Darren Pauli


Slack whacks global account hijack holes

Hipster collaboration platform Slack has shuttered an access control bypass that allowed users to hijack any account. The flaws reported by security researcher David Viera-Kurz lay in twin path traversal and access control bypasses. Slack paid Viera-Kurz US$9000 for privately reporting two flaws under its bug bounty program …
Darren Pauli, 21 Oct 2016

Fruity hacking group juiced by Microsoft's October patch parade

Kaspersky Labs researcher Anton Ivanov says an advanced threat group was exploiting a Windows zero day vulnerability before Microsoft patched it last week. Microsoft says the graphics device interface vulnerability (CVE-2016-3393) allowed attackers to gain remote code execution and elevation of privilege powers. Ivanov's …
Darren Pauli, 21 Oct 2016

Spam scum ping global blacklists to wreck rep

Malware authors are consulting IP blacklists designed to help fight spam in a bid to avoid detection and increase inbox hit rates. The novel abuse allows malware authors to determine if they have infected clean and benign machines. "This malware is interesting because it contains a hardcoded list of commonly known blacklist …
Darren Pauli, 21 Oct 2016

Google pays $100k to anti-malware crusader Giovanni Vigna

Anti-malware machine and head of the Shellphish DARPA Grand Challenge bronze-medallist team has won US$100,000 from Google for security research efforts. University of California Santa Barbara doctor Giovanni Vigna landed Google's Security, Privacy and Anti-Abuse award for his long line of research into malware detection. …
Darren Pauli, 21 Oct 2016

Security research tool had security problem

Security researchers and the networks they rely on were at risk of breach by the hackers they investigate, thanks to now mitigated man-in-the-middle holes in a popular plugin for analysing debugger OllyDbg. The debugger disassembles binaries, making it a handy way to understand an application's workings without having access …
Darren Pauli, 20 Oct 2016

Kids today are so stupid they fall for security scams more often than greybeards

Millennials are more likely to fall for tech support scams than baby boomers, Microsoft says. The findings are revealed in a recent Microsoft study that saw it poll peeps in the United Kingdom, the United States, Australia and nine other countries. Redmond's not revealed the number of respondents. Tech support scams take on …
Darren Pauli, 20 Oct 2016

Reading this? Then you can pop root shells on Markvision enterprises

Lexmark has patched two dangerous vulnerabilities in its Markvision enterprise IT analysis platform that grant remote attackers god-mode system access over the internet. The platform is used by tech shops to manage thousands of devices. Researchers with San Antonio-based security consultancy Digital Defence reported the twin …
Darren Pauli, 20 Oct 2016

Crims cram credit card details into product shots on e-shops

Hackers are going to considerable lengths to hide credit cards stolen from websites victimised in a wave of recent attacks, weaving the data into working images of products sold online. The tricks are part of a wave of attacks targeting some 6000 Magento e-commerce sites The Register reported last week. Sucuri remediation …
Darren Pauli, 19 Oct 2016

Audit sees VeraCrypt kill critical password recovery, cipher flaws

Security researchers have found eight critical, three medium, and 15 low-severity vulnerabilities in a one month audit of popular encryption platform VeraCrypt. The audit is the latest in a series prompted by the shock abandoning of TrueCrypt in May 2014 due to unspecified security concerns claimed by the hitherto trusted …
Darren Pauli, 18 Oct 2016

'Dyre' malware re-surfaces as 'TrickBot', targets Australian banks

Malware now targeting Australian users could be based on one of the world's worst banking trojans. Fidelis malware mangler Jason Reaves says the TrickBot malware has strong code similarities to the Dyre trojan, a menace that ripped through Western banks and businesses in the US, the UK, and Australia, inflicting tens of …
Darren Pauli, 18 Oct 2016

ShadowBrokers put US$6m price tag on new hoard of NSA hacks

A group thought linked to a Russian hacking outfit has moved to cash in on its cache of likely NSA exploit tooling, by offering it in exchange for 10,000 Bitcoins. The group known as "ShadowBrokers" wrote that they will release a password to a public encrypted cache of alleged NSA tools and exploits. It is the second cache …
Darren Pauli, 17 Oct 2016

Mozilla users >50% HTTPS

More than half of Mozilla users are now using HTTPS. Mozilla developer Josh Aas says the browser baron's telemetry reveals more than 50 percent of page requests were made via HTTPS, an effort helped along by the Let's Encrypt initiative which hands out free HTTPS certificates. Aas says it was the first time the benchmark had …
Darren Pauli, 17 Oct 2016

Outlook-on-Android alternative 'Nine' leaked Exchange Server creds

Staff logging into Exchange Server through a popular app could have placed their enterprise credentials at risk through a since-closed vulnerability. The Nine app which has clocked up to a million downloads on the Google Play store would shout Microsoft Outlook login credentials over insecure connections thanks to a bug that …
Darren Pauli, 17 Oct 2016

More than half of Androids susceptible to ancient malware

One of the world's most prolific Android malware instances is still the most prevalent piece of malware more than two years after it first emerged. The capable trojan known as Ghost Push infects Android up to version five, aka Lollipop, still employed by about 57 per cent of all users. Ghost Push won't run on Android version …
Darren Pauli, 17 Oct 2016

Facebook's un-Liked ~900 security flaws in five years

Facebook has paid security researchers US$5million in five years, after they found vulnerabilities in its platforms and quietly disclosed them under its bug bounty program. The Social Network™ runs a well oiled bounty program and pays generously when it receives notice of flaws and working proof-of-concepts, provided they are …
Darren Pauli, 14 Oct 2016

'Pork Explosion' flaw splatters Foxconn's Android phones

Security researcher Jon Sawyer says a limited backdoor has been found in some Foxconn-manufactured Android phones, allowing attackers to root phones they have in hand. The backdoor is the result of a debugging function left over in Foxconn apps bootloader code which can be exploited by attackers wielding appropriate software …
Darren Pauli, 14 Oct 2016

Google splats 21 bugs in Chrome 54 patch run

Google has patched 21 bugs in its Chrome web browser, closing six high-severity holes along the way. Mountain View paid US$29,133 for the bugs including a top pay out of US$7500 (CVE-2016-5181) for a universal cross-site scripting hole in Blink, and US$5500 (CVE-2016-5182) for a heap overflow in the same web browser engine. …
Darren Pauli, 14 Oct 2016

Time to crack down on sales of dragon's gold - securobods

Security researchers have urged gaming companies to crack down on virtual currency auction and sales sites, reckoning criminals are cashing in to launder stolen money. The research team at Trend Micro says most black hats steal the currency using online game exploits or by using malware and phishing to compromise players, …
Darren Pauli, 13 Oct 2016

Hackers pop 6000 sites on active 18-month carding bonanza

Hackers have installed skimming scripts on more than 6000 online stores and are adding 85 each day in a wide-scale active operation that may have compromised hundreds of thousands of credit cards. Dutch developer Willem de Groot found the malware infecting stores running vulnerable versions of the Magento ecommerce platform. …
Darren Pauli, 13 Oct 2016

Carders bag stylish sack shop Vera Bradley

American retail chain Vera Bradley has been breached by hackers who stole a yet unknown number of credit cards. The breaches affect customers shopping at its 112 stores and 44 outlets between 25 July and 23 September this year, but not its website. Attackers of unknown origin broke into the fashionable gravity-defying pouch …
Darren Pauli, 13 Oct 2016

Snowden investigator slams leaker-detector background checks

A former top US Government investigator looking into classified document leaks by Chelsea Manning and Edward Snowden has criticised the effectiveness of background checks - saying such checks will not prevent further leaks. Keith Lowry, formerly US chief of staff to the deputy under secretary of defense for Human intelligence …
Darren Pauli, 12 Oct 2016

NASA opens ISS to private sector modules

NASA has opened the door to allow private sector companies to add modules to the International Space Station (ISS). The US space agency will begin this year to offer private sector organisations the potential to build out the 17-year-old station. Agency administrator Charles Bolden says the effort is a bid to foster a " …
Darren Pauli, 12 Oct 2016

Adobe on patch parade to march out 83 bugs

Adobe has patched 83 vulnerabilities in its Reader, Acrobat, and Flash offerings including remote code execution holes. The former apps soaked up 71 patches centred on use-after-free, memory corruption, and buffer overflow vulnerabilities that lead to code execution. A dozen remote code execution flaws are plugged in Flash …
Darren Pauli, 12 Oct 2016

Stickers emerge as EU's weapon against dud IoT security

The European Commission is readying a push to get companies to produce labels that reveal the security baked into internet-of-things things. The labelling effort is part of a broader push to drive companies to better handle security controls and privacy data in the notoriously insecure and leaky devices. Deputy head of …
Darren Pauli, 10 Oct 2016

Command line coffee machine: Hacker shuns app so he can stay at the keyboard for longer

Zimperium researcher Simone Margaritelli has hacked his coffee machine finding a way to brew coffee using the command line. Margaritelli (@evilsocket) says he reverse engineered the app used to control the Smarter AM coffee machine. It means hackers can choose to ignore apps when they need a coffee and instead stumble over to …
Darren Pauli, 10 Oct 2016