The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Earlier this year, Facebook came across a bunch of duplicate SSL certificates for some of its own domains and revoked them immediately with the help of its own Certificate Transparency Monitoring Tool service. Digital certificates are the backbone of our secure Internet, which protects sensitive information and communication, as well as authenticate systems and Internet users. The Online Privacy relies heavily on SSL/TLS Certificates and encryption keys to protect millions of websites and applications. As explained in our  previous article on The Hacker News , the current Digital Certificate Management system and trusted Certificate Authorities (CAs) are not enough to prevent misuse of SSL certificates on the internet. In short, there are hundreds of Certificate Authorities, trusted by your web browsers and operating systems, that has the ability to issue certificates for any domain, despite the fact you already have one purchased from another CA. An...

Do you know there is a huge encryption backdoor still exists on the Internet that most people don't know about? I am talking about the traditional Digital Certificate Management System … the weakest link, which is completely based on trust, and it has already been broken several times. To ensure the confidentiality and integrity of their personal data, billions of Internet users blindly rely on hundreds of Certificate Authorities (CA) around the globe. In this article I am going to explain: The structural flaw in current Digital Certificate Management system. Why Certificate Authorities (CA) have lost the Trust. How Certificate Transparency (CT) fixes issues in the SSL certificate system. How to early detect every SSL Certificates issued for your Domain, legitimate or rogue? First, you need to know Certificate Authority and its role: Certificate Authority and its Role A Certificate Authority (CA) is a third-party organization that acts as a centr...

More than 135 Million modems around the world are vulnerable to a flaw that can be exploited remotely to knock them offline by cutting off the Internet access. The simple and easily exploitable vulnerability has been uncovered in one of the most popular and widely-used cable modem, the Arris SURFboard SB6141 , used in Millions of US households. Security researcher David Longenecker discovered a loophole that made these modems vulnerable to unauthenticated reboot attacks. He also released his "exploit" after Arris (formerly Motorola) stopped responding to him despite a responsible disclosure. The Bug is quite silly: No Username and Password Protection. Arris does not provide any password authentication set up on the modem's user interface, thus allowing any local attacker to access the administration web interface at 192.168.100.1 without the need to enter a username and password. This issue allows a local attacker to ' Restart Cable Modem ' ...

Do you own a custom domain or a blog under the wordpress.com domain name? If yes, then there is good news for you. WordPress is bringing free HTTPS to every blog and website that belongs to them in an effort to make the Web more secure. WordPress – free, open source and the most popular a content management system (CMS) system on the Web – is being used by over a quarter of all websites across the world, and this new move represents a massive shift over to a more secure Internet WordPress announced on Friday that it has partnered with the Electronic Frontier Foundation's " Let's Encrypt " project, allowing it to provide reliable and free HTTPS support for all of its customers that use custom domains for their WordPress.com blogs. Now every website hosted on wordpress.com has an SSL certificate and will display a green lock in the address bar. "For you, the users, that means you'll see secure encryption automatically deployed on ev...

Almost two years back, Apple introduced Swift programming language at its World Wide Developers Conference (WWDC) to the developers who build software applications for Apple devices. Swift was designed to make it easier for developers to create apps for Apple's mobile platform. Usually developers write complete app code and then compile it to see output, but Swift helps them see results in real time instantly while writing code. Now, reports have been emerged that the search engine giant is also considering making Swift programming language a "first class" language choice for programmers making apps for its Android platform. In between an ongoing legal battle with Oracle over Android, Google is planning to bring Swift into the Android platform with at least two major third-party developers — Facebook and Uber, reports The Next Web. Around the time when Apple officially made Swift an open source language, executives from Google, Facebook and Uber attended a m...

Although everyone, including Apple, was worried about the iPhone hacking tool used by the Federal Bureau of Investigation (FBI) to access data on iPhone belonged to the San Bernardino shooter, the FBI director said the hack does not work on an iPhone 5S or later. FBI Director James Comey said Wednesday that the agency was able to avoid a prolonged legal battle with Apple by buying a tool from a private source to hack into terrorist Syed Farook's iPhone 5C. Apple was engaged in a legal battle with the Department of Justice (DOJ) for a month over a court order that forces the company to write new software, which could disable passcode protection on Farook's iPhone to help them access data on it. Apple refused to comply with the order, so the FBI worked with a third-party firm, most likely the Israeli mobile forensic firm Cellebrite, and was successfully able to access data on the locked iPhone used in the San Bernardino shooting incident last year. But speaking to the ...

As reported last week, Microsoft will launch an 'Anniversary Update' for Windows 10 that will bring Ubuntu file system, allowing you to use Bash to run command-line Linux applications without a virtual machine. However, you do not have to wait until this summer to run Bash ( Bourne Again Shell ) on your Windows 10 OS, as Microsoft has released the first preview build of the Windows 10 Anniversary Update to the members of its Insider program. Don't expect it to run Ubuntu directly on Windows 10, as this is basically Ubuntu user-space packages running natively on Windows 10 by the company coming up with real-time translation of Linux system calls into Windows system calls. This new Bash Shell support features a full Ubuntu user space complete with support for tools including ssh, apt, rsync, find, grep, awk, sed, sort, xargs, md5sum, gpg, curl, wget, apache, mysql, python, perl, ruby, php, vim, emacs and more. Windows 10 build 14316's biggest addition is...

Hacking Team – the infamous Italy-based spyware company that had more than 400 GB of its confidential data stolen last year – is facing another trouble.  This time not from other hackers, but from its own government. Hacking Team is infamous for selling surveillance spyware to governments and intelligence agencies worldwide, but now it may not be allowed to do so, as the Italian export authorities have revoked the company's license to sell outside of Europe. Almost a year after it was hacked and got all its secrets leaked online , Hacking Team somehow managed to resume its operations and start pitching new hacking tools to help the United States law enforcement gets around their encryption issues. Hacking Team had sold its malware, officially known as the Galileo Remote Control System , to authorities in Egypt, Morocco, Brazil, Malaysia, Thailand, Kazakhstan, Vietnam, Mexico, and Panama. Hacking Team had also signed big contracts with the Federal Burea...

Adobe has been one of the favorite picks of the Hackers to mess with any systems devoid of any operating systems, as Flash Player is a front runner in all the browsers. Hackers have already been targeting Flash Player for long by exploiting known vulnerabilities roaming in the wild. Despite Adobe's efforts, Flash is not safe anymore for Internet security, as one more critical vulnerability had been discovered in the Flash Player that could crash the affected system and potentially allow an attacker to take control of the system. Discovered by a French Researcher Kafeine , FireEye's Genwei Jiang , and Google's Clement Lecigne, the flaw affects Adobe Flash Player 21.0.0.197 and its earlier versions for Windows, Macintosh, Linux and Chrome OS. The vulnerability, assigned under CVE-2016-1019, also expands back to Windows 7 and even towards Windows XP. Adobe had also confirmed that the newly discovered vulnerability in its Flash Player is being exploit...

Today the Internet has become dominated by images, and it's the major feature that got Facebook to a Billion daily users. We can not imagine Facebook without photos, but for Millions of blind and visually impaired people, Facebook without photos has been the reality since its launch. But not now! Facebook has launched a system, dubbed Automatic Alternative Text , which describes the contents of pictures by telling blind and visually-impaired users what appears in them. Blind and visually-impaired people use sophisticated navigation software known as screen readers to make their computers usable. The software turns the contents of the screen into speech, but it can't "read" pictures. However, Facebook's Automatic Alternative Text or AAT uses object recognition technology that can decode and describe photos uploaded to the social network site using artificial intelligence and then provide them in a form that can be readable by a screen reader. V...

Apple gave you a reason to turn your Siri OFF. A critical security flaw in Apple's newest iPhones running the latest version of the iOS operating system allows anyone to bypass the phone's lockscreen and gain access to personal information. The iPhone lockscreen bypass bug only works on the iPhone 6S and iPhone 6S Plus, as these devices take advantage of the 3D Touch functionality that is used to bypass the lockscreen passcode and access photos and contacts. The lockscreen bypass bug is present in iOS 9.2 and later, including the latest iOS 9.3.1 update, released last week. Anyone with physical access to an affected iPhone can gain access to the victim's photos, emails, text and picture messages, contacts, and phone settings, according to the Full Disclosure mailing list. Here's How to bypass iPhone's Lockscreen Step 1: If you own iPhone 6S or 6S Plus, first lock your device. Step 2: Invoke Siri and speak 'Search Twitter.'...

WhatsApp is updating its messaging app so that every text message and voice call will be encrypted for the company's one billion users. Yes, Whatsapp has finally implemented full end-to-end encryption , as promised a year ago. This means, from now every message, image or voice call you made will be secured by end-to-end encryption so that only you and the person you're communicating with can read the content of the message, and nobody in between, not even WhatsApp. In other words, this also means that WhatsApp would not be able to comply with any court order that demands access to the content of any conversation happens over its service. Starting today, you will see a notification on your WhatsApp conversation screen as your messenger becomes end-to-end encrypted, as shown in the screenshot. "Message you send to this chat and calls are now secured with end-to-end encryption. Tap for more info."  "This is because your messages are secured with a lock, ...

An admin of Silk Road 2 , named Brian Farrell , who helped maintain the notorious dark web site by providing customer and technical support, approving and suspending vendors, and promoting staff members, has pleaded guilty and could face 8 years in prison. The 28-year-old man, who used the moniker " DoctorClu ," had been accused last year of being the right-hand to the creator of Silk Road 2.0, the copycat website inspired by the notorious online illegal drug marketplace. Silk Road 2.0 was shuttered in November 2014 after its creator Blake Benthall aka "Defcon" was arrested whose own criminal case is pending in federal court in New York. Silk Road has been described as "one of the most extensive, sophisticated, and widely-used illegal marketplaces on the internet today."  According to the Department of Justice, Silk Road 2.0 had generated "sales of at least approximately $8 Million in the United States currency per month" s...

Personal details of nearly 50 Million Turkish citizens, including the country's President Recep Tayyip Erdogan, have been compromised and posted online in a massive security breach. A database, which contains 49,611,709 records , appeared on the website of an Icelandic group on Monday, offering download links to anyone interested. If confirmed, the data breach would be one of the biggest public breaches of its kind, effectively putting two-thirds of the Nation's population at risk of identity theft and fraud. However, The Associated Press (AP) reported on Monday that it was able to partially verify the authenticity of 8 out of 10 non-public Turkish ID numbers against the names in the data leak. 50 Million Turkish Citizens' Personal Data leaked Online The leaked database (about 6.6 GB file) contains the following information: First and last names National identifier numbers (TC Kimlik No) Gender City of birth Date of birth Full address ID...

A security researcher has won $13,000 bounty from Microsoft for finding a critical flaw in its main authentication system that could allow hackers to gain access to a user's Outlook, Azure and Office accounts. The vulnerability has been uncovered by UK-based security consultant Jack Whitton and is similar to Microsoft's OAuth CSRF (Cross-Site Request Forgery) in Live.com discovered by Synack security researcher Wesley Wineberg. However, the main and only difference between the vulnerabilities is that: Flaw discovered by Wineberg affected Microsoft's OAuth protection mechanism while the one discovered by Whitton affected Microsoft's main authentication system. Microsoft handles authentication across its online services including Outlook, Azure and Office through requests made to login.live.com, login.windows.net, and login.microsoftonline.com. Now, for example, if a user browses to outlook.office.com, he/she redirects to a login.microsoftonline...

Marcel Lazar Lehel aka " Guccifer " – an infamous Romanian hacker who hacked into the emails and social networking accounts of numerous high profile the US and Romanian Politicians – appeared in the United States court for the first time after extradition. Following Romania's top court approval last month, Guccifer was extradited to the United States recently from Romania, his home country, where he had already been serving a hacking sentence. Lehel has been charged with cyber-stalking, unauthorized access to a protected computer and aggravated identity theft in a nine-count indictment filed in 2014 in a federal district court in Alexandria, the U.S. Justice Department said in a statement. Lehel "hacked into the email and social media accounts of high-profile victims, including a family member of two former U.S. presidents, a former U.S. Cabinet member, a former member of the U.S. Joint Chiefs of Staff and a former presidential advisor," acc...