The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

In Brief Do you own an iPhone? Mac? Or any Apple device? Just one specially-crafted message can expose your personal information, including your authentication credentials stored in your device's memory, to a hacker. The vulnerability is quite similar to the Stagefright vulnerabilities , discovered a year ago in Android, that allowed hackers to silently spy on almost a Billion phones with just one specially-crafted text message. Cisco Talos senior researcher Tyler Bohan, who discovered this critical Stagefright-type bug in iOS, described the flaw as "an extremely critical bug, comparable to the Android Stagefright as far as exposure goes." The critical bug (CVE-2016-4631) actually resides in ImageIO – API used to handle image data – and works across all widely-used Apple operating systems, including Mac OS X, tvOS, and watchOS. All an attacker needs to do is create an exploit for the bug and send it via a multimedia message (MMS) or iMessage inside a Tagg

Another blow to the Tor Project : One of the Tor Project's earliest contributors has decided to quit the project and shut down all of the important Tor nodes under his administration. Lucky Green was part of the Tor Project before the anonymity network was known as TOR. He probably ran one of the first 5 nodes in the TOR network at its inception and managed special nodes inside the anonymity network. However, Green announced last weekend that "it is no longer appropriate" for him to be part of the Tor Project, whether it is financially or by providing computing resources. TOR, also known as The Onion Router , is an anonymity network that makes use of a series of nodes and relays to mask its users' traffic and hide their identity by disguising IP addresses and origins. The TOR network is used by privacy-conscious people, activists, journalists and users from countries with strict censorship rules. Crucial and Fast TOR Nodes to be Shut Down Soon Alongs

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

Japanese telecommunication giant SoftBank has confirmed that the company intends to acquire UK chip designer ARM Holdings for almost $32 Billion (£24.3 Billion) in an all-cash deal. ARM has also agreed to this offer from SoftBank and said that its board would recommend the all-cash deal to shareholders. SoftBank will pay nearly $22.5 per ARM share, which is 43 percent more than ARM's closing share price on Friday and 41 percent more than ARM's all-time high closing share price. The deal is the largest-ever acquisition of a European technology business, first reported by The Financial Times. Wondering Why is ARM really Worth $32 Billion? Founded in 1990, Cambridge-based ARM Holdings designs microchips for a variety of smartphones and powers more than 95 percent of the smartphones in the market. Whether it is Apple's iPhones or iPads, Samsung's Galaxy smartphones, Amazon's Kindle e-readers, the cheapest Nokia phones or Internet-connected devices li

Smart hackers could exploit a loophole that could allow them to steal a significant amount of cash from Google, Microsoft and Instagram using a Premium rate phone number. Security researcher Arne Swinnen from Belgium has discovered an ingenious way to steal money from big tech companies like Google, Microsoft, and Instagram using their two-factor authentication (2FA) voice-based token distribution systems. Swinnen argues that any attacker with malicious intent could create fake Google, Microsoft or Instagram accounts, as well as premium phone services, and then link them together. The attacker could then request 2FA voice-based tokens for all fake accounts using an automated scripts, placing legitimate phone calls to his service to earn him quite a nice profit. Swinnen created accounts on Google, Microsoft Office 365 and Instagram and then tied them to a premium phone number instead of a regular one. As a result, whenever one of these three services would call the account'

Pokémon GO launched just two weeks ago, and people have been getting crazy to catch 'em all. Users, on an average, are spending more time engaged with the new Pokémon GO app than any other apps like Snapchat. But, before downloading and playing Nintendo's new location-based augmented reality game, users are required to keep the following points in their minds: 1. Unofficial Pokémon GO app might contain Malware Since Pokémon GO is currently available in only a few countries, many third-party gaming websites are offering tutorials due to huge interest surrounding the app, recommending users to download the APK from a non-Google Play link. Users need to "side-load" the malicious app to install the APK by modifying their Android core security settings, which allows their device's OS to install apps from " untrusted sources ." However, researchers have discovered that many of these online tutorials are linked to malicious versions of the Pokém

Online privacy is an Internet buzzword nowadays. If you are also concerned about the privacy of your web surfing, the most efficient way is to use TOR – a free software that lets users communicate anonymously by hiding their actual location from snoopers. Although TOR is a great anonymous network, it has some limitations that could still allow a motivated hacker to compromise the anonymity of legions of users, including dark web criminals as well as privacy-minded innocents. Moreover, TOR (The Onion Network) has likely been targeted by the FBI to arrest criminals , including the alleged Silk Road 2 lieutenant Brian Richard Farrell, who was arrested in January 2014. Even the TOR Project accused the FBI of paying the researchers of Carnegie Mellon University (CMU) at least $1 Million to disclose a technique that could help the agency unmask TOR users and reveal their IP addresses as part of a criminal investigation. So, what's next? Is there an alternative? Well, most p

No software is immune to being Hacked! Not even Linux. The Ubuntu online forums have been hacked, and data belonging to over 2 Million users have been compromised, Canonical just announced. The compromised users' data include their IP addresses, usernames, and email addresses, according to the company, who failed to apply a patch to secure its users' data. However, users should keep in mind that the hack did not affect the Ubuntu operating system, or it was not due to a vulnerability or weakness in the OS. Instead, the breach only affected the Ubuntu online forums that people use to discuss the OS, said BetaNews, who initially reported the news. "There has been a security breach on the Ubuntu Forums site," Jane Silber, Chief Executive Officer at Canonical wrote in a blog post . "We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation." "C

Especially after the Snowden revelations of global  mass surveillance by US intelligence agencies at home and abroad, various countries demanded tech companies including Google, Apple, and Microsoft to set-up and maintain their servers in respective countries in order to keep their citizen data within boundaries. The US government has powers to comply US-based tech companies with the court orders to hand over their customers' data stored on servers, even if the data centers are beyond US borders. Now, the recent court decision has proven that the data centers and servers located outside the US boundaries are safe haven. The Second Circuit Court of Appeals in New York ruled Thursday that the United States government cannot force tech companies to give the FBI or other federal authorities access to their non-US customers' data stored on servers located in other countries. US Government Can't go Beyond its Boundaries to Collect Data Yes, the Stored Communicatio

Yes, you heard it right. If I tell you not to visit my website, but you still visit it knowing you are disapproved, you are committing a federal crime, and I have the authority to sue you. Wait! I haven't disapproved you yet. Rather I'm making you aware of a new court decision that may trouble you and could have big implications going forward. The United States Court of Appeals for the Ninth Circuit has taken a critical decision on the Computer Fraud and Abuse Act (CFAA): Companies can seek civil and criminal penalties against people who access or visit their websites without their permission. Even Sharing Password is also a Federal Crime... Yes, a similar weird decision was taken last week when the Ninth Circuit Court of Appeals ruled that sharing passwords can be a violation of the CFAA, making Millions of people who share their passwords "unwitting federal criminals." Now, you might be wondering how visiting a publically open website could be a crime. We

Just yesterday, I wrote a warning article announcing that Drupal – the popular open source content management system – will release patches for several highly critical Remote Code Execution (RCE) bugs that could allow attackers to fully take over any affected site. Below are the three separate Drupal modules that affect up to 10,000 websites: 1. RESTful Web Services – a popular module used for creating REST APIs, which is currently installed on at least 5,804 websites. The vulnerability in RESTWS alters the default page callbacks for entities to provide additional functionality, allowing attackers to "send specially crafted requests resulting in arbitrary PHP execution." Since anonymous users can exploit this vulnerability and there isn't any mitigating factor, users are advised to patch their websites as soon as possible. Admins using RESTful Web Services versions 7.x-2.x prior to 7.x-2.6 and versions 7.x-1.x prior to 7.x-1.7 for their Drupal websites are

Why we can't detect all security loopholes and patch them before hackers exploit them? Because... we know that humans are too slow at finding and fixing security bugs, which is why vulnerabilities like Heartbleed , POODLE and GHOST remained undetected for decades and rendered almost half of the Internet vulnerable to theft by the time patches were rolled out. Now to solve this hurdle, DARPA has come up with an idea: To build a smart Artificial Intelligence System that will automatically detect and even patch security flaws in a system. Isn't it a revolutionary idea for Internet Security? The Defense Advanced Research Projects Agency (DARPA) has selected seven teams of finalists who will face off in a historic battle, as each tries to defend themselves and find out flaws without any human control. The DARPA Cyber Grand Challenge will be held at the annual DEF CON hacking conference in Las Vegas next month. Must Read : Artificial Intelligence System that can detec

The extraordinary ' Panama Papers leak ' from Law firm Mossack Fonseca that exposed the tax-avoiding efforts by the world's richest and most influential members was initially believed to be the result of an unpatched vulnerability in the popular content management systems: Drupal and WordPress. Now, we are quite sure that the Panama Papers, which implicated 72 current and former heads of state, was due to vulnerabilities in Drupal and WordPress that allowed hackers to get into the law firm's system and stole over 11.5 Million files (around 2.6 Terabytes of data). The Drupal Security Team has announced that critical patches to address several security issues in Drupal contributed modules, including several highly critical Remote Code Execution (RCE) vulnerabilities, will be released today at 16:00 UTC. According to an advisory, the critical arbitrary remote PHP code execution vulnerability ( PSA-2016-001 ) affects up to 10000 Drupal websites. However, "Drupal c

Security researchers have discovered a new campaign targeting energy companies in Western Europe with a sophisticated malware that almost goes to great lengths in order to remain undetected while targeting energy companies. Researchers from SentinelOne Labs discovered the malware, which has already infected at least one European energy company, is so sneaky and advanced that it is likely believed to be the work of a wealthy nation. The malware, dubbed ' SFG ', contains about 280 kilobytes of code, featuring a vast arsenal of tools rarely seen in ordinary malware samples. It takes " extreme measures " to cleverly and stealthily evade a large number of security defenses before it drops its payload. The malware dismantles antiviruses processes one-by-one until the malware is finally safe to uninstall them all. It also encrypts key features of its code so that it could not be discovered and analyzed. It'll not execute itself if it senses it's being run in

Microsoft's July Patch Tuesday offers 11 security bulletins with six rated critical resolving almost 50 security holes in its software. The company has patched a security flaw in the Windows Print Spooler service that affects all supported versions of Windows ever released, which if exploited could allow an attacker to take over a device via a simple mechanism. The "critical" flaw ( CVE-2016-3238 ) actually resides in the way Windows handles printer driver installations as well as the way end users connect to printers. The flaw could allow an attacker to install malware remotely on victim machine that can be used to view, modify or delete data, or create new accounts with full user rights; Microsoft said in MS16-087 bulletin posted Tuesday. Users who are logged in with fewer user rights on the system are less impacted than users who operate with administrative user rights, such as some home accounts and server users. Microsoft said the critical flaw could

Millions of Xiaomi smartphones are vulnerable to a dangerous remote code execution (RCE) vulnerability that could grant attackers complete control of handsets. The vulnerability, now patched, exists in MIUI – Xiaomi's own implementation of the Android operating system – in versions prior to MIUI Global Stable 7.2 which is based on Android 6.0. The flaw, discovered by IBM X-Force researcher David Kaplan, potentially allows attackers with privileged network access, such as cafe Wi-Fi, to install malware remotely on the affected devices and fully compromise them. Researchers found some apps in the analytics package in MIUI, which can be abused to provide malicious ROM updates remotely through a man-in-the-middle attack. " The vulnerability we discovered allows for a man-in-the-middle attacker to execute arbitrary code as the highly privileged Android 'system' user, " researchers say. Researchers say they discovered vulnerable analytics packages in at lea

You might be aware of Microsoft and Canonical's partnership to integrate " Bash on Ubuntu on Windows 10 ," which is typically a non-graphical Ubuntu running over Windows Subsystem for Linux . Windows 10 doesn't officially support graphical Linux desktop applications. But, now we have noticed a very interesting ticket titled "Run Any Desktop Environment in WSL" raised at Github  repository, in which a user who goes by name Guerra24 has managed to run the graphical version of Ubuntu Linux, i.e. Ubuntu Unity on Windows 10. It's not " Microsoft Linux ." BASH or Bourne Again Shell is capable of handling advanced command line functionalities. Microsoft has provided support for Bash on Windows 10 as an expansion of its command-line tool family, so don't get confused. The Bash on Windows 10 feature is designed only for developers who want to run Linux terminal utilities without any OS dependencies. However, this feature downloads and installs

Nintendo's new location-based augmented reality game Pokémon GO has been making rounds since its launch just a few days ago. People are so excited to catch 'em all that brought Nintendo's market-value gains to $7.5 Billion (£5.8 Billion) in just two days – the highest surge since 1983. Due to the huge interest surrounding Pokémon GO, even hackers are using the game's popularity to distribute malicious versions of Pokémon GO that could install DroidJack malware on Android phones, allowing them to compromise user's devices completely. However, the latest threat is related to the privacy concerns raised about the iOS version of the official Pokémon GO app. Pokémon GO – A Huge Security Risk Adam Reeve labeled the game "malware," saying that Pokémon GO is a "huge security risk" as the game, for some reason, grants itself "full account access" to your Google account when you sign into the app via Google on iPhone or iPad. Ye

" Pokémon Go " has become the hottest iPhone and Android game to hit the market in forever with enormous popularity and massive social impact. The app has taken the world by storm since its launch this week. Nintendo's new location-based augmented reality game allows players to catch Pokémon in the real life using their device's camera and is currently only officially available in the United States, New Zealand, UK and Australia. On an average, users are spending twice the amount of time engaged with the new Pokémon Go app than on apps like Snapchat. In fact Pokémon Go is experiencing massive server overload in just few days of launch. Due to the huge interest surrounding Pokémon Go, many gaming and tutorial websites have offered tutorials recommending users to download the APK from a non-Google Play link. In order to download the APK, users are required to " side-load " the malicious app by modifying their Android core security settings, allowing

Twitter account of another high profile has been hacked! This time, it's Twitter CEO Jack Dorsey. OurMine claimed responsibility for the hack, which was spotted after the group managed to post some benign video clips. The team also tweeted at 2:50 AM ET today saying " Hey, its OurMine,we are testing your security, " with a link to their website that promotes and sells its own "services" for which it has already made $16,500. Although the tweets posted by the group did not contain any harmful content, both the tweet and linked to a short Vine video clip have immediately been removed. Ourmine is the same group of hackers from Saudi Arabia that previously compromised some social media accounts of other CEOs including: Google's CEO Sundar Pichai Facebook's CEO Mark Zuckerberg Twitter's ex-CEO Dick Costolo Facebook-owned virtual reality company Oculus CEO Brendan Iribe Since all tweets posted to Dorsey's account came through Vine,