The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Thanks to recent events involving certain celebrities' stolen pictures, "brute-force attack" is now one of the hot buzz words making its rounds. As an IT professional - do you know what a brute force attack is, how to spot one when it happens, and how to prevent it? A brute-force attack is, simply, an attack on a username, password, etc. that systematically checks all possible combinations until the correct one is found. Scripts are usually used in these attacks to automate the process of arriving at the correct username/password combination. This is why time is of the essence when it comes to detecting and stopping a brute force attack – the more time the attacker has, the more passwords can be tried. Brute force attacks are one of the few hacks detectable by their volume, rather than their type. In your web (or proprietary app) logs, you'll usually see a crazy amount of failed login attempts, usually originating from the same IP address. You might even see the same accoun

Google on Tuesday launched a Security testing tool "Firing Range" , which aimed at improving the efficiency of automated Web application security scanners by evaluating them with a wide range of cross-site scripting (XSS) and a few other web vulnerabilities seen in the wild. Firing Range basically provides a synthetic testing environment mostly for cross-site scripting (XSS) vulnerabilities that are seen most frequently in web apps. According to Google security engineer Claudio Criscione, 70 percent of the bugs in Google's Vulnerability Reward Program are cross-site scripting flaws . In addition to XSS vulnerabilities , the new web app scanner also scans for other types of vulnerabilities including reverse clickjacking , Flash injection , mixed content, and cross-origin resource sharing vulnerabilities. Firing Range was developed by Google with the help of security researchers at Politecnico di Milano in an effort to build a test ground for automated scanners

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

A security weakness in Android mobile operating system versions below 5.0 that puts potentially every Android device at risk for privilege escalation attacks, has been patched in  Android 5.0 Lollipop  – the latest version of the mobile operating system. The security vulnerability ( CVE-2014-7911 ), discovered by a security researcher named Jann Horn , could allow any potential attacker to bypass the Address Space Layout Randomization (ASLR) defense and execute arbitrary code of their choice on a target device under certain circumstances. ASLR is a technique involved in protection from buffer overflow attacks. The flaw resides in java.io.ObjectInputStream , which fails to check whether an Object that is being deserialized is actually a serializable object. The vulnerability was reported by the researcher to Google security team earlier this year. According to the security researcher, android apps can communicate with system_service, which runs under admin privileges

As days are passing, encryptio n is becoming a need for every user sitting online. Many tech giants including Google, Apple and Yahoo! are adopting encryption to serve its users security and privacy at its best, but according to Electronic Frontier Foundation (EFF) , the high-tech Web security should not be limited to the wealthiest technology firms. The non-profit foundation EFF has partnered with big and reputed companies including Mozilla, Cisco, and Akamai to offer free HTTPS/SSL certificates for those running servers on the internet at the beginning of 2015, in order to encourage people to encrypt users' connections to their websites. Until now, switching web server over to HTTPS from HTTP is something of a hassle and expense for website operators and notoriously hard to install and maintain it. But, after the launch of this new free certificate authority (CA), called Let's Encrypt , it will be even more easy for people to run encrypted, secure HTTPS websites.

Good news for all Privacy Lovers!! Finally the wildly popular messaging app WhatsApp has made end-to-end encryption a default feature, stepping a way forward for the online privacy of its users around the world. WhatsApp , most popular messaging app with 600 Million users as of October 2014, has partnered with Open Whisper Systems to boost its privacy and security by implementing strong end-to-end encryption on all text messages. The strong end-to-end encryption here means that even Mark Zuckerberg himself can't pry into your conversations, even if asked by law enforcement officials. The app maker describe this move as the " largest deployment of end-to-end encryption ever ." The Open Whisper System is a non-profit software organisation started by security researcher Moxie Marlinspike, who is behind the development of TextSecure app used for encryption. Over the past three years, his team has been in the process of developing a 'modern, open source