Showing posts with label #hack. Show all posts

Monday, November 4, 2024

Chinese Spooks Hacking US Mobile Users in Real Time

Millions of US mobile users could be vulnerable to Chinese government spooks who are apparently desperate to know when they are picking up their snowflakes from school and where they order their pizza...

The US intelligence community briefed six current or former senior US officials about the attack. The Chinese hackers, believed to be linked to Beijing's Ministry of State Security, have infiltrated the private wiretapping and surveillance system that American telecom companies built exclusively for US federal law enforcement agencies.

The US government believes the hackers likely still have access to the system. Since the breach was first detected in August, the US government and the telecom companies involved have said very little publicly, leaving the public to rely on details trickling out through leaks.

The lawful-access system breached by the Salt Typhoon hackers was established by telecom carriers after the terrorist attacks of September 11, 2001. It allows federal law enforcement officials to execute legal warrants for records of Americans' phone activity or to wiretap them in real-time, depending on the warrant.

Many of these cases are authorised under the Foreign Intelligence Surveillance Act (FISA), which investigates foreign spying involving contact with US citizens. The system is also used for legal wiretaps related to domestic crimes. more

Student Finds 'Hacker-like' Approach to Bypass Cell Phone Security

Forensic investigators face significant challenges in securing crucial data from criminals' phones.
University of Amsterdam PhD candidate Aya Fukami has identified hardware vulnerabilities in phones to bypass the security of modern devices, allowing her to extract data from phones in a way that was previously not possible...

"Traditional methods of hacking or scraping data from phones still often yield only encrypted data. Researchers then face great difficulty making that encrypted data usable," Fukami says. "It's a process that also takes a long time and doesn't always result in usable evidence."

To overcome this, Fukami explored ways to bypass vulnerabilities in phone system security. And she succeeded. more

Monday, October 7, 2024

Chinese Hackers Breached US Court Wiretap Systems

Chinese hackers accessed the networks of U.S. broadband providers and obtained information from systems the federal government uses for court-authorized wiretapping, the Wall Street Journal reported on Saturday.

Verizon Communications, AT&T and Lumen Technologies are among the telecoms companies whose networks were breached by the recently discovered intrusion, the newspaper said, citing people familiar with the matter.

The hackers might have held access for months to network infrastructure used by the companies to cooperate with court-authorized U.S. requests for communications data, the Journal said. It said the hackers had also accessed other tranches of internet traffic. more

Friday, August 2, 2024

A $500 Open Source Tool Lets Anyone Hack Computer Chips With Lasers

IN MODERN MICROCHIPS, where some transistors have been shrunk to less than a 10th of the size of a Covid-19 virus, it doesn't take much to mess with the minuscule electrical charges that serve as the 0s and 1s underpinning all computing. 

A few photons from a stray beam of light can be enough to knock those electrons out of place and glitch a computer's programming. Or that same optical glitching can be achieved more purposefully—say, with a very precisely targeted and well timed blast from a laser. Now that physics-bending feat of computer exploitation is about to become available to far more hardware hackers than ever before.

At the Black Hat cybersecurity conference in Las Vegas next week, Sam Beaumont and Larry “Patch” Trowell, both hackers at the security firm NetSPI, plan to present a new laser hacking device they're calling the RayV Lite. 

Their tool, whose design and component list they plan to release open source, aims to let anyone achieve arcane laser-based tricks to reverse engineer chips, trigger their vulnerabilities, and expose their secrets—methods that have historically only been available to researchers inside of well-funded companies, academic labs, and government agencies. more

Tuesday, July 30, 2024

Karma Files: Multi-platform Spyware Provider Spytech Gets Hacked

Second spyware provider hacked this month...
Minnesota-based spyware provider Spytech has been hacked, with files stolen from the company's servers containing detailed device activity logs from a global pool of mostly Windows PCs but also some Macs, Chromebooks, and even Android devices. 

The total number of spyware victims impacted by Spytech and noted by TechCrunch analyzing the scale of the breach is "more than 10,000 devices since 2013," and this cross-platform invasion of privacy stretches across the entire globe, including the US, EU, the Middle East, Africa, Asia, and Australia.

Spytech provides a brand of spyware best known as "stalkerware" since it's typically installed by a person with physical access to the victim's device. more

Monday, July 1, 2024

Lawsuit Claim: Shopping App Temu - “Dangerous Malware,” Spying on Your Texts

Temu—the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it—is "dangerous malware" that's secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit filed Tuesday.

Griffin cited research and media reports exposing Temu's allegedly nefarious design, which "purposely" allows Temu to "gain unrestricted access to a user's phone operating system, including, but not limited to, a user's camera, specific location, contacts, text messages, documents, and other applications."

"Temu is designed to make this expansive access undetected, even by sophisticated users," Griffin's complaint said. "Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place." more

TeamViewer Confirms Cyberattack

TeamViewer, the prominent provider of remote access tools, has confirmed a significant cyberattack on its corporate network. 

This attack has been attributed to APT29, a hacking group allegedly linked to Russian intelligence. The breach, discovered on June 26, involved compromised credentials of an employee account, marking another sophisticated cyber-espionage campaign executed by state-sponsored hackers.


According to TeamViewer’s investigation, the breach began with the compromise of credentials from a standard employee account within their corporate IT environment. 

The company has emphasized that the attack was contained within its corporate network, assuring that their internal network and customer systems are separate... Despite these assurances, the company’s investigation is ongoing. more

Friday, June 14, 2024

Beware the Spies in Disguise

Unethical hackers are often hired by companies for corporate espionage: to infiltrate the IT systems of rival organizations to steal sensitive information, trade secrets, and strategic plans. The information can provide a competitive advantage or be sold for financial gain.

Although getting in touch with these hackers is comparatively easier, they have now resorted to anonymous modes of messaging through discreet texting applications that do not store metadata. Such apps use encrypted chat rooms, which makes it difficult for authorities to trace communications.

The internet is also filled with tutorials providing step-by-step guides for many kinds of unethical hacking tasks, which are often used by tech-savvy anti-social elements.

On the other hand, hacking into social media accounts threatens the individual privacy of creators and is often used for blackmail and extortion. more

This is a major problem on LinkedIn. 
Here are some of the come-ons I receive...
  • It's nice to meet new people. Can we talk?
  • Hello, it's a pleasure to contact you. Your resume and skills are excellent. I hope to make friends with you.
  • I am Sophia, I checked your profile. I saw that your professional field is the talent we are looking for, which will be of great help to the new project I am about to start. If you are interested. You can leave your phone number and contact information, and I will arrange a time with you for a detailed conversation and make an appointment for a telephone conference. When is it convenient for you?
  • After reading your resume and work experience, I found that you are a very talented person! can we talk?
  • I think your field of work is great. Can we exchange ideas and learn from each other?
Spy Tip: Remember your Stranger Danger training.

Monday, May 27, 2024

NASCAR Radio Comms Hacked - “That Was Some Weird Sh*t”

Unwelcome Participant Eavesdropping on Bubba Wallace...


Remember the 2023 All-Star Race? The No. 23 team and specifically its driver, Bubba Wallace, experienced a bad situation. Somebody hacked into the team’s radio channel and delivered a derogatory message... Although NASCAR investigated the incident, the mysterious voice remained unknown.

A similar situation seems to have cropped up at the 2024 Coca-Cola 600 race, but devoid of the hurtful comments. While Bubba Wallace was vying for the lead in stage 2, an unfamiliar voice popped in between his communication with his pit team. The 23XI Racing driver was surprised yet fascinated by this occurrence.

Earlier in 2024, the No. 23 team’s radio buffered during the race at Talladega Superspeedway. As it turned out, not only Bubba Wallace but also other drivers faced a similar problem. Joe Gibbs Racing’s No. 19 driver Martin Truex Jr was audibly frustrated: “All our radios are f***ed up right now.”

Now another mysterious glitch has surfaced in Charlotte, with unfamiliar voices on Wallace’s radio. We can only wait till the end of the weather-delayed race to delve deeper into this curious matter. more
......
Care to eavesdrop yourself? "DOWNLOAD NASCAR MOBILE APP and click on Buy Premium link in the navigation to subscribe for full access on mobile devices." more 
Or... do what that mysterious voice did... Buy a cheap 2-way radio.

Friday, February 23, 2024

Dump of Chinese Hacking Documents - A Window into Surveillance

Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation’s top policing agency and other parts of its government — a trove that catalogs apparent hacking activity and tools to spy on both Chinese and foreigners...

The dump of scores of documents late last week and subsequent investigation were confirmed by two employees of I-Soon, known as Anxun in Mandarin, which has ties to the powerful Ministry of Public Security... They reveal, in detail, methods used by Chinese authorities to surveil dissidents overseas, hack other nations and promote pro-Beijing narratives on social media. more

Thursday, February 8, 2024

Van Eck Redux: Hackers Can Spy on Cameras Through Walls

Capturing real-time video through walls isn’t hard if you have an antenna and a little bit of engineering know-how. It could be a massive threat to billions of security and phone cameras... 
Kevin Fu, a professor of electrical and computer engineering at Northeastern who specializes in cybersecurity, has figured out a way to eavesdrop on most modern cameras, from home security cameras and dash cams to the camera on your phone. Called EM Eye, short for Electromagnetic Eye, the technique can capture the video from another person’s camera through walls in real time. It redefines the idea of a Peeping Tom...

Results vary on how far away someone would have to be in order to eavesdrop on these different devices. For some, a peeping Tom would have to be less than 1 foot away; for others, they could be as far away as 16 feet...

Fu says. “Maybe you don’t want to put this [camera] on your wall you share with your neighbor.” more
Van Eck  Interesting, but no need for the average person to worry.

Saturday, December 16, 2023

Harry Hacking: Payout in Phone-Hacking Case Against Mirror Publisher

Prince Harry has won 15 claims in his case accusing Mirror Group Newspapers of unlawfully gathering information for stories published about him. A judge has ruled in his favour on almost half of the sample of 33 stories used in his claims of phone hacking and other methods.

High Court ruling found evidence of "widespread and habitual" use of phone hacking at the Mirror newspapers... He was awarded £140,600 in damages... more

Saturday, November 25, 2023

Weirdest Spy Story of 2023?

NY Attorney Accuses Ben Affleck & Matt Damon of Stalking and Bugging Her Home

A New York attorney is suing actors Ben Affleck and Matt Damon, accusing the besties of stalking her and bugging her home to use private details of her life in their movies.


The attorney is hiding her identity as she moves forward with the bizarre case. The Daily Mail got a hold of court documents that claim the actors also hacked her devices and left the attorney in fear of being kidnapped and raped... She found a bug, saw an owl-shaped camera pointed at her home, woke to find a man in her bedroom and saw a man pointing a telescope at her after an alert that her emails had been hacked, according to the suit.

Also named in the suit are Affleck’s brother, Casey Affleck, his wife, singer/actress Jennifer Lopez, actor Kevin Smith, and disgraced Hollywood producer Harvey Weinstein. The suit is also targeting Dimension Films, Disney, Lionsgate, Warner Bros., and Paramount Pictures, who she is accusing of negligence for allowing harassment and plagiarism to take place. more

Saturday, November 18, 2023

How an Indian Startup Hacked the World

Appin was a leading Indian cyberespionage firm that few people even knew existed. 

A Reuters investigation found that the company grew from an educational startup to a hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe. 

Appin alumni went on to form other firms that are still active...

Chuck Randall was on the verge of unveiling an ambitious real estate deal he hoped would give his small Native American tribe a bigger cut of a potentially lucrative casino project.

A well-timed leak derailed it all.

In July of 2012, printed excerpts from Randall’s private emails were hand-distributed across the Shinnecock Nation’s square-mile reservation, a wooded peninsula hanging off the South Fork of Long Island...  more

Wednesday, November 1, 2023

Shady Things You Can Do With a Flipper Zero

Since it’s evil week at Lifehacker, let’s take a look at a gadget that can be used for mild evil: the Flipper Zero. Despite its toy-like looks, this pocket-friendly multitool can be used for all kinds of hacking and penetration testing. 

It gives anyone, even newbs, an easy-to-understand way to interact with the invisible waves that surround us, whether they’re RFID, NFC, Bluetooth, wifi, or radio. It’s like a hacker Swiss army knife that you can buy for less than $200.

You can use a Flipper Zero to control your TV, cheat your Nintendo, replace your work ID, open your hotel room door, and more. I’m sure you could see where the “evil” part could come in. But on the other hand, it’s just a tool, and its ability to commit crimes is... more
Flipper Zero – Corporate Security Threat

Monday, September 25, 2023

Legacy Systems Threaten Security in Mergers & Acquisitions

Here’s a simple fact: Legacy systems are far more likely to get hacked. This is especially true for companies that become involved in private equity transactions, such as mergers, acquisitions, and divestitures...

We have seen two primary trends throughout 2023:

– Threat groups are closely following news cycles, enabling them to quickly target entire portfolios with zero-day attacks designed to upend aging technologies — disrupting businesses and their supply chains.

– Corporate espionage cases are also on the rise as threat actors embrace longer dwell times and employ greater calculation in methods of monetizing attacks. more

Thursday, July 20, 2023

Kevin Mitnick, Hacker Turned Security Consultant, Dies at 59

Kevin Mitnick, who became the country’s most famous cybercriminal after an FBI manhunt and later became a cybersecurity consultant, died on July 16.

Mitnick, who was 59, died of pancreatic cancer, said Kathy Wattman, a spokeswoman for KnowBe4, where Mitnick worked. Mitnick’s survivors include his wife, Kimberley, who is expecting a child this year.

“Mr. Mitnick branded himself the ‘world’s most famous hacker,’ as KnowBe4 called him in a Thursday statement. As the World Wide Web was slowly being adopted across the globe, he broke into the computer systems of companies such as Motorola, Nokia and Sun Microsystems, causing what prosecutors alleged was millions of dollars in damage,” Kelly writes.

“Before he was 30, Mr. Mitnick had already served a brief prison sentence for computer crimes. But his infamy as a hacker was cemented in 1995, when the FBI arrested him in the middle of the night at a North Carolina apartment in a highly publicized raid that capped a 24-hour stakeout outside his home and brought an end to his more than two years as a fugitive.”

Mitnick was a polarizing figure in the cybersecurity community after his release from prison in 2000. “He portrayed himself as a misunderstood ‘genius’ and pioneer, and some supporters said he was a victim of overzealous prosecution and overhyped media coverage,” Kelly writes.

“He became a cause célèbre for the internet,” former federal cybercrime prosecutor Mark Rasch, who investigated Mitnick, told Kelly. “There was this idea that he was liberating data, he was liberating information, and that he was just proving how hacking could be done,” he said. “You had a whole bunch of people in the hacker defense community who thought he was the worst thing in the world, and people in the hacker community who thought he was a demigod.” website

Saturday, July 1, 2023

Security Alert: Unsolicited Smartwatches Received by Mail


Service members across the military have reported receiving smartwatches unsolicited in the mail.
These smartwatches, when used, have auto-connected to Wi-Fi and begun connecting to cell phones unprompted, gaining access to a myriad of user data.

These smartwatches may also contain malware that would grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords...

What to do if you receive one of these devices:

Thursday, June 29, 2023

From the What Goes Around Files: Phone Spy App Hacked

LetMeSpy, a phone tracking app spying on thousands, says it was hacked...

A data breach reveals the spyware is built by a Polish developer

A hacker has stolen the messages, call logs and locations intercepted by a widely used phone monitoring app called LetMeSpy, according to the company that makes the spyware.

The phone monitoring app, which is used to spy on thousands of people using Android phones around the world, said in a notice on its login page that on June 21, “a security incident occurred involving obtaining unauthorized access to the data of website users.”

“As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts,” the notice read.

LetMeSpy is a type of phone monitoring app that is marketed for parental control or employee monitoring. The app is also specifically designed to stay hidden on a phone’s home screen, making it difficult to detect and remove. Also known as stalkerware or spouseware, these kinds of phone monitoring apps are often planted by someone — such as spouses or domestic partners — with physical access to a person’s phone, without their consent or knowledge. more

Thursday, April 6, 2023

Hackers Can Open Nexx Garage Doors Remotely...

...and there's no fix!

Multiple vulnerabilities discovered in Nexx smart devices can be exploited to control garage doors, disable home alarms, or smart plugs.

There are five security issues disclosed publicly, with severity scores ranging from medium to critical that the vendor has yet to acknowledge and fix. more