The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Attention! Are you using Firefox as your web browsing software on your Windows, Linux, or Mac systems? If yes, you should immediately update your free and open-source Firefox web browser to the latest version available on Mozilla's website. Why the urgency? Mozilla earlier today released Firefox 72.0.1 and Firefox ESR 68.4.1 versions to patch a critical zero-day vulnerability in its browsing software that an undisclosed group of hackers is actively exploiting in the wild. Tracked as ' CVE-2019-17026 ,' the bug is a critical 'type confusion vulnerability' that resides in the IonMonkey just-in-time (JIT) compiler of the Mozilla's JavaScript engine SpiderMonkey. In general, a type confusion vulnerability occurs when the code doesn't verify what objects it is passed to and blindly uses it without checking its type, allowing attackers to crash the application or achieve code execution. Without revealing details about the security flaw and any det...

TikTok , the 3rd most downloaded app in 2019, is under intense scrutiny over users' privacy, censoring politically controversial content and on national-security grounds—but it's not over yet, as the security of billions of TikTok users would be now under question. The famous Chinese viral video-sharing app contained potentially dangerous vulnerabilities that could have allowed remote attackers to hijack any user account just by knowing the mobile number of targeted victims. In a report privately shared with The Hacker News, cybersecurity researchers at Check Point revealed that chaining multiple vulnerabilities allowed them to remotely execute malicious code and perform unwanted actions on behalf of the victims without their consent. The reported vulnerabilities include low severity issues like SMS link spoofing, open redirection, and cross-site scripting (XSS) that when combined could allow a remote attacker to perform high impact attacks, including: delete any video...

Watch out! If you have any of the below-mentioned file managers and photography apps installed on your Android phone—even if downloaded from the official Google Store store⁠—you have been hacked and being tracked. These newly detected malicious Android apps are Camero , FileCrypt , and callCam that are believed to be linked to Sidewinder APT, a sophisticated hacking group specialized in cyber espionage attacks. According to cybersecurity researchers at Trend Micro, these apps were exploiting a critical use-after-free vulnerability in Android at least since March last year⁠—that's 7 months before the same flaw was first discovered as zero-day when Google researcher analysed a separate attack developed by Israeli surveillance vendor NSO Group. "We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps," the researchers said . Tracked as CVE-2019-2215 , the vulnerability is a local privilege escalation...

January 14, 2020, is a day cybersecurity stakeholders should pay attention to, as it marks the end of Microsoft support in Windows 7. From a security perspective, both the routine monthly security patches as well as hotfixes for attacks in the wild will not be available, effectively making any newly discovered vulnerability a Windows 7 zero-day. Cynet 360 autonomous breach protection is a good example of a multilayered advanced protection solution that can enable organizations who run Windows 7 to remain secure despite the end of support ( to learn more click here ). Let's dig a bit deeper to understand the risk. The reality is that all software contains bugs. Ideally, these bugs are discovered during the development process. In practice, many of them surface only following the product release in the course of their interactions with real users. Bugs that can be exploited for malicious purposes are called vulnerabilities. Microsoft conducts rigorous and ongoing research ...

Internet-connected devices have been one of the most remarkable developments that have happened to humankind in the last decade. Although this development is a good thing, it also stipulates a high security and privacy risk to personal information. In one such recent privacy mishap, smart IP cameras manufactured by Chinese smartphone maker Xiaomi found mistakenly sharing surveillance footage of Xiaomi users with other random users without any permission. The issue appears to affect Xiaomi IP cameras only when streamed through connected Google's Nest Hub, which came into light when a Reddit user claimed that his Google Nest Hub is apparently pulling random feeds from other users instead of his own Xiaomi Mijia cameras. The Reddit user also shared some photos showing other people's homes, an older adult sleeping on a chair, and a baby sleeping in its crib that appeared on his Nest Hub screen. It appears the issue doesn't reside in Google products; instead, it c...

Landry's, a popular restaurant chain in the United States, has announced a malware attack on its point of sale (POS) systems that allowed cybercriminals to steal customers' payment card information. Landry's owns and operates more than 600 bars, restaurants, hotels, casinos, food and beverage outlets with over 60 different brands such as Landry's Seafood, Chart House, Saltgrass Steak House, Claim Jumper, Morton's The Steakhouse, Mastro's Restaurants, and Rainforest Cafe. According to the  breach notification published this week, the malware was designed to search for and likely steal sensitive customer credit card data, including credit card numbers, expiration dates, verification codes and, in some cases, cardholder names. The PoS malware infected point-of-sale terminals at all Landry's owned locations, but, fortunately, due to end-to-end encryption technology used by the company, attackers failed to steal payment card data from cards swiped at its...

Advanced persistent threats (APTs) have emerged to be legitimate concerns for all organizations. APTs are threat actors that breach networks and infrastructures and stealthily lurk within them over extended spans of time. They typically perform complex hacks that allow them to steal or destroy data and resources. According to Accenture , APTs have been organizing themselves into groups that enable them to share tactics and tools to carry out attacks at scale. Russian group Silence APT, for instance, has been reported to be actively targeting financial institutions and have successfully stolen millions of dollars from various banks worldwide. Smaller organizations also need to be wary of such threats. APT groups also use automated tools and botnets to gain access to networks, and these tactics don't discriminate based on size, industry, or value. Any vulnerable infrastructure can be breached. It is now critical for all organizations to understand how APTs operate and impleme...

The cybersecurity of a company is heavily reliant upon the skills and knowledge of the people who install, manage, and operate its security products. This means that recruiting and nurturing the best security team possible should be a CISO's top priority. Cynet's Ultimate Cybersecurity Job Posting Templates ( download here ) provide a list of the main responsibilities and skills for typical security positions, built upon research and providing IT and security managers with pre-set template job descriptions so that there is no need to create them from scratch. Because of the fact that there are many different cybersecurity job titles, with much overlap between job descriptions and responsibilities, the creation of the inclusion criteria for these positions required significant review and consideration. Six positions are included in the following job templates, including all integral aspects of the responsibility cycle in product deployment, integration, and operation, p...