The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

In the fight against encryption , Apple has positioned itself as a staunch defender of its user privacy by refusing the federal officials to provide encryption backdoors into its products, as well as implementing better encryption for its products. However, a new report from a security firm suggests Apple's online syncing service iCloud secretly stores logs of its users' private information for as long as four months — even when iCloud backup is switched off. Russian digital forensics firm Elcomsoft discovered that Apple's mobile devices automatically send its users' call history to the company's servers if iCloud is enabled, and stored that data for up to four months. And it turns out that there is no way for iCloud users to stop this phone call syncing service unless they completely disable the cloud synchronization feature. Elcomsoft, which sells software to extract data from Apple's iCloud backups and works with police and intelligence agencies,

Setting a passcode on your iPhone is the first line of defense to help prevent other people from accessing your personal details. However, it's pretty much easy for anyone with access to your iPhone to bypass the passcode protection (doesn't matter if you configured Touch ID or not) and access your personal photos and messages. A new critical security flaw discovered in iOS 8 and newer, including 10.2 beta 3, allows anyone to bypass iPhone's passcode and gain access to personal information using the benevolent nature of Apple's personal assistant Siri. The security glitch has been discovered by EverythingApplePro and iDeviceHelps and now that they have gone public with a video demonstration, you can expect Apple to fix this issue in the next iOS beta version. All an attacker need is to find out the phone number of the target's iPhone and access to the phone for a few minutes. But, what if you don't have target's phone number? No worries. You can

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

You won't believe your eyes while reading this, but this is true. Microsoft just joined the Linux Foundation as a high-paying Platinum member. Microsoft's love with open source community is embracing as time passes. At its first Connect event in 2013, the company launched Visual Studio 2013. A year later, Microsoft open sourced .NET, and last year, it open sourced the Visual Studio Code Editor, as well. Not just that, Microsoft partnered with Canonical to bring Ubuntu on Windows 10 , worked with FreeBSD to develop a Virtual Machine image for its Azure cloud , and chosen Ubuntu as the OS for its Cloud-based Big Data services. And the big news for this year is… At its 2016 Connect developer event in New York today, Microsoft announced that the company is joining the Linux Foundation as a Platinum member – the highest level of membership, which costs $500,000 annually. Besides this, Microsoft also announced that tech giant Google has also joined on with the indepen

You need to be more careful next time while leaving your computer unattended at your office, as it cost hackers just $5 and only 30 seconds to hack into any computer. Well-known hardware hacker Samy Kamkar has once again devised a cheap exploit tool, this time that takes just 30 seconds to install a privacy-invading backdoor into your computer, even if it is locked with a strong password. Dubbed PoisonTap , the new exploit tool runs freely available software on a tiny $5/£4 Raspberry Pi Zero microcomputer, which is attached to a USB adapter. The attack works even if the targeted computer is password-protected if a browser is left open in the computer's background. All an attacker need is to plug the nasty device in the target computer and wait. Here's How PoisonTap works: Once plugged into a Windows or Mac computer via USB port, the tiny device starts impersonating a new ethernet connection. Even if the victim's device is connected to a WiFi network, Poi

A hacker with little more than a minute can bypass the authentication procedures on some Linux systems just by holding down the Enter key for around 70 seconds. The result? The act grants the hacker a shell with root privileges, which allows them to gain complete remote control over encrypted Linux machine. The security issue relies due to a vulnerability ( CVE-2016-4484 ) in the implementation of the Cryptsetup utility used for encrypting hard drives via Linux Unified Key Setup (LUKS), which is the standard implementation of disk encryption on a Linux-based operating system. The flaw actually is in the way the Cryptsetup utility handles password failures for the decryption process when a system boots up, which lets a user retry the password multiple times. What's even worse? Even if the user has tried up all 93 password attempts, the user is dropped to a shell (Busybox in Ubuntu) that has root privileges. In other words, if you enter a blank password 93 times – or s

Do you own an Android smartphone? You could be one of those 700 Million users whose phone is secretly sending text messages to China every 72 hours. You heard that right. Over 700 Million Android smartphones contain a secret 'backdoor' that surreptitiously sends all your text messages, call log, contact list, location history, and app data to China every 72 hours. Security researchers from Kryptowire discovered the alleged backdoor hidden in the firmware of many budget Android smartphones sold in the United States, which covertly gathers data on phone owners and sends it to a Chinese server without users knowing. First reported on by the New York Times on Tuesday, the backdoored firmware software is developed by China-based company Shanghai AdUps Technology, which claims that its software runs updates for more than 700 Million devices worldwide. Infected Android Smartphone WorldWide Moreover, it is worth noting that AdUps provides its software to much larger ha

The Dutch hacker, who in 2013 was accused of launching the biggest cyberattack to date against the anti-spam group Spamhaus, escaped prison Monday even after he was sentenced to nearly 8 months in jail because most of his term was suspended. Sven Olaf Kamphuis , 39, was arrested in April 2013 by Spanish authorities in Barcelona based on a European arrest warrant for launching massive distributed denial of service (DDoS) attack against Spamhaus that peaked at over 300 Gbps. Spamhaus is a non-profit group based in Geneva and London that tracks spam and cyber-related threats, creates blacklists of those sites and then sells them to Internet Service Providers. However, the DDoS attacks on the company were so sustained that put "the proper functioning of the Internet at risk and thus the interests of many individuals, businesses and institutions," said the court. Kamphuis was initially sentenced to a total of 240 days, but he has already served 55 days in on remand aft

WhatsApp has introduced a new security feature that fixes a loophole in the popular messaging platform, which if exploited, could allow an attacker to hijack victim's account with just knowing the victim's phone number and some hacking skills. The attack does not exploit any vulnerability in WhatsApp; instead, it relies on the way the account setup mechanism works. WhatsApp allows users to sign up to the app using their phone number, so if an attacker wants to hijack your WhatsApp account, they would require an OTP (One time password) send to your phone number. The attacker can grab this OTP by diverting the SMS containing the passcode to their own computer or phone, using either a malicious app or SS7 vulnerability , and then log into the victim's WhatsApp account. The attack even works in case the phone is locked. In August, Iranian state-sponsored hackers reportedly hijacked over dozens of Telegram accounts belonging to activists and journalists by exploiting a

Hackers can steal your sensitive information, such as your Passwords, PINs and Keystrokes, from your phone by observing changes in the wireless signal as you enter them into your smartphones. A group of researchers from the Shanghai Jaio Tong University, the University of South Florida and the University of Massachusetts at Boston have demonstrated a new technique that can reveal private information by analyzing the radio signal Interference, using just one rogue WiFi hotspot. Dubbed WindTalker, the attack sniffs a user's fingers movement on the phone's touchscreen or a computer's keyboard by reading the radio signal patterns called Channel State Information (CSI). CSI is part of the WiFi protocol which provides general information about the status of the WiFi signal. " WindTalker is motivated from the observation that keystrokes on mobile devices will lead to different hand coverage and the finger motions, which will introduce a unique interference to the mult

Yes, you only need a single laptop with a decent internet connection, rather a massive botnet, to launch overwhelming denial of service (DoS) attacks in order to bring down major Internet servers and modern-day firewalls. Researchers at TDC Security Operations Center have discovered a new attack technique that lone attackers with limited resources (in this case, a laptop and at least 15Mbps of bandwidth) can use to knock large servers offline. Dubbed a BlackNurse attack or the low-rate " Ping of Death " attack, the technique can be used to launch several low-volume DoS attacks by sending specially formed Internet Control Message Protocol (ICMP) packets, or 'pings' that overwhelm the processors on server protected by firewalls from Cisco, Palo Alto Networks, among others. ICMP is a protocol used by routers and other networking devices to send and receive error messages. According to a technical report [ PDF ] published this week, the BlackNurse attack is mo

As reported late October, the world's largest online professional network LinkedIn is going to ban in Russia beginning Monday following a Moscow court decision this week that found Microsoft-owned LinkedIn to be in violation of the country's data protection laws. Here's why LinkedIn is facing ban in Russia: In July 2014, Russia approved amendments to the Russian Personal Data Law that came into force on 1st September 2015, under which foreign tech companies were required to store the personal data of its citizens within the country. Legislation put in place for protecting its citizens' data from the NSA's worldwide surveillance revealed by whistleblower Edward Snowden. The Russian state's federal media regulator, known as Roskomnadzor, is now threatening to block any company that stored its citizens' personal data on non-Russian servers. Facebook and Twitter could be Next to Get BLOCKED! Not just LinkedIn, even other bigger companies, includ

Last night, Facebook declared everyone dead, including the company's CEO Mark Zuckerberg, in a massive memorial 'remembering' profile glitch. Well, that's awkward. Despite being very much alive, Facebook users, when logged on to their accounts on Friday afternoon, found their accounts turned to a " memorialized account ," strongly suggesting that they are dead to everyone who visits their profile. A statement on Mark Zuckerberg's profile read: "We hope people who love Mark will find comfort in the things others share to remember and celebrate his life." When the message appeared, thousands of users shaken by the incident complained on Twitter about their premature digital deaths, offering their proof-of-life so that their concerned relatives could calm themselves down. This weird glitch was first spotted by Business Insider when several of its employees saw the message at the top of their Facebook profiles on Friday. When reached

The brand new Android smartphone launched by Google just a few months back has been hacked by Chinese hackers just in less than a minute. Yes, the Google's latest Pixel smartphone has been hacked by a team white-hat hackers from Qihoo 360, besides at the 2016 PwnFest hacking competition in Seoul. The Qihoo 360 team demonstrated a proof-of-concept exploit that used a zero-day vulnerability in order to achieve remote code execution (RCE) on the target smartphone. The exploit then launched the Google Play Store on the Pixel smartphone before opening Google Chrome and displaying a web page that read "Pwned By 360 Alpha Team," the Reg media reports . Qihoo 360 won $120,000 cash prize for hacking the Pixel. Google will now work to patch the vulnerability. Besides the Google Pixel, Microsoft Edge running under Windows 10 was also hacked in PwnFest hacking competition. The Qihoo 360 team also hacked Adobe Flash with a combination of a decade-old, use-after-free

Distributed Denial of Service (DDoS) attacks have risen enormously in past few months and, mostly, they are coming from hacked and insecure internet-connected devices, most commonly known as Internet of Things (IoT). Recent DDoS attack against DNS provider Dyn that brought down a large chunk of the Internet came from hacked and vulnerable IoT devices such as DVRs, security cameras, and smart home appliances. This DDoS was the biggest cyber attack the world has ever seen. Now, in the latest incident, at least five Russian banks have been subject to a swathe of DDoS attacks for two days, said the Russian banking regulator. The state-owned Sberbank was one of the five targets of the attacks that began on last Tuesday afternoon and lasted over the next two days. According to Kaspersky Lab, the longest attack last for 12 hours and peaked at 660,000 requests per second came from a botnet of at least 24,000 hacked devices located in 30 countries. Although the culprit appears

Just a few hours after Donald Trump won the 2016 US Presidential Election, a hacking group launched a wave of cyber attacks targeting U.S.-based policy think-tanks with a new spear phishing campaign designed to fool victims into installing malware. The group of nation-state hackers, also known as Cozy Bear , APT29 , and CozyDuke , is the one of those involved in the recent data breach of the Democratic National Committee (DNC) and is allegedly tied to the Russian government. On Wednesday, the hackers sent a series of phishing emails to dozens of targets associated with non-governmental organizations (NGOs), policy think tanks in the US and even inside the US government, said security firm Volexity. Phishing Attacks Powered by 'PowerDuke' Malware The phishing emails were sent from purpose-built Gmail accounts and other compromised email accounts at Harvard University's Faculty of Arts and Sciences (FAS), trying to trick victims into opening tainted attachments

As announced on Tuesday, the OpenSSL project team released OpenSSL version 1.1.0c that addresses three security vulnerabilities in its software. The most serious of all is a heap-based buffer overflow bug (CVE-2016-7054) related to Transport Layer Security (TLS) connections using *-CHACHA20-POLY1305 cipher suites. The vulnerability, reported by Robert Święcki of the Google Security Team on September 25, can lead to DoS attack by corrupting larger payloads, resulting in a crash of OpenSSL. The severity of the flaw is rated "High" and does not affect OpenSSL versions prior to 1.1.0. However, the OpenSSL team reports there is no evidence that the flaw is exploitable beyond a DoS attack. The OpenSSL project also patches a moderate severity flaw (CVE-2016-7053) that can cause applications to crash. "Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0

Facebook is reportedly buying stolen passwords that hackers are selling on the underground black market in an effort to keep its users' accounts safe. On the one hand, we just came to know that Yahoo did not inform its users of the recently disclosed major 2014 hacking incident that exposed half a billion user accounts even after being aware of the hack in 2014. On the other hand, Facebook takes every single measure to protect its users' security even after the company managed to avoid any kind of security scandal, data breach or hacks that have recently affected top notch companies. Speaking at the Web Summit 2016 technology conference in Portugal, Facebook CSO Alex Stamos said that over 1.3 Billion people use Facebook every day, and keeping them secure is building attack-proof software to keep out hackers, but keeping them safe is actually a huge task. Stamos said there is a difference between 'security' and 'safety,' as he believes that his team

Part of the $81 Million stolen from Bangladesh bank's New York Federal Reserve account earlier this year in the wake of the major malware attack on the SWIFT interbank transfer network has been tracked down to a casino in the Philippines. SWIFT, or Society for Worldwide Interbank Telecommunication, is a global financial messaging system that thousands of banks and organizations around the world use to transfer billions of dollars every day. In February, hackers dropped a piece of malware on a SWIFT terminal employed by Bangladesh's central bank, obtained credentials needed for payment transfers from the New York Federal Reserve Bank, and then transferred large amount to fraudulent accounts based in the Philippines and Sri Lanka. In March, the investigation revealed that the stolen money was then sold to a black market foreign exchange broker and later transferred to at least 3 local casinos in the Philippines. In September, Philippine court ordered the return of $1