The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Security expert Dan Melamed discovered a critical vulnerability in Facebook platform that allow an attacker to take complete control over any account. The vulnerability is considered critical because it would allow a hacker to hack potentially any Facebook account. Dan Melamed presented the discovery on his blog . Dan demonstrated that how a hacker can reset the victim's account password just by tricking him to visit a malicious exploit code. The flaw affects the Facebook " claim email address " component. When an user tries to add an email address already registered to Facebook platform, he has the option to " claim it ". The loophole exists here, when user claim an email address, Facebook did not check from whom the request came from. This allows an email to be claimed on any Facebook account. The exploit is possible provided that: An existing account having the email address that the attacker wants to claim. Another existing account to initiate the claim p...

" Ransomware " may be a term you haven't heard before. This type of criminal malware, which spread around the world on PCs in 2012, encrypts some or all the files on a computer and holds them for ransom and  Cyber thieves have already made millions through such methods. Ransomware is no longer all about computers. It has evolved to now target mobile devices, specifically Androids platform. For a hacker, a pop up message is just one more way to steal money by sending fake alerts and serious warnings that scare a user into making a payment. For example, in the case of PCs, we have encountered malware that encrypts crucial data on a user's hard disk, asking the victim to pay a sum to the attacker in order to recover his/her data. Last year in November at many Hacking Conferences, Security Researcher Mohit Kumar ( @Unix_Root ) already demonstrated one the most sophisticated android malware called " Android Malware Engine ", one of its kind yet ...

According to a secret agreement it signed in 2001 with the FBI and US Department of Justice - Telstra, Australia's largest phone company is storing huge volumes of electronic communications it carried between Asia and the US for potential surveillance by US intelligence agencies. The contract was prompted by Telstra's undersea telecommunications joint venture called Reach . Undersea cabling " physically located in the United States, from which Electronic Surveillance can be conducted pursuant to Lawful US Process. " The document also specifies the facility should be run exclusively by US staff.  The document was signed by Douglas Gration, a barrister who was then Telstra's company secretary and official liaison for law enforcement and national security agencies. The venture also guaranteed it would be able to provide U.S. authorities with copies of stored data, call logs, subscriber information, and billing data, according to the document. Those were to be sto...

Whistleblower Edward Snowden made a public appearance yesterday at a Moscow airport, beside a staff member of the Wikileaks organization, met with representatives of a half-dozen or so human rights groups. Snowden has not been seen in public and was stuck in the transit area of Moscow's Sheremetyevo Airport since arriving there on June 23 from Hong Kong . A 30 second video posted on youtube, which did not name the source for this clip. Notable because no press were permitted inside, and no video was allowed. Snowden said that he wants asylum in Russia before moving on to Latin America and assailing U.S. surveillance programs as illegal and immoral, but Immigration officials in Russia say they've not received any application from Edward Snowden . As Snowden explained it Friday, he disputes the notion that his actions are doing damage to the United States. As a result, Putin's condition doesn't apply. Snowden said that he has received offers of asylum...

In 2010 the Indian authorities threatened to shut down BlackBerry's infrastructure unless it agreed to comply with lawful access requirements providing the government a way to intercept messages in order to prevent terrorist attacks. The long time dispute between the Indian government and BlackBerry over monitoring, tracking and interception is now resolved. Blackberry is ready to provide the Indian authorities with a way to lawful intercept consumers' messages sent and received on its platform including mails and peripherals, chats and browsing history on BlackBerry devices. But BlackBerry Enterprise Server has been left out of the interception solution which means corporate emails won't be under scrutiny. According to an internal document of the Department of Telecommunications (DoT), nine out of 10 telecom networks offering Blackberry services were in the process of making it possible for authorities to carry out intercepts. Blackberry train 5 ...

A Clickjacking vulnerability existed on LinkedIn that allowed an attacker to trick users for sharing and posting links on behalf of victim. Narendra Bhati(R00t Sh3ll), Security Analyst at Cyber Octet informed us about LinkedIn Bug.  Clickjacking , also referred as "User Interface redress attack" is one type of website hacking technique where an attack tricks a web user into clicking a button, a link or a picture, etc. that the web user did not intend to click, typically by overlaying the web page with an iframe. Flaw allows attacker to open LinkedIn page  https://www.linkedin.com/shareArticle? , used to share links and articles summary, in a hidden iframe. Proof of Concept:  1.) Semi Transparent Iframe Layers : 2.) Fully activated page with zero Transparency ifarme: Video Demonstration: Many countermeasures have been described that help web users protect against clickjacking attacks. X-FRAME-OPTIONS is a browser-based defense method. In order to bring...

New top secret documents provided by Edward Snowden exposed that Microsoft worked hand-in-hand with the United States government and handed the NSA access to encrypted messages and built a series of backdoors into Outlook.com, Skype, and SkyDrive to ease difficulties in accessing online communications. Over the last three years, Microsoft has reportedly assisted the FBI and NSA in encryption bypassing its products' encryption that would otherwise prevent the interception of web chats, emails, and user data. The documents obtained by The Guardian show that: Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal; The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail; The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users world...

An Android malware is spreading around WhatsApp messenger called ' Priyanka '. It changes all your groups names to Priyanka, and may also change your contact names to Priyanka. Apparently, the malware doesn't actually harm Android devices, but it is very annoying and it spreads manually, relying on victims to accept and install a contact file from a friend, named " Priyanka, ". Just in this week this virus started infecting WhatsApp users. If you receive a contact file from a friend, named 'Priyanka' and install it, your WhatsApp will be infected. If you receive the contact file but don't accept it, nothing will happen. Follow below steps to remove the virus, if your are infected: Go to your contacts, search for Priyanka and DELETE it Go to Settings on your phone Select Apps or App manager and then select Whatsapp from the list Tap on Force stop and then on Clear data Once done. Open Whatsapp on your phone and it'll show up as you've j...

Social networking sites are unfortunately now major interest to malicious cyber criminals, spreading malware and building botnet army to steal money direct from your keyboards. Janne Ahlberg, a security professional from Finland found and analysed an interesting piece of malicious code, offered as browser plugin, and infecting system to steal passwords from user's browser and also modifies the original Pinterest Pins links to spam with malicious links automatically. A diet spam on Pinterest redirecting users to a malicious site with domain name  pinteresf.org , plausible-looking domain name, like original Pinterest with similar appearance. On page load, it triggers a pop up message to all incoming visitors, offering to download " Pinterest Tool " as shown in screenshots " To continue, install our Pinterest Tool and enjoy more features of our site. " Janne's investigation claims that, this fake site offering a fake malware loaded browser plugin,...

Google and Microsoft are at each other's throats again. In a recent statement, Microsoft says hackers have been actively exploiting a vulnerability that was publicly disclosed by a Google researcher,  Tavis Ormandy . Microsoft addressed the vulnerability in its monthly " Patch Tuesday " package of fixes for July. Tavis Ormandy revealed the vulnerability in Windows 7 and 8 allows local users to obtain escalated privileges , making it easier for a hacker to compromise a system. Ormandy has been criticized by Microsoft and some in the security community who subscribe to the practice that a vulnerability shouldn't be made public until a software maker has an opportunity to fix it. Ormandy said that Microsoft " treat vulnerability researchers with great hostility " and are " often very difficult to work with ". He also advised researchers to use pseudonyms when dealing with the software giants. In 2012, Tavis accused Sophos of " poor development prac...

On Tuesday, The Foundation for Internet Domain Registration (.NL) in the Netherlands (SIDN) was compromised and some malicious files were uploaded to their server by hackers. According to a blog post ,  SQL injection vulnerability was used to compromise one of the website ( 25jaarvan.nl ) on same server initially, that allows hacker to temporarily access to the domain name registration system. " The DRS web application was shut down and zone file publication was temporarily suspended. ", company said. " As a result of our precautionary action, some areas of the website that registrars use to download registrarship-related data have been unavailable since Tuesday evening. " In another cyber attack on Tuesday, several Belgium websites was also got defaced by another group of hackers. Domain Registrar behind Belgium i.e DNS.be was compromised by attackers. The hackers were able to infiltrate and modify a DNS server, pointing all of the websites...

A major vulnerability has been discovered in the U.S. Emergency Alert System , researchers have warned.that could allow hackers to break into the system and broadcast fake messages to the United States. According to a new report by security firm IOActive, U.S. Emergency Alert System, the system used to broadcast to the United States in times of national crisis can be hacked remotely by hackers. Recent firmware update of DASDEC-I and DASDEC-II application servers disseminated the secure shell (SSH) keys, that allows anyone with limited knowledge to log in at the root level of the server. Technically, compromising the DASDEC systems doesn't sound too difficult. In that scenario, an attacker could take over the system and issue emergency messages. Monroe Electronics was notified about vulnerabilities in its equipment in January and the company's internal development team developed a software update that was made available in March. The Emergency Alert S...