The Register Columnists

Darren Pauli


DARPA-derived secure microkernel goes open source tomorrow

A nippy microkernel mathematically proven to be bug free*, and used to protect drones from hacking, will be released as open source tomorrow. The formal-methods-based secure embedded L4 (seL4) microkernel was developed by Australian boffins at National ICT Australia (NICTA) and was part of the US Defense Advanced Research …
Darren Pauli, 28 Jul 2014

AusCERT chief Ingram steps down

Graham Ingram, the head of Australia's first Computer Emergency Response Team (AusCERT), has stepped down after 12 years in the role. Ingram joined the University of Queensland's AusCERT in 1993 and was on Friday replaced by the university's current incident response chief Thomas King. The incoming director said he wanted to …
Darren Pauli, 28 Jul 2014

Roll out the welcome mat to hackers and crackers

A clear and easy to read policy is key to developing a good internal bug bounty program, according to BugCrowd which has published guidelines to help businesses encourage the security community to report vulnerabilities. Bug bounties are an increasingly popular means to provide a legally safe avenue for security researchers to …
Darren Pauli, 25 Jul 2014

Four fake Google haxbots hit YOUR WEBSITE every day

One in every 24 Googlebots is an imitation spam-flinging denial of service villain that masquerades as Mountain View to sneak past web perimeter defences, according to security chaps at Incapsula. Villains spawn the "evil twins" to hack and crack legitimate websites and form what amounted to the third most-popular type of DDoS …
Darren Pauli, 25 Jul 2014

Boffins build FREE SUPERCOMPUTER from free cloud server trials

Researchers Rob Ragan and Oscar Salazar have built a free LiteCoin-mining botnet that generates $US1750 a week using free cloud signup promotions. The pair will outline the exploit at Black Hat next month, but have blabbed to Wired about how they used automatic tools and processes to spread a currency-mining botnet across some …
Darren Pauli, 25 Jul 2014

Watching smut at work is bad but emailing it is just fine, says Oz court

Voyeurs rejoice! The Federal Court of Australia has ruled Aussies cannot be easily sacked for emailing porn to work colleagues. The ruling upheld a decision last year by Fair Work Australia which found the nation's mail service Australia Post was wrong to have sacked the three workers at the Dandenong Letter Centre for emailing …
Darren Pauli, 24 Jul 2014

Researcher sat on critical IE bugs for THREE YEARS

Security outlet VUPEN has revealed it held onto a critical Internet Explorer vulnerability for three years before disclosing it at the March Pwn2Own hacker competition. The company wrote in a disclosure last week it discovered the vulnerability (CVE-2014-2777) on 12 February 2011 which was patched by Microsoft on 17 June (MS14- …
Darren Pauli, 24 Jul 2014

50,000 sites backdoored through shoddy WordPress plugin

Some 50,000 sites have been sprayed with backdoors from shonky malware targeting a popular and vulnerable WordPress plugin, according to researcher Daniel Cid. Sucuri founder Cid says the bodged malware can infect any site that resides on the server of a hacked WordPress website. The flawed plugin allowed attackers to "inject …
Darren Pauli, 24 Jul 2014

Copyright kingpins charged for sailing pirate Android app ships

US prosecutors have unsealed indictments against six men in connection with some of the biggest, albeit now defunct, Android piracy stores. The indictments relate to the operators of once popular pirate platforms Appbucket, Applanet and SnappzMarket which were slick sources of pirate Android apps (Application Package Files) …
Darren Pauli, 24 Jul 2014

PayPal post-checkout cash slurp a FEATURE not a BUG

An apparent flaw that lets users add any amount of money onto already processed PayPal transactions is a feature, not a bug, according to the payments giant. The function was designed to allow sellers to add additional costs for services like shipping on the top of transaction totals which customers had approved through the …
Darren Pauli, 23 Jul 2014

Attackers raid SWISS BANKS with DNS and malware bombs

Attackers suspected of residing in Russia are raiding Swiss bank accounts with a multi-faceted attack that intercepts SMS tokens and changes domain name system settings, researchers have warned. The attacks sported a clever implementation of malware that pointed victim machines to replica phishing bank sites when they attempt to …
Darren Pauli, 23 Jul 2014

NEW, SINISTER web tracking tech fingerprints your computer by making it draw

A new, persistent web-tracking technology has been used to track web users across many of the world's most popular websites, including those of the White House and even wholesale smut platform YouPorn. The canvas fingerprinting technique was described in 2012 by University of California researchers (PDF) as a means to …
Darren Pauli, 22 Jul 2014

Black Hat anti-Tor talk smashed by lawyers' wrecking ball

Boring Carnegie-Mellon University lawyers have scuppered one of the most hotly anticipated talks at the Black Hat conference – which would have explained how $3,000 of kit could unmask Tor hidden services and user IP addresses. The university did not say why it torpedoed the accepted talk, triggering speculation that it feared …
Darren Pauli, 22 Jul 2014

Snowden wants YOU – yes, YOU – to build spy-busting tech

National Security Agency leaker Edward Snowden wants the geeks of the world to develop anti-spying technology to prevent governments spying on their citizens. In a keynote address delivered to the Hope X hacker conference in New York City on Saturday, Snowden said encryption was the "first step" in fighting against government …
Darren Pauli, 21 Jul 2014

Students hack Tesla Model S, make all its doors pop open IN MOTION

Zhejiang University students have hacked the Tesla Model S with an attack that enabled them to open its doors and sun roof, switch on the headlights and sound the horn - all while the car was driving along. The hack was part of a competition at the annual Syscan conference in Beijing, where a prize of $US10,000 was offered to …
Darren Pauli, 21 Jul 2014

L33t haxxors compete to p0wn popular home routers

Gird your loins router-makers: a throng of hackers are set to pry apart your woefully insecure hardware in a competition to expose bad firmware and hard-coded credentials. The competition will take place at the DEF CON 22 conference and glories in the name "SOHOpelessly Broken". The event is the brainchild of the Electronic …
Darren Pauli, 18 Jul 2014

Chromecast hack Rickrolls Google's TV stick

Chromecast-owning households may be set to endure Rick Astley's ghastly oeuvre, thanks to a new device that can hijack victims' TV sticks and insert replacement content. Dan Petro's device, the "Rickmote", is a slick Raspberry Pi box that can knock the Google Chromecast video streaming utility off wireless networks allowing …
Darren Pauli, 18 Jul 2014

Flaws found in Bitdefender enterprise endpoint manager

Holes have been reported in Bitdefender's Gravity end-point protection platform that allow hackers to target corporate infrastructure. Researcher Stefan Viehbock of SEC Consult Vulnerability Lab said the flaw affecting the latest version provided an entry point for attackers to move laterally through the network. "Attackers are …
Darren Pauli, 17 Jul 2014

German NSA probe chief mulls spy-busting typewriters

Germany's government has mulled a return to typewriters in a bid to evade US spy agencies, according to the head of the nation's National Security Agency inquiry. The incredible decision came in response to a torrent of allegations that the NSA had spied on the German agencies and parties including Chancellor Angela Merkel. It …
Darren Pauli, 17 Jul 2014

Redmond may buy security company it says is wrong about AD flaw

Microsoft is reportedly in talks to buy Israeli security firm Aorato for $200 million after this week pouring cold water on its claim to have discovered a critical flaw in Active Directory. Aorato was founded by former Israeli Defense Force hackers and offers products that detect attacks against Active Directory. As …
Darren Pauli, 16 Jul 2014

Microsoft: You NEED bad passwords and should re-use them a lot

Microsoft has rammed a research rod into the security spokes of the internet by advocating for password reuse in a paper that thoroughly derails the credentials best practice wagon. Password reuse has become a pariah in internet security circles in recent years following a barrage of breaches that prompted pleas from hacked …
Darren Pauli, 16 Jul 2014

'Father of Zeus' banking trojan appears at very reasonable price

A banking trojan dubbed the father of the infamous Zeus malware is being flogged on cybercrime marketplaces for a pricey $7000, says fraud specialist Etay Maor. The Kronos malware was sold on a cybercrime forum, pitched particularly to Zeus trojan customers given its capabilities to re-use that trojan's form grabbing templates …
Darren Pauli, 15 Jul 2014

Flaw in Google's Dropcam sees it turned into SPYCAM

Hackers could inject fake video into popular home surveillance kit Dropcam and use the system to attack networks, researchers Patrick Wardle and Colby Moore say. The wide-ranging attacks were tempered by the need for attackers to have physical access to the devices but the exploits offer the chance to inject video frames into …
Darren Pauli, 15 Jul 2014

FBI: We found US MILITARY AIRCRAFT INTEL during raid on alleged Chinese hacker

A Chinese entrepreneur has been arrested for attempting to steal information on the United States' Lockheed F-22 and F-35 aircraft and Boeing's C-17 cargo plane. Su Bin – along with two uncharged Chinese co-conspirators – is alleged to have hacked into Boeing's corporate network as well as those of defence contractors in the US …
Darren Pauli, 14 Jul 2014

Popular password protection programs p0wnable

Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials. "Critical" vulnerabilities were discovered and reported in LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword in work described by the University of California …
Darren Pauli, 14 Jul 2014

Exploit emerges for LZO algo hole

Security Mouse security researcher Don A Bailey has showcased an exploit of the Lempel-Ziv-Oberhumer (LZO) compression algorithm running in the Mplayer2 media player and says it could leave some Linuxes vulnerable to attack. The LZO data compression algorithm was created by Markus Oberhumer in 1994 and was discovered to be …
Darren Pauli, 11 Jul 2014

Infected Chinese inventory scanners ship off logistics intel

A Chinese manufacturer has been accused of implanting malware that steals supply chain intelligence in its hand-held scanner firmware. Security firm TrapX says infected scanners have been sold to eight unnamed firms including a large robotics company. Variants of the malware broke into enterprise resource planning platforms to …
Darren Pauli, 11 Jul 2014

Sydney coppers clobber cabbie carder crims

Sydney police have swooped on a fraud ring that implanted skimmers into taxis to clone customers' credit cards. Police on July 1 arrested four men involved in the ring including a 29 year-old taxi driver at Chullora, nabbed a fifth chap later that day, and raided a Sydney CBD unit where 800 credit cards, a laptop and cloning …
Darren Pauli, 11 Jul 2014

Crusty API opened Facebook accounts to hijacking

A leftover API that Facebook forgot to kill has left accounts open to spammers and scammers, says security researcher Stephen Sclafani. The flaw means an attacker could view other users' messages and post status updates. Sclafani found that a then mis-configured endpoint, since patched, allowed legacy REST API calls to be made on behalf of …
Darren Pauli, 10 Jul 2014

Brute-force bot busts shonky PoS passwords

A botnet has compromised 60 point of sale (PoS) terminals by brute-force password attacks against poorly-secured connections, FireEye researchers say. The trio including Nart Villeneuve, Joshua Homan and Kyle Wilhoit found 51 of the 60 popped PoS boxes were based in the United States. The attacks were basic and targeted remote …
Darren Pauli, 10 Jul 2014

FireEye patches OS, torpedos Exploit-DB disclosure

FireEye has patched a series of publicly-disclosed flaws in its operating system (FEOS) that facilitated man-in-the-middle attacks and command injection. The vulnerabilities released over June affected versions NX, EX, AX, FX, and CM of the FEOS and were patched in the first individual security bulletin for the system. The …
Darren Pauli, 10 Jul 2014

That 'wiped' Android phone you bought is stuffed with NAKED SELFIES – possibly

It's hard being a security researcher. Several of them just had to view thousands of nude selfies pulled from second-hand phones and tablets for a campaign warning people who sell old devices. The beleaguered infosec bods saw 750 photos of naked women and 250 images of manhood from a pool of 40,000 photos still stored on a mere …
Darren Pauli, 09 Jul 2014

Facebook scuttles 250k-strong crypto-currency botnet

Facebook has taken down a Greek botnet that at its peak compromised 50,000 accounts and infected 250,000 computers to mine crypto-currencies, steal email and banking details and pump out spam. The scuttled Lecpetex botnet spread malware including the DarkComet remote access trojan by social engineering techniques and was adept …
Darren Pauli, 09 Jul 2014

Teensy card skimmers found in gullets of ATMs

A series of tiny and sometimes transparent card-skimming devices have been detected in ATMs across Europe, researchers say. Boffins with the European ATM Security Team (EAST) have plucked out and displayed some clever thumb-sized skimmers that hide from victims' view by fitting in cash terminals' gullets. The devices paraded in …
Darren Pauli, 09 Jul 2014

Doctor Who season eight scripts leak online

Scripts for the first five episodes of the yet-to-be-screened and highly-anticipated series eight of Doctor Who have been leaked online. The leak is said to have come from BBC Worldwide's new Miami office, which was arranging translation of the new series for non-English speaking markets. The scripts are said to bear a BBC …
Darren Pauli, 08 Jul 2014

Insecure AVG search tool shoved down users' throats, says US CERT

The US Computer Emergency Response Team (CERT) has warned users about software download sites' practice of including unasked-for downloads, after one such program - AVG's Secure Search toolbar - was found to be insecure. Known as "bloatware" or "foistware", unasked-for software is bundled into the installation wrappers used …
Darren Pauli, 08 Jul 2014

NORKS hacker corps reaches 5,900 sworn cyber soldiers - report

North Korea has doubled the number of government hackers it employed over the last two years according to military sources from the South. The allegations claim 5900 "elite" personnel were employed in Pyongyang's hacking unit, up from 3000 in 2012. The hackers had their crosshairs firmly fixed on Seoul but operate from bureaux …
Darren Pauli, 07 Jul 2014

Royal Commission probes Cbus over CFMEU privacy leaks

Australia's Royal Commission into union corruption will today examine if superannuation firm Cbus breached the Privacy Act by supplying customer account details to the Construction, Forestry Mining and Energy Union (CFMEU) as part of an alleged union campaign. It has been alleged that Cbus supplied private information on 300 …
Darren Pauli, 07 Jul 2014

Austrian Tor exit relay operator guilty of ferrying child porn

An Austrian man has been found guilty after child sex abuse material transited his Tor exit relay. IT administrator William Weber was charged in November last year after state police raided his home confiscating 20 computers, gaming consoles and devices after one of his seven global Tor exit relays funneled the illicit material …
Darren Pauli, 04 Jul 2014

PANDA chomps through Spotify's DRM

Music can be ripped from Spotify using a tool that cracks digital rights management copyright protection, a Georgia Tech University researcher says. Code dubbed Platform for Architecture-Neutral Dynamic Analysis - aka PANDA - posted to GitHub does the job, says researcher Brendan Dolan-Gavitt. "[The technique] by itself is just …
Darren Pauli, 04 Jul 2014

Hacked Israel Defence Force Twitter account spruiks nuke leak fears

Hacker outfit the Syrian Electronic Army (SEA) hours ago cracked Israel's Defence Force (IDF) Twitter account where it posted a fake warning of a possible nuclear leak due to rocket strikes. The group posted under the IDF (@IDFSpokesperson) account of a "possible nuclear leak in the region after two rockets hit [the] Dimona …
Darren Pauli, 04 Jul 2014

NSA man says agency can track you through POWER LINES

Forensics and industry experts have cast doubt on an alleged National Security Agency capability to locate whistle blowers appearing in televised interviews based on how the captured background hum of electrical devices affects energy grids. Divining information from electrified wires is a known technique: Network Frequency …
Darren Pauli, 03 Jul 2014

VSANs choking on VMware's recommended components

VMware has changed the recipe for its virtual storage area networks after some components it recommended were found out as not being up to the job. Virtzilla's notification of the change says it is being made because some “low-end IO controllers” it once recommended “offer very low IO throughput”. So low, in fact, that “the …
Darren Pauli, 03 Jul 2014

Brazilian baddies bank Boleto billions

Brazilian bad guys appear to have made an astonishing $US3.75 billion by scraping a tonne of tiny transactions from a popular payment system used by locals, RSA researcher Eli Marcus says. The carders operating a single fraud ring may have netted enough over the last two years to foot 80 percent of Brazil's $4.7 billion World …
Darren Pauli, 03 Jul 2014

MONSTER COOKIES can nom nom nom ALL THE BLOGS

Giant cookies could be used to create a denial of service (DoS) on blog networks, says infosec researcher Bogdan Calin. Such an attack would work by feeding users cookies with header values so large that they trigger web server errors. Calin created a proof of concept attack against the Google Blog Spot network after a customer …
Darren Pauli, 02 Jul 2014

Redmond's EMET defense tool disabled by exploit torpedo

Microsoft's Enhanced Mitigation Toolkit (EMET) tool can be deactivated and bypassed according to Offensive Security researchers. The exploit struck dead the latest standard and updated version 4.1 of EMET designed to make attacks more complex and expensive through the use of Address Space Layout Randomisation and Data Execution …
Darren Pauli, 02 Jul 2014

New Russian law punishes online 'extremism'

Foreign non-Government organisations, football hooligans and possibly even hacktivists could be jailed for six years for creating or sharing unpalatable content online under new anti-extremism laws signed off by Russian President Vladimir Putin on Monday. The laws use a loose definition of "extremism" that Russia Today reports …
Darren Pauli, 01 Jul 2014

Redmond reinstates infosec mailing list after Canadian law panic

Microsoft has resurrected its Lazarus security mailing list, following apparent confusion over Canada's Anti-Spam Law (CASL) that came into effect on July 1st. Redmond reversed an announcement Friday that it would shutter the Advanced Notification Service mailing list which would have forced email fans to get their infosec fix …
Darren Pauli, 01 Jul 2014

Dropbox used as command and control for Taiwan time bomb

A remote access trojan (RAT) is using Dropbox for command and control in a targeted attack against the Taiwanese Government, malware analyst Maersk Menrige says. The upgraded PlugX RAT is the first targeted attack to use Dropbox to update command and control settings, Menrige said, as distinct from other malware and ransomware …
Darren Pauli, 30 Jun 2014

Zero-knowledge proof crypto scheme divines truths from nothing

Princeton University scientists have applied a cryptographic proof to verify if nuclear weapons have been disarmed, in a move that could reduce global nuke stockpiles and even help verify electronic voting. The cryptographic scheme is a form of zero-knowledge proof first developed in the 1980s. Such proofs allow a party to prove …
Darren Pauli, 30 Jun 2014