Darren Pauli


Outlook for iOS does security STUPIDLY, says dev

Big Blue boffin Rene Winkelwyer has taken aim at Microsoft's iOS Outlook app, launched overnight, claiming it stores credentials in the cloud potentially even after delete requests, and does not observe known good security practices. The spray against the House That Bill Built followed an examination into the way the app handles …
Darren Pauli, 30 Jan 2015

A docket, tweet and selfie can reveal your identity, boffins find

Scientists have revealed it is possible to determine the identity of shoppers using credit card purchase and location metadata, in research that throws a spanner into national privacy laws. The research published in the journal Science found shopping receipts could be matched with four sources of external location data acquired …
Darren Pauli, 30 Jan 2015

iTunes Connect does developer shuffle

Apple has kicked off an impromptu game of musical chairs on iTunes Connect dropping developers into random accounts including one lucky punter who was allegedly handed Blackberry's portal. The glitch, which surfaced a few hours ago at the time of writing, has since been resolved after developers were randomly logged into …
Darren Pauli, 30 Jan 2015

Top smut site Flashes visitors, leaves behind nasty virus

A massive malvertising campaign leveraging the recent Adobe Flash zero day vulnerability has surfaced on popular* adult site xHamster, analysts say. The attack served the Bedep Trojan to the site's 500 million viewers a month through a surreptitious exploit on the landing page. It did not take advantage of the Angler exploit …
Darren Pauli, 29 Jan 2015

Mozilla dusts off old servers, lights up Tor relays

Mozilla has given the Tor network a capacity kick with the launch of 14 relays that will help distribute user traffic. Engineers working under the Foundation's Polaris Project inked in November pulled Mozilla's spare and decommissioned hardware out of the cupboard for dedicated use in the Tor network. It included a pair of …
Darren Pauli, 29 Jan 2015

Researcher says Aussie spooks help code Five Eyes mega malware

The Australian Signals Directorate (ASD) has refused to comment on allegations it had a hand in the creation of a keylogging module used by global spookhauses and considered almost identical to parts of the complex Regin malware. Security bods fingered its involvement due to a file path in the malware's code that referenced the …
Darren Pauli, 29 Jan 2015

Regin super-malware has Five Eyes fingerprints all over it says Kaspersky

The Regin malware, often described as the devil spawn of Stuxnet and Duqu, is the handiwork of the Five Eyes nation state spy apparatus, analysis reveals. The malware was named in November by researchers impressed with the smarts that helped it hide in plain sight for up to six years. Analysis overnight by Kaspersky malware …
Darren Pauli, 28 Jan 2015

Oz spooks hack, try to fry Middle East servers – report

Oz spies have reached across the Indian Ocean and meddled with the cooling controls of an unnamed Middle Eastern nation's servers hostile to Australia, according to reports. The Australian Financial Review offered scant detail on the attack that was based on multiple intelligence sources. The report claims the Australian …
Darren Pauli, 28 Jan 2015

'Super-secure' BlackPhone pwned by super-silly txt msg bug

Exclusive The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets. Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application. The impact …
Darren Pauli, 27 Jan 2015

Apple patch shields Macs from Thunderstrike

Apple will mute the Thunderstrike attack in an upcoming OS X patch, according to a report. Beta developers told iMore the OSX 10.10.2 release stops the attack and prevents firmware downgrades which could re-enable the vulnerability on patched machines. The Thunderstrike attack was revealed earlier this month by reverse engineer …
Darren Pauli, 27 Jan 2015

Jellybean upgrade too hard for Choc Factory, but not for YOU

Google says it won't patch Android Jellybean because it's too hard. The company revealed earlier this month that it would not fix vulnerabilities found in WebView, the core component used to render web pages on older Android devices. Android engineer lead Adrian Ludwig said it was too hard to squeeze a patch into Webview's …
Darren Pauli, 27 Jan 2015

P0wning for the fjords: Malware turns drones into DEAD PARROT

Hacker Rahul Sasi has found and exploited a backdoor in Parrot AR Drones that allows the flying machines to be remotely hijacked. The Citrix engineer developed what he said was the first malware dubbed Maldrone which exploited a new backdoor in the drones. Sasi (@fb1h2s) said the backdoor could be exploited for Parrot drones …
Darren Pauli, 27 Jan 2015

Snoopy Fujitsu tech KNOWS you'll click that link – before YOU do

The next time you hover over a suspicious link a little too long, or download from a questionable site, you might get a nudge from Fujitsu. The Japanese tech giant has, from the back of a 2000-head study, developed a tool capable of determining if a user was likely to be scammed and delivering a custom warning. Together with a …
Darren Pauli, 23 Jan 2015

Symantec data centre security software has security holes

Security bod Stefan Viehböck has detailed holes in Symantec's data centre security platforms that the company plugged this week because they allowed hackers to gain privilege access to management servers. The patches fix holes in the management server for Symantec Critical System Protection (SCSP) 5.2.9 and its predecessor Data …
Darren Pauli, 23 Jan 2015

Adobe finds, patches ANOTHER exploited Flash 0day

Another exploited zero-day vulnerability has been uncovered and patched in Adobe Flash, 24 hours after a second flaw in the popular web trinket was found being used in attack kits. Adobe is examining yesterday's zero day, picked up by French researcher Kafeine who spotted it after analysing a version of the popular Angler …
Darren Pauli, 23 Jan 2015

Google splashes $80k on Chrome 40 bug splatting

Google has patched 62 security vulnerabilities in Chrome 40 and handed out US$88,500 to bug hunters who spotted the problems. Of those fixes, 17 swatted dangerous memory corruption and use-after-free vulnerabilities in Chrome elements including FFmpeg, ICU and DOM. The Chocolate Factory's digital guardians pushed the flagship …
Darren Pauli, 23 Jan 2015

Netadmin wanted for 'terrible, terrible, awful job nobody wants'

Calling network administrators: do you want more stress? A fuller inbox? More demanding and ever-moving objectives? Then apply to be the next network administrator at the Children's Specialty Center of Nevada! The position offers generous benefit packages – and you'll need it for the extra cost of counselling and tissues to wipe …
Darren Pauli, 22 Jan 2015

Flash zero day under attack

A zero day Flash vulnerability is being actively exploited by criminals using the popular Angler exploit kit. Adobe is investigating the report by respected French malware researcher Kafeine, who found the exploit kit circulating on cybercrime forums. The vulnerabilities affected Flash Player versions up to 15.0.0.223 and the …
Darren Pauli, 22 Jan 2015

Remote code execution vulns hit Atlassian kit

Software development tools house Atlassian has patched critical vulnerabilities found in all versions of its Confluence, Bamboo, FishEye, and Crucible products. The company sent an email to its customers alerting them of the flaw that affected versions of Confluence up to 5.6.5, Bamboo up to 5.7, and FishEye and Crucible up to …
Darren Pauli, 22 Jan 2015

It's 2015 and default creds can brick SOHO routers

A hacker has detailed a series of tricks that can silently reboot or brick routers or activate admin functions. Many routers including Netgear and Surfboard models look to be affected, with most attacks requiring just victims' default universal credentials to be applied. Application security bod Joseph Giron detailed how …
Darren Pauli, 21 Jan 2015

SoShabby GoDaddy flings patch at domain hijack hole

Domain goliath GoDaddy has rushed to plug a vulnerability that allowed attackers to hijack registered sites. Pen tester Dylan Saccomanni dropped the Cross-Site Request Forgery (CSRF) bug on his blog after the company said there was no timeline for a fix. GoDaddy applied a fix less than 24 hours after the blog was published. " …
Darren Pauli, 21 Jan 2015

Google reveals bug Microsoft says is mere gnat

Google has reported a local file flaw affecting Windows 7 and 8.1 32- and 64-bit systems in the third vulnerability dropped since a spat with Microsoft erupted last week. The vulnerability that allowed a malicious Server Message Block version 2 server to force a client to open arbitrary local files was marked high severity by …
Darren Pauli, 20 Jan 2015

Video nasty: Two big bugs in VLC media player's core library

A Turkish hacker has revealed two zero-day vulnerabilities in library code used by the popular VLC media player and others. The data execution prevention (CVE-2014-9597) and write access (CVE-2014-9598) violation vulnerabilities could lead to arbitrary code execution, researcher Veysel Hatas said in a post. "VLC Media Player …
Darren Pauli, 20 Jan 2015

Possible Lizard Squad members claim hack of Oz travel insurer

Nearly 900,000 client records including names, addresses, and phone numbers have been stolen from travel insurer Aussie Travel Cover by a suspected member of the Lizard Squad hacking crew. The hacker released databases including those detailing customer policies and travel dates along with a list of partial credit card …
Darren Pauli, 20 Jan 2015

NSA: We're in YOUR BOTNET

The NSA quietly commandeered a botnet targeting US Defence agencies to attack other victims including Chinese and Vietnamese dissidents, Snowden documents reveal. The allegation is among the latest in a cache of revelations dropped by Der Spiegel that revealed more about the spy agency. The "Boxingrumble" botnet was detected …
Darren Pauli, 19 Jan 2015

Firefox 35 stamps out critical bugs

Mozilla has crushed nine bugs, some rather dangerous, in the latest version of its flagship browser. The fixes include a patch for a critical sandbox escape (CVE-2014-8643) in the Gecko Media Plugin used for h.264 video playback affecting Windows machines (but not OS X or Linux). Another critical hole addressed a read-after- …
Darren Pauli, 19 Jan 2015

AT LAST: Australia gets its very own malware

Australians are being targeted by a new variant of the Carberp malware under what appears to be renewed criminal interest in the antipodes. The modified trojan, Carberp.C, was spread through a spam operation masquerading as a payment invoice. Virus writers pushed the malware out a day after coding it, Symantec researcher …
Darren Pauli, 19 Jan 2015

Dongle bingle makes two MEELLION cars open to exploit

A Bluetooth dongle used to track driver habits for insurance purposes has been hacked, potentially allowing cars to be remotely hijacked, researcher Corey Thuen says. The attack targeted the SnapShot dongle offered by US company Progressive Insurance and used by two million American drivers, which collected vehicle location and …
Darren Pauli, 19 Jan 2015

Verizon sprints to crush FiOS account exposure hole

Up to five million user accounts, including email inboxes and private messages of Verizon's FiOS application, were exposed thanks to a flaw reported today. XDA senior software developer Randy Westergren said the FiOS API flaw since fixed allowed any account to be accessed by manipulating user identification numbers in web …
Darren Pauli, 19 Jan 2015

Please use TWO HANDS to access AdultFriendFinder

Four hosts are behind one in two typosquatting attacks against the top 500 websites, research has found. The hosts and their fellow fraudsters had registered domain names mimicking three-quarters of the internet's 500 most popular websites, say University of Leuven researchers Pieter Agten, Wouter Joosen, and Frank Piessens, who …
Darren Pauli, 16 Jan 2015

GRENADE! Project Zero pops pin on ANOTHER WINDOWS 0-DAY

Google has once again decided Microsoft's moving too slowly on the security front – by dropping yet another proof-of-concept attack against a Windows 7 and 8.1 bug that Redmond tried and failed to fix this week. The flaw is present in Windows on 32- and 64-bit architectures, and can accidentally disclose sensitive information or …
Darren Pauli, 16 Jan 2015

Apple wants your fingerprints in the cloud

Apple wants to collect and store your fingerprints to spread its payment service and simplify download authorisation. Cupertino aspires to upgrade its TouchID with the capability to collect, encrypt and upload fingerprints to Apple servers so that users can verify their identities with a single print matched to those stored …
Darren Pauli, 16 Jan 2015

Microsoft cracks personalisation without prying

A Microsoft research trio has developed an algorithm capable of eliminating user tracking in web search without the overheads of existing technology. The idea, to be presented next month and titled Bloom Cookies: Web Search Personalisation without User Tracking, uses a new type of flowery cookies that can tightly-encode user …
Darren Pauli, 15 Jan 2015

Got a GE industrial Ethernet switch? Get patching

GE is the latest industrial kit vendor to send users patching to protect against hard-coded credentials in Ethernet switches. IOActive disclosed the vulnerability to ICS-CERT, which issued this advisory (details here CVE-2014-5418 and here CVE-2014-5419). The vulnerability occurs in various GE Multilink managed Ethernet …

Cryptolocker 3.0 scum bounce victims over Invisible net

Cryptowall 3.0 uses Tor and its little sister I2P to carry chatter between victims and controllers keeping it away from researchers and law enforcement, French anti-malware crusaders say. Researchers Kafeine (@Kafeine) and Horgh (@Horgh_RCE) have released a technical analysis on the malware identified by Microsoft late last year …
Darren Pauli, 15 Jan 2015

Change the plan for Sat night, hackers. No more biz meetup eavesdrop LOLs

Cisco has patched four holes in WebEx that allowed attackers to gain access to video conferences and gain other administrative functions. The popular platform contained a cross site request forgery in versions 1.5 and below. Cisco slapped a moderate severity rating on the bug (CVE-2014-8031). "A vulnerability in the web …
Darren Pauli, 14 Jan 2015

Euro security agency says MORE crypto needed in gov policy

Governments need to build more privacy into legislation, technology vendors need to step up and compliance cops should crack down to push privacy-enhancing technologies out of the labs, says the European Union Agency for Network and Information Security (ENISA). The agency has issued a report, Privacy and Data Protection by …
Darren Pauli, 14 Jan 2015

AMD plugs firmware holes that allowed command injection

VID Chip maker AMD has patched holes across its firmware lines that could allow hackers to inject malware. Czech programmer Rudolf Marek reported the holes in the Trinity, Richland, Kaveri, and Kabini silicon series ahead of a disclosure at the Chaos Communications Congress. AMD's System Management Unit (SMU) firmware code within …
Darren Pauli, 14 Jan 2015

Instagram FLASHED YOUR PRIVATES to picture pervs

Instagram has plugged a flaw that allowed private pictures to be seen by anyone, under certain conditions. The flaw, reported by Quartz and since closed, meant all photos from formerly public accounts later marked private remained open. Photos on other social networks shared through Instagram could also be accessed, as the flaw …
Darren Pauli, 14 Jan 2015

Remember Corel? It's just entered .DLL hell

Local zero day vulnerabilities have been disclosed in Corel applications, potentially affecting more than 100 million users. The holes were dropped by Marcos Accossatto of Core Security after the doodleware company did not respond to his private disclosure. Corel has been contacted for comment. "Given that this is a client- …
Darren Pauli, 13 Jan 2015

This $10 phone charger will wirelessly keylog your boss

MySpace mischief-maker Samy Kamkar has released schematics for a dirt-cheap wireless sniffer capable of plundering keystrokes from office cubicles. The "Keysweeper" looks and functions like a generic USB phone charger, but conceals Arduino-powered sniffing gear within. The device targets Microsoft wireless keyboards and …
Darren Pauli, 13 Jan 2015

Router creds admin/admin? Lizard Squad thanks you

Console DDoSers Lizard Squad are using insecure home routers for a paid service that floods target networks, researchers say. The service crawls the web looking for home and commercial routers secured using lousy default credentials that could easily be brute-forced and then added to its growing botnet. Researchers close to a …
Darren Pauli, 13 Jan 2015

Security's revamped index of pain readies for release

The great unwashed has been afforded an opportunity to comment on a new scheme for classifying the severity of infosec vulnerabilities issued by the National Institute of Standards and Technology. The Common Vulnerability Scoring System (CVSS) is a pain-assessment index that offers a one-to-ten scale to describe vulnerabilities …
Darren Pauli, 12 Jan 2015

Google crashes supposedly secure Aviator browser

A spat between Google and Whitehat Security has erupted after engineers at the search giant revealed dangerous vulnerabilities found in the latter's anti-Google privacy-centric Chrome spin-off browser. The holes in the Aviator browser reported by Google security bods Justin Schuh and Tavis Ormandy described include a remote code …
Darren Pauli, 12 Jan 2015

Malware coders adopt DevOps to target smut sites

Linux-served porn sites may offer devs more than they bargained for after villains behind one of 2014's nastiest malware campaigns changed tactics to hit adult sites with stealthier wares. The Windigo campaign was revealed in March 2014 to have over the previous two years infected 25,000 Unix and Linux servers, with some 10,000 …
Darren Pauli, 12 Jan 2015

ASUS router-popping exploit on the loose

ASUS routers contain a vulnerability that turns users into admins, researcher Joshua Drake says. The boxes could be exploited by malicious local users, but not those on the wider internet, re-routing all users on the network to malicious sites, among other attacks. Drake wrote in an advisory that several popular models were …
Darren Pauli, 09 Jan 2015

NASA closing on fix for Opportunity rover's 'amnesia'

NASA says it's close to a fix for the flash memory problems plaguing the plucky Opportunity rover, which is now nearing its eleventh year of Martian trundling. The problems surfaced last year and created a form of amnesia that NASA boffins decided was caused by one of seven memory banks aboard the rover. The good news is that …
Darren Pauli, 09 Jan 2015

Post-POODLE, OpenSSL shakes off some fleas

OpenSSL has squashed eight low severity bugs that could result in denial of service or the removal of forward secrecy. The holes, two graded "moderate", were addressed in OpenSSL updates 1.0.0p, 0.9.8zd, and 1.0.1k. Maintainers wrote in an advisory that Cisco warned last October that a crafted Datagram Transport …
Darren Pauli, 09 Jan 2015

Latest NORKS Linux and Android distros leak

The latest copy of North Korea's in-house Red Star Linux has leaked to the internet and it looks a lot like OS X, computer science graduate Will Scott says. An unnamed source contacted Scott ahead of his talk on Red Star and North Korea computing at the Chaos Communications Congress last month and shortly after published the …
Darren Pauli, 09 Jan 2015

Pastebin: The remote backdoor server for the cheap and lazy

Malware writers are using the Pastebin web clipboard to host backdoor code, researcher Denis Sinegubko suggests. The code-sharing site was used to store code that was later tapped in attacks against websites running a vulnerable instance of the popular RevSlider plugin. Sinegubko, a Sucuri staffer known for his whitehat malware …
Darren Pauli, 08 Jan 2015