The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: hacking server

Critical OpenSSH Flaw Leaks Private Crypto Keys to Hackers

Critical OpenSSH Flaw Leaks Private Crypto Keys to Hackers

January 15, 2016Swati Khandelwal
A 'Serious' security vulnerability has been discovered and fixed in OpenSSH – one of the most widely used open-source implementations of the Secure Shell (SSH) Protocol. The critical vulnerability could be exploited by hackers to force clients to leak their secret private cryptographic keys, potentially exposing users to Man-in-the-Middle (MITM) attacks. What Causes the Flaw to occur? The serious bug was actually the result of a code that enables an experimental " roaming " feature in the OpenSSH versions 5.4 to 7.1 in order to let users resume connections. However, The roaming feature contains two different vulnerabilities: An information sharing flaw ( CVE-2016-0777 ) A less harmless buffer overflow flaw ( CVE-2016-0778 ) The vulnerability does not have any catchy name like some previous OpenSSH flaws. Impact of the Vulnerability This new feature can be exploited by hackers, who could use a malicious OpenSSH server to trick a
How to Protect yourself from the 'Heartbleed' Bug

How to Protect yourself from the 'Heartbleed' Bug

April 10, 2014Swati Khandelwal
Millions of websites, users' passwords, credit card numbers and other personal information may be at risk as a result of the Heartbleed security flaw , a vulnerability in widely used cryptographic library ' OpenSSL '. [ READ DETAILS HERE ] Netcraft survey says that about half a million widely trusted active websites on the internet are vulnerable to the heartbleed bug, which means the information transmitting through hundreds of thousands of websites could be vulnerable, despite the protection offered by encryption techniques. According to Netcraft, " the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities. These certificates are consequently vulnerable to being spoofed (through private key disclosure), allowing an attacker to impersonate the affected websites without raising any browser warnings. " Among the trusted names running OpenSSL is Yahoo!, which has been
How Heartbleed Bug Exposes Your Passwords to Hackers

How Heartbleed Bug Exposes Your Passwords to Hackers

April 10, 2014Swati Khandelwal
Are you safe from the critical bug Heartbleed?? OpenSSL- the encryption technology used by millions of websites to encrypt the communication and is also used to protect our sensitive data such as e-mails, passwords or banking information.  But a tiny, but most critical flaw called " Heartbleed " in the widely used OpenSSL opened doors for the cyber criminals to extract sensitive data from the system memory. WHAT IS HEARTBLEED? SSL and TLS are known to provide communication security and privacy over the Internet for applications such as websites, email, instant messaging (IM), including some virtual private networks (VPNs). Heartbleed is a critical bug ( CVE-2014-0160 ) is in the popular OpenSSL cryptographic software library, that actually resides in the OpenSSL's implementation of the TLS (transport layer security protocols) and DTLS ( Datagram TLS ) heartbeat extension (RFC6520). This bug was independently discovered by a team of security enginee
Yahoo fixes Critical Remote Command Execution vulnerability

Yahoo fixes Critical Remote Command Execution vulnerability

January 25, 2014Mohit Kumar
Cyber Security Expert and Penetration tester, Ebrahim Hegazy has found a serious vulnerability in Yahoo's website that allows an attacker to remotely execute any commands on the server i.e. Remote Command Execution vulnerability. According to Ebrahim blog post , the vulnerability resides in a Chinese subdomin of Yahoo website i.e. https://tw.user.mall.yahoo.com/rating/list?sid= $Vulnerability Any remote user can manipulate the input to the sid parameter in the above URL, that passes the parameter value to an eval() PHP function on the server end. If an attacker is able to inject a PHP code into this web application, it forces the server to execute it, but this method only limited by what PHP is capable of. In a POC Video he has successfully demonstrated few Payloads: Example-1: https://tw.user.mall.yahoo.com/rating/list?sid= ${@print(system("dir"))} Example-2: https://tw.user.mall.yahoo.com/rating/list?sid= ${@print(system("ps"))} Last week, He
The Pirate Bay Cofounder 'Gottfrid Svartholm Warg' will be extradited to Denmark

The Pirate Bay Cofounder 'Gottfrid Svartholm Warg' will be extradited to Denmark

November 21, 2013Wang Wei
Sweden today has announced the extradition of 30-year-old  The Pirate Bay Cofounder ' Gottfrid Svartholm Warg ' to Denmark where he is wanted for questioning on alleged hacking charges. He was living in Cambodia last year but was later arrested and deported to Sweden. Currently he is serving a one-year sentence in Sweden for hacking into the computer systems of contractors working for the national tax authority. His extradition will take place on 27th November . Along with a 20-year-old Dane, they are accused of hacking into the servers of a Denmark government contractor and stealing police files files between April and August 2012. The motivation for the hacks remains unknown, but the police say it can't be ruled out that changes were made to the records. There are, however, no indications that any of the downloaded files have been exploited. Even, The Pirate Bay may no longer be safe to use. It is no longer in the hands of the original owners. An Anonymous act
Google engineers over surveillance scandal: 'Fuck you NSA'

Google engineers over surveillance scandal: 'Fuck you NSA'

November 06, 2013Mohit Kumar
On Tuesday, the Washington Post revealed a few more NSA slides released by Edward Snowden, which revealed that the spy agency NSA was infiltrating the private data links between Google and Yahoo data centers as part of a program called MUSCULAR . Chairman and former CEO of Google Eric Schmidt says the company's executives are shocked by allegations that the National Security Agency has been collecting data from the search engine's servers. " It's really outrageous that the NSA was looking between the Google data centers, if that's true ," he said. Overnight, Two Google's Security engineers -  Mike Hearn and   Brandon Downey expressed reasonable anger about the news on Google+, said " Fuck these guys ", where these represent NSA and GCHQ. I've spent the last ten years of my life trying to keep Google's users safe and secure from the many diverse threats Google faces. Fuck You to the people who made these slides. I am not American, I am a Brit, but i
Ubisoft's uPlay service hacked, Far Cry 3 Blood Dragon Leaked

Ubisoft's uPlay service hacked, Far Cry 3 Blood Dragon Leaked

April 10, 2013Mohit Kumar
Russian hackers have figured out a way to download free games from Ubisoft's servers, exploiting an existing vulnerability in Ubisoft's uPlay launcher. According to reports, the copies of Far Cry 3 Blood Dragon that are available on torrent sites are the result of a hack of Ubisoft's uPlay service. The hack has allowed users to download advance copies of Far Cry 3: Blood Dragon, a game which has yet to be officially released. Blood Dragon will be officially released on 1st May, for Xbox 360, PS3 and PC. As a proof of the exploit, hackers even posted an 1 hour 30 mins long footage of the game. A Ubisoft spokesman said that the company was aware of the issue and was working to resolve it quickly.  An earlier tweet on their account attributed yesterday's outage to hackers as well, saying " Servers were attacked which limited service from 2:30PM to 9:00PM Paris time [8:30AM to 3:00PM EST]. " The hackers developed a piece of software which tricks
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.