Blog Archives

Ask an Expert: All About Private Investigation

I just want to thank Lifehacker for inviting me to their Ask an Expert Q & A regarding private investigators. I also want to thank the people who participated in the chat session. I hope you enjoyed it as much as I did.

To read the transcript of the chat session, please head to Lifehacker

 
Regards,

Steven Santarpia

Private Investigator Steven Santarpia On Lifehacker’s-Spy Week 11/12/12

Every Monday, Lifehacker brings in an expert for an hour to answer questions via chat. Next Monday, November 12, 2012 at 3pm, Lifehacker will be kicking off “Spy Week,” dedicated to all things James Bond and mystery.  ICORP Investigations Vice President, Steven Santarpia, will be joining Lifehacker to answer your questions pertaining to private investigations. Licensed Private Investigator Steven Santarpia has been a private detective for over 10 years and has worked many different types of investigations including infidelity/cheating spouse,  industrial espionage, skip tracing and insurance claims.

More information to come including the link to join the chat session on Monday. To view past chats, visit Lifehacker.com.

For more information regarding ICORP Investigations, please visit their website.

ICORP Investigations
245 Park Ave, 24th Floor
New York, NY 10167
(212) 572-4823

DoS vulnerability affects older iPhones, Droids, even a Ford car

Publicly available code allows hackers to disable Wi-Fi in a range of products.

by  – Oct 26 2012, 1:50pm EDT

 

The iPhone 4 and a slew of older devices from Apple, Samsung, HTC, and other manufacturers are vulnerable to attacks that can make it impossible to send or receive data over Wi-Fi networks, a security researcher said.

Proof-of-concept code published online makes it trivial for a moderately skilled hacker to disable older iPhones, HTC Droid Incredible 2s, Motorola Droid X2s, and at least two-dozen other devices, including Edge model cars manufactured by Ford. The Denial-of-Service vulnerability stems from an input-validation error in the firmware of two wireless chips sold by Broadcom: the BCM4325 and theBCM4329. The US Computer Emergency Readiness Team has also issued an advisory warning of the vulnerability.

“The only requirement to exploit the vulnerability is to have a wireless card that supports [the] raw inject of 802.11 frames,” Andrés Blanco one of the researchers from Core Security who discovered the vulnerability, told Ars. “The Backtrack Linux distribution has almost everything you need to execute the POC provided in the advisory.”

The Core Security advisory said that Broadcom has released a firmware update that patches the “out-of-bounds read error condition” in the chips’ firmware. Device manufacturers are making it available to end users on a case-by-case basis since many of the affected products are older and already out of service.

Blanco said the exploit makes it impossible for an affected device to send or receive data over Wi-Fi for as long as the DoS attack lasts. Once the malicious packets subside, the device will work normally. Other device functions are unaffected by the Wi-Fi service interruption. He said it’s possible the bug could be exploited to do more serious things.

“We are not sure that we could retrieve private user data but we are going to look into this,” he said.

 http://arstechnica.com/security/2012/10/dos-vulnerability-affects-older-iphones-androids-even-a-ford-car/

Classes Challenge Internet ‘Investigators’

By JOE HARRIS

CLAYTON, Mo. (CN) – In two class actions on the frontier of Internet law, people claim that Intelius and Digimedia dba Peoplefinder work as private investigators in Missouri without state certification.
Intelius, based in Bellevue, Wash., offers its services through its website intelious.com.
Named plaintiff Michael Brown claims Intelius says its investigations can get information about crimes threatened or committed against the United States; the identity, credibility, habits, business, integrity, credibility, trustworthiness, loyalty, movements, affiliations, and reputation of certain individuals; and information on a person’s address, phone number history, social media history, criminal record, family and financial history.
Brown says Intelius is working as a private investigator without a license.
In the second class action, filed by the same law firm, lead plaintiff Thuy Nguyen makes the same accusation against Digimedia.com dba Peoplefinder.com
“At no pertinent time has defendant ever held a license [to] engage in private investigator business in the State of Missouri, nor has it ever held a license to engage in business in the State of Missouri as a private investigator agency,” Brown says in his complaint in St. Louis County Court. “Moreover, defendant has never applied for any such licenses.
“At no pertinent time have any of defendant’s employees ever been licensed pursuant to RMSo § 324.1104 to engage in private investigator business in the state of Missouri.
“At all pertinent times, defendant’s failure to hold the license(s) … was information that a reasonable consumer would consider important in deciding whether to hire defendant for the purpose of having the defendant or its employees engage in private investigator business.”
The class consists of all Missourians who have bought private investigations from Feb. 1, 2010 to final judgment. The law requiring such a license was passed in 2007, but Brown’s attorney, Michael Kruse, said the state finally got the mechanisms to enforce the law on Feb. 1, 2010.
“We were concerned with the value customers are getting in light of the licensing statue,” Kruse told Courthouse News.
“They have a right to comply with the law. There is a reason why the state of Missouri felt it needed such controls and companies can’t be above the law through their business model using the Internet.”
The classes seek an injunction, rescission of contracts, restitution and actual and punitive damages for breach of contract, negligent misrepresentation by omission, and violations of the Missouri Merchandising Practices Act.
Kruse practices for the law firm Onder, Shelton, O’Leary & Peterson in St. Louis.
Kruse filed the nearly identical class action against Digimedia.com dba Peoplefinder.com.
Kruse said he does not expect his firm to file any more class actions against private investigation companies.
“We were looking at several different companies and those two were the most major violators,” Kruse said. 

Courthouse News Service

iPhone Video Timestamp App For Private Investigators

by Steven Santarpia
ICORP Investigations 

It’s finally here! An app for private investigators to take video on their IPhone with a timestamp. It’s called VideoTimeStamp made by Contraptionz. The cost is $29.99. You can record video at 640×480 or 960×640 resolution, with a time and/or date stamp burned in! IOS 5.0 required.I’ve been using the app for a month and I definitely give it my seal of approval. My private investigators at ICORP Investigations also seem to like the app. I think it works well for claims investigations. For instance, I followed a claimant into a Home Depot not too long ago. I  approached the claimant while I made like I was texting someone on my iPhone. The claimant had no idea I was filming him. That of course, is what its all about.

You can hold your iPhone vertically and horizontally  to take video, which is a great feature. When holding it vertically, you can make like you are texting someone and video the target. When holding it horizontally, you can hold the iPhone down by your side to video while walking. Another great feature the VideoTimeStamp app has is you can tap the iPhone screen twice to make the screen go dark. Thus, your iPhone looks like its inactive. For domestic investigations like a cheating spouse case, this app can also be helpful when trying to obtain hidden video.

Maybe the best aspect of this app is you’ll have your iPhone with you all the time. The investigator no longer has to carry another device to obtain hidden video. Plus, the quality of video and the reliability of the hidden cams most insurance investigators use to obtain hidden video make this app a very welcoming addition to our bag of tricks.

How Are Celebrity Cellphones Hacked?

By Michael Gregg

Celebrities are a perfect target for hackers — they’re highly visible, spend lots of time on their smartphones and they know next to nothing about security. It’s no wonder they’re often victimized by hackers — from lone hackerazzis like the alleged Christopher Chaney to hacker groups like the Anonymous offshoot ‘Hollywood Leaks.’

But how do these hackers actually hack a cell phone?

Many people seem to think it requires a great deal of computer skill to hack a phone; that you have to be some type of hacker mastermind. But the reality is, it’s not that hard.

Here are a few ways:

# 1 — Physical Access to the Phone – Obviously, if a person can get physical access to a cell phone, even for a few seconds, it’s game over. The person can clone it, place a remote spying tool on the phone or download the pictures and information directly to their own account.

TIPS — Make sure your phone has a strong password lock to prevent unauthorized access. Sign up for a mobile phone recovery service — like Where’s My Droid, Find My iPhone, McAfee’s WaveSecure, etc. — that offers GPS tracking, remote freeze and remote wiping in case the phone is ever lost or stolen.

#2 — Hacking Email, Twitter and Apps — Most celebrities are hacked through email, Twitter and other accounts that they use on their phones. This is what happened to Scarlett Johanson, Kreayshawn, Mila Kunis and Christina Aguillera, among others — and it may also be the reason for the more recent hacks on Heather Morris and Christina Hendricks.

Hackers get in by guessing a weak password or bypassing the password altogether by answering a series of cognitive security questions such as mother’s maiden name or what high school they attended. This technique is what is alleged to have been used by Chris Chaney and Hollywood Leaks.

To beat a password, hackers can use special password cracking programs that attempt to “dictionary attack” or “brute force” the account, or they can simply do their homework on the celebrity and use that to guess the passphrase or security questions. Once the hacker gets in to one account, especially email, he can use it to get into other accounts (for example, request the Twitter password reminder be sent to Gmail or other web-based email account).

TIPS — Use a unique password for each online account. Make sure it’s at least 10 characters long and doesn’t make up a real word — use letters, numbers and symbols. Give fake answers to the security questions to make it hard for others to guess. To be extra safe, consider using “two-factor authentication” and PGP encryption with the email account as well.

#3 — Social Engineer the Phone Company — In 2005, hackers stole nude pictures of Paris Hilton by getting access to her T-Mobile Sidekick II, a precursor to today’s smartphones. How did they do it? Theyimpersonated a T-Mobile support tech over the phone and tricked T-Mobile employees into giving them access to the carrier’s intranet site that contained a list of user accounts, which allowed them to reset the password to her account and steal photos and contacts. Today, there’s still a risk hackers could reset accounts or permissions by conning the phone company, but it’s more likely they’ll simply target a person’s accounts directly online.

TIPS – Check your online phone accounts periodically to make sure there haven’t been any unauthorized changes.

#4 — Wi-Fi Spies — Movie stars do a lot of traveling, and while they’re roaming about they’re often connecting their phones to open Wi-Fi networks — whether it’s at the airport, hotel or Starbucks. This puts them at greater risk of being hacked. Using public Wi-Fi puts all of your online accounts, Internet searches, emails and usernames/passwords out in the open where they can be read, copied and hacked by any person with moderate computer skills. In fact, there are special tools available online that do this.

TIPS — Don’t use public Wi-Fi. Stick with 3G or 4G service, as it’s harder to hack. If you must use a public wireless network, only use websites or apps from your phone that offer encryption (‘https’ in the address bar) and don’t save your passwords in a cache. Even better, setup a virtual private network (VPN) that will encrypt your online activity no matter where you are.

#5 — Spyware — Stars who spend a lot of time using open Wi-Fi and chatting with friends or followers on social networks and clicking on shared links are also at risk of spyware. Spyware is malicious software that can infect your phone in order to record the things you type — like usernames and passwords — and it can also be used to steal items from your phone, like photos, contacts and banking data. “FakeToken” is one example of spyware that is currently being found on some Android phones. There’s a good chance some celebrity phones have been infected by spyware.

TIPS — Don’t use public Wi-Fi. Don’t click on suspicious links, whether they’re in email, text messages or tweets.

The bottom line is that most celebrities fall victim to hacks because they use weak passwords and share too much information — and images — through easily hacked accounts. A few basic precautions would fix the problem for many of them; hopefully they’ll learn their lesson.

Huffington Post

Drones Set Sights on U.S. Skies

By  and 
Published: February 17, 2012

WOODLAND HILLS, Calif. — Daniel Gárate’s career came crashing to earth a few weeks ago. That’s when the Los Angeles Police Department warned local real estate agents not to hire photographers like Mr. Gárate, who was helping sell luxury property by using adrone to shoot sumptuous aerial movies. Flying drones for commercial purposes, the police said, violated federal aviation rules.

“I was paying the bills with this,” said Mr. Gárate, who recently gave an unpaid demonstration of his drone in this Southern California suburb.

His career will soon get back on track. A new federal law, signed by the president on Tuesday, compels theFederal Aviation Administration to allow drones to be used for all sorts of commercial endeavors — from selling real estate and dusting crops, to monitoring oil spills and wildlife, even shooting Hollywood films. Local police and emergency services will also be freer to send up their own drones.

But while businesses, and drone manufacturers especially, are celebrating the opening of the skies to these unmanned aerial vehicles, the law raises new worries about how much detail the drones will capture about lives down below — and what will be done with that information. Safety concerns like midair collisions and property damage on the ground are also an issue.

American courts have generally permitted surveillance of private property from public airspace. But scholars of privacy law expect that the likely proliferation of drones will force Americans to re-examine how much surveillance they are comfortable with.

“As privacy law stands today, you don’t have a reasonable expectation of privacy while out in public, nor almost anywhere visible from a public vantage,” said Ryan Calo, director of privacy and robotics at the Center for Internet and Society at Stanford University. “I don’t think this doctrine makes sense, and I think the widespread availability of drones will drive home why to lawmakers, courts and the public.”

Some questions likely to come up: Can a drone flying over a house pick up heat from a lamp used to grow marijuana inside, or take pictures from outside someone’s third-floor fire escape? Can images taken from a drone be sold to a third party, and how long can they be kept?

Drone proponents say the privacy concerns are overblown. Randy McDaniel, chief deputy of the Montgomery County Sheriff’s Department in Conroe, Tex., near Houston, whose agency bought a drone to use for various law enforcement operations, dismissed worries about surveillance, saying everyone everywhere can be photographed with cellphone cameras anyway. “We don’t spy on people,” he said. “We worry about criminal elements.”

Still, the American Civil Liberties Union and other advocacy groups are calling for new protections against what the A.C.L.U. has said could be “routine aerial surveillance of American life.”

Under the new law, within 90 days, the F.A.A. must allow police and first responders to fly drones under 4.4 pounds, as long as they keep them under an altitude of 400 feet and meet other requirements. The agency must also allow for “the safe integration” of all kinds of drones into American airspace, including those for commercial uses, by Sept. 30, 2015. And it must come up with a plan for certifying operators and handling airspace safety issues, among other rules.

The new law, part of a broader financing bill for the F.A.A., came after intense lobbying by drone makers and potential customers.

The agency probably will not be making privacy rules for drones. Although federal law until now had prohibited drones except for recreational use or for some waiver-specific law enforcement purposes, the agency has issued only warnings, never penalties, for unauthorized uses, a spokeswoman said. The agency was reviewing the law’s language, the spokeswoman said.

For drone makers, the change in the law comes at a particularly good time. With the winding-down of the war in Afghanistan, where drones have been used to gather intelligence and fire missiles, these manufacturers have been awaiting lucrative new opportunities at home. The market for drones is valued at $5.9 billion and is expected to double in the next decade, according to industry figures. Drones can cost millions of dollars for the most sophisticated varieties to as little as $300 for one that can be piloted from an iPhone.

“We see a huge potential market,” said Ben Gielow of the Association for Unmanned Vehicle Systems International, a drone maker trade group.

For Patrick Egan, who represents small businesses and others in his work for the Remote Control Aerial Photography Association in Sacramento, the new law also can’t come fast enough. Until 2007, when the federal agency began warning against nonrecreational use of drones, he made up to $2,000 an hour using a drone to photograph crops for farmers, helping them spot irrigation leaks. “I’ve got organic farmers screaming for me to come out,” he said.

The Montgomery County Sheriff’s Department in Texas bought its 50-pound drone in October from Vanguard Defense Industries, a company founded by Michael Buscher, who built drones for the army, and then sold them to an oil company whose ships were threatened by pirates in the Gulf of Aden. The company custom-built the drone, which takes pictures by day and senses heat sources at night. It cost $300,000, a fraction of the cost of a helicopter.

7 Tools to Spy Better Than a CIA Agent

Here are seven spy tools to get you started.

Hackers Reveal Offers to Spy on Corporate Rivals

By ERIC LIPTON and CHARLIE SAVAGE
Published: February 11, 2011

NYTimes

 

WASHINGTON — A fight between a group of pro-WikiLeaks hackers and a California-based Internet security business has opened a window onto the secretive world of private companies that offer to help corporations investigate and discredit their critics.

This week, hackers said they had penetrated the computers of HBGary Federal, a security company that sells investigative services to corporations, and posted tens of thousands of what appear to be its internal company e-mails on the Internet.

The documents appear to include pitches for unseemly ways to undermine adversaries of Bank of America and theU.S. Chamber of Commerce, like doing background research on their critics and then distributing fake documents to embarrass them.

The bank and the chamber do not appear to have directly solicited the spylike services of HBGary Federal. Rather, HBGary Federal offered to do the work for Hunton & Williams, a corporate law firm that has represented them.

A Hunton & Williams spokesman did not comment. But spokesmen for Bank of America and the chamber said Friday that they had not known about the presentations and that HBGary Federal was never hired on their behalf. A chamber spokesman characterized the proposal as “abhorrent.”

Since the hacked e-mails appeared on a file-sharing network several days ago, a broad range of bloggers and journalists have been scouring them and discussing highlights on the Internet. The New York Times also obtained a copy of the archive.

One document that has received particular attention is a PowerPoint presentation that said a trio of data-related companies — HBGary Federal, Palantir Technologies and Berico Technologies — could help attack WikiLeaks, which is rumored to be preparing to release internal e-mails from Bank of America.

One idea was to submit fake documents covertly to WikiLeaks, and then expose them as forgeries to discredit the group. It also suggested pressuring WikiLeaks’ supporters — notably Glenn Greenwald of Salon.com — by threatening their careers.

“Without the support of people like Glenn, WikiLeaks would fold,” the presentation said.

Another set of documents proposed similar ways to embarrass adversaries of the Chamber of Commerce for an initial fee of $200,000 and $2 million later.

The e-mails include what appears to be an exchange on Nov. 9, 2010, between Aaron Barr, HBGary Federal’s chief executive, and John W. Woods, a Hunton & Williams partner who focuses on corporate investigations. Mr. Barr recounted biographical tidbits about the family of a one-time employee of a union-backed group that had challenged the chamber’s opposition to Obama administration initiatives like health care legislation.

“They go to a Jewish church in DC,” Mr. Barr apparently wrote. “They have 2 kids, son and daughter.”

A week later, Mr. Barr submitted a detailed plan to Hunton & Williams for an extensive investigation into U.S. Chamber Watch and other critics of the chamber, including the possible creation of “in-depth target dossiers” and the identification of vulnerabilities in their computer networks that might be exploited.

Another PowerPoint presentation prepared for Hunton & Williams said the research that HBGary Federal and its partners could do for the law firm on behalf of the Chamber of Commerce would “mitigate effect of adversarial groups” like U.S. Chamber Watch. The presentation discussed the alleged criminal record of one leader of an antichamber group, and said the goal of its research would be to “discredit, confuse, shame, combat, infiltrate, fracture” the antichamber organizations.

HBGary acknowledged Tuesday in a statement that it had been the victim of a “criminal cyberattack,” but suggested that documents placed in the public domain might be “falsified.”

The other two businesses referred to in the apparent proposals as planned partners in the corporate investigations put out statements that distanced themselves from HBGary Federal but did not say the documents were fake.

The co-founders of Berico, Guy Filippelli and Nick Hallam, confirmed that Berico had been “asked to develop a proposal to support a law firm” that was helping companies “analyze internal information security and public relations challenges,” but said their proposal had been limited to “analyzing publicly available information.” They called efforts to target people “reprehensible” and said they were breaking all ties to HBGary Federal, a move that Palantir executives also said they were making.

The episode traces back to a dispute in December, when corporations includingMasterCardVisa and PayPal severed ties to WikiLeaks, temporarily cutting off its ability to accept donations. WikiLeaks had just begun releasing leaked State Department cables in conjunction with a consortium of news organizations, including The New York Times.

Calling the companies’ severing of such ties an affront to Internet freedom, a loose-knit group of computer users named Anonymous coordinated attacks on the Web sites of such companies. Mr. Barr apparently began trying to uncover the identities of those involved with Anonymous. But after he boasted of his efforts in a newspaper article, hackers attacked his company’s Web site and made public the e-mails.

Jonathan E. Turner, who runs a Tennessee-based business that gathers intelligence for corporate clients, said that companies nationwide relied on investigators to gather potentially damaging information on possible business partners or rivals. “Information is power,” said Mr. Turner, former chairman of the Association of Certified Fraud Examiners.

He estimated that the “competitive intelligence” industry had 9,700 companies offering these services, with an annual market of more than $2 billion, but said there were limits to what tactics should be used.

Bank of America and the Chamber of Commerce distanced themselves on Friday from any effort to embarrass or collect disparaging information about their critics. “We have not engaged in, nor do we have any plans to engage in, the practices discussed in this alleged presentation by HBGary,” said Lawrence DiRita, a Bank of America spokesman.

Tom Collamore, a chamber spokesman, said, “The leaked e-mails appear to show that HBGary Federal was willing to propose questionable actions in an attempt to drum up business, but the chamber was not aware of these proposals until HBGary’s e-mails leaked.”

 

ICORP Investigations can be your source for Competitive Intelligence. Call 866-984-2677  to speak with a private investigator.

Follow

Get every new post delivered to your Inbox.

Join 5,992 other followers

%d bloggers like this: