cyber security | Breaking Cybersecurity News | The Hacker News

Facebook has been caught practicing the worst ever user-verification mechanism that could put the security of its users at risk. Generally, social media or any other online service asks users to confirm a secret code or a unique URL sent to the email address they provided for the account registration. However, Facebook has been found asking some newly-registered users to provide the social network with the passwords to their email accounts, which according to security experts is a terrible idea that could threaten privacy and security of its users. First noticed by Twitter account e-Sushi using the handle @originalesushi, Facebook has been prompting users to hand over their passwords for third-party email services, so that the company can "automatically" verify their email addresses. However, the prompt only appears for email accounts from certain email providers which Facebook considers to be suspicious. "Tested it myself registering 3 times with 3 differe

In today's world, data plays a crucial role in the success of any organization, but if left unprotected, it could be a cybercriminal's dream come true. Poorly protected MongoDB, CouchDB, and Elasticsearch databases recently got a lot more attention from cybersecurity firms and media lately. More than half of the known cases of massive data breaches over the past year originated from unsecured database servers that were accessible to anyone without any password. Since the database of an organization contains its most valuable and easily exploitable data, cybercriminals have also started paying closer attention to find other insecure entry points. Though the problems with unprotected databases are no news and are widely discussed on the Internet, I want cybersecurity community and industry experts to pay some attention to thousands of unsafe Kibana instances that are exposed on the Internet, posing a huge risk to many companies. Kibana is an open-source analytics and visualiz

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

A former National Security Agency contractor—who stole an enormous amount of sensitive information from the agency and then stored it at his home and car for over two decades—today changed his plea to guilty. The theft was labeled as the largest heist of classified government material in America's history. Harold Thomas Martin III, a 54-year-old Navy veteran from Glen Burnie, abused his top-secret security clearances to stole at least 50 terabytes of classified national defense data from government computers over two decades while working for a number of NSA departments between 1996 and 2016. In August 2016, the FBI arrested Martin at his Maryland home and found "six full bankers' boxes" worth of documents, many of which were marked "Secret" and "Top Secret," in his home and car. At the time of his arrest in August 2016, Martin also worked for Booz Allen Hamilton Holding Corp, the same company that previously employed  Edward Snowden  

The U.S. Department of Homeland Security Thursday issued an advisory warning people of severe vulnerabilities in over a dozen heart defibrillators that could allow attackers to fully hijack them remotely, potentially putting lives of millions of patients at risk. Cardioverter Defibrillator is a small surgically implanted device (in patients' chests) that gives a patient's heart an electric shock (often called a countershock) to re-establish a normal heartbeat. While the device has been designed to prevent sudden death, several implanted cardiac defibrillators made by one of the world's largest medical device companies Medtronic have been found vulnerable to two serious vulnerabilities. Discovered by researchers from security firm Clever Security, the vulnerabilities could allow threat actors with knowledge of medical devices to intercept and potentially impact the functionality of these life-saving devices. "Successful exploitation of these vulnerabilities

A hacker who was selling details of nearly 890 million online accounts stolen from 32 popular websites in three separate rounds has now put up a fourth batch of millions of records originating from 6 other sites for sale on the dark web. The Hacker News today received a new email from the Pakistani hacker, who goes by online alias Gnosticplayers and previously claimed to have hacked dozens of popular websites from companies which, according to him, probably had no idea that they were compromised. The hacker last month made three rounds of stolen accounts up for sale on the popular dark web market called Dream Market, posting details of 620 million accounts stolen from 16 websites in the first round, 127 million records from 8 sites in the second, and 92 million from 8 websites in the third. Although while releasing the third round Gnosticplayers told The Hacker News that it would be his last batch of the stolen database, the hacker released the fourth round containing nearl

Adobe users would feel lighter this month, as Adobe has released patches for just two security vulnerability in its March Security Update. The company today released its monthly security updates to address two critical arbitrary code execution vulnerabilities—one in Adobe Photoshop CC and another in Adobe Digital Editions. Upon successful exploitation, both critical vulnerabilities could allow an attacker to achieve arbitrary code execution in the context of the current user and take control of an affected system. However, the good news is that the company found no evidence of any exploits in the wild for these security issues, Adobe said. The vulnerability in Adobe Photoshop CC , discovered by Trend Micro Zero Day Initiative and assigned CVE-2019-7094, is a heap corruption issue which affects Photoshop CC 19.1.7 and earlier 19.x versions as well as Photoshop CC 20.0.2 and earlier 20.x versions for Microsoft Windows and Apple macOS operating systems. Users are recommended

Cybercriminals have actively started exploiting an already patched security vulnerability in the wild to install cryptocurrency miners on vulnerable Drupal websites that have not yet applied patches and are still vulnerable. Last week, developers of the popular open-source content management system Drupal patched a critical remote code execution (RCE) vulnerability (CVE-2019-6340) in Drupal Core that could allow attackers to hack affected websites. Despite releasing no technical details of the security vulnerability, the proof-of-concept (PoC) exploit code for the vulnerability was made publicly available on the Internet just two days after the Drupal security team rolled out the patched version of its software. Now, security researchers at data center security vendor Imperva discovered a series of attacks—that began just a day after the exploit code went public—against its customers' websites using an exploit that leverages the CVE-2019-6340 security flaw. The attacks or

Great news. If you have already installed the latest update of Google Play Services released earlier today, and your Android device is running Android version 7.0 Nougat or above—Congratulations! Your device is now FIDO2 Certified. Are you thinking… what the heck that actually means? It means, instead of remembering complex passwords for your online accounts, you can now actually use your Android's built-in fingerprint sensor or FIDO security keys for secure password-less access to log into apps and websites that support the FIDO2 protocols, Google and the FIDO Alliance—a consortium that develops open source authentication standards—announced Monday. FIDO2 (Fast Identity Online) protocol offers strong passwordless authentication based on standard public key cryptography using hardware FIDO authenticators like security keys, mobile phones, and other built-in devices. FIDO2 protocol is a combination of W3C's WebAuthn API that allows developers to integrate FIDO aut

Why would someone bother to hack a so-called "ultra-secure encrypted database that is being protected behind 13 feet high and 5 feet thick walls," when one can simply fetch a copy of the same data from other sources. French security researcher Baptiste Robert, who goes by the pseudonym "Elliot Alderson" on Twitter, with the help of an Indian researcher, who wants to remain anonymous, discovered that the official website of popular state-owned LPG gas company Indane is leaking personal details of its millions of customers, including their Aadhaar numbers. This is not the first time when an unprotected third-party database has leaked Aadhaar details of Indian citizens, which is a unique number assigned to each citizen as part of India's biometric identity programme maintained by the government's Unique Identification Authority of India (UIDAI). Earlier this week an anonymous Indian researcher initially discovered a loophole in the Indane's online

It's not at all surprising that downloading movies and software from the torrent network could infect your computer with malware, but it's more heartbreaking when a popular, trusted file uploader goes rogue. Popular software cracks/keygens uploader "CracksNow," who had trusted status from many torrent sites, has now been banned from several torrent sites after he was repeatedly found distributing the malware bundled with his uploads. In recent months, according to TorrentFreak , many downloaders complained that the files they downloaded, shared by CracksNow on torrents, found containing GandCrab ransomware and other malware that can do severe damage to computers. Discovered earlier last year, GandCrab is a widespread ransomware threat, like every other ransomware in the market, that encrypts all files on an infected system and blackmails victims to pay a ransom in digital currency to unlock them. GandCrab ransomware was being distributed late last month via a

All these numbers…. "More than 5 billion records from 6,500 data breaches were exposed in 2018" — a report from Risk Based Security says. "More than 59,000 data breaches have been reported across the European since the GDPR came into force in 2018" — a report from DLA Piper says. …came from data breaches that were reported to the public, but in reality, more than half of all data breaches actually go unreported. Just last week, we disclosed the existence of some massive unreported data breaches in two rounds, which a hacker has now started monetizing by selling stolen user databases publicly. Now, a new set of databases containing millions of hacked accounts from several websites has been made available for sale on the dark web marketplace by the same hacker who goes by online alias Gnosticplayers. Gnosticplayers last week made two rounds of stolen accounts up for sale on the popular dark web marketplace called Dream Market , posting details of near

The United States Department of Justice has announced espionage charges against a former US Air Force intelligence officer with the highest level of top-secret clearance for providing the Iranian government classified defense information after she defected to Iran in 2013. Monica Elfriede Witt , 39, was a former U.S. Air Force Intelligence Specialist and Special Agent of the Air Force Office of Special Investigations, who served the Air Force between 1997 and 2008 and Department of Defense (DOD) as a contractor until 2010. The indictment states that Witt once held the highest level of Top Secret security clearance and had access to details of highly classified counterintelligence operations, real names of sources, and the identities of U.S. intelligence officers. In February 2012, Witt allegedly traveled to Iran to attend an all-expenses-paid "Hollywoodism" conference held by the Iranian New Horizon Organization, which DoJ describes as focused on promoting anti-U.S.

A security researcher has discovered yet another cryptocurrency-stealing malware on the official Google Play Store that was designed to secretly steal bitcoin and cryptocurrency from unwitting users. The malware, described as a " Clipper ," masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging to attackers, ESET researcher Lukas Stefanko explained in a blog post . Since cryptocurrency wallet addresses are made up of long strings of characters for security reasons, users usually prefer copying and pasting the wallet addresses using the clipboard over typing them out. The newly discovered clipper malware, dubbed Android/Clipper.C by ESET, took advantage of this behavior to steal users cryptocurrency. To do this, attackers first tricked users into installing the malicious app that impersonated a legitimate cryptocurrency service called MetaMask , claiming to let users

Using an Android device? Beware! You have to remain more caution while opening an image file on your smartphone—downloaded anywhere from the Internet or received through messaging or email apps. Yes, just viewing an innocuous-looking image could hack your Android smartphone—thanks to three newly-discovered critical vulnerabilities that affect millions of devices running recent versions of Google's mobile operating system, ranging from Android 7.0 Nougat to its current Android 9.0 Pie. The vulnerabilities, identified as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, have been patched in Android Open Source Project (AOSP) by Google as part of its February Android Security Updates . However, since not every handset manufacturer rolls out security patches every month, it's difficult to determine if your Android device will get these security patches anytime sooner. Although Google engineers have not yet revealed any technical details explaining the vulnerabilities, t

The developers behind the privacy-minded Zcash cryptocurrency have recently discovered and patched a highly dangerous vulnerability in the most secretive way that could have allowed an attacker to coin an infinite number of Zcash (ZEC). Yes, infinite… like a never-ending source of money. Launched in October 2016, Zcash is a privacy-oriented cryptocurrency that claims to be more anonymous than Bitcoin, as the sender, recipient, and value of transactions remain hidden. In a blog post published today, the Zerocoin Electric Coin Company—the startup behind Zcash—revealed that one of its employees, Ariel Gabizon, discovered the vulnerability in its code on 1st March 2018, the night prior to his talk at the Financial Cryptography conference almost a year ago. Gabizon contacted Sean Bowe, a Zcash Company's cryptographer, immediately after discovering the counterfeiting vulnerability, as dubbed by the team, and the team decided to keep the flaw secret in order to avoid the risk o

Many of you might have this question in your mind: "Is it illegal to test a website for vulnerability without permission from the owner?" Or… "Is it illegal to disclose a vulnerability publicly?" Well, the answer is YES, it's illegal most of the times and doing so could backfire even when you have good intentions. Last year, Hungarian police arrested a 20-year-old ethical hacker accused of finding and exploiting serious vulnerabilities in Magyar Telekom, the largest Hungarian telecommunication company, who is now facing up to 8 years in prison. According to local Hungarian media , the defender first discovered a severe vulnerability in Magyar Telekom systems in April 2018 and reported it to the company officials, who later invited him to a meeting. Reportedly, the hacker then traveled to Budapest for the meeting, which didn't go well as he expected, and apparently, the company did not permit him to test its systems further. However, the man conti

If you are thinking that Facebook is sitting quietly after being forced to remove its Onavo VPN app from Apple's App Store, then you are mistaken. It turns out that Facebook is paying teenagers around $20 a month to use its VPN app that aggressively monitors their smartphone and web activity and then sends it back to Facebook. The social media giant was previously caught collecting some of this data through Onavo Protect , a Virtual Private Network (VPN) service that it acquired in 2013. However, the company was forced to pull the app from the App Store in August 2018 after Apple found that Facebook was using the VPN service to track its user activity and data across multiple apps, which clearly violates its App Store guidelines on data collection. Onavo Protect became a data collection tool for Facebook helping the company track smartphone users' activities across multiple different apps to learn insights about how Facebook users use third-party apps. Facebook&#

A team at a robot cybersecurity startup has released a free, open-source tool for information security professionals to help them easily 'footprint' and detect unprotected robots, not only connected to the Internet, but also to the industrial environments where they operate. Dubbed " Aztarna ," the framework has been developed by Alias Robotics , a Spanish cybersecurity firm focused on robots and is capable of detecting vulnerable industrial routers and robots powered by ROS (Robot Operating System), SROS (Secure ROS) and other robot technologies. Written in Python 3, Aztarna is basically a port scanning tool with a built-in database of fingerprints for industrial routers (including Westermo, Moxa, Sierra Wireless, and eWON), and robotic technologies and components, as well as patterns that power the tool to test those devices against various known vulnerabilities and security misconfigurations. Researchers at Alias Robotics told The Hacker News that Aztarna h

A Russian hacker indicted by a United States court for his involvement in online ad fraud schemes that defrauded multiple American companies out of tens of millions of dollars pleaded not guilty on Friday in a courtroom in Brooklyn, New York. Aleksandr Zhukov , 38, was arrested in November last year by Bulgarian authorities after the U.S. issued an international warrant against him, and was extradited by Bulgaria to the United States on Thursday (January 18, 2019). He is currently in prison in Brooklyn. In November 2018, law enforcement and multiple security firms collaborated to shut down one of the largest digital ad-fraud schemes, which they dubbed 3ve , that infected over 1.7 million computers worldwide to generate fake clicks used to defraud digital advertisers for years and made tens of millions of dollars in revenue. Pronounced "Eve," the online ad-fraud campaign was believed to have been active since at least 2014, but its fraudulent activity grew last yea

Even after so many efforts by Google for preventing its Play Store from malware, shady apps somehow managed to fool its anti-malware protections and get into its service to infect Android users with malware. Two such Android apps have recently been spotted on the Google Play Store by security researchers with the Trend Micro malware research team, infecting thousands of Android users who have already downloaded them with banking malware. The apps in question masquerade as a currency exchange app called Currency Converter and battery saver app called BatterySaverMobi , and are using motion-sensor inputs of infected Android devices to monitor them before installing a dangerous banking Trojan called Anubis. The malicious Android apps, with a large number of fake five-star reviews, use this clever trick instead of traditional evasion techniques in order to avoid detection when researchers run emulators (which are less likely to use sensors) to detect such malicious apps. &quo