
The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Hacker steal 16000 unencrypted credit cards & 3.6 million Social Security numbers

Oct 26, 2012
The South Carolina Department of Revenue has announced that millions of Social Security numbers and debit/credit card numbers have been compromised. Hackers from outside the United States recently penetrated the website for South Carolina's Department of Revenue and reportedly made off with 3.6 million Social Security numbers and 16,000 unencrypted credit and debit card numbers. According to the statement, investigators discovered that a hacker attempted to access the system several times in August and September. The statement said it is believed the hacker successfully obtained data for the first time in mid-September. "We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected." Haley says Friday was the earliest they could announce the breach to allow law enforcement personnel to do their jobs and keep the chance of catching the hacker. Haley says the...
Anonymous hacks 20 million accounts to promote Operation Jubilee

Oct 26, 2012
Anonymous hackers claimed that they compromised over 20 million user accounts worldwide this year to promote Operation Jubilee. Large community web sites were targeted to gain access to users' contact information. Many administrators denied that their databases were at risk while all their data was being downloaded. The reason for one of the largest hacking campaigns in history is to rally people to cancel debt and end the economic crisis. Earlier this month Operation Jubilee came into public view after several popular police forums were defaced. Members of the police forums received e-mails inviting them to join the Operation. News of the defacements spread quickly with the help of social media platforms. Until these events, Operation Jubilee was virtually unknown to the general population. Unbeknownst to the public, large web sites had already been under attack for months. Operation Jubilee is a peaceful protest to take place on the 5th of November in front of Parliament...
Hacker leaks source code of NASA website belongs to US Government computer

Oct 26, 2012
A hacker going by the name "LegitHacker97" claims that he successfully accessed a NASA subdomain website that actually belongs to a US Government computer, as mentioned on the homepage: "***** WARNING ***** This is a US Government computer". The hacker also dumped an 82.51 MB (compressed, or 337 MB uncompressed) archive on the internet five days ago, which includes the complete source code of the website (in ASP). After seeing the pastebin note, we tried to contact the hacker to collect more information about the hack. The hacker described it to The Hacker News via mail: "This was hacked by a major LFI vulnerability which allowed me to upload my own shell (backdoor to the site) and I took advantage of it by downloading all of the website!". He added, "But now vulnerability is fixed". I downloaded the dump from the link posted by the hacker in the pastebin note and tried to match the files with the NASA website and subdomains, and found that these files actually belo...
Securing Agentic AI: How to Protect the Invisible Identity Access

Jul 15, 2025 | Automation / Risk Management
AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere, often with a high-privilege API key, OAuth token, or service account that defenders can't easily see. These "invisible" non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers. Astrix's Field CTO Jonathan Sander put it bluntly in a recent Hacker News webinar: "One dangerous habit we've had for a long time is trusting application logic to act as the guardrails. That doesn't work when your AI agent is powered by LLMs that don't stop and think when they're about to do something wrong. They just do it."

Why AI Agents Redefine Identity Risk

Autonomy changes everything: An AI agent can chain multiple API calls and modify data without a human in the loop. If the underlying credential is exposed or overprivileged, each addit...
Patriot Hacker 'The Jester' list his all time favorite Open Source Intelligence toolset

Oct 26, 2012
Most readers have a question in mind: how do hackers know everything about their target? How do they dox (find personal information about) someone? The answer is Open Source Intelligence (OSINT). A patriot hacker, 'The Jester' (or "th3j35t3r"), who made his name after harassing the Anonymous activist group, disrupting WikiLeaks and stalking "jihadist" sites, has finally listed his all-time favorite Open Source Intelligence (OSINT) toolset. Open Source Intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. The hacker posted a list of some freely available tools on his blog, including Maltego, Creepy, Spokeo, CaseFile, and FoxOne Scanner (Jester's Edition). OSINT is defined by both the U.S. Director of National Intelligence and the U.S. Department of Defense, as "produced from publicly available information that is co...
Critical infrastructure managing software vulnerable to Unauthorized access

Oct 25, 2012
Reid Wightman from security firm IOActive reported that there is an undocumented backdoor in CoDeSys, software that is used to manage equipment in power plants, military environments, and nautical ships. The bug allows malicious hackers to access sensitive systems without authorization, Ars said. The CoDeSys tool will grant a command shell to anyone who knows the proper command syntax and inner workings, leaving systems that are connected to the public Internet open to malicious tampering. There is absolutely no authentication needed to perform this privileged command, Reid mentioned. This software has been used in industrial control systems sold by 261 different manufacturers. 3S-Smart Software Solutions designs CoDeSys and recently issued an advisory that recommends users set a password, but he was able to develop two exploit shells: one is codesys-shell.py (to get the CoDeSys command shell wit...
WikiLeaks releases hacked US military detention policies

Oct 25, 2012
The whistleblowing website WikiLeaks is, from tonight, releasing more than 100 U.S. Defense Department files detailing military detention policies in camps in Iraq and at Guantanamo Bay in the years after the September 11 attacks on U.S. targets: "The Detainee Policies". In a statement, WikiLeaks criticized regulations it said had led to abuse and impunity and urged human rights activists to use the documents to research what it called policies of unaccountability. WikiLeaks says it plans to release the files in chronological order to paint a picture of the evolution of America's military detainee practices. WikiLeaks founder Julian Assange said: "The 'Detainee Policies' show the anatomy of the beast that is post-9/11 detention, the carving out of a dark space where law and rights do not apply, where persons can be detained without a trace at the convenience of the U.S. Department of Defense. It shows the excesses of the early days of war against an unknown...
Smartphone wireless chipset vulnerable to DoS attack

Oct 25, 2012
Security researcher Andres Blanco from CoreSecurity discovered a serious vulnerability in two Broadcom wireless chipsets used in smartphones. Broadcom Corporation is a global innovation leader in semiconductor solutions for wired and wireless communications. Broadcom BCM4325 and BCM4329 wireless chipsets have been reported to contain an out-of-bounds read error condition that may be exploited to produce a denial-of-service condition. Other Broadcom chips are not affected. The CVE ID assigned to the issue is CVE-2012-2619. In the advisory, they reported that this error can be leveraged for a denial-of-service attack and possibly information disclosure. An attacker can send an RSN (802.11i) information element, which causes the Wi-Fi NIC to stop responding. Products containing BCM4325 chipsets: Apple iPhone 3GS, Apple iPod 2G, HTC Touch Pro 2, HTC Droid Incredible, Samsung Spica, Acer Liquid, Motorola Devour, Ford Edge (yes, it's a car). Product...
Anonymous Hackers leaks 1.35GB Italian State Police Data

Oct 25, 2012
Italian Anonymous hackers have released 1.35 gigabytes of data from the Italian State Police (Polizia di Stato). The hack was announced on Monday via The Official Blog of Italy Anonymous. The data was uploaded as a torrent and is available for download. The group has started a campaign named #AntiSecITA. "Anonymous group in Italy appears less active with respect to other countries, and this has misled those who have been victims of their attacks. Too many Italian security professionals consider the group as a disorganized collective unable to cause serious problems to the political reality of the country," Security Affairs mentioned. The hackers uploaded a sample folder that contains assorted material from the archives, like details about wiretaps from Telecom Italia and confidential technical information about interception devices. Information taken from state police servers and portals includes police reports, mobile phone numbers, personal email, information on salaries, and s...
New windows malware can target smart cards for full remote access

Oct 25, 2012
If you think that having a USB token smartcard is extremely secure for digital signatures or other activities, you may be wrong! The research done by Paul Rascagneres can remotely give an attacker access to a victim's smartcard! What makes the attack unique is that it uses a keylogger to get the PIN or password, exports the complete USB device in raw form to a command and control (C&C) server, and uses a device driver to let the attacker use the victim's smartcard remotely! The attack also impacts the eID (Belgium identity card) and millions of USB tokens used for digital signatures in India by directors, secretaries and CA firms for filing returns and signing corporate documents! With the research to be showcased at MalCon next month, we asked Paul a few questions: Does the malware infect the PC or the smartcard? - The malware infects the PC, not the hardware. So the attacker can use the smartcard of the victim remotely? - Exactly, the attacker can remotely use a smartcard connected to an infected computer. What makes...
Anonymous deface UK Police forum and Dating Portal

Oct 24, 2012
Yesterday Anonymous defaced the UK Police Online web forum (https://www.ukpoliceonline.co.uk) and stole the private email addresses of various members. The Metropolitan Police's e-Crime unit is investigating the hack and said that no computer system run by the police force had been hacked. The hack was originally announced by an Anonymous Twitter account, Operation Jubilee (OpJubilee), which posted a mirror URL of the defaced page. This hack was one part of OpJubilee. Anonymous Operation Jubilee: under this, there will be a rally of millions of people to Parliament, London on the 5th of November 2012. As planned, this will be a peaceful gathering at the Parliament Building in London to declare the true jubilee. The hackers sent out emails to the former officers whose details were obtained during the hack, with the subject line: "A message to the police and armed forces". Message body: "Hello members of our UK police and armed forces" and called for recipie...