Showing posts with label #hack. Show all posts

Friday, February 23, 2024

Dump of Chinese Hacking Documents - A Window into Surveillance

Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation’s top policing agency and other parts of its government — a trove that catalogs apparent hacking activity and tools to spy on both Chinese and foreigners...

The dump of scores of documents late last week and subsequent investigation were confirmed by two employees of I-Soon, known as Anxun in Mandarin, which has ties to the powerful Ministry of Public Security... They reveal, in detail, methods used by Chinese authorities to surveil dissidents overseas, hack other nations and promote pro-Beijing narratives on social media. more

Thursday, February 8, 2024

Van Eck Redux: Hackers Can Spy on Cameras Through Walls

Capturing real-time video through walls isn’t hard if you have an antenna and a little bit of engineering know-how. It could be a massive threat to billions of security and phone cameras... 
Kevin Fu, a professor of electrical and computer engineering at Northeastern who specializes in cybersecurity, has figured out a way to eavesdrop on most modern cameras, from home security cameras and dash cams to the camera on your phone. Called EM Eye, short for Electromagnetic Eye, the technique can capture the video from another person’s camera through walls in real time. It redefines the idea of a Peeping Tom...

Results vary on how far away someone would have to be in order to eavesdrop on these different devices. For some, a peeping Tom would have to be less than 1 foot away; for others, they could be as far away as 16 feet...

Fu says. “Maybe you don’t want to put this [camera] on your wall you share with your neighbor.” more
Van Eck  Interesting, but no need for the average person to worry.

Saturday, December 16, 2023

Harry Hacking: Payout in Phone-Hacking Case Against Mirror Publisher

Prince Harry has won 15 claims in his case accusing Mirror Group Newspapers of unlawfully gathering information for stories published about him. A judge has ruled in his favour on almost half of the sample of 33 stories used in his claims of phone hacking and other methods.

High Court ruling found evidence of "widespread and habitual" use of phone hacking at the Mirror newspapers... He was awarded £140,600 in damages... more

Saturday, November 25, 2023

Weirdest Spy Story of 2023?

NY Attorney Accuses Ben Affleck & Matt Damon of Stalking and Bugging Her Home

A New York attorney is suing actors Ben Affleck and Matt Damon, accusing the besties of stalking her and bugging her home to use private details of her life in their movies.


The attorney is hiding her identity as she moves forward with the bizarre case. The Daily Mail got a hold of court documents that claim the actors also hacked her devices and left the attorney in fear of being kidnapped and raped... She found a bug, saw an owl-shaped camera pointed at her home, woke to find a man in her bedroom and saw a man pointing a telescope at her after an alert that her emails had been hacked, according to the suit.

Also named in the suit are Affleck’s brother, Casey Affleck, his wife, singer/actress Jennifer Lopez, actor Kevin Smith, and disgraced Hollywood producer Harvey Weinstein. The suit is also targeting Dimension Films, Disney, Lionsgate, Warner Bros., and Paramount Pictures, who she is accusing of negligence for allowing harassment and plagiarism to take place. more

Saturday, November 18, 2023

How an Indian Startup Hacked the World

Appin was a leading Indian cyberespionage firm that few people even knew existed. 

A Reuters investigation found that the company grew from an educational startup to a hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe. 

Appin alumni went on to form other firms that are still active...

Chuck Randall was on the verge of unveiling an ambitious real estate deal he hoped would give his small Native American tribe a bigger cut of a potentially lucrative casino project.

A well-timed leak derailed it all.

In July of 2012, printed excerpts from Randall’s private emails were hand-distributed across the Shinnecock Nation’s square-mile reservation, a wooded peninsula hanging off the South Fork of Long Island...  more

Wednesday, November 1, 2023

Shady Things You Can Do With a Flipper Zero

Since it’s evil week at Lifehacker, let’s take a look at a gadget that can be used for mild evil: the Flipper Zero. Despite its toy-like looks, this pocket-friendly multitool can be used for all kinds of hacking and penetration testing. 

It gives anyone, even newbs, an easy-to-understand way to interact with the invisible waves that surround us, whether they’re RFID, NFC, Bluetooth, wifi, or radio. It’s like a hacker Swiss army knife that you can buy for less than $200.

You can use a Flipper Zero to control your TV, cheat your Nintendo, replace your work ID, open your hotel room door, and more. I’m sure you could see where the “evil” part could come in. But on the other hand, it’s just a tool, and its ability to commit crimes is... more
Flipper Zero – Corporate Security Threat

Monday, September 25, 2023

Legacy Systems Threaten Security in Mergers & Acquisitions

Here’s a simple fact: Legacy systems are far more likely to get hacked. This is especially true for companies that become involved in private equity transactions, such as mergers, acquisitions, and divestitures...

We have seen two primary trends throughout 2023:

– Threat groups are closely following news cycles, enabling them to quickly target entire portfolios with zero-day attacks designed to upend aging technologies — disrupting businesses and their supply chains.

– Corporate espionage cases are also on the rise as threat actors embrace longer dwell times and employ greater calculation in methods of monetizing attacks. more

Thursday, July 20, 2023

Kevin Mitnick, Hacker Turned Security Consultant, Dies at 59

Kevin Mitnick, who became the country’s most famous cybercriminal after an FBI manhunt and later became a cybersecurity consultant, died on July 16.

Mitnick, who was 59, died of pancreatic cancer, said Kathy Wattman, a spokeswoman for KnowBe4, where Mitnick worked. Mitnick’s survivors include his wife, Kimberley, who is expecting a child this year.

“Mr. Mitnick branded himself the ‘world’s most famous hacker,’ as KnowBe4 called him in a Thursday statement. As the World Wide Web was slowly being adopted across the globe, he broke into the computer systems of companies such as Motorola, Nokia and Sun Microsystems, causing what prosecutors alleged was millions of dollars in damage,” Kelly writes.

“Before he was 30, Mr. Mitnick had already served a brief prison sentence for computer crimes. But his infamy as a hacker was cemented in 1995, when the FBI arrested him in the middle of the night at a North Carolina apartment in a highly publicized raid that capped a 24-hour stakeout outside his home and brought an end to his more than two years as a fugitive.”

Mitnick was a polarizing figure in the cybersecurity community after his release from prison in 2000. “He portrayed himself as a misunderstood ‘genius’ and pioneer, and some supporters said he was a victim of overzealous prosecution and overhyped media coverage,” Kelly writes.

“He became a cause célèbre for the internet,” former federal cybercrime prosecutor Mark Rasch, who investigated Mitnick, told Kelly. “There was this idea that he was liberating data, he was liberating information, and that he was just proving how hacking could be done,” he said. “You had a whole bunch of people in the hacker defense community who thought he was the worst thing in the world, and people in the hacker community who thought he was a demigod.” website

Saturday, July 1, 2023

Security Alert: Unsolicited Smartwatches Received by Mail


Service members across the military have reported receiving smartwatches unsolicited in the mail. These smartwatches, when used, have auto-connected to Wi-Fi and begun connecting to cell phones unprompted, gaining access to a myriad of user data.

These smartwatches may also contain malware that would grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords...

What to do if you receive one of these devices:

Thursday, June 29, 2023

From the What Goes Around Files: Phone Spy App Hacked

LetMeSpy, a phone tracking app spying on thousands, says it was hacked...

A data breach reveals the spyware is built by a Polish developer. A hacker has stolen the messages, call logs and locations intercepted by a widely used phone monitoring app called LetMeSpy, according to the company that makes the spyware.

The phone monitoring app, which is used to spy on thousands of people using Android phones around the world, said in a notice on its login page that on June 21, “a security incident occurred involving obtaining unauthorized access to the data of website users.”

“As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts,” the notice read.

LetMeSpy is a type of phone monitoring app that is marketed for parental control or employee monitoring. The app is also specifically designed to stay hidden on a phone’s home screen, making it difficult to detect and remove. Also known as stalkerware or spouseware, these kinds of phone monitoring apps are often planted by someone — such as spouses or domestic partners — with physical access to a person’s phone, without their consent or knowledge. more

Thursday, April 6, 2023

Hackers Can Open Nexx Garage Doors Remotely...

...and there's no fix!

Multiple vulnerabilities discovered in Nexx smart devices can be exploited to control garage doors, disable home alarms, or smart plugs.

There are five security issues disclosed publicly, with severity scores ranging from medium to critical that the vendor has yet to acknowledge and fix. more

Thursday, March 30, 2023

Prosecutors: Veteran Deputy was Listening in on Jury Deliberations

NY - An Ontario County Sheriff’s Office veteran, Adam Broadwell, pleaded not guilty on Monday to felony charges of eavesdropping, possession of an eavesdropping device, and official misconduct. 

Broadwell is accused of listening in on a jury deliberation by using a device specifically designed for eavesdropping.

According to Assistant District Attorney Kelly Wolford, the jury was deliberating a felony case when Broadwell listened in on the conversation. The eavesdropping charges brought against Broadwell relate to his use of a device to enhance the sound of people talking in his area. 

However, Broadwell’s defense attorney, Clark Zimmermann, argued that the device used was a Bluetooth earbud set linked to an Android phone, which does not match the definition of an eavesdropping device. more

Our previous reports on Bluetooth earbud eavesdropping.

Inaudible Ultrasound Attack Can Control Phones and Smart Speakers

American university researchers have developed a novel attack called "Near-Ultrasound Inaudible Trojan" (NUIT) that can launch silent attacks against devices powered by voice assistants, like smartphones, smart speakers, and other IoTs.

The team demonstrated NUIT attacks against modern voice assistants found inside millions of devices, including Apple's Siri, Google's Assistant, Microsoft's Cortana, and Amazon's Alexa, showing the ability to send malicious commands to those devices.

The main principle that makes NUIT effective and dangerous is that microphones in smart devices can respond to near-ultrasound waves that the human ear cannot, thus performing the attack with minimal risk of exposure while still using conventional speaker technology. more

Friday, March 17, 2023

Getting Clocked Can Disable Your Wi-Fi Cameras

This cheap "watch" is used by hackers and thieves to disable Wi-Fi cameras, and other things connected to Wi-Fi access points. (It has some legitimate uses, too.)

Watch Functions

- Deauther Attack: Disconnect 2.4G WiFi
- Deauther Beacon: Create fake networks
- Deauther Probe: Confuse Wi-Fi trackers
- Packet Monitor: Display Wi-Fi traffic
- Kicks devices off a WiFi network
- Spam beacon frames
- Spam probe requests

Additional background information about deauthentication attacks via Atlas VPN...
How Hackers Disable WiFi Cameras
A deauth or deauthentication attack (DoS) disrupts connections between users and Wi-Fi access points. The attackers force devices to lose access and then reconnect to a network they control. Then, perpetrators can track connections, capture login details, or trick users into installing rogue programs... this attack does not need unique skills or elaborate equipment. Deauth attacks could also knock devices offline, like home security software.

How is it Used?
• Forcing hidden cameras to go offline. Over the years, frequent disputes forced Airbnb to forbid the use of cameras in rented apartments or rooms. Yet, more cunning homeowners can conceal cameras from their guests.
• Hotels that push paid Wi-Fi. There have been incidents when hotels employed deauthentication attacks to promote their Wi-Fi services. In fact, the Federal Communications Commission (FCC) issued documents stating that blocking or interfering with Wi-Fi hotspots is illegal. One of the first offenders was the Marriott hotel, with financial motives for disrupting visitors’ access points. However, charging perpetrators with deauthentication attacks is a rare sight. Usually, victims might blame the interruptions on unstable Wi-Fi.
• Susceptible smart devices. Criminals could push connected devices offline for several reasons. One danger is that attackers might disable security systems. Thus, such interruption halts monitoring of the home, office, or another area. In worst-case scenarios, such deauth attacks could facilitate burglars entering buildings. Another example comes from a vulnerability in Ring Video Doorbell Pro (now fixed). The exploited flaw means using a Wi-Fi deauthentication attack to force the device to re-enter the configuration mode. Then, eavesdroppers can capture Wi-Fi credentials orchestrated to travel over unencrypted HTTP.
• Forcing users to join evil twins. Spoofed deauthentication frames force targeted devices to drop their connection. It could be a way to break the legitimate connection and trick users into joining fake hotspots. Deauth attacks could flood the access point so that devices cannot join for a period of time.

Our Tips: How to Make Sure They Don't Disable Your WiFi Cameras
Tip 1. Don't go wireless, use Cat6a shielded cable.
Tip 2. Use Power over Ethernet (PoE). Make sure it is properly grounded.
Tip 3. Make sure the power supply to the network is backed-up (UPS). Power failures do happen.
Tip 4. Hide the cables to deter sabotage.
Tip 5. If you absolutely, positively need a wireless video solution consider using a 4G cellular camera, or a dedicated video link.

WiFi Camera Attack Prevention
The prevention of deauthentication attacks does not offer many options. But there are effective strategies for mitigating their impact. Ensure that your network applies WPA2 encryption. If you use a pre-shared key, it must be complex and lengthy to withstand threats like brute-force attacks. Another improvement might be 802.11w, which validates deauthentication frames and discards spoofed ones. Older hardware and IoT might not support it, raising issues for some Wi-Fi clients.

Furthermore, remember you have minimal control over free public Wi-Fi and its security.

A VPN can assist if deauthentication attacks force clients to connect to evil twins. Atlas VPN creates a secure path between users and access points. Encrypted traffic will prevent attackers from capturing any meaningful communications or data. more
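The prevention advice above names three access point settings: WPA2, a long pre-shared key, and 802.11w (protected management frames). The following is an added example, not part of the original post or the quoted article, that audits a hostapd-style config for them; the choice of hostapd, the 20-character minimum, the finding labels and both sample configs are assumptions made for illustration.

```python
# Added example: audit a hostapd-style access point config for the settings
# named in the prevention advice (WPA2, a long pre-shared key, 802.11w).
# wpa, wpa_passphrase and ieee80211w are hostapd.conf option names; the
# 20-character minimum and both sample configs are constructed.

WEAK_CONF = """\
# constructed sample: mixed WPA/WPA2, short key, no 802.11w
ssid=cameras
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=camera123
"""

HARDENED_CONF = """\
# constructed sample: WPA2 only, long key, 802.11w required
ssid=cameras
wpa=2
wpa_key_mgmt=WPA-PSK-SHA256
rsn_pairwise=CCMP
wpa_passphrase=constructed-sample-passphrase-not-a-real-key
ieee80211w=2
"""


def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(text, min_passphrase_len=20):
    """Return a list of finding labels; an empty list means all checks passed."""
    conf = parse_conf(text)
    findings = []

    # wpa is a bit field: bit 0 enables legacy WPA, bit 1 enables WPA2 (RSN).
    try:
        wpa = int(conf.get("wpa", "0"))
    except ValueError:
        wpa = 0
    if not wpa & 2:
        findings.append("no-wpa2")
    elif wpa & 1:
        findings.append("legacy-wpa-enabled")

    # A short pre-shared key is easier to brute-force.
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < min_passphrase_len:
        findings.append("short-passphrase")

    # ieee80211w: 0 = off (hostapd default), 1 = optional, 2 = required.
    pmf = conf.get("ieee80211w", "0")
    if pmf == "1":
        # Clients that do not negotiate 802.11w still accept spoofed deauths.
        findings.append("pmf-optional")
    elif pmf != "2":
        findings.append("pmf-disabled")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```

Setting `ieee80211w=2` locks out the older hardware and IoT clients the text mentions, which is why the audit reports the optional mode as its own finding rather than as a pass.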

Wednesday, March 15, 2023

KamiKakaBot: Corporate Espionage & Eavesdropping Tool

Suspected government-backed hackers are attacking...with malware called KamiKakaBot that is designed to steal sensitive information.
Researchers from Amsterdam-based cybersecurity firm EclecticIQ attributed the attacks to the advanced persistent threat (APT) group Dark Pink...

Dark Pink's main goals were to conduct corporate espionage, steal documents, capture sound from microphones of infected devices, and exfiltrate messaging data, according to research by cybersecurity firm Group-IB. more

Friday, March 10, 2023

Odd-Ball Spy News

Fifth of Government Workers Don't Care if Employer is Hacked
(Probably true for all businesses.)
Ivanti, the security vendor, polled 800 public sector workers worldwide to compile its new Government Cybersecurity Status Report. It found a “not my job” attitude is exposing governments to excessive cyber-risk. Just a third (34%) of workers recognized that their actions impact their organization’s security posture. Nearly two-fifths (36%) said they haven’t reported phishing emails in the past, while a fifth (21%) said they don’t even care if the organization is hacked. more (This may help.)
Extra Credit: Seven years ago this month... Survey revealed 1 in 5 employees would sell their passwords.

Sweaters That Fool Facial Recognition
Protect your facial biometric data with knit wear? As absurd as that sounds, designer Rachele Didero, of the Italian startup Cap_able, has patented textiles that do just that. The patterns trick facial-recognition cameras into thinking it's not looking at a person. The pieces in the Manifesto Collection which include sweaters, pants, a dress, and a shirt, start at ~$300.
The idea has been around for a while.
Cheaper alternate designs; some with next day delivery!

Famed Manhattan Showroom Loses Peephole Camera Appeal
Manhattan appeals court on Thursday revived the brunt of a lawsuit against the renowned New York Design Center over a video camera... Cast your mind back to 2014... A camera hidden in the wall of a ladies' room at the New York Design Center secretly documented customers and employees for a month, a new lawsuit alleges. According to court documents obtained by the Post, the camera was found behind a broken wall tile on the sixth floor bathroom in April; the custodian who discovered it said it was trained on one of the stalls. more

Who Is Anthony Pellicano?
Infamous Hollywood private investigator Anthony Pellicano is the subject of a new documentary Sin Eater: The Crimes of Anthony Pellicano. The two-part special debuts on March 10 at 10 p.m. on FX and will stream on Hulu. Pellicano...gained a reputation as a fixer who could dig up dirt on his clients’ enemies to make them go away. But Pellicano’s ruthless methods were eventually his undoing, as he served extensive prison time for weapons charges as well as racketeering, wiretapping, and other crimes. more & as previously reported here.

Chinese Rocket that Delivered Military Spy Satellites Breaks Up Over Texas
The second stage of a Chinese rocket that delivered a trio of military surveillance satellites in June disintegrated over Texas on Wednesday, USNI News has learned. The four-ton component of a Chang Zheng 2D ‘Long March’ rocket punched through the atmosphere on Wednesday over Texas at 17,000 miles per hour and disintegrated, two defense officials confirmed to USNI News on Thursday... The debris field is over the least populated counties in the state, according to the Texas Demographic Center. more

The 10 Best Spy Movies That Aren't James Bond
When it comes to pure action-packed entertainment, few genres serve up as many thrills as spy movies. Spy films have been a mainstay of cinema all the way back to the medium's earliest days, like 1914's silent film The German Spy Peril. The genre kicked into high gear during the Cold War... more

SafeHouse Chicago, Spy-Themed Restaurant and Bar, Abruptly Closes
After six years of catering to secret agents and curious spies across Chicago, a spy-themed establishment has closed its doors. SafeHouse Chicago, a restaurant and bar featuring all things espionage-related, announced its abrupt closure online Monday, saying the business has "completed its last mission in Chicago." "We want to thank all of the spies who visited our Windy City headquarters and for your loyalty and support. It has been an absolute pleasure to welcome and serve spies from around the globe," SafeHouse said, in part, in a message posted on its website. more
Spybusters Tip #692: Head to Milwaukee. Best kept secret since 1966.

Saturday, March 4, 2023

The Secret, Insecure Life Of Security Cameras

"Smart" cameras are one of the most ubiquitous IoT devices in the business world today, but they’re also one of the riskiest regarding cybersecurity.

What makes these devices so problematic—and a hacker’s dream—is that they fail at basic cybersecurity, are often accessible from the internet and almost always have outbound access to the internet, too...

Corporate Espionage
A more serious threat with smart cameras is that hackers can use them to spy on a company through video and audio feeds.

Sophisticated hackers can use this type of access to monitor susceptible areas in the company, such as boardrooms, executive conference rooms and manufacturing facilities. I’ve recently seen over half a dozen corporations compromised this way. The hackers remained undetected for years while they had direct access to important meetings and manufacturing operations.

Sneaky Data Theft
Smart cameras also make it harder for companies to detect stolen data leaving their networks. In a typical IT attack, hackers run the risk of getting caught when they try to exfiltrate data from the network. However, cameras and other types of IoT are a prominent blind spot for IT teams since they typically don’t monitor the cameras’ network traffic or block them from connecting to new IP addresses. This makes cameras a perfect conduit for data theft. more

Friday, January 13, 2023

Corporate Espionage: Newly Identified Hacker Group - Dark Pink

A newly identified hacker group Dark Pink attacked seven high profile targets, including government and military institutions, in Southeast Asia and Europe from June to December 2022, Russian cybersecurity company Group-IB said.

The main goal of the hacker group is corporate espionage, as criminals are trying to steal documents and record sounds from the electronic devices of the victims, the Russian cybersecurity firm said.

The hackers sent their victims email messages containing a link to a website, according to the statement. When the victim clicked on this link, a malicious file was downloaded, which then stole personal information from devices, including passwords, browser history, and data from Viber and Telegram. more

Friday, December 30, 2022

EarSpy Attack Can Use Motion Sensors Data to Pry on Android Devices

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States.

The attack method, named EarSpy, is described in a paper published just before Christmas by researchers from Texas A&M University, Temple University, New Jersey Institute of Technology, Rutgers University, and the University of Dayton.

EarSpy relies on the phone’s ear speaker — the speaker at the top of the device that is used when the phone is held to the ear — and the device’s built-in accelerometer for capturing the tiny vibrations generated by the speaker. more

Turning Google Smart Speakers into Wiretaps

I (@downrightnifty4874) was recently rewarded a total of $107,500 by Google for responsibly disclosing security issues in the Google Home smart speaker that allowed an attacker within wireless proximity to install a “backdoor” account on the device, enabling them to send commands to it remotely over the Internet, access its microphone feed, and make arbitrary HTTP requests within the victim’s LAN (which could potentially expose the Wi-Fi password or provide the attacker direct access to the victim’s other devices). These issues have since been fixed. more video