The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cross-site scripting (XSS) Vulnerability reported on Paypal Paypal is affected by an XSS vulnerability where it fails to validate input on URL shown in above image. PayPal fixed the vulnerability shortly after being notified that its publicly posted. XSS, in general is a vulnerability that allows hackers to inject client side script on webpages and can modify how a user sees the webpage An attacker able to trick a user with a valid Paypal session into clicking a crafted version of the link below (wouldn't be hard, think a link on an eBay auction listing or a phishing e-mail for example) could hijack the user's session and initiate financial transactions on their behalf including money transfers. Alternatively this legitimate URL could be used to redirect the user to a spoofed PayPal web site designed to steal user credentials, which is a fairly common scam except in this case more effective as the user would see an actual PayPal URL to click on. [ Source ]

US Army's CECOM Data leaked by Hacker Hacker Black Jester recently published contract information from a Web site connected to the U.S. Army Communications and Electronics Command (CECOM). " 30 record sets that include names, user IDs, physical addresses, email addresses, telephone numbers, and clear-text passwords were published in a Pastebin document ," writes Softpedia . "' Old crappy server, but has good info inside it. The list is not complete due the lazy condition and msaccess db , enjoy!' the hacker wrote next to the data dump ," Kovacs writes. The Pastebin post doesn't contain the name of the site from where the data was leaked, but the hacker provided us with the IP address associated with it. That IP address led us to a Software Engineering Services site on which only "eligible users" may register.

Carberp Banking Trojan Scam - 8 Arrested in Russia 8 Men suspected of being involved in the Carberp phishing scam have been arrested in Russia. The men were arrested after a joint investigation by the Russian Ministry of Internal Affairs (MVD) and Federal Security Service (FSB). According to the MVD, the investigation found that two brothers were the ringleaders of the gang, and developed a plan to steal money from the accounts of online banking customers. The eight suspects allegedly stole more than 60 million Rubles ($2 million) from 90 victims using the Carberp Trojan. Russian security firm who assisted with the investigation, pegged the stolen loot at 130 million Rubles ($4.5 million). Police confiscated computers, bank cards, notary equipment, fake documentation, and more than 7 million Rubles ($240,000) in cash during the raid. The gang used the Carberp and RDP-door Trojans to snare victims. Carberp is a well-known Trojan that was recently seen on Facebook as part ...

Face to Face with Duqu malware Once again we discuss about Stuxnet, cyber weapons and of the malware that appears derivate from the dangerous virus. The international scientific community has defined a Stuxnet deadly weapon because been designed with a detailed analysis of final target environment supported by a meticulous intelligence work that for the first time in history has embraced the world of information technology. The agent was designed with the intent to strike the Iranian nuclear program and even more clear is who has always opposed such a program, U.S. and Israel first, and consider also the technology skill necessary to develope a weapon with the observed architecture is really high. Extremely important two factors af the event: 1. the choose of control systems as target of the malware. 2. the conception of the virus as an open project, a modular system for which it was designed a development platform used to assemble the deadly cyber weapons in relation to the final...

Vulnerability in Google Earth Software exposed by longrifle0x Ucha Gobejishvili, Security researcher also known as Longrifle0x , found another Interesting Security issue in one of the most famous software called,  Google Earth. He found a critical code execution vulnerability on google earth software client. For Proof of Concept , One can download any version of Google Earth, Then open "Click Placemark" , Put a malicious code there as one sample given below and Execute your code. Another past bug hunting by  Longrifle0x : 1.)  Cross Site Scripting (XSS) Vulnerability in Google 2.)  Skype Cross Site Vulnerabilities, user accounts can be Hijacked 3.) [POC] Buffer Overflow Vulnerability in GOM Media Player v. 2.1.37 and More..