The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

A security researcher has won $13,000 bounty from Microsoft for finding a critical flaw in its main authentication system that could allow hackers to gain access to a user's Outlook, Azure and Office accounts. The vulnerability has been uncovered by UK-based security consultant Jack Whitton and is similar to Microsoft's OAuth CSRF (Cross-Site Request Forgery) in Live.com discovered by Synack security researcher Wesley Wineberg. However, the main and only difference between the vulnerabilities is that: Flaw discovered by Wineberg affected Microsoft's OAuth protection mechanism while the one discovered by Whitton affected Microsoft's main authentication system. Microsoft handles authentication across its online services including Outlook, Azure and Office through requests made to login.live.com, login.windows.net, and login.microsoftonline.com. Now, for example, if a user browses to outlook.office.com, he/she redirects to a login.microsoftonline

Marcel Lazar Lehel aka " Guccifer " – an infamous Romanian hacker who hacked into the emails and social networking accounts of numerous high profile the US and Romanian Politicians – appeared in the United States court for the first time after extradition. Following Romania's top court approval last month, Guccifer was extradited to the United States recently from Romania, his home country, where he had already been serving a hacking sentence. Lehel has been charged with cyber-stalking, unauthorized access to a protected computer and aggravated identity theft in a nine-count indictment filed in 2014 in a federal district court in Alexandria, the U.S. Justice Department said in a statement. Lehel "hacked into the email and social media accounts of high-profile victims, including a family member of two former U.S. presidents, a former U.S. Cabinet member, a former member of the U.S. Joint Chiefs of Staff and a former presidential advisor," acc

Follow this real-life network attack simulation, covering 6 steps from Initial Access to Data Exfiltration. See how attackers remain undetected with the simplest tools and why you need multiple choke points in your defense strategy. Surprisingly, most network attacks are not exceptionally sophisticated, technologically advanced, or reliant on zero-day tools that exploit edge-case vulnerabilities. Instead, they often use commonly available tools and exploit multiple vulnerability points. By simulating a real-world network attack, security teams can test their detection systems, ensure they have multiple choke points in place, and demonstrate the value of networking security to leadership. In this article, we demonstrate a real-life attack that could easily occur in many systems. The attack simulation was developed based on the MITRE ATT&CK framework, Atomic Red Team,  Cato Networks ' experience in the field, and public threat intel. In the end, we explain why a holistic secur

Just last week, the Federal Bureau of Investigation (FBI) issued an urgent "Flash" message to the businesses and organisations about the threat of Samsam Ransomware , but the ransomware has already wreaked havoc on some critical infrastructure. MedStar, a non-profit group that runs 10 hospitals in the Baltimore and Washington area, was attacked with Samsam, also known as Samas and MSIL , last week, which encrypted sensitive data at the hospitals. After compromising the MedStar Medical System, the operators of the ransomware offered a bulk deal: 45 Bitcoins (about US$18,500) for the decryption keys to unlock all the infected systems. But unlike other businesses or hospitals, MedStar did not pay the Ransom to entertain the hackers. So, you might be thinking that the hospitals lost all its important and critical data. Right? But that was not the case in MedStar. Here's How MetStar Successfully dealt with SAMSAM Ransomware MetStar sets an exam

A huge trove of confidential documents from the Panamanian law firm Mossack Fonseca was made public on Sunday in what's known as One of the World's Largest Data Leaks ever, called The Panama Papers . Over 11.5 Million Leaked Files including 2.6 Terabytes of Data Even larger than the NSA wires leak in 2013, the Panama Papers includes 2.6 Terabytes of private data , exposing an enormous web of offshore shell companies frequently used by many of the richest and most powerful members around the globe to evade taxes, hoard money, and skirt economic sanctions. Shared with German newspaper 'Suddeutsche Zeitung' by an anonymous source, the leaked documents then passed on to the International Consortium of Investigative Journalists (ICIJ) – in which 370 Reporters from 100 News Media organizations looked into the massive leak for a year. After a year-long investigation, ICIJ and its reporting partners began publishing a series of leaks on Sunday based on the Pa

A researcher has demonstrated how easy it is to steal high-end drones, commonly deployed by government agencies and police forces, from 2 kilometres away with the help of less than $40 worth of hardware . The attack was developed by IBM security researcher Nils Rodday, who recently presented his findings at Black Hat Asia 2016. Hacking the $28,463 Drone with Less than $40 of Hardware Rodday explained how security vulnerabilities in a drone's radio connection could leverage an attacker ( with some basic knowledge of radio communications ) to hijack the US$28,463 quadcopters with less than $40 of hardware. Rodday discovered ( PPT ) two security flaws in the tested drone that gave him the ability to hack the device in seconds. First, the connection between drone's controller module, known as telemetry box, and a user's tablet uses extremely vulnerable ' WEP ' ( Wired-Equivalent Privacy ) encryption – a protocol long known to be 'crackable in sec