The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Oracle Database new zero day exploit put users at risk Oracle has recommended workarounds for a zero-day Oracle Database flaw that was not fixed in the company's April critical patch update. Oracle issued a security alert for Oracle TNS Poison, the vulnerability, disclosed by researcher Joxean Koret after he mistakenly thought it had been fixed by Oracle, allows an attacker to hijack the information exchanged between clients and databases. Koret originally reported the vulnerability to Oracle in 2008, four years ago! and said he was surprised to see it had been fixed in Oracle's most recent Critical Patch Update without any acknowledgment of his work. " This vulnerability is remotely exploitable without authentication, and if successfully exploited, can result in a full compromise of the targeted Database ," the company warned.  " This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as 'TNS

Flashback malware Creater earning $10,000 per day from Google Ads In a recent analysis of the business model behind the Flashback Trojan, Symantec security researchers reported that the main objective of the malware is revenue generation through an ad-clicking component. Security researchers at Symantec are estimating that the cyber-crimibals behind the Flashback Mac OS X botnet may have raked in about $10,000 a day. Dr. Web, the Russian security firm that firm discovered the massive Flashback botnet last month, has provided new data on the number of Macs still infected with the software. The results show that while close to 460,000 machines remain infected, the botnet is shrinking at a rate of close to a hundred thousand machines a week as Mac users get around to downloading Apple's tool for disinfecting their machines or installing antivirus. when an infected user conducts a Google search, Google will return its normal search results. Flashback waits for someone to click on an a

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Skype Vulnerability Exposing User IP Addresses Skype is warning users following the launch of a site devoted to harvesting user IP addresses.The Skype IP-Finder site allowed third-parties to see a user's last known IP address by simply typing in a user name. A script has been uploaded to Github that offers these options. According to the page, it can be used to lookup IP addresses of online Skype accounts, and return both the remote and the local IP of that account on a website. The script is for instance available on this site . Just enter the user name of a Skype user, fill out the captcha, and click the search button to initiate the lookup. You will receive the user's remote IP and port, as well as the local IP and port. Adrian Asher, director of product Security, Skype " We are investigating reports of a new tool that captures a Skype user's last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the

Sony Engineers Met With PS3 Hacker - Geohot George Hotz aka " Geohot " first made a name for himself in the PS scene when he not only managed to hack a PlayStation 3, but then proceeded to publish a guide that shared with others how to do it as well. In an effort to improve their security measures, Sony had several of their engineers meet with the computer mastermind to better understand his methods. " We are always interested in exploring all avenues to better safeguard our systems and protect consumers ," said Jim Kennedy, the senior vice-president of strategic communications for Sony Corporation of America. In a story by The New Yorker on the hacker, details were given on the meeting between Sony and Hotz. The two got together after settling things in court, and "Geohot" spoke surprisingly very well of the Sony engineers, noting that they were very "respectful." Geohot once wrote on his blog that " Hacker is to computer as plumber is to pipes ." In the story, Hotz sa

oclHashcat-plus v0.08 Released - fastest password Cracker oclHashcat-plus is Worlds first and only GPGPU based rule engine and Worlds fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker. Features Free Multi-GPU (up to 16 gpus) Multi-Hash (up to 24 million hashes) Multi-OS (Linux & Windows native binaries) Multi-Platform (OpenCL & CUDA support) Multi-Algo (see below) Low resource utilization, you can still watch movies or play games while cracking Focuses highly iterated, modern hashes Focuses single dictionary based attacks Supports pause / resume while cracking Supports reading words from file Supports reading words from stdin Integrated thermal watchdog 20+ Algorithms implemented with performance in mind ... and much more Algorithms MD5 Joomla osCommerce, xt:Commerce SHA1 SHA-1(Base64), nsldap, Netscape LDAP SHA SSHA-1(Base64), nsldaps, Netscape LDAP SSHA Oracle 11g SMF > v1.1 OSX v10.4, v10.5, v10.6 MSSQL(2000) MSSQL(2005) MySQL