Search results for Security | Breaking Cybersecurity News | The Hacker News

Over the past few weeks, the use of Zoom video conferencing software has exploded ever since it emerged the platform of choice to host everything from cabinet meetings to yoga classes amidst the ongoing coronavirus outbreak and work from home became the new normal. The app has skyrocketed to 200 million daily users from an average of 10 million in December — along with a 535 percent increase in daily traffic to its download page in the last month — but it's also seen a massive uptick in Zoom's problems, all of which stem from sloppy design practices and security implementations. Zoom may never have designed its product beyond enterprise chat initially, but with the app now being used in a myriad number of ways and by regular consumers, the company's full scope of gaffes have come into sharp focus — something it was able to avoid all this time. But if this public scrutiny can make it a more secure product, it can only be a good thing in the long run. A Laundry ...

What do you expect a tech giant to protect your backdoor security with? Holy Cow! It's " 12345678 " as a Hard-Coded Password . Yes, Lenovo was using one of the most obvious, awful passwords of all time as a hard-coded password in its file sharing software SHAREit that could be exploited by anyone who can guess '12345678' password. The Chinese largest PC maker made a number of headlines in past for compromising its customers security. It had shipped laptops with the insecure  SuperFish adware , it was  caught using Rootkit  to secretly install unremovable software, its  website was hacked , and it was  caught pre-installing Spyware  on its laptops. Any of these incidences could have been easily prevented. Now, Research center of Core Security CoreLabs issued an advisory on Monday that revealed several software vulnerabilities in Lenovo SHAREit app for Windows and Android that could result in: Information leaks Security protoco...

A security researcher has found four vulnerabilities, including a critical remote code execution bug, in OpenVPN, those were not even caught in the two big security audits of the open source VPN software this year. OpenVPN is one of the most popular and widely used open source VPN software solutions mostly used for various connectivity needs, but it is especially popular for anonymous and private access to the Internet. This year, two independent security audits of OpenVPN were carried out to look for flaws, backdoors, and other defects in the open source software – one conducted by a team led by Johns Hopkins University crypto-boffin Dr. Matthew D. Green. The audits resulted in a patch of a few vulnerabilities in the widely used open source software, giving OpenVPN a clean chit. Researcher Used Fuzzer to find Bugs in OpenVPN Researcher Guido Vranken of Netherlands exclusively used a fuzzer and recently discovered four security holes in OpenVPN that escaped both the secur...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill's threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk.  In the current cyber threat landscape, the protection of personal and corporate identities has become vital. Once in the hands of cybercriminals, compromised credentials and accounts provide unauthorized access to corporations' sensitive information and an entry point to launch costly ransomware and other malware attacks. To properly mitigate threats stemming from compromised credentials and accounts, organizations need identity intelligence. Understanding the significance of identity intelligence and the benefits it delivers is foundational to maintaining a secure posture and minimizing risk.  There is a perception that security teams and threat analysts are already overloaded by too much data. ...

Welcome to a world where Generative AI revolutionizes the field of cybersecurity. Generative AI refers to the use of artificial intelligence (AI) techniques to generate or create new data, such as images, text, or sounds. It has gained significant attention in recent years due to its ability to generate realistic and diverse outputs. When it comes to security operations,  Generative AI can play a significant role . It can be used to detect and prevent various threats, including malware, phishing attempts, and data breaches. Analyzing patterns and behaviors in large amounts of data allows it to identify suspicious activities and alert security teams in real-time. Here are seven practical use cases that demonstrate the power of Generative AI. There are more possibilities out there of how you can achieve objectives and fortify security operations, but this list should get your creative juices flowing. 1) Information Management Information security deals with a breadth of data t...

Cybersecurity researchers on Thursday revealed security issues in the Android app developed by Chinese drone-maker Da Jiang Innovations (DJI) that comes with an auto-update mechanism that bypasses Google Play Store and could be used to install malicious applications and transmit sensitive personal information to DJI's servers. The twin reports, courtesy of cybersecurity firms Synacktiv and GRIMM , found that DJI's Go 4 Android app not only asks for extensive permissions and collects personal data (IMSI, IMEI, the serial number of the SIM card), it makes use of anti-debug and encryption techniques to thwart security analysis. "This mechanism is very similar to command and control servers encountered with malware," Synacktiv said. "Given the wide permissions required by DJI GO 4 — contacts, microphone, camera, location, storage, change network connectivity — the DJI or Weibo Chinese servers have almost full control over the user's phone." The ...

Having been at ActiveState for nearly eight years, I've seen many iterations of our product. However, one thing has stayed true over the years: Our commitment to the open source community and companies using open source in their code. ActiveState has been helping enterprises manage open source for over a decade. In the early days, open source was in its infancy. We focused mainly on the developer case, helping to get open source on platforms like Windows. Over time, our focus shifted from helping companies run open source to supporting enterprises managing open source when the community wasn't producing it in the way they needed it. We began managing builds at scale, and supporting enterprises in understanding what open source they're using and if it's compliant and safe. Managing open source at scale in a large organization can be complex. To help companies overcome this and bring structure to their open source DevSecOps practice, we're unveiling our end-to-end platform to help m...

Web applications, often in the form of Software as a Service (SaaS), are now the cornerstone for businesses all over the world. SaaS solutions have revolutionized the way they operate and deliver services, and are essential tools in nearly every industry, from finance and banking to healthcare and education.  Most startup CTOs have an excellent understanding of how to build highly functional SaaS businesses but (as they are not cyber security professionals) need to gain more knowledge of how to secure the web application that underpins it.  Why test your web applications?  If you are a CTO at a SaaS startup, you are probably already aware that just because you are small doesn't mean you're not on the firing line. The size of a startup does not exempt it from cyber-attacks – that's because hackers constantly scan the internet looking for flaws that they can exploit. Additionally, it takes only one weakness, and your customer data could end up on the internet. It takes ...

Today's web has made hackers' tasks remarkably easy. For the most part, hackers don't even have to hide in the dark recesses of the web to take advantage of people any longer; they can be found right in plain sight on social media sites or forums, professionally advertised with their websites, and may even approach you anonymously through such channels as Twitter. Cybercrime has entered a new era where people don't steal just for the thrill of doing it anymore. They make it their business to carry out illegal cyber activities in small groups or individually to earn business from online criminals, selling offensive services like spyware as a service or commercial cybersecurity. For instance, a series of new DDoS for Hire are commoditizing the art of hacking and reducing the barrier to launching  DDoS attacks . Who are Hackers-for-Hire?  Hackers-for-hire are secret cyber experts or groups who specialize in infiltrating organizations to acquire intelligence in one way...

Every once in a while, an industry term will get overused by marketing to the point of becoming a cliche. "Zero Trust" may have reached this threshold. In some ways, we understand why this is happening. Security perimeters have become obsolete as people use mobile devices and cloud applications to work from anywhere. Zero Trust deployment — moving all your apps and data to the cloud and assuming no user or device is trustworthy until proven otherwise in order to gain access — has been rapidly introduced as a result of the pandemic. However, most attempts at achieving Zero Trust access today are a patchwork of disparate products from different vendors connected to virtual private networks (VPN), with rudimentary on-off access controls based on limited visibility. Cloud security company,  Lookout , believes a modern approach to Zero Trust needs to take into account the fact that data has moved to the cloud and users are working from anywhere, on any device, and connecting o...

Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill's threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk.  In an increasingly interconnected world, supply chain attacks have emerged as a formidable threat, compromising not just individual organizations but the broader digital ecosystem. The web of interdependencies among businesses, especially for software and IT vendors, provides fertile ground for cybercriminals to exploit vulnerabilities. By targeting one weak link in the supply chain, threat actors can gain unauthorized access to sensitive information and can conduct malicious activities with severe consequences on multiple organizations, from data breaches and financial losses to widespread disruption and reputational damage. Understanding the nature, impact, and mitigation strategies of supply chain...

Ever wonder how to hack Instagram or how to hack a facebook account? Well, someone just did it! But, remember, even responsibly reporting a security vulnerability could end up in taking legal actions against you. An independent security researcher claims he was threatened by Facebook after he responsibly revealed a series of security vulnerabilities and configuration flaws that allowed him to successfully gained access to sensitive data stored on Instagram servers , including: Source Code of Instagram website SSL Certificates and Private Keys for Instagram Keys used to sign authentication cookies Personal details of Instagram Users and Employees Email server credentials Keys for over a half-dozen critical other functions However, instead of paying him a reward, Facebook has threatened to sue the researcher of intentionally withholding flaws and information from its team. Wesley Weinberg , a senior security researcher at Synack, participated in Facebook's b...