can be set up to capture screen shots when certain keywords are typed, it creates a list of all web sites visited, with a title, and the length of the visit. It records everything typed, including incoming and outgoing emails and web chats, and records passwords.
60) SniperSpy7 – This remote computer surveillance software lets you watch live what is happening on the computer it is installed on. You can browse the file system remotely, view chats, visited websites, and keystrokes (in any language), and capture screenshots. It can be installed on the target computer via email and is compatible with any firewall. It also lets you remotely download files from the computer, view and kill active processes, control the mouse, restart or shut down the computer, and much more. A single 3-month user license costs $39.97.
61) eBlaster7 – Designed to monitor the activities of children and employees, this program records everything done on the computer it is installed on, reports the activity in an organized fashion to your email as often as you wish, forwards you every email and online conversation, alerts you when certain keywords (pulled from a list you create) are detected, and blocks web sites or individuals. Costs $99.95.
62) Refog Personal Monitor 7 – Another stealthy program designed to run in the background and monitor the activities of your children. It captures both sides of chats from IM programs, blogs, forums, chatrooms, and more. It can automatically capture screen shots, send alerts when configurable keywords are triggered, and update you via email so you can remotely monitor activities. They offer a free trial version and the cost is $69.95 for the full-featured version.
63) Elite Keylogger Pro – This program claims to be completely invisible when running, able to avoid detection from anti-virus and anti-keylogging software and not show up through any method to computer users. It records keystrokes, including passwords, monitors emails and online chats and allows you to search and analyze online communication, and allows you to capture automatic screen shots. It also offers a deployment installation method, granting you the right to remotely install the software. Monitoring one PC costs $79.
64) Spector Pro – One of the better known computer surveillance programs, Spector Pro offers a completely undetectable software package capable of recording and analyzing everything any user on a monitored computer does, in a format that is easy to review, search, and analyze. You can get remote access and be alerted when certain keywords or sites are accessed. It grants you the control to block websites or access to individuals on the web. You can watch live or use the video-style playback of what they are doing online. Offered for $99.95.
65) PC Pandora 7 – Another stealthy keylogger, PC Pandora’s ability to avoid detection begins with purchase – billing shows up from Click Bank, a common processor for thousands of online shops. When it is installed, it deletes all web browsing history related to PCPandora.com as well. It offers all the typical keylogging functions including web history tracking, silent monitoring, keystroke recording, conversation logs, remote viewing and control, and the ability to block specified websites or individuals online. Costs $69.95 for one year of customer support and access to one computer.
66) WebWatcher 8 – PCMag.com gave WebWatcher a top rating in 2013, and it has gotten great reviews from a number of other sources for good reason. Web Watcher protects PCs, laptops, and mobile devices. You don’t need to have physical access to monitor any device after installation. You can set up your own custom triggers for instant alerts and get near real-time access to everything occurring on your device from any remote location with internet access. It records activities and allows you to review or search through them at your leisure from anywhere. It allows you to view search terms, web history, online conversations, program activity, and record passwords. You can also set up triggered screenshots based on your customized trigger words. Costs $97.00 for Windows or Mac.
67) Spy Agent – A slightly less expensive but very robust keylogger that offers some powerful parental control features, Spy Agent is a good choice for parents or partners wanting to track online activity. Along with monitoring web history, application use, file access and downloads, and online communication, with triggered screenshot captures and alerts, it offers content filtering. This can be used to filter online chats, websites, or applications based on criteria you establish, and to notify you and begin logging automatically based on specific keywords, applications, windows, or screenshots. Plus it offers excellent tools for managing the data gathered, including automatically generated reports, top 10 feeds, cross-referencing, filtering, and searching capabilities. It costs $79.95. Not available for the most recent iterations of Windows or Macs.
Just Plain Cool
68) Eviltron – This nifty little device is just a tad bit larger than a US quarter, and includes an embedded rare-earth magnet to make it a snap to hide. The included battery lasts 1 month or more with continuous use. It comes with five scary sounds, and a ‘random’ feature to cycle through them. Use it to draw a person away from a place you need to gain access to. Offered from ThinkGeek Labs via Amazon.com for just $12.95.
69) CheckMate, 5 Minute Infidelity Test Kit – This simple kit makes it easy to collect samples from clothing and linen to locate traces of semen stains. The testing can be done at home and takes minutes to get results. Simply wet the stain, blot the area with a test pad, allow it to dry, then mix the provided bottle with the provided reagents and drop the mixture onto the test pad. A positive result turns the sample purple. Costs just $39.99 from Spy Emporium.
70) Data Encryption Key – To secure sensitive information, use this USB 2.0 device to encrypt and decrypt any files you please. It performs 128-bit AES encryption in hardware and attaches to your keychain so you can always keep it with you. Costs $18.50 from DX.
71) Anti-Spy Bug Detector Pen – This pen flashes an LED light whenever it encounters wireless frequencies common to spy cameras and audio recorders. It is not as sensitive as professional level scanners, but is considerably more subtle. It is a functional ball pen and comes with dozens of spare batteries in its included case. The UV LED also works to track blood stains and validate watermarks on documents, bank notes, and money. Costs $13.95 from DX.
72) Anti-Spy Laser Wireless Signal Detector – A professional version of the bug detector pen, this device is capable of picking up a wide variety of espionage equipment, sometimes from as far away as 10 meters. It keeps users from unknowingly being observed or recorded by listening devices, eavesdroppers, or hidden cameras. DX offers it for $44.70.
73) Cyber Spying: Tracking Your Family’s (sometimes) Secret Online Lives – This book is designed to instruct readers in exactly how to spy on someone online. It helpfully covers motivations and the ethics involved, as well as the psychology involved in spying. It gives an introduction to computers and networking basics, teaches readers about online activities and how they can be compromised, and how to prevent being spied on as well. It is designed to help concerned parents and partners check up on online activities. Costs $39.85 for the Amazon paperback edition and $33.56 for the Kindle edition.
74) The Spy’s Guide: Office Espionage – This book is written to help modern-day business professionals gain the most valuable tool in today’s fast-paced world: information. With step-by-step instructions on everything from phone tapping to social engineering strategies, this book helps professionals get ahead. It includes real-life stories showing how these techniques have been used successfully by spies in Fortune 500 companies, the CIA, the KGB, and more. Costs $3.38 from Amazon.
75) The Official CIA Manual of Trickery and Deception – Written as a training manual for CIA operatives during the Cold War Era, this manual describes step-by-step instructions on how to gather covert intelligence with sleight of hand and other tricks. Offered for $11.56 from Amazon in paperback.
76) Top Secret: A Handbook of Codes, Ciphers, and Secret Writing – All you need to know on how to create, break, and utilize secret codes and complicated ciphers. Lots of hands on practice, tips for creating your own code-making kit, and tidbits discussing the use of ciphers throughout history. Offered for $6.91 in paperback from Amazon.
77) 101 Spy Gadgets for the Evil Genius – As the title suggests, this is a book with over a hundred projects that you can construct using inexpensive and easy to obtain parts that will allow you to gather intel and conduct surveillance. Projects range from easy to challenging and include a complete list of tools and parts with illustrated guides and step by step instructions. Costs $39.70 in paperback from Amazon, or $14.72 on Kindle.
78) Covert Persuasion: Psychological Tactics and Tricks to Win the Game – Using skills developed with a firm understanding of psychology, linguistics, sales tactics, and human communication strategies, this book teaches you how to become a master of persuasion. Designed especially for sales professionals, but useful for anyone who can make use of a silver-tongue. Offered in paperback for $24.99 from Amazon, and $13.72 from Kindle.
Kid-Friendly Spy Gear
79) Bionic Ear – This simple listening device allows kids to listen through walls, windows and doors. The device works well through glass, sheetrock, and wood. It includes a simple audio earphone. Designed for children aged 8 and up. Priced at $9.39 from Amazon.
80) Amateur Spy Micro Listener Toy – Used to eavesdrop on conversations on the other side of a thin wall or barrier or held at a distance across open space. Includes its necessary LR44 (AG13) battery. Designed for children. Just $2.95 from DX.
81) Spy Net Recording Pen – This recording pen features a secret audio recorder. Stored audio can be accessed via the concealed USB connection. It utilizes 3 ‘button cell’ batteries and unlocks access to the Lie Detector on SpyNetHQ.com. Designed for children 8 and up and offered from Amazon for $17.95.
82) Master Spy Kit – This top secret spy kit comes with an RC car capable of picking up audio and visual signals, a spy pen, two walkie talkies, perimeter motion alarms, and a portable scope. It requires 3 ‘AAA’ batteries that are not included. All of this comes in a hard black case. Toys suitable for ages 6 and up. Offered for $49.99 from Meijer.
83) Top Secret Spy Kit – This professional looking case includes fingerprinting tools, spy glasses, a code book and kit, and more. Meant for ages 8 and up and offered for $39.00 from Land of Nod.
84) RC Spy Tank – This iOS-operated RC car features a camera capable of streaming live video or taking photographs. It can travel up to 20 meters with no obstacles and up to 10 meters around walls and other obstacles. The car generates its own wireless connection and runs on 6 ‘AA’ batteries, which are not included. The controlling app is available free from the iTunes app store. Costs $79.95 from NitroRCX.
85) Long Range Walkie Talkie – Designed for children, these long-range walkie talkies can work up to 2 miles apart. They have a special code button meant to send and receive coded messages, and can also transmit spoken messages. They require 6 ‘AAA’ batteries that are not included. Offered from Amazon for $26.99.
86) Spy Gear Lie Detector Kit – This kit uses a simple finger sensor to pick up the subject’s truthfulness. Indicator lights make note of when the subject is lying. Includes a Lie Detector Handbook. Offered for $12.66 from Amazon.
87) Spy Gear Night Scope – This hi-tech looking night scope allows vision up to 25’ in the dark, includes a spring-activated mechanism to activate a spotlight. It offers a ‘stealth mode’ beam. Offered for $23.99 from Amazon.
88) Multi Voice Changer – A voice changer that offers 8 different voice modifiers and adjustable levers to create hundreds of modulation options. It requires a 9 volt battery, which is not included. Offered for $10.03 from Amazon.
89) Video Recording Watch with Night Vision – This spy watch features a 1.4” full color screen to watch recorded videos and get live playback from the included camera. It includes a rechargeable battery and USB connection and is compatible with both Mac and PCs. It comes preloaded with apps and games, including ‘Spy Detector’ and ‘Lie Detector’ apps from SpyNetHQ. More can be downloaded from SpyNetHQ. Offered from Amazon for $37.69.
90) Stealth Video Recording Glasses – These sleek black-framed spy glasses conceal a camera behind the lenses capable of recording up to 20 minutes of video or capturing over 2,000 pictures. Evidence gathered can be uploaded to PC or Mac with the included USB connection and uploaded to SpyNetHQ.com. Offered from Amazon for $34.34.
91) Color Code Message Kit – This nifty kit includes a decoder filter, message code pad, 4 colored pencils and an instruction manual teaching users how to create and decode color-hidden secret messages. Offered for $5.98 from Amazon.
92) Copper Decoder Ring – This small copper ring contains a basic decoder. The top dial rotates 360 degrees to make it easy to encode or decode a message. It weighs just over an ounce and is only 1-1/2” in diameter. Features geocaching clues. Offered for $14.99 from Amazon.
93) Jefferson Style Cylinder Decoder Wheel – This solid wood decoder wheel allows users to create a message and select their array of encoded letters. High quality and attractive method of sending and receiving secret ciphers. Offered for $23.99 from Amazon.
94) Spy Science Intruder Alarm – This simple device allows kids to create an intruder alert by connecting simple electrical circuits to a door buzzer. Requires two “AA” batteries that are not included. Only $10.49 from Nature Pavilion.
95) EIN-O’s Burglar Alarm Kit – This electronic kit allows children to build their own burglar alarm. Designed for children 7 and up and includes all the parts necessary to make a functional device. Only $7.83 from Newegg.
96) Vanishing Ink Pen – Sometimes you want to leave a message with a built-in self-destruct feature. Exploding messages are hazardous, so the next best thing is vanishing ink. This pen, which appears to be completely normal, features ink that fades after 12 hours. It writes normally on any paper and the ink appears to be typical. Just $4.00 from CrimeScene.
97) Invisible Ink (Homemade) – A good spy knows how to make use of the tools at hand. Invisible ink is a good way to share intel with your fellow spies. Most of us have chemicals at home that we can use to create heat, black light, or chemical reaction based invisible inks. This includes milk, tonic water, laundry detergent diluted, table sugar solution, vinegar, and acidic fruit juices. About.com has a great article on homemade invisible ink that can get you started.
98) Permanent Invisible Ink Marking System – Of course, if you want to ensure the longevity of your invisible message and be sure you have a way to review it later, you may want to purchase this pen. The invisible ink is permanent and waterproof, ensuring its longevity on non-porous surfaces. It includes a UV light so you can check the message after it has been written. Costs $11.99 from Whatever Works.
99) Invisible Ink Pen & UV Light – This less expensive pen allows users to write secret messages that can be revealed with the included UV light. It’s only 5 inches long, so easy to conceal, and priced at just $1.49 from Lazerpoint it is inexpensive enough to stock up on them.
100) CSI: Fingerprinting Analysis Kit – This kit, available from Toys-R-Us for just $17.99, contains everything a budding investigator needs to examine evidence. It includes tools to gather and analyze fingerprints and other data. It is targeted towards forensic analysis but could be adapted for the budding spy.
101) Spy Gear Evidence Kit – Made specifically for young spies, this kit comes in a professional-looking black hardcase and contains a UV blacklight, a functional 30x microscope, a 10-piece fingerprint kit, and an LED flashlight. Priced at $20.38 from Amazon.
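The two cipher toys above (item 92, the rotating decoder ring, and item 93, the Jefferson-style cylinder) are the same idea at different scales: a disk carrying an alphabet is rotated so the message letters line up, and the ciphertext is read from another row. The following Python is an added example written for this article, not code from any product vendor or from the original page. It models a Jefferson cylinder whose key is the set of scrambled disks plus the order they are stacked in; the disk set here is constructed from a seed purely for demonstration. The decoder ring falls out as the one-disk case with an unscrambled alphabet, which is just a Caesar shift.

```python
import random
import string
from typing import List

ALPHABET = string.ascii_uppercase


def make_disks(n_disks: int, seed: int) -> List[str]:
    """Build n scrambled disks, each a permutation of A-Z.

    Constructed demo key material only; a real cylinder's disks would be
    fixed at manufacture and shared out of band with the recipient.
    """
    rng = random.Random(seed)
    disks = []
    for _ in range(n_disks):
        letters = list(ALPHABET)
        rng.shuffle(letters)
        disks.append("".join(letters))
    return disks


def _clean(text: str) -> str:
    # The physical device only has 26 letters: drop spaces and punctuation.
    return "".join(c for c in text.upper() if c in ALPHABET)


def jefferson_encrypt(plaintext: str, disks: List[str], order: List[int], offset: int) -> str:
    """Stack the disks in `order`, turn each so its plaintext letter sits on
    the reading line, then read the row `offset` positions further around.

    Messages longer than the cylinder reuse the same stacking order, as the
    physical device does when you encipher the next block.
    """
    if not 1 <= offset < len(ALPHABET):
        raise ValueError("offset must be 1..25; 0 would read back the plaintext row")
    pt = _clean(plaintext)
    out = []
    for i, ch in enumerate(pt):
        disk = disks[order[i % len(order)]]
        pos = disk.index(ch)
        out.append(disk[(pos + offset) % 26])
    return "".join(out)


def jefferson_rows(ciphertext: str, disks: List[str], order: List[int]) -> List[str]:
    """Receiver side: line up the ciphertext letters and read off all 25
    other rows. Exactly one is the plaintext; on the real device a human
    picks out the row that reads as language.
    """
    ct = _clean(ciphertext)
    rows = []
    for k in range(1, 26):
        row = []
        for i, ch in enumerate(ct):
            disk = disks[order[i % len(order)]]
            pos = disk.index(ch)
            row.append(disk[(pos - k) % 26])
        rows.append("".join(row))
    return rows


def jefferson_decrypt(ciphertext: str, disks: List[str], order: List[int], offset: int) -> str:
    """Decrypt when the offset was agreed in advance (row offset-1 of the 25)."""
    return jefferson_rows(ciphertext, disks, order)[offset - 1]


def decoder_ring(text: str, shift: int) -> str:
    """The copper decoder ring: a single disk with the plain alphabet,
    so the cylinder cipher collapses to a Caesar shift."""
    return jefferson_encrypt(text, [ALPHABET], [0], shift)


if __name__ == "__main__":
    disks = make_disks(10, seed=7)
    order = [3, 0, 7, 1, 9, 4, 2, 8, 6, 5]   # the stacking order is part of the key
    ct = jefferson_encrypt("meet at dawn", disks, order, offset=5)
    print("cylinder ciphertext:", ct)
    print("row 5 reads back:", jefferson_decrypt(ct, disks, order, 5))
    print("decoder ring ATTACK+3:", decoder_ring("ATTACK", 3))
```

Note what the example makes concrete that the product blurbs do not: the disks and their stacking order are the whole key, while the row offset adds only 25 possibilities. Anyone holding an identical cylinder, or a copy of the disk alphabets, recovers the message by reading all 25 rows, which is why these are toys rather than a way to protect anything that matters.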