The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

As software eats the world, the world faces a software security crisis. The movement to modern software such as cloud technologies and microservice architectures is essential to innovate quickly. Yet, nearly three in four developers say that security slows down Agile and DevOps. Neither developers nor security teams are to blame. DevOps speed is held back by a 15-year-old, scan-based application security (AppSec) model designed for the early 2000s. Traditional security tools cannot keep up with today's rapid development pace or modern application portfolio scale. However, sacrificing security for development speed places critical and confidential personal and business information at risk—from financial to healthcare data—and can disrupt operations or even cause outages. Code Scanners Cannot Meet Modern DevOps Legacy AppSec approaches that rely on point-in-time scanning are plagued by development delays and highly inaccurate results. Scans take many hours, if not days—not id...

Citrix today released patches for multiple new security vulnerabilities affecting its Citrix Endpoint Management (CEM) , also known as XenMobile, a product made for enterprises to help companies manage and secure their employees' mobile devices remotely. Citrix Endpoint Management offers businesses mobile device management (MDM) and mobile application management (MAM) capabilities. It allows companies to control which apps their employees can install while ensuring updates and security settings are applied to keep business information protected. According to Citrix, there are a total of 5 vulnerabilities that affect on-premise instances of XenMobile servers used in enterprises to manage all apps, devices, or platforms from one central location. "Remediations have already been applied to cloud versions, but hybrid rights users need to apply the upgrades to any on-premises instance," the company sai d in a post today. If left unpatched and exploited successfully,...

If you haven't recently updated your Chrome, Opera, or Edge web browser to the latest available version, it would be an excellent idea to do so as quickly as possible. Cybersecurity researchers on Monday disclosed details about a zero-day flaw in Chromium-based web browsers for Windows, Mac and Android that could have allowed attackers to entirely bypass Content Security Policy (CSP) rules since Chrome 73. Tracked as CVE-2020-6519 (rated 6.5 on the CVSS scale), the issue stems from a CSP bypass that results in arbitrary execution of malicious code on target websites. According to PerimeterX, some of the most popular websites, including Facebook, Wells Fargo, Zoom, Gmail, WhatsApp, Investopedia, ESPN, Roblox, Indeed, TikTok, Instagram, Blogger, and Quora, were susceptible to the CSP bypass. Interestingly, it appears that the same flaw was also highlighted by Tencent Security Xuanwu Lab more than a year ago, just a month after the release of Chrome 73 in March 2019, but...

A newly released report by cybersecurity firm CTM360 reveals a large-scale scam operation utilizing fake news websites—known as Baiting News Sites (BNS)—to deceive users into online investment fraud across 50 countries. These BNS pages are made to look like real news outlets: CNN, BBC, CNBC, or regional media. They publish fake stories that feature public figures, central banks, or financial brands, all claiming to back new ways to earn passive income. The goal? Build trust quickly and steer readers toward professional-looking scam platforms like Trap10, Solara Vynex, or Eclipse Earn. Scammers use sponsored ads on Google, Meta, and blog networks to push traffic to these sites. Ads often carry clickbait headlines—"You won't believe what a prominent public figure just revealed"—paired with official photos or national flags to make them feel legit. Clicking the ad directs users to a fake article, which then redirects them to a fraudulent trading platform. Many of these scams follow a...

A security researcher earlier today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability affecting the widely used internet forum software vBulletin that's already under active exploitation in the wild. vBulletin is a widely used proprietary Internet forum software package based on PHP and MySQL database server that powers over 100,000 websites on the Internet, including Fortune 500 and Alexa Top 1 million companies websites and forums. In September last year, a separate anonymous security researcher publicly disclosed a then-zero-day RCE vulnerability in vBulletin , identified as CVE-2019-16759 , and received a critical severity rating of 9.8, allowing attackers to execute malicious commands on the remote server without requiring any authentication to log into the forum. A day after the disclosure of CVE-2019-16759, the vBulletin team released security patches that resolved the issue, but it t...

If you are using TeamViewer, then beware and make sure you're running the latest version of the popular remote desktop connection software for Windows. TeamViewer team recently released a new version of its software that includes a patch for a severe vulnerability ( CVE 2020-13699 ), which, if exploited, could let remote attackers steal your system password and eventually compromise it. What's more worrisome is that the attack can be executed almost automatically without requiring much interaction of the victims and just by convincing them to visit a malicious web page once. For those unaware, TeamViewer is a popular remote-support software that allows users to securely share their desktop or take full control of other's PC over the Internet from anywhere in the world. The remote access software is available for desktop and mobile operating systems, including Windows, macOS, Linux, Chrome OS, iOS, Android, Windows RT Windows Phone 8, and BlackBerry. Discovered b...

Popular video conferencing app Zoom has addressed several security vulnerabilities, two of which affect its Linux client that could have allowed an attacker with access to a compromised system to read and exfiltrate Zoom user data—and even run stealthy malware as a sub-process of a trusted application. According to cybersecurity researcher Mazin Ahmed , who presented his findings at DEF CON 2020 yesterday, the company also left a misconfigured development instance exposed that wasn't updated since September 2019, indicating the server could be susceptible to flaws that were left unpatched. After Ahmed privately reported the issues to Zoom in April and subsequently in July, the company issued a fix on August 3 (version 5.2.4). It's worth noting that for some of these attacks to happen, an attacker would need to have already compromised the victim's device by other means. But that doesn't take away the significance of the flaws. In one scenario, Ahmed uncov...

A United States regulator has fined the credit card provider Capital One Financial Corp with $80 million over last year's data breach that exposed the personal information of more than 100 million credit card applicants of Americans. The fine was imposed by the Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury that governs the execution of laws relating to national banks. According to a press release published by the OCC on Thursday, Capital One failed to establish appropriate risk management before migrating its IT operations to a public cloud-based service, which included appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts. The OCC also said that the credit card provider also left numerous weaknesses in its cloud-based data storage in an internal audit in 2015 as well as failed to patch security ...