The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Smart hackers could exploit a loophole that could allow them to steal a significant amount of cash from Google, Microsoft and Instagram using a Premium rate phone number. Security researcher Arne Swinnen from Belgium has discovered an ingenious way to steal money from big tech companies like Google, Microsoft, and Instagram using their two-factor authentication (2FA) voice-based token distribution systems. Swinnen argues that any attacker with malicious intent could create fake Google, Microsoft or Instagram accounts, as well as premium phone services, and then link them together. The attacker could then request 2FA voice-based tokens for all fake accounts using an automated scripts, placing legitimate phone calls to his service to earn him quite a nice profit. Swinnen created accounts on Google, Microsoft Office 365 and Instagram and then tied them to a premium phone number instead of a regular one. As a result, whenever one of these three services would call the account'

Pokémon GO launched just two weeks ago, and people have been getting crazy to catch 'em all. Users, on an average, are spending more time engaged with the new Pokémon GO app than any other apps like Snapchat. But, before downloading and playing Nintendo's new location-based augmented reality game, users are required to keep the following points in their minds: 1. Unofficial Pokémon GO app might contain Malware Since Pokémon GO is currently available in only a few countries, many third-party gaming websites are offering tutorials due to huge interest surrounding the app, recommending users to download the APK from a non-Google Play link. Users need to "side-load" the malicious app to install the APK by modifying their Android core security settings, which allows their device's OS to install apps from " untrusted sources ." However, researchers have discovered that many of these online tutorials are linked to malicious versions of the Pokém

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Online privacy is an Internet buzzword nowadays. If you are also concerned about the privacy of your web surfing, the most efficient way is to use TOR – a free software that lets users communicate anonymously by hiding their actual location from snoopers. Although TOR is a great anonymous network, it has some limitations that could still allow a motivated hacker to compromise the anonymity of legions of users, including dark web criminals as well as privacy-minded innocents. Moreover, TOR (The Onion Network) has likely been targeted by the FBI to arrest criminals , including the alleged Silk Road 2 lieutenant Brian Richard Farrell, who was arrested in January 2014. Even the TOR Project accused the FBI of paying the researchers of Carnegie Mellon University (CMU) at least $1 Million to disclose a technique that could help the agency unmask TOR users and reveal their IP addresses as part of a criminal investigation. So, what's next? Is there an alternative? Well, most p

No software is immune to being Hacked! Not even Linux. The Ubuntu online forums have been hacked, and data belonging to over 2 Million users have been compromised, Canonical just announced. The compromised users' data include their IP addresses, usernames, and email addresses, according to the company, who failed to apply a patch to secure its users' data. However, users should keep in mind that the hack did not affect the Ubuntu operating system, or it was not due to a vulnerability or weakness in the OS. Instead, the breach only affected the Ubuntu online forums that people use to discuss the OS, said BetaNews, who initially reported the news. "There has been a security breach on the Ubuntu Forums site," Jane Silber, Chief Executive Officer at Canonical wrote in a blog post . "We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation." "C

Especially after the Snowden revelations of global  mass surveillance by US intelligence agencies at home and abroad, various countries demanded tech companies including Google, Apple, and Microsoft to set-up and maintain their servers in respective countries in order to keep their citizen data within boundaries. The US government has powers to comply US-based tech companies with the court orders to hand over their customers' data stored on servers, even if the data centers are beyond US borders. Now, the recent court decision has proven that the data centers and servers located outside the US boundaries are safe haven. The Second Circuit Court of Appeals in New York ruled Thursday that the United States government cannot force tech companies to give the FBI or other federal authorities access to their non-US customers' data stored on servers located in other countries. US Government Can't go Beyond its Boundaries to Collect Data Yes, the Stored Communicatio

Yes, you heard it right. If I tell you not to visit my website, but you still visit it knowing you are disapproved, you are committing a federal crime, and I have the authority to sue you. Wait! I haven't disapproved you yet. Rather I'm making you aware of a new court decision that may trouble you and could have big implications going forward. The United States Court of Appeals for the Ninth Circuit has taken a critical decision on the Computer Fraud and Abuse Act (CFAA): Companies can seek civil and criminal penalties against people who access or visit their websites without their permission. Even Sharing Password is also a Federal Crime... Yes, a similar weird decision was taken last week when the Ninth Circuit Court of Appeals ruled that sharing passwords can be a violation of the CFAA, making Millions of people who share their passwords "unwitting federal criminals." Now, you might be wondering how visiting a publically open website could be a crime. We

Just yesterday, I wrote a warning article announcing that Drupal – the popular open source content management system – will release patches for several highly critical Remote Code Execution (RCE) bugs that could allow attackers to fully take over any affected site. Below are the three separate Drupal modules that affect up to 10,000 websites: 1. RESTful Web Services – a popular module used for creating REST APIs, which is currently installed on at least 5,804 websites. The vulnerability in RESTWS alters the default page callbacks for entities to provide additional functionality, allowing attackers to "send specially crafted requests resulting in arbitrary PHP execution." Since anonymous users can exploit this vulnerability and there isn't any mitigating factor, users are advised to patch their websites as soon as possible. Admins using RESTful Web Services versions 7.x-2.x prior to 7.x-2.6 and versions 7.x-1.x prior to 7.x-1.7 for their Drupal websites are

Why we can't detect all security loopholes and patch them before hackers exploit them? Because... we know that humans are too slow at finding and fixing security bugs, which is why vulnerabilities like Heartbleed , POODLE and GHOST remained undetected for decades and rendered almost half of the Internet vulnerable to theft by the time patches were rolled out. Now to solve this hurdle, DARPA has come up with an idea: To build a smart Artificial Intelligence System that will automatically detect and even patch security flaws in a system. Isn't it a revolutionary idea for Internet Security? The Defense Advanced Research Projects Agency (DARPA) has selected seven teams of finalists who will face off in a historic battle, as each tries to defend themselves and find out flaws without any human control. The DARPA Cyber Grand Challenge will be held at the annual DEF CON hacking conference in Las Vegas next month. Must Read : Artificial Intelligence System that can detec

The extraordinary ' Panama Papers leak ' from Law firm Mossack Fonseca that exposed the tax-avoiding efforts by the world's richest and most influential members was initially believed to be the result of an unpatched vulnerability in the popular content management systems: Drupal and WordPress. Now, we are quite sure that the Panama Papers, which implicated 72 current and former heads of state, was due to vulnerabilities in Drupal and WordPress that allowed hackers to get into the law firm's system and stole over 11.5 Million files (around 2.6 Terabytes of data). The Drupal Security Team has announced that critical patches to address several security issues in Drupal contributed modules, including several highly critical Remote Code Execution (RCE) vulnerabilities, will be released today at 16:00 UTC. According to an advisory, the critical arbitrary remote PHP code execution vulnerability ( PSA-2016-001 ) affects up to 10000 Drupal websites. However, "Drupal c

Security researchers have discovered a new campaign targeting energy companies in Western Europe with a sophisticated malware that almost goes to great lengths in order to remain undetected while targeting energy companies. Researchers from SentinelOne Labs discovered the malware, which has already infected at least one European energy company, is so sneaky and advanced that it is likely believed to be the work of a wealthy nation. The malware, dubbed ' SFG ', contains about 280 kilobytes of code, featuring a vast arsenal of tools rarely seen in ordinary malware samples. It takes " extreme measures " to cleverly and stealthily evade a large number of security defenses before it drops its payload. The malware dismantles antiviruses processes one-by-one until the malware is finally safe to uninstall them all. It also encrypts key features of its code so that it could not be discovered and analyzed. It'll not execute itself if it senses it's being run in