The Hacker News - Cybersecurity News and Analysis: pen drive

Remember Killer USB stick ? A proof-of-concept USB prototype that was designed by a Russian researcher, Dark Purple, last year, to effectively destroy sensitive components of a computer when plugged in. Now, someone has actually created the Killer USB stick that destroys almost anything – such as Laptops, PCs, or televisions – it is plugged into. A Hong Kong-based technology manufacturer is selling a USB thumb drive called USB Kill 2.0 that can fry any unauthorized computer it's plugged into by introducing a power surge via the USB port. It costs $49.95 . How does USB Kill 2.0 work? As the company explains, when plugged in, the USB Kill 2.0 stick rapidly charges its capacitors via the USB power supply, and then discharges – all in a matter of seconds. The USB stick discharges 200 volts DC power over the data lines of the host machine and this charge-and-discharge cycle is repeated several numbers of times in just one second, until the USB Kill stick is removed. &

A Security researcher has discovered a unique attack method that can be used to steal credentials from a locked computer ( but, logged-in ) and works on both Windows as well as Mac OS X systems. In his blog post published today, security expert Rob Fuller demonstrated and explained how to exploit a USB SoC-based device to turn it into a credential-sniffer that works even on a locked computer or laptop. Fuller modified the firmware code of USB dongle in such a way that when it is plugged into an Ethernet adapter, the plug-and-play USB device installs and acts itself as the network gateway, DNS server, and Web Proxy Auto-discovery Protocol (WPAD) server for the victim's machine. The attack is possible because most PCs automatically install Plug-and-Play USB devices, meaning "even if a system is locked out, the device [dongle] still gets installed," Fuller explains in his blog post . "Now, I believe there are restrictions on what types of devices are allowed to

Air-gapped computers that are isolated from the Internet or other networks and believed to be the most secure computers on the planet have become a regular target in recent years. A team of researchers from Ben-Gurion University in Israel has discovered a way to extract sensitive information from air-gapped computers – this time using radio frequency transmissions from USB connectors without any need of specialized hardware mounted on the USB. Dubbed USBee , the attack is a significant improvement over the NSA-made USB exfiltrator called CottonMouth that was mentioned in a document leaked by former NSA employee Edward Snowden. Unlike CottonMouth , USBee doesn't require an attacker to smuggle a modified USB device into the facility housing the air-gapped computer being targeted; rather the technique turns USB devices already inside the facility into an RF transmitter with no hardware modification required. Must Read: BadUSB Code Released – Turn USB Drives Into Undete

Two Google engineers have developed a draft version of an API called WebUSB that would allow you to connect your USB devices to the Web safely and securely, bypassing the need for native drivers. WebUSB – developed by Reilly Grant and Ken Rockot – has been introduced to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG), is build to offer a universal platform that could be adopted by browser makers in future versions of their software. Connecting USB Devices to the Web WebUSB API allows USB-connected devices, from keyboards, mice, 3D printers and hard drives to complex Internet of Things (IoTs) appliances, to be addressed by Web pages. The aim is to help hardware manufacturers have their USB devices work on any platform, including Web, without having any need to write native drivers or SDKs for a dedicated platform. Besides controlling the hardware, a Web page could also install firmware updates as well as perform other essential tasks. Howev