Darren Pauli


Netflix's house of cards to be fortified with HTTPS appliance

Netflix will this year roll out HTTPS to keep customers' viewing habits secret. The streaming company's April earnings letter (PDF) says it will make the move because it "helps protect member privacy, particularly when the network is insecure, such as public wifi, and it helps protect members from eavesdropping by their ISP or …
Darren Pauli, 17 Apr 2015

Governments lodge just 10 subpoenas for GitHub user info

Law enforcement agencies find GitHub geeks so boring they submitted a paltry ten subpoenas last year to gain information on 40 of the site's eight million active accounts. GitHub's transparency report for requests received during 2014 reveals information was provided to legal requesters in seven of these cases and about half of …
Darren Pauli, 17 Apr 2015

Public exploit crashes Minecraft servers

A huffy hacker has published detailed steps for anyone to pull off an 'easy' Minecraft exploit capable of causing servers to crash. Developer Ammar Askar dropped the hack which allows attackers to send malformed packets that can crash Minecraft servers by exhausting its memory. The exploit publication comes two years after …
Darren Pauli, 17 Apr 2015

India tech firms BAIL OUT of Facebook's free access Internet.org

Indian companies have skedaddled from Facebook's Internet.org initiative to supply free internet to under-served countries on the grounds that the scheme is anti-competitive. The free content ad network's plan aims to offer access for free websites and applications signed onto the scheme over participating internet providers. …
Darren Pauli, 16 Apr 2015

D-Link router patch creates NEW SOHOpeless vuln

Hacker Craig Heffner says D-Link has not only failed in its bid to patch its DIR-890L router but has managed to introduce a new vulnerability instead. The Tactical Network Solutions router wrecker says D-Link's quadcopter-esque AC3200, reviewed elsewhere as "the most insane router in the history of mankind", is open to …
Darren Pauli, 16 Apr 2015

Borg routers open to repeat remote DoS attack

Remote attackers can send some Cisco routers into a continuous denial of service funk by rebooting network processor chips with a crafted attack. The high-severity hole (CVE-2015-0695) affects the IOS XR software in Cisco ASR 9000 Series Aggregation Services routers running Typhoon-based cards, the second-generation of line …
Darren Pauli, 16 Apr 2015

Dropbox launches 'limitless' bug bounty

Dropbox has launched a no-limit bug bounty program, back-paying US$14,875 so far for previously and newly-reported vulnerabilities. The HackerOne bounty, which supplements the company's external penetration testing efforts, is unusual in offering back payment for critical vulnerabilities that white hat hackers had already …
Darren Pauli, 16 Apr 2015

There's TOO MANY data-leaking healthcare firms, growls Symantec

Security software company Symantec is being drenched in calls from breached health organisations that have lost devices or suffered an information security snafu. Some 80 per cent of the calls its incident response team has received since December are from healthcare firms, topping the charts for the number of breach incidents …
Darren Pauli, 15 Apr 2015

Don't collect bugs, invest in fly-spray says bug bounty operator

Kate Moussouris says security defenders should spend cash to acquire and build the tools of the bug hunting trade rather than dole out cash for warm bodies or endless zero day. The chief policy officer for bug bounty outfit HackerOne and former Microsoft security boffin says in new research that defenders need to catch up to …
Darren Pauli, 15 Apr 2015

Verizon, NetFlix, KFC ad-men pay traffic cons $500k a month

Gergő Varga reckons Verizon, Fedex, and Smirnoff are being robbed of half a million dollars a month by advertising scammers. The risk boffin and founder of advertising security outfit Enbrite.ly says the telco, transport and tipple trio, which also includes Netflix and KFC, are paying for fraudulent ad clicks. "A relatively …
Darren Pauli, 15 Apr 2015

Apple splats Safari flaw affecting a BEELLION iThings

Jouko Pynnönen, a security chap with Finnish firm Klikki Oy, has found a since-patched bug he says could affect a billion Apple iDevices. Pynnönen says the cross-domain vulnerability in Safari's file transfer URL schemes allows attackers to modify website HTTP cookies and have documents loaded from malicious sites. "An attacker …
Darren Pauli, 15 Apr 2015

Dev gives HBO free math tips to nail Game of Thrones pirate leakers

Developer Bruno Cauet has offered HBO a series of mathematical equations that could have tracked the Game of Thrones season five leaker, or even killed the leak completely. The massively popular series thought to be HBO's most profitable production was rocked over the weekend when a leaker, thought to be a translator with an …
Darren Pauli, 14 Apr 2015

Android gets biometric voice unlocking

Google is deploying what it calls Trusted Voice to allow Android users to unlock phones using their voice, according to reports. The feature is filed under the Choc Factory's Smart Unlock feature which sports easier unlock mechanisms like Trusted devices, places, and faces. Once activated, it would allow punters to unlock their …
Darren Pauli, 14 Apr 2015

Unpatched 18-year-old Windows man-in-the-middle diddle revived

Security boffin Brian Wallace has revived an 18-year-old Windows bug affecting at least 31 top vendors, which could allow an attacker to steal usernames and passwords from millions of Microsoft boxes. The respun vulnerability, dubbed Redirect to SMB, requires victims to visit or be pushed to a malicious server which could steal …
Darren Pauli, 14 Apr 2015

USA is home to largest number of data perves, study finds

The US is home to the largest number of data perverts, according to research. The research Where's Your Data (pdf) reveals more American Tor dark net lurkers had viewed 1568 supposedly legitimate personal details, and credit card and social security numbers in a spreadsheet than any of the other 22 countries where snoops' …
Darren Pauli, 13 Apr 2015

Credit card factories given new secure manufacturing rules

The world's payment card producers have released the latest guidelines to help interested businesses to protect payment data. Version 1.1 of the PCI Card Production Security Requirements (pdf) modifies and introduces features for physical and logical security advising on everything from printing PINs to guarding vaults. The …
Darren Pauli, 13 Apr 2015

Bulgarian Bill Gates blagger busted, banged up, again: report

A Bulgarian carder has been arrested withdrawing money from stolen cards four years after he was accused of plundering the bank account of Microsoft mogul Bill Gates. Bulgarian national Konstantin Simeonov Kavrakov, 31, was arrested last Thursday in the Philippines pulling cash from ATMs, local media report. Kavrakov was jailed …
Darren Pauli, 13 Apr 2015

Wi-Fi hotspots can put iPhones into ETERNAL super slow-mo

A vulnerability fixed in this week's Apple patch run can easily brick iPhones, researchers say. The flaw (CVE-2015-1118) dubbed "Phantom" allows attackers who can trick users into changing their iDevice proxy settings to tap into multiple use-after-free vulnerabilities. Doing so causes constant ubiquitous app crashing including …
Darren Pauli, 10 Apr 2015

+5 ROOTKIT OF VENGEANCE defeats forces of gaming good

Security boffins Joel St. John and Nicolas Guigo have developed a rootkit-like gaming cheat system they say bests anti-cheating mechanisms. The iSec Partners hackers say the anti-cheating platforms in use by the world's most popular games cannot stop cheating and actually increase the attack surface open to hackers. In a …
Darren Pauli, 10 Apr 2015

All Mac owners should migrate to OS X Yosemite 10.10.3 ASAP

Swedish hacker Emil Kvarnhammar has reported a since-fixed four-year-old local root 'backdoor' in OS X that allows remote attackers to increase the damage of their hacks. Kvarnhammar says the unpublished API, which he dubs a backdoor, grants root access to local users on unpatched boxes. The flaw (CVE-2015-1130) is fixed in Apple's …
Darren Pauli, 10 Apr 2015

iOS, OS X apps sent into infinite dizzy DoS by this one weird kernel bug

Kenton Varda has found a 'weird' kernel bug used in Apple gear that could result in trivial denial of service by remote attackers. The hacker and LAN gamer bod says the Darwin kernel vulnerability (CVE-2015-1105) now patched by Cupertino for iOS and OS X is "no Shellshock" but could cause apps like Google Chrome to crash and …
Darren Pauli, 09 Apr 2015

Denial of service attacks pour through rift in Network Time Protocol

Red Hat security chap Miroslav Lichvar has revealed two vulnerabilities in the widely used and open-source Network Time Protocol daemon (NTPd) that allow attackers to mess up people's clocks. Lichvar reported the two since-patched holes in which packets without proper message authentication codes are accepted regardless (CVE- …
Darren Pauli, 09 Apr 2015

LG monitor software quietly kills UAC, dev says

German developer Christopher Bachner has alleged LG monitor software is quietly disabling User Account Control (UAC), putting Windows punters at risk of malware infection. Introduced with Windows Vista and available on higher Microsoft platforms, UAC boosts security by restricting applications to standard user privileges unless …
Darren Pauli, 09 Apr 2015

DARPA-funded team says it can SMELL Android malware

A trio of DARPA-backed Iowa State University researchers have developed a tool to help speed up Android malware analysis. The Security Toolbox developed by the DARPA blue team uses features including 'smells' which sport stronger heuristics to flag possible signs of hidden malware badness. Benjamin Holland, Tom Deering, and …
Darren Pauli, 09 Apr 2015

Google Ads go NUCLEAR, foist exploit kit

Security bod Maarten van Dantzig says a large number of Google ads sold through Bulgarian reseller EngageLab have been pointing users to the dangerous Nuclear exploit kit. The Fox-IT binary basher found the campaign, which may at the time of writing have been subject to the Choc Factory's boot, could result in a "very large" …
Darren Pauli, 08 Apr 2015

FBI to WordPress users: patch now before ISIL defaces you

The United States Federal Bureau of Investigation (FBI) has issued a warning to WordPress users: hurry up and patch your content management system before your web site is defaced by ISIL sympathisers. The Bureau has issued a notice titled "ISIL defacements exploiting WordPress vulnerabilities" in which it warns that "Continuous Web …
Darren Pauli, 08 Apr 2015

Most top corporates still Heartbleeding over the internet

A depressing 76 percent of the top 2000 global organisations have public facing systems still exposed to Heartbleed, researchers say. The exposure means attackers could nab passwords, login cookies, private cryptographic keys and more using the vulnerability first disclosed 12 months ago. Australia is the least-repaired nation …
Darren Pauli, 08 Apr 2015

Popular crypto app uses single-byte XOR and nowt else, hacker says

A programmer claims the makers of a popular encryption app have failed to implement its core feature: encryption. The hacker, using the alias NinjaDoge24, analyzed the NQ Vault app, which supposedly encrypts files on smartphones and other gadgets. Ninja claims the software used only XOR (exclusive or) and a single-byte key to …
Darren Pauli, 07 Apr 2015

Choc Factory's king codec serves 25 BEELLION Tube hours

Users have watched 25 billion hours of YouTube videos encoded with Google's VP9 codec, which the company says brings the net closer to instant high-quality bufferless video. The Choc Factory's open source VP9 is designed as a replacement for the popular patented H.264 and HEVC codecs and is particularly valuable for mobile user …
Darren Pauli, 07 Apr 2015

Linux Australia hacked, warns personal details exposed

The names, phone numbers and street and email addresses of delegates for Linux Australia conferences and PyCon have been exposed in a server breach. The March attack was detected two weeks ago and is revealed in an email to Linux Australia members. Linux Australia's server held information on delegates to its popular annual …
Darren Pauli, 07 Apr 2015

This tool detects then ATTACKS evil twin access points

Mohamed Idris has created a tool to help network administrators discover and DoS rogue access points. The EvilAP Defender open source tool published to GitHub can be run by admins at intervals to determine if attackers are attempting to get their users to connect to malicious networks. Those evil twin attack networks are …
Darren Pauli, 02 Apr 2015

Energy utilities targeted by Office-spawned recon attack tool

Malware writers are targeting international energy utilities with a new trojan that creates beachheads to enable subsequent more advanced attacks. Symantec security boffin Christian Tripputi says the campaign, detected in the first two months of 2015, has a particular focus on creating beachheads on petroleum and gas utilities …
Darren Pauli, 02 Apr 2015

Mozilla project spits out threat modelling tool for sysadmins

A trio of university undergraduates have worked with Mozilla to create an online threat modelling tool designed to help system administrators better understand the threats they face. The open source SeaSponge tool, developed under Mozilla's Winter of Security initiative, sports a graphical flow its designers say could be a …
Darren Pauli, 01 Apr 2015

This one weird trick deletes any YouTube flick in just a few clicks

Security bod Kamil Hismatullin has disclosed a simple method to delete any video from YouTube. The Russian software developer and hacker found videos can be instantly nuked by sending the identity number of a video in a post request along with any token. Google paid the bug hunter US$5000 for the find along with $1337 under its …
Darren Pauli, 01 Apr 2015

Ebay snuffs malware upload bug

Hacker Aditya Sood has disclosed two vulnerabilities in eBay that allow hackers to upload files for drive-by-download attacks. The security bod (@AdityaKSood) told ThreatPost the flaws allow attackers to upload malicious content that appears to be benign. Once uploaded to eBay, malware can be sent to victims using direct links …
Darren Pauli, 31 Mar 2015

Pre-Snowden NSA grunts wanted to nix phone spying: report

Even before Edward Snowden spilled the beans on the National Security Agency's (NSA's) extensive surveillance programs, high-level US bureaucrats were considering spiking the program. So says The Associated Press, thanks to unnamed sources who told the wire service the mass surveillance was disappointing as a counter-terrorism …
Darren Pauli, 31 Mar 2015

Unlimited stolen Uber accounts flogged for $5

Fraudsters are flogging an 'unlimited' number of stolen Uber accounts containing personal details and limited credit card data for less than $5. The accounts are being flogged on Tor hidden service AlphaBay and have forced the taxi company to investigate a possible breach. Credit cards in the stolen accounts thankfully only show …
Darren Pauli, 30 Mar 2015

Starry-eyed hackers stuff Eurovision's voting app

The Eurovision Song Contest has been targeted by obsessed hackers who stuffed the voting ballots during the final qualifier song performance. Votes flooded into the Melodifestivalen app during the final performance by Jon Henrik Fjällgren, forcing the contest organisers to nix the votes. Head manager Christel Tholse Willers …
Darren Pauli, 30 Mar 2015

Jailed Brit con phishes prison, gets bail

A convicted British fraudster used a fake website and fake identities to trick prison officers into releasing him. Neil Moore — jailed for fraud worth £1,819,000 — used a smuggled mobile to post a website mirroring that of the Southwark Crown Court. He then emailed prison officers with instructions for his release, according to …
Darren Pauli, 30 Mar 2015

700,000 beautiful women do the bidding of one Twitter-scamming man

Satnam Narang of Symantec says one scammer was so taken with Twitter he established 750,000 accounts. The senior security response manager found the one-man spam plague set up the mind-boggling number of Twitter accounts he calls 'mockingbirds' to flog Green Coffee Bean Extract, earning cash for visitor referrals. Narang said …
Darren Pauli, 27 Mar 2015

Court recording biz with clients EVERYWHERE has forums breached

Australian court transcription company "For The Record" – which bills itself as "The No.1 digital evidence recording platform in the world" and says its products are "used in courtrooms throughout North America, Europe and Asia" – has had its forum hacked. The firm is used by the likes of the Victorian and NSW Supreme courts to …
Darren Pauli, 27 Mar 2015

Optus must hire checkbox champion after epic router, voicemail borking

Optus has escaped a financial penalty imposed by Australia's privacy boss and instead must review its internal security measures after it shipped hundreds of thousands of routers with open internet ports and default credentials, opened voice mails, and marked public scores of private phone numbers. The order billed as an ' …
Darren Pauli, 27 Mar 2015

'Bar Mitzvah attack' should see off ancient and crocked RC4 algo

Security boffin Itsik Mantin has found a new attack based on old weaknesses that is the first 'practical' attack on SSL that does not require man-in-the-middle to steal sensitive data from RC4 algorithms. The Imperva bod's research reveals a 13-year-old weakness in the superseded algorithm, which is known to be insecure but is …
Darren Pauli, 27 Mar 2015

I helped Amazon.com find an XSS hole and all I got was this lousy t-shirt

Amazon has patched a dangerous cross-site scripting (XSS) vulnerability in its website that exposed accounts to hijacking. A Brazilian hacker using the handle @BruteLogic published the then-zero-day flaw to XSSposed.org Saturday without tipping off the book giant. Amazon swatted the flaws two days later. The time between …
Darren Pauli, 26 Mar 2015

Hacker builds cheatbot for hit app Trivia Crack

Security researcher Randy Westergren has reverse engineered super popular app Trivia Crack, recompiled it to help cheaters and along the way showed how to turn it into nastyware. Trivia Crack has taken the world by storm, accruing some 130 million installs across Android devices and an unknown on iOS units. The app which pits …
Darren Pauli, 26 Mar 2015

Chrome trumps all comers in reported vulnerabilities

More vulnerabilities were discovered in Google Chrome last year than any other piece of core internet software – that's according to research that also found 2014 clocked record numbers of zero-day flaws. The Secunia Vulnerability Review 2015 report [PDF] is built on data harvested by the company's Personal Software Inspector …
Darren Pauli, 26 Mar 2015

Israeli boffins hack air gap, fire missiles on compromised kit

One of the weirder attacks to bridge air gap networks has emerged, and uses heat to transfer data between machines. The command and control mechanism forged by Ben Gurion University researchers could transfer sensitive data through "thermal pings" between two physically close computers. Like many air gap bridges, the so-called …
Darren Pauli, 25 Mar 2015

Favicons used to update world's 'most dangerous' malware

Developer Jakub Kroustek has found new features in the dangerous Vawtrak malware that allow it to send and receive data through encrypted favicons distributed over the Tor network. The AVG security bod reveals the features in a report (pdf) into the malware which is considered one of the worst single threats in existence. He …
Darren Pauli, 25 Mar 2015

Half of Android devices open to silent hijack

Hacker Zhi Xu has found that seemingly legitimate apps can unleash a hidden dark side to compromise almost half of all Android devices. The Palo Alto Networks senior engineer says legitimate Google Play apps can establish a kind of beachhead on devices that can be invaded by a second app installed from legitimate third party …
Darren Pauli, 25 Mar 2015

BlackHat talk hibernated over 0-day in SAP's Afaria mobile manager

Updated Alexander Polyakov has been forced to withdraw a talk detailing dangerous vulnerabilities in SAP's mobile device management product Afaria scheduled to be given at BlackHat Asia Pacific this week. The prolific SAP hacker and chief technology officer of ERPScan says his talk was scuppered after SAP failed to patch the …
Darren Pauli, 24 Mar 2015