The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

With so many data breaches happening almost every week, it has become difficult for users to know if their credentials are already in possession of hackers or being circulated freely across the Internet. Thankfully, Google has a solution. Today, February 5, on Safer Internet Day, Google launches a new service that has been designed to alert users when they use an exact combination of username and password for any website that has previously been exposed in any third-party data breach. The new service, which has initially been made available as a free Chrome browser extension called Password Checkup , works by automatically comparing the user's entered credential on any site to an encrypted database that contains over 4 billion compromised credentials. If the credentials are found in the list of compromised ones, Password Checkup will prompt users to change their password. Wondering if Google can see your login credentials? No, the company has used a privacy-oriented i...

It's 2019, and just opening an innocent looking office document file on your system can still allow hackers to compromise your computer. No, I'm not talking about yet another vulnerability in Microsoft Office, but in two other most popular alternatives— LibreOffice and Apache OpenOffice —free, open source office software used by millions of Windows, MacOS and Linux users. Security researcher Alex Inführ has discovered a severe remote code execution (RCE) vulnerability in these two open source office suites that could be triggered just by opening a maliciously-crafted ODT (OpenDocument Text) file. The attack relies on exploiting a directory traversal flaw, identified as CVE-2018-16858, to automatically execute a specific python library bundled within the software using a hidden onmouseover event. To exploit this vulnerability, Inführ created  an ODT file with a white-colored hyperlink (so it can't be seen) that has an "onmouseover" event to trick victim...

QuadrigaCX, the largest bitcoin exchange in Canada, has claimed to have lost CAD 190 million (nearly USD 145 million) worth of cryptocurrency after the exchange lost access to its cold (offline) storage wallets. Reason? Unfortunately, the only person with access to the company's offline wallet, founder of the cryptocurrency exchange, is dead. Following the sudden death of Gerry Cotten , founder and chief executive officer QuadrigaCX, the Canadian exchange this week filed for legal protection from creditors in the Nova Scotia Supreme Court until it locates and secures access to the lost funds. In a sworn affidavit filed by Cotten's widow Jennifer Robertson and obtained by Coindesk , Robertson said QuadrigaCX owes its customers some CAD 260 million (USD 198 Million) in both cryptocurrencies, including Bitcoin, Bitcoin Cash, Litecoin, and Ethereum, as well as fiat money. However, Robertson said the cryptocurrency exchange only has smaller amount in a 'hot wallet' (U...

Just because an app is available on Google Play Store doesn't mean that it is a legitimate app. Despite so many efforts by Google, some fake and malicious apps do sneak in and land millions of unaware users on the hunting ground of scammers and hackers. Cybersecurity firm Trend Micro uncovered at least 29 devious photo apps that managed to make its way onto Google Play Store and have been downloaded more than 4 million times before Google removed them from its app store. The mobile apps in question disguised as photo editing and beauty apps purporting to use your mobile phone's camera to take better pictures or beautify the snaps you shoot, but were found including code that performs malicious activities on their users' smartphone. Three of the rogue apps—Pro Camera Beauty, Cartoon Art Photo and Emoji Camera—have been downloaded more than a million times each, with Artistic Effect Filter being installed over 500,000 times and another seven apps in the list over 100...

A 20-year-old college student who stole cryptocurrency worth more than $5 million by hijacking victims' phone numbers has pleaded guilty and accepted a sentence of 10 years in prison. Ortiz was arrested last year on charges of siphoning millions of dollars in cryptocurrency from around 40 victims using a method commonly known as " SIM swapping ," which typically involves fraudulently porting of the same number to a new SIM card belonging to the attacker. In SIM swapping, attackers social engineer a victim's mobile phone provider by making a phony call posing as their target and claiming that their SIM card has been lost and that they would like to request a SIM swap. The attackers attempt to convince the target's telecommunications company that they are the actual owner of the phone number they want to swap by providing required personal information on the target, like their SSNs and addresses, eventually tricking the telecoms to port the target's pho...

Many of you might have this question in your mind: "Is it illegal to test a website for vulnerability without permission from the owner?" Or… "Is it illegal to disclose a vulnerability publicly?" Well, the answer is YES, it's illegal most of the times and doing so could backfire even when you have good intentions. Last year, Hungarian police arrested a 20-year-old ethical hacker accused of finding and exploiting serious vulnerabilities in Magyar Telekom, the largest Hungarian telecommunication company, who is now facing up to 8 years in prison. According to local Hungarian media , the defender first discovered a severe vulnerability in Magyar Telekom systems in April 2018 and reported it to the company officials, who later invited him to a meeting. Reportedly, the hacker then traveled to Budapest for the meeting, which didn't go well as he expected, and apparently, the company did not permit him to test its systems further. However, the man conti...

Mac users need to beware of a newly discovered piece of malware that steals their web browser cookies and credentials in an attempt to withdraw funds from their cryptocurrency exchange accounts. Dubbed CookieMiner due to its capability of stealing cookies-related to cryptocurrency exchanges, the malware has specifically been designed to target Mac users and is believed to be based on DarthMiner, another Mac malware that was detected in December last year. Uncovered by Palo Alto Networks' Unit 42 security research team, CookieMiner also covertly installs coin mining software onto the infected Mac machines to secretly mine for additional cryptocurrency by consuming the targeted Mac's system resources. In the case of CookieMiner, the software is apparently geared toward mining "Koto," a lesser-known, privacy-oriented cryptocurrency which is mostly used in Japan. However, the most interesting capabilities of the new Mac malware is to steal: Both Google Chro...