The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

We live in an age where data flows like water, becoming the new life source of our everyday ventures. As such, you can just imagine what all of that entails and the weight that data receive, especially when it comes to a decision making on how to handle this fairly new and arguably invaluable resource. Of course, we are well aware from a very young age that our water needs to be pure, filtered and possibly protected, so this pops the question and makes us wonder: How exactly does all of this translate for our data, its handling processes and ultimately our Security? It is no secret that our personal information is as valuable if not more than actual currency. Imagining your social security number, medical bills or paycheck amounts flowing through vast amounts of seemingly random servers all across the globe can be unnerving. It brings out the same questions that we would have for anything else of value: Where is it going? Who can see it? Why are they holding it? ... Is ...

A security researcher has disclosed details of a critical vulnerability in one of the popular and widely active plugins for WordPress that could allow a low-privileged attacker to inject malicious code on AMP pages of the targeted website. The vulnerable WordPress plugin in question is " AMP for WP – Accelerated Mobile Pages " that lets websites automatically generate valid accelerated mobile pages for their blog posts and other web pages. AMP , stands for Accelerated Mobile Page s , is an open-source technology that has been designed by Google to allow websites build and server faster web pages to mobile visitors. Though I am pretty sure the main version of "The Hacker News" website is enough fast for both desktop and mobile device users, you can also check the AMP version for this specific article here . Out of hundreds of plugins that allows WordPress websites to create Google-optimize AMP pages, "AMP for WP" is the most popular among others...

At Pwn2Own 2018 mobile hacking competition held in Tokyo on November 13-14, white hat hackers once again demonstrated that even the fully patched smartphones running the latest version of software from popular smartphone manufacturers can be hacked. Three major flagship smartphones—iPhone X, Samsung Galaxy S9, and Xiaomi Mi6—were among the devices that successfully got hacked at the annual mobile hacking contest organized by Trend Micro's Zero Day Initiative (ZDI), earning white hat hackers a total of $325,000 in reward. Teams of hackers participated from different countries or representing different cybersecurity companies disclosed a total of 18 zero-day vulnerabilities in mobile devices made by Apple, Samsung, and Xiaomi, as well as crafted exploits that allowed them to completely take over the targeted devices. Apple iPhone X Running iOS 12.1 — GOT HACKED! A team of two researchers, Richard Zhu and Amat Cama, who named themselves Fluoroacetate, discovered and managed to ...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

Disclosed earlier this year, potentially dangerous Meltdown and Spectre vulnerabilities that affected a large family of modern processors proven that speculative execution attacks can be exploited in a trivial way to access highly sensitive information. Since then, several more variants of speculative execution attacks have been discovered, including Spectre-NG , SpectreRSB, Spectre 1.1, Spectre1.2, TLBleed , Lazy FP , NetSpectre and Foreshadow , patches for which were released by affected vendors time-to-time. Speculative execution is a core component of modern processors design that speculatively executes instructions based on assumptions that are considered likely to be true. If the assumptions come out to be valid, the execution continues, otherwise discarded. Now, the same team of cybersecurity researchers who discovered original Meltdown and Spectre vulnerabilities have uncovered 7 new transient execution attacks affecting 3 major processor vendors—Intel, AMD, ARM. W...

It's Patch Tuesday once again…time for another round of security updates for the Windows operating system and other Microsoft products. This month Windows users and system administrators need to immediately take care of a total of 63 security vulnerabilities, of which 12 are rated critical, 49 important and one moderate and one low in severity. Two of the vulnerabilities patched by the tech giant this month are listed as publicly known at the time of release, and one flaw is reported as being actively exploited in the wild by multiple cybercriminal groups. Zero-Day Vulnerability Being Exploited by Cyber Criminals The zero-day vulnerability, tracked as CVE-2018-8589 , which is being exploited in the wild by multiple advanced persistent threat groups was first spotted and reported by security researchers from Kaspersky Labs. The flaw resides in the Win32k component (win32k.sys), which if exploited successfully, could allow a malicious program to execute arbitrary code...

Another security vulnerability has been reported in Facebook that could have allowed attackers to obtain certain personal information about users and their friends, potentially putting the privacy of users of the world's most popular social network at risk. Discovered by cybersecurity researchers from Imperva, the vulnerability resides in the way Facebook search feature displays results for entered queries. According to Imperva researcher Ron Masas, the page that displays search results includes iFrame elements associated with each outcome, where the endpoint URLs of those iFrames did not have any protection mechanisms in place to protect against cross-site request forgery (CSRF) attacks. It should be noted that the newly reported vulnerability has already been patched, and unlike previously disclosed flaw in Facebook that exposed personal information of 30 million users , it did not allow attackers to extract information from mass accounts at once. How Does the Facebo...

In 1999, Bruce Schneier wrote, "Complexity is the worst enemy of security." That was 19 years ago (!) and since then, cyber security has only become more complex. Today, controls dramatically outnumber staff available to support them. The Bank of America has a $400-million cyber budget to hire security staff and implement a broad array of products. But what if your budget and sophistication is just a tiny fraction of the Bank of America's? The remaining 99% of organizations understand that they don't have sufficient protection for their internal network, but they also realize that to be sufficiently secured they need to buy multiple solutions and hire a large team to maintain it – which isn't an option. So they either stay with just an AV or buy a point solution to defend a specific part of their internal environment from particular types of attacks – only to later find out it doesn't meet what they really need. Cynet wants to change all that. ...

Our partner Springboard, which provides online courses to help you advance your cybersecurity career with personalized mentorship from industry experts, recently researched current cybersecurity salaries and future earning potential in order to trace a path to how much money you can make. Here's what they found were the most important factors for making sure you earn as much as possible: 1) Choosing the right type of cybersecurity role and building your skill set The cybersecurity role you're in clearly makes a difference: the average salary for penetration testers is $55,000 according to U.S. data from Glassdoor. But cybersecurity engineers should expect to earn about $140,000—and engineers have a more natural path to becoming architects, who can earn even more. Cybersecurity analysts are somewhere in between, averaging about $80,000 a year. Of course, becoming a cybersecurity engineer requires more skills and experience than becoming a penetration tester, but you...

Windows 10 users don't have to wait much longer for the support of latest WPA3 Wi-Fi security standard , a new blog post from Microsoft apparently revealed. The third version of Wi-Fi Protected Access, in-short WPA3, is the next generation of the wireless security protocol that has been designed to make it harder for attackers to hack WiFi password . WPA3 was officially launched earlier this year, but the new WiFi security standard won't arrive overnight. Most device manufacturers could take months to get their new routers and networking devices certified by the Wi-Fi Alliance to support WPA3. Meanwhile, technology providers have already started working on software and firmware updates to support the new WPA3 standard, including Microsoft. WPA3-Personal (SAE) Support in Windows 10 Though Microsoft hasn't yet officially announced WPA3 support for its Windows 10 operating system, new APIs introduced in the newly released Windows 10 SDK Preview build 18272 , as ma...

A 23-year-old hacker from Utah pleaded guilty this week to launching a series of denial-of-service (DoS) attacks against multiple online services, websites, and online gaming companies between 2013 and 2014. According to a Justice Department (DoJ) press release, Austin Thompson , a.k.a. "DerpTroll," took down servers of several major gaming platforms including Electronic Arts' Origin service, the Sony PlayStation network , and Valve Software's Steam, between December 2013 and January 2014, by flooding them with enough internet traffic. Thompson then typically used the Twitter account the @DerpTrolling handle to announce his attacks, subsequently posting screenshots or other photos of the server being unavailable after launching DDoS attacks. The attacks usually took down game servers and related computers of the victim companies for at least a few hours at a time, causing at least $95,000 in damages to the gaming companies around the world. "Denial-of...

Cybersecurity researchers at Check Point today revealed details of a potential dangerous vulnerability in DJI Drone web app that could have allowed attackers access user accounts and synced sensitive information within it, including flight records, location, live video camera feed, and photos taken during a flight. Thought the vulnerability was discovered and responsibly reported by the security firm Check Point to the DJI security team in March this year, the popular China-based drone manufacturing company fixed the issue after almost six months in September. The account takeover attack takes advantage of a total of three vulnerabilities in the DJI infrastructure, including a Secure Cookie bug in the DJI identification process, a cross-site scripting (XSS) flaw in its Forum and a SSL Pinning issue in its mobile app. The first vulnerability, i.e. not having the "secure" and "httponly" cookie flag enabled, allowed attackers to steal login cookies of a user b...