The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Possible Credit Card Theft in Steam Website Hacking Valve CEO Gabe Newell has contacted all users of the Steam game distribution platform to let them know that the company has suffered a security breach. Right before going offline, users saw a new category in the forum that directed them to open a site named "Fkn0wned." Many users also complained that their email ids related to Steam accounts were "spammed with ads for the web site. Valve recommends all users to keep closely watched the activity of their credit cards because the hackers had access to that information during the attack. Forums Steam are closed for the moment, but the program itself is running. " We have no evidence that the numbers encrypted credit card or personal identifying information was taken by intruders, or the protection of card numbers or passwords have been cracked . We are still investigating , "Newell wrote. " At the moment we have no evidence of misuse of credit cards b...

Operation Ghost Click by FBI - Online advertising scam taken Down A gang of internet 'cyber bandits' who stole $14 million after hacking into at least 4 million computers in an online advertising scam have been arrested following a joint investigation by the FBI and Nasa. Six men are in custody in Estonia, pending extradition to the United States, following a two-year investigation into an “ intricate international conspiracy ” that “ hijacked ” millions of computers around the world and stole more than US$14-million. The FBI's two-year investigation was dubbed "Operation Ghost Click". Computers in more than 100 countries were infected by the “DNSChanger” malware, which redirected searches for Apple’s iTunes store to fake pages pretending to offer Apple software for sale, as well as sending those searching for information on the U.S. Internal Revenue Service to accounting company H&R Block, which allegedly paid those behind the scam a fee for each visitor...

myOpenID XSS : One of the Largest OpenID provider is Vulnerable One of the One of the Largest Independent OpenID provider " myOpenID " is Vulnerable to Cross Site Scripting (XSS) ,Discovered by " SeeMe " - Member of Inj3ct0r Team. Cross Site Scripting (or XSS) is one of the most common application-layer web attacks. What Hacker can do - "The attackers can steal the session ID of a valid user using XSS. The session ID is very valuable because it is the secret token that the user presents after login as proof of identity until logout. If the session ID is stored in a cookie, the attackers can write a script which will run on the user's browser, query the value in the cookie and send it to the attackers. The attackers can then use the valid session ID to browse the site without logging in. The script could also collect other information from the page, including the entire contents of the page". Proof Of Concept - Click Here

CrySyS Duqu Detector Open source Toolkit Released Two weeks ago Researchers at the Laboratory of Cryptography and System Security (CrySyS) in Hungary confirmed the existence of the zero-day vulnerability in the Windows kernel , according to security researchers tracking the Stuxnet-like cyber-surveillance Trojan. The Laboratory of Cryptography and System Security (CrySyS) has released an open-source toolkit that can find traces of Duqu infections on computer networks.The open-source toolkit, from the Laboratory of Cryptography and System Security (CrySyS), contains signature- and heuristics-based methods that can find traces of Duqu infections where components of the malware are already removed from the system. They make a release that " The toolkit contains signature and heuristics based methods and it is able to find traces of infections where components of the malware are already removed from the system.The intention behind the tools is to find different typ...

w3af v.1.1 - Web Application Attack and Audit Framework Released w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. To read our short and long term objectives. w3af is much more than a piece of software, w3af is a community that breathes Web Application Security. Change Log: * Considerably increased performance by implementing gzip encoding * Enhanced embedded bug report system using Trac's XMLRPC * Fixed hundreds of bugs * Fixed critical bug in auto-update feature * Enhanced integration with other tools (bug fixed and added more info to the file) Download Here Get Video Tutorial and Help to Use w3af here

Cross Site Scripting Vulnerability in Speed Bit Search Engine Debasish Mandal, A hacker from India , Found that there is a XSS through JavaScript Injection vulnerability in the Home page of Speed Bit Search Engine.The XSS filter is filtering normal html /script /iframe tags but XSS can be achieved by injecting JavaScript event "onmouseover()".Technical Description is below. Debasish have reported the vulnerability to the Speed Bit Team but haven't yet got any response from their side. Proof Of Concept: 1) Visit this URL http://search.speedbit.com/?aff=grbr" onmousemove="alert(document.cookie) 2) Bring mouse cursor over the hyperlink shown in the image and you should see a POP up box showing the browser cookies. Submitted By :  Debasish Mandal, India.