The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A security researcher has disclosed critical issues in the processes and third-party API used by Symantec certificate resellers to deliver and manage Symantec SSL certificates. The flaw, discovered by Chris Byrne, an information security consultant and instructor for Cloud Harmonics, could allow an unauthenticated attacker to retrieve other persons' SSL certificates, including public and private keys, as well as to reissue or revoke those certificates. Even without revoking and reissuing a certificate, attackers can conduct "man-in-the-middle" attack over the secure connections using stolen SSL certs, tricking users into believing they are on a legitimate site when in fact their SSL traffic is being secretly tampered with and intercepted. "All you had to do was click a link sent in [an] email, and you could retrieve a cert, revoke a cert, and re-issue a cert," Byrne wrote in a Facebook post published over the weekend. Symantec knew of API Flaws Si...

The government has once again started asking for backdoor in encrypted services, arguing that it can not give enough security to its citizens because the terrorists are using encrypted apps to communicate and plot an attack. Following last week's terrorist attack in London, the UK government is accusing technology firms to give terrorists "a place to hide," saying Intelligence agencies must have access to encrypted messaging applications such as WhatsApp to prevent such attacks. According to authorities , the killer, Khalid Masood, 52, was active on WhatsApp messaging app just two minutes before he attacked Britain's Houses of Parliament in Westminster that killed four people. Here's what Amber Rudd, Britain's Home Secretary said while speaking at BBC's Andrew Marr Show on Sunday: "We need to make sure that organizations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate ...

Data Privacy is a serious concern today with the vast availability of personal data over the Internet – a digital universe where websites collect your personal information and sell them to advertisers for dollars, and where hackers can easily steal your data from the ill-equipped. If this wasn't enough, US Senate voted last week to eliminate privacy rules that would have forced ISPs to get your permission before selling your Web browsing history and app usage history to advertisers. If passed, ISPs like Verizon, Comcast, and AT&T, can collect and sell data on what you buy, where you browse, and what you search, to advertisers all without taking your consent in order to earn more bucks. How to Prevent ISPs And Hackers From Spying On You So, how do you keep your data away from advertisers as well as hackers? Private Browsing! If you're worried about identity thieves or ISPs spying on or throttling your traffic, the most efficient way to secure your privacy on the ...

Internet-of-Things devices are turning every industry into the computer industry, making customers think that their lives would be much easier with smart devices. There are, of course, some really good reasons to connect certain devices to the Internet. For example, remotely switching on your A/C a few minutes before you enter your home, instead of leaving it blasting all day. But does everything need to be connected? Of course, not. One such example is the latest bug report at Full Disclosure, affecting an Internet-connected washer-disinfector appliance by Germany-based manufacturer Miele . The Miele Professional PG 8528 appliance, which is used in medical establishments to clean and properly disinfect laboratory and surgical instruments, is suffering from a Web Server Directory Traversal vulnerability. Jens Regel of German consultancy Schneider & Wulf has discovered the flaw ( CVE-2017-7240 ) that allows an unauthenticated, remote attacker to access directories oth...

Gift cards have once again caused quite a headache for retailers, as cyber criminals are using a botnet to break into and steal cash from money-loaded gift cards provided by major retailers around the globe. Dubbed GiftGhostBot , the new botnet specialized in gift card fraud is an advanced persistent bot (APB) that has been spotted in the wild by cyber security firm Distil Networks. GiftGhostBot has been seen attacking almost 1,000 websites worldwide and defrauding legitimate consumers of the money loaded on gift cards since Distil detected the attack late last month. According to the security firm, any website – from luxury retailers, supermarkets to coffee distributors – that allow their customers to buy products with gift cards could be targeted by the botnet. Operators of the GiftGhostBot botnet launch brute-force attacks against retailer's website to check potential gift card account numbers at a rate of about 1.7 Million numbers per hour, and request the balance f...

Google announced its plans to punish Symantec by gradually distrusting its SSL certificates after the company was caught improperly issuing 30,000 Extended Validation (EV) certificates over the past few years. The Extended Validation (EV) status of all certificates issued by Symantec-owned certificate authorities will no longer be recognized by the Chrome browser for at least a year until Symantec fixes its certificate issuance processes so that it can be trusted again. Extended validation certificates are supposed to provide the highest level of trust and authentication, where before issuing a certificate, Certificate Authority must verify the requesting entity's legal existence and identity. The move came into effect immediately after Ryan Sleevi, a software engineer on the Google Chrome team, made this announcement on Thursday in an online forum . "This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, c...

The ISPs can now sell certain sensitive data like your browsing history without permission, thanks to the US Senate. The US Senate on Wednesday voted, with 50 Republicans for it and 48 Democrats against, to roll back a set of broadband privacy regulations passed by the Federal Communication Commission (FCC) last year when it was under Democratic leadership. In October, the Federal Communications Commission ruled that ISPs would need to get consumers' explicit consent before being allowed to sell their web browsing data to the advertisers or other big data companies. Before the new rules could take effect on March 2, the President Trump's newly appointed FCC chairman Ajit Pai temporarily put a hold on these new privacy rules. Ajit Pai argued that the rules, which are regulated by FTC, unfairly favored companies like Google, Twitter, and Facebook, who have the ability to collect more data than ISPs and thus dominate digital advertising. "All actors in the online...