The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

This may sound crazy, but it's true! The war for "most-subscribed Youtube channel" crown between T-Series and PewDiePie just took an interesting turn after a hacker yesterday hijacked more than 50,000 internet-connected printers worldwide to print out flyers asking everyone to subscribe to PewDiePie YouTube channel. PewDiePie, whose real name is Felix Kjellberg, is a famous YouTuber from Sweden known for his game commentary and pranks and has had the most subscribers on YouTube since 2013. However, the channel owned by Bollywood record label T-Series has been catching up in recent months, and now both are hovering around 72.5 million YouTube subscribers. From this fear that PewDiePie won't remain the number one most-subscribed YouTuber in the world, an anonymous hacker (probably his die-hard fan) with the Twitter username " TheHackerGiraffe " came up with a hackish idea. TheHackerGiraffe scanned the Internet to find the list of vulnerable printers

The world's biggest hotel chain Marriott International today disclosed that unknown hackers compromised guest reservation database its subsidiary Starwood hotels and walked away with personal details of about 500 million guests. Starwood Hotels and Resorts Worldwide was acquired by Marriott International for $13 billion in 2016. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels. The incident is believed to be one of the largest data breaches in history, behind 2016 Yahoo hacking in which nearly 3 billion user accounts were stolen. The breach of Starwood properties has been happening since 2014 after an "unauthorized party" managed to gain unauthorized access to the Starwood's guest reservation database, and had copied and encrypted the information. Marriott dis

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Multinational computer technology company Dell disclosed Wednesday that its online electronics marketplace experienced a "cybersecurity incident" earlier this month when an unknown group of hackers infiltrated its internal network. On November 9, Dell detected and disrupted unauthorized activity on its network attempting to steal customer information, including their names, email addresses and hashed passwords. According to the company, the initial investigation found no conclusive evidence that the hackers succeeded to extract any information, but as a countermeasure Dell has reset passwords for all accounts on Dell.com website whether the data had been stolen or not. Dell did not share any information on how hackers managed to infiltrate its network at the first place or how many user accounts were affected, but the company did confirm that payment information and Social Security numbers were not targeted. "Credit card and other sensitive customer information

The Department of Justice announced Wednesday charges against two Iranian nationals for their involvement in creating and deploying the notorious SamSam ransomware. The alleged hackers, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah, 27, have been charged on several counts of computer hacking and fraud charges, the indictment unsealed today at New Jersey court revealed. The duo used SamSam ransomware to extort over $6 million in ransom payments since 2015, and also caused more than $30 million in damages to over 200 victims, including hospitals , municipalities, and public institutions. According to the indictment, Savandi and Mansouri have been charged with a total of six counts, including one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two counts of intentional damage to a protected computer, and two counts of transmitting a demand in relation to damaging a protected computer. Si

Google, the FBI, ad-fraud fighting company WhiteOps and a collection of cyber security companies worked together to shut down one of the largest and most sophisticated digital ad-fraud schemes that infected over 1.7 million computers to generate fake clicks used to defraud online advertisers for years and made tens of millions of dollars in revenue. Dubbed 3ve (pronounced "Eve"), the online ad-fraud campaign is believed to have been active since at least 2014, but its fraudulent activity grew last year, turning it into a large-scale business and earning their operators more than $30 million in profit. Meanwhile, the United States Department of Justice (DoJ) also unsealed Tuesday a 13-count indictment against 8 people from Russia, Kazakhstan, and Ukraine who allegedly ran this massive online advertising scheme. The 3ve botnet scheme deployed different tactics, such as creating their own botnets, creating fake versions of both websites and visitors, selling fraudulent

British and Dutch data protection regulators Tuesday hit the ride-sharing company Uber with a total fine of $1,170,892 (~ 1.1 million) for failing to protect its customers' personal information during a 2016 cyber attack involving millions of users. Late last year, Uber unveiled that the company had suffered a massive data breach in October 2016, exposing names, email addresses and phone numbers of 57 million Uber riders and drivers along with driving license numbers of around 600,000 drivers. Besides this, it was also reported that instead of disclosing the breach at the time, the company paid $100,000 in ransom to the two hackers with access to the stolen data in exchange for keeping the incident secret and deleting the information. Today Britain's Information Commissioner's Office (ICO) fined Uber 385,000 pounds ($491,102), while the Dutch Data Protection Authority (Dutch DPA) levied a 600,000 euro ($679,790) penalty on Uber for failing to protect the personal informatio

Cheetah Mobile —a prominent Chinese app company, known for its popular utility apps like Clean Master and Battery Doctor—and one of its subsidiary Kika Tech have allegedly been caught up in an Android ad fraud scheme that stole millions of dollars from advertisers. According to app analytics firm Kochava , 7 Android apps developed by Cheetah Mobile and 1 from Kika Tech with a total 2 billion downloads on Google Play Store have been accused of falsely claiming the credits for driving the installation of new apps in order to claim a fee or bounty. Many mobile application developers generate revenue by promoting and recommending the installation of other apps inside their apps for a fee or a bounty that typically ranges from $0.50 to $3.00. To know which advertisement recommended the app and should get the credit, the newly installed app does a "lookback" immediately after it is opened for the first time to see from where the last click was originated and attribute the

A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributor gone rogue, who infected it with a malicious code that was programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is "Event-Stream," a toolkit that makes it easy for developers to create and work with streams, a collection of data in Node.js — just like arrays or strings. The malicious code detected earlier this week was added to Event-Stream version 3.3.6, published on September 9 via NPM repository , and had since been downloaded by nearly 8 million application programmers. Event-Stream module for Node.js was originally created by Dominic Tarr, who maintained the Event-Stream library for a long time, but handed over the development and maintenance of the project several months ago to an unknown programmer, called "right9ctrl." Apparently, right9ctrl gained Dominic's trust by making

Looking for how to hack WiFi password OR WiFi hacking software? Well, a security researcher has revealed a new WiFi hacking technique that makes it easier for hackers to crack WiFi passwords of most modern routers. Discovered by the lead developer of the popular password-cracking tool Hashcat, Jens 'Atom' Steube, the new WiFi hack works explicitly against WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled. The attack to compromise the WPA/WPA2 enabled WiFi networks was accidentally discovered by Steube while he was analyzing the newly-launched WPA3 security standard . This new WiFi hacking method could potentially allow attackers to recover the Pre-shared Key (PSK) login passwords, allowing them to hack into your Wi-Fi network and eavesdrop on the Internet communications. How to Hack WiFi Password Using PMKID According to the researcher, the previously known WiFi hacking methods require attackers to wai

The United States Postal Service has patched a critical security vulnerability that exposed the data of more than 60 million customers to anyone who has an account at the USPS.com website. The U.S.P.S. is an independent agency of the American federal government responsible for providing postal service in the United States and is one of the few government agencies explicitly authorized by the United States Constitution. The vulnerability is tied to an authentication weakness in an application programming interface (API) for the USPS "Informed Visibility" program designed to help business customers track mail in real-time. 60 Million USPS Users' Data Exposed According to the cybersecurity researcher, who has not disclosed his identity, the API was programmed to accept any number of "wildcard" search parameters, enabling anyone logged in to usps.com to query the system for account details belonging to any other user. In other words, the attacker could