The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Apple is making it easier for mobile developers to port their iOS apps to the next-generation macOS Mojave desktop platform—a major step in bringing the two platforms closer together. However, at the same time, the company straightforward denied the idea of merging the iPhone and Mac operating systems into one platform, which was being speculated for years. So, Apple made it clear that iOS and macOS will continue to be separate products. Rumors of iOS apps coming to the Mac have been around since 2017, and yesterday at Apple's WWDC 2018 event, Apple senior vice president of software engineering Craig Federighi just confirmed this while concluding his keynote. Though iOS and macOS share similar underlying frameworks, both are separate operating systems with their own separate software libraries, called UIKit used by iOS and AppKit used by macOS, which have made porting iOS apps to Mac difficult, said Federighi. "iOS devices and macOS devices of course are different...

MyHeritage, the Israel-based DNA testing service designed to investigate family history, has disclosed that the company website was breached last year by unknown attackers, who stole login credentials of its more than 92 million customers. The company learned about the breach on June 4, 2018, after an unnamed security researcher discovered a database file named "myheritage" on a private server located outside of the company, and shared it with MyHeritage team. After analyzing the file, the company found that the database, which included the email addresses and hashed passwords of nearly 92.3 million users, are of those customers who signed up for the MyHeritage website before October 27, 2017. While the MyHeritage security team is still investigating the data breach to identify any potential exploitation of its system, the company confirmed that no other data such as credit card details and family trees, genetic data were ever breached and are stored on a separate sy...

Security researchers at British software firm Snyk have revealed details of a critical vulnerability that affects thousands of projects across many ecosystems and can be exploited by attackers to achieve code execution on the target systems. Dubbed " Zip Slip ," the issue is an arbitrary file overwrite vulnerability that triggers from a directory traversal attack while extracting files from an archive and affects numerous archive formats, including tar, jar, war, cpio, apk, rar, and 7z. Thousands of projects written in various programming languages including JavaScript, Ruby, Java, .NET and Go—from Google, Oracle, IBM, Apache, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Eclipse, OWASP, ElasticSearch, JetBrains and more—contained vulnerable codes and libraries. Went undetected for years, the vulnerability can be exploited using a specially crafted archive file that holds directory traversal filenames, which if extracted by any vulnerable code or a library, wou...

At Worldwide Developer Conference 2018 on Monday, Apple announced the next version of its macOS operating system, and it's called Mojave . Besides introducing new features and improvements of macOS 10.14 Mojave—like Dark Mode, Group FaceTime, Dynamic Desktop, and Finder—at WWDC, Apple also revealed a bunch of new security and privacy features coming with the next major macOS update. Apple CEO Tim Cook said the new features included in Mojave are "inspired by pro users, but designed for everyone," helping you protect from various security threats. Here's a list of all macOS Mojave security and privacy features: Safari's Enhanced "Intelligent Tracking Prevention" It's no longer shocking that your online privacy is being invaded, and everything you search online is being tracked—thanks to third-party trackers present on the Internet in the form of social media like and sharing buttons that marketers and data brokers use to monitor web use...

Not following cybersecurity best practices could not only cost online users but also cost cybercriminals. Yes, sometimes hackers don't take best security measures to keep their infrastructure safe. A variant of IoT botnet, called Owari , that relies on default or weak credentials to hack insecure IoT devices was found itself using default credentials in its MySQL server integrated with command and control (C&C) server, allowing anyone to read/write their database. Ankit Anubhav, the principal security researcher at IoT security firm NewSky Security, who found the botnets, published a blog post about his findings earlier today, detailing how the botnet authors themselves kept an incredibly week username and password combination for their C&C server's database. Guess what the credentials could be? Username: root Password: root These login credentials helped Anubhav gain access to the botnet and fetch details about infected devices, the botnet authors who ...

Hundreds of thousands of websites running on the Drupal CMS—including those of major educational institutions and government organizations around the world—have been found vulnerable to a highly critical flaw for which security patches were released almost two months ago. Security researcher Troy Mursch scanned the whole Internet and found  over 115,000 Drupal websites are still vulnerable to the Drupalgeddon2 flaw despite repetitive warnings. Drupalgeddon2 (CVE-2018-7600) is a highly critical remote code execution vulnerability discovered late March in Drupal CMS software (versions < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1) that could allow attackers to completely take over vulnerable websites. For those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or standard Drupal installations under the privileges of the user. Since Drupalgeddon2 had much potential to derive attention of motivated att...