The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

After HeartBleed , POODLE and FREAK  encryption flaws, a new encryption attack has been emerged over the Internet that allows attackers to read and modify the sensitive data passing through encrypted connections, potentially affecting hundreds of thousands of HTTPS-protected sites, mail servers, and other widely used Internet services. A team of security researchers has discovered a new attack, dubbed Logjam , that allows a man-in-the-middle (MitM) to downgrade encrypted connections between a user and a Web or email server to use extremely weaker 512-bit keys which can be easily decrypted. Johns Hopkins crypto researcher Matthew Green along with security experts from the University of Michigan and the French research institute Inria has discovered LogJam a few months ago and published a technical report that details the flaw. Logjam — Cousin of FREAK Logjam encryption flaw sounds just like FREAK vulnerability disclosed at the beginning of March.  ...

A simple but shockingly dangerous vulnerability has been uncovered in the NetUSB component, putting Millions of modern routers and other embedded devices across the globe at risk of being compromised by hackers. The security vulnerability, assigned CVE-2015-3036 , is a remotely exploitable kernel stack buffer overflow flaw resides in Taiwan-based KCodes NetUSB . NetUSB is a Linux kernel module that allows for users to flash drives, plug printers and other USB-connected devices into their routers so that they can be accessed over the local network. NetUSB component is integrated into modern routers sold by some major manufacturers including D-Link, Netgear, TP-Link, ZyXEL and TrendNet. The security flaw, reported by Stefan Viehbock of Austria-based SEC Consult Vulnerability Lab, can be triggered when a client sends the computer name to the server deployed on the networking device (TCP port 20005) in order to establish a connection. However, if a connecting comp...

Good news for Gamers! Users of Facebook Messenger may soon be able to play games on the messaging platform . Nearly two months ago, Facebook launched its Messenger platform , inviting developers to create apps that allow you to send and receive GIFs, sound clips, and other artistic creations within Messenger, but the social network giant don't want the fun for users to end here. Facebook has confirmed that the company is actively discussing plans with several game developers to create games that work on its Messenger platform, to make its users' experience a lot more fun and potentially more lucrative. More user engagement, More Revenue: First reported on Monday by The Information , Facebook's plan for gamification is a way to get more user engagement and more revenue. Although there are not many details about Facebook's gaming initiative, the idea sounds really interesting, as we already have our social network established over Messenger that could make ...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

A serious security vulnerability has been uncovered in Apple's Safari web browser that could trick Safari users into visiting a malicious website with the genuine web address. A group of researchers, known as Deusen , has demonstrated how the address spoofing vulnerability could be exploited by hackers to fool victim into thinking they are visiting a trusted website when actually the Safari browser is connected to an entirely different address. This flaw could let an attacker lead Safari users to a malicious site instead of a trusted website they willing to connect to install malicious software and steal their login credentials. The vulnerability was discovered by the same group who reported a Universal Cross Site Scripting (XSS) flaw in all the latest patched versions of Microsoft's Internet Explorer in February this year that put IE users' credentials and other sensitive information at risk. The group recently published a proof-of-concept exploit code that makes...

The UK Government has quietly changed the Anti-Hacking Laws quietly that exempt GCHQ , police, and other electronic intelligence agencies from criminal prosecution for hacking into computers and mobile phones and carrying out its controversial surveillance practices. The details of the changes were disclosed at the Investigatory Powers Tribunal , which is currently hearing a challenge to the legality of computer hacking by UK law enforcement and its intelligence agencies. About a year ago, a coalition of Internet service providers teamed up with Privacy International to take a legal action against GCHQ for its unlawful hacking activities. However, the Government amended the Computer Misuse Act (CMA) two months ago to give GCHQ and other intelligence agencies more protection through a little-noticed addition to the Serious Crime Bill. The change was introduced on June 6, just weeks after the complaint was filed by Privacy International that GCHQ had conducted compu...

A security researcher who was pulled out from a United Airlines flight last month had previously admitted to Federal Bureau of Investigation (FBI) that he had taken control of an airplane and made it fly briefly sideways. Chris Roberts, the founder of One World Labs , was recently detained, questioned and had his equipment taken by federal agents after he landed on a United flight from Chicago to Syracuse, New York following his tweet suggesting he might hack into the plane's in-flight entertainment system. In that particular tweet, Roberts joked: " Find me on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? 'PASS OXYGEN ON' Anyone? :) " The federal agents addressed the tweet immediately and took it seriously following the Roberts' capabilities of such hacking tactics. In the FBI affidavit first made public Friday - first obtained by APTN National News - Roberts told the FBI earlier this year about not once, b...

If you are one of those using cocaine, law enforcement officials may soon catch you by simply examining your fingerprints. Scientists have developed a new type of drug test that can tell whether you have taken cocaine by analyzing chemical traces left behind in your fingerprint. A team of scientists led by the University of Surrey discovered a test that makes use of the Mass spectrometry chemical analysis technique – a method proved more accurate than those currently used saliva, blood or urine samples relied on by authorities. " When someone has taken cocaine, they excrete traces of benzoylecgonine and methylecgonine as they metabolize the drug, and these chemical indicators are present in fingerprint residue ," said Dr. Melanie Bailey, the lead researcher from the University of Surrey. How is it all done? A person's fingerprint sample is treated with a mixture of methanol and water in an attempt to locate the traces. A mass spectrometer is then used to ...

Be careful while leaving your important and valuable stuff in your lockers. A 3D printed robot has arrived that can crack a combination lock in as little as 30 seconds. So, it's time to ditch your modern combination locks and started keeping your valuable things in a good old-fashioned locker with keys. A well-known California hacker Samy Kamkar who is expert in cracking locks has built a 3D-printed machine, calling his gadget the " Combo Breaker ," that can crack Master Lock combination padlocks – used on hundreds of thousands of school lockers – in less than 30 seconds. A couple of weeks ago, Kamkar introduced the world how a manufacturing flaw in Master Lock combination locks can easily reveal the full combination by carefully measuring the dial interaction with the shackle in eight or fewer attempts. However, it requires some software and things to do, and who has that much of time? So to make it simple for everyone – On Thursday, the hacker showe...

If you are a security researcher and fond of traveling from one conference to another, then United Airlines' bug bounty program would be of great interest for you. United Airlines has launched a new bug bounty program inviting security researchers and bug hunters to report vulnerabilities in its websites, apps and web portals. Bug bounty programs are very common among technology firms, including Google and Facebook, who offer you hundreds of thousands of dollars as rewards for exposing security flaws and errors in their products. So, what's different in United Airlines new bug bounty? The most interesting part of this bug bounty program is – Instead of offering cold, hard cash, United Airlines is offering air miles as the reward for yours . Let's see what United Airlines says about its bug bounty program: " At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure ," ...

Target's data breach is a chilling example: After the widely publicized hack, 12% of loyal shoppers no longer shop at that retailer, and 36% shop at the retailer less frequently. For those who continue to shop, 79% are more likely to use cash instead of credit cards.  According to DeMeo, Vice President of Global Marketing and Analytics at Interactions Marketing Group, shoppers who use cash statistically spend less money, hurting the company. Indeed, 26% say they will knowingly spend less than before. So, why did Target get hacked? There could be two reasons, either they (or one of their vendors) lacked in their IT Security implementation or their employees were not stepped through effective security awareness training. In Target's case, an employee at one of their vendors was tricked into clicking on a phishing link. Now, let's have a look at what Target affirmed: "Target was certified as meeting the standard for the payment card industry in Septembe...

Just after a new security vulnerability surfaced Wednesday, many tech outlets started comparing it with HeartBleed, the serious security glitch uncovered last year that rendered communications with many well-known web services insecure, potentially exposing Millions of plain-text passwords. But don't panic. Though the recent vulnerability has a more terrific name than HeartBleed , it is not going to cause as much danger as HeartBleed did. Dubbed VENOM , stands for Virtualized Environment Neglected Operations Manipulation , is a virtual machine security flaw uncovered by security firm CrowdStrike that could expose most of the data centers to malware attacks, but in theory. Yes, the risk of Venom vulnerability is theoretical as there is no real-time exploitation seen yet, while, on the other hand, last year's HeartBleed bug was practically exploited by hackers unknown number of times, leading to the theft of critical personal information. Now let's know more about Ven...

This week you have quite a long list of updates to follow from Microsoft, Adobe as well as Firefox. Despite announcing plans to kill its monthly patch notification for Windows 10, the tech giant has issued its May 2015 Patch Tuesday , releasing 13 security bulletins that addresses a total of 48 security vulnerabilities in many of their products. Separately, Adobe has also pushed a massive security update to fix a total of 52 vulnerabilities in its Flash Player, Reader, AIR and Acrobat software. Moreover, Mozilla has fixed 13 security flaws in its latest stable release of Firefox web browser, Firefox 38, including five critical flaws. First from the Microsoft's side: MICROSOFT PATCH TUESDAY Three out of 13 security bulletins issued by the company are rated as 'critical', while the rest are 'important' in severity, with none of these vulnerabilities are actively exploited at this time. The affected products include Internet Explorer (IE), ...

Small office and home office (SOHO) routers are an increasingly common target for cybercriminals, not because of any vulnerability, but because most routers are loosely managed and often deployed with default administrator credentials. A new report suggests that hackers are using large botnet of tens of thousands of insecure home and office-based routers to launch Distributed Denial-of-Service ( DDoS ) attacks . Security researchers from DDoS protection firm Incapsula uncovered a router-based botnet, still largely active while investigating a series of DDoS attacks against its customers that have been underway since at least last December, 2014. Over the past four months, researchers have recorded malicious traffic targeting 60 of its clients came from some 40,269 IP addresses belonging to 1,600 ISPs around the world. Almost all of the infected routers that were part of the botnet appear to be ARM-based models from a California-based networking company Ubiquiti Net...

Last week, I have to communicate with my friend overseas in China. We both were aware that our email communications were being monitored. So, we both were forced to install and use a fully-fledged encrypted email system. Although it appeared to be very secure, it was quite cumbersome to handle. If you are ever faced with the same situation, I am here to introduce you a very simple and easy-to-use approach to encrypt your files and send them to the person you want to communicate with. Here's the Kicker: You don't even need to install any software or sign up to any website in order to use the file encryption service. So, what do I have today in my box? " Otr.to " — an open-source peer-to-peer browser-based messaging application that offers secure communication by making use of "Off-the-Record" (OTR) Messaging, a cryptographic protocol for encrypting instant messaging applications. We first introduced you Otr.to two months ago. At that time,...

Wait! What? A $9 computer? This is something magical. A Californian startup lead by Dave Rauchwerk is currently seeking crowdfunding on Kickstarter to create a computer that will cost as much as $9 (or £6). The new microcomputer, dubbed CHIP, is a tiny, Linux-based, super-cheap computer that's described as being "built for work, play, and everything in between!" Project 'Chip' that hit Kickstarter on Thursday has already blown its target goal of $50,000 to raise over $1 Million from almost 19,638 people at the time of writing with 26 days left in its campaign. Let's have a look on what does this $9 buy you? And the answer is a lot — more than what you could expect for just $9 . CHIP packs a 1GHz R8 ARM processor, 4GB of internal flash storage, 512MB of DDR3 RAM, Bluetooth, and Wi-Fi — something you do not find in even the modern microcomputer, Raspberry Pi. If look at the output front of the CHIP, it features a single full-sized US...

A controversial piece of security and maintenance software for Mac OS X computers, known as MacKeeper, has been found to be vulnerable to a critical remote code execution vulnerability. MacKeeper antivirus software for Mac OS X is designed to improve Mac performance and security, but it is infamous for its noisy "clean up your Mac" pop-under ads that stress the need for a system cleanup. If you try to close the ad, the software will prompt you to " Leave Page/Stay on This Page " dialogues. The vulnerability details were disclosed on Friday after the patch release, which allows an attacker to execute remotely malicious commands with root privileges on Mac OS X systems when a victim visits specially crafted Web pages. MacKeeper Versions Earlier to 3.4.1 are Affected The remote code execution flaw, affecting the versions earlier to 3.4.1, caused due to the way MacKeeper malware removal software handles its custom URLs, security researchers at Secure...