
Saturday, September 17, 2016

World's Smallest MAME Arcade Cabinet

Originally a weekend project, this MAME cabinet is a few inches tall and uses a screen about as big as a thumbnail. The kit is far from complete and the screen is too small to be really usable for most games. However with a little downsampling and some judicious game choices you can play some Pac-Man or Dig Dug on this minuscule machine.

The cabinet uses a 0.96-inch RGB OLED display and a Raspberry Pi Zero. The creator, Phillip Burgess, used a tool called Nanoscreen to downsample the game frames and display them on the tiny, tiny screen.


In MAME cabinetry, essentially a subculture of arcade lovers who build amazing cabinets for their emulators, the goal is usually either to recreate the arcade games of yore or to build something really wild. Adafruit built something really wild.



source: adafruit


Never lose your AirPods: $10 will get you a wire for your wireless headphones

Suppose you buy a $160 pair of wireless headphones, and all you want is a way to add a wire back to the thing.

$10 might be a small price to pay if it stands between you and losing one of those precious new fully wireless AirPods that Apple announced earlier this week. Losing them was far and away the largest complaint among internet pundits, apart from the earbuds' slightly awkward form factor.





Case maker Spigen has rushed to the rescue with a solution of sorts that has managed the fairly impressive feat of being even more polarizing than the headphones themselves. The AirPods Strap is, quite literally, a strap for AirPods (it's there in the name, really).




The Spigen AirPods Strap (patent pending) is available on Amazon.

It snaps onto the pods and makes them that much harder to lose. It’s “Compact, lightweight, and extremely durable,” according to the company’s press material.





Friday, September 16, 2016

Microsoft will now allow third-party desktop apps into the Windows Store

Microsoft will now allow third-party developers to bring existing desktop apps into the Windows Store. While the store was mostly an emporium for Microsoft's own universal apps in the past, this week's update makes a push towards one unified store for everything Windows.

In the first rollout, Microsoft worked with developers to bring apps like Evernote, Arduino IDE, doubleTwist, PhotoScape, MAGIX Movie Edit Pro, Virtual Robotics Kit and more into the store.




As Kevin Gallo, Microsoft's VP of the Windows Developer Platform, notes in his blog post, "these are the same apps that customers know and love," only now they get the added security that comes with Microsoft's store management: a known publisher, vetted packages, and clean per-package install and uninstall. One caveat for security-minded readers: apps converted through the Desktop Bridge run with full trust, not inside the AppContainer sandbox that ordinary Universal Windows Platform apps get, so a store listing is not a sandbox. Most importantly, by opening up the store, third-party developers now have a path to port apps to all devices in the Windows ecosystem, from PCs and phones to Xbox One and HoloLens. Essentially, the Desktop Bridge lets developers package an existing Win32 app as a Universal Windows Platform app and make use of the APIs that come with it, including Cortana and the Action Center.

Finally, to make things even easier for developers, Microsoft announced new Desktop Bridge support in three of the most popular installer technologies: InstallShield, WiX and Advanced Installer. The Desktop App Converter itself is currently available for download directly from the Windows Store.



Google Safe Browsing Warning While Accessing The Pirate Bay Download Pages

Rather than internet providers blocking access to the URL (currently thepiratebay.org), certain web browsers are flagging torrent download pages with variations on the following message:

Mozilla Firefox Warning!

Reported Unwanted Software Page!

This web page at thepiratebay.org has been reported to contain unwanted software and has been blocked based on your security preferences.
Unwanted software pages try to install software that can be deceptive and affect your system in unexpected ways.



Google Chrome Warning!

The site ahead contains harmful programs

Attackers on thepiratebay.org might attempt to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit).



If you click Details, this is the message:

"Google Safe Browsing recently found harmful programs on thepiratebay.org.
If you understand the risks to your security, you may visit this site before the harmful programs have been removed."


It sounds like a bad ad network on the torrent site is responsible, and that Google isn't blocking the media repository itself. So if the bright red screen has you worried, this problem should resolve itself fairly soon. Or, if you're impatient, you can click through and deal with the fake "your Flash player is out of date" prompts that The Pirate Bay's ads serve.

The website itself is not blocked, although the red warning appears when you click a magnet link or download link.

In MS Edge, where my search engine is MSN, I can browse it easily.



I experienced this red flag too when one of my ad networks had a malware problem, which I fixed by removing the source ads. I posted about it here: http://www.blogmytuts.net/2015/09/how-to-troubleshoot-blog-site-with.html



Xiaomi Can Silently Install Any App On your Device

A computer science student and security enthusiast from the Netherlands who owns a Xiaomi Mi4 smartphone started investigating the purpose of a mysterious pre-installed app, AnalyticsCore.apk, that runs 24x7 in the background and reappears even if you delete it.

Xiaomi is one of the world's largest smartphone manufacturers. It has previously been criticized for spreading malware, for shipping handsets with pre-loaded spyware/adware on its forked version of Android, and for secretly collecting users' data from the device without their permission.


After asking about the purpose of the AnalyticsCore app on the company's support forum and getting no response, Thijs Broenink reverse engineered the code and found that the app checks the company's official server for a new update every 24 hours.



While making these requests, the app sends device identification information with it, including phone's IMEI, Model, MAC address, Nonce, Package name as well as signature.

If there is an updated app available on the server with the filename "Analytics.apk," it will automatically get downloaded and installed in the background without user interaction.




Broenink found no validation at all of which APK gets installed on the user's phone, which means there is a way for attackers to exploit this loophole. Note that Android itself only insists that an update to an already-installed package be signed with the same key as the installed version; a freshly installed package name carries no such protection, and a system-privileged installer can install it silently.


This also means Xiaomi can remotely and silently install any application on your device just by renaming it to "Analytics.apk" and hosting it on the server.

Since the researcher could not find the actual purpose of the AnalyticsCore app, neither via Google nor on the company's website, it is hard to say why Xiaomi has kept this mysterious "backdoor" on its millions of devices.



Even on the Xiaomi discussion forum, multiple users have expressed concern about the existence of this mysterious APK and its purpose.

What if hackers or any intelligence agency figure out how to exploit this backdoor to silently push malware onto millions of Xiaomi devices within just 24 hours?

Worse, the device connects and receives updates over a plain HTTP connection, exposing the whole process to man-in-the-middle attacks: anyone on the path (a hostile Wi-Fi hotspot, for instance) can substitute their own Analytics.apk.
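To make the loophole concrete, here is an added example in Python; it is not Xiaomi's code and not from Broenink's write-up. It models an updater like AnalyticsCore's: the vulnerable version installs whatever arrives under the name Analytics.apk, while the hardened version requires an HTTPS channel, a signed manifest and a matching digest, so a file swapped in transit or a manifest re-signed by an attacker is refused. The manifest format, the package name com.miui.analytics, the update URLs, the APK bytes and the HMAC key standing in for the vendor's asymmetric signing key are all assumptions constructed for the demonstration.

```python
"""Unverified auto-update (the AnalyticsCore pattern) beside a verified one.
Added example, not Xiaomi's code; manifest format, URLs, key and APK bytes are constructed."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed stand-in for the vendor's signing key. A real updater embeds the
# vendor's *public* key and verifies an RSA/ECDSA signature; this shared-secret
# HMAC only models "the device can check who produced this manifest".
VENDOR_KEY = b"constructed-vendor-signing-key"


class UpdateRejected(Exception):
    pass


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> dict:
    """Attach a MAC over the canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def install_unverified(filename: str, apk: bytes) -> str:
    """Vulnerable: anything whose filename matches is installed, no matter who made it."""
    if filename == "Analytics.apk":
        return "installed:" + hashlib.sha256(apk).hexdigest()[:16]
    return "skipped"


def install_verified(update_url: str, signed: dict, apk: bytes, key: bytes = VENDOR_KEY) -> str:
    """Hardened: require HTTPS, a valid manifest signature and a matching APK digest."""
    if urlparse(update_url).scheme != "https":
        raise UpdateRejected("update channel is not HTTPS")
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise UpdateRejected("manifest signature invalid")
    digest = hashlib.sha256(apk).hexdigest()
    if not hmac.compare_digest(digest, signed["manifest"]["sha256"]):
        raise UpdateRejected("APK digest does not match signed manifest")
    return "installed:" + digest[:16]


# Constructed sample: the vendor's genuine update and an attacker's substitute
GENUINE_APK = b"PK\x03\x04 genuine analytics update (constructed)"
ROGUE_APK = b"PK\x03\x04 attacker payload (constructed)"
GENUINE_MANIFEST = sign_manifest({
    "package": "com.miui.analytics",  # assumed package name
    "version": 2,
    "sha256": hashlib.sha256(GENUINE_APK).hexdigest(),
})
FORGED_MANIFEST = sign_manifest({     # attacker re-signs for the rogue APK with a key of his own
    "package": "com.miui.analytics",
    "version": 3,
    "sha256": hashlib.sha256(ROGUE_APK).hexdigest(),
}, key=b"attacker-key")


def demo() -> dict:
    """Run both installers against the genuine and the man-in-the-middle-swapped APK."""
    results = {
        # Vulnerable path over plain HTTP: the swapped file is accepted because its name matches
        "vuln_genuine": install_unverified("Analytics.apk", GENUINE_APK),
        "vuln_rogue": install_unverified("Analytics.apk", ROGUE_APK),
        "hard_genuine": install_verified("https://update.example/Analytics.apk", GENUINE_MANIFEST, GENUINE_APK),
    }
    cases = [
        ("hard_rogue", "https://update.example/Analytics.apk", GENUINE_MANIFEST, ROGUE_APK),
        ("hard_forged", "https://update.example/Analytics.apk", FORGED_MANIFEST, ROGUE_APK),
        ("hard_http", "http://update.example/Analytics.apk", GENUINE_MANIFEST, GENUINE_APK),
    ]
    for label, url, manifest, apk in cases:
        try:
            results[label] = install_verified(url, manifest, apk)
        except UpdateRejected as e:
            results[label] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} {outcome}")
```

The three hardened checks fail independently on purpose: a plaintext channel is refused before anything is parsed, a manifest that was not produced with the vendor's key is refused before the APK is hashed, and an APK that does not match the signed digest is refused even when the manifest is genuine.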


source: thijsbroenink.com


Thursday, September 15, 2016

Massive Data Breach Exposes 6.6 Million Plaintext Passwords from ClixSense users

ClixSense, a website that claims to pay users for viewing advertisements and completing online surveys, is the latest victim to join the list of "Mega-Breaches" revealed in recent months, including LinkedIn, MySpace, VK.com, Tumblr, and Dropbox.

More than 2.2 million people have already had their personal and sensitive data posted to Pastebin over the weekend. The hackers who dumped the data have put another 4.4 million accounts up for sale.

In addition to plaintext (unhashed) passwords and email addresses, the dumped database includes first and last names, dates of birth, sex, home addresses, IP addresses, payment histories, and other banking details of millions of users.




Troy Hunt, operator of the Have I Been Pwned? breach-notification service, verified the authenticity of the data taken from ClixSense.


Besides giving away 4.4 Million accounts to the highest bidder, the hackers are also offering social security numbers of compromised users, along with the complete source code of the ClixSense website and "70,000 emails" from the company's internal email server, according to a Pastebin message advertising the stolen database.


ClixSense admitted the data breach and said some unknown hackers were able to get access to its main database through an old server which the firm was no longer using, but at the time, still networked to its main database server.

After gaining access, the hacker was able "to copy most, if not all" of the ClixSense users table, ran SQL to change account names to "hacked account", deleted several forum posts, and set users' account balances to $0.00.


ClixSense owner Jim Grago admitted that the database contained entries for roughly 6.6 Million accounts and that the company became aware of the breach on September 4 and managed to regain control of their DNS over the weekend. 

Users are strongly advised to change their ClixSense password immediately, and it would also be a good idea to reset passwords for all of your other online services, especially those using the same password. Since the passwords were stored in plaintext, the attackers do not even need to crack them before trying them elsewhere.

Since ClixSense holds a large trove of personal information on its users, make sure you change your security questions if they use any of the information you provided to ClixSense, such as your address, date of birth, or other identifying information.
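The damage here comes from the plaintext storage as much as from the intrusion. As an added example (not ClixSense's code), the Python below puts a plaintext users table next to the salted, iterated hashing a site should use, built only on the standard library's PBKDF2-HMAC-SHA256, with a constant-time verifier. The usernames, passwords and the 600,000-iteration work factor are constructed assumptions for the demonstration.

```python
"""Plaintext password storage beside salted PBKDF2 hashing.
Added example, not ClixSense's code; users and work factor are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster

# Vulnerable: a dump of this table hands the attacker every password as-is
USERS_PLAINTEXT = {"alice": "hunter2", "bob": "hunter2"}


def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def hashed_table(plaintext_table: dict) -> dict:
    """Migrate a plaintext table; what a dump now hands over is slow-to-crack records."""
    return {user: hash_password(pw) for user, pw in plaintext_table.items()}


def demo() -> dict:
    table = hashed_table(USERS_PLAINTEXT)
    return {
        # two users with the same password get different records because the salts differ
        "same_password_same_record": table["alice"] == table["bob"],
        "alice_ok": verify_password(table["alice"], "hunter2"),
        "alice_wrong": verify_password(table["alice"], "hunter3"),
    }


if __name__ == "__main__":
    print(demo())
```

Storing the algorithm name and iteration count inside each record is what lets a site raise the work factor later and re-hash users on their next login, instead of being stuck with whatever it chose at launch.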


source:  www.clixsense.com



Tutorial: How To Download Facebook Videos From A Profile With IDM

In this tutorial I'll show you how to download videos from a Facebook profile, not only from a Page.

Due to Facebook privacy settings some videos cannot be downloaded even if you have IDM or use a free web download site, but you can bypass that.

Download Blogmytuts IDM here: http://www.blogmytuts.net/search/label/IDM?&max-results=8

1. Copy the link to the video and paste it into another browser.
2. Change the www to m to load the mobile version of the page.
3. Click the "Download this video" button on the right. You will be prompted to choose the format and quality of the video file to download. Select an available format and then download.

Now enjoy downloading.




Google has launched its own Android hacking contest with the first prize winner receiving $200,000

The company has launched its own hacking contest in search of severe Android security vulnerabilities.

The contest is a way to find and fix dangerous Android vulnerabilities before attackers exploit them in the wild.

The competition, 'The Project Zero Prize', is being run by Google's Project Zero, a team of security researchers dedicated to finding and documenting critical bugs and making the web a safer place for everyone.

Starting Tuesday, September 13, 2016 and ending on March 14, 2017, the contest will only award cash prizes to contestants who can successfully hack Android Nougat on Nexus 5X and 6P devices.



Sponsor: Google Inc., located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, is the sponsor of this Contest ("Google").

Eligible participants may enter by completing the tasks as detailed in the entry requirements, and emailing project-zero-prize@google.com.


Contest Cash Prizes
  • First Prize: worth $200,000 USD will be awarded to the first winning entry.
  • Second Prize: worth $100,000 USD will be awarded to the second winning entry.
  • Third Prize: At least $50,000 USD will be awarded to additional winning entries.

However, the catch is that Google wants you to hack the devices knowing only their phone numbers and email addresses.

For their exploits to work, contestants are allowed to trick a user into opening an email in Gmail or an SMS text message in Messenger, but no other user interaction beyond this is allowed.

So, if you want to participate in 'The Project Zero Prize' contest, you are advised to focus on flaws or bug chains that would give you remote code execution (RCE) on multiple Android devices through those two channels.


For more info : https://googleprojectzero.blogspot.in/p/project-zero-security-contest-official.html



The first trailer for 'MegaBots' season one has arrived

The men behind the MegaBots Kickstarter have released the first trailer for their upcoming web series that follows the trials and tribulations of building a 10-ton, 350HP combat robot. The team hired an Emmy-nominated video team to capture all the gory details, and it sounds like the main event -- a hand-to-hand battle against Japan's Kuratas robot -- will be the season finale.

The first episode of real-life Titanfall will drop September 28th on the MegaBots YouTube channel and Facebook page. After that, release cadence will be every two weeks.


Check out the video below for your first taste of the chaos.



Wednesday, September 14, 2016

The Pwn Phone by Pwnie Express on Mr. Robot, a "Dream Device for Pentesters", Is a Real Thing

Throughout seasons 1 and 2 we have seen that connected devices are the entry point of choice for Elliot and fsociety to breach networks and bypass traditional security controls.

Viewers may have noticed the show's protagonist, Elliot Alderson, executing a complicated hack with the help of a device called a Pwn Phone. Now, hackers and Mr. Robot diehards can imitate their favorite revolutionary by getting one of their own.

Security pros have long known the Pwn Phone as a powerful mobile platform for penetration testing and security assessments, so it is not surprising to see it on Mr. Robot.

The coolest part is that Pwnie Express is giving away a Pwn Phone, just like the one used in the show.


The Pwn Phone is a real-life product made by a Boston-based startup called Pwnie Express. The "dream device for hackers" allows users to check if there are any vulnerabilities in wired, wireless, or Bluetooth networks, and it looks like a regular cell phone. If you have a spare $1,095 sitting around, you can buy one here.


In the 8/31 episode of Mr. Robot, Elliot uses a Pwn Phone as a mobile platform to run CrackSIM, a custom script he has written. CrackSIM's goal is to find vulnerable SIM cards and then crack the DES key of such a card. Elliot then loads a malicious payload onto the SIM card to pwn the phone.

The Pwn Phone is a mobile pentesting device that makes it incredibly easy to evaluate wired, wireless and Bluetooth networks. It is built on Kali Linux, comes pre-packaged with over 100 built-in 'one-click' tools, and can run third-party scripts.

The Pwn Pad exists for security pros who want a tablet version, and it’s also available via the Android Open Pwn Project.


The Pwn Phone is the latest in a series of connected device hacks on Mr. Robot that have included a Femtocell, a Raspberry Pi, and Bluetooth sniffers, along with the hack of an E-Corp exec’s connected home and the crucial meltdown of E-Corp’s data center by using a connected HVAC system.


These are real threats that are being exploited by criminals to gain unauthorized access and steal data from companies today.


The company's CEO Paul Paget talked to Mashable about the device.

"A lot of times if you’re trying to audit something and checking the facility, everybody gets a little suspicious," he explained. "This is like sending mystery shoppers around the store or what you see in Undercover Boss."


In the past, Pwnie has made it clear that they do not condone the criminal use of penetration testing tools and devices. But pentesting is important, and having the tools to do it properly is part of that process.

Sometimes you need to break things to find and fix serious security vulnerabilities in the devices and networks that permeate nearly every facet of our daily lives. The bad guys have every tool available to them; white hats should be equally well-equipped.



 

unSend: Self-Destruct or Edit any SMS text message after you send it

Unsend It™ is an encrypted messaging app that lets users unsend, edit and self-destruct text messages at any time, even after the recipient has read or opened them.

Ever wish you could unsend a text? Whether it's a typo, an autocorrect blunder, texting the wrong pic, or sending the text to the wrong person, unSend.it is the solution!

What's really cool is that only the sender needs the app; the recipient can receive my message even if they do not have unSend.


In Mr. Robot Season 2 Episode 8, djmobley uses a self-destructing text message.

Wickr auto-deletes the texts, then he factory-resets his device.


With unSend you can use it on similar way.
This app is fully-loaded with additional features including customizable photo avatars, screen names that you can change on the fly (so you can control what/how your name appears to any recipient when sending a text), PIN-locking, audio messaging, screenshot detection & more!
  • unSend or Edit any SMS text messages at any time (even after being opened by the recipient)
  • Share photos and voice messages with your friends.
  • With end-to-end encryption your data is safe. Even if we wanted to we can't share it with 3rd parties.
  • Auto-unSend your messages on read, in one hour or in a day. It will be destroyed automatically.
  • detect screenshots & much more.

Above all, it has high security. I advise people to use unsend right now.
Available on iPhone : https://itunes.apple.com/us/app/id1090666384

MagSpoof, a device that can spoof credit cards/magstripes and disable Chip & PIN

MagSpoof is a device that can spoof/emulate any magnetic stripe or credit card. It can work "wirelessly", even on standard magstripe/credit card readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card.

In Mr. Robot Season 2 we saw Darlene break into a hotel room using a combination of wigs, gadgets, and sleight of hand. It all happens pretty fast, and the upshot is basically "she got into the room with technology," but what she's doing is a lot more grounded and plausible than you might think.

(screenshot from Samy Kamkar's YouTube video)

The core trick here is cloning the maid's hotel key, which can open any room in the hotel. The card itself is just a number encoded on a magnetic stripe. Getting the number is as simple as swiping the card, which we see Darlene doing with what looks like a Square reader. Most credit card readers don't store the number after it has gone through (that would be asking for fraud), but there's no technical measure stopping a reader from storing the number and reproducing it. That's how most ATM skimming fraud happens, and as long as you're dealing with magnetic stripes, this kind of attack will be a problem: the stripe carries no secret that a reader cannot copy.



MagSpoof can be used as a traditional credit card and simply store all of your credit cards (and with modification, can technically disable chip requirements) in various impressive and exciting form factors, or can be used for security research in any area that would traditionally require a magstripe, such as readers for credit cards, drivers licenses, hotel room keys, automated parking lot tickets, etc.

Live demonstration and more details available in the video: 




MagSpoof - "wireless" credit card/magstripe spoofer
  • Allows you to store all of your credit cards and magstripes in one device
  • Works on traditional magstripe readers wirelessly (no NFC/RFID required)
  • Can disable Chip-and-PIN
  • Correctly predicts Amex credit card numbers + expirations from previous card number (code not included)
  • Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously
  • Easy to build using Arduino or other common parts
By @SamyKamkar, who also spoke at DEF CON 18.
  MagSpoof does not enable you to use credit cards that you are not legally authorized to use. The Chip-and-PIN and Amex information is not implemented and using MagSpoof requires you to have/own the magstripes that you wish to emulate. Simply having a credit card number and expiration is not enough to perform transactions. MagSpoof does allow you to perform research in other areas of magstripes, microcontrollers, and electromagnetism, as well as learn about and create your own devices similar to other existing, commercial technologies such as Samsung MST, Squareup and Coin.
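What a reader actually sees, and what MagSpoof's coil plays back, is a stream of bits rather than digits. The Python below is an added example, not Samy Kamkar's MagSpoof code: it encodes and decodes the ISO/IEC 7811 character coding used on Track 1 (6 data bits plus odd parity, ASCII 0x20 to 0x5F) and Track 2 (4 data bits plus odd parity, digits and the ';' '=' '?' sentinels), each character sent least-significant bit first and the track closed by an LRC character, which is the same bit layout MagSpoof's Arduino sketch generates. The card contents, the 25-bit zero padding and the helper names are constructed for the demonstration; 4111111111111111 is the usual test card number, not a real account.

```python
"""Track 1 / Track 2 magstripe bit-stream encoder and decoder.
Added example, not MagSpoof's code; card data below is constructed."""

# data bits per character and the ASCII base each track's character set starts at
TRACK_PARAMS = {
    1: {"data_bits": 6, "base": 0x20, "start": "%"},  # values 0..63 -> ' ' .. '_'
    2: {"data_bits": 4, "base": 0x30, "start": ";"},  # values 0..15 -> '0' .. '?'
}
END_SENTINEL = "?"


def _char_bits(value: int, data_bits: int) -> list:
    """Least-significant bit first, then one odd-parity bit."""
    bits = [(value >> i) & 1 for i in range(data_bits)]
    bits.append(1 - (sum(bits) & 1))
    return bits


def _bits_value(chunk: list, data_bits: int) -> int:
    """Inverse of _char_bits; -1 if the parity is wrong (so it cannot be a character)."""
    if len(chunk) != data_bits + 1 or sum(chunk) % 2 == 0:
        return -1
    return sum(bit << i for i, bit in enumerate(chunk[:data_bits]))


def encode_track(data: str, track: int, padding: int = 25) -> list:
    """Bit stream for one track: clocking zeros, characters, LRC, clocking zeros."""
    p = TRACK_PARAMS[track]
    if not (data.startswith(p["start"]) and data.endswith(END_SENTINEL)):
        raise ValueError("track data must run from start sentinel to end sentinel")
    bits = [0] * padding
    lrc = 0
    for ch in data:
        value = ord(ch) - p["base"]
        if not 0 <= value < (1 << p["data_bits"]):
            raise ValueError(f"{ch!r} cannot be encoded on track {track}")
        lrc ^= value                              # LRC covers the sentinels too
        bits += _char_bits(value, p["data_bits"])
    bits += _char_bits(lrc, p["data_bits"])       # LRC carries its own parity bit
    return bits + [0] * padding


def decode_track(bits: list, track: int) -> str:
    """Find the start sentinel, read until the end sentinel, check parity and LRC."""
    p = TRACK_PARAMS[track]
    n = p["data_bits"] + 1
    start_value = ord(p["start"]) - p["base"]
    end_value = ord(END_SENTINEL) - p["base"]
    i = 0
    while i + n <= len(bits) and _bits_value(bits[i:i + n], p["data_bits"]) != start_value:
        i += 1                                    # slide past the leading zeros
    chars, lrc = [], 0
    while True:
        if i + n > len(bits):
            raise ValueError("no end sentinel found")
        value = _bits_value(bits[i:i + n], p["data_bits"])
        if value < 0:
            raise ValueError(f"parity error at bit {i}")
        i += n
        lrc ^= value
        chars.append(chr(p["base"] + value))
        if value == end_value:
            break
    if _bits_value(bits[i:i + n], p["data_bits"]) != lrc:
        raise ValueError("LRC mismatch")
    return "".join(chars)


# Constructed card: test PAN 4111111111111111, expiry 12/25, service code 101
TRACK1 = "%B4111111111111111^DOE/JOHN^2512101?"
TRACK2 = ";4111111111111111=2512101?"


def round_trip(data: str, track: int) -> bool:
    return decode_track(encode_track(data, track), track) == data


if __name__ == "__main__":
    stream = encode_track(TRACK2, 2)
    print(len(stream), "bits:", "".join(map(str, stream)))
    print("track 1 round trip:", round_trip(TRACK1, 1), "track 2 round trip:", round_trip(TRACK2, 2))
```

The decoder's parity and LRC checks are the same ones a reader applies, which is why a single corrupted bit makes a swipe fail rather than yield a wrong number, and why a replayed stream that passes them is indistinguishable from the original card.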


source: http://samy.pl/magspoof/

Tuesday, September 13, 2016

The upcoming all-electric Chevy Bolt can go 238 miles without recharging

The upcoming GM all-electric Chevy Bolt will sport an electric range of 238 miles according to estimates by the EPA. Chevy had previously said only that the car would have a range in excess of 200 miles.

This will make the car the first truly affordable electric vehicle with a range over 200 miles, a range Chevy believes is essential to widespread adoption of electric vehicles. The company has said the vehicle will have a base price of less than $37,500, meaning the actual price will be less than $30,000 after a US federal tax credit of $7,500 (receiving the full credit requires making enough money to pay $7,500 in tax, however). Several states offer additional tax credits, as well. The actual price of the Bolt will be announced later this fall.





The 238 mile range is an estimate of the number of miles the vehicle should be able to travel in combined city and highway driving from a full charge. An extended 70 mph drive down the highway will drain the battery in a significantly shorter distance, while city-only driving will likely enable a longer range.

The Tesla Model S is the only other electric car to have a total range of more than 200 miles. The entry-level model has a 60 kWh battery (the same size as the Bolt) with an EPA estimated range of 210 miles. That car starts at $66,000 before tax credits. Tesla offers a number of other battery capacities as well, including a new 100 kWh offering that the EPA says can exceed 300 miles of range, though it starts at $134,500 — almost four times that of the base Bolt, which will only come with one battery option.


Netflix pushing for the US government to make some data caps illegal

Netflix wants you to be able to stream plenty of TV shows whether you’re at home or on a mobile connection.

In a letter sent to the Federal Communications Commission last week, Netflix said that the commission should consider banning data caps on wired internet connections and banning "low" data caps on mobile connections.

"Data caps (especially low data caps) and usage based pricing discourage a consumer’s consumption of broadband and may impede the ability of some households to watch internet television in a manner and amount that they would like," Netflix writes.

It argues that data caps on wired internet lines — like the home service provided by Comcast — "do not appear to serve a legitimate purpose." They are an "ineffective" tool for managing network congestion, Netflix writes.

Similarly, Netflix argues, "usage based pricing" (that is, charging by the gigabyte) is meant simply to get more money out of consumers. "Data caps and [usage based pricing] raise the cost of using the connections that consumers have paid for, making it more expensive to watch internet television," it says.


Netflix is concerned about that, but it’s also worried that data caps could soon become widespread on fixed internet lines, too.


The initial cap, Netflix writes, is only enough to meet "the internet television needs of an average American," and that’s if you count out all other web browsing. A higher limit is necessary, it says, for families and 4K streaming.

Netflix’s letter is particularly interesting in light of the FCC’s revamped set-top box plan (which was announced after Netflix’s filing). The plan requires cable companies to build TV streaming apps for their subscribers to use; that’s totally fine on an internet connection without data caps, but on a capped connection, it’d limit how much someone is able to watch. At the same time, if TV and cable providers zero rate their own streams, so that they don't count against data caps, services like Netflix would be put at a huge disadvantage.

The FCC’s set-top box proposal doesn’t touch the issue of data caps at all. "If an issue should emerge, we would monitor possible consumer harm and could address under the general conduct standard of the Open Internet rules," Kim Hart, the FCC’s press secretary, tells The Verge in an email. "We recognize that different pay-TV providers will take different approaches. Some providers have indicated that they will transmit the video over different capacity than that used for internet access."

Access to streaming TV is something the commission is already keeping a close eye on. In approving Charter’s acquisition of Time Warner Cable, the FCC imposed conditions that limited the combined company’s ability to harm streaming services like Netflix. It also banned data caps or usage-based pricing for seven years, out of concern that these would curtail the rise of online TV just as it was getting started. Those restrictions were also enough to scare Comcast into raising its own data caps from 300GB to 1TB.



Monday, September 12, 2016

Google Chrome will Label Sensitive HTTP Pages as "Not Secure"

Starting in January of 2017, the world's most popular web browser Chrome will begin labeling HTTP sites that transmit passwords or ask for credit card details as "Not Secure" — the first step in Google's plan to discourage the use of sites that don't use encryption.

The change will take effect with the release of Chrome 56 in January 2017 and affect certain unsecured web pages that feature entry fields for sensitive data, like passwords and payment card numbers, according to a post today on the Google Security Blog.



Last month, Google also enabled HTTP Strict Transport Security (HSTS) on its main domain (google.com), so that browsers which have seen the header automatically upgrade requests for the site to HTTPS instead of loading it over insecure HTTP.

Unencrypted HTTP is considered dangerous particularly for login pages and payment forms, as it allows a man-in-the-middle attacker to read passwords, login session cookies and credit card data as they travel across the network, and to modify the page itself before it reaches the user.


In following releases, Chrome will extend the warning, first flagging all HTTP pages as "Not secure" in Incognito mode, where users may have higher expectations of privacy, and eventually labeling every HTTP page with the red warning triangle it uses for broken HTTPS.


"Chrome currently indicates HTTP connections with a neutral indicator," Emily Schechter wrote in a blog post. "This doesn't reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you."

This isn't the first time Google has taken steps to encourage site owners to switch to HTTPS. Two years ago, Google also changed its search-ranking algorithm to give a ranking boost to websites that use encrypted HTTPS connections.


Google reported that today, more than half of the pages loaded by Chrome users are already served over HTTPS.
Not only Google: Mozilla has also been encouraging HTTPS adoption through Let's Encrypt, the free certificate authority it helped found, which issues free SSL/TLS certificates to website owners to help them implement HTTPS for their services.
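As an added check (example code, not Chrome's or Google's), the Python below applies the Chrome 56 rule to a page and audits a Strict-Transport-Security header like the one google.com now sends: an HTTP page that contains a password field or a card-number field is "Not Secure", an HTTPS page is "secure", any other HTTP page keeps the neutral indicator, and an HSTS header is checked for the max-age, includeSubDomains and preload directives the preload list requires. Chrome's real credit-card detection uses autofill heuristics; here it is simplified to the autocomplete="cc-number" token. The sample pages and headers are constructed.

```python
"""Chrome 56 'Not Secure' rule and an HSTS header audit.
Added example, not Chrome's code; sample pages and headers are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

ONE_YEAR = 31536000  # minimum max-age the HSTS preload list accepts


class SensitiveFieldFinder(HTMLParser):
    """Counts password inputs and card-number inputs (simplified to autocomplete=cc-number)."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.card_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password":
            self.password_fields += 1
        if a.get("autocomplete", "").lower() == "cc-number":
            self.card_fields += 1


def chrome56_verdict(url: str, html: str) -> str:
    """'secure' for HTTPS; 'Not Secure' for HTTP pages collecting passwords or card numbers; else 'neutral'."""
    if urlparse(url).scheme == "https":
        return "secure"
    finder = SensitiveFieldFinder()
    finder.feed(html)
    if finder.password_fields or finder.card_fields:
        return "Not Secure"
    return "neutral"  # plain HTTP without sensitive fields still gets the neutral icon in Chrome 56


def parse_hsts(header: str) -> dict:
    """Parse Strict-Transport-Security directives (names are case-insensitive)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            out["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def hsts_findings(header: str) -> list:
    """Problems a reviewer would flag; an empty list means the header is preload-ready."""
    h = parse_hsts(header)
    problems = []
    if h["max_age"] is None:
        problems.append("max-age missing: browsers ignore the header")
    elif h["max_age"] == 0:
        problems.append("max-age=0: removes the host from the browser's HSTS cache")
    elif h["max_age"] < ONE_YEAR:
        problems.append("max-age below one year: too short for the preload list")
    if not h["include_subdomains"]:
        problems.append("includeSubDomains missing: subdomains stay downgradable")
    if not h["preload"]:
        problems.append("preload missing: not eligible for the preload list")
    return problems


# Constructed sample pages and headers
LOGIN_PAGE = '<form action="/login"><input name="u"><input type="password" name="p"></form>'
CHECKOUT_PAGE = '<form><input autocomplete="cc-number" name="card"></form>'
BLOG_PAGE = '<h1>Hello</h1><form><input type="search" name="q"></form>'
GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"
WEAK_HSTS = "max-age=300"

if __name__ == "__main__":
    for url, page in [("http://shop.example/login", LOGIN_PAGE),
                      ("http://shop.example/pay", CHECKOUT_PAGE),
                      ("http://blog.example/", BLOG_PAGE),
                      ("https://shop.example/login", LOGIN_PAGE)]:
        print(url, "->", chrome56_verdict(url, page))
    print(GOOD_HSTS, "->", hsts_findings(GOOD_HSTS) or "preload-ready")
    print(WEAK_HSTS, "->", hsts_findings(WEAK_HSTS))
```

Note that HSTS only protects visitors who have already received the header over a successful HTTPS connection (or who use a browser with the site on its preload list); the first plain-HTTP visit is exactly the one Chrome's "Not Secure" label is warning about.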




USB credential stealing while Windows/Mac OS X screen is locked in just 13 seconds

A security researcher has discovered an attack method that can be used to steal credentials from a locked (but logged-in) computer and that works on both Windows and Mac OS X systems.

Security expert Rob Fuller demonstrated how a small USB SoC-based device can be turned into a credential sniffer that works even on a locked computer or laptop.
Fuller set the device up so that when it is plugged in it enumerates as a plug-and-play USB Ethernet adapter, installs itself, and acts as the network gateway, DNS server, and Web Proxy Auto-Discovery Protocol (WPAD) server for the victim's machine.



The attack is possible because most PCs automatically install Plug-and-Play USB devices, meaning "even if a system is locked out, the device [dongle] still gets installed."

"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."

Why does your computer automatically share Windows credentials with any connected device?
Because of the default behavior of Windows name resolution (LLMNR and NetBIOS) and WPAD proxy auto-discovery: a rogue host that answers those requests can make the machine authenticate to it with the logged-in user's NTLM credentials, without any user action.

The rogue USB Ethernet adapter runs Responder (available on GitHub), which answers those requests, captures the NTLM challenge-response hashes, and stores them in an SQLite database.

USB Armory ($155):
Debian/Jessie - https://github.com/inversepath/usbarmory/wiki/Starting#preparing-your-own-microsd-card
Kali on USB Armory - http://docs.kali.org/kali-on-arm/kali-linux-on-usb-armory
Resizing the SD partition - http://base16.io/?p=61

Hak5 LAN Turtle ($49.99):
Turtle video guides and wiki - https://lanturtle.com/wiki/#!videos.md



The hashed credentials collected by the tool are NTLM challenge-responses, not the passwords themselves; they can later be cracked offline (with hashcat or John the Ripper, for example) to recover clear-text passwords.

If you watch Mr. Robot Season 2 Episode 9, the USB Rubber Ducky used there is similar to this method, with Angela venturing onto the FBI floor of the Evil Corp offices to plant the exploit-laced femtocell.

To conduct this attack, attackers need physical access to the target computer so that they can plug in the evil USB Ethernet adapter. However, Fuller says the average time required for a successful attack is just 13 seconds.

Watch the video demonstration below that shows Fuller's attack in action.





Fuller successfully tested his attack against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 Enterprise and Home (but not Windows 8), as well as OS X El Capitan and OS X Mavericks. He’s also planning to test it against several Linux distros. 

Fuller explains the details in his blog post.



Hong Kong-based Technology Manufacturer Is Selling A $49.95 USB Killer Stick

A proof-of-concept USB stick designed last year by a Russian researcher known as Dark Purple effectively destroys sensitive components of a computer when plugged in.

Now someone has actually productized the Killer USB stick, which destroys almost anything it is plugged into, such as laptops, PCs or televisions.

A Hong Kong-based technology manufacturer is selling a USB thumb drive called USB Kill 2.0 that can fry almost any computer it's plugged into by introducing a power surge via the USB port. It costs $49.95.



As the company explains, when plugged in, the USB Kill 2.0 stick rapidly charges its capacitors via the USB power supply, and then discharges – all in a matter of seconds.


The USB Kill 2.0 is a testing device created to test USB ports against power surge attacks. The USB Kill 2.0 tests your device's resistance against this attack.

The USB Kill collects power from the USB power lines (5V, 1 - 3A) until it reaches ~ -240V, upon which it discharges the stored voltage into the USB data lines.
This charge / discharge cycle is very rapid and happens multiple times per second.
The process of rapid discharging will continue while the device is plugged in, or until the device can no longer discharge - that is, the circuit in the host machine is broken.

The USB Kill Tester Shield is a dual purpose device:
- It allows you to test your USB Kill 2.0 without damaging your host device.
- It prevents data theft via 'juice-jacking'

If you use a charger or USB port that is not your own - the device can steal your data while you are charging. Using a USB Kill Shield will prevent devices from having access to your data.
The USB Kill Tester Shield is sold for an additional $15.70 and is designed to allow testing of the USB Killer stick without destroying the host machine.




USB Kill stick could be a boon for whistleblowers, journalists, activists, and, not to forget, cyber criminals, who want to keep their sensitive data away from law enforcement as well as cyber thieves.


Mr. Robot used a microwave oven to destroy evidence.



The idea is "if you're caught, destroy everything", in the same fashion as a terrorist's self-destruct: here it means killing the data on your laptop if law enforcement has seized it, and a USB Kill stick does that for you.


However, the company claims to have developed USB Kill 2.0 stick for the sole purpose of allowing companies to test their devices against USB Power Surge attacks and to prevent data theft via "Juice Jacking" attacks. 

The company claims about 95% of all devices available on the market today are vulnerable to power surge attacks introduced via the USB port. According to the company, the only devices not vulnerable to USB Kill attacks are recent models of Apple's MacBook, which optically isolate the data lines on their USB ports.

Juice jacking is a type of cyber attack wherein malware installed on a computer surreptitiously copies data from a smartphone, tablet or other computer over a USB charging port that doubles as a data connection.


While USB Kill 2.0 has been "designed and tested to be safe," the company warns that the USB stick "is a high-voltage device" and is only meant for "responsible adults." Also, the company's website "strongly condemns the malicious use of its products."



source: www.usbkill.com





Sunday, September 11, 2016

iTrueMart Ph has announced it is discontinuing sales operations

iTrueMart announced that after almost a year of providing Great Value Everyday, iTrueMart Philippines’ journey comes to an end.

In a post: https://www.facebook.com/iTrueMartPh/photos/a.883231138421895.1073741827.859254984152844/1070286269716380/?type=3

Dear Valued Customers,

With your overwhelming support, we have accomplished a lot in a short span of time. Because of this, our commitment to serve the Filipino consumer is stronger than ever.

Seeing the many areas of underserved needs, we have decided to refocus our efforts. Today, we are announcing that after almost a year of providing Great Value Everyday, iTrueMart Philippines’ journey comes to an end.

www.iTrueMart.ph will discontinue sales starting on September 9, 2016 onwards. If you have order-related inquiries after September 9, 2016, you may still contact us at cs@iTrueMart.ph with the subject title “Order No. XXXXXX Issue” (e.g. Order No. 1234 Cancellations)

Sincerely,
iTrueMart Philippines Team




iTrueMart Philippines is an online shopping retailer for branded products at the best value.

Following its success in Thailand as one of the leading online retailers, with 20,000 product items from over 700 brands and a massive inventory of over 1 million items, iTrueMart is now ready to bring its unique online shopping experience to the Philippines.

iTrueMart is a business unit of Ascend Corporation, which is a subsidiary of C.P. Group, Thailand’s leading corporation and one of the world’s largest conglomerates.




Google's mobile security team fixes two serious Android security flaws

The company has released an Android update that closes two security holes that could pose a major threat if intruders found a way to exploit them. The first was only designed for "research purposes" and would only have been malicious if modified, Google tells Ars Technica, but it wouldn't have been hard to detect or weaponize.

The other flaw behaved similarly to the well-known Stagefright exploit, letting an attacker send an altered JPEG image through Gmail or Google Talk to hijack your phone. The issue, as SentinelOne researcher Tim Strazzere explains to Threatpost, is that it's both easy to find and capitalize on this vulnerability.



There's more. Security company Check Point also revealed that Google Play had been hosting apps containing two forms of malware (CallJam and DressCode). CallJam both steered phones to websites that made bogus ad revenue and, if you granted permission, would call paid phone numbers. DressCode would also visit shady ad sources, but it could also compromise local networks. Google has since removed the offending apps, but the infection rate may have been high, given that users downloaded the software hundreds of thousands (or in a few cases, millions) of times.

While the likelihood of running into this malware is relatively small, it underscores an issue with timely Android security updates. Only Nexus owners get first crack at the fixes -- most everyone else will have to wait, provided they're in line in the first place. Google's monthly security updates help, but this won't do much if your phone maker either hasn't committed to those updates or has left you running an older Android version that can't get those patches. You may have to either be patient for a more conventional update or move to a newer device if you're determined to stay current.



Source: Ars Technica, Threatpost


Dropbox responds to security fears about the permissions its Mac app needs

Users now claim that Dropbox's Mac app asks for overly broad permissions, swipes your password and even hacks the operating system. The cloud storage service is trying to allay those fears, though. Desktop app team member Ben Newhouse has responded to concerns on Hacker News with both an explanation of design decisions and a promise to improve its transparency.

The app only asks for the permissions it needs, Newhouse says. It uses the Mac's accessibility kit for certain tie-ins (such as in Office), and demands elevated access to your OS when standard programming interfaces fall short. The permissions aren't as "granular" as Dropbox would like, the developer adds. He stresses that Dropbox can't see your system's administrator password, and a privilege check on startup is only to make sure the software works consistently, especially across OS versions.



As for what the company will do to turn things around? To start, it wants to do a "better job" explaining what its software is doing and why it needs the permissions it does. Also, it's teaming with Apple to reduce that dependence on elevated access in macOS Sierra, and will respect when people disable Dropbox's accessibility permissions -- currently, it turns the permissions back on.

The effort to come clean may assuage those worried Dropbox is running roughshod over your computer. However, it's not pleasing everyone. Hacker News users want the firm to more explicitly outline why it needs the permissions it does, and they're worried that the broad system-level control opens the door to malware that otherwise wouldn't be possible. It's important to stress that Dropbox's requests aren't unique -- apps like Chrome and Steam also demand accessibility permissions for features, such as Steam's screen overlay. However, that might not reassure customers who believe that Dropbox's existing approach is both unnecessary and risky.


source: Hacker News