The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A recently reported flaw that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router isn't necessary for some Arcadyan based routers anymore. Last year it was exposed that the WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on many wireless routers makes this brute force attack that much more feasible. Some 100,000 routers of type Speedport W921V, W504V and W723V are affected in Germany alone. What makes things worse is the fact that in order to exploit the backdoor, no button has to be pushed on the device itself and on some of the affected routers, the backdoor PIN (...

Security Expert from Coresec explains the use of a Permanent Reverse TCP Backdoor " sbd-1.36 " for IPhone and IPad developed by Michel Blomgren. sbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. sbd features AES-128-CBC + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. Only TCP/IP communication is supported. Steps to pwn the Iphone: 1. Install packages iphone-gcc using " apt-get install iphone-gcc " & make " apt-get install make " 2. Download sbd backdoor to the device using Wget from here  & Untar - " tar -zxvf sbd-1.36.tar.gz " 3.) Sbd configuration before the compilation, See details here . 4.) Compilation process - " make darwin " 5. Configuration to RunAtLoad using LaunchDaemons (for permanent access) 6. Gaining acces...

Software development student Glenn Mangham, 26, was freed earlier this month after appeal judges halved the eight-month prison sentence he was given for infiltrating and nearly bringing down the multi-million-dollar site. Glenn Mangham, of York, England, posted a lengthy writeup on his blog and a video, saying that he accepts full responsibility for his actions and that he did not think through the potential ramifications. " Strictly speaking what I did broke the law because at the time and subsequently it was not authorised, " Mangham wrote. " I was working under the premise that sometimes it is better to seek forgiveness than to ask permission ." Initially convicted to 8 months in prison, the Court of Appeal in London decided that there weren’t any ill intentions on the hacker’s behalf, the judges deciding not only to release him, but also to allow him to use the Internet once again. After criticizing the CSO for attacking him while he was locked up, Mang...

Thirty-six websites used to sell stolen bank account details have been taken down following an investigation by the Serious Organised Crime Agency ( SOCA ). The arrest of two men in the UK and another in Macedonia is the result of an international operation in which 36 web domains, used to trade compromised banking data, were taken offline. SOCA has been tracking the development of AVCs and monitoring their use by cyber criminals, who support payment card and online banking fraud on a global scale. Working with the FBI, the BKA in Germany, the KLPD in the Netherlands, the Ukraine Ministry of Internal Affairs, the Australian Federal Police, and the Romanian National Police, SOCA has recovered over 2.5 million items of compromised personal and financial information over the past 2 years. Lee Miles, head of cyber operations for SOCA, said: “ Our activities have saved business, online retailers and financial institutions potential fraud losses estimated at more than half a billion pounds...

Microsoft’s MSN Hotmail (Live) email service currently hosts over 350 million unique users. A Vulnerability Laboratory senior researcher, Benjamin Kunz Mejri, identified a critical security vulnerability in Microsoft’s official MSN Hotmail (Live) service. A critical vulnerability was found in the password reset functionality of Microsoft’s official MSN Hotmail service. The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based). The token protection only checks if a value is empty then blocks or closes the web session. A remote attacker can, for example bypass the token protection with values “+++)-“. Successful exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode CAPTCHA & send automated values over the MSN Hotmail module. Regarding the consequences it was a win for Micr...