Darren Pauli


Iran hacks America where it hurts: Las Vegas casinos

US director of National Intelligence James Clapper has accused Iran of orchestrating a 2014 hack of the Las Vegas Sands casino. The attack crippled the magnificent cultural institution's IT infrastructure. Clapper told a US Senate Armed Services Committee Thursday (US time) that the hack of the US$14 billion casino was the …
Darren Pauli, 27 Feb 2015

Alleged Aussie Anon hauled in for Indonesia phone tap hacking spat

A Melbourne man has been charged with instigating an Indonesian-led hack of Australian intelligence websites as an alleged member of the Anonymous collective. Matthew John Hutchison, 21, faced Melbourne Magistrates Court this week over allegations he convinced Indonesian Anonymous hackers angry over October 2013 revelations that …
Darren Pauli, 27 Feb 2015

Firefox 36 swats bugs, adds HTTP2 and gets certifiably serious

Mozilla has outfoxed three critical and six high severity flaws in its latest round of patches for its flagship browser. It stomps out memory safety bugs, exploitable use-after-free crashes, and a buffer overflow. Of the critical crashes, bad guys could potentially craft attacks targeting MP4 video playback through a buffer …
Darren Pauli, 26 Feb 2015

And the buggiest OS provider award goes to ... APPLE?

Apple's operating systems and Linux racked up more vulnerability reports than Windows during 2014, according to research from security outfit GFI. Cupertino's OS X and iOS platforms topped the 2014 bug charts with 147 and 127 holes disclosed in each, nudging out the Linux Kernel with 119 flagged flaws, the National Vulnerability …
Darren Pauli, 26 Feb 2015

P0wned plug-in puts a million WordPress sites at risk of attack

Up to a million WordPress websites could be open to full compromise through a vulnerability in the WP-Slimstat plug-in, security bod Marc-Alexandre Montpas says. The weak key flaw can expose admin credentials; bad news for the folks who've downloaded the plug-in 1.3 million times. A patched version of the plug-in has been …
Darren Pauli, 26 Feb 2015

Bad dog! PrivDog chews HTTPS, hurls clear text

Sysadmin Hanno Böck has scratched a few more holes in the PrivDog privacy tool, reporting it tracks and sends in clear text a user's visited web URLs to creator AdTrustMedia. The company says the data is anonymous and is used to help prevent attacks such as click fraud, to identify automated bots, and other unspecified threats, …
Darren Pauli, 26 Feb 2015

Zeus scumbag infects itself, buddies, with rival Trojan

A Zeus hacker cabal has infected itself and its colleagues with a rival malware in an act of poetic justice noticed by RSA researcher Lior Ben-Porat. The blackhat developed a custom Zeus panel for the infamous trojan by the same name which was found compromised by the Ramnit worm. Ben-Porat says the malware muck up happened after the …
Darren Pauli, 25 Feb 2015

Google offers 'INFINITY MILLION DOLLARS' for bugs in Chrome

Google is vastly expanding its popular annual Pwnium hack fest, by allowing hackers to vie for limitless amounts of cash every day of the year. The contest was previously held once a year at the CanSecWest conference in Canada, with millions in cash on offer to hackers who can take the shine off its Chromium project. The …
Darren Pauli, 25 Feb 2015

Visa's tokenisation scheme to debut in Australia

Australian and European shoppers will be able to use a throwaway Visa card token to shop online in a bid to reduce fraud. The scheme is being rolled out across Australia and Europe to Visa-allied banks and merchants. Shoppers will be issued tokens that will be matched to their cards. Validated transactions will map tokens to …
Darren Pauli, 25 Feb 2015

Redmond boffins build coffins for exploit kits

Microsoft boffins have crafted what they say is the world's first platform specifically designed to kill exploit kits. The tool goes by the name "Kizzle" and is a fast signature compiler that targets the common practice of code-reuse by malware authors, and could generate identifying signatures weeks ahead of current anti-virus …
Darren Pauli, 24 Feb 2015

Cert-slurping security firms chop super-fishy features

Security companies Lavasoft and AdTrustMedia have been found using the SSL slurping certificate - or something very similar - made infamous by the Lenovo-Superfish debacle. Lavasoft used the certificate in its web inspection software Ad-Aware Web Companion and the Alpha testing version of AdBlocker. The software was restricted …
Darren Pauli, 24 Feb 2015

Burning Man hackers get burnt

Hundreds of entrepreneurial and impatient hackers have exploited a loophole to purchase early tickets to the Burning Man festival. Geeks meddled with Ticketfly's first-in-best-dressed system to jump the queue and push in ahead of the hordes hoping to attend the counter-cultural event. The Cosmic Corporation, the event's …
Darren Pauli, 24 Feb 2015

Debian on track to prove binaries' origins

Debian is on its way to becoming what could be the first operating system to prove the origin of its binaries, technologist Micah Lee says. The feat will allow anyone to independently confirm that Debian binaries were built from a reported source package. So far a project team devoted to confirming the reproducibility of builds …
Darren Pauli, 23 Feb 2015

Leaky battery attack reveals the paths you walk in life

More than 100 mobile apps leak users' location regardless of whether they opt to keep the information private, according to researchers. Power consumption data is the source of the leaks, which make it possible to determine users' whereabouts with 90 percent accuracy. A quartet from Stanford University and Israeli defence …
Darren Pauli, 23 Feb 2015

Mozilla mulls Superfish torpedo

Firefox-maker Mozilla may neuter the likes of Superfish by blacklisting dangerous root certificates revealed less than a week ago to be used in Lenovo laptops. The move will be another blow against Superfish, which is under a sustained barrage of criticism for its use of a root certificate to launch man-in-the-middle attacks …
Darren Pauli, 23 Feb 2015

Hackers now popping Cisco VPN portals

Crackers are popping customised Cisco virtual private networks, stealing credentials and spraying malware using a flaw reported by Aussie hacker Alec Stuart-Muirk, the company warns. Organisations running the Cisco Clientless SSL VPN portal in customised configurations risk attack if they do not update to versions released 8 …
Darren Pauli, 20 Feb 2015

Horrors of murky TrueCrypt to be probed once more

The gears of the TrueCrypt audit have whirred into life overnight with boffins poised to again probe the open source crypto tool after nearly a year of waiting. A tiny team will fondle the tool's random number generators, cipher suites and key algorithms in a bid to pull the internet's favourite crypto suite out of the pariah …
Darren Pauli, 20 Feb 2015

Shodan boss finds 250,000 routers have common keys

More than 250,000 routers used in Spain, and thousands more used in other countries, are using the same SSH key says Shodan kingpin John Matherly. The routers appear to be sold by Telefónica de España, according to Matherly, and are pre-configured with a single operating system image. The gaffe means the probable small …
Darren Pauli, 20 Feb 2015

Google unleashes tame botnet to hunt XSS in cloudy code

Google has unleashed its own application security scanner, potentially rescuing admins from 'fiddly' existing offerings. The scanner will check code running in App Engine for cross-site scripting (XSS) and mixed content vulnerabilities. Choc Factory engineering head Rob Mann says its scanner uses its Compute Engine to forge a …
Darren Pauli, 20 Feb 2015

So long, Lenovo, and no thanks for all the super-creepy Superfish

+Comment Chinese PC maker Lenovo has published instructions on how to scrape off the Superfish adware it installed on its laptops – but still bizarrely insists it has done nothing wrong. That's despite rating the severity of the deliberate infection as "high" on its own website. Well played, Lenonope. Superfish was bundled on new Lenovo …

Canuck Bitcoin exchange gives up after security SNAFU

Canadian Bitcoin exchange Cavirtex, said to be the country's largest, will shut its doors after its two factor authentication credentials were probably compromised. The breach, spotted last Sunday, affected two factor secrets and hashed passwords stored in an older database and did not match log in details to identification …
Darren Pauli, 19 Feb 2015

Lenovo shipped lappies with man-in-the-middle ad/mal/bloatware

Lenovo is in hot water after being caught intentionally shipping laptops with software that steals web traffic using man-in-the-middle attacks. The "Superfish" software was present on laptops sold until late last month and stole all manner of web traffic using fake, self-signed, root certificates to inject advertisements into …
Darren Pauli, 19 Feb 2015

This one weird script continually crashes Android email

The email application of Samsung Galaxy 4 Minis can be made to repeatedly crash with a simple email that need not even be opened, according to researcher Hector Marco. A crafted email gobbled up by the native email client running on Android 4.2.2.0400, a superseded operating system that was the latest stock offering for the S4 …
Darren Pauli, 19 Feb 2015

Microsoft updates Outlook app security, but haters still gunna hate

Microsoft has upgraded the security controls of its mobile Outlook app to allow credentials to be kept on its servers rather than Amazon's. Security upgrades detailed in a Redmond blog include PIN lock enforcement and faster remote wiping of application data, some of which will be deployed in coming months, along with …
Darren Pauli, 19 Feb 2015

Raspberry Pi, meet face: You're probably NOT Blighty's biggest PC maker!

The Raspberry Pi Foundation today announced it has sold its five-millionth machine, and said that in so doing it could claim the crown as the UK's best-selling computer ever. That the Pi guys have done well is not in dispute, but the Reg archives cast doubt on the claim it's now the best-selling Brit computer ever. As we wrote …
Darren Pauli, 18 Feb 2015

Jamie Oliver serves up steaming pile of malware

Tousle-haired celebrity chef Jamie Oliver has served up a stomach-churning exploit kit to those who visit his web site. His eponymous .com site, ranked 519 in the UK and drawing some 10 million visitors a month, was compromised to plate-up the foul-tasting Fiesta exploit kit to compromise user machines. Malwarebytes senior …
Darren Pauli, 18 Feb 2015

Cast your vote for the best community speaker at the Sydney VMUG conference

POLL The Register is proud to be helping out with this year's Sydney VMUG user conference, by hosting this poll for the day's best speaker. Voting is easy: just pick your favourite in the widget below. We'll close the poll before the big reveal! Vote early, vote once, and vote with your heart! …
Darren Pauli, 18 Feb 2015

Security hawker gives the bird to mid-east hack group

A team of attackers tagged by Kaspersky as the first "advanced Arab hackers" has passed around malware targeting Middle East governments, the military and others. So far 100 malware samples attributed to the group have been tagged, the hacker branding consultancy claims. Kaspersky Labs researchers revealed the attacks at the …
Darren Pauli, 18 Feb 2015

DARPA's 'Cortical Modem' will plug straight into your BRAIN

The Defense Advanced Research Projects Agency (DARPA) is developing a brain interface it hopes could inject images directly into the visual cortex. News of the "Cortical Modem" project has emerged in transhumanist magazine Humanity Plus, which reports the agency is working on a direct neural interface (DNI) chip that could be …
Darren Pauli, 17 Feb 2015

Fight back against illegal GCHQ spying with PAPERWORK!

Privacy International (PI) is calling on people to sign up to be part of a mass request for confirmation they have been spied on by Five Eyes spy agencies and to demand the removal of captured information. Would-be signatories are being asked to submit their name and email address to the organisation, which will then pass them …
Darren Pauli, 17 Feb 2015

Your hard drives were RIDDLED with NSA SPYWARE for YEARS

The US National Security Agency (NSA) infected hard disk firmware with spyware in a campaign valued as highly as Stuxnet that dates back at least 14 years and possibly up to two decades – all according to an analysis by Kaspersky Labs. The campaign infected possibly tens of thousands of Windows computers in telecommunications …
Darren Pauli, 17 Feb 2015

Hackers fear arms control pact makes exporting flaws illegal

Export regulations that threaten to hinder vulnerability research and exploit development have put hackers on edge ahead of the annual Pwn2Own contest. Operators of the hack-fest have reportedly issued an email warning to researchers to obtain legal advice about how the Wassenaar Arrangement, a 42-nation effort aimed at " …
Darren Pauli, 16 Feb 2015

Hacker catches Apple's Lightning in a jailbroken bottle

Apple's Lightning connector protocols have been pried open in what could be a boon for the jailbreaking community. The hack opens access to Apple's serial kernel debugger, previously available on older iDevices, and reportedly gives jailbreak engineers an improved ability to debug kernel issues and iBoot exploits. Apple …
Darren Pauli, 16 Feb 2015

Hackers break the bank to the tune of $300 MEEELLION

A series of bank hacker heists have hit more than 100 financial institutions, say Kaspersky researchers, and more than US$300 million appears to have walked as a result. The attacks targeted employees at as-yet-unnamed banks with malware dubbed Carbanak that gave access to corporate networks, giving criminals access for more …
Darren Pauli, 16 Feb 2015

OpenStack's AB/CD naming is all in the name of LIBERTY for v 12.0

OpenStack has named its forthcoming twelfth release Liberty. The cloudy effort changes names with each release, advancing one letter in the alphabet each time it shoves software out the door, as reflected in names like Havana, Icehouse, Juno and Kilo. Liberty won the community vote this time around, beating off “Lizard”, “ …
Darren Pauli, 15 Feb 2015

Biter bitten as hacker leaks source code for popular exploit kit

A black hat trouble maker appears to have released recent source code for one of the most popular exploit kits, malware-probers say. The dump was posted online by a user known as (@EkMustDie) before it was removed. The leaker appears to have previously tried to sell access to the exploit kit. Independent malware investigators …
Darren Pauli, 13 Feb 2015

Facebook bug could have ERASED the ENTIRE WORLD

Software engineer Laxman Muthiyah has reported a dangerous vulnerability capable of deleting any photo from Facebook, prompting The Social Network™ to patch the hole within two hours and issue one of its biggest bug-spotting cheques ever. The flaw potentially allowed mass deletion of photos using the identification number of a …
Darren Pauli, 13 Feb 2015

CommBank app leaks 2FA tokens says Sydney dev

Sydney programmer Stuart Ryan has chipped Australia's dominant retail bank, the Commonwealth Bank, for allowing two factor authentication codes to be viewable on locked iPhones. The bank sends authentication tokens over push notifications on iOS devices, rather than SMS for users who had activated the second factor account log …
Darren Pauli, 12 Feb 2015

EU parliament bans Outlook app over cloudy security: report

The EU Parliament has blocked politicians from using the Microsoft mobile Outlook app in the wake of security and privacy concerns centred on the siphoning of corporate credentials to a third party, according to reports. The Parliament's IT department, DG ITEC, has reportedly told staff to delete the app and reset corporate …
Darren Pauli, 12 Feb 2015

Hacker kicks one bit XP to 10 Windows scroll goal

Windows operating systems from XP to version 10 can be popped with a single bit, researcher Udi Yavo says. The hacker, formerly chief of the electronic warfare unit for Israeli defence contractor Rafael, detailed how the local privilege escalation vulnerability (CVE-2015-0057) fixed in this week's Patch Tuesday update could …
Darren Pauli, 12 Feb 2015

VirusTotal wants YOU (but not you) to join its epic AV whitelist

Google-owned VirusTotal wants large software houses to send in their software catalogues so it can build what could well end up being one of the world's biggest anti-virus whitelists. The whitelist would clarify to users that software being checked for cleanliness came from a recognised developer, and warn vendors and anti-virus …
Darren Pauli, 12 Feb 2015

REVEALED: TEN MEEELLION pinched passwords and usernames

Security consultant Mark Burnett has dumped 10 million usernames and passwords onto the world, in what he claims is an effort to improve research. The huge pile, collected from caches revealed after years of breaches, was scrubbed clean of corporate information and domain data before its release. Burnett said he went to " …
Darren Pauli, 11 Feb 2015

Coding Cupid publishes Tinder-ised automatic love machine

Canadian engineer and amateur cupid Justin Long has created a Tinder love machine that can automatically find a face you like and send it alluring love letters. The Tinderbox plugin experiment is built on the service's API and employs facial recognition to learn a user's romantic preferences before setting loose a bot to …
Darren Pauli, 11 Feb 2015

Air gaps: Happy gas for infosec or a noble but inert idea?

Feature Last year Michael Sikorski of FireEye was sent a very unusual piece of malware. The custom code had jumped an air gap at a defence client and infected what should have been a highly-secure computer. Sikorski's colleagues from an unnamed company plucked the malware and sent it off to FireEye's FLARE team for analysis. "This …
Darren Pauli, 11 Feb 2015

Blackberry hires new security chief

Blackberry has hired security luminary David Kleidermacher to head its security division. Kleidermacher served as the chief technology officer at Green Hills Software which developed secure embedded software for clients in military, industrial and medical industries including the EAL6-rated Integral operating system. He brings …
Darren Pauli, 11 Feb 2015

Governments beg Twitter for more data; network offers birdcage droppings

Governments' demands for data on Twitter users surged 40 per cent in the last six months of 2014, according to a new report by the avian network. America, Turkey, and Russia were behind the lion's share of that increase, with the former increasing its information requests by 29 percent. Turkey upped its demands by 150 per cent, …
Darren Pauli, 10 Feb 2015

Bad romance: Ransomware, exploit kits in criminal cuddle

The lowlifes behind the Cryptowall ransomware seem to have decided it's no longer worth developing their own exploit kits. Instead, according to analysis by Cisco, they're relying on other popular exploits to distribute the malware. The ransomware was considered one of the most effective ransomware offerings that encrypted a …
Darren Pauli, 10 Feb 2015

Received surprise new Redmond licenses? You might be pwned

Black hats are flinging supposedly free licenses at enterprises in a bid to get malware on corporate networks, security bod Martin Nystrom says. They wrote malware that was slightly neurotic in its bid to evade detection and would make use of the Tor network to receive stolen data. The Cisco threat defence man said realistic …
Darren Pauli, 10 Feb 2015

Dissidents and dealers rejoice! Droid app hides your stash in plain sight

Dutch researchers have developed an Android app for dissidents and crims-on-the-go, that can not only protect sensitive data behind encryption but make a phone appear as if it has nothing to hide. The app was developed to pass the casual inspection a non-technical copper would give a device when looking for encrypted data that …
Darren Pauli, 09 Feb 2015

Netflix airs its developers' Dirty Laundry

Netflix has developed a platform, using soon-to-be open source tools, that probes for vulnerabilities and monitors data leakage. One initiative dubbed the "Dirty Laundry Project" monitors for Netflix assets unintentionally exposed by its staff. Engineers Scott Behrens and Andy Hoernecke (pictured above) told the Shmoocon …
Darren Pauli, 09 Feb 2015