The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Better late than never. Google has finally launched a bug bounty program for Android apps on Google Play Store, inviting security researchers to find and report vulnerabilities in some of the most popular Android apps. Dubbed " Google Play Security Reward ," the bug bounty program offers security researchers to work directly with Android app developers to find and fix vulnerabilities in their apps, for which Google will pay $1000 in rewards. "The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem," the technology giant says in a blog post published today. Google has collaborated with bug bounty platform, HackerOne, to manage backend for this program, like submitting reports and inviting white-hat hackers and researchers. White-hat hackers who wish to participate can submit their findings directly to the app developers. Once the security vulnerability has been resolved, th...

It is good to be paranoid when it comes to cybersecurity. Google already provides various advanced features such as login alerts and two-factor authentication to keep your Google account secure. However, if you are extra paranoid, Google has just introduced its strongest ever security feature, called " Advanced Protection ," which makes it easier for users, who are usually at high risk of targeted online attacks, to lock down their Google accounts like never before. "We took this unusual step because there is an overlooked minority of our users that are at particularly high risk of targeted online attacks," the company said in a blog post announcing the program on Tuesday.  "For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety." Even if a hacker somehow gets your password—using advanced phishing a...

Hacking ATM is now easier than ever before. Usually, hackers exploit hardware and software vulnerabilities to hack ATMs and force them to spit out cash, but now anyone can simply buy a malware to steal millions in cash from ATMs. Hackers are selling ready-made ATM malware on an underground hacking forum that anybody can simply buy for around $5000, researchers at Kaspersky Lab discovered after spotting a forum post advertising the malware, dubbed Cutlet Maker . The forum post provides a brief description and a detailed manual for the malware toolkit designed to target various ATMs models with the help of a vendor API, without interacting with ATM users and their data. Therefore, this malware does not affect bank customers directly; instead, it is intended to trick the bank ATMs from a specific vendor to release cash without authorisation. The manual also mentions an infamous piece of ATM malware, dubbed Tyupkin , which was first analysed in 2014 by Kaspersky Lab and used ...

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.  A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.  All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access. Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource t...

With the rise in cyber-crimes, ethical hacking has become a powerful strategy in the fight against online threats. In general terms, ethical hackers are authorised to break into supposedly 'secure' computer systems without malicious intent, but with the aim of discovering vulnerabilities to bring about improved protection. Ethical Hackers are now kind of becoming the alchemists of the 21st century. More and more organisations are being targeted in cyber-attacks, and they must get to know their enemy if they are to protect vital networks. Meet the professional, ethical hacker. Despite this, the common belief among many at-risk companies is that 'to outwit a hacker, you need to hire one'. With so much at stake, even technology providers are turning to those with hacking skills to find the flaws in their products and fix them before the baddies can exploit them. Infamous Apple Hacker Turned Ethical; Hired by Facebook 23-year-old George 'GeoHot' Ho...

It was not just Yahoo among "Fortune 500" companies who tried to keep a major data breach incident secret. Reportedly, Microsoft had also suffered a data breach four and a half years ago (in 2013), when a " highly sophisticated hacking group " breached its bug-reporting and patch-tracking database, but the hack was never made public until today. According to five former employees of the company, interviewed separately by Reuters , revealed that the breached database had been " poorly protected with access possible via little more than a password. " This incident is believed to be the second known breach of such a corporate database after a critical zero-day vulnerability was discovered in Mozilla's Bugzilla bug-tracking software in 2014. As its name suggests, the bug-reporting and patch-tracking database for Windows contained information on critical and unpatched vulnerabilities in some of the most widely used software in the world, includ...

If you think KRACK attack for WiFi is the worst vulnerability of this year, then hold on… ...we have got another one for you which is even worse. Microsoft, Google, Lenovo, HP and Fujitsu are warning their customers of a potentially serious vulnerability in widely used RSA cryptographic library produced by German semiconductor manufacturer Infineon Technologies. It's noteworthy that this crypto-related vulnerability (CVE-2017-15361) doesn't affect elliptic-curve cryptography and the encryption standard itself, rather it resides in the implementation of RSA key pair generation by Infineon's Trusted Platform Module (TPM). Infineon's Trusted Platform Module (TPM) is a widely-used, dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices and is used for secured crypto processes. This 5-year-old algorithmic vulnerability was discovered by security researchers at Masaryk University in the Czech Republic, who have relea...