Darren Pauli

Open Web Application Security Project issues new secure coding bible

The Open Web Application Security Project (OWASP) has published the third version of its developer security bible trimming the fat and offering peer-reviewed and tested means of building more secure apps. The Application Security Verification Standard Project (ASVS) is the carrot to OWASP's much-cited stick that is the Top 10 …
Darren Pauli, 12 Jan 2016

Turkish carder scores record 332-year jail term

A 26-year-old Turkish carder has received a record 332-year prison sentence for defrauding 54 customers. Onur Kopçak was charged after he stole and resold customer credit cards to other criminals. Turkish media report the man received a 135-year sentence for stealing 11 credit cards handed down by the Mersin third Criminal …
Darren Pauli, 12 Jan 2016

Drupal uncrosses fingers, promises secured patching

Drupal is switching to secured channels for updating its content management system, after IOActive security bod Fernando Arnaboldi reported it sought patches in the clear. More than a million sites use the popular content management system, making it a significant target for hackers. The vulnerabilities are not earth- …
Darren Pauli, 12 Jan 2016

Exploit kits throw Flash bash party, invite Crypt0l0cker, spam bots

Criminals behind some of the most potent exploit kits, Neutrino and RIG, are ramping up attacks slinging the latest ransomware and hosing users who have not applied recent Adobe Flash patches. The patched vulnerabilities permit code execution and allow the dangerous hacking kits to compromise user machines. The two above- …
Darren Pauli, 11 Jan 2016

Call of Duty terror jabber just mindless banter

Video Eye-watering claims that video games are secure communications hubs for terrorists have been shot down in a demonstration by security wonks who tested claims nation-states could not intercept chatter and that messages can be written in bullet holes. Playstation 4 was last year fingered as a favourite communications channel for …
Darren Pauli, 08 Jan 2016

Checkpoint chap's hack whacks air-gaps flat

32c3 Checkpoint malware men Yaniv Balmas and Lior Oppenheim have developed an air gap-hopping malware system that can quietly infect, plunder, and maintain persistence on networked and physically separated computers. The Israel-based duo pried apart and compromised KVMs (keyboard video mouse) units such that they …
Darren Pauli, 08 Jan 2016

Devs get malicious root app militia on Play Store, sell pumped up ratings

Google has punted from its Play Store 13 apps, including one installed a million times and capable of gaining persistent root, downloading additional apps, and leaving fake positive reviews. The Brain Test apps slipped past the Chocolate Factory's Google Verify Apps (formerly Bouncer) vetting system and were downloaded scores …
Darren Pauli, 08 Jan 2016

Plain cruelty: Boffins flay Linux ransomware for the third time

Probably the world's most tragically determined blackhat developers have had their revitalised Linux.Encoder ransomware pwned again by meddling BitDefender whitehats. The third iteration of the Linux.Encoder ransomware was unleashed on the world, infecting a paltry 600 servers before a crack team of security analysts returned …
Darren Pauli, 07 Jan 2016

Reverser laments crypto game protection, says wares dead after 2018

A top video-game cracker says cryptographic anti-reverse-engineering technology could put an end to the prolific rate of game piracy. The Chinese reverser, known affectionately as Bird Sister, Phoenix, or Fifi, has published a short blog noting that the encryption technology protecting the popular Just Cause 3 title. " …
Darren Pauli, 07 Jan 2016

Latvian coder released from clink after mega-millions bank raids

A hacker partly responsible for creating the highly sophisticated Gozi trojan that ripped tens of millions of dollars from victims has walked away with 21 months time served. New York district judge Kimba Wood ruled Deniss Calovskis, 30, had paid sufficient penalty for what is described as his minor role in developing Gozi. …
Darren Pauli, 07 Jan 2016

'You're updated!' Drupal says, with fingers crossed behind back

Drupal installations could be out of date and open to attack thanks to a borked update process that flags unpatched platforms as current. The popular content management system is used by more than a million sites making it a significant target for hackers. Indeed, in October 2014 attackers took mere hours to compromise untold …
Darren Pauli, 07 Jan 2016

Docker proffers guide to better headers

Docker security bod Diogo Monica is offering a guide to help system administrators flip their security header report card marks from Fs to As. Good security headers do things like ward off click-jacking and cross-site scripting attacks, malicious certificates, and secure sockets downgrading. Many big e-commerce and banking …
Darren Pauli, 06 Jan 2016

Bash, smash, trash Flash – earn $100k cash

Hackers can score US$100,000 from exploit arbitrage outfit Zerodium if they bypass Adobe's latest Flash heap isolation defence. Hackers will have to craft an exploit that escapes the sandbox to hit the jackpot, because that's more complex than a non-sandbox break which attracts a $65,000 reward. It comes less than a month …
Darren Pauli, 06 Jan 2016

'Wipe everything clean ... Join us ...' Creepy poem turns up in logs of 30 million-ish servers

Sysadmins have woken up to an odd message in their server logs that told them to "delete their installations" and "join us." The poem, injected into web server log files, is like something out of the hacker telly series Mr Robot. It is seemingly the handiwork of wags at the Chaos Communication Congress in Hamburg, Germany, …
Darren Pauli, 06 Jan 2016

Security bod watches heart data flow from her pacemaker to doctor via ... er, SMS? 3G? Email?

A computer security researcher has probed the communication protocols used by her pacemaker – and hopes her findings will raise awareness of just how much info medical devices are emitting. Marie Moe received her pacemaker four years ago after she experienced a form of arrhythmia, and her heart began to slow. Soon after, she …
Darren Pauli, 05 Jan 2016

Tor launches invite-only exploit bug bounty

Tor will this year investigate an exploit bug bounty paying researchers cash for flaws, lead developer Mike Perry says. The HackerOne invite-only scheme is expected to be opened to the public after Tor finds its feet handling disclosures. Bug bounties are a booming initiative under which tens of thousands of dollars are being …
Darren Pauli, 05 Jan 2016

Irked train hackers talk derailment flaws, drop SCADA password list

32c3 A trio of Russian hackers say core flaws in rail networks are opening trains to hijacking and derailment and have published dozens of hardcoded industrial control system credentials to kick vendors into action. Sergey Gordeychik (right), Gleb Gritsai, and Aleksandr Timorin (rear). Industrial control specialist …
Darren Pauli, 04 Jan 2016

BlackEnergy drains files from Ukraine media, energy organisations

Malware writers are wiping hard drives of Ukraine media outlets and energy companies using a cocktail of backdoors. Eset threat bod Anton Cherepanov says VXers are attacking the unnamed organisations with the BlackEnergy trojan's new KillDisk component, capable of destroying some 4000 different file types and rendering …
Darren Pauli, 04 Jan 2016

Kiwi judge rules Kim Dotcom can be extradited to USA

A prima facie case can be made for the extradition of Kim Dotcom and others associated with the download site Mega, according to a New Zealand district court judge. We're indebted to the Twitter stream of Radio New Zealand reporter Kate Newton for the news, as she attended today's hearing in Auckland. Newton reported that the …
Darren Pauli, 23 Dec 2015

Mozilla looses Firefox 43, including Windows 64-bit variant

Mozilla has released version 43 of its Firefox web browser, introducing a 64-bit version for Windows and crushing four critical and seven serious vulnerabilities. The browser should now enjoy the security and performance boosts of 64-bit systems with fatter heap sizes to help fire up things like browser games and better …
Darren Pauli, 16 Dec 2015

FireEye flamed: A single email will grant total network access

Researchers at Google's Project Zero security research team have found a brutal hole in FireEye kit that allows attackers to lay waste to corporate networks with a single email. The flaw, dubbed "666" from its Project Zero vulnerability number, is a passive monitoring hole that respected hacker Tavis Ormandy describes as a …
Darren Pauli, 16 Dec 2015

Ho ho hosed: Asian biz malware pwns air-gaps, thousands of Androids

CloudSek security bod Rahul Sasi says an Asian software development company is stealing sensitive defence software source code from air-gapped computers while also using a malicious Christmas app to hose thousands of Android handsets. The penetration tester found the onslaught from an unnamed software company that was actively …
Darren Pauli, 16 Dec 2015

Who needs CCTV? Get a terrifying slowpoke hoverdrone cam

A slow- and low-flying drone has been developed for security guard personnel that will follow visitors and snap their pictures. Japan's largest security outfit Secom says the drone will attempt to identify and photograph any potential intruder's face as well as the licence plate of their car, Kyodo News reports. The 10kmph …
Darren Pauli, 15 Dec 2015

Cisco forgot to install two LEDs in routers

Cisco has forgotten to install all the light emitting diodes (LEDs) in some routers. The Register understands that the LTE-enabled C800 integrated service routers, models C896, C897, and C898, lack LEDs that indicate traffic is passing over the WAN. Cisco has 'fessed up to the mess in a field notice that says "... two LEDs and …
Darren Pauli, 15 Dec 2015

Cisco starts spewing vuln info everywhere, in a good way

Security folk will be able to suck down Cisco vulnerabilities notices in more ways than ever thanks to a new application programming interface launched today. The Cisco security team's (PSIRT) openvuln plug is a RESTful API supporting standards like Common Vulnerability Reporting Framework (CVRF), Open Vulnerability and …
Darren Pauli, 15 Dec 2015

Patch now! Joomla attacked in remote code execution blitzkrieg

Joomla has slung a patch to crush a critical eight-year-old remote code execution vulnerability under active exploitation by attackers. Sucuri threat man Daniel Cid says hundreds of attacks are now taking place having ramped up from a mere handful Saturday. "This is a serious vulnerability that can be easily exploited and is …
Darren Pauli, 15 Dec 2015

Oxford Uni opens infosec ivory tower in Melbourne

The State of Victoria is cementing its place as Australia's security hub with the launch of an Oxford University national infosec risk centre in Melbourne. The Global Cyber Security Capacity Centre will perform "audits of national cyber security risks and capabilities" to help Australia plan investments and strategies. It …
Darren Pauli, 15 Dec 2015

American cyber crims operate popup hack 'n crack sites in plain sight

North American cyber criminals are so blatantly thumbing their noses at law enforcement that their forums have been nicknamed "glass tanks". The selling of malware, stolen credentials, and other crime services are so open they can be found using Google, Trend Micro researchers Kyle Wilhoit and Stephen Hilt say. Moreover, the …
Darren Pauli, 14 Dec 2015

Gamer ransomware grows up, now infecting UK, Euro businesses

Companies across Northern Europe are being smashed by the TeslaCrypt ransomware as net scum switch from extorting individuals to targeting deeper-pocketed organisations. Those worst affected are located in the United Kingdom, France, Italy, and Spain, where a highly capable phishing campaign regularly tosses out juicy baits …
Darren Pauli, 14 Dec 2015

Russian friends make German web scum the 'best' in European Union

The German cyber crime market is an overlooked but unique beast that works in lockstep with Russian veterans to serve fraud-flinging newcomers and hardened carders alike, researchers say. In one of the few examinations into German crime forums a team of Trend Micro threat bods say the scene is the most developed in the …
Darren Pauli, 14 Dec 2015

'Fairly bad core bug' crushed in Linux 4.4-rc5

Linux Lord Linus Torvalds says the fourth release candidate of Linux 4.4 contained “a fairly bad core bug” that's since been squashed, but may not have rung many alarm bells anyway. “Another week, another rc,” Torvalds writes on the Linux Kernel mailing list, before going on to say that development work is progressing as usual …
Darren Pauli, 14 Dec 2015

Hackers add exploit kit to article asking 'Is cyber crime out of control?'

Hackers have hosed an article published by The Guardian using the world's nastiest exploit kit Angler to pop the machines of exposed readers. The attack firmly answers the article's headline positing the question 'is cybercrime out of control', based on arguments in a book by one Misha Glenny. Angler is the most capable and …
Darren Pauli, 11 Dec 2015

Hundreds of thousands of engine immobilisers hackable over the net

Kiwicon Kiwi hacker Lachlan Temple has found holes in a popular cheap car tracking and immobilisation gadget that can allow remote attackers to locate, eavesdrop, and in some cases cut the fuel intake to hundreds of thousands of vehicles, some while in motion. The gadgets are rebranded white box units from Chinese concern ThinkRace …
Darren Pauli, 11 Dec 2015

Google cloaks Android in Red Screen of malware Dearth

Google has extended its anti-social engineering Chrome tool to Android, making big efforts to reduce blacklist bandwidth costs along the way. The Red Screen of malware Dearth, officially branded Safe Browsing, has long been a feature of Chrome desktop platforms where bandwidth and processing requirements are much less …
Darren Pauli, 11 Dec 2015

Overhaul Wassenaar or ruin next Heartbleed fix, top policy boffin says

Kiwicon Additional exemptions to the much-feared Wassenaar Arrangement will do nothing to protect far-flung security professionals critical to crushing dangerous Heartbleed-esque bugs, according to infosec policy-buff Katie Moussouris. The Hacker One chief policy officer is spearheading the security industry's global response to the …
Darren Pauli, 11 Dec 2015

Brit-American hacker duo throws pwns on IoT BBQs, grills open admin

Kiwicon American hardware hackers have ruined Christmas cook-ups across Australia, revealing gaping and pwnable vulnerabilities in Internet-connected barbecues. Hardware hackers Matthew Garrett and Paul McMillan revealed how the Internet-of-things CyberQ exposed its remote administration facilities and could be owned over the …
Darren Pauli, 10 Dec 2015

Aussie hacker flips Coin into fraudster fob

Kiwicon Criminals can empty stolen credit cards with new-found stealth using payment gadget Coin, thanks to the device's weak and pwnable authentication checks. Hacker Peter Fillmore (@typhoonfilsy) of Melbourne, Australia, found Coin's weak authentication scheme can be manipulated using man-in-the-middle attacks that allow fraudsters …
Darren Pauli, 09 Dec 2015

Google proffers plugs in Android MMS pwnfest

Google has slung a new set of patches at the vulnerability hub that is Android media processing, fixing four critical flaws and 10 high-severity bugs. The vulnerabilities could allow user phones to be compromised through a variety of means including MMS, email, and following web links. Nexus users get the fixes first along …
Darren Pauli, 08 Dec 2015

Sydney quantum computing wonks get $36M to build god box

Aussie physicists have scored AU$36 million to advance their work on the world's first silicon-based quantum computer. The University of New South Wales wonks scored $26 million over five years from the nation's Federal Government and an in-principle commitment of another $10 million from the Commonwealth Bank to push ahead …
Darren Pauli, 08 Dec 2015

University of New South Wales to offer free online infosec courses

The University of New South Wales (UNSW), often ranked as Australia's top university for information security studies, will next year run free massive open online courses (MOOCs) under Creative Commons online licences. The University of NSW sec.edu.au courses to launch 28 February will vary in required skill level with some …
Darren Pauli, 08 Dec 2015

Hacker reveals lifestyles of the rich and famous in UAE bank pop

A hacker who appears to have cut and run has reportedly dumped bank information relating to thousands of cashed-up United Arab Emirates bank customers. The hacker using the handle "Hacker Buba" claimed to local media to have popped Invest Bank before demanding US$3 million in ransom in order to withhold releasing the files …
Darren Pauli, 07 Dec 2015

Russian "Pawn Storm" expands, rains hell on NATO, air-gapped PCs

One of the most prolific and capable Russian malware groups is using a rare module to infect USB sticks and hose air-gapped machines in defence industry organisations. The group, known as "Sofacy" or "Pawn Storm" has been ripping into air gap defence organisations since at least August, demonstrating its skills using zero day …
Darren Pauli, 07 Dec 2015

NBN opens 400 tech jobs in looming second Melbourne security shop

nbn, the company building Australia's national broadband network (NBN), will hire 400 tech bods over the next two years to staff its upcoming Cyber Security Operations Centre in Melbourne's south. The centre will operate around the clock with infosec bods policing the network. It will operate in addition to the Network and Services …
Darren Pauli, 07 Dec 2015

Infosec bods rate app languages; find Java 'king', put PHP in bin

Java applications have been found to have many fewer common vulnerabilities than those coded using web scripting languages. Less than a quarter of Java apps sport SQL injection vulnerabilities, compared to more than three quarters of those written in PHP. So says Veracode's new State of Software Security report (PDF …
Darren Pauli, 04 Dec 2015

Domination: Crims steal admin logins, infect sites, drop Cryptowall 4

Virus slingers who find themselves unsatisfied by merely ruining computers with ransomware are now first stealing a victim's admin passwords to enslave their websites into attack campaigns. The battery starts with the installation of the Pony malware, which in 2013 stole some two million passwords through its global botnet. …
Darren Pauli, 04 Dec 2015

Ponmocup is the '15 million' machine botnet you've never heard of

Botconf One of the world's most successful, oldest, and largest botnets is an underestimated and largely-unknown threat that has over time infected 15 million machines and made millions plundering bank accounts. The findings from a team of eight Fox IT researchers say the 'Ponmocup' botnet controlled 2.4 million infections at its peak …
Darren Pauli, 03 Dec 2015

Darkode 3.0 is so lame it's not worth your time reading this story

The FBI-scuppered Darkode crime forum appears truly dead after a promised resurgent site failed to surface and a recent spin-off has proven horribly insecure. Darkode was the white-hat-infested crime den for English-speaking carders and VXers who bought and sold software and services that plundered the pockets of corporations …
Darren Pauli, 03 Dec 2015

Brit hardware hacker turns Raspberry Pi Zeros into selfie slayers

Kiwicon Hipsters and selfie addicts beware: infosec man Steve Lord has crafted a tool designed to sever your line of addiction to Instagram by quietly blocking it over public Wi-Fi. The British security bod built the Raspberry Pi Zero-powered "hipster slayer" out of nothing more than off-the-shelf components and "questionable life …
Darren Pauli, 02 Dec 2015

50c buys you someone else's password for Netflix, Spotify or ...

Criminals are selling 'lifetime' Netflix, HBO, and cable sports streaming accounts for less than US$10 on sites hidden within Tor. Premium sports accounts sell for about $10 while streaming TV can be bought for as low as 50 cents, far less than the $10 monthly subscription. Comic fans can buy a stolen Marvel Unlimited …
Darren Pauli, 02 Dec 2015

Hong Kong hacks hacked in democracy protest yap flap

Chinese hackers who previously popped Western financial firms are now using Dropbox to target Hong Kong based journalists, FireEye says. The group, suspected to be an outfit known as "admin@338", is using the cloud service to host command and control for its infection operations. Its attacks drop the backdoor payload dubbed …
Darren Pauli, 02 Dec 2015