Vulnerability | Breaking Cybersecurity News | The Hacker News

As much as you protect your electronics from being hacked, hackers are clever enough at finding new ways to get into your devices. But, you would hope that once a flaw discovered it would at least be fixed in few days or weeks, but that's not always the case. A three-year-old security vulnerability within a software component used by more than 6.1 Million smart devices still remains unpatched by many vendors, thereby placing Smart TVs, Routers, Smartphones, and other Internet of Things (IoT) products at risk of exploit. Security researchers at Trend Micro have brought the flaw to light that has been known since 2012 but has not been patched yet. Remote Code Execution Vulnerabilities  Researchers discovered a collection of Remote Code Execution (RCE) vulnerabilities in the Portable SDK for UPnP , or libupnp component – a software library used by mobile devices, routers, smart TVs, and other IoT devices to stream media files over a network. The flaws occur du

A new research showed that Scripting languages, in general, give birth to more security vulnerabilities in web applications, which raised concerns over potential security bugs in millions of websites. The app security firm Veracode has released its State of Software Security: Focus on Application Development report ( PDF ), analyzing more than 200,000 separate applications from October 1, 2013, through March 31, 2015. The security researchers crawled popular web scripting languages including PHP, Java, JavaScript, Ruby, .NET, C and C++, Microsoft Classic ASP, Android, iOS, and COBOL, scanning hundreds of thousands of applications over the last 18 months. Also Read:  A Step-by-Step Guide — How to Install Free SSL Certificate On Your Website Researchers found that PHP – and less popular Web development languages Classic ASP and ColdFusion – are the riskiest programming languages for the Internet, while Java and .NET are the safest. Here's the Top 10 List:

In today's digital world, where connectivity is rules all, endpoints serve as the gateway to a business's digital kingdom. And because of this, endpoints are one of hackers' favorite targets.  According to the IDC,  70% of successful breaches start at the endpoint . Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT teams needing to protect more endpoints—and more kinds of endpoints—than ever before, that perimeter has become more challenging to defend. You need to improve your endpoint security, but where do you start? That's where this guide comes in.  We've curated the top 10 must-know endpoint security tips that every IT and security professional should have in their arsenal. From identifying entry points to implementing EDR solutions, we'll dive into the insights you need to defend your endpoints with confidence.  1. Know Thy Endpoints: Identifying and Understanding Your Entry Points Understanding your network's

A newly discovered flaw affecting all VPN protocols and operating systems has the capability to reveal the real IP-addresses of users' computers, including BitTorrent users, with relative ease. The vulnerability, dubbed Port Fail by VPN provider Perfect Privacy (PP) who discovered the issue, is a simple port forwarding trick and affects those services that: Allow port forwarding Have no protection against this specific attack Port Forwarding trick means if an attacker uses the same VPN ( Virtual Private Network ) as the victim, then the real IP-address of the victim can be exposed by forwarding Internet traffic to a specific port. "The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work," Perfect Privacy wrote in a blog post on Thursday. Also Read:  This Secure Operating System Can Protect You Even if You Get Hacked . Port Fail

Yes, you heard it right. Mark Zuckerberg has left his job at Facebook. Don't believe me? I can prove it to you. —  Check this Facebook Post by yourself  — This is weird, Isn't it? But, don't be surprised or shocked, because what you just saw was only an illusion. This is actually a minor bug in the popular social media website that allows anyone to manipulate the life event of any user who has his work status posted on Facebook. The bug, uncovered by the independent hacker Sachin Thakuri , is not a technical flaw. So how was he able to do this? All Thakuri did is took the original URL of Mark Zuckerberg life event: https://www.facebook.com/zuck/timeline/story?ut=32&wstart=-2051193600&wend=2147483647&hash=971179541251&pagefilter=3 &ustart=1 &__mref=message_bubble ...and remove the ustart=1 parameter, which left him with: https://www.facebook.com/zuck/timeline/story?ut=32&wstart=-2051193600&wend=2147483647&ha

Simply put, threat intelligence is knowledge that helps you identify security threats and make informed decisions. Threat intelligence can help you solve the following problems: How do I keep up to date on the overwhelming amount of information on security threats…including bad actors, methods, vulnerabilities, targets, etc.? How do I get more proactive about future security threats? How do I inform my leaders about the dangers and repercussions of specific security threats? Threat Intelligence: What is it? Threat intelligence has received a lot of attention lately. While there are many different definitions, here are a few that get quoted often: Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. – Gartner   The set of data collected, assessed and app

Police have arrested a fourth person, a 16-year-old boy , from London in connection with the high-profile hack of British telecoms giant TalkTalk. The investigating officers from the Metropolitan Police Cyber Crime Unit (MPCCU) arrested the teenager at his home in Norwich on suspicion of Computer Misuse Act offences. TalkTalk was subjected to a ' significant and sustained ' hacking attack on its official website two weeks back, which put the Bank Details and Personally Identifiable Information (PII) of its 4 Million customers at risk. The telco confirmed last week that at most 1.2 Million names, email addresses and phone numbers and around 21,000 unique bank account numbers and sort codes were compromised in the attack. However, TalkTalk said that the stolen credit card details were incomplete, so the payment cards could not be used for any false financial transactions. But, the company advised customers to remain vigilant against financial fraud. S

Well, here's some terrible news for all Apple iOS users… Someone just found an iOS zero-day vulnerability that could allow an attacker to remotely hack your iPhone running the latest version of iOS, i.e. iOS 9. Yes, an unknown group of hackers has sold a zero-day vulnerability to Zerodium , a startup by French-based company Vupen that Buys and Sells zero-day exploits. And Guess what, in How much? $1,000,000. Yes, $1 Million. Last month, a Bug bounty challenge was announced by Zerodium for finding a hack that must allow an attacker to remotely compromise a non-jailbroken Apple device through: A web page on Safari or Chrome browser, In-app browsing action, or Text message or MMS. Zerodium's Founder Chaouki Bekrar confirmed on Twitter that an unnamed group of hackers has won this $1 Million Bounty for sufficiently submitting a remote browser-based iOS 9.1/9.2b Jailbreak (untethered) Exploit. NO More Fun. It's Serious Threat to iOS Use

Do you need a FitBit Tracker while jogging or running or even sleeping? Bad News! FitBit can be hacked that could allow hackers to infect any PC connected to it. What's more surprising? Hacking FitBit doesn't take more than just 10 Seconds . Axelle Aprville , a researcher at the security company Fortinet, demonstrated "How to hack a Fitbit in only 10 seconds," at the Hack.Lu conference in Luxembourg. Aprville's test was a proof of concept (POC) that did not actually focus on executing malicious payload, rather a logical attack. By using only Bluetooth, Aprville was able to modify data on steps and distance. However, she said it is possible to infect the device in an attempt to spread malware to synced devices. Fitbit Flex tracker is a flexible wristband that measures health statistics, such as blood pressure and heart rate. The Flex is a product of Fitbit, and its salient features are: It can wake you up with a silent vibrati

Joomla – one of the most popular open source Content Management System (CMS) software packages, has reportedly patched three critical vulnerabilities in its software. The flaws, exist in the Joomla version 3.2 to 3.4.4, include SQL injection vulnerabilities that could allow hackers to take admin privileges on most customer websites. The patch was an upgrade to Joomla version 3.4.5  and only contained security fixes. The vulnerability, discovered by Trustwave SpiderLabs researcher Asaf Orpani and Netanel Rubin of PerimeterX, could be exploited to attack a website with SQL injections. SQL injection ( SQLi ) is an injection attack wherein a bad actor can inject/insert malicious SQL commands/query (malicious payloads) through the input data from the client to the application. The vulnerability is one of the oldest, most powerful and most dangerous flaw that could affect any website or web application that uses an SQL-based database. The recent SQLi in Jooml

Two days ago, The Hacker News (THN) reported about the Zero-day vulnerability in the freshly patched Adobe Flash Player . The vulnerability was exploited in the wild by a well-known group of Russian hackers, named " Pawn Storm ," to target several foreign affairs ministries worldwide. The zero-day flaw allowed hackers to have complete control of the users' machine, potentially putting all the Flash Player users at a potentially high risk. Since then, there was no patch available to make flawed utility safe. However, Adobe has now patched the zero-day vulnerability, along with some critical vulnerabilities whose details are yet to be disclosed. Yesterday, the company published a post on their official security bulletin ( APSB15-27 ) detailing the risks associated with the zero-day and how a user can get rid of them. The critical vulnerabilities are assigned following CVE numbers: CVE-2015-7645 CVE-2015-7647 CVE-2015-7648 Also, Adobe is kn

Does Adobe Flash , the standard that animated the early Web, needs to Die? Unfortunately, Yes. Despite Adobe's best efforts, Flash is not safe anymore for Internet security, as a recent zero-day Flash exploit has been identified. Just Yesterday Adobe released its monthly patch update that addressed a total of 69 critical vulnerabilities in Reader, Acrobat, including 13 critical patches for Flash Player. Now today, Security researchers have disclosed a new zero-day vulnerability in fully patched versions of Adobe Flash, which is currently being exploited in the wild by a Russian state-sponsored hacking groups, named " Pawn Storm ". NO Patch For Latest Flash Exploit That means, even users with an entirely up-to-date installation ( versions 19.0.0.185 and 19.0.0.207 ) of the Flash software are also vulnerable to the latest zero-day exploit. Luckily, for the time being, this exploit is only being used against Government agencies and several foreign affairs

Microsoft has rolled out six security updates this Patch Tuesday , out of which three are considered to be " critical, " while the rest are marked as " important. " Bulletin MS15-106 is considered to be critical for Internet Explorer (IE) and affects absolutely all versions of Windows operating system. The update addresses a flaw in the way IE handles objects in memory. The flaw could be exploited to gain access to an affected system, allowing hackers to gain the same access rights as the logged-in user. A hacker could " take advantage of compromised websites, and websites that accept or host user-provided content or advertisements ," the advisory states. " These websites could contain specially crafted content that could exploit the vulnerabilities. " Therefore, the dependency here is that an IE user must knowingly click on the malicious link, which then be leveraged by an attacker to get the full control over a computer t

Apple has removed several apps from its official iOS App Store that have the ability to compromise encrypted connections between the servers and the end-users. Apple has officially said: We have removed a "few" apps from the iOS App Store that could install root certificates and allow monitoring your data. It's like- they have analyzed and admitted that they lacked in the auditing of the App Store hosted Apps. The company is also advising its users to uninstall the malicious apps from their iPhones, iPads and iPods in order to prevent themselves from monitoring, though it has yet to name the offending apps. App Store Apps Spy on Encrypted Traffic The challenge that stood before Apple was, they discovered that "few" of the Apps in the iOS App Store were capable of spying on the users by compromising SSL/TLS security solutions of their online communication. Root certificates are the fundamental part of how encrypted connections like HTT