The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Can you name which Operating System is most Secure ? ...Windows, Mac, Linux or any particular Linux Distribution? Yes, we get that! It's not an easy thing to pick. Besides Windows, Even the so-called ultra-secure Linux Distros were found to be vulnerable to various critical flaws in past years. Because, almost all Linux Distros use the same Kernel, and the most number of cyber attacks target the Kernel of an operating system. So, It doesn't matter which Linux distribution you use. The kernel is the core part an operating system, which handles all the main activities and enforces the security mechanisms to the entire operating system. Making an Operating System secure requires that vulnerabilities shall not exist in the Kernel, which is the communicating interface between the hardware and the user.  To overcome the above situation, Security Researchers, Mathematicians and Aviation gurus from Boeing and Rockwell Collins joined a team of dedicated NIC

It is finally time to say GoodBye to the old and insecure Web security protocols. Citing the long history of weaknesses in the Secure Sockets Layer (SSL) 3.0 cryptographic protocol and the RC4 Cipher Suite, Google plans to disable support for both SSLv3 as well as RC4 stream cipher in its front-end servers. While announcing on its official blog , the Search Engine giant said the company is looking to put away SSLv3 and RC4 in all of its front-end servers, and eventually, in all its software including Chrome, Android, Web crawlers, and email servers. The move by Google came as no surprise, considering the fact that both RC4 and SSLv3 have been deemed unsecure by the Internet Engineering Task Force (IETF). What are the Problems? SSLv3, which was made outdated 16 years ago, has a long history of security problems like BEAST , out of them the most recent one was POODLE ( Padding Oracle On Downgraded Legacy Encryption ) attacks, which lead to the recovery of plaintext communication

It's not every time malware creators have to steal or buy a valid code-signing certificate to sign their malware – Sometimes the manufacturers unknowingly provide themselves . This is what exactly done by a Taiwan-based networking equipment manufacturer D-Link , which accidently published its Private code signing keys inside the company's open source firmware packages. Dutch news site Tweakers made aware of the issue by one of its readers with online moniker " bartvbl " who had bought a D-Link DCS-5020L security camera and downloaded the firmware from D-Link, which open sources its firmware under the GPL license. However, while inspecting the source code of the firmware, the reader found what seemed to be four different private keys used for code signing. Hackers Could Sign Malware After testing, the user managed to successfully create a Windows application , which he was able to sign with one of the four code signing keys belonging to D-Lin

Permissions in SaaS platforms like Salesforce, Workday, and Microsoft 365 are remarkably precise. They spell out exactly which users have access to which data sets. The terminology differs between apps, but each user's base permission is determined by their role, while additional permissions may be granted based on tasks or projects they are involved with. Layered on top of that are custom permissions required by an individual user.  For example, look at a sales rep who is involved in a tiger team investigating churn while also training two new employees. The sales rep's role would grant her one set of permissions to access prospect data, while the tiger team project would grant access to existing customer data. Meanwhile, special permissions are set up, providing the sales rep with visibility into the accounts of the two new employees. While these permissions are precise, however, they are also very complex. Application admins don't have a single screen within these applications th

A Large number of WordPress websites were compromised in last two weeks with a new malware campaign spotted in the wild. WordPress , a Free and Open source content management system (CMS) and blogging tool, has been once again targeted by hackers at large scale. Researchers at Sucuri Labs have detected a " Malware Campaign " with an aim of getting access to as many devices they can by making innumerable WordPress websites as its prey. The Malware campaign was operational for more than 14 days ago, but it has experienced a massive increase in the spread of infection in last two days, resulted in affecting more than 5000 Wordpress websites. The Security researchers call this malware attack as " VisitorTracker ", as there exists a javascript function named visitorTracker_isMob() in the malicious code designed by cyber criminals. This new campaign seems to be utilizing the Nuclear Exploit Kit and uses a combination of hacked WordPress sites, hidden iframes and nu

Sit Tight on your seats, because you're gonna get a Shock. Microsoft has developed an Operating System powered by LINUX. Close your mouth first. It's True! Microsoft has built its own Linux-based operating system called Azure Cloud Switch (ACS ) and believe me, under Satya Nadella, Microsoft has become more open than ever. According to the announcement made through an official blog post on Microsoft website, Azure Cloud Switch (ACS) describes as "cross-platform modular operating system for data center networking built on Linux." or Simply, " Commodity switch software stack for data center networks". The Purpose of developing Linux-based Azure Cloud Switch (ACS) operating system at Microsoft is to make it simpler to control the hardware from multiple vendors ( such as Switches ) that powers their cloud-based services. And here's the Kicker: "Running on Linux, ACS [Azure Cloud Switch] is able to make use of its vibrant eco

Ever registered on StarBucks website? Change your passwords now! If you are one of those Millions Starbucks customers who have registered their accounts and credit card details on StarBucks website, then your banking details are vulnerable to hackers. An Independent Security Researcher, Mohamed M. Fouad from Egypt, has found three critical vulnerabilities on StarBucks website that could have allowed attackers to take over your account in just one click. The vulnerabilities include: Remote Code Execution Remote File Inclusion lead to Phishing Attacks CSRF (Cross Site Request Forgery) Stealing Credit Cards Details In case of Remote File Inclusion flaw, an attacker can inject a file from any location into the target page, which includes as a source code for parsing and execution, allowing attacker to perform: Remote Code Execution on the company's web server Remote Code Execution on the client-side, potentially allowing attacker to perform othe

Whenever you go to Buy any Electronic Gadget — Phone, Tablet, Laptop, Watch — the most important specification isn't its processor speed or its camera quality. It's how long the device's battery backup is. Imagine easy access to such batteries that provide more battery power after charging it once, do not give up in less time and have a life of many years. To achieve this, the researchers at Massachusetts Institute of Technology (MIT) and Samsung , have developed a new material that could potentially revolutionize the Battery industry. Researchers have solved all these Battery issues with just one weird practical approach, called Solid-State Electrolytes . Today the cells we depend on contain Liquid-State Electrolyte , the researchers thought of replacing the one with a Solid form of electrolyte. Solid-State Electrolytes could simultaneously address the greatest challenges associated with improving lithium-ion batteries (LIB) , with the possibility to increas

A Critical vulnerability discovered in Mozilla's popular Bugzilla bug-tracking software , used by hundreds of thousands of prominent software organizations, could potentially expose details of their non-public security vulnerabilities to the Hackers. So it's time for developers and organizations that use Bugzilla open source bug tracking system to upgrade to the latest patched versions – namely 5.0.1, 4.4.10, or 4.2.15 . Bugzilla is a vulnerability database used by Mozilla as well as many open-source projects and private organizations. Besides patched flaws, these databases also contain sensitive information related to unpatched vulnerabilities reported to organizations. Unfortunately, the researchers at security firm PerimeterX have discovered a vulnerability ( CVE-2015-4499 ) in Bugzilla's email-based permissions process that allowed them to gain high-level permissions on Bugzilla. As a result, it is potentially possible for an attacker to easily access u

iOS 9 is out, and it's time to update your iPhone or iPad to the latest version of Apple's mobile operating system. The new iOS is better, faster, and more efficient than its predecessors, with a number of new features and improvements including enhanced multitasking for iPad, Proactive Assistant Siri, new Low Power mode, Transit directions in Maps and many more. You need to download iOS 9 right away. But, after installing it on your iOS device, you should immediately change these security settings to protect your privacy. Besides various new features, iOS 9 also comes with a handful of security and privacy improvements. So, before doing anything like loading new apps, customizing your phone, or syncing your data, you need to check these settings – and if necessary, changed. 1. Locking the Door Boost iOS 9 Security by Setting a Longer 6-digit Passcode When you set up an iOS device, you are asked to create a passcode to encrypt your entire iPho

The Existing Infrastructure used by Financial institutions like Banks is Archaic, Slow, and Costly, with hardly any innovation in the past three decades. Nine of the World's renowned Banks, including JPMorgan , Royal Bank of Scotland , Goldman Sachs and Barclays , are collaborating with New York-based financial tech firm R3 to create a new framework based on Bitcoin's Blockchain. Yes, they are back in the game yet again, but this time officially! Blockchain — the public and decentralized ledger technology that underpins all Bitcoin transactions has been now recognized as " the future for financial services infrastructure ". The blockchain technology is a way of keeping records by listing the owner's name with all the previous and present transaction the client was involved. It is a public ledger where a list of all the transactions ever executed is maintained. The Banks are planning to develop and implement Blockchain-like Technology where distributed/shared

Mandiant , a FireEye sister concern has been involved in researches related to cyber defense. In their recent findings, a backdoor malware named SYNful Knock identified as the one compromising the principles of Cisco routers with features such as... ...Having an everlasting effect, i.e. Serious Persistence. What?- The malicious program is implanted in the router illicitly through the device's firmware (regardless of the vendor). The goal is achieved by modifying the router's firmware image, which exists even after the device gets a reboot. How?- installing SYNful Knock in Cisco 1841 router, Cisco 2811 router, and Cisco 3825 router. Affected areas- 14 instances in 4 countries including India, Mexico, Ukraine, and the Philippines. Impact- the backdoor is backed up with such abilities that can compromise the availability of other hosts and access to sensitive data in an organization. " The theoretical nature of router-focused attacks created a minds

Recently, Microsoft issued an Emergency patch for a zero-day vulnerability in Internet Explorer that is being exploited to deploy Korplug malware on vulnerable PCs. Korplug , a known variant of PlugX , is a Trojan that creates a backdoor used for information stealing on infected computers. In one of the most publicized cases, an evangelical church in Hong Kong was compromised to deliver the malware. Attackers were able to breach the church's website and inject a malicious iFrame overlay designed to look like the site itself. The iFrame was then used to redirect visitors to a site hosting the IE exploit . Once users land on the website, they are served a java.html which installs Korplug on their computers. To defend against Korplug, system administrators, and security engineers should educate users of corporate assets about these types of hacking techniques. In many cases, organizations are breached because of the lack of internal education around how to ident

With the launch of iOS 9, Apple gave us an ultimate reason to upgrade our Apple devices to its new operating system. The latest iOS 9 includes a security update for a nasty bug that could be exploited to take full control of your iPhone or Macs, forcing most of the Apple users to download the latest update. Australian security researcher Mark Dowd has disclosed a serious vulnerability in AirDrop , Apple's over-the-air file sharing service built into iOS and Mac OS X. How the Attack Works? The vulnerability allows anyone within the range of an AirDrop user to silently install a malicious app on a target Apple device by sending an AirDrop file which involves rebooting of the target device. An attacker can exploit this critical bug even if the victim rejects the incoming file sent over AirDrop. After rebooting takes place, the malicious app gains access to Springboard, Apple's software to manage iOS home screen, allowing the app to fool the victim's iP

The Secret Messages are often designed to be destroyed without a trace. In Spy thriller movie " Mission Impossible ", every time Tom Cruise receives a secret message, the last words state - " This Tape message will self-destruct in 5 seconds "...and BOOM ! There's a sudden explosion, and smoke comes out of the device; containing sensitive information few seconds ago. This Self-destructing thing has become a reality now. Palo Alto Research Center Incorporated (PARC) a Xerox company, involved in R&D in IT and hardware has under Defense Advanced Research Projects Agency's (DARPA'S) Vanishing Programmable Resources (VAPR) achieved success in developing Self-Destructing computer chips capable of destruction in 10 seconds. The phenomenon is quite familiar….isn't it? Now, with DARPA's initiative this is soon going to become a reality intended mainly for the military personnel. With the idea of- "Protection of data that once existed." PARC showcased thi

A Security researcher and hacker, named John Gordon , has found an easy way to bypass the security of locked smartphones running Android 5.0 and 5.1 (Build LMY48M). Many of us use various security locks on our devices like Pattern lock, PIN lock and Password lock in order to protect the privacy of our devices. However, a vulnerability could now allow anyone to take your Android smartphone ( 5.0 build LMY48I ) with locked screen, perform a " MAGIC TRICK " and as a result crash the user interface (UI) for the password screen and gain access to your device. The vulnerability, assigned CVE-2015-3860 , has been dubbed as " Elevation of Privilege Vulnerability in Lockscreen ". How the Attack Works? The secret behind the researcher's "MAGIC TRICK" is as follows: Get the device and open the Emergency dialer screen. Type a long string of numbers or special characters in the input field and copy-n-paste a long string continuously til

Last fall the non-profit foundation EFF ( Electronic Frontier Foundation ) launched an initiative called Let's Encrypt that aimed at providing Free Digital Cryptographic Certificates (TLS) to any website that needs them. Today, Let's Encrypt – a free automated Open-source Certificate Authority (CA) – has signed its first certificate, hitting what it calls a major milestone to encrypt all of the Web. Let's Encrypt enables any Internet site to protect its users with free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates that encrypt all the data passed between a website and users. Not just free, but the initiative also makes HTTPS implementation easier for any website or online shopping site owner in order to ensure the security of their customers' data. "Forget about hours (or sometimes days) of muddling through complicated programming to set up encryption on a website, or yearly fees," EFF explains . "Let's Encr

When a pet dies, or your friend's family member passed away, clicking the 'Like ' button to express your sympathy doesn't feel comfortable. Here a user feels a need of something to express their sadness, disagreement, anger, or something other than 'Like': Facebook should have an empathetic " Dislike " button - or something similar. Is Facebook really thinking about adding a dislike button? The short answer is " YES ." Soon your wish is about to come true. During a question and answer ( Q&A ) session on Tuesday, Facebook CEO Mark Zuckerberg said that the Facebook ' dislike ' button is on the way. "People have asked about the 'dislike' button for many years," Zuckerberg told the audience at Facebook's Menlo Park office. " Today is a special day because today is the day I can say we are working on it and shipping it." Zuck — 'Not every moment is a good moment' Di