The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A security researcher has discovered several critical vulnerabilities in one of the most popular embedded real-time operating systems—called FreeRTOS—and its other variants, exposing a wide range of IoT devices and critical infrastructure systems to hackers. What is FreeRTOS (Amazon, WHIS OpenRTOS, SafeRTOS)? FreeRTOS is a leading open source real-time operating system (RTOS) for embedded systems that has been ported to over 40 microcontrollers, which are being used in IoT, aerospace, medical, automotive industries, and more. RTOS has specifically been designed to carefully run applications with very precise timing and a high degree of reliability, every time. A pacemaker is an excellent example of the real-time embedded system that contracts heart muscle at the right time, a process that can't afford delays, to keep a person alive. Since late last year, FreeRTOS project is being managed by Amazon, who created Amazon FreeRTOS (a:FreeRTOS) IoT operating system for mic...

Tumblr today published a report admitting the presence of a security vulnerability in its website that could have allowed hackers to steal login credentials and other private information for users' accounts. The affected information included users email addresses, protected (hashed and salted) account passwords, self-reported location (a feature no longer available), previously used email addresses, last login IP addresses, and names of the blog associated with every account. According to the company, a security researcher discovered a critical vulnerability in the desktop version of its website and responsibly reported it to the Tumblr security team via its bug bounty program. Though the company has not revealed the researcher's name or any technical details about the vulnerability, Tumblr has disclosed that the flaw resided in the "Recommended Blogs" feature of its website. Recommended Blogs has been designed to display a short, rotating list of blogs o...

A 21-year-old Kentucky man who previously pleaded guilty to developing, marketing, and selling an infamous remote access trojan (RAT) called LuminosityLink has now been sentenced to 30 months in prison. According to a press release published Monday by U.S. Attorney's Office, Colton Grubbs, who used online moniker 'KFC Watermelon,' was pleaded guilty for three counts--unlawfully accessing computers in furtherance of a criminal act, money laundering, and illegal removal of property to prevent its lawful seizure. First surfaced in April 2015, the  LuminosityLink RAT  (Remote Access Trojan), also known as Luminosity, was a hacking tool that was sold for $40, marketing itself as a legitimate tool for Windows administrators to "manage a large number of computers concurrently." However, in reality, LuminosityLink was designed to be a dangerous, remote access trojan that among other malicious features, allowed Grubbs' customers to: Record the keys that victims ...

A four-year-old severe vulnerability has been discovered in the Secure Shell (SSH) implementation library known as Libssh that could allow anyone to completely bypass authentication and gain unfettered administrative control over a vulnerable server without requiring a password. The security vulnerability, tracked as CVE-2018-10933 , is an authentication-bypass issue that was introduced in Libssh version 0.6 released earlier 2014, leaving thousands of enterprise servers open to hackers for the last four years. But before you get frightened, you should know that neither the widely used OpenSSH nor Github's implementation of libssh was affected by the vulnerability. The vulnerability resides due to a coding error in Libssh and is "ridiculously simple" to exploit. According to a security advisory published Tuesday, all an attacker needs to do is sending an "SSH2_MSG_USERAUTH_SUCCESS" message to a server with an SSH connection enabled when it expects an ...

Would you prefer purchasing an Android device that doesn't have any apps or services from Google? No Google Maps, No Gmail, No YouTube! And NOT even the Google Play Store—from where you could have installed any Android apps you want Because if you live in Europe, from now on, you have to spend some extra cash on a smartphone with built-in Google services, which were otherwise until now freely available and already included in the cost of your smartphone. For the very first time, Google has announced its plans to charge a fee to European Android phone manufacturers who want to include a free version of Google apps on their Android handsets. In short, Android phone makers will now have to pay Google for installing the Play store, Gmail, YouTube, Maps, and Chrome, that are usually considered to be core parts of the Android operating system, but are actually Google services. "Since the pre-installation of Google Search and Chrome together with our other apps helped us...

A security enthusiast who discovered a passcode bypass vulnerability in Apple's iOS 12 late last month has now dropped another passcode bypass bug that works on the latest iOS 12.0.1 that was released last week. Jose Rodriguez, a Spanish amateur security researcher, discovered a bug in iOS 12 in late September that allows attackers with physical access to your iPhone to access your contacts and photos. The bug was patched in iOS 12.0.1, but he now discovered a similar iPhone passcode bypass hack that works in 12.0.1 and is easier to execute than the bug Rodriguez discovered and reported two weeks ago. The new hack allows anyone with physical access to your locked iPhone to access your photo album, select photos and send them to anyone using Apple Messages. Since the new hack requires much less effort than the previous one, it leaves any iPhone user vulnerable to a skeptic or distrustful partner, curious college, friend or roommate who could access your iPhone's photo...