The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Critical Sqli Vulnerability in channel [V] Website A 16 years old White Hat Hacker " Arjun Siyag " from India discover a Critical Sqli Vulnerability in channel [V] Website ( https://www.channelv.in ). Proof of the hack is as shown in above image. Hacker disclose only the admin username and password, which will not effect the admin panel directly,because for login Email ID is required.  SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organisations. It is perhaps one of the most common application layer attack techniques used today. Through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs are not properly sanitised (i.e., made invulnerable) and sent directly with the SQL query to the database. SQL Injection vulnerabilities provide the means for a hacker to communicate directly to the database. ...

Serious Tumblr Cross Site Scripting Vulnerability can be used to Spread Worms Two Indian Security Researchers Aditya Gupta ( @adi1391 ) and Subho Halder ( @sunnyrockzzs ) have found a serious Cross Site Scripting vulnerability in one of the most famous social networking websites Tumblr. This could be used to steal the cookies of the authenticated user, as well as could be used to make a worm, like the one seen in MySpace (Samy Worm) and Orkut (Bom Sabado) earlier. " We have also tried to contact them via Twitter and mail earlier, but no response from their side. So we have decided to release it. Well, not exactly, where the vulnerability is, but just to let them know that it is vulnerable ." Tumblr is the one of the most popular social networking websites worldwide, and is ranked 37th by Alexa.

Last.fm Confirms They Were Hacked , Change Your Passwords Now After this week's LinkedIn fiasco, it appears the latest tech giant to fall to bored hackers is Last.fm. Music-streaming website Last.fm is the latest organisation to urge its users to change their passwords immediately. The London-based site, owned by CBS, said in an advisory that it was currently investigating a possible leak of passwords but did not provide any further details. The dating site said it is "continuing to investigate" but "as a precaution" has reset affected members passwords.Affected members will receive an email with instructions on how to reset their passwords.eHarmoney, which brands itself as "#1 Trusted Online Dating Site for Singles" has around 20 million registered online users. The breach was confirmed by Last.fm on their official Twitter account overnight, and comes amidst a backdrop of similar breaches, including at LinkedIn where up to 8 million passwords may ha...

Anonymous India takes down MTNL website The hacker-group Anonymous has struck again in India. This time the victim is the MTNL website. The group posted on their website, saying, " We are against Internet Cencorship. Instead of blocking few URLs the ISP blocked the whole domain of various file sharing websites. The HC Madras, DoT didn't isssue any list of websites to be blocked still ISP supported internet censorship. " MTNL's corporate website could not be accessed, following the attack since afternoon and officials said efforts were underway to restore it. MTNL Delhi, Deputy - GM (Internet), Deepak Sharma said it was not hacking but 'denial of service attack' under which the server is unable to provide services to the customers. Anonymous has called for non-violent protests across several cities in India on June 9 to protest against what it alleges as 'censorship' of the internet. It accused the department of telecom of instructing the Internet Service Providers (I...

LinkedIn Confirms Millions of Account Passwords Hacked LinkedIn Wednesday confirmed that at least some passwords compromised in a major security breach correspond to LinkedIn accounts. Norweigan IT website Dagens IT first reported the breach, noting that "Two days ago a package on the 6.5 million encrypted passwords posted on a Russian hacker site. Vicente Silveira, Director at LinkedIn, confirmed the hack on the company's blog Wednesday afternoon and outlined steps that LinkedIn is taking to deal with the situation. He wrote that those with compromised passwords will notice that their LinkedIn account password is no longer valid. "It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," Linkedn director Vicente Silveira said in the blog post. The file only contains password...

Researchers bypass Google Bouncer Android Security Google's Android platform has become the most popular mobile operating system both among consumers and malware writers, and the company earlier this year introduced the Bouncer system to look for malicious apps in the Google Play market. Bouncer, which checks for malicious apps and known malware, is a good first step, but as new work from researchers Jon Oberheide and Charlie Miller shows, it can be bypassed quite easily and in ways that will be difficult for Google to address in the long term. Bouncer is an automated process that scans apps for known malware, spyware, and Trojans, and looks for suspicious behaviors and compares them against previously analyzed apps. If malicious code or behavior is detected, the app is flagged for manual confirmation that it is malware. " This screencast shows our submitted app handing us a connect-back shell on the Bouncer infrastructure so that we can explore and fingerprint its envir...

Flame Malware Spread Via Rogue Microsoft Security Certificates Microsoft released an emergency Windows update on Sunday after revealing that one of its trusted digital signatures was being abused to certify the validity of the Flame malware that has infected computers in Iran and other Middle Eastern Countries. The patch revoked three intermediate Microsoft certificates used in active attacks to "spoof content, perform phishing attacks, or perform man-in-the-middle attacks".Microsoft also killed off certificates that were usable for code signing via Microsoft's Terminal Services licensing certification authority (CA) that ultimately "chained up" to the Microsoft Root Authority.The authority issued certificates for users to authorise Remote Desktop services in their enterprises. The Microsoft blog post explains that a vulnerability in an old cryptography algorithm is exploited by some elements of Flame to make them appear as if they originated from Microsoft. Most systems around t...

SwaggSec gained access to China Telecom and Warner Bros A hacking group is claiming to have breached the networks of Warner Bros. and China Telecom, releasing documents and publishing login credentials. Swagg Security, or SwaggSec, the same hacker collective that breached Foxconn a few months ago to highlight the poor working conditions, has made its comeback. The hacking group posted on their Twitter account (under the name Swagg Security) that they had acquired access to the databases of both sites, as well as posted a statement on Pastebin . The group has allegedly stolen documents and login credentials, which were then posted to Pirate Bay . The torrent file posted by SwaggSec on The Pirate Bay doesn't contain only the administrator details from China Telecom, but also some other information taken from their databases. SwaggSec said the China Telecom data is 900 user names and passwords for administrators on the company's network. The information was obtained through an in...

UGNazi hackers attack on CloudFlare via a flaw in Google After the FBI arrested Cosmo, the alleged leader of the UGNazi hacking group, the hackers attacked CloudFlare via a flaw in Google's two-factor authentication system. The CloudFlare hack allowed UGNazi to change the DNS for 4chan, so visitors to the site were redirected to a UGNazis Twitter account. Hackers were able to infiltrate the personal Gmail account of CloudFlare CEO Matthew Prince. "The attack was the result a compromise of Google's account security procedures that allowed the hacker to eventually access to my CloudFlare.com email addresses, which runs on Google Apps," CloudFare's CEO Matthew Prince shared . According to the statement on Pastebin , the hackers are not sorry for attacking 4chan.  4chan.org is the playground that allows pedophiles to share their "collections" and the disgusting bronies to hang out. The site is loosely monitored and child porn threads are allowed to ...

The Deep Web (or Invisible web) is the set of information resources on the World Wide Web not reported by normal search engines. According several researches the principal search engines index only a small portion of the overall web content, the remaining part is unknown to the majority of web users. What do you think if you were told that under our feet, there is a world larger than ours and much more crowded? We will literally be shocked, and this is the reaction of those individual who can understand the existence of the Deep Web , a network of interconnected systems, are not indexed, having a size hundreds of times higher than the current web, around 500 times. Very exhaustive is the definition provided by the founder of BrightPlanet, Mike Bergman, that compared searching on the Internet today to dragging a net across the surface of the ocean: a great deal may be caught in the net, but there is a wealth of information that is deep and therefore missed. Ordinary...

NSA intercepting 1.7 billion American electronic communications daily Since 9/11, the Agency has been able to "spy" on electronic communications without the need for court-approved warrants. The group has a large complex in Utah that cost $2 billion and holds the data. In 2006 the New York Times revealed that the Bush administration was eavesdropping on the electronic communications of Americans without the warrants required by law. The American Civil Liberties Union has created an infographic for mass distribution that shows some scary figures related to the U.S. National Security Agency. Four years ago Congress authorized the electronic surveillance of suspected terrorists and foreign agents located outside the United States, with provisions that supporters said would adequately protect the privacy of Americans. The only positive aspect of the FISA Amendments Act of 2008 was that the Congress imposed a four-year sunset provision on the powers it authorized. That sunse...

New Jersey mayor arrested for hacking recall website The FBI last week arrested the mayor of the northern New Jersey town of West New York, together with his son, on charges of hacking into a website and a related email account that called for the mayor's recall. Felix Roque, 55, the mayor of West New York, N.J., was arrested with his son, Joseph Roque, 22. They were released on $100,000 personal bond after neither entered a plea. According to the criminal complaint filed against Felix Roque and his son, on 2 February 2012 the two men began to conspire to hack into and disable a website called www.recallroque.com. Joseph Roque then allegedly performed a password reset for the Go Daddy account used to administer recallroque.com. This allowed him to cancel the domain name and effectively disable the website, the FBI agent said in the affidavit. The conspiracy and unauthorised computer access charges each carry a maximum possible sentence of five years in prison and a fine of u...