The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

After providing the glimpses of the next Windows, one of the screenshot leakers has now obtained a short video showing off a build of the very new Windows 9 , aka "Threshold , " features as well as how users can expect to use it. Two German sites, ComputerBase and WinFuture , posted 20 screenshots on Thursday of what purports to be next major version of Windows, presumably called Windows Threshold that Microsoft recently distributed to its partners, giving us a closer look at Microsoft's next platform. Now, there's a video on YouTube , provided by German publication WinFuture, which shows how the returning feature might work in the next iteration of the Operating System. As calculated from the screenshots, the video doesn't provide any major new information about Windows 9, but pretty much confirms what we expected. The video gives Windows' users a first look at the new Start menu in action. It also shows off three new features in Windows 9: ...

Yahoo! has broke its silence and explained why it handed over its users' data to United States federal officials, thereby promising to expose those court documents which ordered the snooping. The US government threatened Internet giant with a $250,000 fine per day several years ago if it failed to comply with National Security Agency 's notorious PRISM Surveillance program, according to unclassified court documents released by Yahoo! on Thursday. " The released documents underscore how we had to fight every step of the way to challenge the US Government's surveillance efforts ," the company's general counsel Ron Bell said on Yahoo's Tumblr page . " At one point, the US Government threatened the imposition of $250,000 in fines per day if we refused to comply. " The documents released by Yahoo! shed new lights on the NSA's secret surveillance program PRISM, which was previously leaked from the agency's confidential documents provided by Global su...

Gmail credentials leaked online? Oh my God! Again I have to change my password…!! Yes, you heard right. Millions of Gmail account credentials (email address and password) have been stolen and made publicly available through an online forum, causing a large number of users worldwide to change their Gmail password again. The website that published the email addresses with matching passwords is Russian. The credentials seem to be old and likely sourced from multiple data breaches. It is believed that the leaked passwords are not necessarily those used to access Gmail accounts, but seem to have been gathered from other websites where users used their Gmail addresses to register. 5 MILLION GMAIL CREDENTIALS LEAKED ONLINE The news broke when a user posted a link to the log-in credentials on Reddit frequented by hackers, professional and aspiring. But the archive file containing nearly 5 million Gmail addresses and plain text passwords was posted on Russian Bitcoin secur...

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.  A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.  All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access. Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource t...

The informational systems that the National Oceanic and Atmospheric Administration (NOAA) run are loaded with several critical vulnerabilities that could leave it vulnerable to cyber attacks. According to the findings of an audit recently conducted by the Department of Commerce's Office of the Inspector General (OIG), the Joint Polar Satellite System's (JPSS) ground system is vulnerable to a large number of high-risk vulnerabilities. The JPSS ground system is used to collect data from several polar-orbiting weather satellites, and distribute the information to users worldwide. This system also provides command, control and data processing for current and future weather satellites. But, the vulnerabilities identified in the system could impair technology controlling the United States' next generation of polar-orbiting environmental satellites. " Our analysis of the JPSS program's assessments of system vulnerabilities found that, since FY 2012, the number of high-ris...

In an intent to move one step forward from others, China is planning to launch a facial recognition payment application with near-perfect accuracy that enables users to authorize their online transactions just by showing a picture of themselves. Chinese researchers from the Chongqing-based research institute have developed a facial recognition system that can pick faces from a crowd with 99.8 percent accuracy from 91 angles. CHINA FACE-RECOGNITION PAYMENT SYSTEM TO LAUNCH IN 2015 Academic at the Chongqing Institute of Green has set up the world's biggest Asian face database displaying more than 50 million Chinese faces. The database was compiled with help from the University of Illinois and the National University of Singapore. The face-recognition payment system is not completely developed at the moment and will come into application by the Chinese Academy of Science (CAS) in 2015. This system will let users to interlink their bank accounts or credit cards with ...

Researcher has discovered a new Timing attack that could unmask Google users under some special conditions. Andrew Cantino, the vice president of engineering at Mavenlink, detailed his attack in a blogpost st week. According to him, the attack could be used by an attacker to target a particular person or organization. A cyber criminal could share a Google document with an email address, un-checking the option by which Google sends the recipient a notification. TIMING ATTACK USED TO DE-MASK TOR USER'S IDENTITY Now, using timing attack exploit technique, a cyber criminal could figure out when someone logged into any one of the shared addresses visits the their site, Cantino said. An attacker could even use this attack in spear phishing campaigns or even could unmask the identity of Tor users if they're logged in to Google while using the Tor browser . Timing attack can allow to unmask targeted Google users as they browse the web. Cantino said the attack is straightforwa...

The official website of a prominent Israel-based, Middle East foreign policy-focused think tank, the Jerusalem Center for Public Affairs (JCPA) , has been compromised and abused by attackers to distribute malware . The Israeli think tank website JCPA – an independent research institute focusing on Israeli security, regional diplomacy and international law – was serving the Sweet Orange exploit kit via drive-by downloads to push malware onto the computers of the website's visitors by exploiting software vulnerabilities, researchers from security firm Cyphort reported on Friday. The Sweet Orange is one of the most recently released web malware exploitation kits, available for sale at selected invite-only cyber crime friendly communities and has been around for quite some time. However, Sweet Orange has also disappeared but in October 2013, shortly after the arrest of Paunch, the author of BlackHole , experts observed a major increase in the use of Sweet Orange. The ...

So far, we all are well aware of the fact that Chinese have had a past filled with cases of Cyber Crime. China is the world's largest exporter of IT goods, but it has been criticized by many countries due to suspected backdoors in its products, including United States which has banned its several major government departments, including NASA, Justice and Commerce Departments, from purchasing Chinese products and computer technology. The new exposure indicates the same. Chinese Government is running a man-in-the-middle (MitM) cyber attack campaign on SSL encrypted traffic between the country's education network and Google. In an effort to monitor its users of China Education and Research Network (CERNET) , Chinese authorities has started intercepting encrypted traffic to and from Google's servers, the non-profit organization GreatFire reported on Thursday. However, just like many other foreign websites, Google is blocked in China. Because Google is one of the vast and v...

As far, you have probably heard about the biggest digital exposure of private and very personal nude photographs of as many as 100 female celebrities including Jenny McCarthy, Kristin Dunst, Mary E Winstead, and Oscar winner Lawrence and Kate Upton, that was surfaced on notorious bulletin-board 4chan, and anonymous image board AnonIB over the weekend. It was believed that the group of hackers allegedly taken celebrities photos from their Apple iCloud backups after their iCloud accounts were compromised, but users of devices running Google's Android could have been targeted too. A forum post on anonymous image board AnonIP shows that the group of hackers may have used a cloned Flappy Bird app to steal and collect the naked photos of females from their Android devices and then send them to remote servers. Experts believe that the group may have been stealing and trading nude and very personal photos of more than 100 female celebrities for more than two years, gather...

Likes.com, one of the emerging social networking site and popular image browsing platform, is found vulnerable to several critical vulnerabilities that could allow an attacker to completely delete users' account in just one click. Likes.com is a social networking website that helps you to connect with people you like and make new friends for free. Just like any other social place, users can always follow their favorite tag or people who catch their fancy. It is much easier to use and is designed for those who want to look at pictures different people upload. An independent security researcher Mohamed M. Fouad from Egypt has found a series of critical security vulnerabilities in the Likes website that really pose danger to its users. The vulnerabilities he found not only have capability to add any post, comment to users' account as well as delete users' account, but the vulnerabilities can be escalated to deface entire website by posting malicious URLs and delete all use...

In the wake of the biggest digital exposure of personal nude selfies belonging to as many as 100 high-profile celebrities, Apple said the company plans to add extra security measures to keep hackers out of user accounts. Not just this, the company also plans to extend its two-factor authentication (2FA) feature to account logins to the iCloud service from mobile device in order to avoid future intrusions. APPLE BROADEN SECURITY WITH NEW RELEASE The company's chief executive, Tim Cook told the Wall Street Journal in an interview that the company will introduce more features to tighten up the security of its users' online accounts, but he " aggressively encourage " users to be more alert to the risks posed by cyber criminals, as you can't leave everything on the service providers. " We want to do everything we can do to protect our customers, because we are as outraged if not more so than they are, " Cook told the Journal. Apple will give alerts to users via emails a...

Researchers have uncovered a new social engineering trick that leads users to a malicious extension from Google Chrome impersonating to deliver Adobe's Flash Player in order to lure victims in a click fraud campaign. Security experts at TrendMicro believe that the malware is triggered by opening Facebook or Twitter via shortened links provided in any social networking websites. Once clicked, the links may lead victims to a site that automatically downloads the malicious browser extension . MALWARE INVOLVES DOWNLOADING MULTIPLE MALICIOUS FILES The process is quite complicated as the malware drops a downloader file which downloads multiple malicious files on the victim's computer. Moreover, the malicious program also has ability to bypass Google's recent security protection added to Chrome against installation of browser extensions that are not in Chrome Web Store. Researchers came across a baiting tweet that advertises " Facebook Secrets ", claiming to show videos...