The Register Columnists

Darren Pauli


China hacked US Army transport orgs TWENTY TIMES in ONE YEAR

Sophisticated Beijing-backed hackers raided civilian organisations responsible for the movements of US troops and equipment 20 times in one year of which only two were detected by the responsible agency, an audit report has found. Contractors underneath the US Transportation Command (TRANSCOM) agency were hacked a total of 50 …
Darren Pauli, 18 Sep 2014

Comprehensive guide to obliterating web apps published

The global security community has completed an 18-month effort to produce a guide it is hoped will boost the standard of web application testing and address new and dangerous technologies. Version 4 of the Open Web App Security Project's (OWASP's) Testing Guide [pdf] was produced by more than 60 security bods from around the …
Darren Pauli, 18 Sep 2014

Student pleads guilty to Frances Abbott 'secret' scholarship leak

Sydney student Freya Newman has pled guilty to illegally using a colleague's login credentials to access and leak documents about a scholarship awarded to the daughter of Australian Prime Minister Tony Abbott. Newman was charged with unauthorised access to restricted data after she accessed an email system owned by the Whitehouse …
Darren Pauli, 18 Sep 2014

Citadel Trojan phishes its way into petrochem firm's webmail

Trusteer researchers are saying that the victims of the latest round of Citadel trojan infections include one of the largest petrochemical companies in the world. The attacks, like so many others, targeted critical infrastructure organisations using phishing campaigns to steal network credentials. Researcher Dana Tamir said …
Darren Pauli, 17 Sep 2014

Credit card cutting flaw could have killed EVERY AD on Twitter

Twitter has patched a flaw in its service that allowed unauthorised users to delete every credit card from all accounts, potentially relieving the company of its advertising revenue, security researcher Ahmed Aboul-Ela says. The attacks worked through a direct object reference vulnerability and involved the manipulation of …
Darren Pauli, 17 Sep 2014

Amazon REINTRODUCES Kindle swindle vulnerability

Amazon has reintroduced, and again fixed, a flaw in its Kindle management page that allows attackers to commandeer accounts by booby trapping pirated books, researcher Benjamin Mussler says. The flaw was first discovered and fixed last October, when Amazon closed off the ability for bad guys to inject nasty script into eBook …
Darren Pauli, 17 Sep 2014

Rejoice, Blighty! UK is the TOP of the WHOLE WORLD ... for PHISHING

British punters are being served three times as many phishing links to trojans and exploit kits as the US, and five times more than the Germans, according to a ProofPoint study. The security researchers say that while the English were being served more malicious links, Germans were hit with the greatest amount of unsolicited …
Darren Pauli, 16 Sep 2014

THREE QUARTERS of Android mobes open to web page spy bug

A Metasploit module has been developed to easily exploit a dangerous flaw in 75 percent of Android devices that allows attackers to hijack a user's open websites. The exploit targets a vulnerability (CVE-2014-6041) in Android versions 4.2.1 and below and was disclosed without fanfare on 1 September, but had since gathered dust, …
Darren Pauli, 16 Sep 2014

Hackers-for-hire raided 300 banks, corporates for TWELVE YEARS

A band of hackers for hire have raided some 300 banks, corporations and governments undetected for 12 years, possibly the longest campaign of its kind. The German hackers registered 800 front businesses in the UK to target and fully compromise organisations in Germany, Switzerland, and Austria at the request of customers. Elite …
Darren Pauli, 16 Sep 2014

Hey, scammers. Google's FINE with your dodgy look-a-like apps

Attackers can easily craft third party scripts to imitate Google to trick users into granting authorisation to their email accounts, says infosec chap Andrew Cantino. The Mavenlink engineer said Mountain View did not make it sufficiently clear when users were approving third party access to their data, thus making social …
Darren Pauli, 15 Sep 2014

Hackers pop Brazil newspaper to root home routers

A popular Brazilian newspaper has been hacked by attackers who used code that attacked readers' home routers, says researcher Fioravante Souza of web security outfit Sucuri. Attackers implanted iFrames into the website of Politica Estadao, which, when loaded, began brute force password guessing attacks against users. Souza says …
Darren Pauli, 15 Sep 2014

spɹɐʍʞɔɐB writing is spammers' new mail filter avoidance trick

Spammers are writing emails backwards in an attempt to sneak past spam filters, security researcher Brian Bebeau has found. The pests were using left-to-right override code intended to facilitate the use of bidirectional text, such as a document that included English and Hebrew. The Trustwave researcher said the tactic had a …
Darren Pauli, 12 Sep 2014

Hacker publishes tech support phone scammer slammer

Security pro Matthew Weeks has released a Metasploit module that can take over computers running the Ammyy Admin remote control software popular among "Hi this is Microsoft, there's a problem with your computer" tech support scammers. Weeks' day job is director at Root9b, but he's taken time to detail a zero-day flaw in Ammyy …
Darren Pauli, 12 Sep 2014

Satellite weather forecast: Cloudy with a chance of p0wnage

Weather predictions could be thrown into chaos if miscreants exploited a litany of dangerous and years-old holes reported in ground control for the Joint Polar Satellite System (JPSS). The flaws, of which 12,703 are considered high risk, have been detailed in a US Government audit report that examined the state of security of …
Darren Pauli, 11 Sep 2014

TorrentLocker unpicked: Crypto coding shocker defeats extortionists

Crooks have borked the encryption behind the TorrentLocker ransomware, meaning victims can avoid paying the extortionists and unlock their data for free. TorrentLocker was regarded as the demonic spawn of CryptoLocker and CryptoWall which made killings last year by encrypting valuable data owned by individuals and organisations …
Darren Pauli, 11 Sep 2014

Webmin hole allows attackers to wipe servers clean

Holes in the Webmin Unix management tool - thankfully since patched - could allow attackers to delete data on servers, says security researcher John Gordon of the University of Texas. The remote root access server tool contained vulnerabilities in newly-created cron module environment variables that could erase data through …
Darren Pauli, 11 Sep 2014

Troll or thief? User claims Bitcoin founder Satoshi Nakamoto dox sabotage

An internet user has claimed to have hacked the email account of the entity thought to be behind Bitcoin - Satoshi Nakamoto - and has offered to release personal details for $12,000. Nothing is known about the identity of the claimed hacker and there is little evidence that they had details of Nakamoto to hand. Evidence for …
Darren Pauli, 10 Sep 2014

Australian whistleblower laws weaker than China's, report finds

Australia's private sector whistleblower laws are weaker than those in most G20 countries including Turkey, China, and Indonesia, according to researchers at Melbourne and Griffith universities. The report Whistleblower Protection Rules in G20 Countries: The Next Action Plan found while inroads had been made to improve whistle …
Darren Pauli, 10 Sep 2014

Ultimate hardware hack: Home Depot nailed by vice merchants

Do-it-yourself kingpin Home Depot has confirmed a report it was breached, indicating the compromise occurred in April this year. The US retail chain was working with law enforcement over the compromise of payment terminals across stores in the country. Chief executive of the hacked firm Frank Blake admitted the breach in a terse …
Darren Pauli, 09 Sep 2014

Enigmail PGP plugin forgets to encrypt mail sent as blind copies

Enigmail has patched a hole in the world's most popular PGP email platform that caused mail to be sent unencrypted when all security check boxes were ticked. The dangerous hole in the Mozilla Thunderbird extension affected email that was sent only to blind carbon copy recipients on all versions below 1.7.2 released last month. …
Darren Pauli, 09 Sep 2014

China is now 99.8% sure you're you, thanks to world's-best facial recognition wares

Chinese researchers have developed a facial recognition system that can pick faces from a crowd with 99.8 percent accuracy from 91 angles. The platform can distinguish between identical twins, unravel layers of makeup and still identify an individual if they've packed on or shed kilos. Researcher Zhou Xi of the Chinese Academy …
Darren Pauli, 09 Sep 2014

Mozilla certification revocation: 107,000 websites sunk by untrusted torpedo

Over 107,000 websites have been consigned to the depths of the untrusted internet after Mozilla's move last week to allow its 1024-bit certificates to expire. The latest shipment of Firefox 32 improved security by killing support for the 1024-bit certificate authority (CA) certificates within the browser's trusted store. Google' …
Darren Pauli, 08 Sep 2014

Doubts cast over FBI 'leaky CAPTCHA' Silk Road rapture

Rather than a conspiracy involving NSA wiretaps, the FBI claims the downfall of Silk Road began with a leaky CAPTCHA. Responding to a request for information from former kingpin Ross Ulbricht's defence lawyers, the Feds say the CAPTCHA left a trail from the TOR-protected Silk Road servers to the public Internet. That revealed …
Darren Pauli, 08 Sep 2014

Google recommends pronounceable passwords

Google has updated its password manager to recommend pronounceable passwords within its flagship Chrome browser. The experimental feature was the latest development which could make it into the regular versions of Chrome as part of steady improvements to its password capture, storage and generation. Chrome evangelist and …
Darren Pauli, 07 Sep 2014

Robin Hood virus: Chinese hackers target nation's wealthy

It seems China's state-supported hackers are being overshadowed by the black hat scene as the latter appears to have doubled in size – with some brazen crackers turning to carding the nation's wealthiest. A Trend Micro report dubbed The Chinese Underground in 2013 [PDF] issued this week reveals the black hat hacking scene has …
Darren Pauli, 05 Sep 2014

Microsoft, eBay apps open to man-in-the-middle diddle

At least 350 Android apps are open to man-in-the-middle (MITM) attacks, thanks to code that fails to validate certificates over secure sockets layer (SSL), says US Computer Emergency Response (CERT) security pro Will Dormann. The apps can be found in the Google Play and Amazon stores and have been included in a continually updated …
Darren Pauli, 05 Sep 2014

Scared of brute force password attacks? Just 'GIVE UP' says Microsoft

Sysadmins trying to harden user passwords against brute force attacks, or everyday folk trying to make sure their passwords don't lead to nude selfie leaks may not need to bother, according to the latest research from Microsoft mavericks. Redmond password provocateurs Dinei Florencio and Cormac Herley say password hardening isn' …
Darren Pauli, 04 Sep 2014

VirusTotal mess means YOU TOO can track Comment Crew!

Security researcher Brandon Dixon has used Google's VirusTotal malware analysis tool to spy on what he claims are state-sponsored Chinese and Iranian elite hacking crews. Dixon (@9bplus) used the paid version of VirusTotal to watch as a subgroup of the Chinese hacker group Comment Crew and an unnamed Iranian mob developed, …
Darren Pauli, 04 Sep 2014

Twitter launches beer-money bug bounty

Twitter has announced it will begin paying for newly-found vulnerabilities under a bug bounty that has quietly run since June. The program, launched through third-party bounty outfit HackerOne, has so far garnered 44 reports, none of which were eligible for payments since they were submitted prior to today. Twitter says it is …
Darren Pauli, 04 Sep 2014

Are you a HOT CELEB? Think your SEXY PICS are safe? Maybe NOT

Rather than a single iCloud hack, this week's furore over celebrity nude pics looks more like the work of one or many "secret circles" of hackers whose members mingle on anarchic messageboard 4Chan to share their digital loot from computers and phones they've cracked over a period of years. The photos were, according to one …
Darren Pauli, 03 Sep 2014

Car makers, space craft manufacturers infected with targeted recon tool

Researcher James Blasco is warning the auto and aerospace industries against engineering software that's been compromised by keystroke-logging and reconnaissance malware. Blasco says an un-named provider of such software was compromised after a staffer visited a watering hole website that was established specifically to lure …
Darren Pauli, 03 Sep 2014

iOS phone phlaw can UNMASK anonymous users on social media

Apple iThing users can be identified, images of their faces captured and their phones forced to call numbers – all thanks to coding schemes affecting Facebook, Google, and Twitter, among other sites and services, security researchers say. Attackers and pranksters can force iOS coding schemes to send an SMS or an instant message …
Darren Pauli, 02 Sep 2014

Apple, FBI: YES we're, er, looking into the NAKED CELEBRITY PICS. Aren't you?

The Federal Bureau of Investigation and Apple are examining the theft of a large cache of naked celebrity photos, thought by many to have been snaffled from the fruity firm's iCloud backup silos. As El Reg reported yesterday, the photos, which depict Jennifer Lawrence, Kate Upton and around 100 others, are thought to have been stolen …
Darren Pauli, 02 Sep 2014

NZ Justice Minister scalped as hacker leaks emails

A hacker has claimed the scalp of New Zealand Justice Minister Judith Collins by releasing information showing a purported campaign to undermine government officials. The revelations, revealed last month, came from a hacker known as RawShark (@whaledump), who broke into the email account of conservative blogger Cameron Slater. …
Darren Pauli, 01 Sep 2014

Rubbish WPS config sees WiFi router keys popped in seconds

Passwords within routers sold by chipset manufacturer Broadcom and another unnamed vendor can be accessed within seconds thanks to weak or absent key randomisation, security bod Dominique Bongard has claimed. The weakness relates to the implementation of WiFi Protected Setup (WPS) which allows attackers to calculate the correct …
Darren Pauli, 01 Sep 2014

iCloud fiasco: 100 FAMOUS WOMEN exposed NUDE online

Naked photos of celebrities including Sports Illustrated model Kate Upton, Jennifer Lawrence and Ariana Grande have been published online by an anonymous hacker who reportedly obtained the explicit pics from the victims' Apple iCloud accounts. Nude photos of 17 celebrities have been published online. The anonymous hacker posting …
Darren Pauli, 31 Aug 2014

Ice cream headache as black hat hacks sack Dairy Queen

Ice cream mogul Dairy Queen appears to have been breached with hackers likely stealing credit cards from some of its many US stores. The chilling news comes from sources within the US banking sector who separately told cyber-crime prober Brian Krebs that fraudulent transactions on credit cards appeared to have stemmed from a …
Darren Pauli, 29 Aug 2014

Australia makes pinkie-promise to end Indonesia spying

Australia has signed a code of conduct to promise not to spy on Indonesia's elected officials in a bid to heal seeping wounds opened by NSA leaks. In November 2013, documents leaked by NSA whistleblower Edward Snowden revealed Australia had spied on the mobile phone of then-Indonesian-leader Susilo Bambang Yudhoyono (SBY), his …
Darren Pauli, 29 Aug 2014

Researchers camouflage haxxor traps with fake application traffic

Honeypots just got sweeter after researchers cooked up new digital bait designed to tempt hackers into revealing themselves by tapping into what are faked communications between an enterprise application and its users. The idea behind the new creation is to lure seasoned bad guys into honeypots and in doing so reveal their …
Darren Pauli, 28 Aug 2014

Netflix releases home-grown DDoS detectors

Netflix's security team has given the open source treatment to three tools it uses to monitor the internet and gather evidence of planned attacks against its infrastructure. "Scumblr" and "Sketchy", plus the "Workflowable" tool both rely on, are now on GitHub for any security teams to use. Scumblr sifts through forums and …
Darren Pauli, 28 Aug 2014

PCI Council wants YOU to give it things to DO

Crusaders at the Payment Card Industry Security Standards Council have called for submissions into projects for 2015. The council is responsible for PCI Data Security Standards (PCI DSS), a - to date - largely failed initiative to impose better credit card processing security by retailers. A Special Interest Group is accepting …
Darren Pauli, 27 Aug 2014

Goog says patch⁵⁰ your Chrome

Google has dropped 50 patches for its flagship Chrome browser plugging holes and handed $30,000 to a lone bug hunter who reported a dangerous sandbox-busting attack. A clever chained combo of multiple flaws, reported to Google and patched, allowed attackers to crawl out of Chrome's security sandbox and execute code remotely. It …
Darren Pauli, 27 Aug 2014

Google ghostly graphics haunt Image search

A slam dunking NBA star and a fatal car crash isn't normally what you'd expect to find when Googling for puppies, but it is exactly what users have received overnight due to some unknown perversion of Google Images. The bug affected a scattering of users from dozens of countries. Australia, the US, the UK and many others noticed …
Darren Pauli, 27 Aug 2014

Researcher details how malware gives AV the slip

Researcher James Wyke has discovered throw-off tactics used by malware to frustrate investigators. These tactics were part of a suite of impressive methods VXers used to find technical artifacts that could help them distinguish between computers belonging to victims and those used by malware researchers. While malware writers …
Darren Pauli, 26 Aug 2014

Attack flogged through shiny-clicky social media buttons

Web admins beware: social media buttons that load scripts from unknown external sites could see your sites foisting the FlashPack exploit kit to visitors. Several sources warn that popular JavaScript social media panels are being modified to load external resources that pulled down FlashPack, formerly known as SafePack, which …
Darren Pauli, 26 Aug 2014

Three quarters of South Korea popped in online gaming raids

Three quarters of South Korea's population have been compromised in a massive data breach affecting 27 million people. The nearly incomprehensible breach was revealed when 16 individuals were arrested after selling the records relating to victims aged between 15 and 65 years old. The records included names, account logins …
Darren Pauli, 26 Aug 2014

Hack skirmish grounded Sony exec's flight after FAKE bomb scare

As Distributed Denial of Service (DDoS) attacks hosed not only Playstation Network but also XBox and Battle.net networks, it has emerged that a fake bomb threat grounded US flight 362, while Sony Entertainment Online chief John Smedley was aboard the aircraft. A group (@LizardSquad) was tweeting threats and invective in the …
Darren Pauli, 25 Aug 2014

Three new charges laid against alleged Silk Road kingpin

Three additional charges have been laid against alleged Silk Road kingpin Ross Ulbricht including narcotics trafficking and identity fraud, according to an indictment filed Thursday. Ulbricht faces life in prison for his alleged running of internet drug den Silk Road through which buyers and sellers sent hard and soft drugs to …
Darren Pauli, 25 Aug 2014

Security precogs divine web vulnerabilities BEFORE THEY EXIST

Three million webpages are set to become hacker fodder according to research that could predict what websites will become vulnerable ahead of time. The research by Kyle Soska and Nicolas Christin of Carnegie Mellon University used an engine which divined the future by looking at the past - more specifically, by trawling the Way …
Darren Pauli, 22 Aug 2014

Facebook slings $50k Internet Defense Prize™ at bug hunter duo

Facebook and Usenix have together created the Internet Defense Prize™ – and awarded its first gong to security bods Johannes Dahse and Thorsten Holz. The pair, of Ruhr University Bochum in Germany, received $50,000 from Facebook's prize-giving committee for their paper, Static Detection of Second-Order Vulnerabilities in Web …
Darren Pauli, 21 Aug 2014