USB Killer – ESD Tester to test and disable USB devices

When plugged into a device, the USB Killer rapidly charges its capacitors from the USB power lines. When the device is charged, -200VDC is discharged over the data lines of the host device. This charge/discharge cycle is repeated many times per second, until the USB Killer is removed. Simply put: used on unprotected equipment, the USB Killer instantly and permanently disables unprotected hardware.

Source: USB Killer – ESD Tester to test and disable USB devices

DeskDock – use your android device as a second PC monitor

DeskDock allows you to share your computer’s mouse with your Android devices via a USB cable. The app enables you to control your Android device as if it was an additional monitor for your computer. Simply move your computer’s mouse cursor over the screen boundaries to use it with your Android devices.

Source: DeskDock Free – Android Apps on Google Play

It’s just like Synergy, but for Android.

Rosetta catches dusty organics

Rosetta’s dust-analysing COSIMA (COmetary Secondary Ion Mass Analyser) instrument has made the first unambiguous detection of solid organic matter in the dust particles ejected by Comet 67P/Churyumov-Gerasimenko, in the form of complex carbon-bearing molecules.

While organics had already been detected in situ on the comet’s surface by instruments on-board Philae and from orbit by Rosetta’s ROSINA, those were both in the form of gases resulting from the sublimation of ices. By contrast, COSIMA has made its detections in solid dust.

Their presence was only ever hinted at in previous comet missions, which flew by their targets at high speed and, as a result, disrupted the particles, making characterisation challenging. But Rosetta is orbiting Comet 67P/C-G and can catch dust particles moving at low speed.

“Our analysis reveals carbon in a far more complex form than expected,” remarked Hervé Cottin, one of the authors of the paper reporting the result that is published in Nature today. “It is so complex, we can’t give it a proper formula or a name!”

Source: Rosetta catches dusty organics

UK Gov is open about how much it spied on its citizens

145 public authorities acquired data in 2015, and most of these requests came from the UK’s police forces and law enforcement agencies. Law enforcement officers acquired 93.7 per cent of all data requested by public authorities in 2015. Only 5.7 per cent of data was acquired by the intelligence agencies, and a mere 0.6 by public authorities such as the Financial Conduct Authority, which have the statutory ability to investigate criminal offences.

0.1 per cent of requests came from local authorities such as councils.

1,199 errors

IOCCO conducted 72 inspections in 2015, looking at approximately 15,000 randomly selected applications for communications data in detail, with a further 117,000 applications being subjected to query-based examinations; IOCCO has an internally-developed query method on the records of applications to allow the office to “identify trends, patterns and compliance issues across large volumes of applications.”
[…]
A whopping 1,199 errors were reported in 2015, a 20 per cent increase year-on-year. IOCCO reported:

The main causes for the overall rise are a larger number of incorrect identifiers being submitted by applicants on their applications or, both applications and [Single Points of Contact] acquiring data over the incorrect date or time period. Once again we highlight that a significant number of these errors relate to Internet Protocol addresses being incorrectly resolved to subscribers, which can have serious consequences.

23 of these errors were considered “serious” in 2015; nine of them caused by technical system errors and 14 were attributed to human error. The nine technical system errors resulted in “multiple consequences and a large number of erroneous disclosures (2036)” while the human errors were not dissimilar to those reported by IOCCO last year, in which a typo led to a police force raiding the wrong house.

There were 17 search warrants executed at the wrong premises in 2015, which resulted in 13 arrests, although IOCCO did not give any more details on the circumstances of those. Six of those serious consequences involved people unconnected to the investigations being “visited” by police, and on seven occasions—as happened last year—welfare checks on vulnerable people, including children, were delayed.

Joanna Cavan, the head of IOCCO who has just a few weeks left at the oversight body before joining GCHQ’s tech help desk, informed The Register that the most frequent error was caused by transposing the days and months when accommodating the American format of presenting the time.
[…]
Back in February last year IOCCO published an inquiry report [PDF] into police forces acquiring journalists’ communications data to identify and determine journalistic sources. […] IOCCO discovered it had been breached during four investigations, and in one case the commissioner, Sir Stanley Burton, determined that the conduct was serious and reckless.

Source: Brit spies and chums slurped 750k+ bits of info on you last year
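The day/month transposition IOCCO describes above, as an added illustration that is not IOCCO’s or The Register’s code: the same numeric request date resolves to a different subscriber (constructed lease records) depending on which convention parses it, so the resolver refuses an ambiguous date unless the convention is stated.

```python
from datetime import date

# Constructed sample of a carrier lease log: which subscriber held an address over
# which dates. A real request would be checked against live CGNAT/DHCP records.
LEASES = [
    ("203.0.113.7", "subscriber-A", date(2015, 4, 1), date(2015, 4, 30)),  # April
    ("203.0.113.7", "subscriber-B", date(2015, 3, 1), date(2015, 3, 31)),  # March
]


def parse_numeric_date(text: str, day_first: bool) -> date:
    """Parse 'NN/NN/YYYY' under an explicit, stated convention; never guess."""
    a, b, year = (int(part) for part in text.split("/"))
    day, month = (a, b) if day_first else (b, a)
    return date(year, month, day)


def candidate_dates(text: str) -> set:
    """Every calendar date the string could denote. Two elements means the
    day-first and month-first readings are both valid and differ (03/04/2015);
    one element means only one reading is a real date (25/04/2015)."""
    found = set()
    for day_first in (True, False):
        try:
            found.add(parse_numeric_date(text, day_first))
        except ValueError:
            pass
    return found


def resolve_ip(ip: str, when: date):
    """Which subscriber held this address on this date, per the lease log."""
    for lease_ip, subscriber, start, end in LEASES:
        if lease_ip == ip and start <= when <= end:
            return subscriber
    return None


def resolve_request(ip: str, date_text: str, day_first=None):
    """Resolve an IP to a subscriber for a request dated as NN/NN/YYYY.
    With no stated convention, refuse anything that has more than one reading
    rather than silently picking one; the silent pick is the transposition error."""
    if day_first is not None:
        when = parse_numeric_date(date_text, day_first)
    else:
        candidates = candidate_dates(date_text)
        if len(candidates) != 1:
            raise ValueError(f"{date_text!r}: day/month order ambiguous; "
                             "require ISO 8601 (YYYY-MM-DD) or a stated convention")
        when = candidates.pop()
    return resolve_ip(ip, when)
```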

Warner Brothers reports own site as illegal

Film studio Warner Brothers has asked Google to remove its own website from search results, saying it violates copyright laws.

It also asked the search giant to remove links to legitimate movie streaming websites run by Amazon and Sky, as well as the film database IMDB.

The request was submitted on behalf of Warner Brothers by Vobile, a company that files hundreds of thousands of takedown requests every month.

Source: Warner Brothers reports own site as illegal – BBC News

Google decided not to enforce the DMCA takedown, which is strange: why should large companies be exempt from the DMCA and get a proper hearing, whilst smaller companies just get taken down without any proper judgement?

Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops

HITB Florian Lukavsky hacks criminals profiting from out-of-control multi-billion dollar CEO wire transfer scams… and they hate him for it.

The director of SEC Consult’s Singapore office has made a name striking back at so-called “whaling” scammers by sending malicious Word documents that breach their Windows 10 boxes and pass on identity information to police.

Whaling is a well-oiled social engineering scam that sees criminals dupe financial controllers at large lucrative organisations. Whalers’ main method is to send emails that appear to originate from chief executive officers, bearing instructions to wire cash into nominated bank accounts.

It works. The FBI estimates some $2.2bn (£1.7bn, A$2.9bn) in losses have arisen from nearly 14,000 whaling cases in the seven months to May this year. Some $800m (£601m, A$1bn) in losses occurred in the 10 months to August 2015.

Harpooned companies include Mattel, which shipped and by dumb luck recouped $3m its executive sent to a hacker’s Chinese bank account; Ubiquiti, which lost $46.7m in June last year; and Belgian bank Crelan, which lost $78m in January.

They join Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims.

Lukavsky told The Reg of his work on the back of his presentation at August’s Hack in the Box in Singapore, where he explained that he uses the attacker’s tactics to compromise scammers’ Microsoft accounts.

“Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters,” Lukavsky says.

“We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information.”

“We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook.”

Those Windows 10 password hashes only last a few hours when subjected to tools like John the Ripper.

The information Lukavsky passed on to police from that attack late last year led to the arrest of the scammers located in Africa.

Source: Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops

Use a USB dongle to emulate a NIC and get credentials from locked Windows machines

If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out (yes, logged in, just locked). (..or do even more, but we’ll save that for another time, this post is already too long)

Source: Snagging creds from locked machines · Room362

When you’ve paid the ransom but you don’t get your data back

One in five firms that pay ransom fail to get their data back, according to new research from Trend Micro.

A poll of IT managers at 300 UK businesses sponsored by Trend Micro found that 44 per cent of UK businesses have been infected by ransomware in the last two years.

The study also found that around two-thirds (65 per cent) of UK companies confronted with a ransomware infection end up paying out in the hopes of getting their data back.

The average amount of ransom requested in the UK was £540, although 20 per cent of companies reported ransoms of more than £1,000. The majority – 57 per cent of companies – reported having been given under 24 hours to pay up.

Organisations affected by ransomware estimate they spent 33 person-hours on average fixing the problem.

The ransomware problem is growing. Trend Micro has identified 79 new ransomware families so far this year, compared to 29 in the whole of 2015.

Source: When you’ve paid the ransom but you don’t get your data back

That’s a case for not paying the ransom then…

Using known private keys on internet-connected devices has gone up 40% since 2015

To accomplish the mammoth task of informing about 50 different vendors and various ISPs we teamed up with CERT/CC (VU#566724). We would really like to report that our efforts were successful, but as it turns out the number of devices on the web using known private keys for HTTPS server certificates has gone up by 40% in the last nine months (3.2 million in November 2015 vs. 4.5 million now). There are many explanations for this development. The inability of vendors to provide patches for security vulnerabilities including but not limited to legacy/EoL products might be a significant factor, but even when patches are available, embedded systems are rarely patched. Insufficient firewalling of devices on the WAN side (by users, but also ISPs in case of ISP-supplied customer premises equipment, CPE) and the trend of IoT-enabled products are surely a factor as well.

Source: SEC Consult: House of Keys: 9 Months later… 40% Worse

This means it’s quite easy to listen in and interfere with these devices as well.

Inteno routers given out by ISPs allow full administrative access

Several Inteno routers do not validate the Auto Configuration Server (ACS) certificate (CWE-295). An attacker in a privileged network position can Man-in-the-Middle the connection between the device and the Auto Configuration Server (ACS). If ACS has been preconfigured by the ISP (this is usually the case) no user actions are required for exploitation.

Impact
——

The attacker who can intercept the network traffic between the affected device (CPE) and the Auto Configuration Server (ACS) gains full administrative access to the device. The attacker can perform arbitrary administrative operations on the device, such as flashing the device firmware.

Inteno refuses to fix the problem.

advisory here

Australian government auditor slams Tiger attack helicopter

The 64-page report details a range of issues. It identifies 76 “capability deficiencies,” of which the Department of Defence (DoD) deems 60 to be “critical.”
[…]
On average, only 3.5 aircraft in the operational fleet of 16 helicopters were available on “any given day in 2015,” says ANAO. This is below targeted readiness of 12 aircraft.
[…]
Sustainment costs are also an issue. Initially, between 2004 and 2019 these were pegged at A$571 million ($431 million). This amount was eclipsed in 2014, and costs mounted to A$921 million in 2016. The cost per flight hour in June 2016 was A$30,335, compared with a target of A$20,000.
[…]
Weapons availability appears to be a challenge. In addition, there have been two incidents – one in Germany, one in Australia – where 70mm rocket pods were jettisoned with no command from the pilot. The cause of this problem has yet to be identified.

Source: Australian government auditor slams Tiger attack helicopter

Last.fm lost 43.5 million poorly encrypted accounts in 2012. They are out now, and the top 50 are…

Music service Last.fm was hacked on March 22nd, 2012 for a total of 43,570,999 users. This data set was provided to us by daykalif@xmpp.jp and Last.fm already knows about the breach but the data is just becoming public now like all the others. Each record contains a username, email address, password, join date, and some other internal data. We verified the legitimacy of this data set with Softpedia reporter Catalin C who was in the breach himself along with his colleagues.
[…]
Passwords were stored using unsalted MD5 hashing. This algorithm is so insecure it took us two hours to crack and convert over 96% of them to visible passwords, a sizeable increase from prior mega breaches made possible because we have significantly invested in our password cracking capabilities for the benefit of our users. Here are the top 50:

Rank  Password     Frequency
   1  123456         255,319
   2  password        92,652
   3  lastfm          66,857
   4  123456789       63,984
   5  qwerty          46,201
   6  abc123          36,367
   7  abcdefg         34,050
   8  12345           33,785
   9  1234            30,938
  10  music           27,975
  11  12345678        25,876
  12  111111          25,313
  13  abcdefg123      21,555
  14  aaaaaa          19,098
  15  123123          18,147
  16  123             17,225
  17  liverpool       17,191
  18  1234567         17,168
  19  000000          16,941
  20  monkey          16,787

Source: LeakedSource Analysis of Last.fm Hack

(ok, top 20 here, go to leakedsource for the rest)
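The unsalted-MD5 point above, as an added example that is not LeakedSource’s or Last.fm’s code: a precomputed MD5 table built from a few of the listed passwords (constructed sample) recovers every unsalted record that uses them, while the same table recovers nothing against per-user salted PBKDF2 hashes (an assumed replacement scheme), which also make each remaining guess expensive.

```python
import hashlib
import hmac
import os

# Constructed sample: a few entries from the top-20 list above, standing in for a
# full wordlist; real recovery runs use lists of many millions of candidates.
COMMON_PASSWORDS = ["123456", "password", "lastfm", "qwerty", "abc123", "monkey"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(candidates):
    """Hash every candidate once. Because unsalted MD5 of a given password is the
    same in every dump, this table is reusable against every record of every
    unsalted dump, which is why such hashes fall within hours."""
    return {md5_hex(p.encode()): p for p in candidates}


def store_unsalted_md5(password: str) -> str:
    """The Last.fm scheme: identical passwords give identical hashes."""
    return md5_hex(password.encode())


def store_salted_pbkdf2(password: str, salt=None, iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256). The salt defeats
    precomputed tables; the iteration count makes every per-user guess costly."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2$sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(stored: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def recover_with_table(records: dict, table: dict) -> dict:
    """Map user -> plaintext for every stored digest found in the table.
    Salted records never match: the table was built without their salt, so the
    attacker is pushed back to guessing each user separately at KDF cost."""
    hits = {}
    for user, stored in records.items():
        stored_digest = stored.split("$")[-1]
        if stored_digest in table:
            hits[user] = table[stored_digest]
    return hits
```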

Miraculous Spray-On Coating Protects a Watermelon From a 150-Foot Drop

Have you ever wondered if those miracle sprays that promise to protect the liner of your pickup truck from damage actually work? Here’s proof they do. The amateur scientists at YouTube’s How Ridiculous covered a watermelon in Line-X spray and dropped it off a 150-foot-tall tower. Not only did the watermelon survive the fall, it actually bounced on impact. Whoa.

Source: Miraculous Spray-On Coating Protects a Watermelon From a 150-Foot Drop

USBee stings air-gapped PCs: Wirelessly leak secrets with a file write on a USB stick, measuring the voltage changes

Dubbed USBee, the technique turns a computer’s USB ports into mini RF transmitters by modulating the data fed at high speed to plugged-in devices. By banging out a string of ‘0’ bits to a USB port, the voltage changes in the interface generate detectable emissions between 240MHz and 480MHz, according to Guri.

Next, by writing sequences of ‘0’ and ‘1’, we’re told you can create a carrier wave from the rapid voltage changes on the interface’s data pins. You can then use binary frequency shift keying (B-FSK) to encode useful information into the wave.

Guri reckons you can beam 80 bytes per second over the air using this technique, which is fast enough to send a 4,096-bit crypto key to a nearby receiver in less than 10 seconds.

Source: USBee stings air-gapped PCs: Wirelessly leak secrets with a file write

Research outlines cellular communication processes that show it’s a majority rule in your body

Scientists have long known that cells have various types of sensory abilities that are key to their function, such as sensing light, heat, nerve signals, damage, chemicals or other inputs.

In this process, a chemical stimulus called ATP functions as a signaling molecule, which in turn causes calcium levels in a cell to rise and decline, and tells a cell it’s time to do its job – whether that be sending a nerve impulse, seeing a bird in flight or repairing a wound. These sensing processes are fundamental to the function of life.

“The thing is, individual cells don’t always get the message right, their sensory process can be noisy, confusing, and they make mistakes,” Sun said. “But there’s strength in numbers, and the collective sensory ability of many cells working together usually comes up with the right answer. This collective communication is essential to life.”

In this study, researchers helped explain just how that works for animal cells.

When cells meet, a small channel usually forms between them that’s called a gap junction. […] But with gap junction-mediated communications, despite significant variability in sensing from one cell to another, the sensitivity to ATP is increased

This interactive chatter continues, and a preponderance of cells receiving one sensation persuade a lesser number of cells reporting a different sensation that they must be wrong. By working in communication and collaboration, most of the cells eventually decide what the correct sensory input is, and the signal that gets passed along is pretty accurate.

Source: Research outlines cellular communication processes that make life possible

Wine Worlds

The world’s annual consumption of wine is almost 250 million hectolitres (one hectolitre = 100 litres). That corresponds to the volume of 10,000 Olympic-size swimming pools. The United States accounts for 30 million hectolitres and has, in recent years, become the world’s largest market for wine – a position it took over from France in 2013. However, with an annual consumption per capita of around ten litres, the United States has a lower consumption per capita than almost all other wine-producing countries. France, for example, has a per capita consumption level of 48 litres and even Greece and Belgium outdo the States at 26 litres and 28 litres per capita of consumption respectively.

Source: Wine Worlds – Views of the World

Interactive cross-platform JavaScript HTML5 Charts, Maps, Stocks and Gantts for your project | AnyChart

AnyChart is a flexible JavaScript (HTML5) based solution that allows you to create interactive and great looking charts. It is a cross-browser and cross-platform charting solution intended for everybody who deals with creation of dashboard, reporting, analytics, statistical, financial or any other data visualization solutions. PCs, Macs, iPhones, iPads, Android devices – AnyChart works everywhere, you’ll get the same experience across any devices and browsers!

Source: Interactive cross-platform JavaScript HTML5 Charts, Maps, Stocks and Gantts for your project | AnyChart