Darren Pauli


It’s 2015 and we're being told not to send credit cards as cleartext

The payments card industry (PCI) council has reviewed its guidance to encourage businesses to stop slinging credit card data in cleartext by giving the tick to encryption solutions built from different components, rather than products that handle every step of data's journey from merchant to banker. The change is reflected in …
Darren Pauli, 03 Jul 2015

PureVPN calls pure BS on VPN insecurity study

Hong Kong virtual private network provider PureVPN has rejected claims in a study published this week that its service, among many other popular providers, is open to DNS hijacking, and has pushed fixes to shore up security. Research revealed earlier this week ruffled privacy feathers after five security bods identified that 14 …
Darren Pauli, 03 Jul 2015

Mastercard facial recog-ware will unlock your money using SELFIES

Mastercard will begin using selfies as a means to verify payments, it is being said. The "innovation" will allow some 500 pilot users to take a photo instead of punching in PINs, a move MasterCard chief product security officer Ajay Bhalla says will be popular with youth. Bhalla told CNN Mastercard partnered with all phone …
Darren Pauli, 03 Jul 2015

This box beams cafes' Wi-Fi over 4kms so you can surf in obscurity

Rhino Security founder Benjamin Caudill has created a tool to help privacy pundits (and criminals) connect to wireless networks from a distance of four kilometres, in a bid to foil eavesdropping authorities. The Proxyham Raspberry Pi hardware box is a complement to toolkits such as Tor that mask the source of web traffic. …
Darren Pauli, 03 Jul 2015

FBI updates Most Wanted cyber felons list, offers US$4.2m bounties

The mastermind of the Zeus trojan; a car scamming screwball; an identity thief; a malvertiser, and a keylogger monger: nail these five net crims to the wall and the FBI will pay you US$4.2 million. The agency has updated its 'Cyber Most Wanted'™ with the new hits who join the existing famous five hackers employed in the Chinese …
Darren Pauli, 02 Jul 2015

LG won't fix malware slinging bloatware update hole

The Budapest University of Technology and Economics' Security Evaluation and Research Laboratory (SEARCH-LAB) says "malicious attackers controlling the network are able to install arbitrary applications" on LG's Android phones, thanks to a flaw in their software update mechanism. The Lab says the flaw impacts "all Android …
Darren Pauli, 02 Jul 2015

20-yr-old Brazilian births 100 banking trojans

A 20 year-old Brazilian kid has pumped out more than 100 banking trojans selling each for around US$300 a pop, Trend Micro researchers say. The computer science student's extracurricular activities landed him the dishonourable title of his country's most prolific banking malware creator. Researchers say "Lordfenix", his chosen …
Darren Pauli, 02 Jul 2015

PeopleSoft p0wnage possible with a day of GPU brute-forcing

ERPScan researcher Alexey Tuyrin says hundreds of Oracle PeopleSoft users, including banks, are running publicly-exposed services that are open to a token-plundering vulnerability. The penetration tester says a breach could be worse than that of the Office of Personnel Management which recently lost millions of records in a hack …
Darren Pauli, 02 Jul 2015

A third of iThings open to VPN-hijacking, app-wrecking attacks

FireEye researchers have reported twin 'app-demolishing' iOS vulnerabilities, partially fixed by Apple in its latest update, that could wreck core apps such as the App Store and Settings. Researchers Zhaofeng Chen, Tao Wei, Hui Xue, and Yulong Zhang revealed the latest in five so-called Masque attacks that could wreck …
Darren Pauli, 01 Jul 2015

Script-blocker NoScript lets in ANYTHING from googleapis.com

Detectify security researcher Linus Särud has reported a weakness in popular Firefox security tool NoScript that allows attackers to have their malware whitelisted. The tool is used by some two million security-and-privacy-conscious folk who want to stop active content like JavaScript and Flash getting a foothold in their …
Darren Pauli, 01 Jul 2015

Identity protection outfit LifeLock picked, popped

Security researchers Eric Taylor and Blake Welsh have disclosed a cross-site scripting vulnerability in US identity protection company LifeLock. The duo from US outfit Cinder say the vulnerability allows attackers to target the company's three million users with malware and phishing attacks, session jacking, among other acts. …
Darren Pauli, 01 Jul 2015

Intel infosec folk TEE off open source app dev framework

A trio of Intel boffins have broken a vendor lock-down on trusted execution environments (TEEs) with the release of an open source framework that could help developers to build more secure apps. Intel wonks Brian McGillion, Tanel Dettenborn, and Thomas Nyman (plus N. Asokan of Aalto University and University of Helsinki) …
Darren Pauli, 30 Jun 2015

VPNs are so insecure you might as well wear a KICK ME sign

A team of five researchers from universities in London and Rome have identified that 14 of the top commercial virtual private networks in the world leak IP data. Vasile C. Perta, Marco V. Barbera, and Alessandro Mei of Sapienza University of Rome, together with Gareth Tyson, and Hamed Haddadi of the Queen Mary University of …
Darren Pauli, 30 Jun 2015

Amazon douses Fire phone man-in-the-middle diddle

MWR Labs researcher Bernard Wagner has reported three flaws in Amazon's Fire phone that could allow apps to facilitate man-in-the-middle attacks. Wagner says two Certinstaller (the CertInstaller tool enables the installation of certificates via various file formats) flaws allow apps to install certificates such that the large …
Darren Pauli, 30 Jun 2015

Sophos' putrid patch snuffs Citrix kit, kills call centre

A Sophos Web Appliance update has crashed users' PC fleets including knocking offline the Australian call centre of a global company for two days after support was quietly revoked for SSL 3.0 ciphers used in Citrix Receiver. The British security firm pushed out update version 4.0.2.3 last week to correct four non-critical issues …
Darren Pauli, 29 Jun 2015

Ransomware slinging exploit kit targets Flash remote code execution

Attackers have added a recent dangerous Adobe vulnerability to the Magnitude exploit kit, according to respected independent malware researcher "Kafeine". The remote code execution vulnerability (CVE-2015-3113) revealed last week allows attackers to hijack un-patched machines targeting Internet Explorer on Windows 7 and XP. Web …
Darren Pauli, 29 Jun 2015

Blackhats using mystery Magento card stealers

Sucuri infosec researcher Peter Gramantik says carders are exploiting an unknown vulnerability to steal billing information from e-commerce sites that use eBay's Magento platform. Gramantik found an attack script that plunders POST data and identifies valuable payment data before storing it as an encrypted image file. He says …
Darren Pauli, 29 Jun 2015

Rivalry heats up as VXers bake Fobber crypto clobber

A malware development squad is so determined to thwart meddling white hat researchers that it has produced a trojan riddled with obfuscation techniques and neurotic encryption. The Fobber banking trojan is based off Tinba version two, regularly hops between programs, and is distributed through the elusive and dangerous HanJuan …
Darren Pauli, 26 Jun 2015

Vegan eats BeEf, gets hooked

Botnet slaughterer Brian Wallace has created a module to detect when attackers are using the popular browser-busting BeEF hacking framework. The Chrome extension codenamed Vegan allows victims to detect when attackers have hooked their web browser instances using the enormously powerful Browser Exploit Framework. Vegan could …
Darren Pauli, 26 Jun 2015

Facebook! exfiltrates! Yahoo! security! boss!

Facebook has poached NSA-clashing Yahoo! security man Alex Stamos to head up its infosec operations. The hire means Menlo Park has filled a three-month vacancy left when security boss Joe Sullivan, who oversaw a crackdown on Facebook scammers and scum, left for Uber. Stamos fittingly announced his migration on his Facebook …
Darren Pauli, 26 Jun 2015

Dyre banking VXers LOVE Mondays, Symantec says

Nobody can accuse trojan coders of being lazy; the masterminds behind the Dyre banking malware are putting in full five-day working weeks to maintain some 285 command and control servers handling stolen banking credentials. The malware is one of the worst in circulation using its fleet of command and control servers to handle …
Darren Pauli, 25 Jun 2015

BlackShades privacy raiding web rat gets five years in US cooler

Swedish BlackShades co-creator Alex Yucel has been sentenced to nearly five years in a US cooler for selling and distributing the remote access trojan (RAT). Yucel, 25, pled guilty in February in a New York court to slinging the perverted mutation of a legitimate system administration tool and was forced to forfeit US$200,000 in …
Darren Pauli, 25 Jun 2015

NOD32 AV remote root wormable hack turns corporate fleets to meat

Google Project Zero bod Tavis Ormandy has disclosed a "trivial" means of remotely hacking the ESET NOD32 antivirus platform. Ormandy's finding prompted the Slovak company to rush out a patch a day before his disclosure overnight. The remote-root exploit is potentially wormable and, he said, of practical value to criminals. "Any …
Darren Pauli, 25 Jun 2015

Killer ChAraCter HOSES almost all versions of Reader, Windows

Get patching: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defences. The accomplished offensive security researcher (@j00ru) presented findings at the Recon security conference …
Darren Pauli, 24 Jun 2015

Triple glitch grounds ALL aircraft in New Zealand

A trinity of network failures led to the grounding of all aircraft in New Zealand yesterday. Just four minutes of outage ended up keeping planes on the ground for two hours, affecting 200 flights on 23 June. It cut off radar systems and forced traffic controllers to revert to manual systems to land some of the fifty aircraft …
Darren Pauli, 24 Jun 2015

RubyGems slings patch at nasty redirect trojan holes

Get patching: new vulns in the RubyGems developer distribution platform could expose millions of users to malicious redirects. The hole (CVE-2015-3900), since patched, means clients could be pushed to Gem servers hosting malicious content even if HTTPS is employed. Attackers further benefited since RubyGems Gems Server Discovery …
Darren Pauli, 24 Jun 2015

Feds count Cryptowall cost: $18 million says FBI

Cryptowall authors have wrought some US$18 million in damages on US users and businesses alone, according to the FBI. The Cryptolocker-imitation ransomware family has etched itself as one of the most prolific and capable since it was first detected in April 2014. Global damage reported to the US agency is likely considerably …
Darren Pauli, 24 Jun 2015

Slippery Silk Road spook will plead guilty to duping dealers

A US Secret Service information security bod is going to enter a guilty plea to pilfering US$820,000 in Bitcoins from scuttled drug souk the Silk Road. Shaun W. Bridges admitted to harvesting the anonymous currency before cashing out at the then Mt Gox Bitcoin exchange and going into hiding. “Mr. Bridges has regretted his …
Darren Pauli, 23 Jun 2015

Pirate captain blasts Google for its 'mystery' Chrome blob

Pirate Party captain Rick Falkvinge has weighed into the Google Chrome 'listening blob' debate, saying Mountain View silently downloaded an 'eavesdropper' to Chrome users' machines. The row arose last week, when Debian users first noticed that The Chocolate Factory was dropping the blob on their machines. Falkvinge rejects …
Darren Pauli, 23 Jun 2015

Redmond: IE Win 8.1 defence destroying hack ain't worth patch, natch

HP security research bod Dustin Childs says the company couldn't get Microsoft to patch an IE exploit, so it's gone public. Childs says the Address Space Layout Randomisation (ASLR) hole affects millions of 32bit systems and should have been patched. He says his former paymasters at Redmond did not consider the bug 'worth it' …
Darren Pauli, 23 Jun 2015

Phishing gone: eBay patches to block session-jacking Magento holes

Vulnerability Lab researcher Hadji Samir says eBay has squashed three vulnerabilities in its Magento shopping platform that could permit session hijacking and man-in-the-middle attacks. The penetration tester disclosed this month the vulnerabilities along with proof-of-concept videos showing how attackers could steal session …
Darren Pauli, 22 Jun 2015

Dev probes bad proxies, writes white hat checker, black hat DIY guide

Developer Christian Haschek is building an online tool to allow users to check whether their free proxy is potentially harvesting their details, or is one of the few to be relatively secure. The ProxyChecker service allows users to enter the IP address and port of their favourite free proxy service, to see if it is messing with …
Darren Pauli, 22 Jun 2015
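The teaser above describes a service that tests whether a free proxy tampers with traffic. The check below is an added illustration of the same idea, not Haschek's ProxyChecker code: the same canary page is fetched directly and through the proxy, and the two responses are compared for injected scripts, HTTPS links rewritten to HTTP, and response headers the origin never sent (for instance a tracking cookie). The two responses here are constructed sample data so the check runs offline; the `Response` type, the canary markup, and the header names are assumptions for the example.

```python
"""Heuristic tampering check for an HTTP proxy (added example, runs offline).

A real run would fetch a canary URL twice, once directly and once through
the proxy under test, and hand both responses to check_proxy().  The two
responses below are constructed by hand for demonstration.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict   # response header name -> value
    body: str       # decoded response body


SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
HTTPS_LINK_RE = re.compile(r"https://[\w./-]+", re.I)


def body_digest(body: str) -> str:
    """SHA-256 of the body; any difference means the proxy touched the page."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def injected_scripts(direct: Response, proxied: Response) -> list:
    """Script tags present in the proxied page but absent from the direct one."""
    known = set(SCRIPT_RE.findall(direct.body))
    return [s for s in SCRIPT_RE.findall(proxied.body) if s not in known]


def downgraded_links(direct: Response, proxied: Response) -> list:
    """HTTPS links in the original page that appear as plain HTTP via the proxy
    (the classic SSL-stripping pattern)."""
    hits = []
    for link in sorted(set(HTTPS_LINK_RE.findall(direct.body))):
        stripped = "http://" + link[len("https://"):]
        if stripped in proxied.body and link not in proxied.body:
            hits.append(link)
    return hits


def added_headers(direct: Response, proxied: Response) -> dict:
    """Response headers that the origin did not send (e.g. injected cookies)."""
    origin = {k.lower() for k in direct.headers}
    return {k: v for k, v in proxied.headers.items() if k.lower() not in origin}


def check_proxy(direct: Response, proxied: Response) -> dict:
    """Compare the two fetches and flag anything a clean proxy would not do."""
    findings = {
        "body_modified": body_digest(direct.body) != body_digest(proxied.body),
        "injected_scripts": injected_scripts(direct, proxied),
        "downgraded_links": downgraded_links(direct, proxied),
        "added_headers": added_headers(direct, proxied),
    }
    findings["suspicious"] = bool(
        findings["injected_scripts"]
        or findings["downgraded_links"]
        or findings["added_headers"]
    )
    return findings


# Constructed sample responses (assumed canary page; not real captures).
DIRECT = Response(
    200,
    {"Content-Type": "text/html"},
    '<html><head><script src="/app.js"></script></head>'
    '<body><a href="https://bank.example/login">Log in</a></body></html>',
)
PROXIED = Response(
    200,
    {"Content-Type": "text/html", "Set-Cookie": "trk=abc123"},
    '<html><head><script src="/app.js"></script>'
    '<script src="http://ads.example/inject.js"></script></head>'
    '<body><a href="http://bank.example/login">Log in</a></body></html>',
)

if __name__ == "__main__":
    for key, value in check_proxy(DIRECT, PROXIED).items():
        print(f"{key}: {value}")
```

A body hash alone is too blunt for real pages (dynamic content differs between two honest fetches), which is why the check reports the specific classes of change separately; in practice the canary should be a static page you control.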

Two foreigners, a desert and a jeep full of bank statements

On-Call: Welcome again to On-Call, our weekend regular in which we share readers' tales of odd things that happen at odd times in odd places. This week, reader Alex tells us he once worked in the Saudi Arabian capital of Riyadh, for a major bank. “There had been a bunch of problems, which meant the customer account statements were …
Darren Pauli, 21 Jun 2015

BIG RED BUTTON exploits Redis flaw to fix Redis flaw

Reckless sys admins rejoice: entrepreneurial security bod Ben Murphy has created a daring quick patch for the popular Redis data structure server. Murphy (@benmmurphy) created an alluring red Hot Patcher™ button that when pushed will exploit a flaw in Redis in order to patch a Lua sandbox bypass vulnerability he disclosed this …
Darren Pauli, 19 Jun 2015

Drupal flicks fix to nix OpenID admin account hijack hole

Drupal has shuttered a flaw in its implementation of OpenID that allows attackers to log in as web site administrators. The flaw (CVE-2015-3234) is the most critical of four and affects versions six and seven of the content management system. Drupal's security team say attackers can target unpatched systems if they hold an …
Darren Pauli, 19 Jun 2015

LinkedIn reveals invitation-only bourgeois bug bounty

LinkedIn has revealed the closed-door bug bounty program it has run for the last eight months, paying out $65,000 in vulnerability rewards along the way. But the company is keeping the door to the scheme firmly closed. The if-you-need-to-ask-you'll-never-know bounty is designed to cut the noise from the signal so that only …
Darren Pauli, 19 Jun 2015

Most SAP HANA installs poppable with default keys, hacker says

ERPScan technology boss Alexander Polyakov says default security settings are exposing passwords and root keys in SAP HANA to external attackers. Attackers can use universal default keys to decrypt encrypted passwords used by the in-memory, column-oriented, relational database management system. Polyakov says administrators are …
Darren Pauli, 19 Jun 2015

Reddit joins the HTTPS-only stampede

Reddit will soon be served over HTTPS only as part of wider moves to secure the web. The Front Page of the Internet™ began serving its user-curated pages over secure sockets layer last September, in an effort that took some nine months to complete. The site has now decided that as of 29 June it will begin pushing all traffic to …
Darren Pauli, 18 Jun 2015

Firefox preps processor revamp under Project Electrolysis

Mozilla looks ready to revamp its Firefox web browser so tabs and user interfaces can run in separate processes. The feature has appeared in a nightly testing version of the browser and has been in lengthy development under Project Electrolysis. Developer Dan Mircea says the feature is activated by default in nightly builds and …
Darren Pauli, 18 Jun 2015

DuckDuckGrow: Privacy search soars 600% after Snowden dumps

Privacy-first search aggregator DuckDuckGo has grown a whopping 600 percent since NSA whistleblower Edward Snowden began revealing the extent of the US spying apparatus. The search engine uses sites including Wikipedia, Yandex, Yahoo!, Bing and Yummly and offers users bare-bones search results without the personalisation …
Darren Pauli, 18 Jun 2015

Phone scamming up 30 percent last year: Report

Retail and finance call centre phone scamming in the US is up 30 percent according to research. The 2014 findings are based on some 86 million scam calls a month picked up by Pindrop Security in which attackers aimed to obtain personal information on potential victims. The phone security company says one in 2200 calls are …
Darren Pauli, 18 Jun 2015

Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X

Six university researchers have revealed deadly zero-day flaws in Apple's iOS and OS X, claiming it is possible to crack Apple's password-storing keychain, break app sandboxes, and bypass its App Store security checks. Attackers can exploit these bugs to steal passwords from installed apps, including the native email client, …
Darren Pauli, 17 Jun 2015

Three exposed Brit's privates with sloppy survey code

Hacker Joseph Redfern has reported a privacy flaw at UK telco Three, which exposed names and email addresses in online surveys. The telco shuttered the offending survey site and the exposed API, which returned the private information as JSON when a user entered data. Redfern says the flaw meant any phone number could be …
Darren Pauli, 17 Jun 2015

AdBlock aims to send filthy malverts on one-way LSD trip

Enterprises will be able to stem the remaining revenue stream for online news outlets using a new network-wide feature launched today for popular browser extension AdBlock Plus. The extension, modified under the ongoing AdBlock Plus for Administrators project, will make it easier to deploy across technology device fleets by …
Darren Pauli, 17 Jun 2015

Google to shell out up to $58k for new Nexus epic pwnage

Researchers can score up to US$58,000 for bypassing core Nexus security mechanisms with a remote exploit under an expansion of Google's bug bounty program launched today. The top payments under the Security Rewards program are for bypasses of controls that Google uses to minimise exploitation risks. Hackers can land the most …
Darren Pauli, 17 Jun 2015

Blackhats exploiting MacKeeper hole to foist dangerous trojan

Last month's MacKeeper vulnerability is now being exploited in the wild to hijack Apple machines, according to BAE security researcher Sergei Shevchenko. The hacker says criminals are using social engineering to trick users into installing malware capable of exfiltrating data using a then zero-day vulnerability in the notorious …
Darren Pauli, 16 Jun 2015

British banks consider emoji as password replacement

British outfit Intelligent Environments says it is in discussions with online banks to sell what it says is the first authentication scheme to replace passwords with emojis. The company claims emojis have 480 times more permutations than four-digit passcode equivalents, a statistic we've struggled to verify independently. …
Darren Pauli, 16 Jun 2015

Bing to encrypt search traffic by default

Microsoft product manager Duane Forrester says it will encrypt all Bing search traffic later this year. Forrester says the move follows Cupertino's 2014 decision to allow users to opt-in to HTTPS for web searches. "Beginning this (Northern hemisphere) summer, we will begin the process of encrypting search traffic by default," …
Darren Pauli, 16 Jun 2015

Westpac buys stake in Canberra crypto king QuintessenceLabs

Australian banking goliath Westpac will become a substantial stakeholder in Canberra-based QuintessenceLabs (QLabs) and use the outfit's quantum key distribution technology for its internal infrastructure. QLabs commercialises research from the Australian National University to produce quantum key distribution (QKD) and random key …
Darren Pauli, 16 Jun 2015

Uber petitions page p0wned, thanks to textbook code

Uber has pulled its petition sites offline after a hacker exploited web vulnerabilities to lodge 100,000 fake votes and redirect visitors to rival Lyft. The hacker, known only as "Austin", could not be reached at the time of writing. Uber has been contacted for comment. Austin says the petition site Uber hoped to use to lobby …
Darren Pauli, 15 Jun 2015