Search results for invisible | Breaking Cybersecurity News | The Hacker News

If a whistleblower discloses an activity to the public, then there should be a trust-based mechanism that ensure the protection of truth-tellers on an international level by hiding their identities. In an effort to provide this kind of service and security, Security experts grouped together to create a stealthy Internet Messenger (IM) and file transfer client, which is especially designed for whistleblowers. Dubbed as “ ‪invisible.im ” is an anonymous Instant Messenger (IM) that leaves no trace‬. The team behind the project called itself “ The Infosec A-Team ” which includes Metasploit Founder HD Moore , noted infosec and opsec experts The Grugq , an Australian security analyst Patrick Gray , and Richo . Invisible.im aims to serve the rigid anonymity needs of whistleblowers. The project website states: invisible.im was established to develop an instant messenger and file transfer tool that leaves virtually no evidence of conversations or transfers having occurred. Th...

It may sound creepy and unreal, but hackers can also exfiltrate sensitive data from your computer by simply changing the brightness of the screen, new cybersecurity research shared with The Hacker News revealed. In recent years, several cybersecurity researchers demonstrated innovative ways to covertly exfiltrate data from a physically isolated air-gapped computer that can't connect wirelessly or physically with other computers or network devices. These clever ideas rely on exploiting little-noticed emissions of a computer's components, such as light, sound , heat , radio frequencies , or ultrasonic waves , and even using the current fluctuations in the power lines. For instance, potential attackers could sabotage supply chains to infect an air-gapped computer, but they can't always count on an insider to unknowingly carry a USB with the data back out of a targeted facility. When it comes to high-value targets, these unusual techniques, which may sound theoretica...

A team of cybersecurity researchers from the University of New Haven yesterday released a video demonstrating how vulnerabilities that most programmers often underestimate could have allowed hackers to evade privacy and security of your virtual reality experience as well as the real world. According to the researchers—Ibrahim Baggili, Peter Casey and Martin Vondráček—the underlying vulnerabilities, technical details of which are not yet publicly available but shared exclusively with The Hacker News , resided in a popular virtual reality (VR) application called Bigscreen and the Unity game development platform, on which Bigscreen is built. Bigscreen is a popular VR application that describes itself as a "virtual living room," enabling friends to hang out together in virtual world, watch movies in a virtual cinema, chat in the lobby, make private rooms, collaborate on projects together, share their computer screens or control in a virtual environment and more. Scary ...

Security Operations Center (SOC) teams are facing a fundamentally new challenge — traditional cybersecurity tools are failing to detect advanced adversaries who have become experts at evading endpoint-based defenses and signature-based detection systems. The reality of these “invisible intruders” is driving a significant need for a multi-layered approach to detecting threats, including Network Detection and Response (NDR) solutions.  The invisible intruder problem Imagine your network has been compromised — not today or yesterday, but months ago. Despite your significant investments in security tools running 24/7, an advanced adversary has been quietly moving through your systems, carefully avoiding detection. They've stolen credentials, established backdoors, and exfiltrated sensitive data, all while your dashboards showed nothing but green. This scenario is not hypothetical. The average dwell time for attackers — the period between initial compro...

If you are unaware, the security standard HTTP Strict Transport Security (HSTS) can be abused as a 'supercookie' to surreptitiously track users of almost every modern web browser online without their knowledge even when they use "private browsing." Apple has now added mitigations to its open-source browser infrastructure WebKit that underpins its Safari web browser to prevent HSTS abuse after discovering that theoretical attacks demonstrated in 2015 were recently deployed in the wild against Safari users. HSTS—HTTP Strict Transport Security—is a great feature that allows websites to automatically redirects user's web traffic to secure page connections over HTTPS if the user accidentally opens an insecure URL and then remembers to route that user to the secure connection always. Since HSTS does not allow websites to store any information/value on users web browser except remembering the redirect information about turning it on/off for future use, using ...

Threat actors are capitalizing on a popular TikTok challenge to trick users into downloading information-stealing malware, according to new research from Checkmarx. The trend, called  Invisible Challenge , involves applying a filter known as  Invisible Body  that just leaves behind a silhouette of the person's body. But the fact that individuals filming such videos could be undressed has led to a nefarious scheme wherein the attackers post TikTok videos with links to rogue software dubbed "unfilter" that purport to remove the applied filters. "Instructions to get the 'unfilter' software deploy  WASP stealer malware  hiding inside malicious Python packages," Checkmarx researcher Guy Nachshon  said  in a Monday analysis. The WASP stealer (aka W4SP Stealer) is a malware that's designed to steal users' passwords, Discord accounts, cryptocurrency wallets, and other sensitive information. The TikTok videos posted by the attackers, @learncyber an...

Traditional data leakage prevention (DLP) tools aren't keeping pace with the realities of how modern businesses use SaaS applications. Companies today rely heavily on SaaS platforms like Google Workspace, Salesforce, Slack, and generative AI tools, significantly altering the way sensitive information is handled. In these environments, data rarely appears as traditional files or crosses networks in ways endpoint or network-based DLP tools can monitor. Yet, most companies continue using legacy DLP systems, leaving critical security gaps. A new white paper, Rethinking DLP For The SaaS Era: Why Browser-Centric DLP is the New Mandate , identifies precisely why current DLP methods struggle to secure modern SaaS-driven workflows. It also explores how browser-native security addresses these gaps by focusing security efforts exactly where user interactions occur, in the browser. Why Traditional DLP Tools Fall Short Traditional DLP solutions were built for a simpler time when sensitive...

Security researchers have uncovered how marketing companies have started exploiting an 11-year-old bug in browsers' built-in password managers, which allow them to secretly steal your email address for targeted advertising across different browsers and devices. The major concern is that the same loophole could allow malicious actors to steal your saved usernames and passwords from browsers without requiring your interaction. Every modern browser—Google Chrome, Mozilla Firefox, Opera or Microsoft Edge—today comes with a built-in easy-to-use password manager tool that allows you to save your login information for automatic form-filling. These browser-based password managers are designed for convenience, as they automatically detect login form on a webpage and fill-in the saved credentials accordingly. However, a team of researchers from Princeton's Center for Information Technology Policy has discovered that at least two marketing companies, AdThink and OnAudience, a...

Not just Facebook , a new vulnerability discovered in Linkedin's popular AutoFill functionality found leaking its users' sensitive information to third party websites without the user even knowing about it. LinkedIn provides an AutoFill plugin for a long time that other websites can use to let LinkedIn users quickly fill in profile data, including their full name, phone number, email address, ZIP code, company and job title, with a single click. In general, the AutoFill button only works on specifically "whitelisted websites," but 18-year-old security researcher Jack Cable of Lightning Security said it is not just the case. Cable discovered that the feature was plagued with a simple yet important security vulnerability that potentially enabled any website (scrapers) secretly harvest user profile data and the user would not even realize of the event. A legitimate website would likely place a AutoFill button near the fields the button can fill, but accordin...

Trixd00r v0.0.1 - An Invisible TCP/IP based backdoor for UNIX systems NullSecurity Team Releases " Trixd00r v0.0.1 " an advanced and invisible TCP/IP based userlandbackdoor for UNIX systems. It consists of a server and a client. The server sits and waits for magic packets using a sniffer. If a magic packet arrives, it will bind a shell over TCP or UDP on the given port or connecting back to the client again over TCP or UDP.  The client is used to send magic packets to trigger the server and get a shell. You can  Download and Use trixd00r-0.0.1.tar.gz  from NullSecurity Website. Video Demonstration : 

Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out unintended actions by embedding the malicious instruction inside a fake CAPTCHA check on a web page. Described by Guardio Labs an "AI-era take on the ClickFix scam," the attack technique demonstrates how AI-driven browsers, such as Perplexity's Comet , that promise to automate mundane tasks like shopping for items online or handling emails on behalf of users can be deceived into interacting with phishing landing pages or fraudulent lookalike storefronts without the human user's knowledge or intervention. "With PromptFix, the approach is different: We don't try to glitch the model into obedience," Guardio researchers Nati Tal and Shaked Chen said . "Instead, we mislead it using techniques borrowed from the human social engineering playbook – appealing directly to its core d...

The Invisible Half of the Identity Universe Identity used to live in one place - an LDAP directory, an HR system, a single IAM portal. Not anymore. Today, identity is fragmented across SaaS, on-prem, IaaS, PaaS, home-grown, and shadow applications. Each of these environments carries its own accounts, permissions, and authentication flows. Traditional IAM and IGA tools govern only the nearly managed half of this universe - the users and apps that have been fully onboarded, integrated, and mapped. Everything else remains invisible: the unverified, non-human, unprotected mass of identities we call identity dark matter. Every new or modernized app demands onboarding - connectors, schema mapping, entitlement catalogs, and role modeling - work that consumes time, money, and expertise. Many applications never make it that far. The result is fragmentation: unmanaged identities and permissions operating outside corporate governance. And beyond the human layer lies an even larger challenge...

Hackers, Government Agencies and sophisticated malware, are collecting every piece of Digital data that we transmit through our Computers, Smartphones or Internet-enabled Gadgets. No matter how secure you think you might be, something malicious can always happen. Because, " With the right tools and Talent, a Computer is an open book. " Many people ask, How to stay safe and secure online? And, Answer is... ...Knowledge of Cyber threats, little Smartness and a Secure Operating System. Which Operating System is the Most Secure? Nearly every Operating System is designed with Security as a requirement, but believe me… there can't be a truly Secure Operating System. If you are Interested in Security and Hacking, you have probably already heard of various security-focused Operating Systems like Tails , Whonix and Kali Linux . All these operating systems, including Windows, Linux, BSD, even OSX, are all based on a Monolithic Kernels, and it requir...

The concept of "passwordless" authentication has been gaining significant industry and media attention. And for a good reason. Our digital lives are demanding an ever-increasing number of online accounts and services, with security best practices dictating that each requires a strong, unique password in order to ensure data stays safe. Who wouldn't want an easier way? That's the premise behind one-time passwords (OTP), biometrics, pin codes, and other authentication methods presented as passwordless security. Rather than remembering cumbersome passwords, users can authenticate themselves using something they own, know, or are. Some examples include a smartphone, OTP, hardware token, or biometric marker like a fingerprint. While this sounds appealing on the surface, the problem is that, when you dig deeper, these passwordless solutions are still reliant on passwords. This happens in two primary ways: Passwordless Solutions Rely on Passwords as a Fallback If you ha...

AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere; often with a high-privilege API key, OAuth token, or service account that defenders can’t easily see. These “invisible” non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers. Astrix’s Field CTO Jonathan Sander put it bluntly in a recent Hacker News webinar : “One dangerous habit we’ve had for a long time is trusting application logic to act as the guardrails. That doesn’t work when your AI agent is powered by LLMs that don’t stop and think when they’re about to do something wrong. They just do it.” Why AI Agents Redefine Identity Risk Autonomy changes everything: An AI agent can chain multiple API calls and modify data without a human in the loop. If the underlying credential is exposed or overprivileged, each addit...