The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A German security researcher has publicly disclosed details of a serious vulnerability in one of the most popular FTP server applications, which is currently being used by more than one million servers worldwide. The vulnerable software in question is ProFTPD , an open source FTP server used by a large number of popular businesses and websites including SourceForge, Samba and Slackware, and comes pre-installed with many Linux and Unix distributions, like Debian. Discovered by Tobias Mädel , the vulnerability resides in the mod_copy module of the ProFTPD application, a component that allows users to copy files/directories from one place to another on a server without having to transfer the data to the client and back. According to Mädel, an incorrect access control issue in the mod_copy module could be exploited by an authenticated user to unauthorizedly copy any file on a specific location of the vulnerable FTP server where the user is otherwise not allowed to write a file. ...

The world of cybersecurity is fast-paced and ever-changing. New attacks are unleashed every day, and companies around the world lose millions of dollars as a result. The only thing standing in the way of cybercrime is a small army of ethical hackers. These cybersecurity experts are employed to find weaknesses before they can be exploited. It's a lucrative career, and anyone can find work after the right training. According to the Bureau of Labor Statistics, demand for cyber security experts will expand rapidly over the next three or four years. If you want to build a career in the industry, now is the time to take action. Do you also want to learn real-world hacking techniques but don't know where to start? This week's THN deal is for you —  2019 Ethical Hacker Master Class Bundle . This latest training bundle includes 10 following-mentioned courses with over 180 hours of  1395 in-depth  online lectures, helping you master all the fundamentals of cyber...

Equifax, one of the three largest credit-reporting firms in the United States, has to pay up to $700 million in fines to settle a series of state and federal investigations into the massive 2017 data breach that exposed the personal and financial data of nearly 150 million Americans—that's almost half the country. According to an official announcement by the U.S. Federal Trade Commission (FTC) today, Equifax has agreed to pay at least $575 million in fines, but this penalty could rise to up to $700 million depending on the amount of compensation people claim. Up to $425 million of the fines will go to a fund that will provide credit monitoring services to affected customers and compensate anyone who bought such services from the company and paid other related expenses as a result of the breach . Rest $175 million and $100 million will go to civil penalties across 50 states and to the Consumer Financial Protection Bureau (CFPB), respectively. Besides the penalty, the co...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

If you are in Kazakhstan and unable to access the Internet service without installing a certificate, you're not alone. The Kazakhstan government has once again issued an advisory to all major local Internet Service Providers (ISPs) asking them to make it mandatory for all their customers to install government-issued root certificates on their devices in order to regain access to the Internet services. The root certificate in question, labeled as " trusted certificate " or " national security certificate ," if installed, allows ISPs to intercept and monitor users' encrypted HTTPS and TLS connections, helping the government spy on its citizens and censor content. In other words, the government is essentially launching a "man in the middle" attack on every resident of the country. But how installing a "root certificate" allow ISPs to decrypt HTTPS connection? For those unaware, your device and web browsers automatically trust digi...

If you use Slack, a popular cloud-based team collaboration server, and recently received an email from the company about a security incident, don't panic and read this article before taking any action. Slack has been sending a "password reset" notification email to all those users who had not yet changed passwords for their Slack accounts since 2015 when the company suffered a massive data breach. For those unaware, in 2015, hackers unauthorisedly gained access to one of the company's databases that stored user profile information, including their usernames, email addresses, and hashed passwords. At that time, attackers also secretly inserted code, probably on the login page, which allowed them to capture plaintext passwords entered by some Slack users during that time. However, immediately following the security incident, the company automatically reset passwords for those small number of Slack users whose plaintext passwords were exposed, but asked other aff...

Eastern European country Bulgaria has suffered the biggest data breach in its history that compromised personal and financial information of 5 million adult citizens out of its total population of 7 million people. According to multiple sources in local Bulgarian media , an unknown hacker earlier this week emailed them download links to 11GB of stolen data which included taxpayer's personal identifiable numbers, addresses, and financial data. In a brief statement released Monday, the National Revenue Agency (NRA) of Bulgaria said the stolen data originates from the country's tax reporting service. The NRA also indicated that the Ministry of the Interior and the State Agency for National Security (SANS) have started taking an assessment of the potential vulnerability in NRA's systems that attackers might have exploited to breach into its databases. It appears that until now, the hacker, who claimed to be a Russian man, has only released 57 out of a total of 110 c...

Security researchers have discovered a rare piece of Linux spyware that's currently fully undetected across all major antivirus security software products, and includes rarely seen functionalities with regards to most Linux malware, The Hacker News learned. It's a known fact that there are a very few strains of Linux malware exist in the wild as compared to Windows viruses because of its core architecture and also due to its low market share, and also many of them don't even have a wide range of functionalities. In recent years, even after the disclosure of severe critical vulnerabilities in various flavors of Linux operating systems and software, cybercriminals failed to leverage most of them in their attacks. Instead, a large number of malware targeting Linux ecosystem is primarily focused on cryptocurrency mining attacks for financial gain and creating DDoS botnets by hijacking vulnerable servers. However, researchers at security firm Intezer Labs recently d...

Earlier this month, The Hacker News covered a story on research revealing how over 1300 Android apps are collecting sensitive data even when users have explicitly denied the required permissions. The research was primarily focused on how app developers abuse multiple ways around to collect location data, phone identifiers, and MAC addresses of their users by exploiting both covert and side channels. Now, a separate team of cybersecurity researchers has successfully demonstrated a new side-channel attack that could allow malicious apps to eavesdrop on the voice coming out of your smartphone's loudspeakers without requiring any device permission. Abusing Android Accelerometer to Capture Loudspeaker Data Dubbed Spearphone , the newly demonstrated attack takes advantage of a hardware-based motion sensor, called an accelerometer, which comes built into most Android devices and can be unrestrictedly accessed by any app installed on a device even with zero permissions. An ...

In every organization, there is a person who's directly accountable for cybersecurity. The name of the role varies per the organization's size and maturity – CISO, CIO, and Director of IT are just a few common examples – but the responsibility is similar in all places. They're the person who understands the risk and exposure, knows how prepared the team and most important – what the gaps are and how they can be best addressed. Apart from actually securing the organization – and losing some sleep over it – this individual has another equally important task: to communicate the security risk, needs, and status to the company's management. After all, the level of security rises in direct proportion to the amount of invested resources, and management people are the ones who decide and allocate them. Since management people are not typically cybersecurity savvy, engaging them can be challenging – one must find the balance between high-level explanations, a direct c...

If you think that the media files you receive on your end-to-end encrypted secure messaging apps can not be tampered with, you need to think again. Security researchers at Symantec yesterday demonstrated multiple interesting attack scenarios against WhatsApp and Telegram Android apps, which could allow malicious actors to spread fake news or scam users into sending payments to wrong accounts. Dubbed " Media File Jacking ," the attack leverages an already known fact that any app installed on a device can access and rewrite files saved in the external storage, including files saved by other apps installed on the same device. WhatsApp and Telegram allow users to choose if they want to save all incoming multimedia files on internal or external storage of their device. However, WhatsApp for Android by default automatically stores media files in the external storage, while Telegram for Android uses internal storage to store users files that are not accessible to any othe...

The same security vulnerabilities that were recently reported in Zoom for macOS also affect two other popular video conferencing software that under the hood, are just a rebranded version of Zoom video conferencing software. Security researchers confirmed The Hacker News that RingCentral, used by over 350,000 businesses, and Zhumu, a Chinese version of Zoom, also runs a hidden local web server on users' computers, just like Zoom for macOS. The controversial local web server that has been designed to offer an automatic click-to-join feature was found vulnerable to remote command injection attacks through 3rd-party websites. Security researcher Jonathan Leitschuh initially provided a proof-of-concept demonstrating how the vulnerable web server  could eventually allow attackers to turn on users laptop's webcam and microphone remotely. The flaw was later escalated to remote code execution attack by another security researcher, Karan Lyons , who has now published a new v...

Security researchers have illustrated a new app-in-the-middle attack that could allow a malicious app installed on your iOS device to steal sensitive information from other apps by exploiting certain implementations of Custom URL Scheme . By default on Apple's iOS operating system, every app runs inside a sandbox of its own, which prevent all apps installed on the same device from accessing each other's data. However, Apple offers some methods that facilitate sending and receiving very limited data between applications. One such mechanism is called URL Scheme, also known as Deep Linking, that allows developers to let users launch their apps through URLs, like facetime:// , whatsapp:// , fb-messenger:// . For example, when you click "Sign in with Facebook" within an e-commerce app, it directly launches the Facebook app installed on your device and automatically process the authentication. In the background, that e-commerce app actually triggers the URL Sch...

Watch out! Facebook-owned photo-sharing service has recently patched a critical vulnerability that could have allowed hackers to compromise any Instagram account without requiring any interaction from the targeted users. Instagram is growing quickly—and with the most popular social media network in the world after Facebook, the photo-sharing network absolutely dominates when it comes to user engagement and interactions. Despite having advanced security mechanisms in place, bigger platforms like Facebook, Google, LinkedIn, and Instagram are not completely immune to hackers and contain severe vulnerabilities. Some vulnerabilities have recently been patched , some are still under the process of being fixed, and many others most likely do exist, but haven't been found just yet. Details of one such critical vulnerability in Instagram surfaced today on the Internet that could have allowed a remote attacker to reset the password for any Instagram account and take complete contr...

The chaos and panic that the disclosure of privacy vulnerability in the highly popular and widely-used Zoom video conferencing software created earlier this week is not over yet. As suspected, it turns out that the core issue—a locally installed web server by the software—was not just allowing any website to turn on your device webcam, but also could allow hackers to take complete control over your Apple's Mac computer remotely. Reportedly, the cloud-based Zoom meeting platform for macOS has also been found vulnerable to another severe flaw (CVE-2019-13567) that could allow remote attackers to execute arbitrary code on a targeted system just by convincing users into visiting an innocent looking web-page. As explained in our previous report by Swati Khandelwal, the Zoom conferencing app contained a critical vulnerability ( CVE-2019-13450 ) that resides in the way its click-to-join feature is implemented, which automatically turns on users' webcam when they visit an in...

After months of negotiations, the United States Federal Trade Commission (FTC) has approved a record $5 billion settlement with Facebook over its privacy investigation into the Cambridge Analytica scandal . The settlement will put an end to a wide-ranging probe that began more than a year ago and centers around the violation of a 2011 agreement Facebook made with the FTC that required Facebook to gain explicit consent from users to share their personal data. The FTC launched an investigation into the social media giant last year after it was revealed that the company allowed Cambridge Analytica access to the personal data of around  87 million Facebook users without their explicit consent. Now, according to a new report published by the Wall Street Journal, the FTC commissioners this week finally voted to approve a $5 billion settlement, with three Republicans voting to approve the deal and two Democrats against it. Facebook anticipated the fine to between $3 billion...

Organizations around the world are wondering how to become immune from cyber attacks which are evolving every day with more sophisticated attack vectors. IT teams are always on the lookout for new ransomware and exploit spreading in the wild, but can all these unforeseen cyber attacks be prevented proactively? That's definitely a 'NO,' which is why there's a reactive approach in place to save organisations from the aftermath of take downs, and with proper cybersecurity practices, one can reduce the chances of becoming a victim. To do that, organizations should follow specific cybersecurity frameworks that will assist them in redefining and reinforcing their IT security and staying vigilant against cyber attacks. In this article, we'll understand what is cybersecurity framework, why they are mandatory for organizations, and what are their types, strategies, benefits, and implementation in detail. What is a Cybersecurity Framework? Cybersecurity framew...