The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Two Researchers have discovered a couple of vulnerabilities in Signal , the popular end-to-end encrypted messaging app recommended by whistleblower Edward Snowden. One of those vulnerabilities could allow potential attackers to add random data to the attachments of encrypted messages sent by Android users, while another bug could allow hackers to remotely crash vulnerable devices. The vulnerabilities have just been patched, but the updated version of Signal is yet available on the Github open source repository, and not on the Google's official Play Store for Android apps, leaving millions of privacy conscious people vulnerable to attacks. That means, if you have installed Signal messaging app via Google Play Store, like other millions of Android users, you are still vulnerable to hackers. Developed by open source software group Open Whisper System, Signal is a free and open source messaging application specifically designed for Android and iOS users to make secure and e...

Note — Don't miss an important update at the bottom of this article, which includes an official statement from Xiaomi . Do you own an Android Smartphone from Xiaomi, HTC, Samsung, or OnePlus? If yes, then you must be aware that almost all smartphone manufacturers provide custom ROMs like CyanogenMod, Paranoid Android, MIUI and others with some pre-loaded themes and applications to increase the device's performance. But do you have any idea about the pre-installed apps and services your manufacturer has installed on your device?, What are their purposes? And, Do they pose any threat to your security or privacy? With the same curiosity to find answers to these questions, a Computer Science student and security enthusiast from Netherlands who own a Xiaomi Mi4 smartphone started an investigation to know the purpose of a mysterious pre-installed app, dubbed AnalyticsCore.apk , that runs 24x7 in the background and reappeared even if you delete it. Xiaomi is one of the ...

Should you put a tape or a sticker over the lens of your laptop's webcam? Yes, even Facebook CEO Mark Zuckerberg and FBI Director James Comey do that. Covering your laptop's webcam might be a hell cheap and good idea to guard against hackers and intruders who might want to watch your private life and environment through your devices. In fact, Comey recently came out defending his own use of tape to cover his personal laptop's webcam. People Are Responsible for Their Safety, Security & Privacy During a conference at the Center for Strategic and International Studies, when Comey was asked that he still put tape over his cameras at home, he replied: "Heck yeah, heck yeah. And also, I get mocked for a lot of things, and I am much mocked for that, but I hope people lock their cars… lock your doors at night. I have an alarm system. If you have an alarm system you should use it, I use mine." Comey went on to explain that it was common practice at ...

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.  A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.  All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access. Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource t...

Another Day, Another Data Breach! And this time, it's worse than any recent data breaches. Why? Because the data breach has exposed plaintext passwords, usernames, email addresses, and a large trove of other personal information of more than 6.6 Million ClixSense users. ClixSense, a website that claims to pay users for viewing advertisements and completing online surveys, is the latest victim to join the list of " Mega-Breaches " revealed in recent months, including LinkedIn , MySpace , VK.com , Tumblr , and Dropbox . Hackers are Selling Plaintext Passwords and Complete Website Source Code More than 2.2 Million people have already had their personal and sensitive data posted to PasteBin over the weekend. The hackers who dumped the data has put another 4.4 Million accounts up for sale. In addition to un-hashed passwords and email addresses, the dump database includes first and last names, dates of birth, sex, home addresses, IP addresses, payment histories,...

Why waiting for researchers and bug hunters to know vulnerabilities in your products, when you can just throw a contest for that. Google has launched its own Android hacking contest with the first prize winner receiving $200,000 in cash. That's a Hefty Sum! The contest is a way to find and destroy dangerous Android vulnerabilities before hackers exploit them in the wild. The competition, dubbed ' The Project Zero Prize ,' is being run by Google's Project Zero, a team of security researchers dedicated to documenting critical bugs and making the web a safer place for everyone. What's the Requirements? Starting Tuesday and ending on March 14, 2017, the contest will only award cash prizes to contestants who can successfully hack any version of Android Nougat on Nexus 5X and 6P devices. However, the catch here is that Google wants you to hack the devices knowing only the devices' phone numbers and email addresses. For working of their exploits, contes...

In Brief You should not miss this month's Patch Updates, as it brings fixes for critical issues in Adobe Flash Player, iOS, Xcode, the Apple Watch, Windows, Internet Explorer, and the Edge browser. Adobe has rolled out a critical update to address several issues, most of which are Remote Code Execution flaws, in its widely-used Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. Whereas, Microsoft has released 14 security updates to fix a total of 50 vulnerabilities in Windows and related software. First of all, if you have Adobe Flash Player installed and have not yet updated your software plugin, you are playing with fire. Critical Flash Vulnerabilities Affect Windows, Mac, Linux and ChromeOS Adobe has released its l atest round of security patches to address critical vulnerabilities in Adobe Flash Player for Windows, Mac OS X, Linux and ChromeOS. The Flash vulnerabilities could potentially allow an attacker to take control of the vulnerable system. So, users are ...

Around 324,000 users have likely had their payment records stolen either from payment processor BlueSnap or its customer Regpack ; however, neither of the company has admitted a data breach. BlueSnap is a payment provider which allows websites to take payments from customers by offering merchant facilities, whereas RegPack is a global online enrollment platform that uses BlueSnap to process the financial transactions for its online enrollments. The data breach was initially reported on July 10, when a hacker published a link on Twitter, pointing to a file containing roughly 324,000 records allegedly stolen from Waltham, Massachusetts-based BlueSnap. The tweet has since been deleted, but Australian security expert Troy Hunt took a copy of it for later review to analyze the data and after analyzing, he discovered that the leaked payment records are most likely legitimate. Payment Card Data Including CVV Codes Leaked The data contains users' details registred between 10...

Bluetooth Low Energy, also known as Bluetooth Smart or Bluetooth 4, is the leading protocol designed for connecting IoT devices, medical equipment, smart homes and like most emerging technologies, security is often an afterthought. As devices become more and more embedded in our daily lives, vulnerabilities have real impact on our digital and physical security. Enter the Bluetooth lock, promising digital key convenience with temporary and Internet shareable access. The problem is, almost all of these locks have vulnerabilities, easily exploited via Bluetooth! DEF CON always has the coolest new hacks and security news, and this year was no exception. The hacking conferences are a great way to get a pulse on the general status of the security world, what people are interested in, worried about, or looking to exploit. This year clearly had an uptick in Internet of Things (IoT) devices and ways to hack them. Obviously, we had to go and take a look at the Bluetooth lock hack, and...

What would it take for hackers to significantly disrupt the US' 911 emergency call system? It only takes 6,000 Smartphones. Yes, you heard it right! According to new research published last week, a malicious attacker can leverage a botnet of infected smartphone devices located throughout the country to knock the 911 service offline in an entire state, and possibly the whole United States, for days. The attacker would only need 6,000 infected smartphones to launch automated Distributed Denial of Service (DDoS) attacks against 911 service in an entire state by placing simultaneous calls from the botnet devices to the emergency numbers. However, as little as 200,000 infected mobile phones could knock the 911 emergency call system offline across the entire US. Where does the Problem Lies? Researchers from Ben-Gurion University of the Negev's Cyber-Security Research Center say the problem is in the fact that current US Federal Communications Commission (FCC) regula...

Two critical zero-day vulnerabilities have been discovered in the world's 2nd most popular database management software MySQL that could allow an attacker to take full control over the database. Polish security researcher Dawid Golunski has discovered two zero-days, CVE-2016-6662 and CVE-2016-6663, that affect all currently supported MySQL versions as well as its forked such as MariaDB and PerconaDB. Golunski further went on to publish details and a proof-of-concept exploit code for CVE-2016-6662 after informing Oracle of both issues, along with vendors of MariaDB and PerconaDB. Both MariaDB and PerconaDB had fixed the vulnerabilities, but Oracle had not. The vulnerability (CVE-2016-6662) can be exploited by hackers to inject malicious settings into MySQL configuration files or create their own malicious ones. Exploitation Vector The above flaw could be exploited either via SQL Injection or by hackers with authenticated access to MySQL database (via a network conne...