The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Hell Yeah! Another security vulnerability has been discovered in Intel chips that affects the processor's speculative execution technology—like Specter and Meltdown —and could potentially be exploited to access sensitive information, including encryption related data. Dubbed Lazy FP State Restore , the vulnerability (CVE-2018-3665) within Intel Core and Xeon processors has just been confirmed by Intel, and vendors are now rushing to roll out security updates in order to fix the flaw and keep their customers protected. The company has not yet released technical details about the vulnerability, but since the vulnerability resides in the CPU, the flaw affects all devices running Intel Core-based microprocessors regardless of the installed operating systems, except some modern versions of Windows and Linux distributions. As the name suggests, the flaw leverages a system performance optimization feature, called Lazy FP state restore, embedded in modern processors, which is resp...

Cortana, an artificial intelligence-based smart assistant that Microsoft has built into every version of Windows 10, could help attackers unlock your system password. With its latest patch Tuesday release , Microsoft has pushed an important update to address an easily exploitable vulnerability in Cortana that could allow hackers to break into a locked Windows 10 system and execute malicious commands with the user's privileges. In worst case scenario, hackers could also compromise the system completely if the user has elevated privileges on the targeted system. The elevation of privilege vulnerability, tracked as CVE-2018-8140 and reported by McAfee security researchers, resides due to Cortana's failure to adequately check command inputs, which eventually leads to code execution with elevated permissions. "An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status," Microsoft explain...

You probably have come across many websites that let you install browser extensions without ever going to the official Chrome web store. It's a great way for users to install an extension, but now Google has decided to remove the ability for websites to offer "inline installation" of Chrome extensions on all platforms. Google announced today in its Chromium blog that by the end of this year, its Chrome browser will no longer support the installation of extensions from outside the Web Store in an effort to protect its users from shady browser extensions. "We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly — and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites," says ​James Wagner, Google's extensions platform product manager. Google's browser extensions crackdown will take place in three ph...

It's time to gear up for the latest June 2018 Microsoft security patch updates. Microsoft today released security patch updates for more than 50 vulnerabilities, affecting Windows, Internet Explorer, Edge, MS Office, MS Office Exchange Server, ChakraCore, and Adobe Flash Player—11 of which are rated critical and 39 as important in severity. Only one of these vulnerabilities, a remote code execution flaw ( CVE-2018-8267 ) in the scripting engine, is listed as being publicly known at the time of release. However, none of the flaws are listed as under active attack. Discovered by security researcher Dmitri Kaslov, the publicly known vulnerability is a remote memory-corruption issue affecting Microsoft Internet Explorer. The flaw exists within the IE rendering engine and triggers when it fails to properly handle the error objects, allowing an attacker to execute arbitrary code in the context of the currently logged-in user. Microsoft has also addressed an important vulnera...

A years-old vulnerability has been discovered in the way several security products for Mac implement Apple's code-signing API that could make it easier for malicious programs to bypass the security check, potentially leaving millions of Apple users vulnerable to hackers. Josh Pitts, a researcher from security firm Okta, discovered that several third-party security products for Mac—including Little Snitch, F-Secure xFence, VirusTotal, Google Santa, and Facebook OSQuery—could be tricked into believing that an unsigned malicious code is signed by Apple. Code-signing mechanism is a vital weapon in the fight against malware, which helps users identify who has signed the app and also provides reasonable proof that it has not been altered. However, Pitts found that the mechanism used by most products to check digital signatures is trivial to bypass, allowing malicious files bundle with a legitimate Apple-signed code to effectively make the malware look like it has been signed by...

Despite warnings about the threat of leaving insecure remote services enabled on Android devices, manufacturers continue to ship devices with open ADB debug port setups that leave Android-based devices exposed to hackers. Android Debug Bridge (ADB) is a command-line feature that generally uses for diagnostic and debugging purposes by helping app developers communicate with Android devices remotely to execute commands and, if necessary, completely control a device. Usually, developers connect to ADB service installed on Android devices using a USB cable, but it is also possible to use ADB wirelessly by enabling a daemon server at TCP port 5555 on the device. If left enabled, unauthorized remote attackers can scan the Internet to find a list of insecure Android devices running ADB debug interface over port 5555, remotely access them with highest "root" privileges, and then silently install malware without any authentication. Therefore, vendors are recommended to make...

Due to the surge in cryptocurrency prices, not only hackers but also legitimate websites and mobile apps are increasingly using cryptocurrency miners to monetize by levying the CPU power of your PC and phones to mine cryptocurrencies. However, Apple wants to protect your Mac and iPhone battery from shady cryptocurrency mining apps, and therefore, the company has put restrictions on such apps by disallowing them in its official App Store. The company has updated the Hardware Compatibility section of its App Store guidelines, which now explicitly restrict iOS and Mac apps and ads from mining cryptocurrency in the background. "Apps, including any third party advertisements displayed with them, may not run unrelated background processes, such as cryptocurrency mining," the updated guidelines read. The update reportedly occurred last week, possibly in response to popular Mac app Calendar 2 that bundled a Monero (XMR) miner in with its premium upgrade that unlocked ...

The United States Department of Justice announced Monday the arrest of 74 email fraudsters across three continents in a global crackdown on a large-scale business email compromise (BEC) scheme. The arrest was the result of a six-month-long operation dubbed " Operation Wire Wire " that involved the US Department of Justice, the US Department of Homeland Security, the US Treasury, and the US Postal Inspection Service. The international law enforcement authorities led by the FBI arrested 42 of the total 74 individuals involved in BEC scheme in the United States, 29 in Nigeria and 3 each in Canada, Mauritius, and Poland. "Foreign citizens perpetrate many BEC scams. Those individuals are often members of transnational criminal organizations, which originated in Nigeria but have spread throughout the world," the DoJ says. Moreover, the authorities seized nearly $2.4 million and recovered about $14 million in fraudulent transfers, according to the FBI, which estima...

China no longer owns the fastest supercomputer in the world; It is the United States now. Though China still has more supercomputers on the Top 500 list, the USA takes the crown of "world's fastest supercomputer" from China after IBM and the U.S. Department of Energy's Oak Ridge National Laboratory (ORNL) unveiled " Summit ." Summit is claimed to be more than twice as powerful as the current world leader with a peak performance of a whopping 200,000 trillion calculations per second—that's as fast as each 7.6 billion people of this planet doing 26.3 million calculations per second on a calculator. Until now the world's most powerful supercomputer was China's Sunway TaihuLight with the processing power of 93 petaflops (93,000 trillion calculations per second). Since June 2012, the U.S. has not possessed the world's most powerful supercomputer, but if Summit performs as claimed by IBM, it will be made straight to the top of the Top5...

It's no secret that expecting security controls to block every infection vector is unrealistic. For most organizations, the chances are very high that threats have already penetrated their defenses and are lurking in their network. Pinpointing such threats quickly is essential, but traditional approaches to finding these needles in the haystack often fall short. Now there is a unique opportunity for more feasible, more effective threat hunting capabilities, and it stems from a most unusual effort: rethinking the approach to wide area networking. When we look at the cyber kill-chain today, there are two major phases—infection and post-infection. Security experts acknowledge that organizations can get infected no matter how good their security controls are. The simple fact is, infection vectors change rapidly and continuously. Attackers use new delivery methods – everything from social engineering to zero-day exploits – and they often are effective. In most cases, an infecti...

Security researchers have been warning about cybercriminals who have made over 20 million dollars in just past few months by hijacking insecurely configured Ethereum nodes exposed on the Internet. Qihoo 360 Netlab in March tweeted about a group of cybercriminals who were scanning the Internet for port 8545 to find insecure geth clients running Ethereum nodes and, at that time, stole 3.96234 units of Ethereum cryptocurrency (Ether). However, researchers now noticed that another cybercriminal group have managed to steal a total 38,642 Ether, worth more than $20,500,000 at the time of writing, in past few months by hijacking Ethereum wallets of users who had opened their JSON-RPC port 8545 to the outside world. Geth is one of the most popular clients for running Ethereum node and enabling JSON-RPC interface on it allows users to remotely access the Ethereum blockchain and node functionalities, including the ability to send transactions from any account which has been unlocked b...

Have you recently bought a OnePlus 6? Don't leave your phone unattended. A serious vulnerability has been discovered in the OnePlus 6 bootloader that makes it possible for someone to boot arbitrary or modified images to take full admin control of your phone—even if the bootloader is locked. A bootloader is part of the phone's built-in firmware and locking it down stops users from replacing or modifying the phone's operating system with any uncertified third-party ROMs, ensuring the system boots into the right operating system. Discovered by security researcher Jason Donenfeld of Edge Security , the bootloader on OnePlus 6 is not entirely locked, allowing anyone to flash any modified boot image on to the handset and take full control of your phone. In a video demonstration, Donenfeld showed how it is possible for an attacker with physical access to OnePlus 6 to boot any malicious image using the ADB tool's fastboot command, giving the attacker complete control ove...