The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

There's a good news for app developers. On Wednesday at Twitter's first annual developer conference Flight, the company announced a new tool for developers which will allow users to log-in to mobile applications using their phone numbers rather than a traditional username and password combinations. SAY NO TO PASSWORD The service will be called Digits, aimed at application developers looking for an easier, password-free login option for their mobile applications  – in a similar way to Snapchat , WhatsApp and Viber that rely only on verified users' mobile numbers for sign-in, rather than the traditional ID and password combination. " This is an entirely new native mobile sign up service that makes mobile-first sign-up frictionless, and creates an identity relationship entirely between you and your users ," said Twitter CEO Dick Costolo, speaking at the Twitter Flight developer conference in San Francisco. DEVELOPERS DON'T TRUST TWITTER On one hand, where o

Good news for iOS 8.1 users! The Chinese jailbreaking team Pangu has released a software tool that allows users to Jailbreak their iPhones, iPads and iPods running the latest version of Apple's mobile operating system, iOS 8 and iOS 8.1 . That was really very quick, as iOS users need to wait quite long for the jailbreaks. Pangu developer team is the same group responsible for jailbreaking iOS 7 few months back. The group made its jailbreak tool available by releasing a download link for the developers edition before quickly removing it. The link for the tool on Pangu's site is currently unavailable, with the team noting on their official Twitter account that, " Current Pangu Jailbreak v1.0.0 is disabled remotely because we are fixing bug which may cause lost of your photos. Please wait … " The developer edition of the jailbreak iOS 8 tool didn't come with the Cydia app store , which would make the tool useless for an average iOS users who likes jail

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

Google is offering its users a completely new and better experience of its mailing service. And in an effort to do this, the company has launched a new email service, an alternative to Gmail, called " Inbox " on Wednesday that aims to make email more useful and preview next-generation capabilities. Inbox will not replace Gmail, the company's popular 10-year-old email product, instead it will sit next to its Gmail service and will provide users' better organize their emails with live alerts for appointments, flight bookings and package deliveries in a more user-friendly way. "Years in the making, Inbox is by the same people who brought you Gmail, but it's not Gmail: it's a completely different type of inbox, designed to focus on what really matters," wrote Sundar Pichai, Google's senior vice president of Android , Chrome and apps, in a blog post . According to the company, the Inbox service was designed to deal with the problem of ge

A recently discovered hole in the security of the Bourne-Again Shell (bash) has the majority of Unix/Linux (including OS X) admins sweating bullets. You should be, too--attackers have already developed exploits to unleash on unpatched web servers, network services and daemons that use shell scripts with environment variables ( this can include network equipment, industrial devices, etc .) Jaime Blasco , AlienVault Labs Director, gives a good explanation of the exploit in this blog post . And, the video below gives you a quick overview of how AlienVault Unified Security Management (USM)  can detect malicious traffic on your network trying to locate and exploit this vulnerability. Basically, this vulnerability allows an attacker to execute shell commands on a server due to an issue in how bash interprets environment variables (such as "cookie", "host", "referrer"). Exploiting this allows an attacker to run shell commands directly. Once they have access to run shell comm

It seems that there is no end to the Windows zero-days, as recently Microsoft patched three zero-day vulnerabilities in Windows which were actively exploited in the wild by hackers, and now a new Zero-day vulnerability has been disclosed affecting all supported releases of Windows operating system, excluding Windows Server 2003. Microsoft has issued a temporary security fix for the flaw and also confirmed that the zero-day flaw is being actively exploited by the hackers through limited, targeted attacks using malicious Microsoft PowerPoint documents sent as email attachments. According to the Microsoft Security Advisory published on Tuesday, the zero-day resides within the operating system's code that handles OLE (object linking and embedding) objects. OLE technology is most commonly used by Microsoft Office for embedding data from, for example, an Excel spreadsheet in a Word document. The vulnerability (designated as CVE-2014-6352 ) is triggered when a user is forced

Google is taking its users' privacy very serious and making every possible effort for its users just to make them feel secure when they are online. Today, the tech giant has announced its enhanced two-step verification service that is based on a physical USB key, adding yet another layer of security to protect its users from hackers and other forms of online theft. SECURITY KEY- 2 STEP VERIFICATION USING USB DRIVES The "Security Key" feature will currently work on Chrome and will be free for Google users, but the company also notes that the Security Key is supporting the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, which will allow users to log in to Google Accounts by inserting a USB device into their systems. By letting users protect their accounts using two-factor authentication based on physical USB keys, it will be no longer any compulsion for you to type in the six-digit authentication code in Google's Gmail or your Google Acco

The Search Engine giant is not going to spare the Pirated content providing sites . Google is ready to fulfill its commitment to downgrade the search rankings of ' notorious ' piracy sites globally that often rank above legal and commercial sites. Google and the Copyright holders are, to some extent, enemies for years, but in Google's ongoing anti-piracy efforts, the company will fight copyright infringement and assure rights holders that their contents will be appeared at the top of its search results and that the search made up only a small portion of pirate traffic. DOWNGRADE PIRATED SITES Google is preparing major tweaks to its search engine, which you'll be able to see this week, to ensure that the 'notorious' piracy sites that enable the downloading or streaming of pirated contents are out of search results when people search for music, movies and other copyrighted content. The announcement of the algorithm update came as Google updated " How Google Fights

Apple's latest desktop operating system, known as Mac OS X 10.10 Yosemite , sends location and search data of users without their knowledge to Apple's remote servers by default whenever a user queries the desktop search tool Spotlight, which questions users' privacy once again. The technology firm faced criticism on Monday when users came to know about the company's About Spotlight & Privacy which clearly states that anyone who uses the Spotlight feature in either Mac OS X 10.10 Yosemite or its newly launched mobile operating system iOS 8 will have their location and search information passed back to Apple's servers to process. APPLE COLLECTS USERS' DATA AND FORWARDS IT TO MICROSOFT AS WELL On one hand, where Apple decided to enable hard drive encryption by default, despite the FBI requests not to do so. But on the other, the company is itself putting its users' privacy on risk. The same data Apple collects from the users' searched te

Apple iCloud users in China are not safe from the hackers — believed to be working for Chinese government — who are trying to wiretap Apple customers in the country. Great Fire , a reputed non-profit organization that monitors Internet censorship in China, claimed that the Chinese authorities have launched a nationwide Man in the Middle (MITM) campaign against users of Apple's iCloud service, designed to steal users' login credentials and access private data. MAN-IN-THE-MIDDLE ATTACK The attacks on the iCloud service was first reported on Saturday and come as Apple begins the official rollout of its latest launched iPhone 6 and 6 Plus on the Chinese mainland. If we talk about less publicized but more danger, Man-in-the-Middle (MitM) attack is the most common one. By attempting MitM attack, a potential attacker could intercept users' internet communication, steal sensitive information and even hijack sessions. ACCESS TO CREDENTIALS AND ALL PERSONAL DATA Usin

After offering chocolate ( Kit-Kat ), now Google is ready to serve you Lollipops. Google on Wednesday finally revealed the official name of its next version Android L — Android 5.0 Lollipop . The newly released Android 5.0 Lollipop ships with the latest Motorola-made Nexus 6 smartphone and Nexus 9 tablet built by HTC, but the company did not make the Lollipop available for download to other users immediately. The older versions of Nexus devices will receive the Lollipop update in the coming weeks. Lollipop features some significant changes to the Android platform with a sleek new user interface, cross platform support and improved performance via the new ART runtime engine. The operating system also offers better battery life, improved notifications, OpenGL ES 3.1 and 64-bit support, among other features. Here are some most notable features of Android 5.0 Lollipop , along with some insight as to when you might be able to get your hands on it. Google describes Lolli

Tor - Privacy oriented encrypted anonymizing service, has announced the launch of its next version of Tor Browser Bundle, Tor version 4.0 , which disables SSL3 to prevent POODLE attack and uses new transports that are intended to defeat the Great Firewall of China and other extremely restrictive firewalls. Tor is generally thought to be a place where users come online to hide their activities and remain anonymous. Tor is an encrypted anonymizing network considered to be one of the most privacy oriented service and is mostly used by activists, journalists to circumvent online censorship and surveillance efforts by various countries. The popularity of the tool can be estimated by the recent announcement of an Internet router called Anonabox which was the highest crowd funded project on Kickstarter this week, generating more than $500,000 in funding since its launch on Monday. Tor privacy router Anonabox is designed to make all your online activity anonymous and conceal yo

After successful in launching reflection and amplification Distributed Denial-of-Service (DDoS) attacks by abusing various protocols such as DNS, NTP and SMTP, hackers are now abusing Simple Service Discovery Protocol (SSDP) – part of the UPnP protocol standard – to target home and office devices, researchers warned. SSDP is a network protocol based on the Internet Protocol Suite that comes enabled on millions of networked devices, such as computers, printers, Internet gateways, Router / Wi-Fi access points, mobile devices, webcams, smart TVs and gaming consoles, to discover each other and automatically establish working configurations that enable data sharing, media streaming, media playback control and other services. FLAW IN UPnP USED IN AMPLIFICATION DDoS ATTACK Prolexic Security Engineering & Response Team (PLXsert) at Akamai Technologies have issued a warning that the devices use in residential or small office environments are being co-opted into reflection

Smart devices are growing at an exponential pace with the increase in connecting devices embedded in cars, retail systems, refrigerators, televisions and countless other things people use in their everyday life, but security and privacy are the key issues for such applications, which still face some enormous number of challenges. Millions of Network-connected electricity meters or Smart meters used in Spain are susceptible to cyberattack by hackers due to lack of basic and essential security controls that could put Millions of homes at risk, according to studies carried out by a pair of security researcher. HACKERS TO CAUSE BLACKOUT AND BILL FRAUD The security vulnerabilities found in the electricity meters could allow an intruder to carry out billing fraud or even shut down electric power to homes and cause blackouts. Poorly protected credentials inside the devices could let attackers take control over the gadgets, warn the researchers. The utility that deployed the

Facebook is moving a step ahead from others and making its social media service as an information sharing platform in serious situations as well. The social networking giant has announced a new tool, which lets users notify their family and friends that they are safe during or after natural disasters. The tool, named " Safety Check, " will soon be available globally to over 1.32 billion Facebook users on Android, iOS, feature phones and the desktops. The tool is designed to be activated after a natural disaster and by using either the city you lived in or your last location - if you have checked in on " Nearby Friends ", it let's you alert your friends and family that you are safe, while also tracking the status of others. " In times of disaster or crisis, people turn to Facebook to check on loved ones and get updates, " wrote the company in a blog post about the feature. " It is in these moments that communication is most critical both for people in the affected

As part of monthly patch update, Microsoft released eight security bulletins on Tuesday that address dozens of vulnerabilities including a zero-day flaw reportedly being exploited by Russian hackers to target NATO computers and a pair of zero-day Windows vulnerabilities that attackers have been exploiting to penetrate major corporations' networks. Just a day before yesterday, our team reported you about a Zero-day vulnerability discovered by the cyber intelligence firm iSight Partners affecting all supported versions of Microsoft Windows and is being exploited in a five-year old cyber-espionage campaign against the Ukrainian government and U.S organisations. Researchers at FireEye found two zero-day flaws, used in separate, unrelated attacks involving exploitation of Windows kernel, just a day after iSight partners disclosed zero-day in Windows. The pair of zero-day vulnerabilities could allow an attacker to access a victim's entire system. According to the res

Another Heartbleed-like vulnerability has been discovered in the decade old but still widely used Secure Sockets Layer ( SSL ) 3.0 cryptographic protocol that could allow an attacker to decrypt contents of encrypted connections to websites. Google's Security Team revealed on Tuesday that the most widely used web encryption standard SSL 3.0 has a major security vulnerability that could be exploited to steal sensitive data. The flaw affects any product that follows the Secure layer version 3, including Chrome, Firefox, and Internet Explorer. Researchers dubbed the attack as " POODLE ," stands for Padding Oracle On Downgraded Legacy Encryption , which allows an attacker to perform a man-in-the-middle attack in order to decrypt HTTP cookies. The POODLE attack can force a connection to "fallback" to SSL 3.0, where it is then possible to steal cookies, which are meant to store personal data, website preferences or even passwords. Three Google security engineers - Bodo Möll