The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

In November I was contacted for first time by the Egyptian Hacker named ViruS_HimA who announced me to have hacked into Adobe servers and leaked private data. The hacker violated Adobe servers gaining full access and dumping the entire database with more of 150,000 emails and hashed passwords of Adobe employees and customers/partner of the firm such as US Military, USAF, Google, Nasa DHL and many other companies. ViruS_HimA specifically addressed the inefficient and slow patch management process that leaves exposed for long period “big companies”.  " When someone report vulnerability to them, It take 5-7 days for the notification that they've received your report!! It even takes 3-4 months to patch the vulnerabilities! Such big companies should really respond very fast and fix the security issues as fast as they can .” Like , we reported two days before that one month old reported critical vulnerability of account hijacking in Outlook and Hotmail  is sti...

Mohamed Ramadan from Attack-Secure discovered a critical vulnerability in Etsy's iPhone application. Etsy is a social commerce website focused on handmade or vintage items as well as art and craft supplies. Any attacker on the same network can sniff traffic (including user password) invisibly without any warning from Etsy app. Its is very similar to the man in the middle attack reported in iPhone Instagram app a few days back. Bug Hunting ! Because Etsy having a Security Bug Bounty Program , so first Mohamed was trying to find a vulnerability in Etsy website , later he found that they have enough good security. Because Etsy mobile apps are eligible in bug bounty program, so next try was on Mobile apps. Mohamed finally  downloaded the latest version 2.2 and installed that on his iPhone 4S with iOS 6 and also on his ipad. Then he configured his Burp Suite proxy 1.5 to listen on all interfaces on port 8080 in invisible mode....

Cui, a fifth year grad student from the Columbia University Intrusion Detection Systems Lab and co-founder of Red Balloon Security, has demonstrated an attack on common Cisco-branded Voice over IP (VoIP) phones that could easily eavesdrop on private conversations remotely. The vulnerability Cui demonstrated was based on work he did over the last year on what he called ‘ Project Gunman v2 ’, where a laser printer firmware update could be compromised to include additional, and potentially malicious, code. The latest vulnerability is based on a lack of input validation at the syscall interface. Cui said, “ allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP , buttons, and LEDs on the phone. ” While he did not specify the precise vulnerability, Cui said it allowed him to patch the phone's software with arbitrary pieces of code, and that t...

A vulnerability in different versions of Microsoft‘s widely used browser Internet Explorer can allow hackers to track the movements of your mouse. Microsoft is investigating reports of a mouse-tracking flaw that puts virtual keyboards and keypads at risk to remote monitoring. Spider.io, a UK-based company in the advertising analytics field, alleged that two unnamed companies are improperly using a flaw that allows them to track whether display advertisements, sometimes buried far down in web pages, are actually viewed by users. Almost every US-based user of Internet Explorer will have their mouse cursor tracked via this exploit almost every day they browse the web. Microsoft has confirmed that every version of Internet Explorer, from version 6 dating back to 2001 up to 10, released this year, is vulnerable. How this works ? All a hacker needs to do is, buy a ad space on any webpage and wait until a user visits it. If the tab remains open, the hacker has continuous access to use...

This Friday I was working with my co-security researcher " Christy Philip Mathew " in +The Hacker News  Lab for testing the Cookie Handling Vulnerabilities in the most famous email services i.e Hotmail and Outlook. Well, both are merged now and part of the same parent company - Microsoft, the software giant.  Vulnerability allows an attacker to Hijack accounts in a very simple way, by just exporting & importing cookies of an user account from one system to attacker's system, and our results shows that even after logout by victim, the attacker is still able to reuse cookies at his end. There are different way of stealing cookies, that we will discuss below. In May 2012, another Indian security researcher Rishi Narang claimed similar vulnerability in Linkedin website. Vulnerability Details Many websites including Microsoft services uses cookies to store the session information in the user's web browser. Cookies are responsible for main...

A former University of Georgia (UGA) student under investigation for allegedly hacking into the school’s computerized personnel records system committed suicide last month. Stell attended classes at UGA between 2005 and 2007. The Data breach was carried out around two months back near 15th October and that may have led to compromised Full names and Social Security numbers, along with additional sensitive data of 8,500 current and former school employees. According to reports , an investigation into the security breach was ongoing when the suspect, Charles Staples Stell , 26, was found dead at his home in Athens on Nov. 7. The UGA Police Department's computer forensics team was investigating the hack. They said, There is no evidence that the compromised data were used to commit additional crimes. The employee files involved in the security breach were found under the control of Stell during the ensuing forensic evaluation of evidence obtained during the course of the invest...

Japan's National Police Agency has offered a monetary reward for a wanted hacker, use programming languages like C# to create a virus called " iesys.exe " and Hijack systems of innocent people to post aggressive messages on Internet on behalf of Users.  Method called a " Syberian Post Office " to post messages to popular Japanese bulletin board. Hacker use cross-site request forgery exploit, that allow hackers to making online postings via innocent users automatically. The messages included warnings of plans for mass killings at an elementary school posted to a city website. It is the first time that Japan's National Police Agency has offered a monetary reward for a wanted hacker  and will pay up to 3 million yen (US$36,000). The case is an embarrassing one for the police, in which earlier this year four individuals were wrongly arrested after their PCs were hacked and used to post  such messages on public bulletin boards. " Up until now t...