Darren Pauli

Security analyst says Yahoo!, Dropbox, LinkedIn, Tumblr all popped by same gang

Five hackers are said to be behind breaches totalling up to a staggering three billion credentials from some of the world's biggest tech companies including the Yahoo! breach that led to the loss of 500 million credentials. The claims, made to The Reg by recognised threat intelligence boffin Andrew Komarov, pin the world's …
Darren Pauli, 30 Sep 2016

Tokyo man arrested for selling jailbroken iPhones

A 24-year-old Tokyo man has been arrested on suspicion of trademark violation for allegedly selling five jailbroken iPhones, local media report. Daisuke Ikeda of Toyama prefecture allegedly sold the phones for a total of US$1186 (£915, A$1556) between 26 March and 23 May. He is alleged to have sold up to 200 iPhones over the …
Darren Pauli, 30 Sep 2016

Want to make US$1.5m this weekend? Just jailbreak iOS

Exploit broker Zerodium has tripled its bug bounty for a remote iOS 10 jailbreak vulnerability to US$1.5 million. The outfit previously offered US$500,000 for remote iOS 9 jailbreaks, which was temporarily increased last year when a US$1 million reward was paid out in November to an unnamed hacker group. The increase is …
Darren Pauli, 30 Sep 2016

Researchers crack Oz Govt medical data in 'easy' attack with PCs

Australian researchers have laid waste to the Federal Government's plan to criminalise the decryption of anonymised state data sets, just a day after it was announced, by 'easily' cracking government-held medical data. Federal attorney-general George Brandis yesterday announced that it would accept recommendations from the …
Darren Pauli, 29 Sep 2016

Google tries to cross out XSS attacks by releasing its own test tool

Google has spent more than US$1.2 million (£920,400, A$1.6 million) in the last two years paying researchers for reporting cross-site scripting (XSS) attacks and has kicked off an effort to help crush the threat. XSS attacks are one of the most pervasive and enduring web application security threats because they allow …
Darren Pauli, 27 Sep 2016

Suspected Russian DNC hackers brew Mac trojan

Suspected Russian hackers fingered for hacking the United States Democratic National Committee (DNC) have brewed a trojan targeting Mac OS X machines in the aerospace sector, says Palo Alto researcher Ryan Olson. The malware relies on social engineering and exploits a well-known vulnerability in the MacKeeper security software …
Darren Pauli, 27 Sep 2016

Apple to crunch iOS 10 local backup password brute force hole

Apple is brewing a fix to patch an iOS password flaw that allows credentials to be stolen from backups. Elcomsoft researcher Oleg Afonin says the flaws mean cracking efforts against iOS 10 backups are 2500 times faster compared to similar efforts against iOS 9. If successful, the attack will grant access to device keychains. …
Darren Pauli, 26 Sep 2016

Dev teaches bot to talk spammers' ears off

Brian Weinreich has been trolling spammers for two years using a bot that fires realistic and ridiculous replies to the pervasive online salespeople. The noted security developer created the bot as a means to waste the time of the blowflies of the internet after being affronted by a deluge of unsolicited sales pitches directed …
Darren Pauli, 26 Sep 2016

Google rushes in where Akamai fears to tread, shields Krebs after world's-worst DDoS

Google has provided free distributed denial of service attack (DDoS) mitigation services to security publication Krebs on Security, stepping in after Akamai withdrew support. The information security site was last week hammered with a 620Gbps DDoS attack, widely rated one of the world's largest by volume of junk data. …
Darren Pauli, 26 Sep 2016

Australian Signals Directorate seeks offensive people

The antipodean spy agency the Australian Signals Directorate is seeking cleaning staff information security personnel for offensive and defensive operations. The Department of Defence agency is seeking warm bodies for "offensive cyber operators", penetration testing, vulnerability research, and development and support roles. …
Darren Pauli, 26 Sep 2016

Safe browsing checks fail as 16,000 WordPress sites hacked this year

At least 15,769 WordPress websites - and probably more - have been compromised this year, half slipping past Google's Safe Browsing checks, says security researcher Daniel Cid. The world's most popular content management system represented the lion's share of some 21,821 sites studied in the second 2016 Sucuri report on …
Darren Pauli, 23 Sep 2016

Malware figures out it's running on VMs and refuses to execute

Malware writers are looking for the absence of documents to figure out which PCs are potential victims and which are virtual machines being used by white hats. SentinelOne senior researcher Caleb Fenton found the novel technique while attempting to coax the malware into activating so it could be analysed. The worm he was …
Darren Pauli, 23 Sep 2016

SWIFT warns of more 'sophisticated' attacks, readies anti-fraud tool

The chief information security officer for global money transfer network SWIFT says banks are still under attack from fraudsters hoping to cash in on identified security gaps to steal millions of dollars. Alain Desausoi, security head of the Society for Worldwide Interbank Financial Telecom made the comments at the Financial …
Darren Pauli, 22 Sep 2016

10-second hijack hole could kill any Facebook profile

University student Arun S Kumar has scored US$16,000 (£12,312, A$21,200) for finding and reporting a Facebook vulnerability that led to account hijacking. The flaw in Facebook's Business Manager, reported through BugCrowd late last month and since patched, was a form of direct object reference vulnerability which bypassed normal …
Darren Pauli, 21 Sep 2016

Hackers claim they breached Aussie point-of-sale tech firm, try to sell 'customer DB'

Exclusive Hackers are claiming to have hacked Australian point-of-sale technology (PoS) company H&L Australia, and have been claiming to potential buyers that they had lifted its customer database. They were already offering it for sale for AU$22,000 ($16,580, £12,723) more than two months ago. If indeed they have hacked into H&L, …
Darren Pauli, 20 Sep 2016

Microsoft lets Beijing fondle its bits in new source code audit hub

Microsoft has opened a technology centre in China to reassure Beijing it does not have backdoors in its software. The so-called Transparency Centre is the third Redmond has opened to reassure governments that Microsoft's wares are secure. Redmond's trustworthy computing corporate veep Scott Charney says the centre will allow …
Darren Pauli, 20 Sep 2016

Hackers hijack Tesla Model S from afar, while the cars are moving

Video Chinese hackers have attacked Tesla electric cars from afar, using exploits that can activate brakes, unlock doors, and fold mirrors from up to 20 kilometres (12 miles) away while the cars are in motion. Keen Security Lab senior researchers Sen Nie, Ling Liu, and Wen Lu, along with director Samuel Lv, demonstrated the hacks …
Darren Pauli, 20 Sep 2016

Dark web drug sellers shutter location-tracking EXIF data from photos

Criminals have started to aggressively erase EXIF metadata from their photos to make it harder for authorities to locate them, Harvard University students Paul Lisker and Michael Rose find. Unbeknownst to most, digital cameras and smartphones that shoot in JPG or TIFF formats write information on where a photograph was taken, …
Darren Pauli, 19 Sep 2016

Mozilla will patch zero-day Firefox bug to fizzle man-in-the-middle diddle

Mozilla will patch a flaw in Firefox that can be exploited by well-resourced attackers to impersonate the browser's software update servers – and thus inject malicious code into victims' computers. This vulnerability can, for one thing, be exploited to unmask people using the Tor project's Firefox-based anonymizing web browser …
Darren Pauli, 18 Sep 2016

Researcher says Patch Tuesday fix should have been made earlier

Security researcher Kafeine says one of this week's Microsoft patches addresses a vulnerability the company has known of since last year, and that it may only have pulled the patching trigger after a spate of banking trojan attacks. The attacks utilised the low-level flaw (CVE-2016-3351) for cloaking purposes among an arsenal of exploits. The …
Darren Pauli, 16 Sep 2016

Remote hacker nabs Win10 logins in 'won't-fix' Safe Mode* attack

Security researcher Doron Naim has cooked an attack that abuses Windows 10's Safe Mode to help hackers steal logins. The Cyberark man says remote attackers need to have access to a PC before they can spring this trap, which involves rebooting a machine into Safe Mode to take advantage of the lesser security controls offered in …
Darren Pauli, 16 Sep 2016

Cisco drops patch for nasty WebEx remote code execution hole

Cisco is warning admins to apply a patch for a critical WebEx vulnerability, one of nine fixed this week. The remote code execution flaw (CVE-2016-1482) could allow attackers to execute arbitrary commands on WebEx servers. Admins can only apply the patch and do not have an option to deploy work-around mitigations. "A …
Darren Pauli, 16 Sep 2016

Gutted: 6.6M cleartext creds, dox, breached in ClixSense site hack

Cleartext passwords, real names and user names, email addresses and IP addresses for 2.2 million users of cash-for-surveys site ClixSense have been dumped online, with a further alleged 4.4 million up for sale. The records also include the payouts the site has handed each breached user, Australian researcher Troy Hunt …
Darren Pauli, 15 Sep 2016

Double-dipping malware steals iOS creds and roots Android

A newly-outed trojan is exploiting iOS and Android devices, ripping iCloud credentials abusing the trusted link between phones and PCs, says Palo Alto security researcher Claud Xiao. The attack appears to have failed in most circumstances, thanks to iOS' sandboxing security controls, hardened modern Android operating systems, …
Darren Pauli, 15 Sep 2016

35,000 ARRIS cable modems at risk from firmware dumper bot

Hackers have exploited a back door in more than 35,000 ARRIS modems, making off with firmware and certificates, according to security researcher Bernardo Rodrigues. ARRIS makes cable modems and associated home networking kit. It recently shipped a patch to address a 2015 zero day which at the time of disclosure impacted 600,000 …
Darren Pauli, 15 Sep 2016