A $500 Open Source Tool Lets Anyone Hack Computer Chips With Lasers

IN MODERN MICROCHIPS, where some transistors have been shrunk to less than a 10th of the size of a Covid-19 virus, it doesn't take much to mess with the minuscule electrical charges that serve as the 0s and 1s underpinning all computing. 

A few photons from a stray beam of light can be enough to knock those electrons out of place and glitch a computer's programming. Or that same optical glitching can be achieved more purposefully—say, with a very precisely targeted and well timed blast from a laser. Now that physics-bending feat of computer exploitation is about to become available to far more hardware hackers than ever before.

At the Black Hat cybersecurity conference in Las Vegas next week, Sam Beaumont and Larry “Patch” Trowell, both hackers at the security firm NetSPI, plan to present a new laser hacking device they're calling the RayV Lite. 

Their tool, whose design and component list they plan to release open source, aims to let anyone achieve arcane laser-based tricks to reverse engineer chips, trigger their vulnerabilities, and expose their secrets—methods that have historically only been available to researchers inside of well-funded companies, academic labs, and government agencies. more

This Week in Spy News

• Canada women advance in Olympic soccer as emails show their coach supported spying. more

• Like a spy thriller: Amazing details about assassination of Hamas leader Haniyeh in Tehran start to emerge. more

• Moldova expels Russian diplomat and calls in envoy amid spy case. more

• Suspected Russian spy locked up in Brooklyn freed in prisoner swap for Evan Gershovich, Paul Whelan more

• Chinese Woman, 20, Reports Parents To Police After They Install Spy Camera In Her Bedroom more

• Slovenian court convicts two Russians of espionage more

• French citizen accused of espionage in Russia denied bail. more

• The Philippine National Police is looking into the possibility that gadgets seized from a Chinese national were being used for scamming and espionage activities. more  Security Scrapbook Analysis: The equipment appears to have been obtained from pitsms.top, a Chinese manufacturer of a cellular "Fake Base Station" systems. This could be either a cyber-crime story, or a spy story, depending upon the intended use. Stay tuned. We will update you as this develops. You can watch the Fake Base Station being made, here.

Behind the Prisoner Swap: Spies, a Killer, Secret Messages and Unseen Diplomacy

A turning point came on June 25, when a group of C.I.A. officers sat across from their Russian counterparts during a secret meeting in a Middle Eastern capital.

The Americans floated a proposal: an exchange of two dozen prisoners sitting in jails in Russia, the United States and scattered across Europe, a far bigger and more complex deal than either side had previously contemplated but one that would give both Moscow and Western nations more reasons to say yes...

The Russian spies took the proposal back to Moscow, and only days later the C.I.A. director was on the phone with a Russian spy chief agreeing to the broad parameters of a massive prisoner swap. On Thursday, seven different planes touched down in Ankara, Turkey, and exchanged passengers, bringing to a successful close an intensive diplomatic effort that took place almost entirely out of public view. more

Voice Over Wi-Fi Vulnerability Let Attackers Eavesdrop Calls And SMS

IPsec tunnels are employed by Voice over Wi-Fi (VoWiFi) technology to route IP-based telephony from mobile network operators’ core networks via the Evolved Packet Data Gateway (ePDG).

This process consists of two main phases: negotiation of encryption parameters and performing a key exchange using the Internet Key Exchange protocol, followed by authentication....

The risk is that these vulnerabilities could expose VoWiFi communications to MITM attacks, compromising data integrity or confidentiality, which is essential for better security in implementing VoWiFi solutions...

These findings highlight the systemic flaws in the implementation of VoWiFi, which could make users vulnerable to man-in-the-middle attacks, and communication security is compromised on a global scale, consequently requiring better security measures in VoWiFi protocols and implementations. more

$2 billion Corporate Espionage Verdict Overturned by Appeals Court

Software company Pegasystems convinced a Virginia appeals court on Tuesday to throw out a $2 billion jury verdict for rival Appian in a court battle over Pegasystems’ alleged theft of Appian’s trade secrets.

The award from 2022 had been the largest damages verdict in Virginia court history, the Court of Appeals of Virginia said in the decision...

McLean, Virginia-based Appian had said in a 2020 lawsuit that Pegasystems hired a contractor to steal confidential information from Appian’s software platform in order to improve its own products and better train its sales force...

Appian said that Cambridge, Massachusetts-based Pegasystems referred internally to the contractor as a spy and to its scheme as “Project Crush,” with Pegasystems employees using fake credentials to access Appian’s software. Pegasystems characterized “Project Crush” as competitive research in a 2022 statement...

Pegasystems’ CEO said in a statement following the verdict that Appian’s CEO “could not identify one trade secret that Pega had allegedly misappropriated” during the trial. more

Moral: Make sure your "trade secrets" meet the requirements of, and can be clearly identified as, Trade Secrets. more

Interesting: AI Can Reveal What’s on Your Screen (sort of)

Hackers can intercept electromagnetic radiation leaking from the cable between your monitor and computer and decode what you are seeing on screen with the help of artificial intelligence. Such attacks are probably taking place in the real world, says the team behind the work, but ordinary computer users have little to worry about...

Federico Larroca at the University of the Republic in Montevideo, Uruguay, and his colleagues have developed an AI model that can reconstruct an image from digital signals that were intercepted a few metres away from an HDMI cable...

Around 30 per cent of characters were misinterpreted by the eavesdropping process, but that is low enough that humans can read most of the text accurately, the team says. This error rate is about 60 per cent lower than the previous state-of-the-art attack, the researchers add. more

Karma Files: Multi-platform Spyware Provider Spytech Gets Hacked

Second spyware provider hacked this month...

Minnesota-based spyware provider Spytech has been hacked, with files stolen from the company's servers containing detailed device activity logs from a global pool of mostly Windows PCs but also some Macs, Chromebooks, and even Android devices. 

The total number of spyware victims impacted by Spytech and noted by TechCrunch analyzing the scale of the breach is "more than 10,000 devices since 2013," and this cross-platform invasion of privacy stretches across the entire globe, including the US, EU, the Middle East, Africa, Asia, and Australia. 

Spytech provides a brand of spyware best known as "stalkerware" since it's typically installed by a person with physical access to the victim's device. more

Tag You're It

Police departments in the United Kingdom are using a “forensic spray” to tag motorcyclists, e-bikes and other small vehicle riders that are causing a nuisance in Manchester.

The spray, called SmartTag, contains a unique traceable forensic code tied to the bottle, enabling the police department to easily decide where and when the individual was tagged. Only an extremely small amount of liquid is needed to be able to identify whether or not someone or something has been sprayed.

The liquid also cannot be washed off nor can it be detected by the naked eye, making it a suitable tool for law enforcement. more

Previously reported in the Security Scrapbook...
Saturday, May 15, 2010 - SmartWater - "I've been slimed!"

FutureWatch: AI to the Max - Will Intelligent Eavesdropping Bugs Be Possible?

SCIENTISTS ARE GROWING BRAINS IN LABS. COULD THEY BECOME CONSCIOUS? "IT HAS NO EYES, EARS, NOSE OR MOUTH — NOTHING'S COMING IN." (yet)

As scientists continue to make advances using human tissue to grow brains in laboratories, one neuroscientist is naming the existential elephant in the room: could lab-grown brains ever become truly conscious?

In an interview with Live Science, University of California at Santa Barbara neuroscientist Kenneth Kosik explained that as the science stands now, the facsimile brains made in labs aren't likely to achieve consciousness anytime soon. (Nothing to see here, don't worry, move on.)

These brain organoids, as the lab-grown brains are called, are created by taking someone's cells, converting them into stem cells, and differentiating those into neurons. more

Olympics: FIFA Hinders Canada’s chances with Punishments for Drone Spying

FIFA suspended Canada women’s soccer coach Bev Priestman for one year, deducted six points from the team’s Olympic group stage total and issued a fine on Saturday in response to Canada flying a drone over New Zealand’s training sessions before the start of the Games.

The punishment immediately and severely hurt the chances for a second consecutive gold medal for Canada, which won the Olympic tournament in Tokyo in 2021, a run that was immediately questioned as the drone scandal emerged. more

One Way Corporate Espionage Spies Cover Their Tracks

Residential proxy IP: The invisible cloak in corporate espionage.
From the IP vendor's ad...

"In the fiercely competitive business battlefield, information is power, and how to obtain and use this information has become a problem that every company needs to face. In this spy war without gunpowder, residential proxy IP is like an invisible cloak, providing strong protection and support for enterprises.

Imagine that you are an intelligence analyst at an emerging technology company, and your task is to collect and analyze the latest developments of competitors so that the company can make more informed decisions. However, the online world is not a smooth road, and your IP address can easily expose your true identity and intentions, making your actions subject to various restrictions. At this time, residential proxy IP is like a capable assistant, helping you to move forward invisibly in this spy war.

Residential proxy IP, as the name suggests, is to use the IP address of an ordinary home network environment for network access. Because these IP addresses come from real home users, they are difficult to identify and track. By using residential proxy IP, enterprises can hide their real IP address and avoid being discovered by competitors or network monitoring agencies. In this way, enterprises can access target websites, crawl data, analyze competitors' strategies, etc. more freely without worrying about being blocked by anti-crawler mechanisms or IP being blocked." more

Corporate Espionage: Steward Health Care Deployed Spy Outfits to Thwart Critics

Despite its financial turmoil and eventual bankruptcy, Steward Health Care allegedly spent millions spying on its adversaries, hiring intelligence companies to track and intimidate critics worldwide.

In what resembles a poorly written spy novel, Steward's leadership hired agents who placed tracking devices on the car of a financial analyst, accessed a healthcare executive’s phone to potentially blackmail him and circulated an allegedly false wire transfer to frame a politician, a report said.

The videos and documents with the incriminating details were obtained by journalism outfit the Organized Crime and Corruption Reporting Project and shared with the Boston Globe, who investigated the case further.

According to reporters, Steward executives who deployed these intelligence firms prioritized paying their bills over all others, including invoices from vendors and suppliers. Monthly expenses for intelligence services reached as high as $440,000, and from 2019 to 2023, Steward allocated over $7 million to these operations.

As to the legality of all of this, because the spying and fraud took place in various jurisdictions globally, it may not be possible to prosecute anyone responsible. more

The Devil Wears Prada - So Do Spies

Former Government Official Arrested For Acting As Unregistered Agent Of South Korean Government

U.S. Attorney Damian Williams said: “As alleged, Sue Mi Terry, a former CIA and White House employee, subverted foreign agent registration laws in order to provide South Korean intelligence officers with access, information, and advocacy. 

Terry allegedly sold out her positions and influence to the South Korean government in return for luxury handbags, expensive meals, and thousands of dollars of funding for her public policy program. 

 The charges brought should send a clear message to those in public policy who may be tempted to sell their expertise to a foreign government to think twice and ensure you are in accordance with the law.” more

‘His cameras are everywhere’

Clients worry as Martinsville security camera installer investigated for spying...
The owner of a Martinsville security company was in court Friday, facing child pornography charges, including images he may have taken himself. Adam R. Anderson, 42, is pleading not guilty to these felony counts. Court documents reveal he’s also under investigation for allegedly spying on clients using his security systems.

Holly Clark signed up for Anderson Video Security and Alarm LLC after her garage was broken into a few years ago. Holly Clark signed up for Anderson Video Security and Alarm LLC after her garage was broken into a few years ago.

After meeting with tech experts, Clark said she believes he may still have ownership and access to the cameras within his company.

“The thing is, it’s not just me,” she said. “He put cameras in at the library, the city pool, and has allegations of child porn. Do you want his cameras at the city pool? His cameras are everywhere.”

Clark said she and other customers are considering a class action lawsuit against Anderson to get sole ownership of the installed security systems. more

Karma Files: Data Breach Exposes Millions of mSpy Spyware Customers

A data breach at the phone surveillance operation mSpy has exposed millions of its customers who bought access to the phone spyware app over the past decade, as well as the Ukrainian company behind it.

Unknown attackers stole millions of customer support tickets, including personal information, emails to support, and attachments, including personal documents, from mSpy in May 2024. While hacks of spyware purveyors are becoming increasingly common, they remain notable because of the highly sensitive personal information often included in the data, in this case about the customers who use the service.

The hack encompassed customer service records dating back to 2014, which were stolen from the spyware maker’s Zendesk-powered customer support system.

mSpy is a phone surveillance app that promotes itself as a way to track children or monitor employees. Like most spyware, it is also widely used to monitor people without their consent. more