Snatching the login credentials of a locked computer just got easier and faster, thanks to a technique that requires only $50 worth of hardware and takes less than 30 seconds to carry out.

Rob Fuller, a principal security engineer at R5 Industries, said the hack works reliably on Windows devices and has also succeeded on OS X, although he's working with others to determine if it's just his setup that's vulnerable. The hack works by plugging a flash-sized minicomputer into an unattended computer that's logged in but currently locked. In about 20 seconds, the USB device will obtain the user name and password hash used to log into the computer. Fuller, who is better known by his hacker handle mubix, said the technique works using both the Hak5 Turtle ($50) and USB Armory ($155), both of which are USB-mounted computers that run Linux.

"First off, this is dead simple and shouldn’t work, but it does," mubix wrote in a blog post published Tuesday. "Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true)."


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Warning: This piece contains minor spoilers for the most recent episode of Mr. Robot (S2E9)

Time and time again, Mr. Robot has proven to be a show that prides itself on extreme attention to detail. Whether it involves hiring ex-FBI employees as consultants or tracking down the duo behind the Full House theme, the series wants to ground its high-stakes story in a healthy dose of realism. 

"The notion of there being an E-Corp, a conglomerate in charge of 70 percent of the world's debt, is a big pill to swallow," Kor Adana, staff writer and the show's lead tech producer, told Ars recently. "The way I see it, anything we can do to ground the show in reality with all the other tools at our disposal, the better it is to sell this version of reality."


HTTPS CVE-2016-7152 Information Disclosure Vulnerability
HTTP/2 CVE-2016-7153 Information Disclosure Vulnerability
Fortinet FortiWAN CVE-2016-4966 Authentication Bypass Vulnerability

Earlier today, I updated how our block list is generated. The idea behind this is to avoid some false positives and to make the list more meaningful. As usual, please note that this list is provided as is; use it at your own risk. There will likely be some false positives from time to time, and of course, your definition of a false positive may be different from ours.

The list, like before, lists /24 networks. We found in the past that this network size provides a reasonable balance between false positives and blocking sets of known misbehaving IPs efficiently.

Networks will be de-listed on request. We will not review the request for maliciousness. But if you know you are listed, and you ask us to remove you, we will do so as soon as possible.

To compile the list, we rank /24 networks based on the number of targets they attack. We only include reports if we received them from multiple submitters. Some common false positives are removed and not included in the ranking.

Of course, you can make up your lists using whatever data we provide. But please be aware that the purpose of our data is research, not blocking. We do not filter data displayed on our site for false positives. It is up to you to decide what is a false positive. For example, we do include research scans in our data, and even in our blocklists. Some may consider this a false positive.

The Top 10 blocklist does block common, Internet-wide scans. It will not protect you from targeted scans, and it will not protect you from all scans of this type. Please understand these limitations before applying this blocklist. The block list is updated once an hour.

URL of our blocklist: https://isc.sans.edu/feeds/block.txt

For more detailed data, use our API: https://isc.sans.edu/api

Johannes B. Ullrich, Ph.D.

Linux Kernel CVE-2016-3951 Null Pointer Dereference Local Denial of Service Vulnerability
Linux Kernel Local Memory Corruption and Integer Overflow Vulnerabilities

OPM officials did nearly everything wrong as far as security goes and then lied about it, House Oversight Committee Republicans said in a final report on the OPM breach. (credit: Photo illustration by Sean Gallagher, based on image by Colin)

A report from the Republican majority on the House Oversight and Government Reform Committee published today places blame for the 2014 and 2015 data breaches at the Office of Personnel Management squarely on the OPM's leadership. The report finds that the long-time network infiltration that exposed sensitive personal information on about 21.5 million individuals could have been prevented but for "the longstanding failure of OPM's leadership to implement basic cyber hygiene."

"Tools were available that could have prevented the breaches, but OPM failed to leverage those tools to mitigate the agency's extensive responsibilities," the report concluded. And the committee's majority report also asserted that former OPM Chief Information Officer Donna Seymour lied repeatedly during her testimony, misstating how the agency responded to the breach and misleading Congress and the public about the damage done by the attack. Ars extensively covered the shortfalls in OPM's security last year.

The House Oversight report reveals that there were two separate extensive breaches. The first, beginning as early as November of 2013, went undiscovered until March 2014 and was finally shut down completely two months later; it allowed attackers to obtain manuals and technical information about the types of data stored in OPM systems. A second attack began shortly afterward, targeting background investigation data, personnel records, and fingerprint data. These breaches were determined to be likely conducted by the "Axiom Group" and "Deep Panda," respectively, two China-based hacking groups alleged to have ties to the Chinese government. The attacks used a series of domains—some with OPM-related names (opmsecurity.org and opmlearning.org) and registered under the names of Marvel superheroes Tony Stark (Iron Man) and Steve Rogers (Captain America)—to control malware and exfiltrate stolen data.


QEMU 'pvscsi_convert_sglist()' Function Local Denial of Service Vulnerability
QEMU 'hw/scsi/mptconfig.c' Multiple Local Denial of Service Vulnerabilities


The US Navy Bombe used during World War II to break Germany's Enigma encryption system. (credit: National Security Agency)

When you're an applied cryptographer, teaching your preteen daughters what you do for a living isn't easy. That's why Justin Troutman developed PocketBlock, a visual, gamified curriculum that makes cryptographic engineering fun.

In its current form, PocketBlock is a series of board-like grids that allows players to transform plaintext messages into secret ciphertext and convert it back again, one move at a time. By restricting the operations to little more than addition and subtraction performed by rearranging squares on a piece of paper, PocketBlock helps students understand the fundamentals of encryption without requiring a formal background in mathematics. At the same time, it stays true to the principles of modern cryptography and goes well beyond the classical cryptographic concepts, like the Caesar cipher, reserved for the most kid-centric material on cryptography today.

"The goal is for kids to feel like they've worked with something of substance, to an extent that intrigues them," Troutman, a trained cryptographer who is currently the project manager at the Freedom of the Press Foundation, told Ars. "[PocketBlock] introduces cryptography as everything from a pillar of the modern Web to the tradecraft of spies past. It introduces the same cryptographic concepts that I work with as a cryptographer in industry—the same underpinnings you'll find in academic papers. It reduces these concepts to easy-to-solve problems and uses a visual language to map what happens to bits as they travel through a cryptographic algorithm."


Huawei eSpace IAD Remote Information Disclosure Vulnerability
Fortinet FortiWAN VU#724487 Multiple Security Vulnerabilities
QEMU '/scsi/vmw_pvscsi.c' Local Denial of Service Vulnerability
CVE-2016-6920 ffmpeg exr file Heap Overflow
Infoblox Cross-site scripting vulnerabilities
[SECURITY] [DSA 3661-1] charybdis security update
[CVE-2016-6484] Infoblox Network Automation CRLF Injection / HTTP Splitting
Trend Micro Control Manager Multiple Security Vulnerabilities