Darren Pauli

Alibaba security fail: Brute-force bonanza yields 21m logins

Up to 21 million accounts on Alibaba e-commerce site TaoBao may have been compromised thanks to stolen credentials reused on breached third-party sites. TaoBao is a seller-to-seller commerce site like Gumtree or eBay where users rely on reputation to secure the most sales. Reuters reports that China's Ministry of Public …
Darren Pauli, 08 Feb 2016

Celeb gossip site TMZ was pushing malware at innocent surfers

Celeb goss and dross site TMZ has been serving the world's worst exploit kit to its 30 million monthly visitors after malvertising scum compromised its advertising chain. Readers of the site can be automatically redirected to malicious pages that serve the brutal Angler exploit kit which loads malware capable of all manner of …
Darren Pauli, 08 Feb 2016

Reports: First death from meteorite impact recorded in India

One man is dead and three injured following a reported meteorite strike in India. Indian media report police officials saying the death was the result of an explosion on university grounds in the Southern town of Vellore that shattered windows and killed the unnamed bus driver. If confirmed it would be the first recorded …
Darren Pauli, 08 Feb 2016

Boffins smear circuitry onto contact lenses

University of South Australia associate professor Drew Evans has created proof-of-concept work that could in the future lead to computerised contact lenses. The conducting polymer lens is an early step into what could lead to circuitry being etched into contact lenses. The work is a combination of the University's Future …
Darren Pauli, 05 Feb 2016

Avast forked up its Chrome fork, so flings fix after Google goggles

Antivirus vendor Avast has patched a vulnerability in its very own fork of the Chrome browser. And a good job too: the vuln allowed remote attackers to completely compromise the platform. Avast's SafeZone browser is bundled with its 2016 security products. It's based on the Avastium fork of Chrome, which is of course Google- …
Darren Pauli, 05 Feb 2016

Go phish your own staff: Dev builds open-source fool-testing tool

Security-oriented programmer Jordan Wright has published a capable and slick open source framework to help businesses defend against phishing attacks. The anti-phishing tool runs on 64-and-32-bit Windows, Mac, and Linux, and allows tech shops to send benign phishing emails to their staff in a bid to track which employees fall …
Darren Pauli, 04 Feb 2016

Microsoft's malware mitigator refreshed, but even Redmond says it's no longer needed

Microsoft's enhanced mitigation toolkit (EMET) has been updated with support for Windows 10, but the company says you don't really need to download it any more. The defence tool is Microsoft's way of re-enforcing Windows versions from Vista to 8.1. Available since 2009, the tool has introduced the latest mitigation techniques …
Darren Pauli, 04 Feb 2016

Pentagon can't check F-35 maintenance thanks to insecure database

The US Pentagon is unable to check in on key maintenance of the hugely expensive F-35 Joint Strike Fighter (JSF) thanks to information security failings with a Lockheed Martin database. Engine and airframe maintenance data contained in the database is inaccessible because it is non-compliant with US Cyber Command's security …
Darren Pauli, 03 Feb 2016

Internet idiots make hoax bomb threats to UK, Aus, French schools

A gang of internet idiots are using voice-over-internet-protocol (VoIP) services to phone-in fake bomb threats to schools across the UK, France, and Australia in exchange for Bitcoins. The group operating under the scuppered @Ev4cuati0nSquad Twitter account have called in fake bomb threats to dozens of schools in those …
Darren Pauli, 03 Feb 2016

WordPress under attack by whack-a-mole ad-scam malware

Sucuri threat researcher Denis Sinegubko says a "massive" advertising scam campaign is affecting users visiting WordPress sites, injecting backdoors and constantly re-infecting sites. The prolific virus-destroyer (@unmaskparasites) says writers are injecting code into all JavaScript files on targeted WordPress sites. …
Darren Pauli, 03 Feb 2016

Brit boffins get green light to edit human genome

UK scientists have been given the green light to use the CRISPR gene editing technique to experiment on unused human embryos in what is described as a boon to biological research. The Human Fertilisation and Embryology Authority (HFEA) granted approval to London's Francis Crick Institute to explore the earliest moments of …
Darren Pauli, 02 Feb 2016

Chip chomped after debug backdoor found in Android phones

Budget smartphones from Lenovo, Huawei, and other largely Chinese brands contain an accidental backdoor that grants intruders root access. The confirmed affected smartphones run Chinese company MediaTek's MT6582 chipset and are exposed to unauthorised root access thanks to a debugging feature left over from development. The …
Darren Pauli, 02 Feb 2016

A RAT and a spammer both avoid the slammer

Two US hackers have escaped prison, receiving probation instead of time in federal coolers. Blackshades remote access trojan (RAT) co-creator Michael Hogue, 25, of Arizona, could have stared down five years prison for his role in developing the BlackShades remote access trojan but instead received the time on probation. His …
Darren Pauli, 01 Feb 2016

Netflix picks up Molly at university, scores harsh character assessment

Video streamer Netflix has deployed a prototype University of California, Berkeley, fault generating platform to find and fix five problems that otherwise could have affected users. The platform, dubbed MOLLY, is described in a 2015 Berkeley paper Lineage-driven Fault Injection [pdf] as a "novel approach for discovering bugs in …
Darren Pauli, 01 Feb 2016

VirusTotal bashes bad BIOSes with forensic firmware fossicker

VirusTotal can now analyse firmware for known malware, prying inside almost-hard-coded code for hidden executables. The service allows users to search for low-level infections in embedded devices and BIOS which could represent the handiwork of sophisticated malware or well-resourced or dedicated attackers. Security engineer …
Darren Pauli, 29 Jan 2016

Cisco drops 11 clock-crashing patches for 46 things, probes 142 more

Cisco has patched 11 remote denial-of-service and network time protocol vulnerabilities spanning at least 46 products and is investigating a further 142 offerings which may be affected. The patch bomb is an ongoing effort to crush the medium-severity CVEs that can allow unauthenticated attackers to mess with NTP servers …
Darren Pauli, 29 Jan 2016

Angler exploit kit now hooking execs with Xmas Flash hole

The Angler exploit kit is again sailing the cyber seas and pillaging with impunity, adding one of the more recent machine-hijacking Flash holes to its arsenal. The integration of Adobe Flash vulnerability (CVE-2015-8651) patched last month solidifies Angler's position as the most popular and effective exploit kit on …
Darren Pauli, 28 Jan 2016

Would you like fraud with that? Burger chain giant Wendy's 'hacked'

Wendy's – the third largest fast-food chain in the world – has become the latest retail giant to lose customers' credit card numbers to crooks, it appears. The possible security breach was flagged up today by investigative journalist Brian Krebs. We're told fraudulent activity on people's payment cards led bank staff to …
Darren Pauli, 27 Jan 2016

Medical data experiment goes horribly wrong: 950,000 records lost

American health insurer Centene Corp says it has lost 950,000 sensitive customer records stored on six hard drives. The drives hold customers' name and address, date of birth, Social Security numbers, and health information. Centene Corp boss Michael Neidorff says the company does not know if the information has been …
Darren Pauli, 27 Jan 2016

500Gbps DDoS attack flattens world record

The world's largest distributed denial of service attack has been clocked at 500Gbps, according to Arbor Networks. The attack was reported by a third party and is yet to be analysed, other than in terms of its size. British teen Seth Nolan-Mcdonagh likely held the title for the previous largest DDoS, which came in at 300Gbps …
Darren Pauli, 27 Jan 2016

Sena's multi-action camera monster, or Cardo's PackTalk club rider juggernaut?

Review Riding the twisties on a motorbike is the great escape for some of us; the scent of the air, the rush of wind, the push through the corners, and the sound of the engine. But it's not always an escape. The daily commute on a straight-as-a-board freeway is not much better than the bus, and it can be irritating to try to talk to …
Darren Pauli, 24 Jan 2016

Bounty hunters won't blink until you dangle US$1500 bug reward

Organisations that aspire to operate bug bounty programs should be prepared to pay at least $1500 for impactful vulnerability reports, according to Bug Crowd. A document and questionnaire published today by the managed bug bounty platform offers businesses the ability to pair their current security postures, revenue, and staff …
Darren Pauli, 22 Jan 2016

That one weird trick fails: Google binned 780 million ads last year

Google blocked 780 million malicious and annoying advertisements last year, up from 256 million in 2014. The company says it has destroyed more than 10,000 sites foisting software like download wrappers, which install adware and the like. This, it says, reduced the total unwanted downloads through Google ads by 99 percent. …
Darren Pauli, 22 Jan 2016

Ukraine energy utilities attacked again with open source Trojan backdoor

Battered Ukrainian electricity utilities are being targeted with backdoors in attacks possibly linked to those fingered for recent blackouts. The phishing attacks are attempting to get backdoors installed on utility company computers using techniques similar to those seen in the BlackEnergy attacks. BlackEnergy ripped through …
Darren Pauli, 21 Jan 2016

FireEye buys iSight Partners for $200M

Security giant FireEye has bought threat company iSight Partners for US$200 million, marking a notable consolidation in the sector. It brings the threat intel company, notable for its research into sophisticated and nation-state attacks, into the fold of the network security mammoth. FireEye will pay another $75 million in …
Darren Pauli, 21 Jan 2016

Dridex malware busting bursting British business bank balances

IBM threat analyst Limor Kessem says the Dridex trojan has been revamped and for the last fortnight has targeted rich UK bank accounts in an expensive and well-resourced campaign. The gang behind the malware, dubbed Evil Corp, released the update to Dridex detected 6 January such that it would go after the richest British …
Darren Pauli, 21 Jan 2016

Hot Potato exploit mashes old vulns into Windows System 'sploit

Shmoocon Foxglove Security bod Stephen Breen has strung together dusty unpatched Windows vulnerabilities to gain local system-level access on Windows versions up to 8.1. The unholy zero-day concoction, reported to Microsoft in September and still unpatched, is a reliable way of p0wning Windows for attackers that have managed to pop …
Darren Pauli, 20 Jan 2016

Ad-clicking bots predicted to rip US$7.2 billion from Mad Men

Botnets will inflict a massive US$7.2 billion in damages against online advertisers this year according to research by ad security company White Ops. Last year the industry was said to have lost US$5 billion, close to the $6.3 billion White Ops predicted in December 2014, thanks to the scourge of botnets that hugely inflate …
Darren Pauli, 20 Jan 2016

US publishes guide to hardening your arteries, security-wise, that is

The US Food and Drug Administration has issued draft guidance requiring medical device manufacturers to up their security game and report major incidents to the agency. Organisations building pacemakers, defibrillators, insulin pumps, and other hackable medical systems will need to be able to identify; protect; detect; respond …
Darren Pauli, 19 Jan 2016

Adblock Plus blocked from attending ad industry talkfest

Content crasher Adblock Plus says it has been uninvited from an advertising industry confab after paying a pricey entrance fee. The online advertising scrubber will have to stay home and sob after the Interactive Advertising Bureau reneged on its approval for the Annual Leadership bash in California this weekend. Adblock Plus …
Darren Pauli, 19 Jan 2016

20KB trojan turns on bank customers in Singapore, Indonesia

The infamous Tinba trojan has been updated and is now targeting people using online banking in the Asia Pacific region. Malware bods from security company F5 refer to the fifth iteration of the Windows software nasty as Tinbapore since it began moving 70 percent of its infection base to the region. About 30 percent of …
Darren Pauli, 19 Jan 2016

Zombie OS lurches through Royal Melbourne Hospital spreading virus

The pathology wing of the Royal Melbourne Hospital in the Australian state of Victoria is suffering from a virus infection on its Windows XP PCs. The hospital runs one of the southern state's largest networks and emergency departments. Its blood bank has fallen back to manual processes for processing blood, tissue, and urine …
Darren Pauli, 19 Jan 2016

KeysForge will give you printable key blueprints using a photo of a lock

32c3 Hackers have been gifted with an online web service that can produce blueprints for 3D printed keys from nothing more than a photograph of a lock. The KeysForge application developed by an academic trio drastically simplifies the complexities in developing keys, allowing amateurs to snap a photo of a lock and …
Darren Pauli, 18 Jan 2016

LastPass in 2FA lock down after 'fessing up to phishing attack

Shmoocon Cloud castle for passwords LastPass has introduced mandatory sign in requirements for all new devices after security researcher Sean Cassidy dropped code allowing criminals to plunder vaults with mirror-perfect phishing attacks. As of today, users who set two factor authentication will need to hop to their registered email …
Darren Pauli, 18 Jan 2016

Kiwi hackers crack crap algo, showcase 40c-a-litre DIY fuel discounts

Kiwicon New Zealanders could print their own non-expiring 40c fuel discount vouchers thanks to a shoddy algorithm that a hacking duo has broken. The algorithm developed by Countdown affects petrol stations operated by national energy provider Z and is designed as an incentive for consumers who shop at various supermarkets. Countdown …
Darren Pauli, 15 Jan 2016

Malware 'clearly' behind Ukraine power outage, SANS utility expert says

It is 'clear' the power outages experienced in the Ukraine last December were caused by a series of network-centric attacks against multiple utilities, says SANS industrial control system expert Michael J. Assante. The former chief security officer of the North American Electric Reliability Corporation, who previously oversaw …
Darren Pauli, 15 Jan 2016

Debug code cracked case in hunt for mystery Silverlight zero day

Kaspersky has revealed how it tracked an exploit developer's debug signature over months to find and report to Microsoft a dangerous, then zero-day vulnerability in Silverlight that could have placed millions of users at risk of compromise. The Russian security outfit reported (CVE-2016-0034) the bug late last year which was …
Darren Pauli, 14 Jan 2016

Brazilian whacks: as economy tanks, cyber-crooks samba

Brazil's economy may be hurtling towards recession but its online criminal underground is booming with wannabe hackers and carders racing to get a cut, research finds. Trend Micro's work is the latest in a series of papers it has published in recent months that examine regional online crime economies including North America, …
Darren Pauli, 13 Jan 2016

$30 webcam spun into persistent network backdoor

Vectra Networks security wonks have spun a cheap webcam into a backdoor to persistently p0wn PCs. The junk hacking expedition led Vectra's chief security chap Gunter Ollman into the internals of the D-Link DCS 930L, a network camera that can be had for US$30. The attacks are useful as an alternative backdoor for targeted …
Darren Pauli, 13 Jan 2016

Open Web Application Security Project issues new secure coding bible

The Open Web Application Security Project (OWASP) has published the third version of its developer security bible trimming the fat and offering peer-reviewed and tested means of building more secure apps. The Application Security Verification Standard Project (ASVS) is the carrot to OWASP's much-cited stick that is the Top 10 …
Darren Pauli, 12 Jan 2016

Turkish carder scores record 332-year jail term

A 26 year-old Turkish carder has received a record 332-year prison sentence for defrauding 54 customers. Onur Kopçak was charged after he stole and resold customer credit cards to other criminals. Turkish media report the man received a 135-year sentence for stealing 11 credit cards handed down by the Mersin third Criminal …
Darren Pauli, 12 Jan 2016

Drupal uncrosses fingers, promises secured patching

Drupal is switching to secured channels for updating its content management system, after IOActive security bod Fernando Arnaboldi reported it sought patches in the clear. More than a million sites use the popular content management system, making it a significant target for hackers. The vulnerabilities are not earth- …
Darren Pauli, 12 Jan 2016

Exploit kits throw Flash bash party, invite Crypt0l0cker, spam bots

Criminals behind some of the most potent exploit kits, Neutrino and RIG, are ramping up attacks slinging the latest ransomware and hosing users who have not applied recent Adobe Flash patches. The patched vulnerabilities permit code execution and allow the dangerous hacking kits to compromise user machines. The two above- …
Darren Pauli, 11 Jan 2016

Call of Duty terror jabber just mindless banter

Video Eye-watering claims that video games are secure communications hubs for terrorists have been shot down in a demonstration by security wonks who tested claims nation-states could not intercept chatter and that messages can be written in bullet holes. Playstation 4 was last year fingered as a favourite communications channel for …
Darren Pauli, 08 Jan 2016

Checkpoint chap's hack whacks air-gaps flat

32c3 Checkpoint malware men Yaniv Balmas and Lior Oppenheim have developed an air gap-hopping malware system that can quietly infect, plunder, and maintain persistence on networked and physically separated computers. The Israel-based duo pried apart and compromised KVMs (keyboard video mouse) units such that they …
Darren Pauli, 08 Jan 2016

Devs get malicious root app militia on Play Store, sell pumped up ratings

Google has punted from its Play Store 13 apps, including one installed a million times and capable of gaining persistent root, downloading additional apps, and leaving fake positive reviews. The Brain Test apps slipped past the Chocolate Factory's Google Verify Apps (formerly Bouncer) vetting system and were downloaded scores …
Darren Pauli, 08 Jan 2016

Plain cruelty: Boffins flay Linux ransomware for the third time

Probably the world's most tragically determined blackhat developers have had their revitalised Linux.Encoder ransomware pwned again by meddling BitDefender whitehats. The third iteration of the Linux.Encoder ransomware was unleashed on the world, infecting a paltry 600 servers before a crack team of security analysts returned …
Darren Pauli, 07 Jan 2016

Reverser laments crypto game protection, says wares dead after 2018

A top video-game cracker says cryptographic anti-reverse-engineering technology could put an end to the prolific rate of game piracy. The Chinese reverser, known affectionately as Bird Sister, Phoenix, or Fifi, has published a short blog noting that the encryption technology protecting the popular Just Cause 3 title. " …
Darren Pauli, 07 Jan 2016

Latvian coder released from clink after mega-millions bank raids

A hacker partly responsible for creating the highly sophisticated Gozi trojan that ripped tens of millions of dollars from victims has walked away with 21 months time served. New York district judge Kimba Wood ruled Deniss Calovskis, 30, had paid sufficient penalty for what is described as his minor role in developing Gozi. …
Darren Pauli, 07 Jan 2016

'You're updated!' Drupal says, with fingers crossed behind back

Drupal installations could be out of date and open to attack thanks to a borked update process that flags unpatched platforms as current. The popular content management system is used by more than a million sites making it a significant target for hackers. Indeed, in October 2014 attackers took mere hours to compromise untold …
Darren Pauli, 07 Jan 2016