Search results for security | Breaking Cybersecurity News | The Hacker News

Android has Fallen! Yet another set of Android security vulnerabilities has been discovered in Qualcomm chipsets that affect more than 900 Million Android smartphones and tablets worldwide. What's even worse: Most of those affected Android devices will probably never be patched. Dubbed " Quadrooter ," the set of four vulnerabilities discovered in devices running Android Marshmallow and earlier that ship with Qualcomm chip could allow an attacker to gain root-level access to any Qualcomm device. The chip, according to the latest statistics, is found in more than 900 Million Android tablets and smartphones. That's a very big number. The vulnerabilities have been disclosed by a team of Check Point researchers at the DEF CON 24 security conference in Las Vegas. Critical Quadrooter Vulnerabilities: The four security vulnerabilities are: CVE-2016-2503 discovered in Qualcomm's GPU driver and fixed in Google's Android Security Bulletin for July

What is the difference between a penetration test and a red team exercise? The common understanding is that a red team exercise is a pen-test on steroids, but what does that mean? While both programs are performed by ethical hackers, whether they are in-house residents or contracted externally, the difference runs deeper. In a nutshell, a pen-test is performed to discover exploitable vulnerabilities and misconfigurations that would potentially serve unethical hackers. They primarily test the effectiveness of security controls and employee security awareness. The purpose of a red team exercise, in addition to discovering exploitable vulnerabilities, is to exercise the operational effectiveness of the security team, the blue team. A red team exercise challenges the blue team's capabilities and supporting technology to detect, respond, and recover from a breach. The objective is to improve their incident management and response procedures. The challenge with pen-testing and red te

Managing vulnerabilities in the constantly evolving technological landscape is a difficult task. Although vulnerabilities emerge regularly, not all vulnerabilities present the same level of risk. Traditional metrics such as CVSS score or the number of vulnerabilities are insufficient for effective vulnerability management as they lack business context, prioritization, and understanding of attackers' opportunities. Vulnerabilities only represent a small part of the attack surface that attackers can leverage. Initially, organizations used manual methods to address known security weaknesses, but as technology and cyber threats evolved, a more automated and comprehensive approach became necessary. However, legacy vulnerability management tools were designed primarily for compliance and modern tools still face challenges in prioritization and limited resources, especially in dynamic and agile cloud environments. Modern vulnerability management integrates security tools such as scanne

Early in 2024, Wing Security released its State of SaaS Security report , offering surprising insights into emerging threats and best practices in the SaaS domain. Now, halfway through the year, several SaaS threat predictions from the report have already proven accurate. Fortunately, SaaS Security Posture Management (SSPM) solutions have prioritized mitigation capabilities to address many of these issues, ensuring security teams have the necessary tools to face these challenges head-on. In this article, we will revisit our predictions from earlier in the year, showcase real-world examples of these threats in action, and offer practical tips and best practices to help you prevent such incidents in the future. It's also worth noting the overall trend of an increasing frequency of breaches in today's dynamic SaaS landscape, leading organizations to demand timely threat alerts as a vital capability. Industry regulations with upcoming compliance deadlines are demanding similar time-sens

InfoSec leaders tend to be a specific type. Their jobs require them to think of possible threats, take actions that may not pay immediate results, plan for unknown security risks, and react quickly when emergencies arise, often before the morning's first coffee. The high-stakes position also means that CISOs need to keep their knowledge and skills sharp – you can never really know what's around the corner. So, what can security leaders do to make sure they're prepared and hone their skills ahead of the next inevitable threat? Now, they can test themselves and their knowledge at a new website, 'The CISO Challenge' ( visit it here ). The website, launched by XDR provider Cynet, aims to let information security leaders test their cybersecurity mettle. The website features a challenge for InfoSec leaders (and those who are looking to become one) to test their knowledge in an exciting, high-stakes, realistic series of scenarios. The challenge consists of 25 scenario

Today Google has publicly revealed its new initiative called " Project Zero, " a team of Star Hackers and Bug Hunters with the sole mission to improve security and protect the Internet. A team of superheroes in sci-fi movies protect the world from Alien attack or bad actors, likewise  Project Zero is a dedicated team of top security researchers, who have been hired by Google to finding the most severe security flaws in software around the world and fixing them. PROTECT ZERO vs ZERO-DAY Project Zero gets its name from the term " zero-day ," and team will make sure that zero-day vulnerabilities don't let fall into the wrong hands of Criminals, State-sponsored hackers and Intelligence Agencies. " Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. " Chris Evans said , who was leading Google's Chrome security team and now will lead Pro

Security researchers from Ruhr University Bochum have discovered a vulnerability in the Secure Shell ( SSH ) cryptographic network protocol that could allow an attacker to downgrade the connection's security by breaking the integrity of the secure channel. Called  Terrapin  ( CVE-2023-48795 , CVSS score: 5.9), the exploit has been described as the "first ever practically exploitable prefix truncation attack." "By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it," researchers Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk  said . SSH is a  method  for securely sending commands to a computer over an unsecured network. It relies on cryptography to authenticate and encrypt connections between devices. This is accomplished by means of a handshake in which a client and server agree up

Google has announced a number of user-facing and under-the-hood changes in an attempt to boost privacy and security, including rolling out two-factor authentication automatically to all eligible users and bringing iOS-styled privacy labels to Android app listings. "Today we ask people who have enrolled in  two-step verification  (2SV) to confirm it's really them with a simple tap via a Google prompt on their phone whenever they sign in," the company  said . "Soon we'll start automatically enrolling users in 2SV if their accounts are appropriately configured." Google Play To Get Apple-Like Privacy Labels The Google Play Store for Android is also getting a huge overhaul on the privacy front. The search giant said it plans to include a new  safety section  for app listings that highlights the type of data being collected and stored — such as approximate or precise location, contacts, personal information, photos and videos, and audio files — and how the dat

Microsoft on Tuesday rolled out  security updates  to address a total of 44 security issues affecting its software products and services, one of which it says is an actively exploited zero-day in the wild. The update, which is the smallest release since December 2019, squashes seven Critical and 37 Important bugs in Windows, .NET Core & Visual Studio, Azure, Microsoft Graphics Component, Microsoft Office, Microsoft Scripting Engine, Microsoft Windows Codecs Library, Remote Desktop Client, among others. This is in addition to  seven security flaws  it patched in the Microsoft Edge browser on August 5. Chief among the patched issues is  CVE-2021-36948  (CVSS score: 7.8), an elevation of privilege flaw affecting Windows Update Medic Service — a service that enables remediation and protection of Windows Update components — which could be abused to run malicious programs with escalated permissions. Microsoft's Threat Intelligence Center has been credited with reporting the flaw

Threat actor groups like Wizard Spider and Sandworm have been wreaking havoc over the past few years – developing and deploying cybercrime tools like Conti, Trickbot, and Ryuk ransomware. Most recently, Sandworm (suspected to be a Russian cyber-military unit) unleashed cyberattacks against Ukranian infrastructure targets. To ensure cybersecurity providers are battle ready, MITRE Engenuity uses real-world attack scenarios and tactics implemented by threat groups to test security vendors' capabilities to protect against threats – the MITRE ATT&CK Evaluation. Each vendor's detections and capabilities are assessed within the context of the  MITRE ATT&CK Framework. This year, they used the tactics seen in Wizard Spider and Sandworm's during their evaluation simulations. And MITRE Engenuity didn't go easy on these participating vendors. As mentioned before – the stakes are too high, and risk is growing. The 2022 results overview To think about it simply, this MITRE ATT&CK Ev

Hacker Halted USA 2011 - 10 Reasons Why You Should Attend Hacker Halted is a global series of Computer and Information Security conferences presented by EC-Council. The objective of the Hacker Halted conferences is to raise international awareness towards increased education and ethics in IT Security. The event is currently in its 14th year. Also present at Hacker Halted is EC-Council's H@cker Halted | Academy, trainings and workshops led by EC-Council instructors and trainers. Hacker Halted returns to Miami for the 3rd year in a row will be held in Miami on 25th and 27th October 2011. Participate and be part of one of the world's most recognized information security conference. Gain perspective through keynote addresses on the current state of information security as well as emerging trends and threats. An information security conference with a comprehensive agenda. Choose from the various focused tracks covering critical domains of information security. Match your informati

Arab Countries websites urged to Increase Security Against Israeli Hackers Recent hacking attacks online have gotten the attention of the world's media outlets in a big way. What has been reported as beginning as a youth led hacker attack against an Israeli website quickly escalated when six Israeli hackers decided to strike back. The initial attack was against a sports themed web site based in Israel and exposed the credit card and personal information of a number of nationals in that country.  The response, exposed the credit card and personal details of more than 50,000 people in Arab countries such as Saudi Arabia. While this current episode is rather tame in comparison to the Stuxnet virus which hit Iran in June of 2010, which ended up destroying several centrifuges inside an Iranian nuclear facility. Experts say that the web application security of Arab web sites must be increased if they are to be prepared for the potential cyber warfare that Israeli hackers could one day

Google has started rolling out this month's security updates for its mobile operating system platform to address a total of 33 new security vulnerabilities affecting Android devices, 9 of which have been rated critical in severity. The vulnerabilities affect various Android components, including the Android operating system, framework, library, media framework, as well as Qualcomm components, including closed-source components. Three of the critical vulnerabilities patched this month reside in Android's Media framework, the most severe of which could allow a remote attacker to execute arbitrary code on a targeted device, within the context of a privileged process, by convincing users into opening a specially crafted malicious file. "The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypas

Update: ' Hack The Pentagon ' has opened registration for its pilot bug bounty program of $150,000 for hackers in return for the vulnerabilities they find in its public facing websites. The Defense Department has enlisted the bug bounty startup HackerOne to manage the pilot program. Interested hackers can Register Now to participate in the Bug Bounty program. The United States Department of Defense (DoD) has the plan to boost their internal and network security by announcing what it calls "the first cyber Bug Bounty Program in the history of the federal government," officially inviting hackers to take up the challenge. Dubbed " Hack the Pentagon ," the bug bounty program invites the hackers and security researchers only from the United States to target its networks as well as the public faced websites which are registered under DoD. The bug bounty program will begin in April 2016, and the participants could win money (cash rewards)

You might have heard the latest news about Microsoft blocking new security patches and updates for Windows 7 and Windows 8.1 users running the latest processors from Intel, AMD, Qualcomm, and others. Don't panic, this new policy doesn't mean that all Windows 7 and 8.1 users will not be able to receive latest updates in general because Microsoft has promised to support Windows 7 until 2020 , and Windows 8.1 until 2023. But those who have upgraded their machines running older versions of Windows to the latest processors, or manually downgraded their new laptops to run Windows 7/8.1 would be out of luck. A recently published Microsoft Knowledge Base article suggests that if you are running the older version of operating systems on your computers that feature new processors, including Intel's 7th generation Core i3, i5 and i7 ("Kaby Lake"), AMD Ryzen ("Bristol Ridge") and Qualcomm 8996 chips or later, the security updates will not install. Inste

Is TrueCrypt Audited Yet? Yes, In Part!  One of the world's most-used open source file encryption software trusted by tens of millions of users - TrueCrypt is being audited by a team of experts to assess if it could be easily exploited and cracked. Hopefully it has cleared the first phase of the audit and given a relatively clean bill of health. TrueCrypt is a free, open-source and cross-platform encryption program available for Windows, OSX and Linux that can be used to encrypt individual folders or encrypt entire hard drive partitions including the system partition.  The program is also capable to do some amazing things, such as can create a hidden operating system on a computer, essentially an OS within an OS where users can keep their most secret files. EVERYONE HAS SOMETHING TO HIDE TrueCrypt developers are anonymous and used the aliases " ennead " and " syncon ", perhaps to avoid unwelcome attention from their own governments. But when we talk about Privacy an

#Security Alert : Facebook Two-Factor Authentication fail ! Last year Facebook has launched a security feature called Login Approvals or two-factor authentication. This is a follow-up security update regarding Facebook Login from Facebook. They have already integrated Facebook login email alerts to get notification emails or SMS messages whenever a suspicious person uses your Facebook account from a different location. Christopher Lowson , on his blog explains the Facebook Two-Factor Authentication, which is really another biggest fail of Facebook Security. But that feature is not enough to ensure your account's security and that is why Facebook has launched "Login Approvals". This feature is very similar with Google 2-step verification which associates a mobile device with your Facebook account and authenticates the login by sending a verification code at your mobile phone device. According to this feature, When user will logging into your Facebook account from a new device, a

Apple has announced a new post-quantum cryptographic protocol called  PQ3  that it said will be integrated into iMessage to secure the messaging platform against future attacks arising from the threat of a practical quantum computer. "With compromise-resilient encryption and extensive defenses against even highly sophisticated quantum attacks, PQ3 is the first messaging protocol to reach what we call Level 3 security — providing protocol protections that surpass those in all other widely deployed messaging apps," Apple  said . The iPhone maker described the protocol as "groundbreaking," "state-of-the-art," and as having the "strongest security properties" of any cryptographic convention deployed at scale. PQ3 is the latest security guardrail erected by Apple in iMessage after it switched from  RSA  to Elliptic Curve cryptography ( ECC ), and by protecting encryption keys on devices with the Secure Enclave in 2019. While the current algorith

Chinese hackers not only attacked key federal departments: they also cracked into the computer system of the House of Commons, targeting MPs with large ethnic Chinese constituencies, CTV News has learned. Sources say Canada's secret cyber spy agency -- the Communications Security Establishment -- tracked the hacking operation to the Chinese embassy in Ottawa and to computer servers in Beijing. Toronto MP Derek Lee said Canada needs to show it's capable of fighting back. "It's unacceptable and I think we should hold out some threat -- a counter-strike threat," he said. But Canada might be falling behind when it comes to defending -- and retaliating -- against such attacks. Britain spends $1 billion on cyber security and the United States $55 billion, while Canada has a budget of $90 million. Meanwhile, security experts say the Chinese hackers who have targeted Canadian government computers are just the latest in a wave of cyberspace spies, and Ottawa needs to bols