The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Well, we all are very conscious, when it comes to the security of our personal information, security of our financial data and security of everything related to us. In the world of Smart devices where our Smartphones knows more than we know ourselves. To keep our device protected from harmful viruses, malware or spyware, we totally depend on various security products such as antivirus, firewall and privacy guard apps, that we typically install from some trusted sources, Google Play Store. Most Antivirus apps are available to download for free, but some of them are paid with extra premium features like advance firewall protection, anti theft, App Locker or Cloud Backup etc. But do you believe that just because you're downloading an application from an official app store and also if its a premium paid version, you're safe from malicious software? Think twice. PAID, BUT FAKE ANTIVIRUS APP In Past, Mobile Security Researchers had spotted numerous fake mobile anti

Tomorrow, 8th April could be a sad day for all those who are still using Windows XP, as it is an official assassination day of it, but there is also a good news that Microsoft is going to stop charging for its Windows Operating System on on the devices with screens smaller than nine inches. Yes, Free a Windows OS for the  Internet of Things (IoTs) ,  such as Mobile Devices, Smart thermostats, Smart TVs, wearable devices etc., that was announced by Microsoft at Build 2014 conference on Wednesday. " To accelerate the creation of great mobile devices running Windows and grow our number of users, we announced today that Windows will be available for $0 to hardware partners for Windows Phones and tablets smaller than 9" in size, " said Terry Myerson, executive vice president, OS Group at Microsoft and he also added that it will include a one-year subscription to Office 365. FREE, BUT NOT OPEN SOURCE Free Windows , means the manufacturers of small tablets, phones and any o

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

A new dangerous variant of ZeuS Banking Trojan has been identified by Comodo AV labs which is signed by stolen Digital Certificate which belongs to Microsoft Developer to avoid detection from Web browsers and anti-virus systems. Every Windows PC in the world is set to accept software " signed " with Microsoft's digital certificates of authenticity, an extremely sensitive cryptography seal. Cyber Criminals somehow managed to hack valid Microsoft digital certificate, used it to trick users and admins into trusting the file. Since the executable is digitally signed by the Microsoft developer no antivirus tool could find it as malicious. Digitally signed malware received a lot of media attention last year. Reportedly, more than 200,000 unique malware binaries were discovered in past two years signed with valid digital signatures. A Comodo User submitted a sample of the malicious software that attempts to trick user by masquerading itself as file of Intern

Is Air Travel expensive for You?? Of course it's costly for Common people. But, hackers have found a way out of it too. If you have an iPhone then there is no need to buy airline tickets, as a simple iPhone hack can fool any modern airport and get you a seat in first class for free. Anthony Hariton , an 18 year-old computer science student at the University of Crete in Greece, claims he has found a plough to fetch free flight tickets across Europe by generating fake boarding passes designed for Apple's Passbook app. The student prepares to give his presentation entitled " Exploiting Passbook to Fly for Free, " in a hacking conference next month, in which he will theoretically demonstrate on how to generate fake boarding passes using only a computer and an iPhone, then get through all the Security Airport checks and then eventually ending up on your first class seat to the destination of your choice. HACKING iPHONE APP TO GET FREE BOARDING PASSES The iO

Pakistan's Federal Investigation Agency (FIA) has arrested a Pakistani Hacker allegedly involved in hacking into a telecom company and uploading their database on his website. With the help of the National Response Center for Cyber Crime (NR3C) of Pakistan's Federal Investigation Agency, the local authorities were able to trace and arrest the hacker suspected of infiltrating into the systems of Warid Telecom, an Abu-Dhabi-based telecoms company that provides services in Congo, Pakistan and Uganda. The suspect, Mubashar Shahzad , a resident of Kasur, is believed to have downloaded Warid Telecom's customer information from the company's databases and exposed it online, which was published on earlysms.com , a site hosted with HosterPK . Investigation started after one of the senior manager of a cellular company filed a complaint saying the ' information of its consumers till 2006 had been exposed over the internet. ' " A technical/forensic analysis found that the web

Do you know, Why another major company is getting hacked every week? Because of poor policies, Laziness to Incident Response and lack in will-power to put efforts on applying important patches. Some companies are not taking their security more seriously, and best suitable example for this is  TxTag,  an electronic toll collection systems in Texas operated by Texas Department of Transportation (TxDOT) . 1.2 MILLION CREDIT CARD ARE AT RISK Security researcher, David Longenecker   claimed a serious flaw at  TxTag website that exposes the active Credit Card Details and Personal Information of 1.2 Million Drivers including active TxTags (vehicle stickers with microchips, which are scanned by electronic readers on toll roads), Names, phone numbers, full residence addresses, email addresses, along with their complete Credit card numbers and Expiration date. According to David, the account names could be easily predictable by anyone, which is typically an 8-digit number that beg

On passed Thursday, Microsoft has released an advance advisory alert for upcoming Patch Tuesday which will address Remote Code Execution vulnerabilities in several Microsoft's products. Microsoft came across a limited targeted attacks directed at their Microsoft Word 2010 because of the vulnerability in the older versions of Microsoft Word. This Tuesday Microsoft will release Security Updates to address four major vulnerabilities, out of which two are labeled as critical and remaining two are Important to patch as the flaws are affecting various Microsoft software such as, Microsoft Office suite, Microsoft web apps, Microsoft Windows, Internet Explorer etc. VULNERABILITY THAT YOU  MUST PATCH Google Security Team has reported a critical Remote code execution vulnerability in Microsoft Word 2010 ( CVE-2014-1761 ) which could be exploited by an attacker to execute the malicious code remotely via a specially crafted RTF file , if opened by a user with an affected vers

Germany has confirmed its biggest Data theft in the country's history with usernames and passwords of some 18 million email accounts stolen and compromised by hackers. The Story broke by the German press, Der Spiegel on Thursday, when German Authorities revealed another mass hacking of private data belonged to German citizens and major Internet companies both in Germany and abroad. 16 MILLION AND NOW 18 MILLION Authorities in the northwestern city of Verden unearthed a treasure of personal information, a list of about 18 million stolen email addresses and passwords, and seized it just after only two months from the previous major data breach, when researchers came across 16 million compromised email accounts of German users while conducting research on a botnet, a network of computers infected with malware.  The accounts were compromised by hackers in the mid of January, and Der Spiegel suggests that the same group of hackers is responsible for both thefts and t

iOS devices have a feature called ' Find My iPhone ', allows device owner to locate their stolen devices using linked Apple ID with iCloud Account. Unfortunately, a security flaw in iOS make it possible to turn off Find My iPhone without a password and enabled thieves to bypass the protection which makes the iPhone  untraceable if lost or stolen. To Set-Up ' Find My iPhone ' feature, users need to link their Apple ID with it and this will not only helps in locating the device but also gives permission to its user to remove all the data, drive direction to the lost device, lock the device by a passcode and displays a custom message on the locked screen. KILL 'Find My iPhone' WITHOUT APPLE PASSWORD Normally, disabling Find My iPhone requires Apple ID password, but according to the vulnerability reported by  Miguel Alvarado,  a thief can bypass all of this security feature without knowing your Apple account's password . In a video demons

Have you noticed a blue color " Free Voice Call " icon that appears next to your Facebook contacts in the iOS and Android Facebook Messenger app? Yes, Facebook has updated their Messenger app that includes the ability to make free voice calls to your online pals and now Facebook users can simply tap the phone icon to call their friends. FACEBOOK DITCH WHATSAPP OVER CALLING FEATURE WhatsApp was reportedly developing voice call feature since last year and when it was acquired by Facebook for $19 billion in February, users estimated that Facebook will add Internet calling feature to Whatsapp soon, rather than to its own Facebook Messenger. However, the WhatsApp VoIP calling is still to come and is expected to launch the update with the feature in the coming weeks, but sadly before that Facebook may leave other popular free calling apps, such as Viber, Line, Google's Hangout, Skype behind. USERS' PRIVACY AT RISK, AS NO ENCRYPTION As expected, Faceboo

Beware! Hackers can cause Traffic jams with just a navigation Smartphone application. Two Israeli students were assigned by college to hack Google-owned Waze GPS app , an Israeli-made Smartphone app that provides directions and alerts drivers to traffic and accidents. Shir Yadid and Meital Ben-Sinai , fourth-year students at Technion-Israel Institute of Technology, with the help of two advisers created a virtual program that successfully caused the popular navigation application Waze to report fake traffic jams,  Haaretz  reported. They successfully launched a demo cyber attack against the popular navigation app, with no evil intention to cause any damage to the app, instead it was a simple assignment handed over to these students to demonstrate up to what a malicious hacker could do by creating a fake traffic jam on any popular app, like Waze that provides real-time traffic updates and notifications to users on the road. HOW TO JAM TRAFFIC? To carry out their proje

A 5-year-old San Diego boy managed to hack one of the most popular gaming systems in the world, Xbox and has now been acknowledged as a security researcher by Microsoft. Kristoffer Von Hassel uncovered a vulnerability in Xbox Live's password system, that would allow someone to log into a Xbox player's account without their password. Kristoffer's parents noticed he was logging into his father's Xbox Live account simply by tapping the space bar. YES, BACKDOOR ENTRY WITH JUST SPACE-BAR His father noticed that Kristoffer logged in as his Xbox Live account to play video games that he wasn't meant to be playing and asked how he had done it.  Kristoffer revealed that by typing in the wrong password and then by pressing the spacebar, he bypassed the password verification through a backdoor, and it was pretty simple! HIS FEELING, "was like yeah!" 5-year-old gamer actually hacked the authentication system of a multi-billion dollar company,

An application layer or 'layer 7' distributed denial of service ( DDoS ) attacks is one of the most complicated web attack that disguised to look like legitimate traffic but targets specific areas of a website, making it even more difficult to detect and mitigate. Just Yesterday Cloud-based security service provider ' Incapsula ' detected a unique application layer DDoS attack, carried out using traffic hijacking techniques. DDoS attack flooded one of their client with over 20 million GET requests, originating from browsers of over 22,000 Internet users. What makes this case especially interesting is the fact that the attack was enabled by persistent XSS vulnerability in one of the world's largest and most popular site - one of the domains on Alexa's " Top 50 " list. XSS  vulnerability  to Large-Scale DDoS Attack Incapsula has not disclosed the name of vulnerable website for security reasons, but mentioned it as a high profile video content provider

ON HIGH-PRIORITY YAHOO! is finally rolling out encryption implementation over their site and services in order to protect users. Yahoo is rapidly becoming one of the most aggressive supporters of encryption, as in January this year Yahoo enabled the HTTPS connections by default, that automatically encrypts the connections between users and its email service. November last year, Yahoo revealed plans to encrypt all information that moves between its data centers and finally from 31st March Yahoo has taken another leap in user-data protection through the deployment of new encryption technologies. NSA TARGET LIST -  GMAIL, YAHOO, ... many more. Last year, It was revealed by  Edward Snowden  that under MUSCULAR program , the spy agency NSA was infiltrating the private data links between Google and Yahoo data centers. After finding themselves in the NSA's target list, Yahoo! and Google forced to think hard about the security and privacy of its users. Google had replied back

A Free Chrome, Firefox and Safari web browser plugin floating around the web, called ' Sell Hack ' allows users to view the hidden email address of any LinkedIn user, means anyone can grab email addresses that we use for professional purposes. When installed, the ' Sell Hack ' plugin will pop up a ' Hack In ' button on LinkedIn profiles and further automatically mines email addresses of LinkedIn users. NOT A SECURITY BREACH It's not a Security breach, LinkedIn has confirmed that no LinkedIn data has been compromised, but rather this free extension rely on an algorithm that checks publicly available data in order to guess users' email addresses. So without exploiting any loophole or vulnerability, Sell Hack is capable of predicting users' email addresses with OSINT (Open-Source Intelligence) techniques i.e. information collected from publicly available sources. It is also possible that, the Sell Hack extension is gathering data from

The Distributed Denial of Service (DDoS) attack is becoming more sophisticated and complex with the increase in the skills of attackers and so, has become one of favorite weapon for the cyber criminals to temporarily suspend or crash the services of a host connected to the Internet and till now nearly every big site had been a victim of this attack. Since 2013, Hackers have adopted new tactics to boost the sizes of Distributed Denial of Service ( DDoS ) attack known as ' Amplification Attack ', leveraging the weakness in the UDP protocols. One of the commonly used by hacker is (Domain Name System) DNS Reflection Denial of Service (DrDoS). WHAT IS DrDoS ATTACK? The DNS Reflection Denial of Service (DrDoS) technique exploits security weaknesses in the Domain Name System (DNS) Internet protocol. Using Internet protocol spoofing, the source address is set to that of the targeted victim, which means all the replies will go to the target and the target of the attack receives re

Hardly two month ago we reported about the first widely spread Android Bootkit malware , dubbed as ' Oldboot.A ', which infected more than 500,000 Smartphone users worldwide with Android operating system in last eight months, especially in China. Oldboot is a piece of Android malware that's designed to re-infect Mobile devices even after a thorough cleanup. It resides in the memory of infected devices;  It modify the devices' boot partition and booting script file to launch system service and extract malicious application during the early stage of system's booting. Yet another alarming report about Oldboot malware has been released by the Chinese Security Researchers from ' 360 Mobile Security '. They have discovered a new variant of the Oldboot family, dubbed as ' Oldboot.B ', designed exactly as Oldboot.A, but new variant has advance stealth techniques. Especially, the defense against with antivirus software, malware analyzer, and automatic a

So, is your Safari Web Browser Updated?? Make sure you have the latest web browser updated for your Apple Macintosh systems, as Apple released Safari 6.1.3 and Safari 7.0.3 with new security updates. These Security updates addresses multiple vulnerabilities in its Safari web browser, which has always been the standard browser for Mac users. This times not five or ten, in fact about two dozen. Apple issued a security update to patch a total of 27 vulnerabilities in Safari web browser, including the one which was highlighted at Pwn2Own 2014 hacking competition. The available updates replace the browser running OSX 10.7 and 10.8 with the latest versions of browser 6.1.3, and OSX 10.9 with 7.0.3. Among the 27 vulnerabilities, the most remarkable vulnerability addressed in the update is CVE-2014-1303 , a heap-based buffer overflow that can be remotely exploited and could lead to bypass a sandbox protection mechanism via unspecified vector. This vulnerability is