The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Nearly two years back, we warned users about publicly accessible MongoDB instances – almost 600 Terabytes (TB) – over the Internet which require no authentication, potentially leaving websites and servers at risk of hacking. These MongoDB instances weren't exposed due to any flaw in its software, but due to a misconfiguration (bad security practice) that let any remote attacker access MongoDB databases without using any special hacking tool. MongoDB later resolved the issue in the next version of its software by setting unrestricted remote access by default in the configuration, thousands of site administrators have not updated their servers yet. But trust me, they'll now regret this! A Hacker is now hijacking and wiping out unsecured MongoDB databases , but keeping a copy of those databases for asking administrators a ransom of 0.2 Bitcoins (nearly US$211) to return the lost data. So, admins without backups are left in a bind. In fact, the rising price of Bitcoin...

A security researcher recently reported a critical vulnerability in one of the most popular open source PHP libraries used to send emails that allowed a remote attacker to execute arbitrary code in the context of the web server and compromise a web application. Disclosed by Polish security researcher Dawid Golunski of Legal Hackers, the issue ( CVE-2016-10033 ) in PHPMailer used by more than 9 Million users worldwide was thought to be fixed with the release of version 5.2.18. However, Golunski managed to bypass the patched version of PHPMailer that was given a new CVE ( CVE-2016-10045 ), which once again put millions of websites and popular open source web apps, including WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla, at risk of remote code execution attack. PHPMailer eventually fixed the issue with an update, version 5.2.20 . All versions of PHPMailer before this critical release are affected, so web administrators and developers are strongly recommended to update to t...

After the lack of supply of cash in India following its Prime Minister step to remove high-denomination banknotes from circulation in November 2016, the country is moving a step closer towards becoming a cashless economy with the launch of Unified Payment Interface ( UPI ). Unified Payment Interface ( UPI ) allows all bank account holders to pay money from their smartphones, both online and offline, without the need to enter credit card details, IFSC code, or net banking userID/passwords. All the users need to do is create a Virtual Payment Address (VPA) of their choice, which will act as their financial address, and link it to their bank account. Now in an effort to boost the adoption of Unified Payments Interface (UPI) as a tool for digital transactions, Indian Government has recently launched a new app called, the Bharat Interface for Money ( BHIM ) app . This new digital payments app, which is believed to be a game-changer for cashless payments in India, is currently av...

The United States has expelled 35 Russian spies in response to Russia's alleged interference in last month's presidential election, further escalating tensions between the countries. The US state department has declared 35 diplomatic intelligence officials from the Russian embassy in Washington DC and the consulate in San Francisco "persona non grata," giving them and their families 72 hours to leave the country. President Barack Obama has also announced the closing of two Russian compounds, in New York and Maryland, used by the Russian officials for intelligence-gathering, from noon on Friday. "I have sanctioned nine entities and individuals: the GRU and the FSB, two Russian intelligence services; four individual officers of the GRU; and three companies that provided material support to the GRU's cyber operations," President Obama said in a statement . "In addition, the Secretary of the Treasury is designating two Russian individuals for ...

Three critical zero-day vulnerabilities have been discovered in PHP 7 that could allow an attacker to take complete control over 80 percent of websites which run on the latest version of the popular web programming language. The critical vulnerabilities reside in the unserialized mechanism in PHP 7 – the same mechanism that was found to be vulnerable in PHP 5 as well, allowing hackers to compromise Drupal, Joomla, Magento, vBulletin and PornHub websites and other web servers in the past years by sending maliciously crafted data in client cookies. Security researchers at Check Point's exploit research team spent several months examining the unserialized mechanism in PHP 7 and discovered "three fresh and previously unknown vulnerabilities" in the mechanism. While researchers discovered flaws in the same mechanism, the vulnerabilities in PHP 7 are different from what was found in PHP 5. Tracked as CVE-2016-7479, CVE-2016-7480, and CVE-2016-7478, the zero-day flaw...