website security | Breaking Cybersecurity News | The Hacker News

A Large number of WordPress websites were compromised in last two weeks with a new malware campaign spotted in the wild. WordPress , a Free and Open source content management system (CMS) and blogging tool, has been once again targeted by hackers at large scale. Researchers at Sucuri Labs have detected a " Malware Campaign " with an aim of getting access to as many devices they can by making innumerable WordPress websites as its prey. The Malware campaign was operational for more than 14 days ago, but it has experienced a massive increase in the spread of infection in last two days, resulted in affecting more than 5000 Wordpress websites. The Security researchers call this malware attack as " VisitorTracker ", as there exists a javascript function named visitorTracker_isMob() in the malicious code designed by cyber criminals. This new campaign seems to be utilizing the Nuclear Exploit Kit and uses a combination of hacked WordPress sites, hidden iframes and nu

Last fall the non-profit foundation EFF ( Electronic Frontier Foundation ) launched an initiative called Let's Encrypt that aimed at providing Free Digital Cryptographic Certificates (TLS) to any website that needs them. Today, Let's Encrypt – a free automated Open-source Certificate Authority (CA) – has signed its first certificate, hitting what it calls a major milestone to encrypt all of the Web. Let's Encrypt enables any Internet site to protect its users with free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates that encrypt all the data passed between a website and users. Not just free, but the initiative also makes HTTPS implementation easier for any website or online shopping site owner in order to ensure the security of their customers' data. "Forget about hours (or sometimes days) of muddling through complicated programming to set up encryption on a website, or yearly fees," EFF explains . "Let's Encr

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

The major tech companies including Google, Facebook, and Yahoo! have joined their hands to launch a new program meant to block fake web traffic by blacklisting flagged IP addresses. Today, majority of data center traffic is non-human or illegitimate, so to fight against this issue the Trustworthy Accountability Group (TAG) has announced a program that will tap into Google's internal data-center blacklist to filter bots. The new pilot program will reject traffic from web robots or bots by making use of a blacklist, cutting a significant portion of web traffic from within data centers, said Google Ad Manager Vegard Johnsen. Google or any other big tech firm maintains a Blacklist that lists suspicious IP addresses of computer systems in data centers that may be trying to trick the human into clicking on advertisements. Google's DoubleClick blacklist alone blocked some 8.9% of data-center traffic back in May. Facebook and Yahoo to Contribute Apart from Goo

The mysterious security vulnerability in the widely used OpenSSL code library is neither HeartBleed nor FREAK, but it's critical enough to be patched by sysadmins without any delay. OpenSSL Foundation released the promised patch against a high severity vulnerability in OpenSSL versions 1.0.1n and 1.0.2b, resolving a certificate forgery issue in the implementations of the crypto protocol. The critical vulnerability could allow man-in-the-middle attackers to impersonate cryptographically protected websites, virtual private networks, or e-mail servers, and snoop on encrypted Internet traffic. The vulnerability, ( CVE-2015-1793 ), is due to a problem lies in the certificate verification process. An error in its implementation skipped some security checks on new, untrusted certificates. By exploiting this vulnerability, an attacker could circumvent certificate warnings that enable them to force applications into treating an invalid certificate as a legitimate Certificat

Let's Encrypt , a project aimed to provide free-of-charge and easier-to-implement way to obtain and use a digital cryptographic certificates (SSL/TLS) to secure HTTPS website, is looking forward to issue its first digital certificates next month. With Let's Encrypt , any webmaster interested in implementing HTTPS for their services can get the certificates for free, which is a great move for encouraging people to encrypt their users' connections to their websites. Let's Encrypt is a combined effort of digital-era rights advocate Electronic Frontier Foundation (EFF), Mozilla Foundation , Cisco Systems , Internet content distributor Akamai Technologies , certificate provider IdenTrust and researchers from the University of Michigan . Generally, the process of implementation of an SSL certificate, including the need to obtain and install a certificate, is complicated for most web developers as it sounds. In most cases, the cost related issues force web adm

The Market of E-commerce websites is at its peak, as today people love to shop online to save their time. However, E-commerce and financial sites stand first in the rundown of potential victims as they manage financial exchanges. The traditional way to target victims of e-commerce sites is to use targeted "phishing" attacks via social media and emails. But… …due to increased awareness among the people about the threat of phishing attacks, hackers have now discovered new way — by malvertising legitimate websites where people assume to be safe and secure. We know: Today, there are many ready-to-use e-commerce platforms available on the Internet that are very easy to install and manage and that too at no extra cost; ' Magento ' is one of the most popular out of them. The most popular, the most targeted: Yes! Security researchers at Sucuri have found a malicious code inside the Magento e-commerce website that was intended to send all the data

Are you aware of everything that your users are accessing from your environment? While most of the time, non-work-related Internet browsing is harmless (looking at pictures of cats, online shopping, social media, etc.) there are some instances where you could be an unknowing and unwilling participant in criminal activity. That is, when users hide that activity via the Tor network , or the Dark Net . The Onion Router , better known as " Tor ", an open source project, launched in 2002, is designed to allow a user to browse the Internet anonymously via a volunteer network of more than 5000 relays. It doesn't share your identifying information like your IP address and physical location with websites or service providers. A user that navigate Internet using Tor , it's quite difficult to trace its activities ensuring his online privacy. There are arguably legitimate uses for this technology, such as providing Internet access in repressively regulated countri

Yahoo! has offered $24,000 to a security researcher for finding out and reporting three critical security vulnerabilities in its products including Yahoo! Stores and Yahoo!-hosted websites. While testing all the company's application, Mark Litchfield , a bug bounty hunter who often works with different companies, discovered three critical vulnerabilities in Yahoo!'s products. All the three vulnerabilities have now been fixed by Yahoo!. THREE CRITICAL SECURITY VULNERABILITIES The first and most critical vulnerability gives hackers full administrator access to Yahoo!'s e-commerce platform, Yahoo! Small Business , a portal that allows small business owners to create their own web stores through Yahoo! and sell merchandise. According to the researcher, the flaw in the service allowed him to fully administrator any Yahoo store and thereby gain access to customers' personally identifiable information, including names, email addresses, telephone numbers.

Good news for Internet folks! Get Ready as the entire web you know is about to change. The new and long-awaited version of HTTP took a major step toward becoming a reality on Wednesday – It is been officially finalized and approved. Mark Nottingham, chairman of the Internet Engineering Task Force (IETF) working group behind creating the standards, announced in a blog post that the HTTP 2.0 specifications have been formally approved. Now, the specifications will go through a last formality – Request for comment and editorial processes – before being published as a standard. LARGEST CHANGE IN HTTP OVER LAST 16 YEARS HTTP, or Hypertext Transfer Protocol, is one of the web standards familiar to most as the https:// at the beginning of a web address. HTTP protocol governs the connections between a user's browser and the server hosting a website, invented by the father of the web Sir Tim Berners-Lee. HTTP/2 is simply an update to the protocol, but is really a huge deal be

The popular copy and paste website ' Pastebin ' created a decade ago for software developers and even by hackers groups to share source code, dumps and stolen data, has more recently been leveraged by cyber criminals to target millions of users. Compromising a website and then hosting malware on it has become an old tactic for hackers, and now they are trying their hands in compromising vast majority of users in a single stroke. Researchers have discovered that hackers are now using Pastebin to spread malicious backdoor code. According to a blog post published yesterday by a senior malware researcher at Sucuri , Denis Sinegubko, the hackers are leveraging the weakness in older versions of the RevSlider , a popular and a premium WordPress plugin. The plugin comes packaged and bundled into the websites' themes in such a way that many website owners don't even know they have it. In order to exploit the vulnerability, first hackers look for a RevSlider plugin i

Many a time we deal with those strange words and phrases that ask us to type them back in plaintext while signing up for an account. Yes, those increasingly annoying CAPTCHAs !!, which are both time-consuming and sometimes very difficult to read. If you really are tired of these distorted series of characters then there is a good news for you. For the convenience of people, Google has re-introduced a new CAPTCHA system with full makeover called reCAPTCHA , in order to make it easy for users who squint their eyes and make errors while typing. This new CAPTCHA-like system will allow people into websites with only a single click. CAPTCHA actually stands for " Completely Automated Public Turing test to tell Computers and Humans Apart " which is used by online services and websites only to verify that you're not a robot and restricts various automated programs to sign-up Email accounts, cracking passwords , spam sending, privacy violation etc. However, now we'l

Another Heartbleed-like vulnerability has been discovered in the decade old but still widely used Secure Sockets Layer ( SSL ) 3.0 cryptographic protocol that could allow an attacker to decrypt contents of encrypted connections to websites. Google's Security Team revealed on Tuesday that the most widely used web encryption standard SSL 3.0 has a major security vulnerability that could be exploited to steal sensitive data. The flaw affects any product that follows the Secure layer version 3, including Chrome, Firefox, and Internet Explorer. Researchers dubbed the attack as " POODLE ," stands for Padding Oracle On Downgraded Legacy Encryption , which allows an attacker to perform a man-in-the-middle attack in order to decrypt HTTP cookies. The POODLE attack can force a connection to "fallback" to SSL 3.0, where it is then possible to steal cookies, which are meant to store personal data, website preferences or even passwords. Three Google security engineers - Bodo Möll

Yahoo! Contributors Network ( contributor.yahoo.com ), the network of authors that generated the contents such as photographs, videos, articles and their knowledge to more than 600 million monthly visitors, was vulnerable to a Time based Blind SQL Injection vulnerability. Behrouz Sadeghipour, a security researcher reported the Blind SQLi vulnerability in Yahoo! 's website that could be exploited by hackers to steal users' and authors' database, containing their personal information. Behrouz reported this flaw to Yahoo! Security team few months back. The team responded positively and within a month they patched the vulnerability successfully. Unfortunately after that Yahoo! announced to shut down ' Yahoo Contributors Network ' due to its decreasing popularity and removed all the contents from the web, except some of the "work for hire" content may remain on the web. The critical vulnerability was able to expose the database which carried sensitive and personal inform

The official website of the popular cross-platform JavaScript library jQuery (jquery.com) has been compromised and redirecting its visitors to a third-party website hosting the RIG exploit kit , in order to distribute information-stealing malware. JQuery is a free and open source JavaScript library designed to simplify the client-side scripting of HTML. It is used to build AJAX applications and other dynamic content easily. The popular JavaScript library is used by 30 percent of websites, including 70 percent of the top 10,000 most visited websites. James Pleger , Director of Research at Risk management software company RiskIQ , reported yesterday that the attack against jQuery.com web servers launched for a short period of time on the afternoon of September 18th. So, the users who visited the website on September 18th may have infected their system with data-stealing malware by redirecting users to the website hosting RIG. Pleger urged those who visited the site durin

Oracle's newly launched Data Redaction security feature in Oracle Database 12c can be easily disrupted by an attacker without any need to use exploit code, a security researcher long known as a thorn in Oracle's side said at Defcon. Data Redaction is one of the new Advanced Security features introduced in Oracle Database 12c. The service is designed to allow administrators to automatically protect sensitive data, such as credit card numbers or health information, during certain operations by either totally obscuring column data or partially masking it. But according to David Litchfield , a self-taught security researcher who found dozens and dozens of critical vulnerabilities in Oracle's products, a close look at this Data Redaction security feature help him found a slew of trivially exploitable vulnerabilities that an attacker don't even need to execute native exploit code to defeat the feature. David Litchfield is a security specialist at Datacomm TSS and th

World's largest Bitcoin poker website ' SealsWithClubs ' has been compromised and around 42,000 users' credentials are at risk. Seals With Club  has issued a  Mandatory Password Reset   warning to their users, according to a statement published on the website. The service admitted their database had been compromised and revealed that the data center used until November was breached, resulting 42,020 hashed password theft. " Passwords were salted and hashed per user, but to be safe every user MUST change their password when they next log in. Please do so at your earliest opportunity. If your Seals password was used for any other purpose you should reset those passwords too as a precaution. " and " Transfers may be disabled for a short period of time.". Seals With Clubs used SHA1 hash functions to encrypt the passwords, but SHA1 is outdated and easy to crack if not salted. ' StacyM ', a user then posted the hashed passwords on a web forum o

A German Security researcher has demonstrated a critical  vulnerability on Ebay website, world's biggest eStore. According to David Vieira-Kurz  discovered Remote code execution flaw " due to a type-cast issue in combination with complex curly syntax ", that allows an attacker to execute arbitrary code on the EBay's web server. In a demo video, he exploited this RCE flaw on EBay website, and managed to display output of phpinfo()  PHP function on the web page, just by modifying the URL and injecting code in that. According to an explanation on his blog , he noticed a legitimate URL on EBay: https://sea.ebay.com/search/?q=david&catidd=1  . . and modified the URL to pass any array values including a payload: https://sea.ebay.com/search/?q[0]=david&q[1]=sec{${ phpinfo() }}&catidd=1 Video Demonstration: But it is not clear at this moment that where the flaw resides on Ebay server, because how a static GET parameter can be converted to accept like an array