The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

EU, U.S., and NATO Approve New Plans to Combat Cybercrime

Nov 25, 2010
Over the past three days, the European Union, the U.S., and NATO have approved new plans to combat cybercrime. On Monday, the European Commission announced its proposals to develop three systems aimed at enhancing cybersecurity for citizens and businesses. First, the E.U. plans to establish a cybercrime center by 2013 to coordinate cooperation between member states, E.U. institutions, and international partners. Second, a European information sharing and alert system, also set for 2013, will facilitate communication between rapid-response teams and law enforcement authorities. Third, the Commission aims to create a network of Computer Emergency Response Teams (CERTs) by 2012, with a CERT in every E.U. country. Home Affairs Commissioner Cecilia Malmström assured that these systems would not lead to the creation of another citizens' information database. She emphasized that the goal is to manage the flow of information to prevent cyber-attacks, not to store data. Meanwhile, follo...
Top 10 IT Security Trends for 2011

Nov 20, 2010
The crystal ball gazing has started early this year. Typically, tech prediction pieces emerge after Christmas, but the first 'security trends for 2011' missive has already dropped into my inbox. So, what does the somewhat premature Imperva Application Defense Center think will worry us the most on the IT security front next year? I predict the list will include more Stuxnet-like attacks, insights on the cloud's benefits or drawbacks, and concerns about mobile device security. Let's see if my crystal ball accurately predicts the predictions. Imperva ADC says the top 10 IT security trends for 2011 will be, with my comments in parentheses: Nation-Sponsored Hacking: (Yay, strike one - Stuxnet worm clones prediction right at the top.) These attacks will build on concepts and techniques from the commercial hacker industry to create more powerful Advanced Persistent Threats. (I predict someone will get a Buzzword Bingo full house with that one.) Insider Threat Awarenes...
Facebook to Launch Email Service, Competing with Gmail and Yahoo Mail

Nov 20, 2010
Facebook is set to launch an integrated email service on Monday, aiming to compete with Gmail and Yahoo Mail. This move will position Facebook as the largest email service provider in the world, serving its 500 million users. TechCrunch, a prominent Silicon Valley technology blog, reported that Facebook plans to announce a web-based email service featuring @facebook.com addresses at an event in San Francisco. This initiative, part of a secret project known as ‘Project Titan,’ is internally referred to as its ‘Gmail killer.’ Yahoo, Google, and Microsoft are already enhancing their email services to emphasize social connections. However, Facebook holds a significant advantage due to its extensive data on user relationships, making it easier to integrate email with its existing social services like photo-sharing. Facebook's new email service will seamlessly integrate with the social network, utilizing its network of friends model. The goal is to create a communic...
Hackers Leverage Cloud Computing to Crack Passwords Efficiently

Nov 20, 2010
On-demand cloud computing is a valuable tool for companies needing temporary computing capacity without long-term investment in fixed capital. However, this same convenience makes cloud computing useful to hackers. Many hacking activities involve cracking passwords, keys, or other forms of brute force attacks. These processes are computationally intensive but highly parallelizable. Hackers have two main sources for on-demand computing: botnets made of consumer PCs and infrastructure-as-a-service (IaaS) from service providers. Both can deliver computing power on demand for brute force attacks. Botnets are unreliable and heterogeneous, taking longer to "provision." However, they are free to use and can scale to enormous sizes, with some botnets comprising hundreds of thousands of PCs. On the other hand, commercial cloud computing offers faster provisioning, predictable performance, and can be billed to a stolen credit card. The balance of power between security controls ...
Military Cautions Troops About Facebook's Location Revealing Risks

Nov 20, 2010
Computer security firms and military personnel have issued warnings about certain Facebook features that could compromise both personal and national security. On Thursday, Sophos, a computer security developer, warned that Facebook's new online messaging service could increase users' vulnerability to identity theft. John Leyden of The Register reported that the service, which combines site updates, instant messaging chat, and SMS messages in one place, is an attractive target for cybercriminals. According to Leyden, spammers can easily target accounts, or they can be compromised to create Web 2.0 botnets. "Users need to realize that these new features increase the attack surface on the Facebook platform, making personal accounts more attractive to cybercriminals," said Graham Cluley, Sophos' senior technology consultant, to AFP. "Facebook accounts will now be linked with more people in users' social circles, creating new opportunities for identity fraud...
Scammers Impersonate IT Helpdesk to Spread Rogue Antivirus

Nov 15, 2010
Criminals are posing as IT support staff, calling unsuspecting U.K. internet users to push rogue antivirus software. GetSafeOnline.org reports this as part of their Internet safety week campaign. These scam operations often involve up to 400 people using sales techniques and social engineering to deceive victims. The goal is to obtain credit card information through the sale of rogue antivirus software or gain remote access to the victim's system for future use. Typically, the scam begins with an unexpected call. The caller, pretending to be an IT helpdesk technician, builds rapport with the victim, presenting themselves as trustworthy by using personal information available online. The victim is then questioned about computer problems like slow email or internet browsing. Once the victim admits to an issue, the caller exaggerates the problem and offers a solution for a small fee. The caller might say, “For a small fee, we can install something to fix your system and clean it c...
Facebook Fixes Bug Causing Unintended Posts from Brand Pages

Nov 15, 2010
Facebook has confirmed that the recent issue with posts was on their end. A representative told SecurityWeek via email, "We began removing the posts immediately upon discovering them and shortly after they were made. They were caused by a temporary bug on Facebook that allowed certain posts requested by an application to be rendered when they shouldn't have. Upon discovering the bug, we immediately began work to fix it. It's now been resolved, and these posts can no longer be made. We're not aware of any cases in which the bug was used maliciously." A representative from Sendible stated that they had discussed the issue with Facebook over the phone. Facebook acknowledged the problem but could not reproduce it on their end. "They've agreed to patch the issue by the end of the day. In the meantime, we've agreed to remove the feature on Sendible that allows fans of Facebook pages to automate posts." Several Facebook Pages, including those of large...
Barracuda Networks Launches Bug Bounty Program for Security Products

Nov 14, 2010
Barracuda Networks announced on Tuesday that it will pay over $3,100 to anyone who can hack into its security products. This bug bounty program is the first of its kind from a pure-play security vendor. “This initiative reflects our commitment to our customers and the security community at large,” said Paul Judge, Chief Research Officer at Barracuda. The security firm has included its Spam & Virus Firewall, Web Filter, Web Application Firewall, and NG Firewall in the bug bounty program. Patch or Public Disclosure: Last week, Google launched a bug bounty program to pay for vulnerabilities, joining many other vendors willing to pay security researchers for information about vulnerabilities. These efforts aim to fix flaws as soon as possible to prevent exploitation as zero-day attacks. Barracuda's bug bounty program will pay up to $3,133.70 for "particularly severe bugs," a nod to the slang "leet" number 31337, meaning "elite" in the security commu...
China Introduces New Laws to Combat Cyber Hacking

Nov 14, 2010
China is taking decisive action against computer hacking with a new law set to govern the sentencing of hackers and other internet offenders. This initiative, announced by the Ministry of Public Security, aims to enhance cybersecurity in response to the growing threat of cybercrime. Lawmakers are currently working on judicial interpretations of these new regulations. Gu Jian, deputy director of the Ministry's Network Security Protection Bureau, stated that these rules are expected to be released by the end of the year. This development represents China's latest effort to strengthen security against cybercrime. Since 2004, more than 1.64 million online offenses have been reported to China's Internet Illegal Information Reporting Center. Although 80% of these cases involve online pornography and scams, hacking incidents are on the rise. Gu noted that eight out of ten computers with internet access in China are now suffering from "botnet attacks." In these attacks...
97% of Cyber Crimes in Gurgaon Go Unreported, Say Police

Nov 13, 2010
Police in India report that 97 percent of cyber crimes remain unreported in Gurgaon, a city less than 20 miles from New Delhi. Industry representatives are now collaborating with law enforcement to tackle this issue, according to Times of India. Last week, the IT and business process outsourcing (BPO) industry in Gurgaon met with Joint Commissioner of Police Alok Mittal and Inderjit Singh, chairman of the parliamentary committee on IT, to discuss cyber crime. When asked if the city police and its cyber cell could handle cyber crime, Singh emphasized that the entire system requires an overhaul. This overhaul should start with a new cadre dedicated to solving Internet-related cases. He also stressed the importance of protecting the complainants’ identities in such cases. Industry representatives proposed working directly with the police. "We will provide the police with technical expertise or any other assistance," stated Deepak Kapoor, a BPO industry representative, accord...
Major Facebook Pages Compromised by Sendible App Bug

Nov 13, 2010
We’ve received several rapid-fire tips indicating a major compromise in the Facebook app Sendible. Several prominent Facebook Pages, including Google, Coca-Cola, YouTube, South Park, The Daily Show, and Team Coco, are sending out a malicious link to their followers. The link reads, "Change Your Facebook Background Here!" It's crucial not to click on this link. Those who clicked on the link reported being redirected to a page outside Facebook that asked for personal information. The bottom of this page reads, "Powered By AWeber Email Marketing." Oddly, many other Facebook users are "liking" these links. We’ve contacted Facebook about the issue and will update once we receive their response. The compromised accounts suggest that this malicious link is appearing in tens of millions of feeds right now. Most of the malicious links have been removed, but tips indicate the attack is ongoing, with new links continuing to appear. We still have not heard bac...
Vulnerability in Microsoft IIS Allows Malicious File Uploads

Nov 12, 2010
A vulnerability has been identified in Microsoft Internet Information Services (IIS) that causes the server to incorrectly handle files with multiple extensions separated by the “;” character. For instance, a file named “malicious.asp;.jpg” is treated as an ASP file. This flaw allows attackers to upload malicious executables to a vulnerable web server, bypassing file extension protections and restrictions. Notably, ASP.Net is NOT affected by this vulnerability. Impact and Versions Affected: This vulnerability affects all versions of Microsoft IIS. It works successfully on IIS 6 and earlier versions. IIS 7 has not been tested, but it does not work on IIS 7.5. The vulnerability was discovered in April 2008 but reported in December 2009. Severity and Exploitation: The impact on IIS is significant, as attackers can bypass file extension protections using a semi-colon after an executable extension, such as “.asp”, “.cer”, “.asa”,...