The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A popular Anti-virus software Avira that provides free security software to its customers with Secure Backup service is vulnerable to a critical web application vulnerability that could allow an attacker to take over users' account, putting millions of its users' account at risk. Avira is very popular for their free security software that comes with its own real-time protection module against malware and a secure backup service. Avira was considered to be the sixth largest antivirus vendor in 2012 with over 100 million customers worldwide. A 16 year-old security researcher ' Mazen Gamal ' from Egypt told The Hacker News that Avira Website is vulnerable to CSRF (Cross-site request forgery) vulnerability that allows him to hijack users' accounts and access to their online secure cloud backup files. CSRF VULNERABILITY TO  ACCOUNT TAKEOVER Cross-Site Request Forgery (CSRF or XSRF) is a method of attacking a Web site in which an intruder masquerades as a legitim...

SQL Injection (SQLi) attacks have been around for over a decade. You might wonder why they are still so prevalent. The main reason is that they still work on quite a few web application targets. In fact, according to Veracode's 2014 State of Security Software Report , SQL injection vulnerabilities still plague 32% of all web applications. One of the big reasons is the attractiveness of the target – the database typically contains the interesting and valuable data for the web application. A SQLi attack involves inserting a malformed SQL query into an application via client-side input. The attack perverts the intentions of web programmers who write queries and provide input methods that can be exploited. There is a reason they're on the OWASP Top 10 . Termed " injection flaws ", they can strike not only SQL, but operating systems and LDAP can fall prey to SQLi. They involve sending untrusted data to the interpreter as a part of the query. The attack tricks the interpreter into ...

Home Depot , the nation's largest home improvement retailer, announced on Thursday that a total of 56 million unique payment cards were likely compromised in a data breach at its stores, suggesting that the data breach on Home improvement chain was larger than the Target data breach that occurred last year during Christmas holidays. The data theft occurred between April and September at Home Depot stores in both the United States and Canada, but the confirmation comes less than a week after the retailer first disclosed the possibility of a breach. " We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges, " Home Depot CEO Frank Blake said in a statement. " From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so. " It is believe that the cybercriminals successfully compromised the...

Chinese hackers associated with the Chinese government have successfully infiltrated the computer systems of U.S. defense contractors working with the government agency responsible for the transportation of military troops and goods across the globe, a Senate investigators have found. The Senate Armed Services Committee has been investigating the issue for the past year and found that the U.S. Military's Transportation Command (TRANSCOM) has been infiltrated at least 20 times in a single year, out of which only two were detected. This is probably the most serious allegation yet against China. The successful intrusions attributed to an "advanced persistent threat," a term used to designate sophisticated threats commonly associated with governments. All of those intrusions were attributed to China, the report stated. The investigation was conducted in the 12 months period from June 2012 to June 2013 based on information provided by the Federal Bureau of Investigat...

After a week delay, Adobe has finally pushed out critical security updates for its frequently-attacked Reader and Acrobat PDF software packages to patch serious vulnerabilities that could lead to computers being compromised. The new versions of Adobe Reader and Acrobat released Tuesday for both Windows and Macintosh computers address eight vulnerabilities, five of which could allow for remote code execution . The remaining three vulnerabilities involve a sandbox bypass vulnerability that can be exploited to escalate an attacker's privileges on Windows, a denial-of-service (DoS) vulnerability related to memory corruption, and a cross-site scripting (XSS) flaw that only affects the programs on the Mac platform. According to Adobe's advisory , applying the patches will involve a system restart. The affected versions are: Adobe Reader XI (11.0.08) and earlier 11.x versions for Windows Adobe Reader XI (11.0.07) and earlier 11.x versions for Macintosh Adobe Reade...

Apple has finally released iOS 8 , the latest version of its operating system, for free to iPhone, iPad and iPod touch users. The company has assured that the latest iOS 8 update is a significant step away up from iOS 7. You can grab the new update through an over-the-air update accessible by going to Settings > General > Software Update . If you don't want to download the update wirelessly due to a limited or restricted data plan, you can also download the update by connecting your phone to the latest version of iTunes . iOS 8 was first revealed publicly at the Apple's Worldwide Developer Conference (WWDC) in June, showing off an improved Notification Centre. Apart from the security patches, iOS 8 has a number of new features and functions tied to your location. Additionally, it has new privacy settings, which allow users to limit how long data is stored for, such as message expiry features and new private browsing settings. VULNERABILITIES PATCHED A ...