The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Millions of WordPress websites are at risks of being completely hijacked by the hackers due to a critical cross-site scripting (XSS) vulnerability present in the default installation of the widely used content management system. The cross-site scripting (XSS) vulnerability, uncovered by the security researcher reported by Robert Abela of Security firm  Netsparker . Wordpress vulnerability resides in Genericons webfont package that is part of default WordPress Twenty Fifteen Theme. Here comes the threat: The XSS vulnerability has been identified as a " DOM-based ," which means the flaw resides in the document object model (DOM) that is responsible for text, images, headers, and links representation in a web browser. The easy-to-exploit DOM-based Cross-Site Scripting (XSS) vulnerability occurred due to an insecure file included with Genericons that allowed the Document Object Model Environment in the victim's browser to be modified. What's DOM-Bas...

Security researchers have discovered a new strain of malware that makes use of extraordinary measures to evade detection and analysis, making the computer it infects unusable. Dubbed Rombertik , which is "unique" among other self-destructing malware samples due to its unique evasion techniques. As soon as any analysis tool is detected, Rombertik attempts to delete the device's Master Boot Record (MBR) and home directories, making the machine constantly restart. Rombertik is a complex piece of spyware designed to "indiscriminately" collect everything a user does online in order to obtain victim's login credentials and other confidential information. Infects users via Phishing campaign: Rombertik typically gets installed on vulnerable machines when users click on malicious attachments included in phishing emails, Cisco security researchers Ben Baker and Alex Chiu said in a blog post  Monday. Once loaded into the system, Rombertik first runs...

Google Chrome browser's new Anti-Phishing Password Alert extension is in controversies right after its launch last Wednesday, but now the search engine giant has effectively pulled off Password Alert from its store. Password Alert was not bypassed once, twice, but every time Google introduced a new updated version of the extension. Google developed this Password Alert Chrome extension in an effort to alert Internet users whenever they accidentally enter their Google password on a carefully crafted phishing website that aimed at hijacking users' account. Here's the worst part: However, the first version of Password Alert was bypassed in less than 24 hours of its launch.  Security expert Paul Moore from UK-based Urity Group quickly circumvented the Anti-Phishing technology by pure JavaScript code of seven lines. Since then Google released Password Alert version 1.4, version 1.5 and version 1.6, but… ...all of them were bypassed, keeping users unaw...

USBkill — A new program that once activated, will instantly disable the laptop or computer if there is any activity on USB port. Hey Wait, don't compare USBkill with the USB Killer stick that destroy sensitive components of a computer when plugged-in. "USBKill" is a new weapon that could be a boon for whistleblowers, journalists, activists, and even cyber criminals who want to keep their information away from police and cyber thieves. It is like, if you are caught, kill yourself. In the same fashion as terrorists do. Here I am not talking about to kill yourself, but to kill the data from your laptop if the law enforcement has caught your laptop. USBkill does exactly this by turning a thumb drive into a kill switch that if unplugged, forces systems to shut down. Hephaestos ( @h3phaestos ), the author of USBkill, reports that the tool will help prevent users from becoming the next Ross Ulbricht , founder of the infamous underground drug marketplace ...

After facing much criticism for violation of Net Neutrality, Facebook has opened up its new Internet.org platform to developers for creating their apps and services in India and other countries. Facebook's Internet.org aims at offering free Internet access to " the next 5 billion " impoverished people around the world who currently don't have it. This current move now would potentially allow any website to be accessed for free via the Internet.org service, but only in the case, if the website ditches the encrypted communications (HTTPS), JavaScript, and other important things. Internet for All: Facebook offers free mobile Internet access to people in India , Zambia , Colombia, Tanzania, Kenya, Ghana, Philippines and Indonesia . However, in order to access the free Internet, users must have special Android apps, Internet.org's website, the Opera Mini web browser or Facebook's Android app. Until now, the Internet.org scheme had been...

The Weakest Link In the Information Security Chain is still – Humans. And this news has ability to prove this fact Right. One of London's busiest railway stations has unwittingly exposed their system credentials during a BBC documentary. The sensitive credentials printed and attached to the top of a station controller's monitor were aired on Wednesday night on BBC. What could be even worse? If you think that the credentials might have been shown off in the documentary for a while or some seconds, then you are still unaware of the limit of their stupidity. The login credentials were visible for about 44 minute in the BBC documentary " Nick and Margaret: The Trouble with Our Trains " on Wednesday night, which featured Nick Hewer and Margaret Mountford – the two business experts, both famous for their supporting role on The Apprentice. The documentary was available on the YouTube , but have now been removed due to security concerns. While ...