The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Instagram has recently patched a security issue in its website that might have accidentally exposed some of its users' passwords in plain text. The company recently started notifying affected users of a security bug that resides in a newly offered feature called "Download Your Data" that allows users to download a copy of their data shared on the social media platform, including photos, comments, posts, and other information that they have shared on the platform. To prevent unauthorized users from getting their hands on your personal data, the feature asks you to reconfirm your password before downloading the data. However, according to Instagram, the plaintext passwords for some users who had used the Download Your Data feature were included in the URL and also stored on Facebook's servers due to a security bug that was discovered by the Instagram internal team. The company said the stored data has been deleted from the servers owned by Facebook, Instagra...

Has Wikileaks founder Julian Assange officially been charged with any unspecified criminal offense in the United States? — YES United States prosecutors have accidentally revealed the existence of criminal charges against Wikileaks founder Julian Assange in a recently unsealed court filing in an unrelated ongoing sex crime case in the Eastern District of Virginia. Assistant US Attorney Kellen S. Dwyer, who made this disclosure on August 22, urged the judge to keep the indictment [ pdf ] prepared against Assange sealed (secret) "due to the sophistication of the defendant, and the publicity surrounding the case." Dwyer is assigned to the WikiLeaks case. Dwyer also said the charges would "need to remain sealed until Assange is arrested in connection with the charges" in the indictment and can, therefore "no longer evade or avoid arrest and extradition in this matter." WikiLeaks, the website that published thousands of classified U.S. government do...

We live in an age where data flows like water, becoming the new life source of our everyday ventures. As such, you can just imagine what all of that entails and the weight that data receive, especially when it comes to a decision making on how to handle this fairly new and arguably invaluable resource. Of course, we are well aware from a very young age that our water needs to be pure, filtered and possibly protected, so this pops the question and makes us wonder: How exactly does all of this translate for our data, its handling processes and ultimately our Security? It is no secret that our personal information is as valuable if not more than actual currency. Imagining your social security number, medical bills or paycheck amounts flowing through vast amounts of seemingly random servers all across the globe can be unnerving. It brings out the same questions that we would have for anything else of value: Where is it going? Who can see it? Why are they holding it? ... Is ...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

A security researcher has disclosed details of a critical vulnerability in one of the popular and widely active plugins for WordPress that could allow a low-privileged attacker to inject malicious code on AMP pages of the targeted website. The vulnerable WordPress plugin in question is " AMP for WP – Accelerated Mobile Pages " that lets websites automatically generate valid accelerated mobile pages for their blog posts and other web pages. AMP , stands for Accelerated Mobile Page s , is an open-source technology that has been designed by Google to allow websites build and server faster web pages to mobile visitors. Though I am pretty sure the main version of "The Hacker News" website is enough fast for both desktop and mobile device users, you can also check the AMP version for this specific article here . Out of hundreds of plugins that allows WordPress websites to create Google-optimize AMP pages, "AMP for WP" is the most popular among others...

At Pwn2Own 2018 mobile hacking competition held in Tokyo on November 13-14, white hat hackers once again demonstrated that even the fully patched smartphones running the latest version of software from popular smartphone manufacturers can be hacked. Three major flagship smartphones—iPhone X, Samsung Galaxy S9, and Xiaomi Mi6—were among the devices that successfully got hacked at the annual mobile hacking contest organized by Trend Micro's Zero Day Initiative (ZDI), earning white hat hackers a total of $325,000 in reward. Teams of hackers participated from different countries or representing different cybersecurity companies disclosed a total of 18 zero-day vulnerabilities in mobile devices made by Apple, Samsung, and Xiaomi, as well as crafted exploits that allowed them to completely take over the targeted devices. Apple iPhone X Running iOS 12.1 — GOT HACKED! A team of two researchers, Richard Zhu and Amat Cama, who named themselves Fluoroacetate, discovered and managed to ...

Disclosed earlier this year, potentially dangerous Meltdown and Spectre vulnerabilities that affected a large family of modern processors proven that speculative execution attacks can be exploited in a trivial way to access highly sensitive information. Since then, several more variants of speculative execution attacks have been discovered, including Spectre-NG , SpectreRSB, Spectre 1.1, Spectre1.2, TLBleed , Lazy FP , NetSpectre and Foreshadow , patches for which were released by affected vendors time-to-time. Speculative execution is a core component of modern processors design that speculatively executes instructions based on assumptions that are considered likely to be true. If the assumptions come out to be valid, the execution continues, otherwise discarded. Now, the same team of cybersecurity researchers who discovered original Meltdown and Spectre vulnerabilities have uncovered 7 new transient execution attacks affecting 3 major processor vendors—Intel, AMD, ARM. W...

It's Patch Tuesday once again…time for another round of security updates for the Windows operating system and other Microsoft products. This month Windows users and system administrators need to immediately take care of a total of 63 security vulnerabilities, of which 12 are rated critical, 49 important and one moderate and one low in severity. Two of the vulnerabilities patched by the tech giant this month are listed as publicly known at the time of release, and one flaw is reported as being actively exploited in the wild by multiple cybercriminal groups. Zero-Day Vulnerability Being Exploited by Cyber Criminals The zero-day vulnerability, tracked as CVE-2018-8589 , which is being exploited in the wild by multiple advanced persistent threat groups was first spotted and reported by security researchers from Kaspersky Labs. The flaw resides in the Win32k component (win32k.sys), which if exploited successfully, could allow a malicious program to execute arbitrary code...

Another security vulnerability has been reported in Facebook that could have allowed attackers to obtain certain personal information about users and their friends, potentially putting the privacy of users of the world's most popular social network at risk. Discovered by cybersecurity researchers from Imperva, the vulnerability resides in the way Facebook search feature displays results for entered queries. According to Imperva researcher Ron Masas, the page that displays search results includes iFrame elements associated with each outcome, where the endpoint URLs of those iFrames did not have any protection mechanisms in place to protect against cross-site request forgery (CSRF) attacks. It should be noted that the newly reported vulnerability has already been patched, and unlike previously disclosed flaw in Facebook that exposed personal information of 30 million users , it did not allow attackers to extract information from mass accounts at once. How Does the Facebo...

In 1999, Bruce Schneier wrote, "Complexity is the worst enemy of security." That was 19 years ago (!) and since then, cyber security has only become more complex. Today, controls dramatically outnumber staff available to support them. The Bank of America has a $400-million cyber budget to hire security staff and implement a broad array of products. But what if your budget and sophistication is just a tiny fraction of the Bank of America's? The remaining 99% of organizations understand that they don't have sufficient protection for their internal network, but they also realize that to be sufficiently secured they need to buy multiple solutions and hire a large team to maintain it – which isn't an option. So they either stay with just an AV or buy a point solution to defend a specific part of their internal environment from particular types of attacks – only to later find out it doesn't meet what they really need. Cynet wants to change all that. ...

Our partner Springboard, which provides online courses to help you advance your cybersecurity career with personalized mentorship from industry experts, recently researched current cybersecurity salaries and future earning potential in order to trace a path to how much money you can make. Here's what they found were the most important factors for making sure you earn as much as possible: 1) Choosing the right type of cybersecurity role and building your skill set The cybersecurity role you're in clearly makes a difference: the average salary for penetration testers is $55,000 according to U.S. data from Glassdoor. But cybersecurity engineers should expect to earn about $140,000—and engineers have a more natural path to becoming architects, who can earn even more. Cybersecurity analysts are somewhere in between, averaging about $80,000 a year. Of course, becoming a cybersecurity engineer requires more skills and experience than becoming a penetration tester, but you...

Windows 10 users don't have to wait much longer for the support of latest WPA3 Wi-Fi security standard , a new blog post from Microsoft apparently revealed. The third version of Wi-Fi Protected Access, in-short WPA3, is the next generation of the wireless security protocol that has been designed to make it harder for attackers to hack WiFi password . WPA3 was officially launched earlier this year, but the new WiFi security standard won't arrive overnight. Most device manufacturers could take months to get their new routers and networking devices certified by the Wi-Fi Alliance to support WPA3. Meanwhile, technology providers have already started working on software and firmware updates to support the new WPA3 standard, including Microsoft. WPA3-Personal (SAE) Support in Windows 10 Though Microsoft hasn't yet officially announced WPA3 support for its Windows 10 operating system, new APIs introduced in the newly released Windows 10 SDK Preview build 18272 , as ma...