Darren Pauli


PayPal takes 18 months to patch critical remote code execution hole

Paypal has closed a remote code execution vulnerability in its service some 18 months after it was reported. The flaws reported earlier this month rated critical by Vulnerability Lab affected a core Paypal profile application. "A system specific arbitrary code execution vulnerability has been discovered in the official in the …
Darren Pauli, 21 Nov 2014

GCHQ and Cable and Wireless teamed as Masters of the Internet™

Cable and Wireless provided UK intelligence agency GCHQ with access to the internet connections of millions of global users, going as far as to tap India's second largest telco, Snowden documents reveal. The telco, since acquired by Vodafone, operated under the GCHQ pseudonym "Gerontic" when it opened and managed a secret fibre …
Darren Pauli, 21 Nov 2014

CAPTCHA rapture as 'thousands' affected by seven year-old bug

A reflected cross site scripting flaw patched overnight may affect millions of websites due to a seven-year-old flaw in a jQuery validation plugin demo script used for CAPTCHA, Dutch penetration tester Sijmen Ruwhof says. The "severe" vulnerability appeared to have existed in CAPTCHA since 2007 and could lead to session …
Darren Pauli, 20 Nov 2014

Azure TITSUP caused by INFINITE LOOP

A global balls-up of Redmond's Azure caused by an infinite loop bug might have crept by those dwelling in the antipodes thanks to a seemingly fat-fingered admin who geo-blocked the region from reading the news. The …
Darren Pauli, 20 Nov 2014

GOTCHA: Google caught STRIPPING SSL from BT Wi-Fi users' searches

Google's "encryption everywhere" claim has been undermined by Mountain View stripping secure search functions for BT WiFi subscribers piggy-backing off wireless connections, sysadmin Alex Forbes has found. The move described as 'privacy seppuku' by Forbes (@al4) meant that BT customer searches were broadcast in clear text and …
Darren Pauli, 20 Nov 2014

Asian mobiles the DDOS threat of 2015, security mob says

Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles, according to DDoS security bod Shawn Marck. Vietnam clocked in fifth place in the firm's latest threat report, in which India and Indonesia did not feature, outpaced by China, the US, Russia and …
Darren Pauli, 19 Nov 2014

Lame phone dodgers fleece finance's foolish and fat fingered

Scammers are attempting to fleece a hundred top US financial companies by registering phone numbers close to those in use by the firms, engineer Scott Strong says. Of some 600 top financial institutions across the US, 103 or about 20 percent had scammers register their numbers with only the last few digits altered in a bid to …
Darren Pauli, 19 Nov 2014

SMS pwnage on MEELLIONS of flawed SIM cards, popular 4G modems

A Russian research team has found vulnerabilities in millions of the world's SIM cards, and separate flaws in common 4G modem platforms. Together, the bugs could allow attackers to send crafted SMS text messages to gain access to critical systems and install malware on connected computers. In one dramatic and hypothetical …
Darren Pauli, 19 Nov 2014

Gee THANKS: Cryptoscum offer a free decrypt in latest ransomware racket

Ransomware thieves are taking a leaf from the greasy salesperson's handbook and offering victims a free decryption of a file of their choosing, malware researcher Tyler Moffitt says. Scammers would foist the CoinVault ransomware on victims through a variety of attack vectors and encrypt their files …
Darren Pauli, 18 Nov 2014

Cries of spies as audit group finds possible 'backdoor' in Bittorrent Sync

Popular file sharing platform BitTorrent Sync is 'probably' leaking hashes to its website and access to shared data, a group audit has found. The platform downloaded some 10 million times allowed users to synchronise data over networks using encrypted peer-to-peer at speeds said to be 16 times faster than Dropbox, using …
Darren Pauli, 18 Nov 2014

USB coding anarchy: Consider all sticks licked

Thumb drives are so inconsistently manufactured it is all but impossible to know if any unit could be reprogrammed to own computers, researcher Karsten Nohl says. The conditions that determined if a unit could be hacked varied not only between vendors but also within product unit lines due to manufacturers buying different …
Darren Pauli, 18 Nov 2014

Attack reveals 81 percent of Tor users but admins call for calm

The Tor project has urged calm after new research found 81 percent of users could be identified using Cisco's NetFlow tool. A research effort led by professor Sambuddho Chakravarty from the Indraprastha Institute of Information Technology in Delhi found that well-resourced attackers such as a nation-state could effectively …
Darren Pauli, 17 Nov 2014

LSI driver bug is breaking VSANs, endangering data

VMware says its VSAN virtual storage array is selling well, earning hardware-makers' attention and making plain the wisdom of the software-defined data centre. It may well be, but VSAN is also having some teething problems. Back in July, VMware was forced to change its recommended VSAN system configurations because VSANs were …
Darren Pauli, 17 Nov 2014

VXers Shellshocking embedded BusyBox boxen

Malware writers have crafted new wares to attack embedded devices running BusyBox and not yet patched against the ShellShock vulnerability, researcher Rhena Inocencio says. Miscreants' tool of choice for such attacks is malware called "Bashlite" that, once executed on a victim machine, probes for devices such as routers and …
Darren Pauli, 17 Nov 2014

You really need to do some tech support for Aunty Agnes

Users who don't update their anti-virus may as well uninstall it according to infection rate statistics published by Microsoft. Redmond said in the seventeenth installment of its Security Intelligence Report that machines with outdated, deactivated or expired anti-virus platforms were just as prone to infection as those without …
Darren Pauli, 17 Nov 2014

Poll trolls' GCHQ script sock puppets manipulate muppets

A group of security professionals/online miscreants have found, and themselves created, thousands of online accounts to manipulate forum posts, popular news articles and mailing lists using techniques pioneered by the UK's GCHQ spy agency. Researchers Azhar Desai, Haroon Meer and Marco Slaviero of Thinkst found posts created around …
Darren Pauli, 14 Nov 2014

Dormant IP addresses RIPE for hijacking

Spammers are using loopholes in the internet routing registry to commandeer address space and pump out junk mail, and potentially launch denial of service attacks and steal traffic. As explained by cyber crime reporter Brian Krebs and Cisco researcher Jaeson Schultz, IP addresses can be snatched by scammers who establish bogus …
Darren Pauli, 14 Nov 2014

US carder gets nine years in cooler, must pay back $50 MEELLION

Georgia carder Cameron Harrison has been sentenced to nine years' jail and ordered to pay US$50.8 million in restitution for purchasing stolen credit cards from scuttled website carder.su. Harrison, 28, who used the handle Kilobit, pleaded guilty to three charges and was sentenced overnight by Nevada District Judge Andrew Gordon …
Darren Pauli, 14 Nov 2014

Pay-by-bonk chip lets hackers pop all your favourite phones

Blood is flowing on the floor of the Pwn2Own challenge slaughterhouse, after whitehats hacked their way through an Apple iPhone 5S, Samsung Galaxy S5, LG Nexus 5 and Amazon Fire, most often by using Near Field Communications. The annual contest backed by mobile giants BlackBerry and Google and run by HP's Zero Day Initiative …
Darren Pauli, 13 Nov 2014

'Chinese hackers' pop US weather bureau, flatten forecast feeds

Chinese hackers have breached the USA's weather forecasting systems, disrupting emergency and disaster planning in a hack one US congressman described as a cover-up, the Washington Post reports. The September hack was not discussed internally by the National Oceanic and Atmospheric Administration (NOAA) until 20 October and even …
Darren Pauli, 13 Nov 2014

DAY ZERO, and COUNTING: EVIL 'UNICORN' all-Windows vuln - are YOU patched?

Security researcher Robert Freeman has discovered an 18-year-old, critical, remotely-exploitable vulnerability di tutti vulnerabiliti which affects just about ALL versions of Windows - all the way back to Windows 95. The vulnerability (CVE-2014-6332) rated a critical score of 9.3 in all versions of Windows and was described as a …
Darren Pauli, 12 Nov 2014

Iranian contractor named as Stuxnet 'patient zero'

Malware researchers have named five Iranian companies infected with Stuxnet, identifying one as 'patient zero' from which the worm leaked to the world after causing havoc in the Natanz uranium plant. Joint research by Kaspersky Lab and Symantec found the organisations, contractors to Natanz, were targeted between June 2009 and …
Darren Pauli, 12 Nov 2014

EMET 5.0 crashes Patch Tuesday party

Microsoft has issued a new version of its Enhanced Mitigation Toolkit (EMET) to address a variety of compatibility issues in the system-hardening environment. Version 5.1 fixed compatibility and Export Address Table Filtering Plus (EAF+) issues with security updates for 64-bit Internet Explorer version 11, Adobe Reader, Adobe …
Darren Pauli, 11 Nov 2014

Hacker Hammond's laptop protected by pet password

Former LulzSec member Jeremy Hammond - once the FBI's most wanted and charged with hacking security firm Stratfor - seems to have failed to prevent police accessing his laptop due to a poor password. During a police raid in March 2012 he raced through a friend's Chicago home to shut and lock his laptop. But the effort appeared …
Darren Pauli, 11 Nov 2014

Mozilla makeover to boost Tor torque, capacity

Mozilla will tweak its flagship Firefox browser and host relays to speed up and boost the capacity of Tor under the Polaris project launched today. The browser baron joined the Tor Project and the Centre for Democracy and Technology, under the Polaris initiative, to create warmer, fuzzier relationships between the organisations …
Darren Pauli, 11 Nov 2014

Aussie feds consider job offer to 'LulzSec leader' who wasn't

Shackled hacker and supposed "leader of Lulzsec" Matthew Flannery is welcome to apply for a job with the Australian Federal Police (AFP), the force says. Flannery was arrested last April as one of two crackers behind the defacement of the then-unpatched Narrabri shire council website. He's since been sentenced to, and is serving, 15 …
Darren Pauli, 10 Nov 2014

Emoticons blast three security holes in Pidgin :-(

Cisco researchers have reported a trio of vulnerabilities in popular instant messaging client Pidgin that allow for denial of service by way of emoticon abuse and remote arbitrary file creation. Researchers Yves Younan and Richard Johnson say the flaws have since been quietly patched, but rated a maximum CVSS score of 6.4 but …
Darren Pauli, 10 Nov 2014

Russian internet traffic detours through China's Frankfurt outpost

Russian domestic internet traffic has in the past year sailed through Shanghai due to routing errors by China Telecom, network boffin Doug Madory says. The apparent networking gaffe appeared to stem from a BGP peering deal between the telco and top Russian mobile provider Vimpelcom to save money on transit operators. Dyn …
Darren Pauli, 10 Nov 2014

TORpedo'd dev dumps Doxbin files after police raids

An administrator of Tor hidden service site Doxbin taken down by the FBI last week has released log files in a bid to crowd-source an analysis of how the sites were captured. Former Doxbin admin NaChash (@loldoxbin) released the website files in hopes users would discover how it was discovered and shut down. His site was …
Darren Pauli, 09 Nov 2014

Belkin flings out patch after Metasploit module turns guests to admins

Belkin has patched a vulnerability in a dual band router that allowed attackers on guest networks to gain root access using an automated tool. The flaw reported overnight targeted the Belkin N750 dual-band router – which was launched in 2011 and is still sold by the company and other commerce sites. IntegrityPT consultant Marco …
Darren Pauli, 07 Nov 2014

By the way, Home Depot hackers also grabbed 53 million email addresses

Hackers made off with a whopping 53 million email addresses as part of the high profile April breach of Home Depot in which 56 million credit cards were compromised, the company says. The haul bagged enough email addresses to contact everyone in England, but it was unknown if the information had been implicated in further …
Darren Pauli, 07 Nov 2014

Aussie spooks warn of state-sponsored online attacks during G20

Australia's top spy agency has warned of 'real and persistent' threats to organisations, agencies and individuals linked to the G20 leaders conference to be held down under next week. The advice issued by the Australian Signals Directorate (ASD) warns that large diplomatic and defence conferences attract attacks such as …
Darren Pauli, 07 Nov 2014

Hide your Macs, iPhones and iPads: WireLurker nasty 'heralds new era'

The largest-scale attack of its kind on Apple Macs, phones and tablets – and believed the first to maliciously target non-jailbroken iPhones – has been detected. And it's hit thousands and thousands of devices in the wild. WireLurker infects OS X computers, and lies in wait for USB connections to Apple iPads and iPhones. It then …
Darren Pauli, 06 Nov 2014

NSA director: We share most of the [crap] bugs we find!

The National Security Agency (NSA) is only holding back a teeny, tiny number of code secrets, with director Admiral Mike Rogers promising the world the spook collective shares 'most' of the vulnerabilities it finds. The agency head made the remarks on his second visit to Silicon Valley since his appointment in April this year. …
Darren Pauli, 06 Nov 2014

158 new malware created EVERY MINUTE

Malware monitors PandaLabs says 227,747 new malware samples are released every day. The findings from its recent survey found 20 million samples were created in the third quarter of 2014. Three quarters of infections were trojans while only 9 percent were viruses and 4 percent worms. The number of trojans rose 13 percent over …
Darren Pauli, 06 Nov 2014

Huffy BlackEnergy vxers cry: 'f*ck U Kaspersky', thank Cisco for 0-days

Developers of the maturing malware weapon BlackEnergy have written a personal message for Kaspersky reverse engineers and Cisco developers in new code that targets Linux and router kit. Pesky malware researchers have kept an eye on BlackEnergy since it evolved from a denial-of-service attack tool to version two kit used by …
Darren Pauli, 05 Nov 2014

Google puts down POODLE, now wants to eradicate breed

A trio of Googlers have released a tool to help sysadmins identify applications and services open to nasty transport layer security vulnerabilities such as POODLE, Heartbleed and Apple's gotofail. The dryly named nogotofail tool, written by Android engineers Chad Brubaker, Alex Klyubin and Geremy Condra, allows devs to set up a …
Darren Pauli, 05 Nov 2014

Hackers plunder Hilton 'HHonors' rewards points, go on shopping spree

Millions of Hilton HHonors* rewards points are being stolen, sold online and traded in by scammers for gift cards and goods. Points appear to be stolen through brute force attacks. One user on a forum has released simple capture code alleged to have been used to breach accounts protected only with a four-digit PIN on the Hilton …
Darren Pauli, 05 Nov 2014

Forging administrator cookies and crocking crypto ... for dummies

Security pro Laurens Van Houtven has created a free introductory cryptography course to help programmers lift their infosec game. The Crypto 101 book contains everything needed to understand complete systems including block and stream ciphers; hash functions; message authentication codes; public key encryption; key agreement …
Darren Pauli, 04 Nov 2014

Auditors find encrypted chat client TextSecure is secure

Popular text and instant messaging client TextSecure would offer excellent security ... if it patched an attack vector found by a German research team conducting the first audit of the software. The app was downloaded half a million times from the Android Play store and was built into the popular CyanogenMod Android operating …
Darren Pauli, 03 Nov 2014

NSW Govt spends half a million dollars on XP support

The government in the Australian state of New South Wales (NSW) has spent more than half a million dollars to allow eight state agencies to persist with Windows XP. Extended support for the operating system famously ended in April this year, four and a half years after the release of Windows 7, the Windows release often …
Darren Pauli, 03 Nov 2014

Remote code execution flaws fixed in tnftp and wget

The maintainer of the tnftp FTP client has patched a remote code execution vulnerability which affected operating systems including NetBSD, FreeBSD and Mac OS X. The flaw (CVE-2014-8517), which did not affect OpenBSD due to modifications, was patched over the weekend. Maintainer Luke Mewburn notified NetBSD (which ships tnftp) …
Darren Pauli, 03 Nov 2014

LastPass releases Open Source command line client

LastPass has published an open source command line application to provide terminal-loving devs with alternative access to their passwords and login data. The outfit says the app improves user security, with a growing list of commands that lets users edit their LastPass data. It also supports functions such as regular automated …
Darren Pauli, 02 Nov 2014

Microsoft patches GroupMe 'full account' hijack hole

Microsoft has patched a simple 'full-account takeover' flaw in its popular iOS and Android messaging client GroupMe. The app, once described as "utterly indispensable", had as of 2012 processed a whopping 550 million messages a month, and was downloaded 76,000 times from Google's Play Store. New York hacker Dylan Saccomanni said in …
Darren Pauli, 31 Oct 2014

Free government-penned crypto can swipe identities

The PLAID (Protocol for Lightweight Authentication of Identity) cryptography kit appears to be insecure. PLAID is a homebrew cryptography system designed by Centrelink - the Australian government agency that shovels out tens of billions a year in welfare payments. The system has been considered for use by US government agencies …
Darren Pauli, 31 Oct 2014

Google heads out the back with rifle, puts down POODLE

Google will destroy vicious POODLE in a pending update to its flagship Chrome browser. Update 40 will remove SSLv3 and the hard-to-exploit cookie-stealing Padding Oracle on Downgraded Legacy Encryption (POODLE) attack. Mountain View followed Redmond in its browser POODLE put-down after a single click FixIt SSLv3 disabler was …
Darren Pauli, 31 Oct 2014

Humanity now making about 41 mobes EACH SECOND

The world is now manufacturing just under 42 mobile phones a second thanks to an uptick in global production, IDC's presumably-very-tired handset-counters say. The firm's latest quarterly phone count found 327 million mobiles shipped in the year's third quarter. Do the math: there are 7,862,400 seconds in 91 days. Divide 327m by …
Darren Pauli, 30 Oct 2014

Carders offer malware with the human touch to defeat fraud detection

A new cybercrime tool promises to use credit card numbers in a more human way that is less likely to attract the attention of fraud-detection systems, and therefore be more lucrative for those who seek to profit from events like the Target breach. The "Voxis Platform" is billed as "advanced cash out software" that promises to …
Darren Pauli, 30 Oct 2014

DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned

Drupal websites that had not patched within seven hours of the disclosure of a "highly critical" SQL injection (SQLi) hole on 15 October are essentially hosed, the content management tool's developers say. Attacks against the vulnerability (CVE-2014-3704) in version seven of the content management system began "hours" …
Darren Pauli, 30 Oct 2014

BlackEnergy crimeware coursing through US control systems

Industrial control systems in the United States have been compromised by the BlackEnergy malware toolkit for at least three years in a campaign the US Computer Emergency Response Team has dubbed "ongoing" and sophisticated. Attackers had compromised unnamed industrial control system operators and implanted BlackEnergy on …
Darren Pauli, 29 Oct 2014