The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Two Google engineers have developed a draft version of an API called WebUSB that would allow you to connect your USB devices to the Web safely and securely, bypassing the need for native drivers. WebUSB – developed by Reilly Grant and Ken Rockot – has been introduced to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG), is build to offer a universal platform that could be adopted by browser makers in future versions of their software. Connecting USB Devices to the Web WebUSB API allows USB-connected devices, from keyboards, mice, 3D printers and hard drives to complex Internet of Things (IoTs) appliances, to be addressed by Web pages. The aim is to help hardware manufacturers have their USB devices work on any platform, including Web, without having any need to write native drivers or SDKs for a dedicated platform. Besides controlling the hardware, a Web page could also install firmware updates as well as perform other essential tasks. Howev

Ransomware has risen dramatically since last few years and is currently one of the most popular threats on the Internet. The Ransomware infections have become so sophisticated with the time that victims end up paying ransom in order to get their critical and sensitive data back. But if you are infected with Petya Ransomware , there is good news for you. You can unlock your infected computer without paying the hefty ransom. Thanks to the Petya author who left a bug in the Ransomware code. What is Petya Ransomware? Petya is a nasty piece of ransomware that emerged two weeks ago and worked very differently from any other ransomware. The ransomware targets the victims by rebooting their Windows computers, encrypting the hard drive's master boot file, and rendering the master boot record inoperable. Also Read:  How to Decrypt CoinVault and Bitcryptor Ransomware A master boot record (MBR) is the information in the first sector of any hard disk that ide

In today's digital world, where connectivity is rules all, endpoints serve as the gateway to a business's digital kingdom. And because of this, endpoints are one of hackers' favorite targets.  According to the IDC,  70% of successful breaches start at the endpoint . Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT teams needing to protect more endpoints—and more kinds of endpoints—than ever before, that perimeter has become more challenging to defend. You need to improve your endpoint security, but where do you start? That's where this guide comes in.  We've curated the top 10 must-know endpoint security tips that every IT and security professional should have in their arsenal. From identifying entry points to implementing EDR solutions, we'll dive into the insights you need to defend your endpoints with confidence.  1. Know Thy Endpoints: Identifying and Understanding Your Entry Points Understanding your network's

Be careful while buying any off-brand electronics from Amazon, as they could end up infecting you. Recently, independent security researcher Mike Olsen discovered that the CCTV surveillance devices sold on Amazon came with pre-installed malware. Olsen discovered this nasty secret after he bought a set of outdoor CCTV surveillance cameras from Amazon for one of his friends. He picked Sony Chip HD 6 Camera 1080P PoE IP CCTV surveillance camera kit sold by the Urban Security Group (USG) on Amazon, as it had good reviews and was a relatively cheap set of 6 cameras with all necessary equipment included. While helping his friend set up the cameras, Olsen logged into the administrator panel to configure the surveillance system and found that the page hosted "no normal controls or settings." Assuming that it might be bad programming, Olsen opened up the browser's developer tools and was surprised to discover a hidden iFrame loaded at the bottom of the bo

The FBI didn't disclose the identity of the third-party company that helped them access the San Bernardino iPhone, but it has been widely believed that the Israeli mobile forensic firm Cellebrite was hired by the FBI to put an end to the Apple vs. FBI case. For those unfamiliar in the Apple vs. FBI case: Apple was engaged in a legal battle with the Department of Justice over a court order that was forcing the company to write software, which could disable passcode protection on terrorist's iPhone, helping them access data on it. However, Apple refused to comply with the court order, so the FBI hired an unknown third-party firm, most likely Cellebrite, who managed to successfully hack the locked iPhone 5C used by the terrorist in the San Bernardino shooting incident last year. The new method helped the Federal Bureau of Investigation (FBI) to hack iPhone 5C, but that wasn't the FBI's victory as the method didn't work on iPhone 5S and later iPhone

Earlier this year, Facebook came across a bunch of duplicate SSL certificates for some of its own domains and revoked them immediately with the help of its own Certificate Transparency Monitoring Tool service. Digital certificates are the backbone of our secure Internet, which protects sensitive information and communication, as well as authenticate systems and Internet users. The Online Privacy relies heavily on SSL/TLS Certificates and encryption keys to protect millions of websites and applications. As explained in our  previous article on The Hacker News , the current Digital Certificate Management system and trusted Certificate Authorities (CAs) are not enough to prevent misuse of SSL certificates on the internet. In short, there are hundreds of Certificate Authorities, trusted by your web browsers and operating systems, that has the ability to issue certificates for any domain, despite the fact you already have one purchased from another CA. An improper

Do you know there is a huge encryption backdoor still exists on the Internet that most people don't know about? I am talking about the traditional Digital Certificate Management System … the weakest link, which is completely based on trust, and it has already been broken several times. To ensure the confidentiality and integrity of their personal data, billions of Internet users blindly rely on hundreds of Certificate Authorities (CA) around the globe. In this article I am going to explain: The structural flaw in current Digital Certificate Management system. Why Certificate Authorities (CA) have lost the Trust. How Certificate Transparency (CT) fixes issues in the SSL certificate system. How to early detect every SSL Certificates issued for your Domain, legitimate or rogue? First, you need to know Certificate Authority and its role: Certificate Authority and its Role A Certificate Authority (CA) is a third-party organization that acts as a centr

More than 135 Million modems around the world are vulnerable to a flaw that can be exploited remotely to knock them offline by cutting off the Internet access. The simple and easily exploitable vulnerability has been uncovered in one of the most popular and widely-used cable modem, the Arris SURFboard SB6141 , used in Millions of US households. Security researcher David Longenecker discovered a loophole that made these modems vulnerable to unauthenticated reboot attacks. He also released his "exploit" after Arris (formerly Motorola) stopped responding to him despite a responsible disclosure. The Bug is quite silly: No Username and Password Protection. Arris does not provide any password authentication set up on the modem's user interface, thus allowing any local attacker to access the administration web interface at 192.168.100.1 without the need to enter a username and password. This issue allows a local attacker to ' Restart Cable Modem '

Do you own a custom domain or a blog under the wordpress.com domain name? If yes, then there is good news for you. WordPress is bringing free HTTPS to every blog and website that belongs to them in an effort to make the Web more secure. WordPress – free, open source and the most popular a content management system (CMS) system on the Web – is being used by over a quarter of all websites across the world, and this new move represents a massive shift over to a more secure Internet WordPress announced on Friday that it has partnered with the Electronic Frontier Foundation's " Let's Encrypt " project, allowing it to provide reliable and free HTTPS support for all of its customers that use custom domains for their WordPress.com blogs. Now every website hosted on wordpress.com has an SSL certificate and will display a green lock in the address bar. "For you, the users, that means you'll see secure encryption automatically deployed on ev

Almost two years back, Apple introduced Swift programming language at its World Wide Developers Conference (WWDC) to the developers who build software applications for Apple devices. Swift was designed to make it easier for developers to create apps for Apple's mobile platform. Usually developers write complete app code and then compile it to see output, but Swift helps them see results in real time instantly while writing code. Now, reports have been emerged that the search engine giant is also considering making Swift programming language a "first class" language choice for programmers making apps for its Android platform. In between an ongoing legal battle with Oracle over Android, Google is planning to bring Swift into the Android platform with at least two major third-party developers — Facebook and Uber, reports The Next Web. Around the time when Apple officially made Swift an open source language, executives from Google, Facebook and Uber attended a m

Although everyone, including Apple, was worried about the iPhone hacking tool used by the Federal Bureau of Investigation (FBI) to access data on iPhone belonged to the San Bernardino shooter, the FBI director said the hack does not work on an iPhone 5S or later. FBI Director James Comey said Wednesday that the agency was able to avoid a prolonged legal battle with Apple by buying a tool from a private source to hack into terrorist Syed Farook's iPhone 5C. Apple was engaged in a legal battle with the Department of Justice (DOJ) for a month over a court order that forces the company to write new software, which could disable passcode protection on Farook's iPhone to help them access data on it. Apple refused to comply with the order, so the FBI worked with a third-party firm, most likely the Israeli mobile forensic firm Cellebrite, and was successfully able to access data on the locked iPhone used in the San Bernardino shooting incident last year. But speaking to the

As reported last week, Microsoft will launch an 'Anniversary Update' for Windows 10 that will bring Ubuntu file system, allowing you to use Bash to run command-line Linux applications without a virtual machine. However, you do not have to wait until this summer to run Bash ( Bourne Again Shell ) on your Windows 10 OS, as Microsoft has released the first preview build of the Windows 10 Anniversary Update to the members of its Insider program. Don't expect it to run Ubuntu directly on Windows 10, as this is basically Ubuntu user-space packages running natively on Windows 10 by the company coming up with real-time translation of Linux system calls into Windows system calls. This new Bash Shell support features a full Ubuntu user space complete with support for tools including ssh, apt, rsync, find, grep, awk, sed, sort, xargs, md5sum, gpg, curl, wget, apache, mysql, python, perl, ruby, php, vim, emacs and more. Windows 10 build 14316's biggest addition is

Hacking Team – the infamous Italy-based spyware company that had more than 400 GB of its confidential data stolen last year – is facing another trouble.  This time not from other hackers, but from its own government. Hacking Team is infamous for selling surveillance spyware to governments and intelligence agencies worldwide, but now it may not be allowed to do so, as the Italian export authorities have revoked the company's license to sell outside of Europe. Almost a year after it was hacked and got all its secrets leaked online , Hacking Team somehow managed to resume its operations and start pitching new hacking tools to help the United States law enforcement gets around their encryption issues. Hacking Team had sold its malware, officially known as the Galileo Remote Control System , to authorities in Egypt, Morocco, Brazil, Malaysia, Thailand, Kazakhstan, Vietnam, Mexico, and Panama. Hacking Team had also signed big contracts with the Federal Burea