The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Important Update (21 June 2019) ➤  The Tor Project on Friday released second update ( Tor Browser 8.5.3 ) for its privacy web-browser that patches the another Firefox zero-day vulnerability patched this week. Following the latest critical update for Firefox, the Tor Project today released an updated version of its anonymity and privacy browser to patch the same Firefox vulnerability in its bundle. Earlier this week, Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 versions to patch a critical actively-exploited vulnerability ( CVE-2019-11707 ) that could allow attackers to remotely take full control over systems running the vulnerable browser versions. Besides updating Firefox, the latest Tor Browser 8.5.2 for desktops also includes updated NoScript version 10.6.3 that fixes a few known issues. According to the Tor Project Team, if you are already using Tor browser with "safer" and "safest" security levels, the flaw doesn't affect you. For som...

In today's business environment, data is what matters most. It matters to organizations that monetize it into operational insights and optimisations, and it matters the threat actors that relentlessly seek to achieve similar monetisation by compromising it. In the very common scenario in which organisation A provides services to organization B, it's imperative for the latter to be absolutely sure that the former handles its data in the most secure way. While there's no one-size-fits-all in cybersecurity, there are various frameworks that provide robust guidelines for organizations to see if the security controls in place indeed address their needs. NIST cybersecurity framework is a good example of such guidelines. There are industry specific standards, such as HIPPA for healthcare and PCI-DSS for credit card processing. However, in recent years, SOC 2 is gaining momentum in the US as a general standard for all organizations that store or process data for consumers and busi...

Oracle has released an out-of-band emergency software update to patch a newly discovered critical vulnerability in the WebLogic Server. According to Oracle, the vulnerability—which can be identified as CVE-2019-2729 and has a CVSS score of 9.8 out of 10—is already being exploited in the wild by an unnamed group of attackers. Oracle WebLogic is a Java-based multi-tier enterprise application server that allows businesses to quickly deploy new products and services on the cloud, which is popular across both, cloud environment and conventional environments. The reported vulnerability is a deserialization issue via XMLDecoder in Oracle WebLogic Server Web Services that could allow unauthorized remote attackers to execute arbitrary code on the targeted servers and take control over them. "This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password," the advisor...

Important Update [21 June 2019] — Mozilla on Thursday released another update Firefox version 67.0.4 to patch a second zero-day vulnerability. If you use the Firefox web browser, you need to update it right now. Mozilla earlier today released Firefox 67.0.3 and Firefox ESR 60.7.1 versions to patch a critical zero-day vulnerability in the browsing software that hackers have been found exploiting in the wild. Discovered and reported by Samuel Groß, a cybersecurity researcher at Google Project Zero, the vulnerability could allow attackers to remotely execute arbitrary code on machines running vulnerable Firefox versions and take full control of them. The vulnerability, identified as CVE-2019-11707 , affects anyone who uses Firefox on desktop (Windows, macOS, and Linux) — whereas, Firefox for Android, iOS, and Amazon Fire TV are not affected. According to an advisory , the flaw has been labeled as a type confusion vulnerability in Firefox that can result in an exploitable ...

Cybersecurity isn't easy. If there was a product or service you could buy that would just magically solve all of your cybersecurity problems, everyone would buy that thing, and we could all rest easy. However, that is not the way it works. Technology continues to evolve. Cyber attackers adapt and develop new malicious tools and techniques, and cybersecurity vendors design creative new ways to detect and block those threats. Rinse and repeat. Cybersecurity isn't easy, and there is no magic solution, but there are a handful of things you can do that will greatly reduce your exposure to risk and significantly improve your security posture. The right platform, intelligence, and expertise can help you avoid the vast majority of threats, and help you detect and respond more quickly to the attacks that get through. Challenges of Cybersecurity Effective cybersecurity is challenging for a variety of reasons, but the changing perimeter and the confusing variety of solution...

Cybersecurity researchers have released an updated version of GandCrab ransomware decryption tool that could allow millions of affected users to unlock their encrypted files for free without paying a ransom to the cybercriminals. GandCrab is one of the most prolific families of ransomware to date that has infected over 1.5 million computers since it first emerged in January 2018. Created by BitDefender, the new GandCrab decryption tool [ download ] can now unlock files encrypted by the latest versions of the ransomware, from 5.0 to 5.2, as well as for the older GandCrab ransomware versions. As part of the " No More Ransom " Project, BitDefender works in partnership with the FBI, Europol, London Police, and several other law enforcement agencies across the globe to help ransomware affected users. The cybersecurity company in recent months released ransomware removal tools for some older GandCrab versions that helped nearly 30,000 victims recover their data for free,...

Cybersecurity researchers discover a critical flaw in the popular Evernote Chrome extension that could have allowed hackers to hijack your browser and steal sensitive information from any website you accessed. Evernote is a popular service that helps people taking notes and organize their to-do task lists, and over 4,610,000 users have been using its Evernote Web Clipper Extension for Chrome browser. Discovered by Guardio, the vulnerability ( CVE-2019-12592 ) resided in the ways Evernote Web Clipper extension interacts with websites, iframes and inject scripts, eventually breaking the browser's same-origin policy (SOP) and domain-isolation mechanisms. According to researchers, the vulnerability could allow an attacker-controlled website to execute arbitrary code on the browser in the context of other domains on behalf of users, leading to a Universal Cross-site Scripting (UXSS or Universal XSS) issue. "A full exploit that would allow loading a remote hacker contr...