The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Microsoft's July Patch Tuesday offers 11 security bulletins with six rated critical resolving almost 50 security holes in its software. The company has patched a security flaw in the Windows Print Spooler service that affects all supported versions of Windows ever released, which if exploited could allow an attacker to take over a device via a simple mechanism. The "critical" flaw ( CVE-2016-3238 ) actually resides in the way Windows handles printer driver installations as well as the way end users connect to printers. The flaw could allow an attacker to install malware remotely on victim machine that can be used to view, modify or delete data, or create new accounts with full user rights; Microsoft said in MS16-087 bulletin posted Tuesday. Users who are logged in with fewer user rights on the system are less impacted than users who operate with administrative user rights, such as some home accounts and server users. Microsoft said the critical flaw could

Millions of Xiaomi smartphones are vulnerable to a dangerous remote code execution (RCE) vulnerability that could grant attackers complete control of handsets. The vulnerability, now patched, exists in MIUI – Xiaomi's own implementation of the Android operating system – in versions prior to MIUI Global Stable 7.2 which is based on Android 6.0. The flaw, discovered by IBM X-Force researcher David Kaplan, potentially allows attackers with privileged network access, such as cafe Wi-Fi, to install malware remotely on the affected devices and fully compromise them. Researchers found some apps in the analytics package in MIUI, which can be abused to provide malicious ROM updates remotely through a man-in-the-middle attack. " The vulnerability we discovered allows for a man-in-the-middle attacker to execute arbitrary code as the highly privileged Android 'system' user, " researchers say. Researchers say they discovered vulnerable analytics packages in at lea

The introduction of Open AI's ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing, help marketers produce unique content at low cost, and enable teams and creatives to brainstorm new ideas.  Recent significant GenAI product launches include Microsoft 365 Copilot, GitHub Copilot, and Salesforce Einstein GPT. Notably, these GenAI tools from leading SaaS providers are paid enhancements, a clear sign that no SaaS provider will want to miss out on cashing in on the GenAI transformation. Google will soon launch its SGE "Search Generative Experience" platform for premium AI-generated summaries rather than a list of websites.  At this pace, it's just a matter of a short time befo

You might be aware of Microsoft and Canonical's partnership to integrate " Bash on Ubuntu on Windows 10 ," which is typically a non-graphical Ubuntu running over Windows Subsystem for Linux . Windows 10 doesn't officially support graphical Linux desktop applications. But, now we have noticed a very interesting ticket titled "Run Any Desktop Environment in WSL" raised at Github  repository, in which a user who goes by name Guerra24 has managed to run the graphical version of Ubuntu Linux, i.e. Ubuntu Unity on Windows 10. It's not " Microsoft Linux ." BASH or Bourne Again Shell is capable of handling advanced command line functionalities. Microsoft has provided support for Bash on Windows 10 as an expansion of its command-line tool family, so don't get confused. The Bash on Windows 10 feature is designed only for developers who want to run Linux terminal utilities without any OS dependencies. However, this feature downloads and installs

Nintendo's new location-based augmented reality game Pokémon GO has been making rounds since its launch just a few days ago. People are so excited to catch 'em all that brought Nintendo's market-value gains to $7.5 Billion (£5.8 Billion) in just two days – the highest surge since 1983. Due to the huge interest surrounding Pokémon GO, even hackers are using the game's popularity to distribute malicious versions of Pokémon GO that could install DroidJack malware on Android phones, allowing them to compromise user's devices completely. However, the latest threat is related to the privacy concerns raised about the iOS version of the official Pokémon GO app. Pokémon GO – A Huge Security Risk Adam Reeve labeled the game "malware," saying that Pokémon GO is a "huge security risk" as the game, for some reason, grants itself "full account access" to your Google account when you sign into the app via Google on iPhone or iPad. Ye

" Pokémon Go " has become the hottest iPhone and Android game to hit the market in forever with enormous popularity and massive social impact. The app has taken the world by storm since its launch this week. Nintendo's new location-based augmented reality game allows players to catch Pokémon in the real life using their device's camera and is currently only officially available in the United States, New Zealand, UK and Australia. On an average, users are spending twice the amount of time engaged with the new Pokémon Go app than on apps like Snapchat. In fact Pokémon Go is experiencing massive server overload in just few days of launch. Due to the huge interest surrounding Pokémon Go, many gaming and tutorial websites have offered tutorials recommending users to download the APK from a non-Google Play link. In order to download the APK, users are required to " side-load " the malicious app by modifying their Android core security settings, allowing

Twitter account of another high profile has been hacked! This time, it's Twitter CEO Jack Dorsey. OurMine claimed responsibility for the hack, which was spotted after the group managed to post some benign video clips. The team also tweeted at 2:50 AM ET today saying " Hey, its OurMine,we are testing your security, " with a link to their website that promotes and sells its own "services" for which it has already made $16,500. Although the tweets posted by the group did not contain any harmful content, both the tweet and linked to a short Vine video clip have immediately been removed. Ourmine is the same group of hackers from Saudi Arabia that previously compromised some social media accounts of other CEOs including: Google's CEO Sundar Pichai Facebook's CEO Mark Zuckerberg Twitter's ex-CEO Dick Costolo Facebook-owned virtual reality company Oculus CEO Brendan Iribe Since all tweets posted to Dorsey's account came through Vine,

Whistleblower and ex-NSA employee Edward Snowden has criticized a new anti-terror law introduced on Thursday by Russian President Vladimir Putin, referring it as "repressive" and noting that it is a " dark day for Russia ." The new legislation signed by Putin would compel the country's telephone carriers and Internet providers to record and store the private communications of each and every one of their customers for six months – and turn them over to the government if requested. The data collected on customers would include phone calls, text messages, photographs, and Internet activities that would be stored for six months, and "metadata" would be stored up to 3 years. Moreover, Instant messaging services that make use of encryption, including WhatsApp, Telegram, and Viber, could face heavy fines of thousands of pounds if these services continue to operate in Russia without handing over their encryption keys to the government. "Putin

Facebook has begun rolling out end-to-end encryption for its Messenger app, thus making its users' conversations completely private. The end-to-end encryption feature, dubbed " Secret Conversations ," will allow Messenger users to send and receive messages in a way that no one, including the FBI with a warrant, hackers and not even Facebook itself, can intercept them. But, this new feature will currently be available only to a small number of users for testing. So if you are one of those lucky users, you will be able to send end-to-end encrypted Secret Conversations through your Messenger app. Rest of the Messenger users will get Secret Conversations feature later this summer or in early fall, the company wrote in a Facebook newsroom post published today. Sounds exciting, right? But, there's a catch: Your conversations on Messenger will not be end-to-end encrypted by default, like what WhatsApp and Apple are offering. Instead, Facebook will require

The Popular fast-food restaurant chain Wendy's on Thursday admitted that a massive cyber attack had hit more than 1,000 of its restaurants across the country. The burger chain did not speculate how many people may have been affected, though it did confirm that the hackers were able to steal its customers' credit and debit card information. The data breach is more than three times bigger than initially thought. The original data breach was believed to have affected " fewer than 300 " of its 5,144 franchised locations in the United States when the malware was discovered in May. The Malware had been installed on Point-of-Sale (PoS) systems in the affected restaurants and was able to obtain cardholder's name, payment card number, expiration date, service code, cardholder verification value, among other data. The data breach began in fall 2015 and discovered in February this year, and the company went public with in May. Just last month, Wendy's s

As your day-to-day apparel and accessories are turning into networked mobile electronic devices that attach to your body like smartwatch or fitness band, the threat to our personal data these devices collect has risen exponentially. A recent study from Binghamton University also suggests your smartwatch or fitness tracker is not as secure as you think – and it could be used to steal your ATM PIN code. The risk lies in the motion sensors used by these wearable devices. The sensors also collect information about your hand movements among other data, making it possible for "attackers to reproduce the trajectories" of your hand and "recover secret key entries." In the paper, titled " Friend or Foe?: Your Wearable Devices Reveal Your Personal PIN," computer scientists from the Stevens Institute of Technology and Binghamton University used a computer algorithm that can guess your password and PIN with about 80% success rate on the first attempt, and

The Internet of things or connected devices are the next big concerns, as more Internet connectivity means more access points which mean more opportunities for hackers. When it comes to the threat to Internet of Things, Car Hacking is a hot topic. Since many automobiles companies are offering cars that run mostly on the drive-by-wire system, a majority of functions are electronically controlled, like instrument cluster, steering, brakes, and accelerator. No doubt these auto-control systems in vehicles improve your driving experience, but at the same time increase the risk of getting hacked. Recently, security researcher Benjamin Kunz Mejri  have disclosed zero-day vulnerabilities that reside the official BMW web domain and ConnectedDrive portal and the worst part: the vulnerabilities remain unpatched and open for hackers. Benjamin from Vulnerability-Labs has discovered both the vulnerabilities. The first one is a VIN ( Vehicle Identification Number ) session vulnerabil

Do you have any idea what the software you have installed is doing stealthily in the background? If it's not an open source software, can you find out? Usually, the answer is no. After Edward Snowden's revelations, it's clear that how desperately government agencies wants to put secret backdoors in your network, devices, and software. However, Bulgaria has come forward with an all new set of laws that would be appreciated by privacy lovers and open-source community. Also Read:  Top Best Password Managers . The Bulgarian Parliament has passed legislative amendments to its Electronic Governance Act that require all software written for the country's government to be fully open-sourced and developed in the public Github repository . This means that source code of software developed for the Bulgarian government would be accessible to everyone and provided free for use without limitations. Article 58A of the Electronic Governance Act states that administrative

Breaking News for Today: Antivirus company Avast Software is planning to acquire Dutch rival AVG Technologies for $1.3 Billion in cash. Avast announced today that it would buy Amsterdam-based AVG Technologies for $25 per share in an all-cash transaction valued at $1.3 Billion in an aim to expand its presence in the emerging markets. With more than 230 Million users worldwide, Avast provides free and paid security software packages for both PCs as well as mobile devices to businesses and individuals. The deal between the two popular security software companies will provide Avast with 400 Million endpoints -- devices that have some form of Avast or AVG application installed. Around 160 Million of those are mobile. However, AVG technologies was in controversies for updating its policy that clearly said that the company will be allowed to collect and sell users' "non-personal data" to online advertisers in order to "make money" from their "free of

Big technology companies are in the race of bringing Internet connectivity to unconnected parts of the world through flying drones , high-altitude balloons, and laser beams , but Facebook has announced a far less expensive method to provide connectivity to rural areas. Facebook CEO Mark Zuckerberg announced Wednesday the creation of a new open-source wireless communication platform called OpenCellular that can be easily deployed in remote locations by anyone. OpenCellular is a doorbell-sized hardware device that could be attached to a pole or tree at a range of heights from where it can deliver a wireless network, from 2G cell-phone networks to higher speed LTE, and Wi-Fi networks like those inside your home, or local coffee shop. The device is designed to work in rural locations in conditions, including high winds, extreme temperatures, and harsh climates. But, wait! This doesn't mean that Facebook is rolling out its own broadband services. Facebook to Open-Source

To make the configuration of routers easier, hardware vendors instruct users to browse to a domain name rather than numeric IP addresses. Networking equipment vendor TP-LINK uses either tplinklogin.net or tplinkextender.net for its routers configuration. Although users can also access their router administration panel through local IP address (i.e. 192.168.1.1). The first domain offered by the company is used to configure TP-LINK routers and the second is used for TP-LINK Wi-Fi extenders. Here's the Blunder: TP-Link has reportedly " forgotten " to renew both domains that are used to configure its routers and access administrative panels of its devices. Both domains have now been re-registered using an anonymous registration service by an unknown entity and are being offered for sale online at US$2.5 Million each. This latest TP-Link oversight, which was first spotted by Cybermoon CEO Amitay Dan, could lead its users to potential problems. However, it

An Android-based malware campaign has been found to control as many as 85 million Android devices globally and is making its gang an estimated $300,000 per month in fraudulent ad revenue. A Chinese advertising company called Yingmob is responsible for distributing the malware on a massive scale and would appear to be the same firm behind Yispecter iOS malware , cybersecurity company Check Point revealed. Yingmob, based in Chongqing, China, markets itself as an advertising firm, claiming to provide easy-to-deploy ads support (text, pictures and video ads), without affecting the user experience. The service offers pop-up, sidebar, and in-app ads. However, Check Point researchers claim that the company's "Development Team for Overseas Platform" is responsible for two of the biggest waves of malware: HummingBad for Android and Yispecter for iOS. "Yingmob runs alongside a legitimate Chinese advertising analytics company, sharing its resources and technolog

A second man has pleaded guilty for his role in ' The Fappening ' breach of 2014, in which the Internet was flooded with thousands of photographs of popular celebrities, including Jennifer Lawrence , Kim Kardashian , Kate Upton and Kirsten Dunst. Edward Majerczyk (28) of Chicago, Illinois agreed to plead guilty last Friday to hacking into the Apple iCloud and Gmail accounts of more than 300 victims, including 30 celebrities, between November 2013 and August 2014, federal prosecutors said. Like Ryan Collins , Majerczyk used phishing scheme to trick celebrities into entering their account credentials into bogus 'security' sites and then accessed private and photographs and videos of celebrities. The hackers then leaked hundreds of thousands of explicit photos of Hollywood actresses on the Internet in September 2014 that later known as The Fappening (or 'Celebgate') breach. "This defendant not only hacked into email accounts — he hacked into his

A former United States undercover agent who stole hundreds of thousands of dollars worth of Bitcoins during an investigation into the underground drug marketplace Silk Road is now suspected of stealing even more of the cryptocurrency from two other cases. Shaun Bridges is one of two former US agents who pleaded guilty last year and was sentenced in December to almost six years in prison for stealing over $800,000 in Bitcoin while investigating the Darknet marketplace. Bridges and his partner stole money from Silk Road accounts and framed someone else for it, which lead the Silk Road chief Ross Ulbricht to plan a murder. Ulbricht is now serving life in prison sentence . Ulbricht was convicted in February 2015 of running the underground black market . According to court filings unsealed on Thursday, Bridges is believed to have stolen additional funds from a Secret Service account on two different occasions months after he was initially charged. Bridges and 46-year-old fo

Own an Android smartphone? Hackers can secretly install malicious apps, games, and pop-up adverts on your smartphone remotely in order to make large sums of money. Security researchers at Cheetah Mobile have uncovered one of the world's largest and most prolific Trojan families, infecting millions of Android devices around the world. Dubbed Hummer , the notorious mobile trojan stealthily installs malicious apps, games, or even porn apps onto victim's phones and yields its creators more than $500,000 (£375,252) on a daily basis. First discovered in 2014 by Cheetah Mobile, Hummer gained traction in early 2016 when the Trojan family was infecting "nearly 1.4 Million devices daily at its peak" with 63,000 infections occurring daily in China, according to researchers at Cheetah Mobile Security Research Lab. "This Trojan continually pops up ads on victims' phones, which is extremely annoying," researchers wrote in a blog post. "It also pushe

The heated battle between Apple and the FBI provoked a lot of talk about Encryption – the technology that has been used to keep all your bits and bytes as safe as possible. We can not say a lot about Apple's users, but Android users are at severe risk when it comes to encryption of their personal and sensitive data. Android's full-disk encryption can be cracked much more easily than expected with brute force attack and some patience, affecting potentially hundreds of millions of mobile devices. And the worst part: There may not be a full fix available for current Android handsets in the market. Google started implementing Full Disk Encryption on Android by default with Android 5.0 Lollipop. Full disk encryption (FDE) can prevent both hackers and even powerful law enforcement agencies from gaining unauthorized access to device's data. Android's disk encryption, in short, is the process of encoding all user's data on an Android device before ever wri