The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

If you came across any Facebook Message with an image file (exactly .SVG file format) send by any of your Facebook friends, just avoid clicking it. An ongoing Facebook spam campaign is spreading malware downloader among Facebook users by taking advantage of innocent-looking SVG image file to infect computers. If clicked, the file would eventually infect your PC with the nasty Locky Ransomware , a family of malware that has quickly become one of the favorite tools among criminals due to its infecting capabilities. Discovered by malware researcher Bart Blaze , the attack campaign uses Facebook Messenger to spread a malware downloader called Nemucod that takes the form of .SVG image files. Why SVG file? Hackers considered SVG (or Scalable Vector Graphics) files for spreading the malware downloader, because SVG has the ability to contain embedded content such as JavaScript, and can be opened in a modern web browser. Crooks added their malicious JavaScript code right inside th

Here's some bad news for Android users again. Nearly 3 Million Android devices worldwide are vulnerable to man-in-the-middle (MITM) attacks that could allow attackers to remotely execute arbitrary code with root privileges, turning over full control of the devices to hackers. According to a new report from security rating firm BitSight, the issue is due to a vulnerability in the insecure implementation of the OTA (Over-the-Air) update mechanism used by certain low-cost Android devices, including BLU Studio G from US-based Best Buy. Backdoor/Rootkit Comes Pre-installed The vulnerable OTA mechanism, which is associated with Chinese mobile firm Ragentek Group, contains a hidden binary — resides as /system/bin/debugs — that runs with root privileges and communicates over unencrypted channels with three hosts. According to the researchers, this privileged binary not only exposes user-specific information to MITM attackers but also acts as a rootkit, potentially allowing

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Big tech companies, including Facebook, Google, and Microsoft, are in the race of bringing Internet connectivity to unconnected parts of the world through wireless devices , flying drones , high-altitude balloons, and laser beams . But, SpaceX founder Elon Musk has big plans for bringing low-cost Internet service worldwide, and it all starts in space. Private rocket launch service SpaceX has asked the U.S. government for permission to launch 4,425 satellites in orbit to beam high-speed Internet down to the world, according to a newly filed application with the Federal Communications Commission (FCC). That's a hell of a lot of satellites; in fact, the figure surpasses the total number of satellites in the Earth's orbit. Here's what the company's 102-page technical document reads: "The system is designed to provide a wide range of broadband and communications services for residential, commercial, institutional, governmental and professional users world

Three, one of UK's biggest mobile operators, has become the latest victim of a massive data breach that reportedly left the personal information and contact details of 6 Million of its customers exposed. The company admitted the data breach late Thursday, saying that computer hackers gained access to a Three Mobile customer phone upgrade database containing the account details of nearly 6 Million customers. According to multiple British  media reports citing both Three and the National Crime Agency ( NCA ), the computer hackers used an employee login to gain entry into its database. The stolen data includes customer names, addresses, phone numbers and dates of birth, which is then used to carry out mobile phone fraud. The company has not yet confirmed the total number of users' affected by the breach, though it assured its customers that no payment data, including bank account numbers and card numbers, has been accessed. According to Three, the hackers had stolen

In the fight against encryption , Apple has positioned itself as a staunch defender of its user privacy by refusing the federal officials to provide encryption backdoors into its products, as well as implementing better encryption for its products. However, a new report from a security firm suggests Apple's online syncing service iCloud secretly stores logs of its users' private information for as long as four months — even when iCloud backup is switched off. Russian digital forensics firm Elcomsoft discovered that Apple's mobile devices automatically send its users' call history to the company's servers if iCloud is enabled, and stored that data for up to four months. And it turns out that there is no way for iCloud users to stop this phone call syncing service unless they completely disable the cloud synchronization feature. Elcomsoft, which sells software to extract data from Apple's iCloud backups and works with police and intelligence agencies,

Setting a passcode on your iPhone is the first line of defense to help prevent other people from accessing your personal details. However, it's pretty much easy for anyone with access to your iPhone to bypass the passcode protection (doesn't matter if you configured Touch ID or not) and access your personal photos and messages. A new critical security flaw discovered in iOS 8 and newer, including 10.2 beta 3, allows anyone to bypass iPhone's passcode and gain access to personal information using the benevolent nature of Apple's personal assistant Siri. The security glitch has been discovered by EverythingApplePro and iDeviceHelps and now that they have gone public with a video demonstration, you can expect Apple to fix this issue in the next iOS beta version. All an attacker need is to find out the phone number of the target's iPhone and access to the phone for a few minutes. But, what if you don't have target's phone number? No worries. You can

You won't believe your eyes while reading this, but this is true. Microsoft just joined the Linux Foundation as a high-paying Platinum member. Microsoft's love with open source community is embracing as time passes. At its first Connect event in 2013, the company launched Visual Studio 2013. A year later, Microsoft open sourced .NET, and last year, it open sourced the Visual Studio Code Editor, as well. Not just that, Microsoft partnered with Canonical to bring Ubuntu on Windows 10 , worked with FreeBSD to develop a Virtual Machine image for its Azure cloud , and chosen Ubuntu as the OS for its Cloud-based Big Data services. And the big news for this year is… At its 2016 Connect developer event in New York today, Microsoft announced that the company is joining the Linux Foundation as a Platinum member – the highest level of membership, which costs $500,000 annually. Besides this, Microsoft also announced that tech giant Google has also joined on with the indepen

You need to be more careful next time while leaving your computer unattended at your office, as it cost hackers just $5 and only 30 seconds to hack into any computer. Well-known hardware hacker Samy Kamkar has once again devised a cheap exploit tool, this time that takes just 30 seconds to install a privacy-invading backdoor into your computer, even if it is locked with a strong password. Dubbed PoisonTap , the new exploit tool runs freely available software on a tiny $5/£4 Raspberry Pi Zero microcomputer, which is attached to a USB adapter. The attack works even if the targeted computer is password-protected if a browser is left open in the computer's background. All an attacker need is to plug the nasty device in the target computer and wait. Here's How PoisonTap works: Once plugged into a Windows or Mac computer via USB port, the tiny device starts impersonating a new ethernet connection. Even if the victim's device is connected to a WiFi network, Poi

A hacker with little more than a minute can bypass the authentication procedures on some Linux systems just by holding down the Enter key for around 70 seconds. The result? The act grants the hacker a shell with root privileges, which allows them to gain complete remote control over encrypted Linux machine. The security issue relies due to a vulnerability ( CVE-2016-4484 ) in the implementation of the Cryptsetup utility used for encrypting hard drives via Linux Unified Key Setup (LUKS), which is the standard implementation of disk encryption on a Linux-based operating system. The flaw actually is in the way the Cryptsetup utility handles password failures for the decryption process when a system boots up, which lets a user retry the password multiple times. What's even worse? Even if the user has tried up all 93 password attempts, the user is dropped to a shell (Busybox in Ubuntu) that has root privileges. In other words, if you enter a blank password 93 times – or s

Do you own an Android smartphone? You could be one of those 700 Million users whose phone is secretly sending text messages to China every 72 hours. You heard that right. Over 700 Million Android smartphones contain a secret 'backdoor' that surreptitiously sends all your text messages, call log, contact list, location history, and app data to China every 72 hours. Security researchers from Kryptowire discovered the alleged backdoor hidden in the firmware of many budget Android smartphones sold in the United States, which covertly gathers data on phone owners and sends it to a Chinese server without users knowing. First reported on by the New York Times on Tuesday, the backdoored firmware software is developed by China-based company Shanghai AdUps Technology, which claims that its software runs updates for more than 700 Million devices worldwide. Infected Android Smartphone WorldWide Moreover, it is worth noting that AdUps provides its software to much larger ha