The USB Killer exploits a vulnerability manufacturers haven’t bothered fixing.
Whatever you do, don’t mistake this USB stick for the one holding your PowerPoint.
When plugged into any device, the USB Killer, released earlier this summer, rapidly draws power from the hardware, then returns that power in an overloading burst. According to the makers, this “instantly and permanently disables unprotected hardware.” Potential targets include not just PCs, but TVs, copy machines—anything with a USB port.
The device, marketed as a testing tool for administrators looking to protect their systems, sells for 49.95 euros, or around $56. Demand has apparently been high, with the manufacturers reporting backorders.
Despite the obvious nefarious potential for the tool, its public release at least appears well-intentioned. The USB Killer was developed by a security hardware team based in Hong Kong, who first publicized the vulnerability it targets over a year ago, and developed an early prototype.
But the team was deeply frustrated to see manufacturers take little action on closing the vulnerability. According to the team, Apple is to date the only manufacturer that protects their devices against this so-called USB surge attack.
This USB Stick Will Instantly Destroy Your Computer
You’d think protecting your computer with a strong password can keep it safe, but apparently, all it takes to steal your log-in credentials is a $50 piece of hardware and an app. According to R5 Industries principal security engineer Rob Fuller, he was able to pilfer usernames and passwords from locked computers using a USB device loaded with a hacking app called Responder. The stolen passwords are encoded, sure, but once they’re in another person’s possession, they can be cracked. One of the small, Linux-powered computers he used (USB Armory) costs $155, but the other (Hak5 Turtle) costs only $50. Computers share log-in credentials with them, because they recognize the devices as trusted Ethernet adapters.
Fuller said the combination worked on all versions of Windows and even on El Capitan, though he still needs to check whether his Mac experiment was a fluke. He also said that the hack was so easy to pull off, he “tested it so many ways to confirm” since he had such a hard time believing it was possible.
A $50 device and an app can easily steal your PC’s log-in
Chrome is getting serious about websites that don’t use encryption. The next version of Chrome will include a new warning for unencrypted login sites, according to a post today on the Google Security Blog. Chrome 56, which is planned to launch in January, will mark HTTP login pages as “not secure” in a window next to the address bar. Unencrypted HTTP is particularly dangerous for login pages, as it could allow an attacker to intercept passwords as they travel across the network.
The post also lays out Chrome’s long-term plan for discouraging unencrypted web connections. In the years to come, the team plans to warn Chrome users away from all sites served over unencrypted HTTP, beginning with Incognito mode “where users may have higher expectations of privacy.” Planned changes include labeling all HTTP pages with the red triangle warning symbol, currently only used for irregularities in HTTPS.
“Chrome currently indicates HTTP connections with a neutral indicator,” writes Emily Schechter of the Chrome Security team. “This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you.” That weakness can be used to inject malware seamlessly into unencrypted web traffic, commonly known as an injection attack.
Chrome is stepping up its war on the unencrypted web
After a series of high-profile cyberattacks against individuals and organisations in the US, the FBI is increasing its efforts to combat cybercrime, including adopting a new approach to recruiting hackers.
The agency has long had trouble attracting people from the hacking community, who tend to stay independent or work in the private sector instead. But, in a recent speech, FBI director James Comey said the agency is now “working very hard” to “be a whole lot cooler than you may think we are”, in an effort to get people with cyberattack and cyberdefence skills to work for it.
Comey said that the FBI is looking to staff its cyberattack response teams, specifically the Cyber Threat Team and the Cyber Act Team (CAT) – which he called the “fly team” – who are deployed “at a moment’s notice” to provide on-location support during investigations.
Mission Impossible? FBI wants to be cool enough to recruit hackers
As a general rule, anyone who posts pictures of money and talks about investment opportunities is probably trouble. Those are the hallmarks of the “money flipper” scam, a criminal scheme that’s been troubling Instagram for years. The accounts boast a mysterious investment system, posting cash and other luxury goods as proof that it works. Then, in a direct message, they’ll offer to cut followers in on the deal. Sometimes the offer is to split a money order, other times it’s for access to an empty debit card account — but either way, the scammer abruptly walks off with a few hundred dollars and the mark is left to pick up the tab.
It’s a simple scam, but it’s become remarkably popular on Instagram. A report released today by the threat intelligence firm ZeroFOX found a total of 4,574 unique instances of the scam on Instagram since 2013, spread across 1,386 different accounts. That’s just a fraction of the 2 million posts scanned by ZeroFOX, and an even smaller fraction of the 30 billion posts on the platform itself. Still, it suggests the scam has found a persistent niche on Instagram, and according to ZeroFOX, it could present a long-term problem for any financial companies looking to use Instagram for more than just marketing.
How to spot an Instagram scammer
Opera launched an unlimited VPN service for iOS earlier this year as a result of its 2015 acquisition of SurfEasy, and now it’s doing the same for Android users.
Opera VPN will let you appear as if you’re in a different country such as the US, Canada, Singapore, Germany and the Netherlands in addition to allowing you to block ad trackers. You can effectively bypass content restricted by location with the VPN, and without a data limit you can use it as much as you want.
If you’re not well-versed in VPNs, the app automatically handles setting Android VPN settings for you and will also check the security and integrity of your current Wi-Fi connection. This feature may slow down your internet speed while you’re using it, as TechCrunch attests, but not so much that it’s too problematic to use while surfing.
If you’re interested in trying out the app, you can pick it up via the Google Play Store now.
Opera’s free unlimited VPN service is coming to Android
IT’S GETTING EASIER to secure your digital privacy. iPhones now encrypt a great deal of personal information; hard drives on Mac and Windows 8.1 computers are now automatically locked down; even Facebook, which made a fortune on open sharing, is providing end-to-end encryption in the chat tool WhatsApp. But none of this technology offers as much protection as you may think if you don’t know how to come up with a good passphrase.
A passphrase is like a password, but longer and more secure. In essence, it’s an encryption key that you memorize. Once you start caring more deeply about your privacy and improving your computer security habits, one of the first roadblocks you’ll run into is having to create a passphrase. You can’t secure much without one.
In this post, I outline a simple way to come up with easy-to-memorize but very secure passphrases. It’s the latest entry in an ongoing series of stories offering solutions — partial and imperfect but useful solutions — to the many surveillance-related problems we aggressively report about here at The Intercept.
Passphrases That You Can Memorize — But That Even the NSA Can’t Guess
There’s a lot of misinformation about security online. The truth is that by taking a few simple steps you can make yourself much safer. Here are the basic, super easy ways to do it:
Use a unique password, but don’t worry too much about complexity
Conventional wisdom says that if you use a long password with crazy letters, numbers, and symbols, your account is safe. The fact is, a password like “annexrubykneadtone” is just as secure as “J+e}F*b>J*S;36fSvbSLX)R}” as long as it’s unique. When a hacker is trying to break into your account, the first thing they’ll probably do is search through previous database dumps for your email address. If you’re using the same password across multiple services, a hacker who finds it can access many of your accounts.
Use two-factor authentication whenever possible
Two-factor authentication has made the internet much more secure. Generally, two-factor authentication requires that you enter a code generated by an app on your phone or sent to you via text message, in addition to your account password. It ensures that even if a hacker has your password, they can’t get into your account. You should use two-factor authentication on everything you can, from your bank account to your social media accounts to your email. Sure, it can sometimes be a pain in the ass, but it is so worth it.
Use an ad blocker
Ads are known to spread malware. For that reason alone, you should block all of them. Seriously! I say this as someone whose rent is, in part, paid by ad revenue. With ads, there is no upside when it comes to your security online.
Three Easy Tricks to Improve Your Online Security
Symantec and Kaspersky Lab last week separately announced the discovery of a highly sophisticated advanced persistent threat that had eluded security researchers for at least five years.
A previously unknown group called “Strider” has been using Remsec, an advanced tool that seems to be designed primarily for spying. Its code contains a reference to Sauron, the main villain in The Lord of the Rings, according to Symantec.
The APT spyware is called “ProjectSauron” or “Strider” in Kaspersky’s report.
The malware has been active since at least October 2011, Symantec said. It obtained a sample after its behavioral engine detected it on a customer’s systems.
Kaspersky found out about ProjectSauron when its software caught an executable library registered as a Windows password filter loaded in the memory of a Windows domain controller. The library had access to sensitive data in cleartext.
“Learning that some sophisticated malware has been running in your infrastructure for half a decade without detection is certainly painful,” said Sándor Bálint, security lead for applied data science at Balabit.
“Installing antivirus software and running a personal firewall provide only a bare minimum of protection,” he told TechNewsWorld.
Antimalware systems “stop 99.999 percent of known attacks,” claimed Balabit CEO Zoltán Györkő.
However, the Strider APT mimicked a password filter module, which “is yet another clear sign that passwords are dead and behavior is the new authentication,” he told TechNewsWorld. “The only way to catch these attacks is to spot changes in the behavior of users at the end points.”
Super-Sophisticated Spyware Spotted After 5-Year Run
Four newly identified vulnerabilities could affect 900 million Android devices, Check Point researchers told attendees at the DEF CON 24 security conference in Las Vegas this past weekend.
The vulnerabilities, which the researchers dubbed “QuadRooter,” affect Android devices that use Qualcomm chipsets. They exist in the chipset software drivers.
The drivers, which control communications between chipset components, are incorporated into Android builds manufacturers develop for their devices, so they’re preinstalled on devices and can be fixed only through installation of a patch from the distributor or carrier.
Exploiting any of the four vulnerabilities will let attackers trigger privilege escalations and get root access to the targeted device, Check Point said.
Attackers can exploit the vulnerabilities using a malicious app. Such an app would not require special permissions, and thus would not be easily detected.
900 Million Androids Could Be Easy Prey for QuadRooter Exploits