Search results for Security | Breaking Cybersecurity News | The Hacker News

Apple on Wednesday  announced  a raft of security measures, including an Advanced Data Protection setting that enables end-to-end encrypted (E2EE) data backups in its iCloud service. The headlining feature, when turned on, is expected to secure 23 data categories using E2EE, including device and message backups, iCloud Drive, Notes, Photos, Reminders, Voice Memos, Safari Bookmarks, Siri Shortcuts, and Wallet Passes. The iPhone maker said the only major iCloud data categories that are still not protected by E2EE are Mail, Contacts, and Calendar because of the "need to interoperate with the global email, contacts, and calendar systems" that use legacy technologies. Advanced Data Protection's E2EE protections for iCloud also mean that users' personal data can only be decrypted on their trusted devices, which retain the encryption keys. "If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help

A security researcher has discovered an interesting loophole in Gmail Android app that lets anyone send an email that looks like it was sent by someone else, potentially opening doors for Phishers. This is something that we call E-mail Spoofing – the forgery of an e-mail header so that the email appears to have originated from someone other than the actual source. Generally, to spoof email addresses, an attacker needs: A working SMTP (Simple Mail Transfer Protocol) server to send email A M ailing Software However, an independent security researcher, Yan Zhu , discovered a similar bug in official Gmail Android app that allowed her to hide her real email address and change her display name in the account settings so that the receiver will not be able to know the actual sender. How to Send Spoofed Emails via Gmail Android App? To demonstrate her finding, Zhu sent an email to someone by changing her display name to yan ""security@google.com" (w

Since cybersecurity is definitely an issue that's here to stay, I've just checked out the recently released first episodes of Cato Networks  Cybersecurity Master Class Series .  According to Cato, the series aims to teach and demonstrate cybersecurity tools and best practices; provide research and real-world case studies on cybersecurity; and bring the voices and opinions of top cybersecurity thought-leaders. Designed for security and IT professionals, C-level managers and security experts, each session contains both theory and hands-on examples about strategic, tactical, and operational issues on a wide range of topics.  The classes are hosted by industry-recognized cybersecurity researcher and keynote speaker, Etay Maor, who is also Senior Director of Security Strategy at Cato. Four out of the planned annual 8-10 episodes are currently available online.  Episode 1 , entitled  How (and Why) to Apply OSINT to Protect your Enterprise  takes an in-depth look at our era of data proli

Microsoft today launched a new bug bounty program for bug hunters and researchers finding security vulnerabilities in its "identity services." Hacking into networks and stealing data have become common and easier than ever but not all data holds the same business value or carries the same risk. Since new security today depends on the collaborative communication of identities and identity data within, and across domains, digital identities of customers are usually the key to accessing services and interacting across the Internet. Microsoft said the company has heavily invested in the "creation, implementation, and improvement of identity-related specifications" that encourage "strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks." Therefore, to further bolster its customers' security, the tech giant has launched an all-new, and independent bug bounty program. Dubbed Microsoft Identity Bounty

Microsoft on Tuesday  unveiled   Security Copilot  in limited preview, marking its continued quest to embed AI-oriented features in an attempt to offer "end-to-end defense at machine speed and scale." Powered by OpenAI's GPT-4 generative AI and its own security-specific model, it's billed as a  security analysis tool  that enables cybersecurity analysts to quickly respond to threats, process signals, and assess risk exposure. To that end, it collates insights and data from various products like Microsoft Sentinel, Defender, and Intune to help security teams better understand their environment; determine if they are susceptible to known vulnerabilities and exploits; identify ongoing attacks, their scale, and receive remediation instructions; and summarize incidents. Users, for instance, can ask Security Copilot about suspicious user logins over a specific time period, or even employ it to create a PowerPoint presentation outlining an incident and its attack chain.

If you think that only CPU updates that address this year's major security flaws— Meltdown and Spectre —are the only ones you are advised to grab immediately, there are a handful of major security flaws that you should pay attention to. Microsoft has issued its first Patch Tuesday for 2018 to address 56 CVE-listed flaws, including a zero-day vulnerability in MS Office related that had been actively exploited by several threat groups in the wild. Sixteen of the security updates are listed as critical, 38 are rated important, one is rated moderate, and one is rated as low in severity. The updates address security flaws in Windows, Office, Internet Explorer, Edge, ChakraCore, ASP.NET, and the .NET Framework. The zero-day vulnerability ( CVE-2018-0802 ), described by Microsoft as a memory corruption flaw in Office, is already being targeted in the wild by several threat actor groups in the past few months. The vulnerability, discovered by several researchers from Chinese com

In today's digital age, SaaS applications have become the backbone of modern businesses. They streamline operations, enhance productivity, and foster innovation. But with great power comes great responsibility. As organizations integrate more SaaS applications into their workflows, they inadvertently open the door to a new era of security threats. The stakes? Your invaluable data and the trust of your stakeholders. Historically, SaaS security was about managing misconfigurations. But the landscape has evolved. Now, it's not just about securing the software; it's about safeguarding the very essence of digital identity.  Identity is the new endpoint . If you're not focusing on securing user identity, you're leaving a gaping hole in your security strategy. Traditional threat detection and identity management methods? They're just the tip of the iceberg. To truly fortify your SaaS ecosystem, you need to delve deeper. Enter Maor Bin, the visionary CEO of Adaptive

In today's perilous cyber risk landscape, CISOs and CIOs must defend their organizations against relentless cyber threats, including ransomware, phishing, attacks on infrastructure, supply chain breaches, malicious insiders, and much more. Yet at the same time, security leaders are also under tremendous pressure to reduce costs and invest wisely.  One of the most effective ways for CISOs and CIOs to make the best use of their limited resources to protect their organizations is by conducting a cyber risk assessment. A comprehensive cyber risk assessment can help: Identify vulnerabilities and threats Prioritize security investments Assess cybersecurity maturity Communicate cyber risk to executives Provide the basis for cyber risk quantification A new guide by cybersecurity optimization provider CYE ( download here ) explains how this can be accomplished. The guide outlines several approaches to cyber risk assessments and describes the necessary steps that can yield solid in

Using Popular Online Dating app - Tinder on iPhone ?? Then you are at significant risk that exposed members' private information without their knowledge. Online Dating app Tinder, available for the iPhone from the app store , has become incredibly popular in the past few months. Tinder app allows you to find dates nearby your location within a few miles and connects you with them, but a vulnerability allowed the attacker to potentially pinpoint your exact location to within 100 feet. Security Researchers at Include Security discovered that Tinder GPS vulnerability making members vulnerable to hackers. The Security flaw was discovered by the company last October, that enabled any member with some programming skills to access the app's API (Application Programming Interface) to get the exact latitude and longitude for another member. " Due to Tinder's architecture, it is not possible for one Tinder user to know if another took advantage of this vu

Get your update caps on. Microsoft today released its monthly Patch Tuesday update for September 2019, patching a total of 79 security vulnerabilities in its software, of which 17 are rated critical, 61 as important, and one moderate in severity. Two of the security vulnerabilities patched by the tech giant this month are listed as "publicly known" at the time of release, one of which is an elevation of privilege vulnerability (CVE-2019-1235) in Windows Text Service Framework (TSF), more likely related to a 20-year-old flaw Google security researcher disclosed last month . Two other vulnerabilities patched this month are reported as being actively exploited in the wild by hackers, both are privilege elevation flaws—one resides in the Windows operating system and the other in Windows Common Log File System Driver. Besides these, Microsoft has released patches for four critical RCE vulnerabilities in Windows built-in Remote Desktop Client application that could enabl

One of the most awaited occasions in a year is your birthday, same way we are today celebrating ' The Hacker News ' 2nd Birthday week from on 28th October-3rd November 2012. Originally founded on 1st November 2010 by Mohit Kumar , ' The Hacker News ' was the very First dedicated Hacking and Security News website available on Internet, Now been internationally recognized as a leading news source dedicated to promoting awareness for security experts and hackers. We are happy to announce that this project is now Supported and endorsed by thousands of Security Experts, administrators and members of various underground hacking groups and communities worldwide.  With the need for information security solutions becoming more critical, In these two years we served updates to over 30 Million Readers through various projects including Daily happenings of Hacking & Security community via The Hacker News , A most comprehensive and informative collection of security, hacking, a

The subject of threat visibility is a recurring one in cybersecurity. With an expanding attack surface due to the remote work transformation, cloud and SaaS computing and the proliferation of personal devices, seeing all the threats that are continuously bombarding the company is beyond challenging. This especially rings true for small to medium-sized enterprises with limited security budgets and lean IT security teams. An upcoming webinar ( register here ) tries to help lean security teams understand how to tackle this intractable problem. While adding security solutions to cover blind spots seems logical, the webinar will argue that this just leads to more alarms and more noise. While this approach might be workable for large security teams, smaller teams simply don't have the bandwidth to handle an increase in alerts. Instead, organizations need broad threat visibility to cover the current blind spots, but then needs the ability to combine, rank and filter alarms by importanc

As 2022 comes to an end, now's the time to level up your bug bounty program with Intigriti. Are you experiencing slow bug bounty lead times, gaps in security skills, or low-quality reports from researchers? Intigriti's expert triage team and global community of ethical hackers are enabling businesses to protect themselves against every emerging cybersecurity threat. Join the likes of Intel, Yahoo, and Sixt who levelled up their security with Intigriti to enjoy higher quality bug bounty reports, faster lead times, and an intuitive platform. Our expert triage team, renowned community management, and impact-focused customer support are enabling businesses to protect themselves against emerging cybersecurity threats. Build a better bug bounty program   Intigriti is more than a bug bounty platform. Our managed security service takes the pain out of vulnerability disclosure and uses our active hacking community to suit your exact security needs. Moving bug bounties can feel li

With the growing number of cyber attacks and data breaches, a significant number of companies and organizations have started Bug Bounty Programs to encourage hackers and security researchers to find and responsibly report bugs in their services and get a reward. Now, even pornography sites are starting to embrace bug bounty practices in order to safeguard its user's security. The world's most popular pornography site PornHub has launched a bug bounty program for security researchers and bug hunters who can find and report security vulnerabilities in its website. Partnered with HackerOne, PornHub is offering to pay independent security researchers and bug hunters between $50 and $25,000, depending upon the impact of vulnerabilities they find. Also Read: 10-year-old Boy becomes the youngest Bug Bounty Hacker . HackeOne is a bug bounty startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors – and even th

Researchers have found that even after having an advanced encryption scheme in place, more than 100 million Internet-of-Things (IoT) devices from thousands of vendors are vulnerable to a downgrade attack that could allow attackers to gain unauthorized access to your devices. The issue resides in the implementation of Z-Wave protocol —a wireless, radio frequency (RF) based communications technology that is primarily being used by home automation devices to communicate with each other. Z-Wave protocol has been designed to offer an easy process to set up pairing and remotely control appliances—such as lighting control, security systems, thermostats, windows, locks, swimming pools and garage door openers—over a distance of up to 100 meters (330 feet). The latest security standard for Z-Wave, called S2 security framework, uses an advanced key exchange mechanism, i.e., Elliptic-Curve Diffie-Hellman (ECDH) anonymous key agreement protocol, to share unique network keys between the con

#OpUSA campaign is officially started, the day has come, today May 7 as announced by Anonymous , a coordinated online attack will hit Banking and government websites. The announcement made by popular group of hacktivists is creating great concerns between US security experts in charge of defense the potential targets. The message passed sent by Anonymous to US authorities is eloquent, " We Will Wipe You Off the Cyber Map "  A new wave of attacks, presumably distributed-denial-of-service attack , is expected to hit principal US financial institutions exactly as already happened in the last months. The hacktivists participating to OpUSA campaign protest against the policy of the US Government blamed to have committed war crimes in foreign states and in its countries. "A nonymous will make sure that's this May 7 will be a day to remember. On that day anonymous will start phase one of operation USA. America you have committed multiple war crimes in Iraq, Afg

Microsoft ended its support for Windows XP officially more than a month ago on April 8, 2014 . This made a large number of users to switch to the latest version of Windows, but still a wide portion of users are using Microsoft oldest and most widely used operating system, despite not receiving security updates. While some companies and organizations who were not able to migrate their operating system's running Windows XP to another operating system before the support phase ended, are still receiving updates by paying Microsoft for the security patches and updates. Now a relatively simple method has emerged as a trick for the XP users which makes it possible to receive Windows XP security updates for the next five years i.e. until April 2019. It makes use of updates for Windows Embedded POSReady 2009 based on Windows XP Service Pack 3, because the security updates which are being released for POSReady 2009 are inevitably the same updates Microsoft would have rolled out

zAnti Pentester's Worldcup tournament open for Hackers Today is a great day to be a security enthusiastic since Zimperium kicked off the first ever penetration testing tournament. — Welcome to the Pentester's Worldcup ! Zimperium , a mobile security software start-up was founded by Itzhak " Zuk " Avraham, a world-renowned white-hat hacker, in 2011. The Pentester's World Cup is part of Zimperium's efforts to increase awareness about mobile security, and simultaneously enhance the security of its range of award-winning products. You may recall Anti, The first comprehensive Penetration Testing software offered on Smartphones, Zimperium created a killer mobile app that is so simple to use, any technical person is able to perform pentest on his network to get status of which devices that are attached to the network are vulnerable, what ports are opened and additional information that is a must have for anyone who cares about the safety on his network. Last year at DEFCON, Avraham, also