The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The US-CERT today issued advisory warning users of a new dangerous 17-year-old remote code execution vulnerability affecting the PPP daemon (pppd) software that comes installed on almost all Linux based operating systems, as well as powers the firmware of many other networking devices. The affected pppd software is an implementation of Point-to-Point Protocol (PPP) that enables communication and data transfer between nodes, primarily used to establish internet links such as those over dial-up modems, DSL broadband connections, and Virtual Private Networks. Discovered by IOActive security researcher Ilja Van Sprundel , the critical issue is a stack buffer overflow vulnerability that exists due to a logical error in the Extensible Authentication Protocol (EAP) packet parser of the pppd software, an extension that provides support for additional authentication methods in PPP connections. The vulnerability , tracked as CVE-2020-8597  with CVSS Score 9.8, can be exploited by ...

More than 200 million records containing a wide range of property-related information on US residents were left exposed on a database that was accessible on the web without requiring any password or authentication. The exposed data — a mix of personal and demographic details — included the name, address, email address, age, gender, ethnicity, employment, credit rating, investment preferences, income, net worth, and property information, such as: Market value Property type Mortgage amount, rate, type, and lender Refinance amount, rate, type, and lender Previous owners Year built Number of beds and bathrooms Tax assessment information According to security firm Comparitech , the database, which was hosted on Google Cloud, is said to have been first indexed by search engine BinaryEdge on 26th January and discovered a day later by cybersecurity researcher Bob Diachenko. But after failing to identify the database owner, the server was eventually taken offline more than a...

If you are a T-Mobile customer, this news may concern you. US-based telecom giant T-Mobile has suffered yet another data breach incident that recently exposed personal and accounts information of both its employees and customers to unknown hackers. What happened? In a breach notification posted on its website, T-Mobile today said its cybersecurity team recently discovered a sophisticated cyberattack against the email accounts of some of its employees that resulted in unauthorized access to the sensitive information contained in it, including details for its customers and other employees. Although the telecom company did not disclose how the breach happened, when it happened, and exactly how many employees and users were affected, it did confirm that the leaked information on its users doesn't contain financial information like credit card and Social Security numbers. What type of information was accessed? The exposed data of an undisclosed number of affected users incl...

Not happy with your expensive iPhone and wondered if it's possible to run any other operating system on your iPhone, maybe, how to install Android on an iPhone or Linux for iPhones? Android phones can be rooted, and iPhones can be jailbroken to unlock new features, but so far, it's been close to impossible to get Android running on iPhones, given the mobile device hardware constraints and software limitations. However, it's now possible to smoothly run Android on an iPhone—thanks to a new initiative, dubbed Project Sandcastle . Undertaken by cybersecurity startup Corellium , Project Sandcastle is the consequence of a 13-year-long developmental effort to port Android to iOS and as well as demonstrate that Apple's much-vaunted security barriers can indeed be compromised. "Where sandboxes set limits and boundaries, sandcastles provide an opportunity to create something new from the limitless bounds of your imagination," the project website says. "T...

The most popular free certificate signing authority Let's Encrypt is going to revoke more than 3 million TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software. The bug, which Let's Encrypt confirmed on February 29 and was fixed two hours after discovery, impacted the way it checked the domain name ownership before issuing new TLS certificates. As a result, the bug opened up a scenario where a certificate could be issued even without adequately validating the holder's control of a domain name. The Certification Authority Authorization (CAA), an internet security policy, allows domain name holders to indicate to certificate authorities (CAs) whether or not they are authorized to issue digital certificates for a specific domain name. Let's Encrypt considers domain validation results good only for 30 days from the time of validation, after which it rechecks the CAA record authorizing t...