The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Earlier this month Tumblr revealed that a third party had obtained access to a set of e-mail addresses and passwords dating back from early 2013, before being acquired by Yahoo. At that time, Tumblr did not reveal the number of affected users, but in reality, around 65,469,298 accounts credentials were leaked in the 2013 Tumblr data breach, according to security expert Troy Hunt, who runs the site Have I Been Pwned . "As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts," read Tumblr's blog . A Hacker, who is going by "peace_of_mind," is selling the Tumblr data for 0.4255 Bitcoin ($225) on the darknet marketplace The Real Deal . The compromised data includes 65,469,298 unique e-mail addresses and "salted & hashed passwords." The Same hacker is also selling the compromised login account data from Fling, Li

Last year, Iran blocked Telegram and many other social networks after their founders refused to help Iranian authorities to spy on their citizens. Now it looks like Iranian government wants tighter controls on all foreign messaging and social media apps operating in the country that will give the authorities a wider ability to monitor and censor its people. All foreign messaging and social media apps operating in Iran have one year to move 'data and activity' associated with Iranian citizens onto servers in Iran, Reuters reported . In order to comply with the new regulations, the companies would need to set up data centers in Iran within one year, but apps may lose a larger number of users by moving data onto Iranian servers. However, transferring data to Iran servers might not be enough, as some of the most popular messaging services like WhatsApp , Apple iMessage , and Telegram are offering end-to-end encrypted communication i.e. nobody in between, not even Whats

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

There's nowhere to hide across the web, especially from the marketing and advertising companies. If you are paranoid about your privacy, you may get upset to know that Facebook will now track and deliver targeted Ads on other apps and websites for everyone, even if you do not have Facebook accounts. Until now, Facebook was showing targeted ads only to its users, but now the social networking giant says it needs extra data to make its ads better. Facebook announced on Thursday that the company is expanding its Audience Network , allowing publishers and developers to reach more people through Facebook advertising. To deliver interest-based Ads to its users as well as non-users alike, Facebook will now use cookies via third-party websites offering Facebook plug-ins (e.g. 'Like' button). "We've designed these updates so that we continue to comply with EU law. In particular, we reflected feedback from people who use Facebook, including a variety of privacy experts

Google has finally won six-year long $9-billion legal battle with Oracle over the use of Java APIs in Android. Oracle filed its lawsuit against Google in 2010, claiming that the company illegally used 11,500 lines of Java code in its Android operating system, violating copyrights owned by Oracle. However, a federal jury of ten people concluded Thursday that Google's use of Java constituted "Fair Use" under US copyright law and delivered a verdict in favor of Google. The case was a big deal as the court decision could have the potential to change the way future apps are written for the Android operating system that is being used by almost 80% of the world's mobile devices. Also Read:   Google 'Android N' Will Not Use Oracle's Java APIs Oracle, who owns Java, had been seeking $9 Billion in damages for the use of application programming interfaces (APIs), which govern how code communicates with other bits of code. However, Google argued that

SWIFT Bank Hackers have attacked another bank in the Philippines using the same modus operandi as that in the $81 Million Bangladesh Bank heist . Security researchers at Symantec have found evidence that malware used by the hacking group shares code similarities with the malware families used in targeted attacks against South Korean and US government, finance, and media organizations in 2009. These historic attacks were attributed to the North Korean hacking group known as Lazarus , who hacked Sony Pictures in 2014. Also Read:   How Hackers Stole $80 Million from Bangladesh Bank . " At first, it was unclear what the motivation behind these attacks were, however, code sharing between Trojan.Banswift (used in the Bangladesh attack used to manipulate SWIFT transactions) and early variants of Backdoor.Contopee provided a connection, " Symantec blog post says. In past few months, some unknown hackers have been targeting banks across the world by gaining access to SWIFT, the worldwi

It's fair to say the success of the ARM-powered Raspberry Pi computers have surpassed expectations and have been a godsend to hobbyists, hackers, and students. If you're one of those people looking for unofficial hacks to install Android OS on a Raspberry Pi device, then stop and wait for the official release. Raspberry Pi computers have largely been Linux affairs, as several Linux distributions have supported this tiny ARM computer. Now, it seems like Raspberry Pi is ready to get official support for one of the most popular mobile operating systems out there: Android . Google has recently registered the $35 Raspberry Pi 3 ‒ the newest version of the Raspberry Pi ‒ as a new device 'tree' in its Android Open Source Project (AOSP) repository . If you're not aware, Raspberry Pi is cheap, credit card-sized, single board ARM computer that looks and feels very basic, but could be built into many geeky projects. What Google is planning for Android and the P

The FBI and other law enforcement agencies have waged legal war on encryption and privacy technologies. You may have heard many news stories about the legal battle between Apple and the FBI over unlocking an iPhone that belonged to the San Bernardino shooter. However, that was just one battle in a much larger fight. Now, in an effort to make its iPhone surveillance-and-hack proof, Apple has rehired security expert and cryptographer Jon Callas , who co-founded the widely-used email encryption software PGP and the secure-messaging system Silent Circle that sells the Blackphone. This is not Apple's first effort over its iPhone security . Just a few months back, the company hired Frederic Jacobs , one of the key developers of Signal — World's most secure, open source and encrypted messaging app . Now Apple has rehired Callas, who has previously worked for Apple twice, first from 1995 to 1997 and then from 2009 to 2011. During his second joining, Callas designed a ful

Last year, a white hat hacker developed a cheap Arduino-based device that looked and functioned just like a generic USB mobile charger, but covertly logged, decrypted and reported back all keystrokes from Microsoft wireless keyboards. Dubbed KeySweeper , the device included a web-based tool for live keystroke monitoring and was capable of sending SMS alerts for typed keystrokes, usernames, or URLs, and work even after the nasty device is unplugged because of its built-in rechargeable battery. Besides the proof-of-concept attack platform, security researcher Samy Kamkar, who created KeySweeper, also released instructions on how to build your own USB wall charger. Now, it seems like hackers and criminal minds find this idea smart. The FBI has issued a warning advisory for private industry partners to look out for highly stealthy keyloggers that quietly sniff passwords and other input data from wireless keyboards. According to the advisory, blackhat hackers have developed their

The importance of increasing online security around personal information has risen due to the increase in cyber attacks and data breaches over recent years. I find it hilarious people are still choosing terrible passwords to protect their online accounts. The massive LinkedIn hack is the latest in the example that proves people are absolutely awful at picking passwords. The data breach leaked 167 Million usernames and passwords online, out of which "123456" was used by more than 750,000 accounts, followed by "LinkedIn" ( 172,523 accounts ), and "password" ( 144,458 accounts ). In a typical authentication mechanism, two-factor verification is the second layer of security that is designed to ensure that you are the only person who can access your account, even if someone knows your password. Project Abacus: Password-free Logins Now Instead of just relying on uniquely generated PINs, Google intends to use your biometrics data – like your typi

In an era where major data hacks are on the rise, it is no surprise breaches on individuals are also up. In just three hours, over 100 criminals managed to steal ¥1.4 Billion ( approx. US$12.7 Million ) from around 1,400 ATMs placed in small convenience stores across Japan. The heist took place on May 15, between 5:00 am and 8:00 am, and looked like a coordinated attack by an international crime network. The crooks operated around 1,400 convenience store ATMs from where the cash was withdrawn simultaneously in 16 prefectures around Japan, including Tokyo, Osaka, Fukuoka, Kanagawa, Aichi, Nagasaki, Hyogo, Chiba and Nigata, The Mainichi reports . Also Read: Tyupkin Malware Hacking ATM Machines Worldwide Many ATM incidents involve a long-established technique called ' ATM Skimming ' in which criminals install devices to obtain card details via its magnetic stripe, or use ATM malware or from data breaches, and then work with so-called carders and money mules to pilfe

Despite browsing incognito, blocking advertisements, or hiding your tracks, some websites monitor and track your every move online using a new web-tracking technique called Audio Fingerprinting . This new fingerprinting technique can be utilized by technology and marketing companies to deliver targeted advertisements as well as by law enforcement to unmask VPN or Anonymous users, without even decrypting the traffic. Researchers at Princeton University have conducted a massive privacy survey and discovered that Google, through its multiple domains, is tracking users on nearly 80 percent of all Top 1 Million Domains using the variety of tracking and identification techniques. Out of them, the newest tracking technology unearthed by the researchers is the one based on fingerprinting a machine's audio stack through the AudioContext API . "All of the top five third-parties, as well as 12 of the top 20, are Google-owned domains," the researchers note. "In fact, Goog

How to hack an Instagram account? The answer to this question is difficult to find, but a bug bounty hunter just did it without too many difficulties. Belgian bug bounty hunter Arne Swinnen discovered two vulnerabilities in image-sharing social network Instagram that allowed him to brute-force Instagram account passwords and take over user accounts with minimal efforts. Both brute-force attack issues were exploitable due to Instagram's weak password policies and its practice of using incremental user IDs. "This could have allowed an attacker to compromise many accounts without any user interaction, including high-profile ones," Swinnen wrote in a blog post describing details of both vulnerabilities. Brute-Force Attack Using Mobile Login API Swinnen discovered that an attacker could have performed brute force attack against any Instagram account via its Android authentication API URL, due to improper security implementations. According to his blog post , fo