Stealing login credentials from a locked PC or Mac just got easier

Snatching the login credentials of a locked computer just got easier and faster, thanks to a technique that requires only $50 worth of hardware and takes less than 30 seconds to carry out. Rob Fuller, a principal security engineer at R5 Industries, said the hack works reliably on Windows devices and has also succeeded on OS X, although he’s working with others to determine whether it’s just his setup that’s vulnerable. The hack works by plugging a flash-drive-sized minicomputer into an unattended computer that is logged in but currently locked. In about 20 seconds, the USB device obtains the user name and password hash used to log into the computer. Fuller, who is better known by his hacker handle mubix, said the technique works using both the Hak5 LAN Turtle ($50) and the USB Armory ($155), both of which are USB-mounted computers that run Linux. “First off, this is dead simple and shouldn’t work, but it does,” mubix wrote in a blog post published Tuesday. “Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true).”

Linux Trojan Mines For Cryptocurrency Using Misconfigured Redis Servers

An anonymous reader writes: In another installment of “Linux has malware too,” security researchers have discovered a new trojan that targets Linux servers running Redis, where the trojan installs a cryptocurrency miner. What is unusual about this trojan is that it includes a worm component that lets it spread on its own. The trojan, named Linux.Lady, looks for Redis servers that don’t have an admin account password, accesses the database, and then downloads itself onto the new target. The trojan mines for the Monero cryptocurrency, the same one used by another worm called PhotoMiner, which targets vulnerable FTP servers. According to a Risk Based Security report from last month, there are over 30,000 Redis servers available online without a password, of which 6,000 have already been compromised by various threat actors. Read more of this story at Slashdot.
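
The precondition the worm relies on is a Redis instance that answers an unauthenticated caller. The following is an added example, not code from the story or from any analysis of Linux.Lady: a minimal RESP client that sends PING and classifies the first reply line, which is enough to tell an open server from one that has requirepass set or is refusing remote clients in protected mode. The host, port and timeout are the only assumptions; the reply strings used in the offline checks are constructed from the formats Redis documents.

```python
"""Added example: probe a Redis instance for unauthenticated access.

Reply formats (first line of the RESP response to PING):
  +PONG                         server talks to us with no password
  -NOAUTH Authentication required.   requirepass is set
  -DENIED Redis is running in protected mode ...   Redis >= 3.2 refusing
                                 non-loopback clients with no bind/password
Anything else is reported as 'unknown' rather than guessed at.
"""
import socket
import sys


def build_command(*parts: str) -> bytes:
    """Encode a command as a RESP multi-bulk array.

    PING -> b'*1\\r\\n$4\\r\\nPING\\r\\n'
    """
    out = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        raw = part.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def classify_reply(reply: bytes) -> str:
    """Map the first reply line to one of: open, auth-required, protected, unknown."""
    line = reply.split(b"\r\n", 1)[0]
    if line.startswith(b"+PONG"):
        return "open"
    if line.startswith(b"-NOAUTH"):
        return "auth-required"
    if line.startswith(b"-DENIED"):
        return "protected"
    return "unknown"


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect, send PING, classify the answer. This is the only network call
    in the file; the offline checks exercise the two helpers above instead."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_command("PING"))
        return classify_reply(sock.recv(512))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
```

An "open" result against a non-loopback address is the state the story describes; "auth-required" only says that a password exists, not that it is strong, so this probe does not replace a credential check. On the server side the relevant redis.conf directives are `bind 127.0.0.1` (or the internal interface only), `protected-mode yes`, `requirepass` with a long random value, and `rename-command CONFIG ""` so that an attacker who does get a session cannot repoint the dump file.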

Australia Has Moved 1.5 Metres, So It’s Updating Its Location For Self-Driving Cars

An anonymous reader shares a CNET report: Australia is changing from “down under” to “down under and across a bit”. The country is shifting its longitude and latitude to fix a discrepancy with global satellite navigation systems. Government body Geoscience Australia is updating the Geocentric Datum of Australia, the country’s national coordinate system, to bring it in line with international data. The reason Australia is slightly out of whack with global systems is that the country moves about 7 centimetres (2.75 inches) per year due to the shifting of tectonic plates. Since 1994, when the data was last recorded, that’s added up to a misalignment of about a metre and a half. While that might not seem like much, various new technology requires location data to be pinpoint accurate. Self-driving cars, for example, must have infinitesimally precise location data to avoid accidents. Drones used for package delivery and driverless farming vehicles also require spot-on information. ABC has more details. Read more of this story at Slashdot.

Air Force Has Lost 100,000 Inspector General Records

schwit1 shares an article from The Hill: The Air Force announced on Friday that it has lost thousands of records belonging to the service’s inspector general due to a database crash. “We estimate we’ve lost information for 100,000 cases dating back to 2004,” Air Force spokeswoman Ann Stefanek told The Hill in an email. “The database crashed and there is no data…” The database, called the Automated Case Tracking System (ACTS), holds all records related to IG complaints, investigations, appeals and Freedom of Information Act requests…. “We also use ACTS to track congressional/constituent inquiries.” The Air Force said they were “aggressively” trying to recover the data, adding that they had no evidence of malicious intent. Read more of this story at Slashdot.

Researchers Discovered New Observations of the 1006 AD Supernova

Ancient astronomers have long been providing observations of supernovae, such as SN 185 by Chinese astronomers in 185 AD, SN 1054, which produced the Crab Nebula, and SN 1006, the brightest stellar event ever recorded. Now, a new paper has uncovered a new observation of the 1006 event.

Outdated and Vulnerable WordPress, Drupal Versions Contributed To Panama Papers Breach

An anonymous reader quotes a report from WordPress Tavern: Authorities have not yet identified the hacker behind the Panama Papers breach, nor have they isolated the exact attack vector. It is clear that Mossack Fonseca, the Panamanian law firm that protected the assets of the rich and powerful by setting up shell companies, had employed a dangerously loose policy towards web security and communications. The firm ran its unencrypted emails through an outdated (2009) version of Microsoft’s Outlook Web Access. Outdated open source software running the frontend of the firm’s websites is also now suspected to have provided a vector for the compromise. Forbes has identified outdated WordPress and Drupal installations as security holes that may have led to the data leak. [WordPress Tavern Editor Sarah Gooding] found that the firm’s WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/. The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn’t been updated for three years. Since the release of version 7.23, the software has received 25 security updates, which means that the version it is running includes highly critical known vulnerabilities that could have given the hacker access to the server. Read more of this story at Slashdot.
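
The fingerprinting the story describes can be reproduced from three artefacts an unauthenticated visitor can fetch: a core file whose hash is compared against known releases (the autosave.js method), the WordPress version string that leaks through the generator meta tag and the `?ver=` query on enqueued core scripts, and the first release line of a Drupal 7 CHANGELOG.txt. The example below is added here and is not code from WordPress Tavern, Forbes or either project; the sample HTML and changelog excerpt are constructed to match those formats, and the hash table passed to `match_core_file` is something you build yourself from pristine release archives.

```python
"""Added example: version fingerprinting of WordPress and Drupal from public files."""
import hashlib
import re
from typing import Dict, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_core_file(content: bytes, known: Dict[str, str]) -> Optional[str]:
    """The autosave.js method: compare a fetched core file against a table of
    {sha256: version} built from untouched release tarballs. None means no match,
    which is also what a locally modified or minified-by-plugin file looks like."""
    return known.get(sha256_hex(content))


def wordpress_version_from_html(html: str) -> Optional[str]:
    """Prefer the generator meta tag; fall back to the ?ver= query string that
    WordPress appends to core scripts under /wp-includes/. Returns None when a
    site strips both, which many hardening plugins do."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', html, re.I)
    if m:
        return m.group(1)
    m = re.search(r'/wp-includes/js/[^"\']+\?ver=([\d.]+)', html, re.I)
    return m.group(1) if m else None


def drupal_version_from_changelog(text: str) -> Optional[str]:
    """Drupal 7 CHANGELOG.txt starts with lines like 'Drupal 7.23, 2013-08-07';
    the first such line is the installed release, the rest is history."""
    m = re.search(r"^Drupal\s+([\d.]+),", text, re.M)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.23' -> (7, 23); tuples compare numerically, so 7.9 < 7.23 as intended."""
    return tuple(int(x) for x in v.split("."))


def releases_behind(installed: str, current: str) -> bool:
    return parse_version(installed) < parse_version(current)


# Constructed samples in the shape of the real files.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.1" />
<script src="/wp-includes/js/autosave.min.js?ver=4.1"></script>
</head><body></body></html>"""

SAMPLE_CHANGELOG = """Drupal 7.23, 2013-08-07
-----------------------
- Fixed security issues (multiple vulnerabilities). See SA-CORE-2013-003.

Drupal 7.22, 2013-04-03
-----------------------
"""

if __name__ == "__main__":
    print("WordPress:", wordpress_version_from_html(SAMPLE_HTML))
    print("Drupal:", drupal_version_from_changelog(SAMPLE_CHANGELOG))
```

Two caveats when reading the results. A hash match on one core file dates the core to the release that shipped that file, but point releases within a branch do not touch every file, so a match fingerprints the branch rather than proving a specific minor version; the `?ver=` string, by contrast, is the running core's own version and changes with every update, so it is the more precise indicator when present. And a changelog.txt that is readable at all is itself a finding: the file is not needed at runtime and should be removed or blocked by the web server.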

Names That Break Computers

Reader Thelasko writes: The BBC has a story about people with names that break computer databases. “When Jennifer Null tries to buy a plane ticket, she gets an error message on most websites. The site will say she has left the surname field blank and ask her to try again.” Thelasko compares it to the XKCD comic about Bobby Tables, though it’s a real problem that’s also been experienced by a Hawaiian woman named Janice Keihanaikukauakahihulihe’ekahaunaele, whose last name exceeds the 36-character limit on state ID cards. And in 2010, programmer John Graham-Cumming complained about web sites (including Yahoo) which refused to accept hyphenated last names. Programmer Patrick McKenzie pointed the BBC to a 2011 W3C post highlighting the key issues with names, along with his own list of common mistaken assumptions. “They don’t necessarily test for the edge cases, ” McKenzie says, noting that even when filing his own income taxes in Japan, his last name exceeds the number of characters allowed. Read more of this story at Slashdot.
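
The failures above come from three habits in one validation routine: a "missing field" check that also matches the literal surname Null, an ASCII-letters-only whitelist that rejects hyphens and apostrophes, and a hard length cap. The example below is added here and is not code from the BBC story or from any of the sites it names: it writes out that broken routine beside one that accepts names as given, and uses an in-memory SQLite database to show why the Bobby Tables string is harmless with bound parameters and destructive with string-built SQL. The names are the ones the story mentions; the payload is the xkcd one; the table schema is invented for the demonstration.

```python
"""Added example: surname validation and storage that survive real names."""
import re
import sqlite3
import unicodedata

MAX_SURNAME = 36  # the state ID card limit quoted in the story


def validate_surname_broken(surname):
    """The behaviour the story describes, written out. 'Null' is swallowed by
    the emptiness check, hyphens and apostrophes fail the whitelist, and long
    Hawaiian names fail the cap (or the whitelist first, if they hold an okina)."""
    if surname is None or surname.strip() == "" or surname.strip().lower() == "null":
        raise ValueError("surname is required")
    if not re.fullmatch(r"[A-Za-z]+", surname):
        raise ValueError("letters only")
    if len(surname) > MAX_SURNAME:
        raise ValueError("too long")
    return surname


def normalize_surname(surname):
    """Accept what people are actually called. Only absence is an error; the
    string 'Null' is just a string. NFC normalisation makes composed and
    decomposed forms of the same accented letter compare equal in the database."""
    if surname is None:
        raise ValueError("surname is required")
    s = unicodedata.normalize("NFC", surname.strip())
    if not s:
        raise ValueError("surname is required")
    return s


def _schema(con):
    con.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, surname TEXT NOT NULL)")


def _table_exists(con):
    row = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='students'"
    ).fetchone()
    return row is not None


def store_unsafe(surnames):
    """String-built SQL. Returns whether the table survived. executescript()
    runs several statements in one call, which is what the payload relies on."""
    con = sqlite3.connect(":memory:")
    _schema(con)
    for s in surnames:
        try:
            con.executescript(f"INSERT INTO students (surname) VALUES ('{s}');")
        except sqlite3.OperationalError:
            pass  # a stray ASCII quote breaks the syntax; 'no such table' after the drop
    exists = _table_exists(con)
    con.close()
    return exists


def store_safe(surnames):
    """Bound parameters: every name is data whatever characters it holds.
    Returns the names read back, in insertion order."""
    con = sqlite3.connect(":memory:")
    _schema(con)
    for s in surnames:
        con.execute("INSERT INTO students (surname) VALUES (?)", (normalize_surname(s),))
    rows = [r[0] for r in con.execute("SELECT surname FROM students ORDER BY id")]
    con.close()
    return rows


# Names from the story (the Hawaiian surname contains U+2019); the last string is the xkcd payload.
STORY_NAMES = ["Null", "Keihanaikukauakahihulihe\u2019ekahaunaele", "Graham-Cumming", "McKenzie"]
BOBBY_TABLES = "Robert'); DROP TABLE students;--"

if __name__ == "__main__":
    for name in STORY_NAMES:
        try:
            validate_surname_broken(name)
            print("accepted:", name)
        except ValueError as err:
            print("rejected:", name, "->", err)
    print("table survives unsafe insert of payload:", store_unsafe(STORY_NAMES + [BOBBY_TABLES]))
    print("stored safely:", store_safe(STORY_NAMES + [BOBBY_TABLES]))
```

The two halves are independent: the whitelist is not what protects the database, and the parameterised insert is not what makes Ms Null's booking succeed. A site needs both the permissive validator and the bound parameters; tightening the regex to compensate for string-built SQL is how hyphenated and apostrophed names get locked out in the first place.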

Amazon Instant Video Finally Comes To Android Tablets

Amazon Instant Video is a surprisingly solid Netflix competitor, particularly if you’re already an Amazon Prime member, which makes much of the content free. Until today, though, the service had one glaring fault: if you wanted to watch it on an Android tablet that wasn’t Amazon’s Fire HD, you were pretty much out of luck. That fault is finally fixed.

Microsoft Is Saying Exactly “Nothing” About The Surface Pro 4

On the heels of announcing the Surface 3, Microsoft trotted over to Reddit for its now-traditional AMA dance with the folks. The Surface 3 is a smaller, less expensive iteration of the Surface Pro 3, which was released last year. The Pro 3’s commercial performance has been superior to its predecessors, making its successor all the more interesting as a potential. In the AMA, Microsoft…

Apple Patents A Light-Splitting iPhone Camera Sensor System

Apple has secured a new patent (via AppleInsider) for a special three-sensor camera designed for thin, wireless devices like the iPhone. The three sensors would each capture a separate color component, as divided by a special light-splitting cube that would divide up light entering the camera into red, green and blue (or other color set) wavelengths. Why? Better resolution and lower noise…
