The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: software development

Hackers Turning to 'Exotic' Programming Languages for Malware Development

Hackers Turning to 'Exotic' Programming Languages for Malware Development

July 27, 2021Ravie Lakshmanan
Threat actors are increasingly shifting to "exotic" programming languages such as Go, Rust, Nim, and Dlang that can better circumvent conventional security protections, evade analysis, and hamper reverse engineering efforts. "Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies,"  said  Eric Milam, Vice President of threat research at BlackBerry. "That tactic has multiple benefits from the development cycle and inherent lack of coverage from protective products." On the one hand, languages like Rust are more secure as they offer guarantees like  memory-safe programming , but they can also be a double-edged sword when malware engineers abuse the same features designed to offer increased safeguards to their advantage, thereby making malware less susceptible to exploitation and thwart attempts to  activate a kill-switch  and render them powerless. Noting that binaries written i
Google now requires app developers to verify their address and use 2FA

Google now requires app developers to verify their address and use 2FA

June 29, 2021Ravie Lakshmanan
Google on Monday announced  new measures  for the Play Store, including requiring developer accounts to turn on 2-Step Verification (2SV), provide an address, and verify their contact details later this year. The new identification and two-factor authentication requirements are a step towards strengthening account security and ensuring a safe and secure app marketplace, Google Play Trust and Safety team said. As part of the changes, individual users and businesses in possession of Google Play developer accounts will be asked to specify an account type (personal or organization), a contact name, their physical address, as well as verifying the email address and phone number provided during account creation. In addition, the search giant is also mandating users of Google Play Console to sign in using Google's 2-Step Verification to prevent account takeover attacks. According to the timeline shared by Google, developer account owners will be able to declare their account type a
One-Click Exploit Could Have Let Attackers Hijack Any Atlassian Account

One-Click Exploit Could Have Let Attackers Hijack Any Atlassian Account

June 24, 2021Ravie Lakshmanan
Cybersecurity researchers on Wednesday disclosed critical flaws in the Atlassian project and software development platform that could be exploited to take over an account and control some of the apps connected through its single sign-on ( SSO ) capability. "With just one click, an attacker could have used the flaws to get access to Atlassian's publish Jira system and get sensitive information, such as security issues on Atlassian cloud, Bitbucket and on premise products," Check Point Research said in an analysis shared with The Hacker News. After the issues were reported to Atlassian on Jan. 8, 2021, the Australian company deployed a fix as part of its  updates  rolled out on  May 18 . The sub-domains affected by the flaws include -  jira.atlassian.com confluence.atlassian.com getsupport.atlassian.com partners.atlassian.com developer.atlassian.com support.atlassian.com training.atlassian.com Successful exploitation of these flaws could result in a supply-ch
Google Releases New Framework to Prevent Software Supply Chain Attacks

Google Releases New Framework to Prevent Software Supply Chain Attacks

June 18, 2021Ravie Lakshmanan
As software supply chain attacks emerge as a point of concern in the wake of SolarWinds and Codecov  security incidents, Google is proposing a solution to ensure the integrity of software packages and prevent unauthorized modifications.  Called " Supply chain Levels for Software Artifacts " (SLSA, and pronounced "salsa"), the end-to-end framework aims to secure the software development and deployment pipeline — i.e., the source ➞ build ➞ publish workflow — and  mitigate threats  that arise out of tampering with the source code, the build platform, and the artifact repository at every link in the chain. Google said SLSA is inspired by the company's own internal enforcement mechanism called Binary Authorization for Borg , a set of auditing tools that verifies code provenance and implements code identity to ascertain that the deployed production software is properly reviewed and authorized. "In its current state, SLSA is a set of incrementally adoptable
Newly Discovered Bugs in VSCode Extensions Could Lead to Supply Chain Attacks

Newly Discovered Bugs in VSCode Extensions Could Lead to Supply Chain Attacks

May 26, 2021Ravie Lakshmanan
Severe security flaws uncovered in popular Visual Studio Code extensions could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment (IDE). The vulnerable extensions could be exploited to run arbitrary code on a developer's system remotely, in what could ultimately pave the way for supply chain attacks. Some of the extensions in question are "LaTeX Workshop," "Rainbow Fart," "Open in Default Browser," and "Instant Markdown," all of which have cumulatively racked up about two million installations between them. "Developer machines usually hold significant credentials, allowing them (directly or indirectly) to interact with many parts of the product," researchers from open-source security platform Snyk  said  in a deep-dive published on May 26. "Leaking a developer's private key can allow a malicious stakeholder to clone important
Hackers Infecting Apple App Developers With Trojanized Xcode Projects

Hackers Infecting Apple App Developers With Trojanized Xcode Projects

March 19, 2021Ravie Lakshmanan
Cybersecurity researchers on Thursday disclosed a new attack wherein threat actors are leveraging Xcode as an attack vector to compromise Apple platform developers with a backdoor, adding to a growing trend that involves targeting developers and researchers with malicious attacks. Dubbed "XcodeSpy," the trojanized Xcode project is a tainted version of a legitimate, open-source project available on GitHub called TabBarInteraction that's used by developers to animate iOS tab bars based on user interaction. "XcodeSpy is a malicious Xcode project that installs a custom variant of the EggShell backdoor on the developer's macOS computer along with a persistence mechanism," SentinelOne researchers  said . Xcode is Apple's integrated development environment (IDE) for macOS, used to develop software for macOS, iOS, iPadOS, watchOS, and tvOS. Earlier this year, Google's Threat Analysis group  uncovered  a North Korean campaign aimed at security researche
Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository

Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository

April 16, 2020Ravie Lakshmanan
As developers increasingly embrace off-the-shelf software components into their apps and services, threat actors are abusing open-source repositories such as RubyGems to distribute malicious packages, intended to compromise their computers or backdoor software projects they work on. In the latest research shared with The Hacker News, cybersecurity experts at ReversingLabs revealed over 700 malicious gems — packages written in Ruby programming language — that supply chain attackers were caught recently distributing through the RubyGems repository. The malicious campaign leveraged the typosquatting technique where attackers uploaded intentionally misspelled legitimate packages in hopes that unwitting developers will mistype the name and unintentionally install the malicious library instead. ReversingLabs said the typosquatted packages in question were uploaded to RubyGems between February 16 and February 25, and that most of them have been designed to secretly steal funds by r
Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk

Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk

July 18, 2017Swati Khandelwal
Security researchers have discovered a critical remotely exploitable vulnerability in an open-source software development library used by major manufacturers of the Internet-of-Thing devices that eventually left millions of devices vulnerable to hacking. The vulnerability (CVE-2017-9765), discovered by researchers at the IoT-focused security firm Senrio, resides in the software development library called gSOAP toolkit (Simple Object Access Protocol) — an advanced C/C++ auto-coding tool for developing XML Web services and XML application. Dubbed " Devil's Ivy ," the stack buffer overflow vulnerability allows a remote attacker to crash the SOAP WebServices daemon and could be exploited to execute arbitrary code on the vulnerable devices. The Devil's Ivy vulnerability was discovered by researchers while analysing an Internet-connected security camera manufactured by Axis Communications. "When exploited, it allows an attacker to remotely access a video
NSA Opens Github Account — Lists 32 Projects Developed by the Agency

NSA Opens Github Account — Lists 32 Projects Developed by the Agency

June 21, 2017Swati Khandelwal
The National Security Agency (NSA) — the United States intelligence agency which is known for its secrecy and working in the dark — has finally joined GitHub and launched an official GitHub page. The NSA employs genius-level coders and brightest mathematicians, who continually work to break codes, gather intelligence on everyone, and develop hacking tools like EternalBlu e that was leaked by the Shadow Brokers in April and abused by the WannaCry ransomware last month to wreak havoc worldwide. The intelligence agency mostly works in secret, but after Edward Snowden leaks in 2013, the NSA has started (slowly) opening itself to the world. It joined Twitter in the same year after Snowden leaks and now opened a Github account. GitHub is an online service designed for sharing code amongst programmers and open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program ( TTP ), while some of these are 'coming soon.'
Bulgaria passes Law that mandates Government Software must be Open Source

Bulgaria passes Law that mandates Government Software must be Open Source

July 07, 2016Mohit Kumar
Do you have any idea what the software you have installed is doing stealthily in the background? If it's not an open source software, can you find out? Usually, the answer is no. After Edward Snowden's revelations, it's clear that how desperately government agencies wants to put secret backdoors in your network, devices, and software. However, Bulgaria has come forward with an all new set of laws that would be appreciated by privacy lovers and open-source community. Also Read:  Top Best Password Managers . The Bulgarian Parliament has passed legislative amendments to its Electronic Governance Act that require all software written for the country's government to be fully open-sourced and developed in the public Github repository . This means that source code of software developed for the Bulgarian government would be accessible to everyone and provided free for use without limitations. Article 58A of the Electronic Governance Act states that administrative
FBI Director — "What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?"

FBI Director — "What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code?"

March 02, 2016Swati Khandelwal
What If Apple Engineers are Kidnapped and Forced to Write (Exploit) Code? Exactly this was what FBI Director James Comey asked in the congressional hearing on Tuesday. The House Judiciary Committee hearing on "The Encryption Tightrope: Balancing Americans' Security and Privacy" over the ongoing battle between Apple and the FBI ended up being full of drama. The key to the dispute is whether the Federal Bureau of Investigation (FBI) can force Apple to develop a special version of its mobile operating system that would help the agency unlock an iPhone  belonged to San Bernardino shooter Syed Farook . FBI Director James Comey was there with a prepared testimony about why the FBI wants Apple to create a backdoor into the killer's iPhone. Comey: Encryption is a Long-Term Threat to Law Enforcement Yesterday, a New York magistrate judge refused a similar order in a drug case in which the authorities asked Apple to help with the data stored in an
Jail Authorities Mistakenly Early Released 3,200 Prisoners due to a Silly Software Bug

Jail Authorities Mistakenly Early Released 3,200 Prisoners due to a Silly Software Bug

December 29, 2015Swati Khandelwal
Washington State Department of Corrections (DoC) is facing an investigation after it early released around 3,200 prisoners over the course of 13 years , since 2002, when a bug was introduced in the software used to calculate time credits for inmates' good behavior. The software glitch led to a miscalculation of sentence reductions that US prisoners were receiving for their good behaviour. Over the next 13 years, the median number of days of those released early from prison was 49 days before their correct release date. "This problem was allowed to continue for 13 years is deeply disappointing to me, totally unacceptable and, frankly, maddening," Washington State Governor Jay Inslee said in a statement . "I've [many] questions about how and why this happened, and I understand that members of the public will have those same queries." What's the Bug and How did it Remain Undetected for 13 Years? The issue lies in DoC software that is
Facebook Opens Free Internet to Developers, But won't Support HTTPS Encryption

Facebook Opens Free Internet to Developers, But won't Support HTTPS Encryption

May 05, 2015Swati Khandelwal
After facing much criticism for violation of Net Neutrality, Facebook has opened up its new Internet.org platform to developers for creating their apps and services in India and other countries. Facebook's Internet.org aims at offering free Internet access to " the next 5 billion " impoverished people around the world who currently don't have it. This current move now would potentially allow any website to be accessed for free via the Internet.org service, but only in the case, if the website ditches the encrypted communications (HTTPS), JavaScript, and other important things. Internet for All: Facebook offers free mobile Internet access to people in India , Zambia , Colombia, Tanzania, Kenya, Ghana, Philippines and Indonesia . However, in order to access the free Internet, users must have special Android apps, Internet.org's website, the Opera Mini web browser or Facebook's Android app. Until now, the Internet.org scheme had been
Internet Explorer Developer Channel - Early Access to Next-Generation Features For Developers

Internet Explorer Developer Channel - Early Access to Next-Generation Features For Developers

June 16, 2014Swati Khandelwal
In an effort to create more open and accessible atmosphere between the Internet Explorer team and the Web development community, Microsoft today announced the launch of The Developer Channel for Internet Explorer . Internet Explorer Developer Channel is a fully-functioning browser designed to provide Web programmers and early adopters an advance and better understanding of the features the team is currently working on and let them offer feedback before it reaches the broader public. " Today we're excited to announce the release of the Internet Explorer Developer Channel, a fully functioning browser designed to give Web developers and early adopters a sneak peek at the Web platform features we're working on, " Microsoft said in a blog post . Thankfully, Internet Explorer Developer Channel runs independently of the user's copy of IE and allows Web programmers to test newest Web technology and browser features without disrupting their current browser set
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.