
The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

26 Android Phone Models Shipped with Pre-Installed Spyware

Sep 03, 2015
Bought a brand-new Android smartphone? Don't expect it to be a clean slate. A new report claims that some rogue retailers are selling brand-new Android smartphones loaded with pre-installed software. Security firm G Data has uncovered more than two dozen Android smartphones from popular smartphone manufacturers — including Xiaomi, Huawei and Lenovo — that have pre-installed spyware in the firmware. G Data is a German security firm that last year disclosed the Star N9500 smartphone's capability to spy on users, thereby compromising their personal data and conversations without any restrictions and without users' knowledge. Removal of Spyware Not Possible: The pre-installed spyware, disguised in popular Android apps such as Facebook and Google Drive, cannot be removed without unlocking the phone since it resides inside the phone's firmware. "Over the past year, we have seen a significant [growth] in devices that are equipped with firmware-level [m...
Using AppLock for Android to Hide Apps and Photos? — It's Useless

Sep 03, 2015
The widely popular AppLock for Android by DoMobile Ltd. is claimed to be vulnerable to hackers. Having an app lock for an iPhone or Android device is useful. It is suitable for security and for keeping people out of your business. When it comes to how to password-protect apps on Android, or how to put passwords on apps, the one app that comes to mind is AppLock. What is AppLock? AppLock is a lightweight Android app that enables users to apply a lock on almost any type of file or app on their devices, preventing access to locked apps and private data without a password. The most basic functionality of the security feature is to lock your Android apps so that nobody can access or uninstall them, but AppLock can also hide pictures and videos, and even contacts and individual messages. For example, if you have an app lock on WhatsApp, a friend who borrows your phone to play games cannot get into WhatsApp without the password you have set for the locked app. App Lock si...
Critical OS X Flaw Grants Mac Keychain Access to Malware

Sep 03, 2015
Back in July, a security researcher disclosed a zero-day vulnerability in Mac OS X that allowed attackers to obtain unrestricted root user privileges with the help of code that even fits in a tweet. The same vulnerability has now been upgraded to again infect Mac OS X machines even after Apple fixed the issue last month. The privilege-escalation bug was once used to circumvent security protections and gain full control of Mac computers, thanks to the environment variable DYLD_PRINT_TO_FILE that Apple added to the code of OS X 10.10 Yosemite. The vulnerability then allowed attackers to install malware and adware onto a target Mac running OS X 10.10 (Yosemite) without requiring victims to enter system passwords. However, the company fixed the critical issue in the Mac OS X 10.11 El Capitan Beta builds as well as the latest stable version of Mac OS X, version 10.10.5. Mac Keychain Flaw: Now, security researchers from anti-malware firm Malwarebytes spotted t...
The Hidden Risks of SaaS: Why Built-In Protections Aren't Enough for Modern Data Resilience

Jun 26, 2025 | Data Protection / Compliance
SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace: SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind. Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: hybrid and multi-cloud environments with decentralized data sprawl; complex integration layers between IaaS, SaaS, and legacy systems; expanding regulatory pressure with steeper penalties for noncompliance; escalating ransomware threats and inside...
FBI’s Cyber Task Force Identifies Stealthy FF-RATs used in Cyber Attack

Sep 02, 2015
In both April and June this year, a series of cyber attacks was conducted against the United States Office of Personnel Management (OPM). These attacks resulted in 21 million current and former Federal government employees' information being stolen. After months of investigation, the FBI's Cyber Task Force identified several Remote Access Tools (RATs) that were used to carry out the attack. One of the more effective tools discovered is named 'FF-RAT'. FF-RAT evades endpoint detection through stealth tactics, including the ability to download DLLs remotely and execute them in memory only. Hackers use RATs to gain unlimited access to infected endpoints. Once the victim's access privilege is acquired, it is then used for malware deployment, command and control (C&C) server communication, and data exfiltration. Most Advanced Persistent Threat (APT) attacks also take advantage of RAT functionality for bypassing strong authentication, reconnaissance, spreading...
Just Like Windows 10, Windows 7 and 8 Also Spy on You – Here’s How to Stop Them

Sep 01, 2015
No plan to install Windows 10 due to Microsoft's controversial data mining and privacy invasions within the operating system? Well, Windows 7 and Windows 8 users should also be worried, as Windows 10 spying is now headed their way too… Microsoft has been caught installing the latest updates onto Windows 7 and Windows 8 computers that effectively introduce the same data collecting and user behavior tracking features used in Windows 10. Under the new updates, the operating systems indiscriminately upload data to Microsoft's servers, which might be a major privacy concern for many users. Creepy Updates: The updates in question are: KB3068708 – This update introduces the Diagnostics and Telemetry tracking service to existing devices. KB3022345 (replaced by KB3068708) – This update adds the Diagnostics and Telemetry tracking service to in-market devices. KB3075249 – This update adds telemetry points to the User Account Control (UAC) feature in order to collect data on ele...
Weaponized Drones For Police Now Legal In North Dakota

Aug 31, 2015
Drones, also known as Unmanned Aerial Vehicles (UAVs), have contributed enormously by acting as an interface for conducting surveillance operations, delivering products, or attacking a war site, to name a few. We have seen drones like 'Snoopy' that are capable of intercepting data from your smartphones, even without authentication or interaction, using spoofed wireless networks. And now the reports depict... The first U.S. state to get permission for flying drones with "less lethal weapons" is North Dakota. It now has the power to grant permission to local police departments to attach weapons like rubber bullets, pepper spray, tear gas, sound cannons, and tasers. Earlier, the law's author Rick Becker had restricted the police by requiring a warrant for conducting drone surveillance. However, things didn't turn out his way, as Bruce Burkett, an officer from the North Dakota Peace Officers Association, controlled things his way by get...
Here's How Iranian Hackers Can Hack Your Gmail Accounts

Aug 31, 2015
Hackers are getting smarter at fooling us all, and now they are using sophisticated hacking schemes to get into your Gmail. Yes, Iranian hackers have now discovered a new way to fool Gmail's tight security system by bypassing its two-step verification – a security process that requires a security code (generally sent via SMS) along with the password in order to log into a Gmail account. Researchers at Citizen Lab released a report on Thursday which shows how the hackers are using text messages and phone-based phishing attacks to circumvent Gmail's security and take over the Gmail accounts of their targets, specifically political dissidents. The report detailed three types of phishing attacks aimed at Iranian activists. Researchers also found one such attack targeting Jillian York, the Director for International Freedom of Expression at the Electronic Frontier Foundation. Here's How the Attack Works Via Text Messages: In some case...
Photos Leaked! Here's Top Features Expected in Next iPhone Release

Aug 31, 2015
Only 9 days are left until Apple's annual new iPhone launch event, where the company will bring out its various new products, but the obvious stars of the show will be the iPhone 6S and the iPhone 6S Plus. The company has not officially announced the iPhone 6S and iPhone 6S Plus yet, but a series of new, high-resolution photographs obtained by 9to5Mac show some new features coming to its next-generation iPhone. The new iPhones – likely called the iPhone 6S and 6S Plus – will be introduced at Apple's fall event on September 9. The leaked photos give us a closer look at two of the iPhone's key new features: Force Touch and a larger FaceTime camera. Here is the list of features the new iPhone 6S and iPhone 6S Plus include: Force Touch: The new iPhone 6S would include Force Touch technology that Apple introduced with the Apple Watch, and haptic feedback. Here's how it works: When a user presses slightly harder on the screen, sensors in the scre...
Six U.K. Teens Arrested for using Lizard Squad's DDoS Tool

Aug 30, 2015
Six British teenagers have been arrested and released on bail on suspicion of launching cyber attacks on websites and services with the help of Lizard Squad's DDoS attack tool, called Lizard Stresser. Lizard Squad is infamous for hacking and knocking down the largest online gaming networks – PlayStation Network and Xbox Live – last year by launching massive Distributed Denial-of-Service (DDoS) attacks. The notorious hacker group set up a website to let customers use its Lizard-branded DDoS-for-hire tool Lizard Stresser to launch similar DDoS attacks. The six teens, arrested by the National Crime Agency, are accused of using the Lizard Stresser DDoS tool to launch cyber attacks against a school, a national newspaper, gaming companies and a number of online retailers. However, according to law enforcement, none of the teenagers is believed to be a member of Lizard Squad or to have had any connection with last year's Christmas hack against Sony and Microsoft's gami...
BitTorrent Fixes Reflective DDoS Attack Security Flaw

Aug 28, 2015
Two weeks ago, we reported how a serious flaw in the popular peer-to-peer BitTorrent file sharing protocols could be exploited to carry out a devastating distributed denial of service (DDoS) attack, allowing lone hackers with limited resources to take down large websites. The good news is that the developers of BitTorrent have fixed the security issue in its service, which is used by hundreds of millions of users worldwide. In a blog post published Thursday, BitTorrent announced that the flaw resided in a reference implementation of the Micro Transport Protocol (uTP) called libuTP, which is used by many widely used BitTorrent clients such as μTorrent, Vuze and Mainline. The San Francisco company also announced that it has rolled out a patch for its libuTP software that will stop miscreants from abusing the p2p protocol to conduct Distributed Reflective Denial-of-Service (DRDoS) attacks. A DRDoS attack is a more sophisticated form of conventional DDoS att...
Warning! How Hackers Could Hijack Your Facebook Fan Page With This Trick

Aug 28, 2015
Facebook bounty hunter Laxman Muthiyah from India has recently discovered his third bug of this year in the widely popular social network website, which just set a new record by touching 1 billion users in a single day. At the beginning of the year, Laxman discovered a serious flaw in Facebook graphs that allowed him to view or probably delete other users' photo albums on Facebook, even without authentication. Just a month later, Laxman uncovered another critical vulnerability in the social network platform, residing in the Facebook Photo Sync feature, which automatically uploads photos from your mobile device to a private Facebook album that isn't visible to any of your Facebook friends or other Facebook users. However, the flaw discovered by Laxman could have allowed any third-party app to access and steal your personal photographs from the hidden Facebook Photo Sync album. Hacking Any Facebook Page: Now, the latest bug in Laxman's list could allow atta...
Mark's Milestone: 1 Billion People Uses Facebook in A Single Day

Aug 28, 2015
Yesterday, Facebook Co-founder and Chairman Mark Zuckerberg broadcast in his Facebook post that on Monday Facebook set a record by counting ONE BILLION people accessing Facebook in a single day. Zuckerberg shared his happiness and thanked the world. He was overwhelmed with the milestone Facebook has touched and even shared a video expressing his emotions. "[Facebook] just passed an important milestone," Zuckerberg wrote in a Facebook post on Thursday. "For the first time ever, one billion people used Facebook in a single day." That means roughly 1 in 7 people on Earth connected with their friends and family using Facebook in a single day. Feeling Connected Indeed! So far, Facebook is the world's largest online social networking website with 1.5 billion monthly active users. Comparatively, Twitter has 316 million monthly active users. Zuckerberg felt proud of the Facebook community. As they are the ones, who helped him to reach such...
Disgusting! Ashley Madison was Building an App – 'What's your Wife Worth?'

Aug 28, 2015
We could expect Ashley Madison to cross any limits when it comes to cheating, but this is WORSE. After all the revelations made by the Impact Team in the past week, this was something different from the leaked data that had names, passwords and other details of Ashley Madison clients. A dump from the leaked files reveals an awful strategy of Avid Life Media (ALM), Ashley Madison's parent company, to launch an app called "What's your wife worth." As the name says it all, the app allows men to rate each other's wives. Know Your Wife Worth: 'What's your wife worth' was discovered in a June 2013 email exchanged between Noel Biderman, ALM's chief executive, and Brian Offenheim, ALM's vice president of creative and design, in which Biderman made suggestions to Offenheim about the probable outlook of the app. He suggested options like "Choice should be 'post your wife' and 'bid on someone's wife'," also ...
German Spy-Agency Trades Citizens' Metadata in Exchange for NSA's Xkeyscore

Aug 27, 2015
This is Really Insane!! Germany's top intelligence agency handed over details related to German citizen metadata just in order to obtain a copy of the National Security Agency's main XKeyscore software, which was first revealed by Edward Snowden in 2013. According to the new documents obtained by the German newspaper Die Zeit, the Federal Office for the Protection of the Constitution (BfV - Bundesamtes für Verfassungsschutz) traded data of its citizens for surveillance software from their US counterparts. Germany and the United States signed an agreement that would allow German spies to obtain a copy of the NSA's flagship tool XKeyscore, to analyse data gathered in Germany. So they covertly and illegally traded access to Germans' data with the NSA. The XKeyscore surveillance software program was designed by the National Security Agency to collect and analyse intercepted data it obtains traveling over a network. The surveillance software is powerful...
PayPal Vulnerability Allows Hackers to Steal All Your Money

Aug 27, 2015
A critical security vulnerability has been discovered in the global e-commerce business PayPal that could allow attackers to steal your login credentials, and even your credit card details in unencrypted format. Egypt-based researcher Ebrahim Hegazy discovered a Stored Cross Site Scripting (XSS) vulnerability in PayPal's Secure Payments domain. As it sounds, the domain is used to conduct secure online payments when purchasing from any online shopping website. It enables buyers to pay with their payment cards or PayPal accounts, eliminating the need to store sensitive payment information. However, it is possible for an attacker to set up a rogue online store or hijack a legitimate shopping website to trick users into handing over their personal and financial details. How the Stored XSS Attack Works? Hegazy explains a step by step process in his blog post, which gives a detailed explanation of the attack. Here's what the researcher calls the worst attack scenario:...
British-born ISIS Hacker Killed in US Drone Strike in Syria

Aug 27, 2015
Remember Team Poison? The hacker group that was active in 2012, and was known for gaining access to the former Prime Minister Tony Blair's address book and then publishing information from it. The British hacker who actually obtained the Prime Minister's address book and was jailed for six months in 2012, named Junaid Hussain, has been killed in a United States drone strike in Syria, a source familiar with the matter said on Wednesday. Hussain was a British hacker who rose to prominence within the Islamic State group in Syria as a top cyber expert masterminding the ISIS online war. The U.S. military conducted the operation; there was no involvement of the British government in the killing of Hussain, a British citizen from Birmingham. Junaid Hussain Killed in Raqqa: Hussain was killed in Raqqa, located in northern Syria, which has been treated as a safe place by ISIS. The United States has yet to officially announce Hussain's death, which is not veri...
Facebook M: Facebook's Answer to Siri, Cortana and Google Now

Aug 27, 2015
Microsoft's 'Cortana', Google's 'Google Now', Apple's 'Siri'. Now meet Facebook's 'M.' Facebook's announcement to introduce their Personal Digital Assistant "M" comes with powers within Facebook Messenger. It is a virtual assistant similar to Google Now, Apple's Siri and Microsoft's smart digital assistant Cortana. It seems that all the intelligence that resides within the personal digital assistants already in the market is nothing in front of M's capabilities, according to the Facebook post by David Marcus, Vice President of Messaging Products at Facebook. Three days ago, Microsoft had boosted the powers of Android users by making Cortana accessible on Android devices. Now, hearing of Facebook's launch of 'M', rival companies would have definitely face-palmed! What Can I Help You With? The virtual assistant software "M" is truly going to support you by doing the ...
This iPhone Malware infecting Jailbroken Devices Stole 225,000 Apple Accounts

Aug 27, 2015
Jailbreakers Beware! Some shady tweaks that you installed on your jailbroken devices are looking to steal your iCloud login credentials, a report said. The iCloud account details, including email addresses and passwords, of nearly 220,000 jailbreak users have been breached, an online Chinese vulnerability-reporting platform WooYun reported. WooYun is an information security platform where researchers report vulnerabilities and vendors give their feedback. Backdoor Privacy Attack: The security breach, according to the website, was a result of a 'backdoor privacy attack' caused by the installation of a malicious jailbreak tweak. It appears that hackers are using a variety of "built-in backdoors" that could be numerous malicious jailbreak tweaks in an effort to acquire victims' iCloud account information. Once installed, these malicious tweaks transferred the iCloud login details of the jailbreak users to an unknown remote se...
Here’s the List of Top 10 Big Tech Companies where Ashley Madison is very Popular

Aug 26, 2015
Cheaters Exposed! Whether it was the Impact Team or a female ex-employee who worked for Avid Life Media (as John McAfee claims), the hackers that breached the cheaters' dating website Ashley Madison have made the world aware of a lot of unfaithful people. The data crunching firm Dadaviz has analysed the leaked information of the Ashley Madison website and revealed that thousands of the cheating website's customers are from large tech companies. Among those large tech companies, IBM and HP have the highest number of employees using the online infidelity website. Also, the list included Cisco, Apple, Intel and Microsoft employees. Top 10 Big Tech Companies that Love to Cheat: Here is the list of Top 10 Big Tech Companies where Ashley Madison is the most popular: IBM, HP, Cisco, Apple, Intel, Microsoft, Samsung, SAP, Oracle, Qualcomm. Dadaviz found that one-third (34 percent) of all the Ashley Madison accounts were fake. Of course, there wou...
Microsoft Office 2016 for Windows coming on September 22

Aug 26, 2015
Earlier this year, Microsoft announced that it would soon bring Office 2016 to the world. Also, the Office 2016 software version for Mac was released in July 2015. Now growing speculation hints at a final release date for Office 2016 for Windows of 22nd September 2015. For Windows users, though, it may not be much of a change, because no major improvements are visible in the new Office suite compared to its predecessor, Office 2013. Office 2016 for Windows is supposedly debuting in less than a month and will be available for home and professional users initially. Improvements in Office 2016: Office 2016 is going to be more colorful, with bright and dark colored theme options. Also, this time Microsoft has made it pretty clear that people are required to have Office 365 subscriptions, because Microsoft is going to send new updates of Office along with the updates of Office 365. Mostly, modifications are done in the Outlook applicat...