The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

WikiLeaks founder Julian Assange has been arrested at the Ecuadorian Embassy in London—that's almost seven years after he took refuge in the embassy to avoid extradition to Sweden over a sexual assault case. According to a short note released by London's Metropolitan Police Service, Assange was arrested immediately after the Ecuadorian government today withdraws his political asylum. Assange has now been taken into custody at a central London police station, from where he will be presented before Westminster Magistrates' Court as soon as possible. U.S. Department of Justice also confirmed today that Assange would face extradition proceedings for his alleged role in "one of the largest compromises of classified information in the history of the United States." "The indictment [unsealed today] alleges that in March 2010, Assange engaged in a conspiracy with Chelsea Manning, a former intelligence analyst in the U.S. Army, to assist Manning in cracki...

🔥 Breaking — It has been close to just one year since the launch of next-generation Wi-Fi security standard WPA3 and researchers have unveiled several serious vulnerabilities in the wireless security protocol that could allow attackers to recover the password of the Wi-Fi network. WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data. The Wi-Fi Protected Access III (WPA3) protocol was launched in an attempt to address technical shortcomings of the WPA2 protocol from the ground, which has long been considered to be insecure and found vulnerable to KRACK (Key Reinstallation Attack). Though WPA3 relies on a more secure handshake, known as Dragonfly , that aims to protect Wi-Fi networks against offline dictionary attacks, security researchers Mathy Vanhoef and Eyal Ronen found weaknesses in the early implementa...

Cybersecurity researchers yesterday unveiled the existence of a highly sophisticated spyware framework that has been in operation for at least last 5 years—but remained undetected until recently. Dubbed TajMahal by researchers at Kaspersky Lab, the APT framework is a high-tech modular-based malware toolkit that not only supports a vast number of malicious plugins for distinct espionage operations, but also comprises never-before-seen and obscure tricks. Kaspersky named the framework after Taj Mahal, one of the Seven Wonders of the World located in India, not because it found any connection between the malware and the country, but because the stolen data was transferred to the attackers' C&C server in an XML file named TajMahal. TajMahal toolkit was first discovered by security researchers late last year when hackers used it to spy on the computers of a diplomatic organization belonging to a Central Asian country whose nationality and location have not been disclosed...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

Microsoft today released its April 2019 software updates to address a total of 74 CVE-listed vulnerabilities in its Windows operating systems and other products, 13 of which are rated critical and rest are rated Important in severity. April 2019 security updates address flaws in Windows OS, Internet Explorer, Edge, MS Office, and MS Office Services and Web Apps, ChakraCore, Exchange Server, .NET Framework and ASP.NET, Skype for Business, Azure DevOps Server, Open Enclave SDK, Team Foundation Server, and Visual Studio. None of the vulnerabilities addressed this month by the tech giant were disclosed publicly at the time of release, leaving the two recently disclosed zero-day flaws in Internet Explorer and Edge browsers still open for hackers. However, two new privilege escalation vulnerabilities, which affect all supported versions of the Windows operating system, have been reported as being actively exploited in the wild. Both rated as important, the flaws ( CVE-2019-0803 ...

Good morning readers, it's Patch Tuesday again—the day of the month when Adobe and Microsoft release security patches for their software. Adobe just released its monthly security updates to address a total of 40 security vulnerabilities in several of its products, including Flash Player, Adobe Acrobat and Reader, and Shockwave Player. According to an advisory, Adobe Acrobat and Reader applications for Microsoft Windows and Apple macOS operating systems are vulnerable to a total 21 vulnerabilities, 11 of which have been rated as critical in severity. Upon successful exploitation, all critical vulnerabilities in Adobe Acrobat and Reader software lead to arbitrary code execution, allowing attackers to take complete control over targeted systems. Remaining ten vulnerabilities in the most widely used PDF reader are all rated as important and could lead to information disclosure. If your system hasn't yet detected the availability of the new update automatically, you sh...

A cybersecurity researcher at Tenable has discovered multiple security vulnerabilities in Verizon Fios Quantum Gateway Wi-Fi routers that could allow remote attackers to take complete control over the affected routers, exposing every other device connected to it. Currently used by millions of consumers in the United States, Verizon Fios Quantum Gateway Wi-Fi routers have been found vulnerable to three security vulnerabilities, identified as CVE-2019-3914, CVE-2019-3915, and CVE-2019-3916. The flaws in question are authenticated command injection (with root privileges), login replay , and password salt disclosure vulnerabilities in the Verizon Fios Quantum Gateway router (G1100), according to technical details Chris Lyne, a senior research engineer at Tenable, shared with The Hacker News. Authenticated Command Injection Flaw (CVE-2019-3914) When reviewing the log file on his router, Chris noticed that the "Access Control" rules in the Firewall settings, availabl...

Cybersecurity researchers have discovered an iOS version of the powerful mobile phone surveillance app that was initially targeting Android devices through apps on the official Google Play Store. Dubbed Exodus , as the malware is called, the iOS version of the spyware was discovered by security researchers at LookOut during their analysis of its Android samples they had found last year. Unlike its Android variant, the iOS version of Exodus has been distributed outside of the official App Store, primarily through phishing websites that imitate Italian and Turkmenistani mobile carriers. Since Apple restricts direct installation of apps outside of its official app store, the iOS version of Exodus is abusing the Apple Developer Enterprise program, which allows enterprises to distribute their own in-house apps directly to their employees without needing to use the iOS App Store. "Each of the phishing sites contained links to a distribution manifest, which contained metadata...

Microsoft today finally released the first new reborn version of its Edge browser that the company rebuilds from scratch using Chromium engine, the same open-source web rendering engine that powers Google's Chrome browser. However, the Chromium-based Edge browser builds haven't yet entered the stable or even the beta release; instead, Microsoft has released two testing-purpose preview builds for developers. Both previews build— "Canary"  that will be updated daily, and "Developer"  that will be updated every week—are now available for download from the Microsoft's new Edge insider website . Here's how Microsoft differentiates Canary and Developer builds: "Every night, we produce a build of Microsoft Edge — if it passes automated testing, we'll release it to the Canary channel. We use this same channel internally to validate bug fixes and test brand new features. The Canary channel is truly the bleeding edge, so you may discover bugs...

EXCLUSIVE — Beware, if you are using a Xiaomi's Mi or Redmi smartphone, you should immediately update its built-in MI browser or the Mint browser available on Google Play Store for non-Xiaomi Android devices. That's because both web browser apps created by Xiaomi are vulnerable to a critical vulnerability which has not yet been patched even after being privately reported to the company, a researcher told The Hacker News. The vulnerability, identified as CVE-2019-10875 and discovered by security researcher Arif Khan , is a browser address bar spoofing issue that originates because of a logical flaw in the browser's interface, allowing a malicious website to control URLs displayed in the address bar. According to the advisory, affected browsers are not properly handling the "q" query parameter in the URLs, thus fail to display the portion of an https URL before the ?q= substring in the address bar. Since the address bar of a web browser is the most r...

What could be worse than this, if the software that's meant to protect your devices leave backdoors open for hackers or turn into malware? Researchers today revealed that a security app that comes pre-installed on more than 150 million devices manufactured by Xiaomi, China's biggest and world's 4th largest smartphone company, was suffering from multiple issues that could have allowed remote hackers to compromise Xiaomi smartphones. According to CheckPoint, the reported issues resided in one of the pre-installed application called, Guard Provider , a security app developed by Xiaomi that includes three different antivirus programs packed inside it, allowing users to choose between Avast, AVL, and Tencent. Since Guard Provider has been designed to offer multiple 3rd-party programs within a single app, it uses several Software Development Kits (SDKs), which according to researchers is not a great idea because data of one SDK cannot be isolated and any issue in one of ...

Update (4/4/2019) — Great news. NSA today finally released the complete source code for GHIDRA version 9.0.2 which is now available on its Github repository . GHIDRA  is agency's home-grown classified software reverse engineering tool that agency experts have been using internally for over a decade to hunt down security bugs in software and applications. GHIDRA is a Java-based reverse engineering framework that features a graphical user interface (GUI) and has been designed to run on a variety of platforms including Windows, macOS, and Linux. Reverse engineering a program or software involves disassembling, i.e. converting binary instructions into assembly code when its source code is unavailable, helping software engineers, especially malware analysts, understand the functionality of the code and actual design and implementation information. The existence of GHIDRA was first publicly revealed by WikiLeaks in CIA Vault 7 leaks , but the NSA today publicly released t...

It's been a bad week for Facebook users. First, the social media company was caught asking some of its new users to share passwords for their registered email accounts and now… ...the bad week gets worse with a new privacy breach. More than half a billion records of millions of Facebook users have been found exposed on unprotected Amazon cloud servers. The exposed datasets do not directly come from Facebook; instead, they were collected and unsecurely stored online by third-party Facebook app developers. Researchers at the cybersecurity firm UpGuard today revealed that they discovered two datasets—one from a Mexican media company called Cultura Colectiva and another from a Facebook-integrated app called "At the pool"—both left publicly accessible on the Internet. More than 146 GB of data collected by Cultura Colectiva contains over 540 million Facebook user records, including comments, likes, reactions, account names, Facebook user IDs, and more. The ...

If you have a "private" blog with WordPress.com and are using its official iOS app to create or edit posts and pages, the secret authentication token for your admin account might have accidentally been leaked to third-party websites. WordPress has recently patched a severe vulnerability in its iOS application that apparently leaked secret authorization tokens for users whose blogs were using images hosted on third-party sites, a spokesperson for Automattic confirmed The Hacker News in an email. Discovered by the team of WordPress engineers, the vulnerability resided in the way WordPress iOS application was fetching images used by private blogs but hosted outside of WordPress.com, for example, Imgur or Flickr. That means, if an image were hosted on Imgur and then when the WordPress iOS app attempted to fetch the image, it would send along a WordPress.com authorization token to Imgur, leaving a copy of the token in the access logs of the Imgur's web server. It sh...

The Georgia Institute of Technology, well known as Georgia Tech, has confirmed a data breach that has exposed personal information of 1.3 million current and former faculty members, students, staff and student applicants. In a brief note published Tuesday, Georgia Tech says an unknown outside entity gained "unauthorized access" to its web application and accessed the University's central database by exploiting a vulnerability in the web app. Georgia Tech traced the first unauthorized access to its system to December 14, 2018, though it's unclear how long the unknown attacker(s) had access to the university database containing sensitive students and staff information. The database contained names, addresses, social security numbers, internal identification numbers, and date of birth of current and former students, faculty and staff, and student applicants. However, the University has launched a forensic investigation to determine the full extent of the breach. ...

Visibility into an environment attack surface is the fundamental cornerstone to sound security decision making. However, the standard process of 3rd party threat assessment as practiced today is both time consuming and expensive. Cynet changes the rules of the game with a free threat assessment offering based on more than 72 hours of data collection and enabling organizations to benchmark their security posture against their industry vertical peers and take actions accordingly. Cynet Free Threat Assessment (available for organizations with 300 endpoints and above) spotlights critical, exposed attack surfaces and provides actionable knowledge of attacks that are currently alive and active in the environment: ➤ Indication of live attacks: active malware, connection to C&C, data exfiltration, access to phishing links, user credential theft attempts and others: ➤ Host and app attack surfaces: unpatched vulnerabilities rated per criticality: ➤ Benchmark comparing ...

In a world that's growing increasingly digital, Magecart attacks have emerged as a key cybersecurity threat to e-commerce sites. Magecart, which is in the news a lot lately, is an umbrella term given to 12 different cyber criminal groups that are specialized in secretly implanting a special piece of code on compromised e-commerce sites with an intent to steal payment card details of their customers. The malicious code—well known as JS sniffers, JavaScript sniffers, or online credit card skimmers—has been designed to intercept users' input on compromised websites to steal customers' bank card numbers, names, addresses, login details, and passwords in real time. Magecart made headlines last year after cybercriminals conducted several high-profile heists involving major companies including British Airways , Ticketmaster , and Newegg , with online bedding retailers MyPillow and Amerisleep being recent victims of these attacks. The initial success of these attacks alread...

Facebook has been caught practicing the worst ever user-verification mechanism that could put the security of its users at risk. Generally, social media or any other online service asks users to confirm a secret code or a unique URL sent to the email address they provided for the account registration. However, Facebook has been found asking some newly-registered users to provide the social network with the passwords to their email accounts, which according to security experts is a terrible idea that could threaten privacy and security of its users. First noticed by Twitter account e-Sushi using the handle @originalesushi, Facebook has been prompting users to hand over their passwords for third-party email services, so that the company can "automatically" verify their email addresses. However, the prompt only appears for email accounts from certain email providers which Facebook considers to be suspicious. "Tested it myself registering 3 times with 3 differe...