Darren Pauli

Humanity now making about 41 mobes EACH SECOND

The world is now manufacturing just under 42 mobile phones a second thanks to an uptick in global production, IDC's presumably-very-tired handset-counters say. The firm's latest quarterly phone count found shipped 327 million mobiles in the year's third quarter. Do the math: there's 7,862,400 seconds in 91 days. Divide 327m by …
Darren Pauli, 30 Oct 2014

Carders offer malware with the human touch to defeat fraud detection

A new cybercrime tool promises to use credit card numbers in a more human way that is less likely to attract the attention of fraud-detection systems, and therefore be more lucrative for those who seek to profit from events like the Target breach. The "Voxis Platform" is billed as "advanced cash out software" that promises to …
Darren Pauli, 30 Oct 2014

Drupalocalypse! Devs say it's best to assume your CMS is owned

Drupal websites that had not patched seven hours after the disclosure on a 'highly critical' SQL injection (SQLi) hole disclosed 15 October are hosed, the content management tool's developers say. Attacks against the vulnerability (CVE-2014-3704) in version seven of the content management system began "hours" after announcement …
Darren Pauli, 30 Oct 2014

BlackEnergy crimeware coursing through US control systems

Industrial control systems in the United States have been compromised by the BlackEnergy malware toolkit for at least three years in a campaign the US Computer Emergency Response Team has dubbed "ongoing" and sophisticated. Attackers had compromised unnamed industrial control system operators and implanted BlackEnergy on …
Darren Pauli, 29 Oct 2014

Cisco: We made UCS secure but need your help to finish the job

Cisco has released a hardening guide for its unified computing system (UCS) that reveals the company's servers do most things right - all manner of potentially-insecure services are off by default - but also offers plenty of suggestions to make sure risks don't increase during production. The document centres on hardening the …
Darren Pauli, 29 Oct 2014

Find My Phone does just one thing but Samsung's messed it up

Researcher Mohamed Baset has reported a zero day flaw that allows hackers to lock a host of Samsung phones with the lost device feature. Baset (@SymbianSyMoh) uploaded a proof of concept video to YouTube showing how to lock a Samsung phone using a cross site request forgery vulnerability in the Find My Mobile feature. Phones …
Darren Pauli, 29 Oct 2014

EvilToss and Sourface hacker crew 'likely' backed by Kremlin – FireEye

Russia is "likely" sponsoring a hacking outfit that targets foreign governments and security organisations, the US intelligence firm FireEye claims. "APT28", a group operating for possibly more than a decade, has attacked governments in Georgia, Eastern Europe, as well as NATO and the Organisation for Security and Co-operation …
Darren Pauli, 28 Oct 2014

Microsoft has Windows Server running on ARM: report

Microsoft looks to have created a version of Windows Server that runs on ARM processors. Loquacious sources close to Microsoft confirmed a "test version" of Windows Server is up and running, but the report from newswire Bloomberg was scant on other details. That's not a stunning feat: having developed Windows RT – a version of …
Darren Pauli, 28 Oct 2014

Intel bods to detail RSA birko crypto man-in-the-middle diddle

A pair of Intel security researchers will tomorrow delve into a class of dangerous vulnerabilities they found last month that allowed forged RSA certificates to be created by abusing the Mozilla Network Security Services (NSS) cryptographic library. Attendees at a Buenos Aires event will be walked through the fine points of how …
Darren Pauli, 28 Oct 2014

Knock Knock tool makes a joke of Mac AV

Security research and development bod Patrick Wardle has released a tool to reveal executables that automatically boot in Mac OS X. The Knock Knock tool was open source and built on an extensible framework to encourage the community to evolve the platform. Wardle, of consultancy Synack, said he designed the tool because he was …
Darren Pauli, 28 Oct 2014

Tor exit node mashes malware into downloads

A Tor exit node has been found slapping malware onto downloads as users exit the hidden network and enter the public web. Leviathan Security Group researcher Josh Pitts found the operator of the Russia-based node compromising binaries only a month after raising concerns of the possible attack. He created the Backdoor Factory …
Darren Pauli, 27 Oct 2014

Verizon Wireless token tracker triggers tech transparency tempest

Verizon Wireless is monitoring users' mobile internet traffic, using a token slapped onto web requests, to facilitate targeted advertising even if a user has opted out. The unique identifier token header (UIDH) was launched two years ago, and has caused an uproar in tech circles after it was re-discovered Thursday by Electronic …
Darren Pauli, 27 Oct 2014

Cisco patches three-year-old remote code-execution hole

A three-year-old dangerous remote code execution hole affecting Cisco kit has been patched. Researcher Glafkos Charalambous discovered the Telnet vulnerability (CVE-2011-4862), which was first reported by the FreeBSD Project in 2011. It was left unpatched up prior to 15 October this year in Cisco appliances. The International …
Darren Pauli, 24 Oct 2014

Yahoo! Timestamps! Now! Block! Facebook! Email! Snoops!

Facebook has begun using a Yahoo! email standard created in August last year to prevent snooping through the acquisition of old addresses. The standard dubbed dryly Require-Recipient-Valid-Since (RRVS) informs Facebook and others of the last point in time ownership of an email address was known. Facebook software engineer …
Darren Pauli, 24 Oct 2014

Moscow, Beijing poised to sign deal on joint cyber security ops

Moscow and Beijing will next month sign a deal to commence joint information security projects and operations, and to increase cooperation in the space, according to a popular Russian newspaper with ties to President Vladimir Putin. Kommersant owned by Russia's richest man and President Putin ally Alisher Usmanov reported ( …
Darren Pauli, 24 Oct 2014

Are there sounds on Mars? NASA launches audio athenaeum

Audiophiles at NASA have published more than 60 samples of historical space artefacts to the administration's Soundcloud account. The athenaeum opens up the opportunity to listen to some of space exploration's idiosyncratic oddities, including quips and musings between Houston and astronauts, pings from the distant Kepler, or …
Darren Pauli, 23 Oct 2014

Quick PHP patch beats slow research reveal

Patches have been flung out to cover vulnerabilities in PHP that led to remote code execution and buffer overflows. The flaws were detailed this week by Swiss researchers High-Tech Bridge in versions 5.4.33, 5.5.17 and 5.6.1 on a machine running Ubuntu 14.04.1 LTS and the Radamsa fuzzer. A patch issued last month for CVE-2014- …
Darren Pauli, 23 Oct 2014

Whistleblower behind PM's daughter scholarship leak must wait for fate

Freya Newman, the Sydney student who pled guilty to illegally using login credentials to leak documents about a scholarship awarded to the daughter of Australian Prime Minister Tony Abbott, won't learn her fate until November 25th. Magistrate Theresa O'Sullivan was due to sentence Newman at a packed Sydney court house at noon …
Darren Pauli, 23 Oct 2014

Pagers shout data center creds, pop star airport arrivals

Anyone wanting to know the time world leaders arrive in Australia for the coming G20 summit need only listen to broadcasts from Aussie airports, researcher Ed Farrell has claimed at the Ruxcon conference. News of VIP airport arrivals are just one of the interesting pieces of information the Sydney security consultant monitored …
Darren Pauli, 22 Oct 2014

Apple grapple: Congress kills FBI's Cupertino crypto kybosh plan

The FBI director James Comey's bid to have Congress kibosh default encryption appears to have publicly failed after senators said the proposal would be rejected. Republication and anti-surveillance crusader Zoe Lofgren told The Hill the G-Men's bid to have Congress wind back the crypto clocks would have "zero chance" of passing …
Darren Pauli, 22 Oct 2014

Chinese APT groups targeting Australian lawyers

Law firms are among Australian businesses being targeted by at least 13 Chinese advanced malware groups in a bid to steal intelligence from big business, says forensics bod and Mandiant man Mark Goudie. The attacks are well planned and rely on a combination of stealth and persistence in order to extract any and all valuable …
Darren Pauli, 21 Oct 2014

Carders punch holes through Staples

US office giant Staples is investigating a possible credit and debit card breach of its Northeastern stores. Evidence for the hack, reported by cybercrime and prolific breach blower Brian Krebs, is apparently based on a dozen fraud monitor sources within different US banks. Staples has contacted police and said it was …
Darren Pauli, 21 Oct 2014

Palo Alto Networks boxes spray firewall creds across the net

Misconfigured user identities for Palo Alto Networks firewalls are leaking onto the public web potentially exposing customer services including VPN and webmail, says security luminary HD Moore. The mess is a result of a user control module being allowed to operate in untrusted zones, rather than a vulnerability in Palo's kit. …
Darren Pauli, 21 Oct 2014

Visual voicemail hack makes your messages a snack

Sydney penetration tester Shubham 'Shubs' Shah has urged US and European researchers to probe their telco's voicemail security after he found accounts held by local telcos Vodafone and Optus were open to attack. The two telcos were vulnerable because design flaws mean neither limited the number of password guessing attempts in …
Darren Pauli, 20 Oct 2014

Oz privacy comish says breaches could double this year

The office of Australia's Federal Privacy Commissioner has received 60 voluntary data breach notifications in the six months since 12 March compared to 71 received in the 2014 financial year. The statistics provided to Vulture South and repeated at the Australian Information Security Association conference include all manner of …
Darren Pauli, 20 Oct 2014

FIRST standards to clean up messy CERTs

The global gathering of incident responders FIRST is spearheading a global standards effort to reform and unify the operations of government and large enterprise computer emergency response teams (CERTs). The Forum of Incident Response and Security Teams (FIRST) has tipped US$500,000 into the effort and has received backing from …
Darren Pauli, 20 Oct 2014

Facebook doubles ad-hacking bounty

Facebook has doubled the cash it will pay out to folks who report holes in its advertising code. The bounty will rise in a bid to entice hackers to report bugs found in its ads code following an internal security audit that squashed an undisclosed number of vulnerabilities. Security engineer Collin Greene said the Zucker-empire …
Darren Pauli, 17 Oct 2014

Securobods RAGE over $600k Kickstarter Tor box components

The developer behind Tor privacy router Anonabox has defended the product — which has so far attracted $600,000 in crowd funding — following allegations it was little more than a commercial off-the-shelf circuit board. August Gemar asked for $7,500 via Kickstarter to build the open source router box commercially. Accusations …
Darren Pauli, 16 Oct 2014

Adobe CSO offers Oracle security lesson: Go click-to-play

Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says. The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button …
Darren Pauli, 16 Oct 2014

Vulnerable utilities, telcos, top of new Aussie natsec centre's to-do list

The Australian Cyber Security Centre (ACSC) will increase its headcount from 90 to 150 as soon as possible, then grow to full capacity of 300 seats by year's end. The centre's opening was delayed to allow staff to move into the new Australian Security Intelligence Organisation (ASIO) building to avoid burning taxpayer dosh …
Darren Pauli, 16 Oct 2014

Roll your own Bitcoin client? Prepare to be raided

The engineer behind the Heartbleed checker has created a tool to hunt down wallets from poorly secured transactions that leak private keys. Filippo Valsorda released the Blockchainer tool to Github following a presentation at the Hack in the Box conference in Malaysia today. The CloudFlare engineer demonstrated how known flaws …
Darren Pauli, 15 Oct 2014

Forget passwords, let's use SELFIES, says Obama's cyber tsar

US cyber security tsar Michael Daniel wants passwords to die in a fire and be replaced by other mechanisms, including selfies. In an interview with the Christian Science Monitor Daniel said the death of passwords could signal a useful purpose for the much-beleaguered selfie. "Frankly I would really love to kill the password …
Darren Pauli, 15 Oct 2014

Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE

As warned by The Register, researchers have discovered a security vulnerability in SSL 3.0 that allows attackers to decrypt encrypted website connections. Miscreants can exploit a weakness in the protocol's design to grab victims' secret session cookies. These can be used to log into online accounts, such as webmail, social …
Darren Pauli, 14 Oct 2014

NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)

Gird your loins, sysadmins: The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent. (And indeed so it turned out to be - the Poodle vuln. You heard it here first. - Ed) Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is …
Darren Pauli, 14 Oct 2014

NSA Sentry Eagle placed spies in private companies

The National Security Agency (NSA) has since 2004 sent spies into private companies in a bid to compromise networks from within, according to documents leaked by Edward Snowden. Agents sent in by the NSA targeted global communications firms under a highly classified 'core secrets' program dubbed Sentry Eagle previously known …
Darren Pauli, 14 Oct 2014

'Dropbox passwords' for sale are all EXPIRED: Bitcoin buyers beware

Yet another fraudster is struggling to relieve suckers of their Bitcoin after publicly posting what's purported to be a cache of no less than 7 meellion Dropbox login credentials. A guest poster on Pastebin posted three documents, all claiming to be a subset of "the massive hack of 7,000,000 accounts". The posts said there are " …
Darren Pauli, 14 Oct 2014

VMware's tool to harden virtual networks: a spreadsheet

VMware has released a guide to hardening its NSX virtual networking and product. The guide published online by VMware information security professional Pravin Goyal, covers management, control and data planes. It recommends including audit logs and system events in backups, enabling and securing remote logging for the NSX …
Darren Pauli, 14 Oct 2014

Android's Cyanogenmod open to MitM attacks

More than 10 million users of the popular Cyanogen build of Android are exposed to man-in-the-middle (MitM) attacks thanks to reuse of vulnerable sample code. The zero day vulnerability makes it possible to target any browser used on the popular Android distribution. A security researcher who works for a top-tier vendor, but …
Darren Pauli, 13 Oct 2014

Heistmeisters crack cost of safecrackers with $150 widget

A pair of Melbourne security professionals have developed a $150 auto-dialer safe cracker that replicates a machine worth tens of thousands of dollars and sold only to military customers. The unit launches automatic brute force attacks against group two combination locks used in high-security environments like ATMs and gun safes …
Darren Pauli, 13 Oct 2014

US astrophysicist Neil deGrasse Tyson: US is losing science race

Rock star astrophysicist Neil Tyson says the United States has lost pole position in scientific research and its people must refocus on innovation rather than wait for "the next app". Tyson (@neiltyson), Carl Sagan's former student and the narrator of recent popular documentary series Cosmos: A Spacetime Odyssey, said …
Darren Pauli, 10 Oct 2014

Put down that shotgun: Wi-Fi's the way to beat Zombies

When the zombie apocalypse strikes, your saviour will be 802.11x, not Rick Grimes, hacker Tim Fowler says. While holed-up in an apartment block, survivors could locate nearby smart phones detected by their wireless mesh network of CreepyDOL sensors fortuitously purchased before the outbreak. The sensors would reveal MAC address …
Darren Pauli, 10 Oct 2014

Malware analysts tell crooks to shape up and write decent code

Blackhats beware: reverse engineers are laughing at your buggy advanced persistent threat (APT) malware. You've done pretty well though: your custom payloads were effective at breaking into enterprises and the damage it did was quite devastating. But many were being found and added to anti-malware signatures all too quickly. …
Darren Pauli, 10 Oct 2014

Pen-testers outline golden rules to make hacks more €xpen$ive

Not one administrator to rule them all, but a few: that's the advice offered by seasoned penetration testers Aaron Beuhring and Kyle Salous to enterprises wanting to be less attractive to hackers. In a presentation at the MIRCon 2014 conference in Washington the duo listed a series of low cost changes to access controls, …
Darren Pauli, 09 Oct 2014

Chatting to Al Qaeda? Try not to do that – Ex spy chief defends post-Snowden NSA

You have nothing to fear from the NSA: that is unless you're from outside the United States, or you arouse the agency's suspicion by chatting to Al Qaeda. "Try not to do that," was the advice given. The warnings come from former NSA chief General Keith Alexander, who told delegates at a security conference that the National …
Darren Pauli, 08 Oct 2014

Credit card thieves setting up safe seller certifications

In the world of carding, you get what you pay for: stolen cards are cheaper on riskier public trading forums and more pricey on closed more reliable markets, according to recent analysis. Since 2007, Michigan State University associate professor Thomas Holt, University of North Carolina assistant professor Olga Smirnova and Yi- …
Darren Pauli, 08 Oct 2014

Mandiant to probe gaps in rusty unpatchable utility systems

Mandiant has launched a managed gap assessment for industrial control systems (ICS) it says will help administrators deal with temperamental systems. It was a "light touch" for legacy or leviathan systems that could fall over in the event of tinkering or patching. Mandiant SCADA bod Dan Scali said the system was geared to …
Darren Pauli, 08 Oct 2014

What's happened since Beijing's hacker unit was exposed? Nothing

Chinese hacker unit PLA 61398 is hacking US companies harder than ever after bilateral talks between Beijing and Washington were interrupted by Snowden leaks, according to Mandiant boss Kevin Mandia. The hack squad, also known as APT1, was subject to a high profile exposure by the company in February last year. Its state- …
Darren Pauli, 08 Oct 2014

Aussie builds contactless card cloner app, shops at Woolies with fake card

Money hacker Peter Fillmore has created an Android app that can clone some of Australia's most popular contactless credit cards. In attacks that slipped beneath banks' and credit card providers' radars, the Aussie boffin probed the protocols behind Visa and Mastercard payment cards and proved the viability of an attack by …
Darren Pauli, 07 Oct 2014

FireEye, Singtel pull on SOCs in Sydney and Singapore

Telco and security giants SingTel and FireEye have injected $US50 million to establish two security operations centres (SOCs) in Sydney and Singapore as part of a new deal between the two companies to offer managed security services. The SOCs will run out of SingTel's network operation centre (NOCs) to leverage the telcos' …
Darren Pauli, 07 Oct 2014

Chinese researchers develop fuzzy search algorithm for encrypted cloud data

Chinese researchers from Nanjing University have developed an encrypted search mechanism which they say is both more productive and secure than existing systems. Existing systems can search encrypted data only for exact keyword matches and nothing similar. Authors of such systems can employ fuzziness to detect phrases (such as “ …
Darren Pauli, 06 Oct 2014