The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Online security

New Ripple20 Flaws Put Billions of Internet-Connected Devices at Risk of Hacking

New Ripple20 Flaws Put Billions of Internet-Connected Devices at Risk of Hacking
June 16, 2020Mohit Kumar
The Department of Homeland Security and CISA ICS-CERT today issued a critical security advisory warning about over a dozen newly discovered vulnerabilities affecting billions of Internet-connected devices manufactured by many vendors across the globe. Dubbed " Ripple20 ," the set of 19 vulnerabilities resides in a low-level TCP/IP software library developed by Treck, which, if weaponized, could let remote attackers gain complete control over targeted devices—without requiring any user interaction. According to Israeli cybersecurity company JSOF—who discovered these flaws—the affected devices are in use across various industries, ranging from home/consumer devices to medical, healthcare, data centers, enterprises, telecom, oil, gas, nuclear, transportation, and many others across critical infrastructure. "Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An

L1ght Looks to Protect Internet Users from Toxic and Predatory Behavior

L1ght Looks to Protect Internet Users from Toxic and Predatory Behavior
March 11, 2020The Hacker News
Cybersecurity has been regarded as a necessity for all computer users, especially today when data breaches and malware attacks have become rampant. However, one of the more overlooked aspects of cybersecurity is the prevention of other forms of cybercrime, such as the spread of harmful content and predatory behavior. Most current discussions on cybersecurity revolve around organizations needing to protect customer data or for individual users to prevent their sensitive data from being intercepted. However, given the prevalence of toxic behavior, it's about time the cybersecurity community also gives internet safety, especially for children and younger users, its due attention. Israel-based startup L1ght aims to curb the spread of bad behavior online. It uses artificial intelligence (AI) and machine learning (ML) to detect harmful content, hate speech, bullying, and other predatory behavior in social networks, communication applications, and online video games. The firm

Why Minimizing Human Error is the Only Viable Defense Against Spear Phishing

Why Minimizing Human Error is the Only Viable Defense Against Spear Phishing
February 25, 2020The Hacker News
Phishing attacks have become one of the business world's top cybersecurity concerns. These social engineering attacks have been rising over the years, with the most recent report from the Anti-Phishing Working Group coalition identifying over 266,000 active spoofed websites, which is nearly double the number detected during Q4 2018. Hackers have evolved their methods, from regular phishing attacks to spear phishing, where they use email messages disguised as coming from legitimate sources to dupe specific individuals. This is why the global spear phishing protection software market is estimated to reach $1.8 billion by 2025. However, conventional defenses can still fall short due to one particular weakness in the security perimeter – the human factor. Indeed, some 33 percent of 2019's data breaches involved humans falling victim to social engineering attacks. And given how sophisticated and creative the phishing perpetrators have been getting, it's easy to see h

Hackers Exploited Twitter Bug to Find Linked Phone Numbers of Users

Hackers Exploited Twitter Bug to Find Linked Phone Numbers of Users
February 04, 2020Wang Wei
Twitter today issued a warning revealing that attackers abused a legitimate functionality on its platform to unauthorizedly determine phone numbers associated with millions of its users' accounts. According to Twitter, the vulnerability resided in one of the APIs that has been designed to make it easier for users to find people they may already know on Twitter by matching phone numbers saved in their contacts with twitter accounts. To be noted, the feature worked precisely as intended, except someone was not supposed to upload millions of randomly generated phone numbers and abuse Twitter to reveal profiles associated with the contact information users added to Twitter for enabling security features. Though the company is not sure if the bug was exploited by only a single adversary or multiple groups, it has identified several accounts engaged in the attack located in a wide range of countries, primarily from Iran, Israel, and Malaysia. Based on their IP addresses, Twitt

Zoom Bug Could Have Let Uninvited People Join Private Meetings

Zoom Bug Could Have Let Uninvited People Join Private Meetings
January 28, 2020Swati Khandelwal
If you use Zoom to host your remote online meetings, you need to read this piece carefully. The massively popular video conferencing software has patched a security loophole that could have allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session. Besides hosting password-protected virtual meetings and webinars, Zoom also allows users to set up a session for non-pre-registered participants who can join an active meeting by entering a unique Meeting ID, without requiring a password or going through the Waiting Rooms. Zoom generates this random meeting ID, comprised of 9, 10, and 11-digit numbers, for each meeting you schedule or create. If leaked beyond an individual or intended group of people, merely knowing Meeting IDs could allow unwelcome guests joining meetings or webinars. This could be bad news for anyone expecting their conversations to be private. To circumvent suc

BitDam Study Exposes High Miss Rates of Leading Email Security Systems

BitDam Study Exposes High Miss Rates of Leading Email Security Systems
January 21, 2020The Hacker News
Imagine receiving an email from US VP Mike Pence's official email account asking for help because he has been stranded in the Philippines. Actually, you don't have to. This actually happened. Pence's email was hacked when he was still the governor of Indiana, and his account was used to attempt to defraud several people. How did this happen? Is it similar to how the DNC server was hacked? Email hacking is one of the most widespread cyber threats at present. It is estimated that around 8 out of 10 people who use the internet have received some form of phishing attack through their emails. Additionally, according to Avanan's 2019 Global Phish Report , 1 in 99 emails is a phishing attack. BitDam is aware of how critical emails are in modern communication. BitDam published a new study on the email threat detection weaknesses of the leading players in email security, and the findings command attention. The research team discovered how Microsoft's Office365

Use iPhone as Physical Security Key to Protect Your Google Accounts

Use iPhone as Physical Security Key to Protect Your Google Accounts
January 16, 2020Mohit Kumar
Great news for iOS users! You can now use your iPhone or iPad, running iOS 10 or later, as a physical security key for securely logging into your Google account as part of the Advanced Protection Program for two-factor authentication. Android users have had this feature on their smartphones since last year, but now Apple product owners can also use this advanced, phishing-resistant form of authentication as an alternative to a physical security key. Adding extra security later of two-step authentication is one of the more essential steps you can take to secure your online accounts, which makes it harder for attackers to log in to your account, especially when they steal your password. "According to a study we [Google] released last year, people who exclusively used security keys to sign into their accounts never fell victim to targeted phishing attacks," said Shuvo Chatterjee, Product Manager at Google's Advanced Protection Program. Google recently update

How SMBs Can Mitigate the Growing Risk of File-based Attacks

How SMBs Can Mitigate the Growing Risk of File-based Attacks
October 02, 2019The Hacker News
Cases of document-based malware are steadily rising. 59 percent of all malicious files detected in the first quarter of 2019 were contained in documents. Due to how work is done in today's offices and workplaces, companies are among those commonly affected by file-based attacks. Since small to medium businesses (SMBs) usually lack the kind of security that protects their larger counterparts, they have a greater risk of being affected. Falling victim to file-based malware can cause enormous problems for SMBs. An attack can damage critical data stored in the organization's computers. Such loss can force a company to temporarily halt operations, resulting in financial losses. If a customer's private and financial information is compromised, the company may also face compliance inquiries and lawsuits. Their reputations could also take a hit, discouraging customers from doing business with them. But despite these risks, SMBs still invest very little in cybersecurity

Exclusive — Hacker Steals Over 218 Million Zynga 'Words with Friends' Gamers Data

Exclusive — Hacker Steals Over 218 Million Zynga 'Words with Friends' Gamers Data
September 29, 2019Swati Khandelwal
A Pakistani hacker who previously made headlines earlier this year for selling almost a billion user records stolen from nearly 45 popular online services has now claimed to have hacked the popular mobile social game company Zynga Inc . With a current market capitalization of over $5 billion, Zynga is one of the world's most successful social game developers with a collection of hit online games—including FarmVille, Words With Friends, Zynga Poker, Mafia Wars, and Café World—with over a billion players worldwide. Going by the online alias Gnosticplayers, the serial hacker told The Hacker News that this time, he managed to breach " Words With Friends ," a popular Zynga-developed word puzzle game, and unauthorisedly access a massive database of more than 218 million users. According to the hacker, the data breach affected all Android and iOS game players who installed and signed up for the 'Words With Friends' game on and before 2nd September this year.

IT Firm Manager Arrested in the Biggest Data Breach Case of Ecuador's History

IT Firm Manager Arrested in the Biggest Data Breach Case of Ecuador’s History
September 18, 2019Mohit Kumar
Ecuador officials have arrested the general manager of IT consulting firm Novaestrat after the personal details of almost the entire population of the Republic of Ecuador left exposed online in what seems to be the most significant data breach in the country's history. Personal records of more than 20 million adults and children, both dead and alive, were found publicly exposed on an unsecured Elasticsearch server by security firm vpnMentor, which made the discovery during its large-scale mapping project. For a country with a population of over 16 million people, the breach exposed details of almost every Ecuadorian citizen, including President Lenín Moreno as well as WikiLeaks CEO Julian Assange , who was given political asylum in the country in 2012. The unsecured Elasticsearch server, which was based in Miami and owned by Ecuadorian company Novaestrat, contained 18GB cache of data appeared to have come from a variety of sources including government registries, an automot

Mozilla Launches 'Firefox Private Network' VPN Service as a Browser Extension

Mozilla Launches 'Firefox Private Network' VPN Service as a Browser Extension
September 11, 2019Swati Khandelwal
Mozilla has officially launched a new privacy-focused VPN service, called Firefox Private Network , as a browser extension that aims to encrypt your online activity and limit what websites and advertisers know about you. Firefox Private Network service is currently in beta and available only to desktop users in the United States as part of Mozilla's recently expunged "Firefox Test Pilot" program that lets users try out new experimental features before they were officially released. The Firefox Test Pilot program was first launched by the company three years ago but was shut down in January this year. The company now decided to bring the program back but with some changes. "The difference with the newly relaunched Test Pilot program is that these products and services may be outside the Firefox browser, and will be far more polished, and just one step shy of general public release," said Marissa Wood, vice president of product at Mozilla. Firefox

Apple Changes the Way It Listens to Your Siri Recordings Following Privacy Concerns

Apple Changes the Way It Listens to Your Siri Recordings Following Privacy Concerns
August 29, 2019Swati Khandelwal
Apple today announced some major changes to its controversial 'Siri audio grading program' following criticism for employing humans to listen to audio recordings of users collected via its voice-controlled Siri personal assistant without their knowledge or consent. The move came a month after The Guardian reported that third-party contractors were regularly listening to private conversations of Apple users giving voice commands to Siri in a bid to improve the quality of its product's response. While the data received by the contractors were anonymized and not associated to Apple devices, the private conversations—which also includes private discussions between doctors and patients, business deals, seemingly criminal dealings, people having sex and so on—sometimes reveal identifiable details like a person's name or medical records. In response to the backlash Apple received after the report went public, the company initially responded by temporarily suspending

Google, Mozilla, Apple Block Kazakhstan's Root CA Certificate to Prevent Spying

Google, Mozilla, Apple Block Kazakhstan's Root CA Certificate to Prevent Spying
August 21, 2019Mohit Kumar
In a move to protect its users based in Kazakhstan from government surveillance, Google, Apple and Mozilla finally today came forward and blocked Kazakhstan's government-issued root CA certificate within their respective web browsing software. Starting today, Chrome, Safari and Firefox users in Kazakhstan will see an error message stating that the " Qaznet Trust Network " certificate should not be trusted when attempting to access a website that responds with the government-issued certificate. As The Hacker News reported last month , all major Kazakh Internet Service Providers (ISPs) are forcing their customers into installing a government-issued root certificate on their devices in order to regain access to their Internet services. The root certificate in question, labeled as " trusted certificate " or "national security certificate," if installed, allows ISPs to intercept, monitor, and decrypt users' encrypted HTTPS and TLS connections,

Android Users Can Now Log in to Google Services Using Fingerprint

Android Users Can Now Log in to Google Services Using Fingerprint
August 12, 2019Swati Khandelwal
If you're using Chrome on Android, you can now sign-in to your Google account and some of the other Google services by simply using your fingerprint, instead of typing in your password every time. Google is rolling out a new feature, called " local user verification ," that allows you to log in to both native applications and web services by registering your fingerprint or any other method you've set up to unlock your Android device, including pins, pattern or password. The newly introduced mechanism, which has also been named "verify it's you," takes advantage of Android's built-in FIDO2 certified security key feature that Google rolled out earlier this year to all devices running Android version 7.0 Nougat or later. Besides FIDO2 protocol, the feature also relies on W3C WebAuthn (Web Authentication API) and FIDO Client to Authenticator Protocol (CTAP), which are designed to provide simpler and more secure authentication mechanism that sit

Kazakhstan Begins Intercepting HTTPS Internet Traffic Of All Citizens Forcefully

Kazakhstan Begins Intercepting HTTPS Internet Traffic Of All Citizens Forcefully
July 19, 2019Mohit Kumar
If you are in Kazakhstan and unable to access the Internet service without installing a certificate, you're not alone. The Kazakhstan government has once again issued an advisory to all major local Internet Service Providers (ISPs) asking them to make it mandatory for all their customers to install government-issued root certificates on their devices in order to regain access to the Internet services. The root certificate in question, labeled as " trusted certificate " or " national security certificate ," if installed, allows ISPs to intercept and monitor users' encrypted HTTPS and TLS connections, helping the government spy on its citizens and censor content. In other words, the government is essentially launching a "man in the middle" attack on every resident of the country. But how installing a "root certificate" allow ISPs to decrypt HTTPS connection? For those unaware, your device and web browsers automatically trust digi
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.