The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

An election campaigning website operated by Likud―the ruling political party of Israeli Prime Minister Benjamin Netanyahu―inadvertently exposed personal information of all 6.5 million eligible Israeli voters on the Internet, just three weeks before the country is going to have a legislative election. In Israel, all political parties receive personal details of voters before the election, which they can't share with any third party and are responsible for protecting the privacy of their citizens and erasing it after the elections are over. Reportedly, Likud shared the entire voter registry with Feed-b, a software development company, who then uploaded it a website (elector.co.il) designed to promote the voting management app called 'Elector.' According to Ran Bar-Zik , a web security researcher who disclosed the issue, the voters' data was not leaked using any security vulnerability in the Elector app; instead, the incident occurred due to negligence by the softw...

The United States Department of Justice today announced charges against 4 Chinese military hackers who were allegedly behind the Equifax data breach that exposed the personal and financial data of nearly 150 million Americans. In a joint press conference held today with the Attorney General William Barr and FBI Deputy Director David Bowdich, the DoJ officials labeled the state-sponsored hacking campaign as the largest hacking case ever uncovered of this type. The four accused, Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可) and Liu Lei (刘磊), have also been indicted for their involvement in hacking and stealing trade secrets, intellectual property and confidential information from several other U.S. businesses in recent years. In September 2017, credit reporting agency Equifax disclosed it had become a victim of a massive cyberattack that left highly sensitive data of nearly half of the U.S. population in the hands of hackers. As The Hacker News reported earlier, hackers compr...

Can you imagine launching a global bug bounty platform with almost 500,000 submissions and 13,000 researchers without consuming a cent from venture capitalists? If not, this success story is for you. The once skyrocketing bug bounty industry seems to be not in the best shape today. While prominent security researchers are talking about a growing multitude of hurdles they experience with the leading commercial bug bounty platforms, the latter are trying to reinvent themselves as "next-generation penetration testing" or similar services. You be the judge of how successful they will be. Generous venture funds have poured many millions into rapidly spending bug bounty startups that have not replaced Managed Penetration Testing (MPT) services (as some declared). However, these startups have positively improved the price/quality ratio of pen testing services on the global market. Amid the uncertainty for the future of commercial bug bounty platforms, the not-for-profit Op...

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.  A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.  All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access. Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource t...

Several Cisco-manufactured network equipments have been found vulnerable to five new security vulnerabilities that could allow hackers to take complete control over them, and subsequently, over the enterprise networks they power. Four of the five high-severity bugs are remote code execution issues affecting Cisco routers, switches, and IP cameras, whereas the fifth vulnerability is a denial-of-service issue affecting Cisco IP phones. Collectively dubbed ' CDPwn ,' the reported vulnerabilities reside in the various implementations of the Cisco Discovery Protocol (CDP) that comes enabled by default on virtually all Cisco devices and can not be turned OFF. Cisco Discovery Protocol (CDP) is an administrative protocol that works at Layer 2 of the Internet Protocol (IP) stack. The protocol has been designed to let devices discover information about other locally attached Cisco equipment in the same network. According to a report Armis research team shared with The Hacker N...

It may sound creepy and unreal, but hackers can also exfiltrate sensitive data from your computer by simply changing the brightness of the screen, new cybersecurity research shared with The Hacker News revealed. In recent years, several cybersecurity researchers demonstrated innovative ways to covertly exfiltrate data from a physically isolated air-gapped computer that can't connect wirelessly or physically with other computers or network devices. These clever ideas rely on exploiting little-noticed emissions of a computer's components, such as light, sound , heat , radio frequencies , or ultrasonic waves , and even using the current fluctuations in the power lines. For instance, potential attackers could sabotage supply chains to infect an air-gapped computer, but they can't always count on an insider to unknowingly carry a USB with the data back out of a targeted facility. When it comes to high-value targets, these unusual techniques, which may sound theoretica...

Exams are pretty important in professional IT. You can have all the practical knowledge in the world, but technical recruiters want to see certificates. If you want to improve your resume, the Complete 2020 IT Certification Exam Prep Mega Bundle will help you ace nine of the most important exams. You can pick up the training now for only $39 via THN Deals. Over the next few years, the areas of greatest demand in IT will be networking, cloud computing, and cybersecurity. This bundle covers all three topics, with over 100 hours of training. The courses on cloud computing focus on AWS and Microsoft Azure, which are the two biggest platforms right now. You get full prep for four Azure exams and one AWS exam. The bundle also helps you pass three Cisco CCNA exams. If you plan to work with networks at any time, these certifications will serve you well. The final course works towards CompTIA Security+, which covers all the fundamentals of cybersecurity. Many companies now expect ...

There are over a hundred potential ways hackers can ruin your life by having access to your WiFi network that's also connected to your computers, smartphones, and other smart devices. Whether it's about exploiting operating system and software vulnerabilities or manipulating network traffic, every attack relies on the reachability between an attacker and the targeted devices. In recent years, we have seen how hundreds of widely used smart-but-insecure devices made it easier for remote attackers to sneak into connected networks without breaking WiFi passwords. In the latest research shared with The Hacker News, Check Point experts today revealed a new high-severity vulnerability affecting Philips Hue Smart Light Bulbs that can be exploited over-the-air from over 100 meters away to gain entry into a targeted WiFi network. The underlying high-severity vulnerability, tracked as CVE-2020-6007 , resides in the way Philips implemented the Zigbee communication protocol in it...