The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Cybersecurity researchers have discovered a new critical vulnerability ( CVE-2020-7247 ) in the OpenSMTPD email server that could allow remote attackers to take complete control over BSD and many Linux based servers. OpenSMTPD is an open-source implementation of the server-side SMTP protocol that was initially developed as part of the OpenBSD project but now comes pre-installed on many UNIX-based systems. According to Qualys Research Labs, who discovered this vulnerability, the issue resides in the OpenSMTPD's sender address validation function, called smtp_mailaddr(), which can be exploited to execute arbitrary shell commands with elevated root privileges on a vulnerable server just by sending specially crafted SMTP messages to it. The flaw affects OpenBSD version 6.6 and works against the default configuration for both, the locally enabled interface as well as remotely if the daemon has been enabled to listen on all interfaces and accepts external mail. "Exploit...

Facebook is one of the world's biggest advertising platforms, and that's because it knows a lot about you, me, and everyone. Facebook uses many tools to track people across the Internet, whether they have an account with the social networking site or not, and most of them rely on the online activity data other apps and websites share with Facebook. Everything we do online generates an extensive amount of behavioral data, from buying clothes to looking for hotels, which apps and websites often share with advertising companies, allowing them to build more accurate profiles of your interests and needs. However, after facing worldwide criticism over privacy and data breach controversies, Facebook last summer announced a privacy tool, called Off-Facebook Activity , which gives users more control of their data collected by Facebook. Starting today on Data Privacy Day 2020 , the Off-Facebook Activity feature is now available to every user around the world, which was initiall...

Another month, another speculative execution vulnerability found in Intel processors. If your computer is running any modern Intel CPU built before October 2018, it's likely vulnerable to a newly discovered hardware issue that could allow attackers to leak sensitive data from the OS kernel, co-resident virtual machines, and even from Intel's secured SGX enclave . Dubbed CacheOut a.k.a. L1 Data Eviction Sampling ( L1DES ) and assigned CVE-2020-0549 , the new microarchitectural attack allows an attacker to choose which data to leak from the CPU's L1 Cache, unlike previously demonstrated MDS attacks where attackers need to wait for the targeted data to be available. According to a team of academic researchers, the newly-discovered speculative execution attacks can leak information across multiple security boundaries, including those between hyper-threads, virtual machines, and processes, and between user space and the operating system kernel, and from SGX enclaves. ...

While phishing and ransomware dominate headlines, another critical risk quietly persists across most enterprises: exposed Git repositories leaking sensitive data. A risk that silently creates shadow access into core systems Git is the backbone of modern software development, hosting millions of repositories and serving thousands of organizations worldwide. Yet, amid the daily hustle of shipping code, developers may inadvertently leave behind API keys, tokens, or passwords in configuration files and code files, effectively handing attackers the keys to the kingdom. This isn't just about poor hygiene; it's a systemic and growing supply chain risk. As cyber threats become more sophisticated, so do compliance requirements. Security frameworks like NIS2, SOC2, and ISO 27001 now demand proof that software delivery pipelines are hardened and third-party risk is controlled. The message is clear: securing your Git repositories is no longer optional, it's essential. Below, we look at the ris...

If you use Zoom to host your remote online meetings, you need to read this piece carefully. The massively popular video conferencing software has patched a security loophole that could have allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session. Besides hosting password-protected virtual meetings and webinars, Zoom also allows users to set up a session for non-pre-registered participants who can join an active meeting by entering a unique Meeting ID, without requiring a password or going through the Waiting Rooms. Zoom generates this random meeting ID, comprised of 9, 10, and 11-digit numbers, for each meeting you schedule or create. If leaked beyond an individual or intended group of people, merely knowing Meeting IDs could allow unwelcome guests joining meetings or webinars. This could be bad news for anyone expecting their conversations to be private. To circumvent suc...

The Indonesian National Police in a joint press conference with Interpol and cybersecurity firm Group-IB earlier today announced the arrest of three Magecart-style Indonesian hackers who had compromised hundreds of international e-commerce websites and stolen payment card details of their online shoppers. Dubbed ' Operation Night Fury ,' the investigation was led by Interpol's ASEAN Cyber Capability Desk, a joint initiative by law enforcement agencies of Southeast Asian countries to combat cybercrime. According to the press conference, all three accused (23, 26, and 35 years old) were arrested last year in December from Jakarta and Yogyakarta and charged with criminal laws related to the data theft, fraud, and unauthorized access. "The operation is still ongoing in the other five ASEAN countries with which the intelligence was also shared. This case marks the first successful multi-jurisdictional operation against the operators of JavaScript-sniffers in the re...

Image credit: Times of Israel. Aleksei Burkov, a 29-year-old Russian hacker, on Thursday pleaded guilty to multiple criminal charges for running two illegal websites that helped cyber criminals commit more than $20 million in credit card fraud. The first website Burkov operated was an online marketplace for buying and selling stolen credit card and debit card numbers—called Cardplanet —which roughly hosted 150,000 payment card details between the years 2009 and 2013. Cardplanet marketplace offered stolen payment card details for anywhere between $2.50 and $10 a card, depending on the card type, country of origin, and the availability of card owner information. The carding website even offered a paid service that allowed buyers to instantly verify if a stolen payment card were still valid. "Many of the cards offered for sale belonged to U.S. citizens. The stolen credit card data from more than 150,000 compromised payment cards was allegedly sold on Burkov's site and ...

If you have ever contacted Microsoft for support in the past 14 years, your technical query, along with some personally identifiable information might have been compromised. Microsoft today admitted a security incident that exposed nearly 250 million "Customer Service and Support" (CSS) records on the Internet due to a misconfigured server containing logs of conversations between its support team and customers. According to Bob Diachenko, a cybersecurity researcher who spotted the unprotected database and reported to Microsoft, the logs contained records spanning from 2005 right through to December 2019. In a blog post, Microsoft confirmed that due to misconfigured security rules added to the server in question on December 5, 2019, enabled exposure of the data, which remained the same until engineers remediated the configuration on December 31, 2019. Microsoft also said that the database was redacted using automated tools to remove the personally identifiable info...