
Global articles on espionage, spying, bugs, and other interesting topics.

Keep abreast of the espionage threats facing your organisation.

Accused panties thief now charged in mall up-skirting incident

A Montgomery County man, arrested earlier this year for stealing the underwear of a woman he was allegedly stalking, was charged this week with using a hidden camera to film up the skirt of another woman at the King of Prussia Plaza.

Kornwell Chan, of Dresher, was spotted at the Plaza near Lord & Taylor on Sunday, May 13, by an undercover officer who noted Chan’s resemblance to a suspect wanted in an up-skirting incident at the nearby J.C. Penney in September 2011, said Risa Vetri Ferman, the Montgomery County District Attorney.

Upper Merion police officers stopped Chan inside the mall and discovered he was carrying a bag with a camera secreted inside it.

Officers reviewed the footage, which showed Chan following a woman at Penney’s and placing the hidden camera under her skirt, showing her underwear, Ferman said.

Chan, charged Wednesday with invasion of privacy and related counts, was ordered to be held on $500,000 bail.

Chan was previously charged in January with counts of burglary, criminal trespass, stalking and related counts in a separate incident. Chan allegedly had aggressively pursued a woman he met at the Oreland train station. After the woman sought ways to avoid him, he broke into her house, stealing only her bras and panties. While inside the house he turned all the family photographs of her face-down with the exception of her portrait.

A preliminary hearing before Magisterial District Judge William I. Maruszczak is set for 10 a.m. at 485 South Henderson Road in King of Prussia.


‘Mobile Spy’ app may be open to, yep, spying

The irony is too significant to ignore: A smartphone app that enables customers to spy on others’ phones may itself be vulnerable to attackers looking to spy on them.

The surveillance app, called “Mobile Spy,” is designed to let its customers monitor the information, including text messages, GPS location and call logs, of other phones installed with the app. That private info is then uploaded to the app user’s account and can be viewed in any Web browser, either on a computer or phone.

Unfortunately for those doing the watching, Mobile Spy contains several security vulnerabilities that allow an attacker to inject malicious code into the target’s phone, via SMS message, and hijack their spy session, according to researchers at Vulnerability Lab, who disclosed the flaws.

Because the developers of Mobile Spy say it is available for iPhone, Android, BlackBerry and Windows Phone, the presence of a security glitch makes it a top target for exploitation.

To make things even more confusing, there are at least five separate Android apps in the Google Play store called “Mobile Spy,” and none of them seem to be the one about which Vulnerability Lab issued its warning. Nor is there any app in the iTunes App Store by that name.

The Mobile Spy website states that iPhones must be jailbroken in order to install Mobile Spy, and hints that Android versions will need to be “side-loaded” from a PC. Usage licenses run from $50 for three months to $100 for a full year.

Anyone who jailbreaks an iPhone or sideloads Android apps is running a big security risk. And from the looks of the “Mobile Spy” apps that are in the official Google Play store, you probably shouldn’t install them either.


Smartphone Interception Threats – Hacking!

The security threat to mobiles has just stepped up.

Phone crashing regularly? Strange SMS bothering you for an update or a juicy link? It’s time to wise up to mobile malware.

Security experts have shown that iPhones and Android phones are vulnerable to the same type of “drive-by” attacks that have long plagued PC users.

A team of researchers infected a Google Android smartphone on Wednesday, live, in front of a packed audience of computer security buffs to prove how mobile malware is now on the cusp of the big time, after so many years of unfulfilled predictions.

 

Grabbed: a screenshot of the researchers’ Command & Control server shows a person with an infected phone traveling around Washington DC. The blue P pin shows where he placed a phone call. Clicking on this icon would play the recording of the call.

George Kurtz, co-author of Hacking Exposed, former McAfee security champion and now at the helm of CrowdStrike alongside former McAfee leading researcher Dmitri Alperovitch, demonstrated how the team designed a smartphone remote access tool (RAT) and eavesdrop operation.

They then set about buying the necessary items to make it happen, later coding, then executing the attack on their demo phone.

“We believe we are here today and on the cusp of what we’re going to see in the future. If you think of what a smartphone has the capability to do, it’s the ultimate spying tool. Always powered on, always connected, travels around with us at all times,” Kurtz began.

“If you haven’t figured out privacy is dead, this is going to do it for you.”

The scenario was a competitor wanting to intercept calls and text messages on Kurtz’s phone and the attack was Webkit-based. Webkit is a tool used by Apple, Google and RIM to render HTML websites in Safari, Chrome and Android, and the latest versions of the BlackBerry, respectively.

The team bought 20 Webkit vulnerabilities – or bugs – in the underground for $US1400, spent approximately $US14,000 developing the malware code (“weaponisation phase”) and engineering root access, as well as building their own command and control centre to be able to harvest the fruits of their exploits.

The attack followed several steps: the first was a text message delivered to the smartphone appearing to come from the mobile carrier requesting a system update via a link. Once clicked, the drive-by link delivered the first part of the malware to the phone to elevate access (root) privilege, then cause it to crash.

It then automatically rebooted, executing the second part of the malware and hijacking the phone’s communications.

When Kurtz made a call to Alperovitch, the audience could hear the live conversation – as well as what was said before the call connected. On the command and control centre’s screen, a map positioned Kurtz and Alperovitch’s locations, the start of transmission, and the text of a subsequent text message Alperovitch sent Kurtz.

They said the attack did not require a phone be jailbroken and would work on any of the devices using Webkit – although this particular code was customised for the Android 2.2 (Froyo) version.

Kurtz told Fairfax Media such an attack would be possible on the iPhone because of the root access obtained via the browser vulnerability.

“We would have to get code execution via the browser, then escalate our privilege to root and totally bypass the app store [as we did] with Android.

“This is the point we are making: drive-by attacks will hit the phone just like the PCs,” he said.

But he said he didn’t want the audience to develop a bout of paranoia.

“The sky is not falling, these are very targeted attacks.”



No bugging devices in Defence Minister’s office, says Govt

The Government on Friday denied reports of bugging devices being discovered in some offices in South Block including that of the Defence Minister, Mr A.K. Antony. The offices of Prime Minister, Defence Minister and External Affairs Minister are all located in the South Block.

“Routine checks are conducted in the offices of Defence Minister and other officers in South Block. Nothing has been found in these checks,” the statement said.

This follows reports that the Defence Ministry had detected alleged bugging in the office of Mr Antony and sought a probe. The reports claimed that the Intelligence Bureau was being asked to conduct the probe.

The latest incident was said to have been brought to the notice of authorities by two Army personnel manning the phone lines in South Block after which IB was asked to conduct a probe.

This is not the first time that reports have surfaced about bugging devices being allegedly discovered in the corridors of power in Delhi. Last year, there were reports of alleged bugging devices being found in the office of the Finance Minister, Mr Pranab Mukherjee.

ashphadnis [at] thehindu [dot] co [dot] in


French company denies IKEA spying link

A French security company, linked to allegations that Swedish furniture giant IKEA illegally spied on staff and customers, has denied involvement, blaming a renegade former employee.

Prosecutors have opened an investigation following a complaint from a trade union and a newspaper report which published what it said were email exchanges between the head of the company’s risk management department and Surete International about getting access to the police force files.

IKEA says it’ll examine claims the firm paid for illegal access to secret French police files in order to gain information about its employees, clients and even people who came near its property.

The former management of Surete International, which was wound up in 2011, has denied responsibility for everything attributed to it.