Darren Pauli


Hackers pop German steel mill, wreck furnace

Talented hackers have caused "serious damage" after breaching a German steel mill and wrecking one of its blast furnaces. The hack of the unnamed mill, detailed in the annual report of the German Federal Office of Information Security, was pulled off after a victim fell for a phishing email. Hackers then pivoted to the …
Darren Pauli, 22 Dec 2014

STAY AWAY: Popular Tor exit relays look raided

As foreshadowed last week, Tor network exit nodes have gone down after what appear to be raids by law enforcement authorities. Thomas White (@CthulhuSec) warned users to steer clear of his Tor servers after he lost control following what he's called "unusual activity" that meant "I have now lost control of all servers under the …
Darren Pauli, 22 Dec 2014

Dangerous NTP hole ruins your Chrissy lunch

Critical holes have been reported in the implementation of the network time protocol (NTP) that could allow unsophisticated attackers root access on servers. System administrators may need to forego the Christmas beers and roasted beasts until they've updated NTP daemons running versions 4.2.8 and below. The grinch bug was …
Darren Pauli, 22 Dec 2014

Hack hijacks electric skateboards, dumps hipsters in the gutter

A hacker duo have shown how to hijack "Boosted" brand electricity-assisted skateboards. The boards feature small motors to help riders go up hills, or down hills much faster. An app controls the motors over Bluetooth. Stripe security engineer Richo Healey and penetration tester and Bluetooth expert Mike Ryan found a way to …
Darren Pauli, 19 Dec 2014

Kiwi hacker 'menace' pops home detention tracker cuffs

Kiwicon Christchurch bus hacker William Turner has demonstrated how to trick home detention ankle monitors used in New Zealand. The monitor hack meant the location of criminals could be falsely reported to contractor G4S, triggering alarms. The feat was a tool of mischief makers and blackmailers, Turner said, but importantly could not …
Darren Pauli, 19 Dec 2014

Security SEE-SAW: $3 MEEELLION needed to fight a $100k hack

It costs a whopping $3.1m to defend against a $100,000 advanced attack, a security duo claims. The imbalance - well-known to security pros - was illustrated in research presented by Microsoft security strategist Paul McKitrick and founder of security startup ICEBRG William Peteroy (@wepiv) at the Kiwicon hacker fest in …
Darren Pauli, 18 Dec 2014

Social sniffer predicts which Nigerian prince has the best chance of scamming you

Kiwi penetration tester Laura Bell has released a social engineering analysis tool to allow analysis of risky behaviour by punters. The platform dubbed "AVA" and billed as an "automated three-phase human vulnerability scanner" will soon be released as open source and made usable for both hackers using Kali Linux and less tech- …
Darren Pauli, 18 Dec 2014

IBM and Red Hat power up for virtualisation on Power systems

Red Hat has announced that its Enterprise Virtualization product now works on IBM's Power systems. The move's not a colossal surprise: last week Red Hat revealed a beta of Red Hat Linux 7.1 and it included a version running on IBM's recently-revealed POWER8 platform. Red Hat Enterprise Virtualization for Power is a KVM-derived …
Darren Pauli, 17 Dec 2014

Hackable intercom lets you SPY on fellow apartment-dwellers

Kiwicon Kiwi hacker Caleb "alhazred" Anderson has popped a video intercom device that could have allowed him to spy on the 700 apartments in his building. The GrandStream GXV3175 intercom unit has been patched after Anderson - who by day serves as Context Information Security's lead consultant - began the attack while "inspired" by a …
Darren Pauli, 12 Dec 2014

Craft bazaar Etsy's security plan is candy to get devs talking

Kiwicon podcast Etsy's security chieftain Rich Smith has told the hacker faithful to secure their organisations by buttering-up devs with beer and candy. Speaking at the KiwiCon event in Wellington, New Zealand, the guardian of the popular hipster bazaar and co-founder of Iceland consultancy Syndis offered tips from running the fast-paced …
Darren Pauli, 12 Dec 2014

Your data: Stolen through PIXELS

Kiwicon Data loss prevention has been dealt a coup de grace with the development of a client-less system that can suck corporate data through monitors. The research, to be detailed in a proof of concept at the Kiwicon hackerfest in Wellington on Friday December 12, bypasses all detection methods, its developer says. The attack requires …
Darren Pauli, 11 Dec 2014

Blu-ray region locks popped by hardware hacker

Scores of Blu-ray players from the biggest names in the industry contain security vulnerabilities that allow region coding to be unlocked, hardware hacker Matthew Garrett says. The players use an antiquated digital rights management scheme to control the distribution of movies meaning some films could only be played in the …
Darren Pauli, 11 Dec 2014

Microsoft lets YOU kill POODLE in Protected Mode sites

Microsoft has granted sysadmins the ability to kill exposure to rabid POODLE websites under SSL 3.0 for Internet Explorer Protected Mode sites. The Christmas gift will be switched on by default from February next year as Redmond moves to euthanise the Padding Oracle on Downgrade Legacy Encryption attack across its web presences …
Darren Pauli, 11 Dec 2014

Google App Engine has THIRTY flaws, says researcher

Adam Gowdiak of Polish security consultancy and research outfit Security Explorations claims to have found myriad security holes in Google's App Engine. Explained here, Gowdiak says he and his colleagues “discovered multiple security issues in Google App Engine that allow for a complete Java VM security sandbox escape.” Here's …
Darren Pauli, 09 Dec 2014

AliExpress patches account mass harvesting flaw

Global threads bazaar AliExpress, an offshoot of global tat bazaar AliBaba, has patched a URL flaw that allowed attackers to harvest users' personal details including names, shipping addresses and phone numbers. The insecure direct object reference vulnerability reported by an unnamed researcher affected 7.7 million logged-in …
Darren Pauli, 09 Dec 2014

Linux software nasty slithers out of online watering holes

A malware instance built on the shoulders of a trojan so powerful it led to the creation of the US Cyber Command has been updated with Linux-popping capabilities, Kaspersky researcher Kurt Baumgartner says. The Turla advanced malware is thought to have employed its top notch stealth capabilities to remain hidden on some systems …
Darren Pauli, 09 Dec 2014

Orion hacker sends stowaway into SPAAAAACE

One of the 1.3 million names sent into space aboard NASA's Orion test capsule was a stowaway, uploaded to NASA's database by a security researcher who found and exploited a vulnerability. The name 'Payload1 Payload2' was one of three uploaded to the NASA Orion database that collected names to be later transferred to a chip …
Darren Pauli, 08 Dec 2014

Mighty Blighty filter tilter causes communications chaos

The Great Firewall of Britain, aka the content filters operated by telcos Vodafone and Three, has blocked access to German hacker party the Chaos Communications Congress (CCC) ahead of its annual confab. The block, presumably made in error, prevented punters from accessing the website, buying tickets and perusing the conference …
Darren Pauli, 08 Dec 2014

Kaspersky exposes SONY-CRIPPLING malware DETAILS

Kaspersky bod Kurt Baumgartner has released more details on the Sony-plundering malware and links it to attacks on Saudi Aramco and South Korea. Research conducted in the wake of the epic Sony breach last month had connected those behind the attack known as the Guardians of Peace (GOP) with the 2012 hacking of Saudi Aramco by ' …
Darren Pauli, 08 Dec 2014

'Sign in with LinkedIn' spoof allows baddies to penetrate Slashdot, NASDAQ.com and more

Bigshot online identity providers LinkedIn and Amazon were vulnerable to a novel attack that allowed ID fraudsters potential access to top websites – including Slashdot, NASDAQ.com and Crowdfunder – an IBM security duo have revealed. Or Peles and Roee Hay of IBM Security Systems said the attacks worked because the providers …
Darren Pauli, 05 Dec 2014

Norks: We might be aggressive but we didn't hack Sony!

North Korea has denied it was the entity behind the epic hack of Sony Pictures Entertainment. An unnamed diplomat based in New York told The Voice of America the country was not linked to the attack despite speculation patriotic hackers had targeted the media giant in retaliation for a satirical film mocking leader Kim Jong Un …
Darren Pauli, 05 Dec 2014

Microsoft remote code exec killjoys to dump seven fixes next week

Redmond will fix three critical holes in Internet Explorer, Office and Windows next week. Microsoft's Advanced Notification service details a seven-fix monthly dump. Among the three critical bulletins are a problem that leaves Internet Explorer open to remote code execution (RCE) attacks. Patching for bulletin two required a …
Darren Pauli, 05 Dec 2014

Big Blue patches big blooper in Endpoint Manager for mobes

Big Blue has patched a serious hole in its Endpoint Manager for Mobile Devices that allows attackers to gain remote access and compromise connected mobes. Endpoint Manager appears to have been written with Ruby, and the (flaw) means "attackers can create valid session cookies containing marshalled objects of their choosing," …
Darren Pauli, 04 Dec 2014

Squashed bug opened EVERY PayPal account to hijacking

PayPal has plugged a huge hole that exposed every account to hijacking. The cross-site request forgery (CSRF) flaw reported by Egyptian researcher Yassar H Ali allowed attackers access to any PayPal account of their choosing if they were capable of convincing a target to click a link. A PayPal spokesperson confirmed the flaw to …
Darren Pauli, 04 Dec 2014

Sony Pictures struggles as staff details, salaries and films leaked

It's getting worse for Sony: the latest data dump from the raid that's brought the company to an IT standstill includes the personal details of staff. Documents leaked through BitTorrent show the names, home addresses, salaries (and bonuses), and social security numbers of thousands of staff, including executives. Sony Pictures …
Darren Pauli, 03 Dec 2014

Iranian CLEAVER hacks through airport security, Cisco boxen

An alleged Iranian hacking group whose existence is denied by the state is turning up the heat on its two-year global campaign to pop critical infrastructure systems, Cylance researchers say. The group was tied to Iran by the local infrastructure it was alleged to use in the attacks and appeared to have formed as a response to …
Darren Pauli, 03 Dec 2014

Silver-tongued phish bait lures execs, hooks M&A deals

A hacking group has been stealing identity information and reading emails to get the inside edge on stock markets to buy and sell to make quick profits. Vendor FireEye reckons the group sent articulate phishing emails with malicious attachments demonstrating "deep" knowledge of financial markets and corporate communications. In …
Darren Pauli, 02 Dec 2014

Australian Government funds effort to secure wearable data pulses

Wearable health devices could feed Australians' health data into official databases to improve diagnosis under security research funded by the Federal Government. The researchers want to find ways to secure wearable consumer devices and validate the identity of users in order to enable health practitioners to trust data feeds. …
Darren Pauli, 02 Dec 2014

OpenVPN plugs DoS hole

OpenVPN has patched a denial-of-service vulnerability which authenticated users could trigger by sending malicious packets. The flaw (CVE-2014-8104) is most hurtful to VPN service providers and was reported by researcher Dragana Damjanovic to OpenVPN last month. Maintainers said in an advisory issued this morning that the flaw …
Darren Pauli, 02 Dec 2014

Pay with your credit card at station kiosk? 'Dare Devil' is targeting YOU

A financial malware strain has been found targeting payment systems behind transit systems and kiosks sucking up all manner of junk data, researchers say. The malware dubbed d4re|dev1l (dare devil) has been found in kiosks at Italy's regional transport company Azienda Regionale Sarda Trasporti, as well as at undisclosed …
Darren Pauli, 01 Dec 2014

EVIL researchers dupe EVERY 32 bit GPG print

Researchers have found collision attacks for 32 bit GPG keys leaving the superseded technology well and truly dead. Eric Swanson and Richard Klafter used graphical processing units to clone fingerprints for each 32 bit key id in Web of Trust strong set. The feat took four seconds per key increasing the chance that human error …
Darren Pauli, 01 Dec 2014

Weather Channel forecast: Bleak, with prolonged XSS

The Weather Channel has dammed a downpour of cross-site-scripting vulnerabilities that soaked three quarters of links on the popular site, security bod Wang Jin says. The website received a tsunami of traffic with more than a billion unique visitors checking in each month according to Drupal which noted it was the "highest …
Darren Pauli, 01 Dec 2014

Author fined $500k in first US spyware conviction

A US man has been handed a US$500,000 fine for selling the StealthGenie malware in the first prosecution of a mobile spyware slinger. Police collared Hammad Akbar, 31, in September after he allegedly sold the malware to an undercover agent in 2012. Akbar, a Danish citizen, sold the StealthGenie malware capable of intercepting …
Darren Pauli, 30 Nov 2014

World's best threat detection pwned by HOBBIT

Some of the world's best threat detection platforms have been bypassed by custom malware in a demonstration of the fallibility of single defence security. Five un-named top advanced threat detection products were tested against four custom malware samples written by researchers at Crysys Lab, Hungary and MRG-Effitas, UK. The …
Darren Pauli, 28 Nov 2014

Edward Snowden: best ... security ... educator ... EVER!

A good deal of folk aware of NSA leaker Edward Snowden have improved the security of their online activity after learning of his exploits, a large survey has found. Researchers from think tank The Centre for International Governance Innovation collected responses from 23,376 users between October and November and found 60 …
Darren Pauli, 28 Nov 2014

Leaked Syrian log files reveal attempts to starve rebels of information

Syria's Bashar al Assad-led regime blocked scores of legitimate services and entire network regions in its bid to scrub out access to sites such as Reddit, Google and Skype, the first analysis of the nation's web filtering reveals. Research by three Sydney researchers from National ICT Australia (NICTA), together with three …
Darren Pauli, 28 Nov 2014

Home Depot hacker hosing cost a wallet-draining $43m (so far)

Hacked hardware mart Home Depot has forked out $43m to quash spot fires emanating from the data breach inferno this year, SEC filing documents show. The payout covered damages from the theft of 56 million payment cards and 53 million email addresses. It covered the cost of investigating this year's five-month-long breach, …
Darren Pauli, 27 Nov 2014

Adobe Reader sandbox popped says Google researcher

The Acrobat Reader Windows sandbox contains a vulnerability that could allow attackers to break out and gain higher privileges, Google security bod James Forshaw claims. The NTFS junction attack is a "race condition" in the handling of the MoveFileEx call hook Forshaw said. While unpatched, subsequent September updates made the …
Darren Pauli, 27 Nov 2014

Hacker dodges FOUR HUNDRED YEARS in cooler for SCANNING sites

A US hacker has dodged 440 years in prison for computer crime offences that amount to scanning sites with automatic tools and filling in web forms with junk data. The charges, since reduced to a misdemeanor, could have seen Fidel Salinas, 28, spending his remaining days working off a 440-year sentence. Salinas was alleged to …
Darren Pauli, 27 Nov 2014

Zero-day hacking group resorts to UNICORN SMUT-SLINGING

Sysadmins who have not yet patched their Windows boxes against the 18-year-old "unicorn-like" OLE bug disclosed last month could expect a deluge of spear phishing smut from a group once confined to lofty targeted zero-day attacks. The talented APT3 group was behind widespread zero-day attacks code-named Clandestine Fox earlier …
Darren Pauli, 26 Nov 2014

Privacy bods Detekt Hacking Team code nasty dressed as bookmark manager

The Detekt privacy tool has discovered Hacking Team's Windows spyware masquerading as a benign bookmark manager. Detekt was launched last week and lets users of Windows systems inspect their machines for traces of known government spyware. Developer Claudio Guarnieri said on Twitter the tool discovered the malicious …
Darren Pauli, 26 Nov 2014

Security seals clobbered ahead of Black Friday bonanza

This Black Friday, beware the shop with the security seal: researchers have shown that issuers of common good webkeeping seals of approval sometimes miss basic flaws, happily certify phishing sites and inadvertently function as a hackers' black book of vulnerable sites. The research examined the effectiveness of the top 10 …
Darren Pauli, 26 Nov 2014

Who's been writing in my apps? Googlilocks builds new apps-tracker

Google has bolstered the security of its Apps platform with new reports providing insight into the number of devices accessing the account over the past month. The Devices and Activity dashboard displayed all devices active on an account in the last 28 days and those still signed in. …
Darren Pauli, 25 Nov 2014

Craigslist pushes punters to YouTube, hacker site

Craigslist is asking users to flush their DNS after one or more pranksters twice changed the DNS records of the popular flesh and furniture classifieds site so it redirects users to a website and video. The attack, launched on 23 November, saw some users to some pages redirected to a site previously used in 2008 to sell stolen …
Darren Pauli, 25 Nov 2014

Sony Pictures in IT lock-down after alleged hacker hosing

Sony Pictures is investigating a breach that has seen hackers supposedly steal reams of internal data and splash defacements across staff computers. The company is now in lock-down as it wrestles with the problem. The beleaguered company, writes Variety, has requested staff disconnect their computers and personal devices from …
Darren Pauli, 25 Nov 2014

Abbott scholarship leaker escapes conviction

Sydney whistleblower Freya Newman has been served a two-year good behaviour bond with no conviction after pleading guilty to illegally accessing and leaking documents about a scholarship awarded to the daughter of Australian Prime Minister Tony Abbott. Newman, 21, in May disclosed documents to journalists alleging Ms Abbott, …
Darren Pauli, 25 Nov 2014

Sony quietly POODLE-proofs Playstations

Sony has patched the POODLE SSL vulnerability in its Playstation 3 and 4 gaming consoles. The rolling patch, introduced over the last fortnight, brings Transport Layer Security into Playstation's browsers and apps. SSL 3.0 is dispelled, off the Padding Oracle on Downgrade Legacy Encryption attack. The patch is a 200MB mandatory …
Darren Pauli, 24 Nov 2014

'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described

A highly advanced malware instance said to be as sophisticated as the famous Stuxnet and Duqu has been detected. "Regin" has security researchers opining it may be nastier than both. "Regin" malware is thought to have been developed by a nation-state because of the financial clout needed to produce code of this complexity. …
Darren Pauli, 24 Nov 2014

DEATH by COMMENTS: WordPress XSS vuln is BIGGEST for YEARS

An estimated 86 per cent of WordPress websites harbour a dangerous cross-site scripting (XSS) hole in the popular comment system plugin, in what researcher Jouko Pynnonen calls the most serious flaw in five years. The bug could provide a pathway for attacking visitors' machines. The WP-Statistics plugin lets attackers inject …
Darren Pauli, 24 Nov 2014

PayPal takes 18 months to patch critical remote code execution hole

Paypal has closed a remote code execution vulnerability some 18 months after it was reported. The flaws reported earlier this month rated critical by Vulnerability Lab affected a core Paypal profile application. "A system specific arbitrary code execution vulnerability has been discovered in the official PayPal …
Darren Pauli, 21 Nov 2014