The Hacker News - Cybersecurity News and Analysis
The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis

New Wi-Fi Encryption Vulnerability Affects Over A Billion Devices

New Wi-Fi Encryption Vulnerability Affects Over A Billion Devices

February 26, 2020Mohit Kumar
Cybersecurity researchers today uncovered a new high-severity hardware vulnerability residing in the widely-used Wi-Fi chips manufactured by Broadcom and Cypress—apparently powering over a billion devices, including smartphones, tablets, laptops, routers, and IoT gadgets. Dubbed ' Kr00k ' and tracked as CVE-2019-15126 , the flaw could let nearby remote attackers intercept and decrypt some wireless network packets transmitted over-the-air by a vulnerable device. The attacker does not need to be connected to the victim's wireless network and the flaw works against vulnerable devices using WPA2-Personal or WPA2-Enterprise protocols, with AES-CCMP encryption, to protect their network traffic. "Our tests confirmed some client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi), as well as some access points by Asus and Huawei, were vulnerable to Kr00k," ESET researchers said. Acc
New LTE Network Flaw Could Let Attackers Impersonate 4G Mobile Users

New LTE Network Flaw Could Let Attackers Impersonate 4G Mobile Users

February 26, 2020Ravie Lakshmanan
A group of academics from Ruhr University Bochum and New York University Abu Dhabi have uncovered security flaws in 4G LTE and 5G networks that could potentially allow hackers to impersonate users on the network and even sign up for paid subscriptions on their behalf. The impersonation attack — named " IMPersonation Attacks in 4G NeTworks " (or IMP4GT ) — exploits the mutual authentication method used by the mobile phone and the network's base station to verify their respective identities to manipulate data packets in transit. "The IMP4GT attacks exploit the missing integrity protection for user data, and a reflection mechanism of the IP stack mobile operating system. We can make use of the reflection mechanism to build an encryption and decryption oracle. Along with the lack of integrity protection, this allows to inject arbitrary packets and to decrypt packets," the researchers explained. The research was presented at the Network Distributed System Se
Google Advises Android Developers to Encrypt App Data On Device

Google Advises Android Developers to Encrypt App Data On Device

February 26, 2020Ravie Lakshmanan
Google today published a blog post recommending mobile app developers to encrypt data that their apps generate on the users' devices, especially when they use unprotected external storage that's prone to hijacking. Moreover, considering that there are not many reference frameworks available for the same, Google also advised using an easy-to-implement security library available as part of its Jetpack software suite. The open-sourced Jetpack Security (aka JetSec) library lets Android app developers easily read and write encrypted files by following best security practices , including storing cryptographic keys and protecting files that may contain sensitive data, API keys, OAuth tokens. To give a bit of context, Android offers developers two different ways to save app data. The first one is app-specific storage, also known as internal storage, where the files are stored in a sandboxed folder meant for a specific app's use and inaccessible to other apps on the same
Firefox enables DNS-over-HTTPS by default (with Cloudflare) for all U.S. users

Firefox enables DNS-over-HTTPS by default (with Cloudflare) for all U.S. users

February 25, 2020Mohit Kumar
If you use the Firefox web browser, here's an important update that you need to be aware of. Starting today, Mozilla is activating the DNS-over-HTTPS security feature by default for all Firefox users in the U.S. by automatically changing their DNS server configuration in the settings. That means, from now onwards, Firefox will send all your DNS queries to the Cloudflare DNS servers instead of the default DNS servers set by your operating system, router, or network provider. As you may know, DNS-over-HTTPS (DoH) protocol performs DNS lookups — i.e., finding the server I.P. address of a certain domain name — over an encrypted connection to a DNS server rather than sending queries in the plaintext. This privacy-focused technology makes it harder for man-in-the-middle attackers, including your ISPs, to manipulate DNS queries, eavesdrop on your Internet connection, or learning what sites you visit. "This helps hide your browsing history from attackers on the network,
Free Download: The Ultimate Security Pros' Checklist

Free Download: The Ultimate Security Pros' Checklist

February 25, 2020The Hacker News
You are a cybersecurity professional with the responsibility to keep your organization secured, you know your job chapter and verse, from high level reporting duties to the bits and bytes of what malware targeted your endpoints a week ago. But it's a lot to hold in one's mind, so to make your life easier, The Ultimate Security Pros' Checklist , created by Cynet, provides you with a concise and actionable checklist enabling you to keep track of all your operational, management and reporting tasks. 'We are constantly interacting with the security managers of our customers,' says Eyal Gruner, founder, and CEO of Cynet, 'and this gives us a unique perspective on what are the core duties they all care about. So, you can think of the checklist templates as an aggregated crowd-sourcing from the numerous CISOs, security directors, architects, and SOC managers we have worked with across the years.' The Ultimate Security Pros' Checklist fully maps the co
Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks

Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks

February 25, 2020Ravie Lakshmanan
Google yesterday released a new critical software update for its Chrome web browser for desktops that will be rolled out to Windows, Mac, and Linux users over the next few days. The latest Chrome 80.0.3987.122 includes security fixes for three new vulnerabilities , all of which have been marked 'HIGH' in severity, including one that (CVE-2020-6418) has been reportedly exploited in the wild. The brief description of the Chrome bugs, which impose a significant risk to your systems if left unpatched, are as follows: Integer overflow in ICU — Reported by AndrĂ© Bargull on 2020-01-22 Out of bounds memory access in streams (CVE-2020-6407) — Reported by Sergei Glazunov of Google Project Zero on 2020-01-27 Type confusion in V8 (CVE-2020-6418) — Reported by Clement Lecigne of Google's Threat Analysis Group on 2020-02-18 The Integer Overflow vulnerability was disclosed by AndrĂ© Bargull privately to Google last month, earning him $5,000 in rewards, while the other two
New OpenSMTPD RCE Flaw Affects Linux and OpenBSD Email Servers

New OpenSMTPD RCE Flaw Affects Linux and OpenBSD Email Servers

February 25, 2020Mohit Kumar
OpenSMTPD has been found vulnerable to yet another critical vulnerability that could allow remote attackers to take complete control over email servers running BSD or Linux operating systems. OpenSMTPD , also known as OpenBSD SMTP Server, is an open-source implementation of the Simple Mail Transfer Protocol (SMTP) to deliver messages on a local machine or to relay them to other SMTP servers. It was initially developed as part of the OpenBSD project but now comes pre-installed on many UNIX-based systems. Discovered by experts at Qualys Research Labs, who also reported a similar RCE flaw in the email server application last month, the latest out-of-bounds read issue, tracked as  CVE-2020-8794 , resides in a component of the OpenSMTPD's client-side code that was introduced nearly 5 years ago. Just like the previous issue, which attackers started exploiting in the wild just a day after its public disclosure, the new OpenSMTPD flaw could also let remote hackers execute arbit
Exclusive Offers

Cybersecurity Newsletter — Stay Informed

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.