The Register Columnists

Darren Pauli


Enigmail PGP plugin forgets to encrypt mail sent as blind copies

Enigmail has patched a hole in the world's most popular PGP email platform that caused mail to be sent unencrypted when all security check boxes were ticked. The dangerous hole in the Mozilla Thunderbird extension affected email that was sent only to blind carbon copy recipients on all versions below 1.7.2 released last month. …
Darren Pauli, 09 Sep 2014

China is now 99.8% sure you're you, thanks to world's-best facial recognition wares

Chinese researchers have developed a facial recognition system that can pick faces from a crowd with 99.8 percent accuracy from 91 angles. The platform can distinguish between identical twins, unravel layers of makeup and still identify an individual if they've packed on or shed kilos. Researcher Zhou Xi of the Chinese Academy …
Darren Pauli, 09 Sep 2014

Mozilla certification revocation: 107,000 websites sunk by untrusted torpedo

Over 107,000 websites have been consigned to the depths of the untrusted internet after Mozilla's move last week to allow its 1024-bit certificates to expire. The latest shipment of Firefox 32 improved security by killing support for the 1024-bit certificate authority (CA) certificates within the browser's trusted store. Google' …
Darren Pauli, 08 Sep 2014

Doubts cast over FBI 'leaky CAPTCHA' Silk Road rapture

Rather than a conspiracy involving NSA wiretaps, the FBI claims the downfall of Silk Road began with a leaky CAPTCHA. Responding to a request for information from former kingpin Ross Ulbricht's defence lawyers, the Feds say the CAPTCHA left a trail from the TOR-protected Silk Road servers to the public Internet. That revealed …
Darren Pauli, 08 Sep 2014

Google recommends pronounceable passwords

Google has updated its password manager to recommend pronounceable passwords within its flagship Chrome browser. The experimental feature was the latest development which could make it into the regular versions of Chrome as part of steady improvements to its password capture, storage and generation. Chrome evangelist and …
Darren Pauli, 07 Sep 2014

Robin Hood virus: Chinese hackers target nation's wealthy

It seems China's state-supported hackers are being overshadowed by the black hat scene as the latter appears to have doubled in size – with some brazen crackers turning to carding the nation's wealthiest. A Trend Micro report dubbed The Chinese Underground in 2013 [PDF] issued this week reveals the black hat hacking scene has …
Darren Pauli, 05 Sep 2014

Microsoft, eBay apps open to man-in-the-middle diddle

At least 350 Android apps are open to man-in-the-middle (MITM) attacks, thanks to code that fails to validate certificates over secure sockets layer (SSL), says US Computer Emergency Response (CERT) security pro Will Dormann. The apps can be found in the Google Play and Amazon stores and have been included in a continually updated …
Darren Pauli, 05 Sep 2014

Scared of brute force password attacks? Just 'GIVE UP' says Microsoft

Sysadmins trying to harden user passwords against brute force attacks, or everyday folk trying to make sure their passwords don't lead to nude selfie leaks may not need to bother, according to the latest research from Microsoft mavericks. Redmond password provocateurs Dinei Florencio and Cormac Herley say password hardening isn' …
Darren Pauli, 04 Sep 2014

VirusTotal mess means YOU TOO can track Comment Crew!

Security researcher Brandon Dixon has used Google's VirusTotal malware analysis tool to spy on what he claims are state-sponsored Chinese and Iranian elite hacking crews. Dixon (@9bplus) used the paid version of VirusTotal to watch as a subgroup of the Chinese hacker group Comment Crew and an unnamed Iranian mob developed, …
Darren Pauli, 04 Sep 2014

Twitter launches beer-money bug bounty

Twitter has announced it will begin paying for newly-found vulnerabilities under a bug bounty that has quietly run since June. The program, launched through third-party bounty outfit HackerOne, has so far garnered 44 reports, none of which were eligible for payments since they were submitted prior to today. Twitter says it is …
Darren Pauli, 04 Sep 2014

Are you a HOT CELEB? Think your SEXY PICS are safe? Maybe NOT

Rather than a single iCloud hack, this week's furore over celebrity nude pics looks more like the work of one or many "secret circles" of hackers whose members mingle on anarchic messageboard 4Chan to share their digital loot from computers and phones they've cracked over a period of years. The photos were, according to one …
Darren Pauli, 03 Sep 2014

Car makers, space craft manufacturers infected with targeted recon tool

Researcher James Blasco is warning the auto and aerospace industries against engineering software that's been compromised by keystroke-logging and reconnaissance malware. Blasco says an un-named provider of such software was compromised after a staffer visited a watering hole website that was established specifically to lure …
Darren Pauli, 03 Sep 2014

iOS phone phlaw can UNMASK anonymous users on social media

Apple iThing users can be identified, images of their faces captured and their phones forced to call numbers – all thanks to coding schemes affecting Facebook, Google, and Twitter, among other sites and services, security researchers say. Attackers and pranksters can force iOS coding schemes to send an SMS or an instant message …
Darren Pauli, 02 Sep 2014

Apple, FBI: YES we're, er, looking into the NAKED CELEBRITY PICS. Aren't you?

The Federal Bureau of Investigation and Apple are examining the theft of a large cache of naked celebrity photos, thought by many to have been snaffled from the fruity firm's iCloud backup silos. As El Reg reported yesterday, the photos, which depict Jennifer Lawrence, Kate Upton and around 100 others, are thought to have been stolen …
Darren Pauli, 02 Sep 2014

NZ Justice Minister scalped as hacker leaks emails

A hacker has claimed the scalp of New Zealand Justice Minister Judith Collins by releasing information showing a purported campaign to undermine government officials. The revelations, revealed last month, came from a hacker known as RawShark (@whaledump), who broke into the email account of conservative blogger Cameron Slater. …
Darren Pauli, 01 Sep 2014

Rubbish WPS config sees WiFi router keys popped in seconds

Passwords within routers sold by chipset manufacturer Broadcom and another unnamed vendor can be accessed within seconds thanks to weak or absent key randomisation, security bod Dominique Bongard has claimed. The weakness relates to the implementation of WiFi Protected Setup (WPS) which allows attackers to calculate the correct …
Darren Pauli, 01 Sep 2014

iCloud fiasco: 100 FAMOUS WOMEN exposed NUDE online

Naked photos of celebrities including Sports Illustrated model Kate Upton, Jennifer Lawrence and Ariana Grande have been published online by an anonymous hacker who reportedly obtained the explicit pics from the victims' Apple iCloud accounts. Nude photos of 17 celebrities have been published online. The anonymous hacker posting …
Darren Pauli, 31 Aug 2014

Ice cream headache as black hat hacks sack Dairy Queen

Ice cream mogul Dairy Queen appears to have been breached with hackers likely stealing credit cards from some of its many US stores. The chilling news comes from sources within the US banking sector who separately told cyber-crime prober Brian Krebs that fraudulent transactions on credit cards appeared to have stemmed from a …
Darren Pauli, 29 Aug 2014

Australia makes pinkie-promise to end Indonesia spying

Australia has signed a code of conduct to promise not to spy on Indonesia's elected officials in a bid to heal seeping wounds opened by NSA leaks. In November 2013, documents leaked by NSA whistleblower Edward Snowden revealed Australia had spied on the mobile phone of then-Indonesian-leader Susilo Bambang Yudhoyono (SBY), his …
Darren Pauli, 29 Aug 2014

Researchers camouflage haxxor traps with fake application traffic

Honeypots just got sweeter after researchers cooked up new digital bait designed to tempt hackers into revealing themselves by tapping into what are faked communications between an enterprise application and its users. The idea behind the new creation is to lure seasoned bad guys into honeypots and in doing so reveal their …
Darren Pauli, 28 Aug 2014

Netflix releases home-grown DDoS detectors

Netflix's security team has given the open source treatment to three tools it uses to monitor the internet and gather evidence of planned attacks against its infrastructure. "Scumblr" and "Sketchy", plus the "Workflowable" tool both rely on, are now on GitHub for any security teams to use. Scumblr sifts through forums and …
Darren Pauli, 28 Aug 2014

PCI Council wants YOU to give it things to DO

Crusaders at the Payment Card Industry Security Standards Council have called for submissions into projects for 2015. The council is responsible for PCI Data Security Standards (PCI DSS), a - to date - largely failed initiative to impose better credit card processing security by retailers. A Special Interest Group is accepting …
Darren Pauli, 27 Aug 2014

Goog says patch⁵⁰ your Chrome

Google has dropped 50 patches for its flagship Chrome browser plugging holes and handed $30,000 to a lone bug hunter who reported a dangerous sandbox-busting attack. A clever chained combo of multiple flaws, reported to Google and patched, allowed attackers to crawl out of Chrome's security sandbox and execute code remotely. It …
Darren Pauli, 27 Aug 2014

Google ghostly graphics haunt Image search

A slam dunking NBA star and a fatal car crash isn't normally what you'd expect to find when Googling for puppies, but it is exactly what users have received overnight due to some unknown perversion of Google Images. The bug affected a scattering of users from dozens of countries. Australia, the US, the UK and many others noticed …
Darren Pauli, 27 Aug 2014

Researcher details how malware gives AV the slip

Researcher James Wyke has discovered throw-off tactics used by malware to frustrate investigators. These tactics were part of a suite of impressive methods VXers used to find technical artifacts that could help them distinguish between computers belonging to victims and those used by malware researchers. While malware writers …
Darren Pauli, 26 Aug 2014

Attack flogged through shiny-clicky social media buttons

Web admins beware: social media buttons that load scripts from unknown external sites could see your sites foisting the FlashPack exploit kit to visitors. Several sources warn that popular JavaScript social media panels are being modified to load external resources that pulled down FlashPack, formerly known as SafePack, which …
Darren Pauli, 26 Aug 2014

Three quarters of South Korea popped in online gaming raids

Three quarters of South Korea's population have been compromised in a massive data breach affecting 27 million people. The nearly incomprehensible breach was revealed when 16 individuals were arrested after selling the records relating to victims aged between 15 and 65 years old. The records included names, account logins …
Darren Pauli, 26 Aug 2014

Hack skirmish grounded Sony exec's flight after FAKE bomb scare

As Distributed Denial of Service (DDoS) attacks hosed not only Playstation Network but also XBox and Battle.net networks, it has emerged that a fake bomb threat grounded US flight 362, while Sony Entertainment Online chief John Smedley was aboard the aircraft. A group (@LizardSquad) was tweeting threats and invective in the …
Darren Pauli, 25 Aug 2014

Three new charges laid against alleged Silk Road kingpin

Three additional charges have been laid against alleged Silk Road kingpin Ross Ulbricht including narcotics trafficking and identity fraud, according to an indictment filed Thursday. Ulbricht faces life in prison for his alleged running of internet drug den Silk Road through which buyers and sellers sent hard and soft drugs to …
Darren Pauli, 25 Aug 2014

Security precogs divine web vulnerabilities BEFORE THEY EXIST

Three million webpages are set to become hacker fodder according to research that could predict what websites will become vulnerable ahead of time. The research by Kyle Soska and Nicolas Christin of Carnegie Mellon University used an engine which divined the future by looking at the past - more specifically, by trawling the Way …
Darren Pauli, 22 Aug 2014

Facebook slings $50k Internet Defense Prize™ at bug hunter duo

Facebook and Usenix have together created the Internet Defense Prize™ – and awarded its first gong to security bods Johannes Dahse and Thorsten Holz. The pair, of Ruhr University Bochum in Germany, received $50,000 from Facebook's prize-giving committee for their paper, Static Detection of Second-Order Vulnerabilities in Web …
Darren Pauli, 21 Aug 2014

New twist as rogue antivirus enters death throes

A rogue anti-virus program called Defru has taken to the browser to find a smarter way of infecting users, Microsoft researchers say. The Defru malware blocks users from visiting certain websites and instead displays warnings about fake perceived threats while the correct intended web address was still displayed. Most victims …
Darren Pauli, 21 Aug 2014

Oi! Rip Van Winkle: PATCH, already

Nearly 20 million computers remain infected with malware targeting a vulnerability first targeted four years ago by the Stuxnet worm. The flaw (CVE-2010-2568) was a Windows operating system bug in the way shortcuts worked allowing quiet download of the random dynamic library on Win Server 2003 and XP through to version 7. Since …
Darren Pauli, 20 Aug 2014

Lazy sysadmins rooted in looming Mozilla cert wipeout

Mozilla is about to revoke some weak X.509 PKI certs, and has warned sysadmins that it will affect the Firefox browser and they'll need to assess their infrastructure. The four affected root certificates from Entrust and ValiCert are marked for removal because they contained weak keys. A further seven from CyberTrust, Thawte …
Darren Pauli, 20 Aug 2014

Cryptolocker flogged on YouTube

Cryptolocker is being flogged over YouTube by vxers who have bought advertising space, researchers Vadim Kotov and Rahul Kashyap have found. The researchers made the discovery while monitoring YouTube and website banners for instances where malware writers had actually purchased space to foist their wares on unpatched web users …
Darren Pauli, 20 Aug 2014

Aussie telcos to sell user location data to marketers

Two Australian telecommunications providers are seeking to identify and sell the location of their users to advertising companies. One telco was already in early adoption of a big data Hadoop system while a second was considering the platform. The telcos, unnamed due to non-disclosure agreements, were seeking a project similar …
Darren Pauli, 19 Aug 2014

Nuke regulator hacked three times in three years

The US Nuclear Regulatory Commission (NRC) has been hacked three times in as many years, according to documents obtained under freedom of information requests. Unnamed foreign hackers sent hundreds of phishing emails - targeting 215 staff in one incident alone - in what was dubbed a 'credential harvesting campaign', according to …
Darren Pauli, 19 Aug 2014

VXer fighters get new stealth weapon in war of the (mal)wares

A bare-metal analysis tool developed by University of California researchers promises to help tip the battle between virus writers and black hats by cloaking malware investigation efforts. The tool is the latest weapon in the war between the diaspora of independent and vendor malware researchers and their VXer foes. Their …
Darren Pauli, 18 Aug 2014

Boffins find hundreds of thousands of woefully insecure IoT devices

More than 140,000 internet-of-things devices, from routers to CCTV systems contain zero-day vulnerabilities, backdoors, hard coded crackable passwords and blurted private keys, according to the first large scale analysis of firmware in embedded devices. Four researchers from EURECOM France found the flaws when conducting a …
Darren Pauli, 17 Aug 2014

Microsoft cries UNINSTALL in the wake of Blue Screens of Death™

Microsoft has urged users to remove a buggy update as it yanked download links to the offending patch, after reports emerged it caused the dreaded blue screen of death. The fixes issued on Patch Update Tuesday addressed privilege escalation bugs but an apparent font cache clearing issue led to Windows boxes turning the colour …
Darren Pauli, 17 Aug 2014

Insert coin to continue: GameOver ZeuS zombie MUTATES, shuffles back to its feet

The resurfaced GameOver bot is back with a vengeance, having infected 12,000 computers after the network was taken down in June, according to Arbor Networks. The bot was taken out in June in a coordinated and high-profile crackdown by security companies and the FBI and Europol. Servers and domains were seized, disrupting both …
Darren Pauli, 15 Aug 2014

Who needs hackers? 'Password1' opens a third of all biz doors

Hundreds of thousands of hashed corporate passwords have been cracked within minutes by penetration testers using graphics processing units. The 626,718 passwords were harvested during penetration tests over the last two years conducted across corporate America by Trustwave infosec geeks. The firm's threat intelligence manager …
Darren Pauli, 15 Aug 2014

Redmond stall means IE Java axe won't swing till September

Microsoft has handed sysadmins a reprieve by delaying the blockage of vulnerable old versions of Java in its flagship Internet Explorer web browser until September. The postponement was made on the back of complaints to Redmond, which only provided a guide to managing the issue on Tuesday. "Based on customer feedback, we have …
Darren Pauli, 14 Aug 2014

We told you jailbreaking your iThing was dangerous

Chinese malware has infected more than 75,000 iPhones and hijacked some 22 million advertisements, stealing revenue from developers in the iOS jailbreak community, virus prober Axelle Apvrille says. The AdThief malware relied on the Cydia Substrate extension present only on jailbroken Apple devices to hijack advertising bucks …
Darren Pauli, 13 Aug 2014

Fifteen zero days found in hacker router comp romp

Researchers have unveiled 15 zero day vulnerabilities in four home and small business routers as part of the SOHOpelessly Broken hacker competition at DEF CON this week. Four of the 10 routers offered for attack, including the ASUS RT-AC66U, Netgear Centria WNDR4700, Belkin N900 and TRENDnet TEW-812DRU, were fully compromised. …
Darren Pauli, 13 Aug 2014

You've got three days to patch Adobe Flash, Air, Reader

Adobe has patched seven vulnerabilities in its Flash and Air platforms and one in Reader and Acrobat that is being exploited by attackers. The vulnerabilities, dubbed critical by the company, could allow attackers to "take control of affected systems". Administrators were urged to apply the updates within three days on Windows, …
Darren Pauli, 13 Aug 2014

Fifteen countries KO'd in malware one-two punch

Someone suspected to be backed by a nation state is attacking embassies of former Soviet states with a malware tool that has infiltrated networks across more than 15 countries. Hacked embassies of unnamed former Soviet states include those located in: France; Belgium; Ukraine; China; Jordan; Greece; Kazakhstan; Armenia; Poland, …
Darren Pauli, 12 Aug 2014

Chinese Bitcoin farms: From scuzzy to sci-fi

Somewhere in very rural northeast China lies a dusty and dirty factory where the deafening roar of machinery leaks from an armada of Bitcoin mining rigs. Inside the secret north China Bitcoin mine. Copyright Jacob Smith (Bitsmith) @ The Coinsman - used with permission. …
Darren Pauli, 12 Aug 2014

2,285,295 Aussie logins nabbed in Russian password haul

More than two million unique login credentials for Australian internet users were stolen as part of the massive haul of 1.2 billion passwords by a Russian hacker outfit. Earlier this month Hold Security reported that Russian hackers under the group dubbed CyberVors amassed the largest ever cache of stolen website passwords …
Darren Pauli, 11 Aug 2014

DIME for your TOP SECRET thoughts? Son of Snowden's crypto-chatter client here soon

Lavabit founder Ladar Levison will within six months carve out a military-grade email service from the ashes of Ed Snowden's favourite email client. As many of you will remember, Levison killed the service to prevent his clients' information from getting into the clutches of the Federal Bureau of Investigations. The popular …
Darren Pauli, 11 Aug 2014