Darren Pauli


Mozilla signing vetted add-ons as thoughts turn to security

Mozilla developer Jorge Villalobos claims the web king has begun signing vetted add-ons in a bid to improve security. The move means Mozilla-signed add-ons hosted on its servers will be maintained through automatic updates, while those lacking the signature of approval will be jettisoned into the internet ether. Villalobos says …
Darren Pauli, 29 May 2015

Yay for Tor! It's given us RANSOMWARE-as-a-service

Threat Research head Jim Walter says a virus writer has created a ransomware-as-a-service offering which allows luddite criminals to fleece users. Walter discovered the Tox ransomware on an eponymously named Tor hidden service noting the author required a 30 percent cut of paid Bitcoin ransoms. He says Tox is one of the few …
Darren Pauli, 29 May 2015

Google launches native Android Smart Lock password manager

Google I/O Android users will be able to store passwords in Google's native Smart Lock manager, in a security boon for the masses. The Choc Factory launched the Smart Lock for Passwords at the I/O conference in San Francisco overnight available in the Android M developer preview. It says developers including Orbitz, Netflix, and The New …
Darren Pauli, 29 May 2015

Small businesses trashed in big malware campaign

Kaspersky researcher Ido Noar says attackers have hit hundreds of small and medium businesses, stealing credentials and documents in a noisy smash-and-grab campaign. Noar says criminals have stolen some 10,000 documents from nanotechnology, education, and media outfits in an attack that foists a newly-discovered strain of …
Darren Pauli, 29 May 2015

Password reset sites expose crackable PeopleSoft creds

SAP hackers Alexander Polyakov and Alexey Tyurin say Oracle PeopleSoft contains unpatched vulnerabilities and weaknesses that allow attackers to easily obtain admin passwords. The hackers say the PeopleSoft credential can be yanked from the TokenID contained within password recovery sites and cracked using a cheap graphical …
Darren Pauli, 28 May 2015

Australian Govt to launch cyber sec sharing strategy

Australia's Federal Government will this year deliver its first Cyber Security Strategy to generate 'practical' means to improve security including public-private partnerships. It is the second paper-based initiative designed to help address the unruly state of information security across public and private sectors. The …
Darren Pauli, 28 May 2015

Death-to-passwords FIDO Alliance finds a friend at DOCOMO

Japanese users will be able to log in and make online purchases using iris recognition biometrics after telco giant DOCOMO begins shipping Fujitsu ARROWS phones. The telco's 65 million users will be able to use the biometric verification on the ARROWS F-04G said to be the world's first iris snapper. Fingerprint biometric login …
Darren Pauli, 27 May 2015

Kali Linux gives itself a Docker-cut

Penetration testing gurus Offensive Security have made their popular Kali operating system available for Docker-addicted system administrators. Developer Mati Aharoni acted on a request from a user who asked for a Dockerised image of the Kali penetration testing system platform. "Last week we received an email from a fellow …
Darren Pauli, 27 May 2015

Synology slings patch at buggy NAS boxens

Securify co-founder Cengiz Han Sahin says Synology has patched a remote vulnerability that allowed attackers to compromise its storage devices. Sahin reported to the vendor vulnerabilities that allowed web servers in Synology's Photo Station to be compromised. The hacker says Photo Station, which allows users to access their …
Darren Pauli, 27 May 2015

There's a Moose loose aboot this hoose: Linux worm hijacks Twitter feeds for spam slinging

ESET researchers Olivier Bilodeau and Thomas Dupuy have found malware capable of compromising routers and embedded devices, seizing control of social networking accounts, and booting out competitors. The duo report the Moose malware exploits weak login credentials in the networking gear, and does not require vulnerabilities to …
Darren Pauli, 26 May 2015

Blackhat hack trick wallops popular routers

A cybercrime vigilante known as Kafeine says criminals are hitting thousands of victims with a hacking tool that targets more than 40 router models. The well-known hacker says the novel attacks use cross-site request forgery and exploits against new and old bugs to change router DNS settings. This bypasses the need to target …
Darren Pauli, 26 May 2015

Boffins silently track train commuters without tripping Android checks

Nanjing University boffins Jingyu Hua, Zhenyu Shen, and Sheng Zhong have tracked commuter train trips with 92 percent accuracy using stolen phone accelerometer data. The trio says tracking users on Android phones is possible in part because the platform does not require permission or consent to access the dataset. Here's the nub …
Darren Pauli, 26 May 2015

Windows and OS X are malware, claims Richard Stallman

Linux GNU firebrand Richard Stallman says Windows and Apple's OS X are malware, Amazon is Orwellian, and anyone who trusts the internet-of-things is an ass. In a column for The Grauniad Stallman preaches to the non-technical masses about the evils of proprietary software and vendor lock-in, and how closed-door coding facilitates …
Darren Pauli, 25 May 2015

2.8 million victims squared up by malicious Minecraft apps

ESET researcher Lukas Stefanko says a whopping 2.8 million users have downloaded malicious Minecraft Android applications. Stefanko found 30 malicious apps uploaded to the Google Play store over nine months masquerading as Minecraft cheats and tip guides. "All of the discovered apps were fake in that they did not contain any of …
Darren Pauli, 25 May 2015

Bank-heist malware's servers phone home to Russian spookhaus

Trend Micro researcher Maxim Goncharov says one of the world's most sophisticated and dangerous bank-robbing trojans is now pointing to Russia's Federal Security Service (FSB). Goncharov says the Carbanak trojan's command and control servers now point to the FSB in what could be a joke or gaffe by malware authors. Carbanak in …
Darren Pauli, 25 May 2015

Factory reset memory wipe FAILS in 500 MEELLION Android mobes

Half a billion Android phones could have data recovered and Google accounts compromised thanks to flaws in the default wiping feature, University of Cambridge scientists Laurent Simon and Ross Anderson have claimed. The gaffe apparently allows tokens for Google and Facebook, among others, to be recovered in 80 per cent of cases …
Darren Pauli, 22 May 2015

Hacker uses Starbucks INFINITE MONEY for free CHICKEN SANDWICH

Sakurity hacker Egor Homakov has found a way to dupe Starbucks into loading free cash onto the "coffee" chain's payment cards. Homakov says a race condition within Starbucks' card purchase system means money can be transferred between cards without it being deducted. The bug hunter exploited the bug and tested it by purchasing …
Darren Pauli, 22 May 2015

PCI council gives up, dumbs down PCI DSS for small business

The Payment Card Industry Security Standards Council has created a taskforce charged with improving security among small businesses. The prodigious task will be tackled by encouraging small businesses to adopt security best practice and simplified Payment Card Industry Data Security Standards (PCI DSS). Barclaycard payment …
Darren Pauli, 22 May 2015

Hacker launches ransomware rescue kit

Security bod Jada Cyrus has compiled a ransomware rescue kit to help victims decrypt locked files and avoid paying off crooks. The kit sports removal tools for common ransomware variants along with guides for how to perform the necessary tasks. Cyrus recommends users not pay ransoms as doing so sustains the criminal business …
Darren Pauli, 21 May 2015

'Millions' of routers open to absurdly outdated NetUSB hijack

SEC Consult Vulnerability Lab's Stefan Viehböck says potentially millions of routers and internet of things devices using KCodes NetUSB could be exposed to remote hijacking or denial of service attacks. The packet fondler says the vulnerability (CVE-2015-3036) hits the Linux kernel module in scores of popular routers which serves …
Darren Pauli, 20 May 2015

Apple patches FREAK-ed out Watch

Apple has patched a dozen security flaws in Watch, including FREAK and two allowing arbitrary code execution. The updates cover Oracle hacker Marc Schoenefeld's arbitrary code execution bug (CVE-2015-1093), which triggers when the Apple Watch processes a maliciously crafted font file. It also squashes hacker Loki@ART's bug that …
Darren Pauli, 20 May 2015

Hackers pop submarine cable operator Pacnet, probe internal networks

Submarine cable and data centre operator Pacnet was breached last month by hackers rummaging through its corporate network accessing emails and administration systems. Pacnet was recently acquired by Australia's Telstra, which today disclosed the breach of a "critical server" and is now informing customers and regulators about …
Darren Pauli, 20 May 2015

Hacker data dumps scrape to make huge grey marketing database

Former password collector Steve Thomas plans to tear up the contact broker market by offering a database of 30 million names for free, all built on data sourced by scraping the web. The former PwnedList founder, and now SalesMaple CEO, says the database will soon balloon to almost 100 million records. Thomas said it will …
Darren Pauli, 20 May 2015

Robots.txt tells hackers the places you don't want them to look

Melbourne penetration tester Thiebaud Weksteen is warning system administrators that robots.txt files can give attackers valuable information on potential targets by giving them clues about directories their owners are trying to protect. Robots.txt files tell search engines which directories on a web server they can and cannot …
Darren Pauli, 19 May 2015

Oracle releases antidote for VENOM vulnerability

Oracle has released patches for its virtualisation software to crimp the VENOM vulnerability that allows attackers to break out of virtual machines to attack hosts. The company follows a host of others including KVM and Xen which have patched the buffer overflow bug. VMware, Microsoft, and Bochs are immune to the problem. …
Darren Pauli, 19 May 2015

Crude scammer targets Brit oil brokers

Panda Labs researchers have identified a scammer who is fleecing British oil buyers using a malware-free spin on the classic Nigerian scam. They say the scammers steal credentials from oil brokers to swindle buyers across Germany, Spain, and across Asia out of cash. The sting works using a PDF file in the first stage of the …
Darren Pauli, 18 May 2015

Google App Engine Java sandbox is leaking, say researchers

Security Explorations hacker Adam Gowdiak says three partial Java sandbox security holes still exist in Google App Engine. Gowdiak says the problems stem from buggy implementations and lax security checks that mean evildoers could gain access to the Google cloud's Java environment. He dropped exploitation code after the ad …
Darren Pauli, 18 May 2015

Apple Watch rationing caused by the MOON GOAT, not quality

Apple's Watch may not be a buggy, broken mess after all - and those adjectives can instead be applied to human resources practices at Taiwanese OEM Quanta. That's the inference being drawn after Quanta vice chairman CC Leung uttered the words below to Digitimes: Because of labor shortages during the Lunar New Year holidays, …
Darren Pauli, 18 May 2015

Docker crocker-blocker aims at stopping Docker shockers

When enthusiasm for a technology reaches fever pitch, as it appears to have done for Docker, it can sometimes be easy to forget that using it securely needs a lot more work than clicking on an installer and getting on with things. Enter VMware, Docker and pals, who have together penned a new security guide, which offers …
Darren Pauli, 08 May 2015

Almost EVERY SAP install hackable, researchers say

A staggering 95 percent of enterprise SAP installations contain high-severity vulnerabilities that could allow systems to be hijacked, researchers say. Researchers from SAP security tools vendor Onapsis say attackers can target the SAP installs to pivot from low to high integrity systems, execute admin privilege commands, and …
Darren Pauli, 08 May 2015

Cisco plugs remote code execution flaw in UCS Central control freak

Cisco has patched a remote code execution bug that could give attackers root privileges on its Unified Computing System (UCS) Central software used by more than 30,00 organisations. The UCS data centre server platform joins hardware, virtualisation, networking and software into one system. Versions 1.2 and below are affected. …
Darren Pauli, 08 May 2015

$7500 DDoS extortion hitting Aussie, Kiwi enterprises

New Zealand Internet Task Force (NZITF) chair Barry Brailey is warning Australian and New Zealand enterprises to be on the look out for distributed denial of service extortion attacks demanding payment of up to AU$7500. Brailey says criminals are hitting big organisations on both sides of the Tasman that have a large online …
Darren Pauli, 08 May 2015

Spooks BUSTED: 27,000 profiles reveal new intel ops, home addresses

A trio of transparency boffins have revealed personal details of 27,000 intelligence officers they say are working on surveillance programs. The resulting dump not only names the officers, but in some cases tells you where they live based on data sourced from LinkedIn profiles and other easy-to-access sources. M.C McGrath, …
Darren Pauli, 07 May 2015

Attackers target new XSS in millions of WordPress sites

Sucuri researcher David Dede has uncovered a critical cross-site scripting (XSS) vulnerability in a default WordPress plugin that allows attackers to hijack websites. Dede, part of a consultancy renowned for its prolific WordPress popping, found the Twenty Fifteen plugin installed on all WordPress sites is being actively attacked …
Darren Pauli, 07 May 2015

Choc Factory finds 84,000 ad injectors targeting Chrome

Google spam abuse researcher Kurt Thomas says some 84,000 injectors and apps are targeting its Chrome web browser with dodgy advertising. Thomas says the apps include 50,000 browser extensions and 34,000 applications which target Chrome to display revenue-generating ads within the sites that victims browse. About a third of …
Darren Pauli, 07 May 2015

Hey devs! Confused by EU privacy law? Pull out the FLASH CARDS

Microsoft and University of Nottingham researchers say developers should be taught to design privacy and security using flash cards if they find wordy regulation documents onerous. The team including Redmond's Ewa Luger and the University's Lachlan Urquhart, Tom Rodden, and Michael Golembewski say regulation is out-of-touch and …
Darren Pauli, 06 May 2015

DEFCON 23 to host Internet of Things slaughterfest

The Internet of Things (IoT) will, come August, be torn apart in a new hacking slaughterfest announced for DEFCON 23. The contest run by the brains behind the router-smashing SOHOplessly Broken challenge aims to stain the carpet with the blood of internet accessible gadgets and junk as hackers tear apart devices to capture flags …
Darren Pauli, 06 May 2015

Boffins turn landfill WinPhones into microscopes

Four University of Houston researchers say ordinary phone cameras can be turned into microscopes comparable with a US$15,000 device, by using lenses worth three cents apiece. Yu-Lung Sung, Jenn Jeang, Chia-Hsiung Lee, and Wei-Chuan Shih created a budget lens able to hone in on human skin to a magnification level of 120 using a …
Darren Pauli, 06 May 2015

Accused Aussie game hacker flees to Europe ahead of trial

An Australian man facing 25 hacking charges has fled to Europe ahead of a court hearing for his alleged involvement in an international hacking operation targeting Microsoft, Valve, Epic, and the US Army, according to reports. The 19 year-old Perth man, who cannot be named as he was arrested as a juvenile in May 2013, is alleged …
Darren Pauli, 05 May 2015

Netflix looses FIDO hack attack dog as open source

Netflix has released source code for its automated incident response tool to help organisations cut through the noise of security alerts. Project lead and security boffin Rob Fry together with Brooks Evans, and Jason Chan announced the unleashing of the Fully Integrated Defense Operation (FIDO) saying it has chewed the time to …
Darren Pauli, 05 May 2015

'Rombertik' malware kills host computers if you attempt a cure

Cisco researchers Ben Baker and Alex Chiu have found new malware that destroys a machine's Master Boot Record and home directories if it detects meddling white hats. The pair from the Borg's TALOS malware probing department say the "Rombertik" malware is designed to steal keystrokes and data and targets Windows users through …
Darren Pauli, 05 May 2015

Plod wants your PC? Brick it with a USB stick BEFORE they probe it

Criminals, activists, and whistle-blowers have a new tool to help foil police by shutting down laptops before they are examined. "USBKill" is a script that turns an innocent-looking thumb drive into a kill switch that, when unplugged, forces computers to shut down. Author "Hephaestos" (@h3phaestos) says their tool will prevent …
Darren Pauli, 05 May 2015

Sally Beauty Supply breached AGAIN

Colossal US cosmetics retailer Sally Beauty Supply has broken its silence and admitted it was breached for the second time in a little over a year. The company's admission follows its previous stonewalling of two requests for comment by The Register last Wednesday on the back of a tip off that the FBI was "on-site" at the firm …
Darren Pauli, 05 May 2015

Nasty Dyre malware bests white hat sandboxes

Seculert CTO Aviv Raff says a nasty piece of malware linked to widespread destruction and bank account plundering has become more dangerous with the ability to evade popular sandboxes. Raff says the Dyre malware ducks popular sandbox tools by detecting the number of cores in use. The known but effective and previously unused …
Darren Pauli, 04 May 2015

Mozilla to whack HTTP sites with feature-ban stick

Insecure websites will be barred from using new hardware features and could have existing tools revoked, if Mozilla goes ahead with a push towards HTTPS. Webmasters that don't turn on HTTPS could be excluded from the new features list under a Mozilla initiative designed to rid the net of careless clear text gaffes, sending a " …
Darren Pauli, 04 May 2015

Carders crack Hard Rock casino

Carders have hit Las Vegas' Hard Rock Hotel and Casino, stealing credit card numbers, names, and addresses, according to reports. The company says malware found on its systems may have pinched the data from its retail and service locations. Criminals did not make off with PINs or other sensitive information, it says in a …
Darren Pauli, 04 May 2015

Ubuntu to shutter year-old clock unlock bug

Ubuntu's latest edition contains a local access escalation flaw first reported a year ago that allows users to tinker with the system clock to become a root user. The attack, reported by Linux lover Mark Smith, isn't colossally risky as it impacts only local users; those with existing access to a machine. Smith has chided …
Darren Pauli, 01 May 2015

Oracle paltry patch opens MySQL man-in-the-middle diddle

Adam Goodman of Duo Security has found a vulnerability in the 'vast majority' of Oracle MySQL databases that allows SSL to be stripped, exposing sensitive data to man-in-the-middle attackers. Goodman says Oracle attempted to sling a patch at the problem last year but did so only for some versions and further borked the effort by …
Darren Pauli, 01 May 2015

CHEATER! Test labs out AV vendor for using rival's engine

Chinese anti-virus vendor Qihoo 360 has been caught cheating on benchmarking tests by submitting versions running A-V engines from rival Bitdefender. The company has been reprimanded by established testing outfits Virus Bulletin, Av-Comparatives, and AV-Test which withdrew its 2015 certifications. In a joint statement [PDF] the …
Darren Pauli, 01 May 2015

eBay year-long patch stall a little XSSive, researcher says

Clarified Security researcher Jaanus Kääp has disclosed a year-old cross-site scripting (XSS) bug in eBay's messaging service that lets attackers target victims through messages. The researcher says he reported the XSS three times over more than a year and says he is surprised to find the bug he describes as dangerous has as of …
Darren Pauli, 30 Apr 2015