The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A years-old vulnerability has been discovered in the way several security products for Mac implement Apple's code-signing API that could make it easier for malicious programs to bypass the security check, potentially leaving millions of Apple users vulnerable to hackers. Josh Pitts, a researcher from security firm Okta, discovered that several third-party security products for Mac—including Little Snitch, F-Secure xFence, VirusTotal, Google Santa, and Facebook OSQuery—could be tricked into believing that an unsigned malicious code is signed by Apple. Code-signing mechanism is a vital weapon in the fight against malware, which helps users identify who has signed the app and also provides reasonable proof that it has not been altered. However, Pitts found that the mechanism used by most products to check digital signatures is trivial to bypass, allowing malicious files bundle with a legitimate Apple-signed code to effectively make the malware look like it has been signed by...

Despite warnings about the threat of leaving insecure remote services enabled on Android devices, manufacturers continue to ship devices with open ADB debug port setups that leave Android-based devices exposed to hackers. Android Debug Bridge (ADB) is a command-line feature that generally uses for diagnostic and debugging purposes by helping app developers communicate with Android devices remotely to execute commands and, if necessary, completely control a device. Usually, developers connect to ADB service installed on Android devices using a USB cable, but it is also possible to use ADB wirelessly by enabling a daemon server at TCP port 5555 on the device. If left enabled, unauthorized remote attackers can scan the Internet to find a list of insecure Android devices running ADB debug interface over port 5555, remotely access them with highest "root" privileges, and then silently install malware without any authentication. Therefore, vendors are recommended to make...

Due to the surge in cryptocurrency prices, not only hackers but also legitimate websites and mobile apps are increasingly using cryptocurrency miners to monetize by levying the CPU power of your PC and phones to mine cryptocurrencies. However, Apple wants to protect your Mac and iPhone battery from shady cryptocurrency mining apps, and therefore, the company has put restrictions on such apps by disallowing them in its official App Store. The company has updated the Hardware Compatibility section of its App Store guidelines, which now explicitly restrict iOS and Mac apps and ads from mining cryptocurrency in the background. "Apps, including any third party advertisements displayed with them, may not run unrelated background processes, such as cryptocurrency mining," the updated guidelines read. The update reportedly occurred last week, possibly in response to popular Mac app Calendar 2 that bundled a Monero (XMR) miner in with its premium upgrade that unlocked ...

The United States Department of Justice announced Monday the arrest of 74 email fraudsters across three continents in a global crackdown on a large-scale business email compromise (BEC) scheme. The arrest was the result of a six-month-long operation dubbed " Operation Wire Wire " that involved the US Department of Justice, the US Department of Homeland Security, the US Treasury, and the US Postal Inspection Service. The international law enforcement authorities led by the FBI arrested 42 of the total 74 individuals involved in BEC scheme in the United States, 29 in Nigeria and 3 each in Canada, Mauritius, and Poland. "Foreign citizens perpetrate many BEC scams. Those individuals are often members of transnational criminal organizations, which originated in Nigeria but have spread throughout the world," the DoJ says. Moreover, the authorities seized nearly $2.4 million and recovered about $14 million in fraudulent transfers, according to the FBI, which estima...

China no longer owns the fastest supercomputer in the world; It is the United States now. Though China still has more supercomputers on the Top 500 list, the USA takes the crown of "world's fastest supercomputer" from China after IBM and the U.S. Department of Energy's Oak Ridge National Laboratory (ORNL) unveiled " Summit ." Summit is claimed to be more than twice as powerful as the current world leader with a peak performance of a whopping 200,000 trillion calculations per second—that's as fast as each 7.6 billion people of this planet doing 26.3 million calculations per second on a calculator. Until now the world's most powerful supercomputer was China's Sunway TaihuLight with the processing power of 93 petaflops (93,000 trillion calculations per second). Since June 2012, the U.S. has not possessed the world's most powerful supercomputer, but if Summit performs as claimed by IBM, it will be made straight to the top of the Top5...

It's no secret that expecting security controls to block every infection vector is unrealistic. For most organizations, the chances are very high that threats have already penetrated their defenses and are lurking in their network. Pinpointing such threats quickly is essential, but traditional approaches to finding these needles in the haystack often fall short. Now there is a unique opportunity for more feasible, more effective threat hunting capabilities, and it stems from a most unusual effort: rethinking the approach to wide area networking. When we look at the cyber kill-chain today, there are two major phases—infection and post-infection. Security experts acknowledge that organizations can get infected no matter how good their security controls are. The simple fact is, infection vectors change rapidly and continuously. Attackers use new delivery methods – everything from social engineering to zero-day exploits – and they often are effective. In most cases, an infecti...

Security researchers have been warning about cybercriminals who have made over 20 million dollars in just past few months by hijacking insecurely configured Ethereum nodes exposed on the Internet. Qihoo 360 Netlab in March tweeted about a group of cybercriminals who were scanning the Internet for port 8545 to find insecure geth clients running Ethereum nodes and, at that time, stole 3.96234 units of Ethereum cryptocurrency (Ether). However, researchers now noticed that another cybercriminal group have managed to steal a total 38,642 Ether, worth more than $20,500,000 at the time of writing, in past few months by hijacking Ethereum wallets of users who had opened their JSON-RPC port 8545 to the outside world. Geth is one of the most popular clients for running Ethereum node and enabling JSON-RPC interface on it allows users to remotely access the Ethereum blockchain and node functionalities, including the ability to send transactions from any account which has been unlocked b...

Have you recently bought a OnePlus 6? Don't leave your phone unattended. A serious vulnerability has been discovered in the OnePlus 6 bootloader that makes it possible for someone to boot arbitrary or modified images to take full admin control of your phone—even if the bootloader is locked. A bootloader is part of the phone's built-in firmware and locking it down stops users from replacing or modifying the phone's operating system with any uncertified third-party ROMs, ensuring the system boots into the right operating system. Discovered by security researcher Jason Donenfeld of Edge Security , the bootloader on OnePlus 6 is not entirely locked, allowing anyone to flash any modified boot image on to the handset and take full control of your phone. In a video demonstration, Donenfeld showed how it is possible for an attacker with physical access to OnePlus 6 to boot any malicious image using the ADB tool's fastboot command, giving the attacker complete control ove...

In its years-long efforts to censor the Internet by blocking access to a large number of websites in the country, Russia has now approved a new bill introducing fines for search engines that provide links to banned sites, VPN services , and anonymization tools . VPNs, or Virtual Private Networks , are third-party services that help users access block banned websites by encrypting users' Internet traffic and routing it through a distant connection, hiding their location data and access sites that are usually restricted or censored by a specific country. According to the amendments to the Code of Administrative Offenses of the Russian Federation, besides introducing fines for providing links to banned resources, the lower house of Russian parliament, the State Duma, will also impose fines on search engines if they fail to stop issuing links to resources providing up-to-date database of blocked domains upon users request. According to the bill, individuals who break the law ...

Facebook admits as many as 14 millions of its users who thought they're sharing content privately with only friends may have inadvertently shared their posts with everyone because of a software bug. Facebook said in front of Congress in March over the Cambridge Analytica scandal that "every piece of content that you share on Facebook you own, you have complete control over who sees it and how you share it," but the news came out to be another failure of the company to keep the information of millions of users private. Facebook typically allows users to select the audiences who can see their posts, and that privacy setting remains the default until the user itself manually updates it. However, the social media giant revealed Thursday that it recently found a bug that automatically updated the default audience setting for 14 million users' Facebook posts to "Public," even if they had intended to share them just with their friends, or a smaller group...

If you have already uninstalled Flash player, well done! But if you haven't, here's another great reason for ditching it. Adobe has released a security patch update for a critical vulnerability in its Flash Player software that is actively being exploited in the wild by hackers in targeted attacks against Windows users. Independently discovered last week by several security firms—including ICEBRG ,  Qihoo 360  and Tencent—the Adobe Flash player zero-day attacks have primarily been targeting users in the Middle East using a specially crafted Excel spreadsheet. "The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers," Qihoo 360 published vulnerability analysis in a blog post. The stack-based buffer overflow vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 29.0.0.171 and earlier versions on ...

Marcus Hutchins , the British malware analyst who helped stop global Wannacry menace , is now facing four new charges related to malware he allegedly created and promoted it online to steal financial information. Hutchins, the 24-year-old better known as MalwareTech, was arrested by the FBI last year as he was headed home to England from the DefCon conference in Las Vegas for his alleged role in creating and distributing Kronos between 2014 and 2015. Kronos is a Banking Trojan designed to steal banking credentials and personal information from victims' computers, which was sold for $7,000 on Russian online forums, and the FBI accused Hutchins of writing and promoting it online, including via YouTube. Hutchins pleaded not guilty at a court hearing in August 2017 in Milwaukee and release on $30,000 bail. However, earlier this week, a revised superseding indictment [ PDF ] was filed with the Wisconsin Eastern District Court, under which Hutchins faces four new charges alo...