The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

British government surveillance agency GCHQ – counterpart of NSA – has fired-up another debate over the Internet by launching Android application to encourage teenagers to tackle emerging cybersecurity threats. The newly launched Android app , dubbed " Cryptoy ", was developed by STEM (science, technology, engineering and maths) students on an industrial year placement at GCHQ. The Cryptoy app was highly appreciated and liked by GCHQ at the Cheltenham Science Festival that they made it available to download today. The app is designed mainly to tempt youngsters between the ages of 14 and 16 into trying their hand in cryptography and code-breaking, but can be used by anyone interested in cryptography. According to GCHQ , Cryptoy app will help users to understand basic encryption methods, teach the codes of the past, and create their own encrypted messages. The app allows users to share these encoded messages by using four code-breaking techniques – Shift, Subs...

Alibaba Group has patched a major security vulnerability in one of its e-commerce portals that exposed account details of tens of millions of Merchants and shoppers to cyber criminals. An Israeli application security firm, AppSec Labs, found a Cross site scripting (XSS) vulnerability in AliExpress, the company's English language e-commerce site that was found vulnerable to similar flaw a week ago that compromised personal information of Alibaba customers. The flaw was fixed shortly after Cybermoon security firm disclosed it to Alibaba. AliExpress is an online marketplace owned by Chinese E-Commerce giant Alibaba.com, also known as Google of China. The company serves more than 300 Million active users from more than 200 countries including the U.S., Russia and Brazil. But the critical vulnerability found by the researcher could allow an attacker to hijack merchant's account. Using AliExpress XSS vulnerability an attacker can inject any malicious payload script as v...

Sony Pictures Entertainment hack that started at the end of the last month and so far has caused a severe damage to its reputation as well as resources, from internal system shutdown to upcoming movies and scripts leak. Now, a similar cyber attack against Casino operator Las Vegas Sands Corp has been revealed that occurred on February 2014. The cyber attack occurred on this year's February but the details of damages to the casino was not publicized until Bloomberg Businessweek exposed it in a story on Thursday. Hackers crippled thousands of servers and computers across the network of the giant Las Vegas Sands Corp. by wiping them with highly destructive malware. The hack attack was believed to be in response to the statement given by the chief executive officer and largest shareholder of Las Vegas Sands Corp., Sheldon Adelson . On October 2013, the billionaire made a statement at the Manhattan campus of Yeshiva University that Iran should be bombed to get the country to ...

We are living in an era of smart devices that we sync with our smartphones and make our lives very simple and easy, but these smart devices that inter-operates with our phones could leave our important and personal data wide open to hackers and cybercriminals. Security researchers have demonstrated that the data sent between a Smartwatch and an Android smartphone is not too secure and could be a subject to brute force hacks by attackers to intercept and decode users' data, including everything from text messages to Google Hangout chats and Facebook conversations. Well this happens because the bluetooth communication between most Smartwatches and Android devices rely on a six-digit PIN code in order to transfer information between them in a secure manner. Six-digit Pin means approx one million possible keys, which can be easily brute-forced by attackers into exposing entire conversations in plain text. Researchers from the Romania-based security firm Bitdefender ca...

The massive hacking attack against Sony Pictures Entertainment has reached a more scarier phase following another huge leak of sensitive, confidential documents revealing celebrity contact details and upcoming film scripts. The so-called Guardians of Peace (GoP) group taking responsibility for the massive hack attack against Sony Pictures Entertainment claimed to have released a new trove of more confidential data including private information of its employees, celebrity phone numbers and their travel aliases, film budgets, upcoming film scripts and many more. By the end of past two weeks before Sony Pictures Entertainment faced cyber attacks that shut down the company's computer system, the group revealed nearly 40 GB of data which contained confidential information of Sony employees such as salaries, addresses, and the US Social Security Numbers. Also, high-quality versions of five newest films distributed by Sony Pictures were also leaked online. On Monday, s...

The Pirate Bay — an infamous Torrent website predominantly used to share copyrighted material such as films, TV shows and music files, free of charge — went dark from the internet on Tuesday after Swedish Police raided the site's server room in Stockholm and seized several servers and other equipment. The piracy site knocked offline worldwide on Tuesday morning and remained unavailable for several hours, but the site appeared back online in the late hours with a new URL hosted under the top-level domain for Costa Rica. Paul Pintér , national coordinator for IP enforcement for the Swedish police, issued only a brief statement on Tuesday, saying that the operation was " a crackdown on a server room in Greater Stockholm" that was "in connection with violations of copyright law. " The raid was also confirmed by Fredrik Ingblad , a prosecutor who specializes in file-sharing cases on behalf of the Swedish government, although he would not share furthe...

Last week Microsoft released its Advance Notification for the month of December 2014 Patch Tuesday Updates, and finally today released a total of seven security bulletins, which will address several vulnerabilities in its products, out of which three are marked 'critical' and rest are 'important' in severity. Last month after a big pile of security patches , the company released an an unusual emergency patch to fix a critical vulnerability in Microsoft Windows Kerberos KBC, authentication system used by default in the operating system, that cybercriminals exploited to compromise whole networks of computers. The three critical bulletins affect Internet Explorer, Office and Windows. All the versions of Microsoft Internet Explorer (IE) are affected except Server Core, which does not include IE. The critical zero-day IE vulnerability (CVE-2014-8967) was discovered by security researcher Arthur Gerkis of Zero Day Initiative (ZDI) in June this year. By explo...

POODLE , a critical SSL flaw discovered in October that was patched and fixed by webmasters around the world after Google alerted software and hardware vendors, has again made its way and this time the vulnerability affects implementations of the newer Transport Layer Security (TLS) protocol . Yes, the serious POODLE vulnerability that affected the most widely used web encryption standard Secure Sockets Layer (SSL) 3.0 has once again returned and is likely to affect some of the most popular web sites in the world — including those owned or operated by Bank of America, the US Department of Veteran's Affairs, and Accenture. POODLE (Padding Oracle On Downgraded Legacy Encryption) flaw, disclosed two months ago by Google security team, allowed attackers to perform Man-in-the-Middle (MitM) attack in order to intercept traffic between a user's browser and an HTTPS website to decrypt sensitive information, like the user's authentication cookies. Now, the dangerous flaw ...

Security researchers have discovered a highly nasty Linux trojan that has been used by cybercriminals in state sponsored attack in order to steal personal, confidential information from government institutions, military and pharmaceutical companies around the world. A previously unknown piece of a larger puzzle called " Turla ," one of the most complex Advanced Persistent Threats (APTs) uncovered by researchers at Kaspersky Lab in August, remained hidden on some systems for at least four years. The malware was notable for its use of a rootkit that made it extremely hard to detect. The German security company G Data believed that Turla campaign is linked to Russia and has in the past exploited a variety of Windows vulnerabilities, at least two of which were zero-days, to infect government institutions, embassies, military, education, research, and pharmaceutical companies in more than 45 countries. Recently, security researchers from Moscow-based Kaspersky Lab...

Security researchers have discovered a number of critical vulnerabilities in the Java environment of the Google App Engine (GAE) that enables attackers to bypass critical security sandbox defenses. Google App Engine is Google's PaaS (Platform as a Service) Cloud computing Platform for developing and hosting web applications in Google-managed data centers. GAE offers to run custom-built programs using a wide variety of popular languages and frameworks, out of which many are built on the Java environment. The vulnerabilities was reported by Security Explorations, the same security research company that carried out multiple researches related to Java in past. The discovery was announced on the Full Disclosure security mailing list by Adam Gowdiak , founder and CEO of Security Explorations. According to the security firm, the flaws can be exploited by attackers to achieve a complete Java VM security sandbox escape, as well as to execute an arbitrary code. The researchers ...

A critical, but easily exploitable personal information disclosure vulnerability has been discovered in the widely popular online marketplace AliExpress website that affects its millions of users worldwide. The reported vulnerability could allow anyone to steal personal information of hundreds of millions of AliExpress users without knowing their account passwords. AliExpress is an online marketplace owned by Chinese E-Commerce giant Alibaba.com , which offers more than 300 Million active users from more than 200 countries and regions to order items in bulk or one at a time at low wholesale prices. Amitay Dan , an Israeli application security researcher working at Cybermoon.cc, reported the vulnerability to The Hacker News after providing full disclosure of the flaw to the AliExpress team and Israeli media. According to the Proof-of-Concept video and screenshots provided by the security researcher to The Hacker News , AliExpress website allows logged in user to add...

Malware authors are trying hard to create malicious software with more innovative ways to infect victims. A new mobile Trojan horse infection has been discovered by security researchers that comes pre-loaded onto low-cost Chinese-made Android smartphones popular in Asia and Africa. The trojan, dubbed DeathRing , is a Chinese Trojan that masquerades as a ringtone app and comes pre-installed onto some cheap Android smartphones most popular in Asian and African countries including Vietnam, Indonesia, India, Nigeria, Taiwan, and China. DeathRing malware app cannot be uninstalled or removed by the end user or by antimalware software because it comes pre-installed in the system directory of the handsets at an unknown point within the supply chain, making the threat even more severe. WHAT DOES DEATHRING DO? Though the malware pretends to be a genuine ringtone app, but actually downloads SMS and WAP content from its command-and-control server to the victim's handset, which ...