News & Updates

Behold, Xiaomi’s Mi Mix. (video link)

SPECS AT A GLANCE: XIAOMI MI MIX
SCREEN 2040×1080 6.4″ (362ppi) IPS LCD
OS Android 6.0 with Miui 8
CPU Quad-core Qualcomm Snapdragon 821 (two 2.35GHz Kryo cores and two 2.12 GHz Kryo cores)
RAM Standard: 4GB

“18K” version: 6GB

GPU Adreno 530
STORAGE Standard: 128GB”18K” version: 256GB
NETWORKING 802.11b/g/n/ac, Bluetooth 4.2, GPS, NFC
BANDS GSM: B2, 3, 5, 8
WCDMA: B1, 2, 5, 8
CDMA: BC0
TD-SCDMA: B34, 39
FDD-LTE: B1, 2, 3, 4, 5, 7, 8
TD-LTE: B38, 39, 40, 41
PORTS USB Type-C, 3.5mm headphone jack
CAMERA 16MP rear camera, 5MP front camera
SIZE 158.8 x 81.9 x 7.9 mm (6.25 x 3.22 x 0.31 in)
WEIGHT 209 g (7.37 oz)
BATTERY 4400 mAh
STARTING PRICE Standard: ~ $516

“18K” version: ~$590

OTHER PERKS Fingerprint sensor, notification LED

Smartphone design has stagnated. If you’re using Apple as a measuring stick for the industry, we’re going to have three years of iPhones that use an identical case design. If you’re going by Samsung, the company hasn’t tweaked its front design since the Galaxy S5 in 2014. Google just produced its first self-branded smartphone hardware ever, and it didn’t have anything significant to say when it comes to smartphone design either.

Not everyone in the industry seems so content with the status quo, though. For a different take on smartphone design, we look to China, where Xiaomi has just introduced a phone with a jaw-dropping design that maximizes screen real estate above all else. The Xiaomi Mi Mix is the company’s look at “the future of smartphones.” While it’s being called a “concept phone,” it’s actually for sale for the shockingly low price of $516. Forget about buying it, though—Xiaomi is selling the Mi Mix in China only. Even if you could pay a premium to import it, it sadly lacks important LTE bands for service in the US.

Read 63 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

Intel is working on an array of overclocking chips based on their forthcoming Kaby Lake architecture. While you have probably already seen the Core i7 and Core i5 K-Series processor, new leaks are suggesting that Intel also intends to roll out at least one i3 K-series chip. The Intel Core i3-7350K is undoubtedly an interesting […]

The post Intel’s Unlocked Core i3-7350K Processor For Entry Level Overclockers: Specs, Price Detailed appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/

Strangely, the answer is a thundering PROBABLY. This probably will shake the mountains and rattle the heavens. You will tell your grandchildren of this probably. This is the probably heard ’round the world. Fallout 5, y’all. Is Fallout 5 already in development? According to game guide, Fallout 5 is in the development and will make a […]

The post Fallout 5 Release Date, Latest News & Updates – Bethesda Already Working On Sequel? appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/

A new flaw allows to bypass the iPhone Passcode protection, even when Touch ID is properly configured, and access photos and messages stored on the device.

The use passcode for the protection of users’ data on iPhone Smartphone doesn’t protect users from the possibility that local ill-intentioned will access their data.

A new flaw allows to bypass the passcode protection, even when Touch ID is properly configured, and access photos and messages stored on the device.

The critical vulnerability affects the iOS 8 and newer versions of the Apple OS, including 10.2 beta 3. An attacker can bypass iPhone passcode and gain access to personal data on the device by exploiting the Apple personal assistant Siri.

The security issue has been discovered by EverythingApplePro and iDeviceHelps who made public it and published a video PoC of the hack.

 

The attacker needs the phone number of the target iPhone and access to the phone for a few minutes. If he doesn’t know the phone number, well Siri will reveal it with a simple query, “Who am I?

  • When the attacker has the number of the device he needs to follow simple steps in order to bypass the iPhone passcode protection.
  • Once you got the phone number, follow these simple steps to read personal data on the Smartphone, including messages and photos.
  • Call on target’s phone number, it is also works making a FaceTime call.
  • The target iPhone screen will show a message icon, just click on ‘Message icon’ and then ‘Custom Message’ to go to the New Message screen, in this way, the user can type a reply.
  • Activate Siri by long-pressing the Home button and say “Turn on Voice Over,” and Siri will do it.
  • Go back to the message screen and double tap the bar where the user is required to enter the caller’s name and then hold, while immediately click on the keyboard. This may not produce the expected effect in the first time, so repeat the action until a slide-in effect appears on the iPhone’s screen above the keyboard.
  • Ask Siri to “Turn off VoiceOver,” come back to messages and simply type in the first letter of a caller’s name in the top bar, tap ⓘ icon next to it, and then add a new contact.
  • Select add photo and choose a photo, you will get the access to the entire photo gallery even if the device is locked.
  • Select any contact on the iPhone to visualize all previous conversations of the target with this specific contact.

iPhone Passcode

Waiting for a fix, it is possible to protect the user’s device by disabling Siri on the lock screen, this means that the personal assistant will be accessible only after providing the iPhone passcode or the fingerprint.

Go to the Settings Touch ID & Passcode and Disable Siri on the Lockscreen by toggling the switch to disable.

Another possibility consists in removing Photos access from Siri in this way:

Go to Settings Privacy Photos and then prevent Siri from accessing pictures.

Experts believe Apple will fix the issue in the next version of iOS 10.2.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs –  iPhone 7, mobile)

The post How to Bypass iPhone Passcode and access personal data on the device appeared first on Security Affairs.

Source: Security affairs

The Mini NES Classic Edition is sold out. The miniature version of the groundbreaking NES originally released in 1985 is now scarcely available. It’s becoming increasingly difficult to get hands on the classic edition. The console that brings the 80’s nostalgia got sold out within just a day of its release. We aren’t surprised about […]

The post Mini NES Classic Edition News: Where to Buy ‘Mini NES Classic Edition’ After It Sold Out – Try These Alternatives appeared first on MobiPicker.

Source: http://www.mobipicker.com/feed/

Enlarge / Don’t you even think about not dragging the Earth, son. Google’s telling you to. (credit: Sam Machkovech)

I stood at the peak of Mount Rainier, the tallest mountain in Washington state. The sounds of wind whipped past my ears, and mountains and valleys filled a seemingly endless horizon in every direction. I’d never seen anything like it—until I grabbed the sun.

Using my HTC Vive virtual reality wand, I reached into the heavens in order to spin the Earth along its normal rotational axis, until I set the horizon on fire with a sunset. I breathed deeply at the sight, then spun our planet just a little more, until I filled the sky with a heaping helping of the Milky Way Galaxy.

Virtual reality has exposed me to some pretty incredible experiences, but I’ve grown ever so jaded in the past few years of testing consumer-grade headsets. Google Earth VR, however, has dropped my jaw anew. This, more than any other game or app for SteamVR’s “room scale” system, makes me want to call every friend and loved one I know and tell them to come over, put on a headset, and warp anywhere on Earth that they please.

Read 14 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

Setting a passcode on your iPhone is the first line of defense to help prevent other people from accessing your personal details.

However, it’s pretty much easy for anyone with access to your iPhone to bypass the passcode protection (doesn’t matter if you configured Touch ID or not) and access your personal photos and messages.

A new critical security flaw discovered in iOS 8 and newer,


Source: http://feeds.feedburner.com/TheHackersNews

Today we will speak with Kapustkiy, which continues to be in the headlines due to the recent strings of attacks against embassies.

Kapustkiy is a pentester that is targeting organizations and embassies across the world. Recently he breached the Paraguay Embassy of Taiwan (www.embapartwroc.com.tw), while a few days ago the hacker and his friend Kasimierz (@Kasimierz_) hacked the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and LibyaKapustkiy and his friend Kasimierz (@Kasimierz_).

The last victims of the hacker are two subdomains of Virginia University & Sub domain of University of Wisconsin (http://pastebin.com/i1wmM5D1 ) and another embassy, the Indian Embassy in New York (http://pastebin.com/Akm9x4dD )

Enjoy the interview.

kapustkiy-interview

You are a talented cyber security expert, Could you tell me which his your technical background and when you started hacking? Please ould you tell me more about.

My name is Kapustkiy and I’m 17 years old.  I started “hacking” when I was 13 years old and I was inspired by LulzSec.
They had breached a lot of high profiles and I also wanted to become like them, but I didn’t want to be a Black Hat.

 

What scares you more on the internet and why? • We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe it is real the risk of a major and lethal cyber attack against a critical infrastructure? Thanks a lot again, please send me just a couple of statements about the introduction that want to include in the post (including media reference) and a picture of you (otherwise I’ll take it on the internet).

Could you tell me which his your technical background and when you started hacking? Which are your motivations?

My motivation is that I like to help administrators to fix their websites so they can secure them. In the future, I want to have a job in the cyber security industry.

When I was 13 years old I started the basic things like SQL and LFI. At that moment I’m doing some research to find some websites that were vulnerable and I found a big University in England who had an SQLi flaw. I breached its database and the website was offline for around 3 days. When I saw that the website was down I started to change my mind and I don’t want to do any damage again for leaking all the personal information.

What was your greatest hacking challenge? Which was your latest hack? Can you describe me it?

At this moment, nothing special in my opinion. Because all the websites that I was managed to breach were just simple a “SQLi”

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?

I don’t know which tools cannot be missed. Everyone has his own tools to hack something. I (Kapustkiy) don’t describe myself as a hacker but as a Security pentester. I use pentestbox. Which is very easy to use for people who also want to become a Pentester.

Which are the most interesting hacking communities on the web today, why?

The most interesting community on the web? I don’t know, to be honest. There are many hacking communities such as Hackforums that attract a lot of hackers and wannabe experts.

Which is the industry (healthcare, automotive, telecommunication, banking, and so on) most exposed to cyber attacks and why?

In my opinion, I think that Government agencies are most exposed to cyber attacks. The reason behind my statement is that I think that hackers are targeting them to express their dissent and to protest against their politics. Like anonymous always does. They attack websites to fight corruption.

What scares you more on the internet and why?

I think that cyber attacks could be very dangerous for industry, especially the economic. A few years ago the Syrian Electronic Army managed to hack the Associated Press, and started to send a fake tweet which led the stock market tipped down a lot. I think that most of those attacks will happen a lot in the future.

How do you select your targets? Why main embassies?

I started to focus on embassies because I was shocked about the low security in Asia. Most of the embassies in Europe are better protected against this kind of hacks. But the main thing is that it is very dangerous to have a bad security especially when you are managing the kind of data accessed by internal staff of an “Embassy”. A lot of personal information is avaible on their websites, this data could be used for further attacks by nation-state actors.

I also wanted to add that I was inspired by an other hacker named CyberZeist which is a former member of the UGNazi hacker group.

Thanks a lot!

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs –  Hacker, Kapustkiy)

The post Hacker Interview – Kapustkiy appeared first on Security Affairs.

Source: Security affairs

The notorious Carbanak cybercrime gang is now changing strategy and it is targeting the hospitality and restaurant industries.

The notorious Carbanak cybercrime gang that allegedly stole $1 billion from financial institutions worldwide is now changing strategy and target and it is targeting the hospitality and restaurant industries.

“In the last month Trustwave was engaged by two separate hospitality clients, and one restaurant chain for investigations by an unknown attacker or attackers. The modus operandi for all three investigations were very similar and appear to be a new Carbanak gang attack methodology, focused on the hospitality industry. ” reported Trustwave.

According to security experts at Trustwave, the Carbanak gang in the last week started adopting new techniques and malware. The hackers launched a spear-phishing campaign on people in the industry in the attempt to trick victims into reading emails with malicious macro-laced documents.

In the attacks observed by the security firm, the attacker called the customer contact line saying that they are facing problems using their online services and requested to send their information to the agent via email. The attacker stayed on the line until the agent opened the attachment contained in the email, then he hung up when the victims have opened the malicious message.

“The email attachment was a malicious Word Document that contained an encoded .VBS script capable of stealing system information, desktop screenshots, and to download additional malware.”reads the analysis of the Carbanak attack. “The malicious VB Script will use macros to search for instances of Microsoft Word running on the system, if found, it will clear the existing text and replace it with the following text.”

carbanak-malicious-email

The hackers first download a malware used as a reconnaissance tool in a first stage of the attack, it is able to download popular hacking tools, including Nmap, FreeRDP, NCat and NPing.

Later it also downloads additional payloads that allow to carry on the next stage of the attack.

The final target is to steal sensitive information and credit card data scraped from the memory of the infected machines, including point-of-sale systems with a recompiled version of the Carbanak malware that is hard to detect.

“This malware may steal credit card data, as well as screen captures, keylogger information, email addresses from the PST file, enable RDP or VNC sessions, or to obtain additional system information.”

This malware establishes a backdoor on the victim’s machine in order to gain full control on it. It communicates via an encrypted tunnel on port 443 with the following IP addresses:

  • 5.45.179.173
  • 92.215.45.94

All exfiltrated information is encrypted with base64+RC2 and sent via HTTP POST messages.

The new campaign started about six weeks ago, Trustwave also published a list of fresh IoCs (indicators of compromise) that could help administrators and security experts to detect the threat.

“the persistence, professionalism, and pervasiveness of this campaign is at a level rarely seen by Trustwave. The malware used is very multifaceted and still not caught by most (if any) antivirus engines. The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement is rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient.” reads the conclusion of the Trustwave report.

The fact that a criminal gang like Carbanak is changing tactic targeting the healthcare industry represent a clear indicator of the profitability of the industry for crooks.

It’s not the first time that criminal organizations target the hospitality sector,

In November 2014 Kaspersky spotted the activity of a group of cyber criminals dubbed Darkhotel that was targeting executives traveling across Asia through hotel internet networks.

The DarkHotel campaign was ongoing for at least four years while targeting selected corporate executives traveling abroad. According to the experts, threat actors aimed to steal sensitive data from the victims while they were in luxury hotels.

The attackers appear high skilled professionals that were exfiltrate data of interest with a surgical precision and deleting any trace of their activity.

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Edited by Pierluigi Paganini

(Security Affairs – Healthcare Industry, cybersecurity)

The post The Carbanak gang is now targeting the hospitality industry appeared first on Security Affairs.

Source: Security affairs

CryptoLuck ransomware is a new strain of malware discovered by the researcher Kafeine, that is being distributed via the RIG-E exploit kit.

The notorious researcher Kafeine has spotted a new strain of ransomware dubbed CryptoLuck. The malware leverages DLL hijacking and exploits the legitimate GoogleUpdate.exe executable to infect computers.

The ransomware appends the .[victim_id]_luck extension to the encrypted files, it is able to lock hundreds of file extensions. It skips files that contain specific strings: Windows, Program Files, Program Files (x86), ProgramData, AppData, Application Data, Temporary Internet Files, Temp, Games, nvidia, intel, $Recycle.Bin, and Cookies.

The malware asks victims to pay a 2.1 Bitcoin (around $1,500) ransom within 72 hours in order to rescue the encrypted files.

The CryptoLuck ransomware is delivered through the RIG-Empire (RIG-E) exploit kit. Crooks leverages malvertising campaigns through adult websites, but likely they will adopt other infection vectors.

The ransomware is spread using a RAR SFX file which contains the crp.cfgGoogleUpdate.exe, and goopdata.dll files, along with instructions to extract these into the %AppData%ff folder and to silently execute GoogleUpdate.exe.

The advantage for abusing the GoogleUpdate.exe is that is a legitimate Google program that is signed by Google.

The authors of the CryptoLuck ransomware have included a malicious goopdate.dll file in the package for the legitimate program to load into memory.

“When the GoogleUpdate.exe program is run, it will look for a DLL file called goopdate.dll file and load it. The problem is that it will first look for this file in the same folder that the GoogleUpdate.exe resides in. This allows a malware developer to create their own malicious goopdate.dll file and have it loaded by GoogleUpdate.” reads the analysis published by Lawrence Abrams from the BleepingComputer.com.

The CryptoLuck ransomware implements mechanisms to avoid analysis from security firms. It is able to determine if it is running in a virtual machine, and in this case, it halts itself. Once executed it scans all mounted drives and unmapped network shares for files to encrypt.

The ransomware uses an AES-256 encryption with a unique AES encryption key for each of file to encrypt. The key is encrypted with an embedded public RSA key and the resulting encrypted AES key is embedded in the encrypted file.

When the ransomware has completed the encryption of the files, it displays a ransom note that contains the instructions for the payment of the ransom.

cryptoluck-ransomware

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – CryptoLuck ransomware , cybercrime)

The post CryptoLuck Ransomware spread through the RIG-E Exploit Kit appeared first on Security Affairs.

Source: Security affairs