The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Car Hacking is a hot topic today. Today, many automobiles companies are offering vehicles that run on the mostly drive-by-wire system, which means that a majority of car's functions are electronically controlled, from instrument cluster to steering, brakes, and accelerator. No doubt these auto-control systems makes your driving experience better, but at the same time they also increase the risk of getting hacked. Previously researchers demonstrated how hackers can remotely hijack your car to control its steering, brakes and transmission. And Now… According to a team of security researchers, Hackers can successfully disable car's airbags – as well as other functions – by exploiting a zero-day vulnerability in third-party software that is commonly used by car mechanics. The team, including András Szijj and Levente Buttyán of CrySyS Lab, and Zsolt Szalay of Budapest University, demonstrated the hack on an Audi TT car sold by Volkswagen, and said any

Do you need a FitBit Tracker while jogging or running or even sleeping? Bad News! FitBit can be hacked that could allow hackers to infect any PC connected to it. What's more surprising? Hacking FitBit doesn't take more than just 10 Seconds . Axelle Aprville , a researcher at the security company Fortinet, demonstrated "How to hack a Fitbit in only 10 seconds," at the Hack.Lu conference in Luxembourg. Aprville's test was a proof of concept (POC) that did not actually focus on executing malicious payload, rather a logical attack. By using only Bluetooth, Aprville was able to modify data on steps and distance. However, she said it is possible to infect the device in an attempt to spread malware to synced devices. Fitbit Flex tracker is a flexible wristband that measures health statistics, such as blood pressure and heart rate. The Flex is a product of Fitbit, and its salient features are: It can wake you up with a silent vibrati

Super Low RPO with Continuous Data Protection: Dial Back to Just Seconds Before an Attack Zerto , a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use snapshots, agents, or any other periodic data protection methodology. Zerto has no impact on production workloads and can achieve RPOs in the region of 5-15 seconds across thousands of virtual machines simultaneously. For example, the environment in the image below has nearly 1,000 VMs being protected with an average RPO of just six seconds! Application-Centric Protection: Group Your VMs to Gain Application-Level Control   You can protect your VMs with the Zerto application-centric approach using Virtual Protection Groups (VPGs). This logical grouping of VMs ensures that your whole applica

TalkTalk , one of the biggest UK-based phone and Internet service provider with more than 4 Million customers, has been hacked again, the company announced late Thursday. TalkTalk is informing its 4 million customers that it has fallen victim to a "significant and sustained cyber attack" and it is possible that sensitive data including bank details have been stolen. In February, TalkTalk suffered a major data breach in which its customer details were stolen and misused by scammers to access additional information as well as steal considerable amount of money. What data might have been Exposed? According to the company, potentially all of its 4 Million customers could be affected by the data breach. However, TalkTalk hasn't specified exactly what kind of data was stolen from its servers, but says that the systems accessed by hackers contained information including: Credit card details and/or bank details Full names Postal addresses Dates

Joomla – one of the most popular open source Content Management System (CMS) software packages, has reportedly patched three critical vulnerabilities in its software. The flaws, exist in the Joomla version 3.2 to 3.4.4, include SQL injection vulnerabilities that could allow hackers to take admin privileges on most customer websites. The patch was an upgrade to Joomla version 3.4.5  and only contained security fixes. The vulnerability, discovered by Trustwave SpiderLabs researcher Asaf Orpani and Netanel Rubin of PerimeterX, could be exploited to attack a website with SQL injections. SQL injection ( SQLi ) is an injection attack wherein a bad actor can inject/insert malicious SQL commands/query (malicious payloads) through the input data from the client to the application. The vulnerability is one of the oldest, most powerful and most dangerous flaw that could affect any website or web application that uses an SQL-based database. The recent SQLi in Jooml

The connected devices, better known as the Internet of Things , have been attracting the significant interest of, not only users but also cyber criminals that are turning them into weapons for cyber war. Due to the insecure implementation of Internet-connected embedded devices, they are routinely being hacked and used in cyber attacks. We have seen Smart TVs and Refrigerator sending out millions of malicious spam emails ; we have also seen printers and set-top-boxes mining Bitcoins . And Now… Cyber crooks have targeted innocent looking CCTV cameras – common Internet-of-Things (IoT) device – to launch Distributed Denial-of-Service (DDoS) attacks . Also Read: 100,000 Refrigerators and other home appliances hacked to perform cyber attack. Yes, Surveillance cameras in shopping malls are being targeted to form a large botnet that can blow large websites off the Internet by launching crippling Distributed Denial-of-service (DDoS) attacks. THE CAUSE The cro

Breaking.... WikiLeaks, The Anti-secrecy and transparency organization, claims to have obtained the contents of CIA Director John Brennan 's personal AOL email account. Also, Julian Assange, founder of WikiLeaks , has promised to publish them soon on their website. Earlier this week, Brennan's personal email account was hacked by an anonymous self-described high school student, who swiped sensitive top-secret data from it. The teenager also posted a partial Spreadsheet filled with the supposed names, email addresses, phone numbers and Social Security numbers (SSNs) of 2,611 former and current government intelligence officials. Also Read:   High school Student Hacked Into CIA Director's Personal Email Account Anonymous Teenage Hacker is motivated by opposition to American foreign policy, particularly in respect to the Israel-Palestine conflict, according to an interview. The Central Intelligence Agency did not confirm whether the hack happened

US Federal Official: Unlock that iPhone for me? Apple: Sorry, Nobody can do this! Neither we, nor you. Yes, in a similar manner, Apple told a U.S. federal judge that it is " IMPOSSIBLE " to access data stored on a locked iPhone running iOS 8 or later iOS operating system. In short, Apple has reminded everyone that the tech giant can not, and will not, break its users' encryption if the government official asks it to. Apple revealed this in a court filing late Monday in response to the U.S. federal magistrate judge, who is being requested by the Justice Department to force the company to help authorities extract data from a seized iPhone. However, Apple says that it has the " technical ability " to help federal enforcement unlock older iOS devices – and almost 10 percent of iOS devices are running older versions of the operating system. In the brief filed Monday, Apple said : "In most cases now and in the future, the government's requested order would

Yes, Let's Encrypt is now one step closer to its goal of offering Free HTTPS certificates to everyone. Let's Encrypt  – the free, automated, and open certificate authority (CA) – has announced that its Free HTTPS certificates are Now Trusted and Supported by All Major Browsers . Let's Encrypt enables any website to protect its users with free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates that encrypt all the Internet traffic passed between a site and users. Not only free, but the initiative also makes HTTPS implementation easier for all website or online shopping site owner to ensure its users that their browser activities and transactions are safe from snoopers. Let's Encrypt issued its first free HTTPS certificate last month and was working with other major browsers to recognize its certificate as a trusted authority. Let's Encrypt achieved a New Milestone Let's Encrypt has received cross-signatures from SSL

October 1, 2015, was the end of the deadline for U.S. citizens to switch to Chip-enabled Credit Cards for making the transactions through swipe cards safer. Now, a group of French forensics researchers have inspected a real-world case in which criminals played smart in such a way that they did a seamless chip-switching trick with a slip of plastic that it was identical to a normal credit card. The researchers from the École Normale Supérieure University and the Science and Technology Institute CEA did a combined study of the subject, publishing a research paper [ PDF ] that gives details of a unique credit card fraud analyzed by them. What's the Case? Back in 2011 and 2012, police arrested five French citizens for stealing about 600,000 Euros (~ $680,000) as a result of the card fraud scheme, in spite of the Chip-and-PIN cards protections. How did the Chip-and-Pin Card Fraud Scheme Work? On investigating the case, the researchers discovered that the n

For most of us Hacking is Technological in Nature. But, we usually forget the most important element of hacking that makes a successful hack from 10% to over 90%... ... The Human Element . And here the Social Engineering comes in. Social Engineering deals with non-technical kind of intrusion and manipulation that relies heavily on human interaction rather than technology. Social Engineering is popular because the human element is frequently the weakest part of a system and most prone to mistakes. Most businesses and organizations spend a ton of money on the latest shiny technology that promises to fix their security issues while humans are giving hackers the easiest way to get in. Impact of Social Engineering  Social Engineering has been the primary cause of a number of the most high profile cyber-attacks in recent years. The impact of it on an organisation could result in economic loss, loss of Privacy, temporary or permanent Closure, loss of goodwill

Hackers have come after your phone, your computer, and your car . Now hackers are coming after your home refrigerators, Smart TVs , and eventually KETTLES . Yes, your kettle turns out good for more than just heating up water or making coffee for you– they are potentially a good way for hackers to breach your wireless network. Also Read:   How to Weaponize your Cat to Hack Neighbours' Wi-Fi Passwords . Ken Munro, a security researcher at PenTest Partners, has managed to hack into an insecure iKettle , which was proclaimed " the world's first WiFi kettle " by its developers, and stolen a home's Wi-Fi password. Besides boiling water, the iKettle can connect to a user's home WiFi network. It also comes inbuilt with an Android and iOS app that allows the user to switch on the kettle and boil the water from other location. However, the biggest security flaw resides in the Android iKettle app that keeps the kettle's password as the defa

It's inevitable. Most security threats eventually target privileged accounts. In every organization each user has different permissions, and some users hold the metaphorical keys to your IT kingdom. If the privileged accounts get compromised, it can lead to theft or sabotage. Because these accounts control delicate parts of your IT operations, and it is important to know who has privileges, what privileges they have, when they received access, and what activity they've done. This is where Security Information and Event Management (SIEM) software comes in handy. SIEM Monitors and Alerts on Privileged Account Activity Comprehensive monitoring of privileged accounts can be challenging because you need to monitor users who are administrators, users with root access, and users with access to firewalls, databases, services, automated processes, etc. With every additional user, group, and policy monitoring account activity gets increasingly difficult. On top of mo

Yes, Google wants you to keep your bits and bytes as safe as possible through encryption. With the launch of Android 5.0 Lollipop last year, Google wanted to make full disk Encryption mandatory , but unfortunately, the idea did not go too well. However, Google thinks the idea will go right this time, and it will try again to require full-disk encryption by default for devices that release with the newest Android 6.0 Marshmallow and higher versions. Google has published the new version of the Android Compatibility Definition Document ( PDF ), mandating Android encryption with a couple of exceptions in Android 6.0 Marshmallow. The document reads: "For device implementations supporting full-disk encryption and with Advanced Encryption Standard (AES) crypto performance above 50MiB/sec, the full-disk encryption MUST be enabled by default at the time the user has completed the out-of-box setup experience." New smartphones and tablets that ship with Androi

Apple is cleaning up its iTunes App Store again – for the third time in two months – following another flood of iOS apps that secretly collect users' personal information. Researchers discovered more than 250 iOS apps that were violating Apple's App Store privacy policy , gathering personal identifiable data from almost one Million users estimated to have downloaded those offending apps. The offending iOS applications have been pulled out of the App Store after an analytics service SourceDNA reported the issue. After XcodeGhost , this is the second time when Apple is cleaning its App Store. Malicious iOS Apps Stealing Users' Private Info The malicious applications were developed using a third-party software development kit (SDK) provided by Youmi, a Chinese advertising company. Once compiled and distributed on Apple's official App Store, those apps secretly accessed and stored users' personal information, including: A list of apps installed on the victim's phone Serial nu

Security researchers have uncovered a new piece of Adware that replaces your entire browser with a dangerous copy of Google Chrome , in a way that you will not notice any difference while browsing. The new adware software, dubbed " eFast Browser ," works by installing and running itself in place of Google Chrome The adware does all kinds of malicious activities that we have seen quite often over the years: Generates pop-up, coupon, pop-under and other similar ads on your screen Placing other advertisements into your web pages Redirects you to malicious websites containing bogus contents Tracking your movements on the web to help nefarious marketers send more crap your way to generating revenue Therefore, having eFast Browser installed on your machine may lead to serious privacy issues or even identity theft. What's Nefariously Intriguing About this Adware? The thing that makes this Adware different from others is that instead of taking contr

A self-described teenage hacker has claimed to have hacked into personal AOL email account of Central Intelligence Agency (CIA) Director John Brennan and swiped sensitive top-secret data. It's Really a major embarrassment for Brennan as well as the CIA. The hacker, who describes himself as an American high school student, called the New York Post to describe his exploits. According to the teenage hacker, Brennan's private email account held a range of sensitive files, which includes: His 47-page application for top-secret security clearance Social Security numbers (SSNs) and personal information of more than a dozen top US intelligence officials A government letter discussing " harsh interrogation techniques " used on terrorist suspects Sensitive Information Leaked The teenage hacker operates with under the Twitter name " Crackas With Attitude " with Twitter handle @_CWA_ . He confirmed the Post that he also controlled the