The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Sandcat Browser, The fastest web browser with many useful security and developer oriented tools updated to version 4.0 with the fastest scripting language packed with features for pen-testers. Sandcat 4 adds a large number of enhancements, new features, extensions and bug fixes, and provides a dramatically improved user experience on several fronts.  Sandcat 4 adds several new pen-tester extensions as part of the new incarnation of its Pen-Tester Tools extension pack. This includes: a Request Loader, a XHR Editor, a XHR Fuzzer, a CGI Scanner, a HTTP Brute Force extension, enhanced request editors, enhanced script runners, and more. New versions comes with a revamped and enhanced Live Headers. You can now view not only the request headers and response headers but the response of HTTP requests and XHR calls. The captured requests can be viewed, exported to and imported from individual files via its Live Headers bar. It adds the ability to save the full request details of captured ...

ModSecurity is an open source web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. ModSecurity developers team recently fixed a vulnerability ( CVE-2013-2765 ) which could be exploited by attackers to crash the firewall . The vulnerability is caused due to an error when processing the " forceRequestBodyVariable " action and can be exploited to cause a NULL pointer dereference via specially crafted HTTP requests.  Flaw was reported by Younes Jaaidi, according to him an attacker can exploit this issue using a web browser. He also released an Exploit for this flaw, which is publicly available at  Github  for download. Through the program to upgrade to version 2.7.4 fixes this problem, this version also fixes some minor bug and lib injection used to identify SQL injection attacks, while the development team also announced its portable version of N...

If you're making a lot of money and you want to keep records of your transactions, then using PayPal 's Reporting system you can effectively measure and manage your business. Nir Goldshlager , founder of Breaksec and Security Researcher reported  critical flaws in Paypal Reporting system that allowed him to steal private data of any PayPal account. Exploiting the  vulnerabilities  he discovered, allowed him to access the financial information of any PayPal user including victim's shipping address Email addresses, Phone Number, Item name, Item Amount, Full name, Transaction ID, Invoice ID,  Transaction, Subject, Account ID, Paypal Reference ID etc. He found that PayPal is using the Actuate Iportal Application (a third party app) to display customer reports, so Nir downloaded the trial version of this app for testing purpose from its official website. After going deeply through the source code of trial version, Nir located a file named get...

AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere; often with a high-privilege API key, OAuth token, or service account that defenders can't easily see. These "invisible" non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers. Astrix's Field CTO Jonathan Sander put it bluntly in a recent Hacker News webinar : "One dangerous habit we've had for a long time is trusting application logic to act as the guardrails. That doesn't work when your AI agent is powered by LLMs that don't stop and think when they're about to do something wrong. They just do it." Why AI Agents Redefine Identity Risk Autonomy changes everything: An AI agent can chain multiple API calls and modify data without a human in the loop. If the underlying credential is exposed or overprivileged, each addit...

A computer hacker linked to the group known as Anonymous and LulzSec  pleaded guilty on Tuesday to breaking into Stratfor , a global intelligence company.  Hammond, 28, was arrested last March and charged with hacking into the computers of Stratfor. Jeremy Hammond and other members of AntiSec , stole confidential information, defaced websites and temporarily put some victims out of business. Authorities say their crimes affected more than 1 million people. Hammond was charged under the controversial 1984 Computer Fraud and Abuse Act, the same law used to charge the late Aaron Swartz and other cyber-activists. The plea agreement could carry a sentence of as much as 10 years in prison, as well as millions of dollars in restitution payments, though Hammond's official sentence won't be handed down until September. Beyond Stratfor, Hammond took responsibility for eight other hacks, all of which involved either law enforcement, intelligence firms or defense c...

According to report published by for the Defense Department and government and defense industry officials, Chinese hackers have gained access to the designs of many of the nation's most sensitive advanced weapons systems. The compromised U.S. designs included those for combat aircraft and ships, as well as missile defenses vital for Europe, Asia and the Gulf, including the advanced Patriot missile system, the Navy's Aegis ballistic missile defense systems, the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the F-35 Joint Strike Fighter. The report comes a month before President Obama meets with visiting Chinese President Xi Jinping in California. The report did not specify the extent or time of the cyber-thefts, but the espionage would give China knowledge that could be exploited in a conflict, such as the ability to knock out communications and corrupting data. For the first time, the Pentagon specifically named the Chinese government a...

In the constant battle between illegal file sharers (Pirates) and the entertainment industry (Hollywood) supplying the protected digital materials, the pirates have been staying one step ahead, although the industry may soon have a powerful new weapon in their arsenal. A new report released by the Commission on the Theft of American Intellectual Property suggests the use of malware to fight piracy. In a report, the Commission on the Theft of American Intellectual Property proposed many ways piracy can be combated, including infecting alleged violators' computers with malware that can wreck havoc, including and up to destroying the user's computer. It would also give the entertainment industry the advantage of tracking those who commit IP theft on-line no matter their location. Though it sounds reasonable on the surface, it is really a bad idea due to the challenge of correctly identifying a cyber attacker, as well as the unavoidable risk of collateral damage. If you want to read ...

When coders and online security researchers find errors in websites or software, the companies behind the programs will often pay out a bounty to the person who discovered the issue. The programs are intended to create an incentive for researchers to privately report issues and allow vendors to release fixes before hackers take advantage of flaws. A 17-year-old German student says he found a security flaw in PayPal's website but was denied a reward because he's too young. On PayPal's website, the company lists the terms for rewarding people who find bugs, but mentions nothing about the age of the discoverer.  The details of the vulnerability, i.e cross-site scripting flaw (XSS), is posted on Full Disclosure section. In Past we have seen that many times PayPal tried to cheat with new security researchers by replying various reasons on reporting bugs i.e "already reported by someone else", "domain / sub-domain is not under bounty program", ...

Researchers at the Technion-Israel Institute of Technology in Haifa have created an advanced biological computer using only bio molecules such as DNA and enzymes.  There's no traditional CPU or hard drive powering the bio-computer, no hardware or software, nor is there any tangible interface to the system. The computing devices having ability to interact directly with biological systems and even living organisms. No interface is required since all components of molecular computers, including hardware, software, input and output, are molecules that interact in solution along a cascade of programmable chemical events. Researchers believe that a sufficiently advanced biological computer could have the computational power of a universal Turing machine, able to simulate other computers. This would allow for simple customization of such processors. In addition to enhanced computation power, this DNA based transducer offers multiple benefits, including the abili...

Secret and highly sensitive and $630 million building blueprints outlining the layout of Australia's top spy agency's new headquarters have been stolen by Chinese hackers. According to a report by the ABC 's Four Corners, the blueprints included floor plans, communications cabling, server locations and the security systems. The cyber attack, launched on a contractor involved in work at the site, is one of the reasons completion of the new building has been delayed. Companies including BlueScope Steel and Adelaide-based Codan, which makes radios for military and intelligence agencies, are also said have been targeted by the Chinese. Under this major hacking operations, hackers successfully breached the Defence Department's classified email system, the Department of Prime Minister and Cabinet, and the Department of Foreign Affairs and Trade. A separate attack on the Defence Department involved an employee sending a highly classified document from his des...

For all the talk about China and the Syrian Electronic Army, it seems there's another threat to U.S. cyber interests i.e Iran. Series of potentially destructive computer attacks that have been targeting American oil, gas and electricity companies tracked back to Iran. Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines. Malware have been found in the power grid that could be used to deliver malicious software to damage plants. The targets have included several American oil, gas and electricity companies, which government officials have refused to identify. The officials stated that the goal of the Iranian attacks is sabotage rather than espionage . Whereas, The cyber attacks from China however, are more aimed at stealing information from the U.S. government that is confidential, as well as from private business.  Mandiant announced that the Chinese government was backing the attacks. However, of...

Liberty Reserve , a payment processor similar to Paypal was down on Saturday after the founder of Liberty Reserve, Arthur Budovsky Belanchuk , 39, on Friday was reportedly arrested in Spain by Costa Rican authorities after his they raided suspect´s home and offices in San José and Heredia. Mr. Belanchuk, a Costa Rican citizen of Ukrainian origin, was under investigation since 2011 after authorities flagged his firm for money laundering . Investigators say that Budovsky's businesses in Costa Rica , including Liberty Reserve , were used to launder money for child pornography websites and drug trafficking. Liberty Reserve is a largely unregulated money transfer business that allows customers to open accounts using little more than a valid email address, and this relative anonymity has attracted a huge number of customers from underground economies, particularly cyber crime . It allowing users to nearly anonymously open accounts with limited documentation of identity. Dep...

Skype … once upon a time a VOIP application considered very secure and wiretap-proof, it was the common belief that no one could intercept such communications due a complex mechanism for the management of audio / video and text streams. One day, Microsoft decided to buy the product, according to many to catch a significant portion of users fond of Skype, but according many experts the company of Redmond wasn't interested only to acquire new market share. The architecture of the popular VOIP infrastructure was improved according Microsoft, in reality it is common thought that it was implemented the possibility to intercept every conversation, as requested by US government to major service providers. The claim is that Law enforcement and intelligence agencies are today able to access the communications exchanged by Skype users and Microsoft has still not been adequately answered to various question on the matter. The German associates to H security magazine at heise Security have be...

A Google security engineer has not only discovered a Windows zero-day flaw, but has also stated that Microsoft has a knack of treating outside researchers with great hostility. Tavis Ormandy , a Google security engineer, exposed the flaw on Full Disclosure , that could be used to crash PCs or gain additional access rights. The issue is less critical than other flaws as it's not a remotely exploitable one. Ormandy said on Full Disclosure, " I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation. ". He's been working on it for months, and according to a later post, he has now a working exploit that " grants SYSTEM on all currently supported versions of Windows. "  " I have a working exploit that grants SYSTEM on all currently supported versions of Windows. Code is available on request to students from reputable schools ," Ormandy adds. Microsoft acknowledged...

A new type of Android malware that can intercept text messages and forwarding to hackers is discovered by  the Russian firm Doctor Web . This is a very serious threat to users, because using this malware attackers can easily get two factor authentication code of your Email or bank accounts. The malware, dubbed as Android.Pincer.2.origin , is the second form of the original Android.Pincer  malware and is distributed as security certificates that the user must install. Upon launching Android.Pincer.2.origin , the user will see a fake notification about the certificate's successful installation but after that, the Trojan will not perform any noticeable activities for a while.  Android.Pincer.2.origin connects to a server and send text messages in addition to the other information as the smartphone model, serial, IMEI and phone number and the Android version is used. To malware then receive instructions from commands in the following format:  start_sms_f...

For millions of low income families, the federal government's Lifeline program offers affordable phone service. But an online security lapse has exposed tens of thousands of them to an increased risk of identity theft, after their Social Security numbers, birth dates and other pieces of highly sensitive information were included in files posted publicly online. Reporters with Scripps were investigating Lifeline, a government benefit-program that provides low-income Americans with discounted phone service, when they came across the sensitive data. They discovered 170,000 Lifeline phone customer records online through a basic Google search that contained everything needed for identity theft. They asked for an interview with the COO of TerraCom and YourTel, which are the telcos who look after Lifeline,but they threatened reporters who found a security hole in their Lifeline phone system with charges under the Computer Fraud and Abuse Act. Then, the blame-the...

The Hacker Conference partnered up with CTF365 to provide the best CTF experience during the conference. While trying to find out more about their product and also about their CTF surprise, I got an interview with Marius Corici Co-founder and CEO for CTF365. Q: November 2012 was when you first announced about this project which was supposed to start at the begin-ning of 2013. What happened that made you delay the starting date? A: Well, we're definitely enthusiastic about making CTF365 the greatest CTF platform out there, and this proves to be much more difficult than initially anticipated. I won't get into detail, because, as it happens, the story is like something pulled out from the theater of the absurd. If we would ever get a chance to make a making-of- CTF365 movie, I'm sure it would be amusing and tragic at the same time. What I will say [and repeat], is that we are putting our best efforts into making CTF365 work, we are a small and committed team, which is a problem [for...

In 2010, as part of what has been dubbed as Operation Aurora , Chinese hackers infiltrated a special database within Google's systems and gained access to a sensitive database worth of information about American surveillance targets.  Google reported the hack publicly years ago, saying that the sophisticated attack resulted in the theft of Google intellectual property and the partial compromise of some human rights activists' email accounts. When the news first surfaced in 2010, Google said hackers stole the source code behind its search engine, and targeted email accounts of activists critical of China's human rights record. But recently discovered that the hackers also obtained surveillance information, including emails belonging to suspected spies, diplomats and terrorists which law enforcement officials had been monitoring. Google reported this breach to the FBI, resulting in a national security investigation. According to the sources, hackers were after the names of ...

A website that can be described as " DDoS for hire " is perfectly legitimate, according to the owner. Malicious sites that offer attack services are not strangers on the Internet, but web sites sponsored by law enforcement is another story altogether. Ragebooter, is one of many sites that accepts payment through PayPal in order to flood sites with junk traffic, overloading servers and denying others access. The service uses a technique called DNS reflection to flood a website and amplify the amount of traffic directed at an address. Unlike other existing sites that offer similar services, the Ragebooter have particularly interesting back door leading directly to the FBI. It seems that the Federal Investigation Bureau uses the site to monitor the activity of users on the network, and that added to the site IP Logger that keeps the IP addresses of all users coming to the site. Investigation shows the site operator is a guy named Justin Folland located in M...

Cyber Security researchers have discovered a family of information stealing malware targeting Pakistan that originates out of India.  Norman Shark, the global security leader in malware analysis solutions for enterprises, service providers and government, today released a report detailing a large and sophisticated cyber-attack infrastructure that appears to have originated from India. The attacks, conducted by private threat actors over a period of three years and still ongoing, showed no evidence of state sponsorship but the primary purpose of the global command-and-control network appears to be intelligence gathering from a combination of national security targets and private sector companies. Attackers used known vulnerabilities in Microsoft software, chucking malware dubbed HangOver onto target machines, most of which were based in Pakistan, where 511 infections associated with the campaign were detected. HangOver installs keyloggers , takes screenshots and...

A Romanian man serving a five-year jail sentence in Romania for his involvement in an ATM skimming scheme, has developed a device designed to protect ATMs from such attacks. 33-year-old Valentin Boanta who is being detained in a prison from Vaslui, Romania, after he was convicted on charges of bank card fraud in 2009, developed what he calls the SRS (Secure Revolving System) which changes the way ATM machines read bank cards to prevent the operation of skimming devices that criminals hide inside ATMs. " When I got caught I became happy. This liberation opened the way to working for the good side ," Boanta said. " Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction ," Boanta said. Boanta began working on SRS during his trial. SRS, Boanta says, can be installed into any ATM. ATM skimmers work by installing a second, concealed card reader over the one that's built into the ATM. When an unsuspecting bank customer...