The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Apple's operating system is considered to be the most secure operating system whether it's Mac OS X for desktop computers or iOS for iPhones. But believe it or not, they are the most vulnerable operating system of year 2014. MOST VULNERABLE OPERATING SYSTEM  Windows, which is often referred to as the most vulnerable operating system in the world and also an easy pie for hackers, is not even listed on the top three vulnerable OS. According to an analysis by the network and security solutions provider GFI, the top three most vulnerable operating system are: Apple's Mac OS X Apple iOS Linux kernel GFI analysis is based on the data from the US National Vulnerability Database (NVD ), which shows that in 2014, the top three most vulnerable operating systems took owner by the following number of vulnerabilities reported in their software: Mac OS X - Total 147 vulnerabilities were reported, 64 of which were rated as high-severity Apple's iOS - Total 127 vulnerabilities were report...

A critical vulnerability has been fixed in Samba — Open Source standard Windows interoperability suite of programs for Linux and Unix, that could have allowed hackers to remotely execute an arbitrary code in the Samba daemon ( smbd ). Samba is an open source implementation of the SMB/CIFS network file sharing protocol that works on the majority of operating systems available today, which allows a non-Windows server to communicate with the same networking protocol as the Windows products. Samba is supported by many operating systems including Windows 95/98/NT, OS/2, and Linux. smbd is the server daemon of Samba which provides file sharing and printing services to clients using the SMB/CIFS protocol. Samba is also sometimes installed as a component of *BSD and OS X systems. The vulnerability, designated as CVE-2015-0240 , actually resides in this smbd file server daemon. The bug can be exploited by hackers to potentially execute code remotely with root privileges, the ...

'SuperFish' advertising software recently found pre-installed on Lenovo laptops is more widespread than what we all thought. Facebook has discovered at least 12 more titles using the same HTTPS-breaking technology that gave the Superfish malware capability to evade rogue certificate. The Superfish vulnerability affected dozens of consumer-grade Lenovo laptops shipped before January 2015, exposing users to a hijacking technique by sneakily intercepting and decrypting HTTPS connections, tampering with pages and injecting advertisements. Now, it's also thought to affect parental control tools and other adware programmes. Lenovo just released an automated Superfish removal tool to ensure complete removal of Superfish and Certificates for all major browsers. But, what about others? SSL HIJACKING Superfish uses a technique known as " SSL hijacking ", appears to be a framework bought in from a third company, Komodia, according to a blog post written ...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

Cyber criminals have started targeting government enforcement of the Ransomware in an attempt to extort money. Recently, the police department of the Midlothian Village in Illinois has paid a ransom of over $600 in Bitcoins to an unknown hacker after being hit by a popular ransomware attack. The popular Ransomware, dubbed Cryptoware , disabled a police computer in Midlothian — located south of Chicago — by making it inaccessible through its file-encryption capabilities and forced them to pay a ransom in order to restore access to the important police records. The Chicago Tribune reported that the department first encountered Cryptoware in January, when someone in the department opened a spear-phishing email that pointed to the malicious software. Once opened, the email carrying the Cryptoware ransomware immediately encrypts the files on the computer and, in typical ransomware style, displays a message demanding money in exchange for a decrypt code that could free the...

The computer giant Lenovo has released a tool to remove the dangerous "SuperFish" adware program that the company had pre-installed onto many of its consumer-grade Lenovo laptops sold before January 2015. The Superfish removal tool comes few days after the story broke about the nasty Superfish malware that has capability to sneakily intercept and decrypt HTTPS connections, tamper with pages in an attempt to inject advertisements. WE JUST FOUND 'SUPERFISH' - LENOVO The Chinese PC maker attempted to push the perception that Superfish software was not a security concern and avoid the bad news with the claim that it had "stopped Superfish software at beginning in January". However, Lenovo has now admitted that it was caught preloading a piece of adware that installed its own self-signing Man-in-the-Middle (MitM) proxy service that hijacked HTTPS connections. " We did not know about this potential security vulnerability until yesterday ," Lenovo said...

Data leaks through power consumption? Don't be surprised because security researchers have discovered a way to track your every move by looking at your Android smartphone's consumption of the battery power,even if you have GPS access unable. Researchers at Stanford University and Israeli Defense Research Group, Rafael, have developed a new technology, which they have dubbed " PowerSpy ", that have capability to gather the geolocation of Android phones by simply by measuring the battery usage of the phone over a certain time. TRACKING PERMISSION GRANTED BY-DEFAULT Unlike Wi-Fi and GPS access, the battery consumption data does not need the users' permission to be shared and is freely available to any downloaded and installed application. Therefore, this data can be used to track a phone with up to 90 percent accuracy. All an attacker would need to do is use an application — any application you download and installed onto your Android smartphone — to measu...

There is an entire section of the Internet that you probably don't see on daily basis, it's called the " Darknet " or " Deep Web ", where all browsing is done anonymously. About a week ago, we reported about the 'Memex' Deep Web Search Engine , a Defense Advance Research Projects Agency (DARPA) project to create a powerful new search engine that could find things on the deep web that isn't indexed by Google and other commercial search engines, but it isn't available to you and me. Now, there is another search engine that will let anyone easily search the Deep Web for large swaths of information for free, and without an application; you only need is an Internet connection. Onion.City , a new search engine for online underground markets that makes it more easier to find and buy drugs, guns, stolen credit cards directly from your Chrome, Internet Explorer or Firefox browser without installing and browsing via Tor Browser . Just two...

An all new anonymous online underground black market website, DarkLeaks , has been introduced on the Internet where Whistleblowers, blackmailers, hackers and any individual can trade/sell sensitive and valuable data/secrets anonymously in exchange for Bitcoin payments . DarkLeaks is a decentralized underground blackmarket which is built on top of the Bitcoin Blockchain technology and is available on the Internet to download as a free software package together with its source code published openly on code-sharing site Github . TRADE INFORMATION ANONYMOUSLY DarkLeaks underground black market website is masterminded by the members of crypto-anarchist collective System. " There is no identity, no central operator and no interaction between leaker and buyers, " the developers' statement says. " DarkLeaks is a decentralized black market where you can sell information ," according to the blog post about the new site. " It has a mechanism for trust-less authent...

Google on Thursday unleashed its own free web application vulnerability scanner tool, which the search engine giant calls Google Cloud Security Scanner , that will potentially scan developers' applications for common security vulnerabilities on its cloud platform more effectively. SCANNER ADDRESSES TWO MAJOR WEB VULNERABILITIES Google launched the Google Cloud Security Scanner in beta. The New web application vulnerability scanner allows App Engine developers to regularly scan their applications for two common web application vulnerabilities: Cross-Site Scripting (XSS) Mixed Content Scripts Despite several free web application vulnerability scanner and vulnerability assessment tools are available in the market, Google says these website vulnerability scanners are typically hard to set up and " built for security professionals, " not for web application developers that run the apps on the Google App Engine. While Google Cloud Security Scanner will be ea...

Security researchers have unearthed a new Android Trojan that tricks victims into believing they have switched their device off while it continues " spying " on the users' activities in the background. So, next time be very sure while you turn off your Android smartphones. The new Android malware threat, dubbed PowerOffHijack , has been spotted and analyzed by the researchers at the security firm AVG. PowerOffHijack because the nasty malware has a very unique feature - it hijacks the shutdown process of user's mobile phone. MALWARE WORKS AFTER SWITCHING OFF MOBILES When users presses the power button on their device, a fake dialog box is shown. The malware mimics the shutdown animation and the device appears to be off, but actually remains on, giving the malicious program freedom to move around on the device and steal data. "After pressing the power button, you will see the real shutdown animation, and the phone appears off. Although the screen is bl...

Edward Snowden is back with one of the biggest revelations about the government's widespread surveillance program. The US National Security Agency ( NSA ) and British counterpart Government Communications Headquarters ( GCHQ ) hacked into the networks of the world's biggest SIM card manufacturer, according to top-secret documents given to The Intercept by former NSA-contractor-turned-whistle blower, Edward Snowden . OPERATION DAPINO GAMMA The leaked documents suggests that in a joint operation, the NSA and the GCHQ formed the Mobile Handset Exploitation Team (MHET) in April 2010, and as the name suggests, the unit was built to target vulnerabilities in cellphone. Under an operation dubbed DAPINO GAMMA, the unit hacked into a Digital security company Gemalto , the largest SIM card manufacturer in the world, and stole SIM Card Encryption Keys that are used to protect the privacy of cellphone communications. Gemalto, a huge company that operates in 85 countr...

One of the most popular computer manufacturers Lenovo is being criticized for selling laptops pre-installed with invasive marketing software, or malware that, experts say, opens up a door for hackers and cyber crooks. The software, dubbed ' Superfish Malware ', analyzes users' Internet habits and injects third-party advertising into websites on browsers such as Google Chrome and Internet Explorer based on that activities without the user's permission. Security researchers recently discovered  Superfish Malware  presents onto new consumer-grade Lenovo computers sold before January of 2015. When taken out of the box for the first time, the adware gets activated and because it comes pre-installed, Lenovo customers might end up using it inadvertently. SUPERFISH CERTIFICATE PASSWORD CRACKED The  Superfish Malware  raised serious security concerns about the company's move for breaking fundamental web security protocols, carrying out " Man in the Middle " ...

Good news for Internet folks! Get Ready as the entire web you know is about to change. The new and long-awaited version of HTTP took a major step toward becoming a reality on Wednesday – It is been officially finalized and approved. Mark Nottingham, chairman of the Internet Engineering Task Force (IETF) working group behind creating the standards, announced in a blog post that the HTTP 2.0 specifications have been formally approved. Now, the specifications will go through a last formality – Request for comment and editorial processes – before being published as a standard. LARGEST CHANGE IN HTTP OVER LAST 16 YEARS HTTP, or Hypertext Transfer Protocol, is one of the web standards familiar to most as the https:// at the beginning of a web address. HTTP protocol governs the connections between a user's browser and the server hosting a website, invented by the father of the web Sir Tim Berners-Lee. HTTP/2 is simply an update to the protocol, but is really a huge deal be...

Many times organizations, companies and groups of people come across the problem when their social media teams have to work within a single Twitter account or maintain multiple twitter accounts. In this case, either they need to use some third party API-based services or they use TweetDeck software, the official free alternative tool to manage multiple twitter accounts. But the major problem with TweetDeck service is that everyone in the team need to have access to the same TweetDeck account password or multiple Twitter account passwords in order to use multiple accounts at one interface, and this is a known password sharing security issue from past few years. To cope up with these issues, Twitter has started rolling out a new feature called TweetDeck Teams , a new way to let you share your Twitter accounts on TweetDeck to multiple users without sharing passwords. ROLE OF ADMINISTRATORS TweetDeck Teams, which is rolling out to TweetDeck for the web, TweetDeck for Chro...

The Famous Internet entrepreneur and former hacker Kim Dotcom , who introduced legendary Megaupload and MEGA file sharing services to the World, has came up with another crazy idea — To start his very own Internet that uses the "blockchain". Just last month, Kim Dotcom, a German millionaire formerly known as Kim Schmitz , launched the public beta of its end-to-end encrypted video and audio chat service called " MegaChat ", which it says gives better protection than alternatives such as Skype and Google Hangouts. Now, his latest series of tweets referred to Kim Dotcom's supposed " MegaNet " which, he believes, would be immune to the global mass surveillance conducted by governments or corporations and would not be based on IP addresses. MegaNet would be a decentralized, non-IP based network in which the blockchain used by Bitcoin will play an " important role ". Decentralizing the Internet means to take the power of the Web...