Darren Pauli

Snapchat slings SMS two-factor authentication

Snapchat has deployed two-factor authentication as part of its push to increase security across the popular selfie slinging app. The sexting swap shop allows users to set up SMS log-in verification that makes en-masse account hijacking more difficult, and better protects Snapchat's Snapcash money transfer system. The additional …
Darren Pauli, 15 Jun 2015

Cisco issues 16 patches to pop pesky peccant packets

Cisco has issued a string of patches for 16 faults including a fix for a possible remote code execution in its IOS and IOS XE routing software. The patches address a generous dollop of security conditions caused by faulty queued packets. One flaw, rated severity 8.3, allows attackers to gain remote code execution in IOS XE by …
Darren Pauli, 15 Jun 2015

Poison résumé attack gives ransomware a gig on the desktop

Security researchers are focussing their crosshairs on what appears to be high-volume spam and exploit campaigns to deliver the latest iteration of the Cryptowall ransomware. Boffins from the SANS Institute, Cisco, and MalwareBytes have identified a dangerous if goofy spam campaign slinging the nasty ransomware masquerading as …
Darren Pauli, 12 Jun 2015

Europol operation crushes phiendish global phishing ring

Police have arrested 49 men from Spain, Nigeria, and Cameroon in connection with electronic bank account raids that plundered some €6 million across Europe. The men were arrested as part of Operation Triangle, an effort involving police from Spain, Italy, and Poland together with authorities in Belgium, the UK, and Georgia. …
Darren Pauli, 12 Jun 2015

OpenSSL releases seven patches for seven vulns

Users are being urged to upgrade OpenSSL to prevent eavesdroppers listening to otherwise encrypted connections undermined through the LogJam vulnerability thought to be the NSA's crypto-cracking tool of choice. OpenSSL maintainers have patched seven vulnerabilities including the LogJam vulnerability (CVE-2015-4000) which allows …
Darren Pauli, 12 Jun 2015

Mozilla doubles bug bounties to $10k

Mozilla has more than doubled the cash rewards under its dusty bug bounty to beyond $10,000. The browser baron has increased the reward for high-severity bugs such as those leading to remote code execution without requiring other vulnerabilities. Engineer Raymond Forbes says the bounty had not been updated in five years and had …
Darren Pauli, 11 Jun 2015

Super Stuxnet's SCADA slaves: security is atrocious

Botnet boffin Peter Kleissner says at least 153 computers are still slaves to Stuxnet. Of those, six are tied to supervisory control and data acquisition (SCADA) systems which the malware is designed to exploit to destroy the attached machinery. Kleissner told a presentation at an information security conference in Vienna last …
Darren Pauli, 11 Jun 2015

But ... but iOS 9 could BLOCK my Ad-Block, dev squeals

Apple appears to have added an ad-blocking capability to iOS 9, stoking hopes and fears in different quarters. The beta version of the operating system sports a Content Blocking Safari Extensions feature which Apple says will give extensions "a fast and efficient way to block cookies, images, resources, pop-ups, and other …
Darren Pauli, 11 Jun 2015

Trustwave: Here's how to earn $84,000 A MONTH as a blackhat

Exploit kit traders and ransomware slingers are in one of the most profitable industries in the world, landing a whopping 1,425 percent profit margin for raiding legitimate trade. Figures from infosec firm Trustwave show the blackhats who are enjoying what appears to be a current boom can score outrageous amounts of money by …
Darren Pauli, 10 Jun 2015

Password-flogging phishing tool pwns EVERY iOS Mail app

Ernst and Young forensic bod Jan Soucek has created a tool capable of generating slick iCloud password phishing emails he says exploits an unpatched bug affecting millions of Apple users. The researcher created the iOS 8.3 Mail.app inject kit which exploits a bug in the operating system's native email client to produce a …
Darren Pauli, 10 Jun 2015

United Airlines accounts open to mass lock-outs

A simple brute-force attack is all that's needed to lock users out of their frequent flyer accounts. However, in spite of the discovery, by Turrisio Cybersecurity security officer Yosi Dahan, being disclosed under the airline's bug bounty in March, the researcher is complaining that United isn't responding to him. Dahan says …
Darren Pauli, 10 Jun 2015

Use SDN to smash tier one 'oligarchy', hacker says

AusCERT IIX security bod David Jorm is urging users and organisations to adopt software-defined networking (SDN) to break up the 'tier one networking oligarchy'. The former Red Hat security bod said SDN establishes peer-to-peer interconnects without the expense and complexity of traditional models, using projects including OpenDaylight …
Darren Pauli, 09 Jun 2015

iiNet probes WestNet breach

Australian telco iiNet is investigating reports criminals are trying to flog online 30,000 customer records swiped from subsidiary Westnet. The breach was reported on Twitter after a security news tweeting service found a user attempting to sell what they said was Westnet's database on an unspecified website. At this …
Darren Pauli, 09 Jun 2015

In the exploit biz? FULL DISCLOSURE is your best friend, boffin says

Auscert Security bod Alfonso De Gregorio says buyers and sellers in the cut-throat exploit marketplace should release their zero-days to the public if they are fleeced. The BeeWise founder says full disclosure of security vulnerabilities helps punish both buyers who fail to pay or on-sell zero-days, and sellers who break contracts and …
Darren Pauli, 05 Jun 2015

Ransomware-as-a-service business up for grabs to highest bidder

A self-aggrandising web skiddie is attempting to sell access to victims of the Tox ransomware. The hacker claims to be a student and says he has been inundated with customers for a ransomware-as-a-service racket that offers to infect victims in return for a 70 percent cut of ransoms (paid as Bitcoin, natch). The scam uses the …
Darren Pauli, 05 Jun 2015

New Firefox, Chrome SRI script whip to foil man-in-the-middle diddle

Scripting will in the next few months become safer with Mozilla and Google adopting a validation mechanism to protect against man-in-the-middle attacks. The Subresource Integrity (SRI) check is being developed by boffins at Google, Mozilla, and Dropbox under the World Wide Web Consortium. The specification means the integrity …
Darren Pauli, 04 Jun 2015

Security sleuths, sniff out the stupid from your Oracle DBs

Databases remain a security nightmare, says Datacom TSS hacker David Litchfield, so he's built an application to give admins a hand. The Datacom TSS hacker says the Database Security Scorecard will help inform system administrators of security shortfalls in databases and help bridge the language gap between management and tech …
Darren Pauli, 04 Jun 2015

Compromised SSH keys used to access Spotify, UK Govt GitHub repos

CloudFlare engineer Ben Cox says the official Github repositories of the UK Government, Spotify, and Python were accessed using likely compromised SSH keys. Cox says the keys revoked this month are subject to a compromised Debian OpenSSL random number generator seed discovered and fixed in early 2008. The security bod …
Darren Pauli, 03 Jun 2015

Vic Govt security standards to launch next month

The data security boss for the Australian state of Victoria, David Watts, says more than 2,500 state government agencies will be required to comply with security benchmarks to be released next month. Watts says the Victorian Government Protective Data Security Framework (VPDSF) he and his team developed is slated for release on 1 …
Darren Pauli, 03 Jun 2015

Hola! TV geo-block botters open bug bounties

Smarting from a barrage of criticism for botting its customers, VPN service Hola is hoping a bug bounty program will restore its security credentials. The VPN service was caught turning its 9.7 million users into Luminati exit-nodes. It advertised this service as using customers who downloaded Luminati's TV geo-block smasher …
Darren Pauli, 02 Jun 2015

Patch-crazy Aust Govt fought off EVERY hacker since 2013

Australian Signals Directorate deputy director Steve Day says hackers have failed to extract any sensitive information from Federal Government agencies for the last two years despite successfully breaching several networks. Day chalks it up to agencies following the lauded "Top 4 security controls" developed by ASD bod Steve …
Darren Pauli, 02 Jun 2015

Script tool a Docker shocker blocker

Docker security head Diogo Mónica has crafted a defence tool to help admins protect their machine instances. Mónica says the Docker Bench Security script available on GitHub is designed to complement, and check systems against, the Docker benchmarks released last month alongside a whitepaper [pdf]. “Having the documents is …
Darren Pauli, 01 Jun 2015

56 MEEELLION credentials exposed by apps say infosec boffins

Researchers from the University of Darmstadt say app developers have exposed 56 million credentials by borking login processes using services from Google, Amazon, and Facebook. The research team tested 750,000 Android and iOS applications, examining the way they used the federated identity services to make authentication smooth …
Darren Pauli, 01 Jun 2015

Mac bug makes rootkit injection as easy as falling asleep

Respected Apple hacker Pedro Vilaça has uncovered a low-level zero-day vulnerability in Mac computers that allows privileged users to more easily install EFI rootkits. Vilaça says the attack, first thought to be an extension of previous research rather than a separate zero-day, took advantage of unlocked flash protections when …
Darren Pauli, 01 Jun 2015

Mozilla signing vetted add-ons as thoughts turn to security

Mozilla developer Jorge Villalobos claims the web king has begun signing vetted add-ons in a bid to improve security. The move means Mozilla-signed add-ons hosted on its servers will be maintained through automatic updates, while those lacking the signature of approval will be jettisoned into the internet ether. Villalobos says …
Darren Pauli, 29 May 2015

Yay for Tor! It's given us RANSOMWARE-as-a-service

Threat Research head Jim Walter says a virus writer has created a ransomware-as-a-service offering which allows luddite criminals to fleece users. Walter discovered the Tox ransomware on an eponymously named Tor hidden service noting the author required a 30 percent cut of paid Bitcoin ransoms. He says Tox is one of the few …
Darren Pauli, 29 May 2015

Google launches native Android Smart Lock password manager

Google I/O Android users will be able to store passwords in Google's native Smart Lock manager, in a security boon for the masses. The Choc Factory launched the Smart Lock for Passwords at the I/O conference in San Francisco overnight available in the Android M developer preview. It says developers including Orbitz, Netflix, and The New …
Darren Pauli, 29 May 2015

Small businesses trashed in big malware campaign

Kaspersky researcher Ido Noar says attackers have hit hundreds of small and medium businesses, stealing credentials and documents in a noisy smash-and-grab campaign. Noar says criminals have stolen some 10,000 documents from nanotechnology, education, and media outfits in an attack that foists a newly-discovered strain of …
Darren Pauli, 29 May 2015

Password reset sites expose crackable PeopleSoft creds

SAP hackers Alexander Polyakov and Alexey Tyurin say Oracle PeopleSoft contains unpatched vulnerabilities and weaknesses that allow attackers to easily obtain admin passwords. The hackers say the PeopleSoft credential can be yanked from the TokenID contained within password recovery sites and cracked using a cheap graphical …
Darren Pauli, 28 May 2015

Australian Govt to launch cyber sec sharing strategy

Australia's Federal Government will this year deliver its first Cyber Security Strategy to generate 'practical' means to improve security including public-private partnerships. It is the second paper-based initiative designed to help address the unruly state of information security across public and private sectors. The …
Darren Pauli, 28 May 2015

Death-to-passwords FIDO Alliance finds a friend at DOCOMO

Japanese users will be able to log in and make online purchases using iris recognition biometrics after telco giant DOCOMO begins shipping Fujitsu ARROWS phones. The telco's 65 million users will be able to use the biometric verification on the ARROWS F-04G said to be the world's first iris snapper. Fingerprint biometric login …
Darren Pauli, 27 May 2015

Kali Linux gives itself a Docker-cut

Penetration testing gurus Offensive Security have made their popular Kali operating system available for Docker-addicted system administrators. Developer Mati Aharoni acted on a request from a user who asked for a Dockerised image of the Kali penetration testing system platform. "Last week we received an email from a fellow …
Darren Pauli, 27 May 2015

Synology slings patch at buggy NAS boxens

Securify co-founder Cengiz Han Sahin says Synology has patched a remote vulnerability that allowed attackers to compromise its storage devices. Sahin reported to the vendor vulnerabilities that allowed web servers in Synology's Photo Station to be compromised. The hacker says Photo Station, which allows users to access their …
Darren Pauli, 27 May 2015

There's a Moose loose aboot this hoose: Linux worm hijacks Twitter feeds for spam slinging

ESET researchers Olivier Bilodeau and Thomas Dupuy have found malware capable of compromising routers and embedded devices, seizing control of social networking accounts, and booting out competitors. The duo report the Moose malware exploits weak login credentials in the networking gear, and does not require vulnerabilities to …
Darren Pauli, 26 May 2015

Blackhat hack trick wallops popular routers

A cybercrime vigilante known as Kafeine says criminals are hitting thousands of victims with a hacking tool that targets more than 40 router models. The well-known hacker says the novel attacks use cross-site request forgery and exploits against new and old bugs to change router DNS settings. This bypasses the need to target …
Darren Pauli, 26 May 2015

Boffins silently track train commuters without tripping Android checks

Nanjing University boffins Jingyu Hua, Zhenyu Shen, and Sheng Zhong have tracked commuter train trips with 92 percent accuracy using stolen phone accelerometer data. The trio says tracking users on Android phones is possible in part because the platform does not require permission or consent to access the dataset. Here's the nub …
Darren Pauli, 26 May 2015

Windows and OS X are malware, claims Richard Stallman

Linux GNU firebrand Richard Stallman says Windows and Apple's OS X are malware, Amazon is Orwellian, and anyone who trusts the internet-of-things is an ass. In a column for The Grauniad Stallman preaches to the non-technical masses about the evils of proprietary software and vendor lock-in, and how closed-door coding facilitates …
Darren Pauli, 25 May 2015

2.8 million victims squared up by malicious Minecraft apps

ESET researcher Lukas Stefanko says a whopping 2.8 million users have downloaded malicious Minecraft Android applications. Stefanko found 30 malicious apps uploaded to the Google Play store over nine months masquerading as Minecraft cheats and tip guides. "All of the discovered apps were fake in that they did not contain any of …
Darren Pauli, 25 May 2015

Bank-heist malware's servers phone home to Russian spookhaus

Trend Micro researcher Maxim Goncharov says one of the world's most sophisticated and dangerous bank-robbing trojans is now pointing to Russia's Federal Security Service (FSB). Goncharov says the Carbanak trojan's command and control servers now point to the FSB in what could be a joke or gaffe by malware authors. Carbanak in …
Darren Pauli, 25 May 2015

Factory reset memory wipe FAILS in 500 MEELLION Android mobes

Half a billion Android phones could have data recovered and Google accounts compromised thanks to flaws in the default wiping feature, University of Cambridge scientists Laurent Simon and Ross Anderson have claimed. The gaffe apparently allows tokens for Google and Facebook, among others, to be recovered in 80 per cent of cases …
Darren Pauli, 22 May 2015

Hacker uses Starbucks INFINITE MONEY for free CHICKEN SANDWICH

Sakurity hacker Egor Homakov has found a way to dupe Starbucks into loading free cash onto the "coffee" chain's payment cards. Homakov says a race condition within Starbucks' card purchase system means money can be transferred between cards without it being deducted. The bug hunter exploited the bug and tested it by purchasing …
Darren Pauli, 22 May 2015

PCI council gives up, dumbs down PCI DSS for small business

The Payment Card Industry Security Standards Council has created a taskforce charged with improving security among small businesses. The prodigious task will be tackled by encouraging small businesses to adopt security best practice and simplified Payment Card Industry Data Security Standards (PCI DSS). Barclaycard payment …
Darren Pauli, 22 May 2015

Hacker launches ransomware rescue kit

Security bod Jada Cyrus has compiled a ransomware rescue kit to help victims decrypt locked files and avoid paying off crooks. The kit sports removal tools for common ransomware variants along with guides for how to perform the necessary tasks. Cyrus recommends users not pay ransoms as doing so sustains the criminal business …
Darren Pauli, 21 May 2015

'Millions' of routers open to absurdly outdated NetUSB hijack

SEC Consult Vulnerability Lab's Stefan Viehböck says potentially millions of routers and internet of things devices using KCodes NetUSB could be exposed to remote hijacking or denial of service attacks. The packet fondler says the vulnerability (CVE-2015-3036) hits the Linux kernel module in scores of popular routers which serves …
Darren Pauli, 20 May 2015

Apple patches FREAK-ed out Watch

Apple has patched a dozen security flaws in Watch, including FREAK and two allowing arbitrary code execution. The updates cover Oracle hacker Marc Schoenefeld's arbitrary code execution which triggers (CVE-2015-1093) when the Apple Watch processes a maliciously crafted font file. It also squashes hacker Loki@ART's bug that …
Darren Pauli, 20 May 2015

Hackers pop submarine cable operator Pacnet, probe internal networks

Submarine cable and data centre operator Pacnet was breached last month by hackers rummaging through its corporate network accessing emails and administration systems. Pacnet was recently acquired by Australia's Telstra, which today disclosed the breach of a "critical server" and is now informing customers and regulators about …
Darren Pauli, 20 May 2015

Hacker data dumps scrape to make huge grey marketing database

Former password collector Steve Thomas plans to tear up the contact broker market by offering a database of 30 million names for free, all built on data sourced by scraping the web. The former PwnedList founder, and now SalesMaple CEO, says the database will soon balloon to almost 100 million records. Thomas said it will …
Darren Pauli, 20 May 2015

Robots.txt tells hackers the places you don't want them to look

Melbourne penetration tester Thiebaud Weksteen is warning system administrators that robots.txt files can give attackers valuable information on potential targets by giving them clues about directories their owners are trying to protect. Robots.txt files tell search engines which directories on a web server they can and cannot …
Darren Pauli, 19 May 2015

Oracle releases antidote for VENOM vulnerability

Oracle has released patches for its virtualisation software to crimp the VENOM vulnerability that allows attackers to break out of virtual machines to attack hosts. The company follows a host of others including KVM and Xen which have patched the buffer overflow bug. VMware, Microsoft, and Bochs are immune to the problem. …
Darren Pauli, 19 May 2015

Crude scammer targets Brit oil brokers

Panda Labs researchers have identified a scammer who is fleecing British oil buyers using a malware-free spin on the classic Nigerian scam. They say the scammers steal credentials from oil brokers to swindle buyers across Germany, Spain, and Asia out of cash. The sting works using a PDF file in the first stage of the …
Darren Pauli, 18 May 2015