The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Update (22 June 2019)  — More technical details and proof-of-concept for the OutLook for Android vulnerability has been released that we have covered in a separate article here. Microsoft today released an updated version of its "Outlook for Android" that patches an important security vulnerability in the popular email app that is currently being used over 100 million users. According to an advisory , Outlook app with versions before 3.0.88 for Android contains a stored cross-site scripting vulnerability ( CVE-2019-1105 ) in the way the app parses incoming email messages. If exploited, remote attackers can execute malicious in-app client-side code on the targeted devices just by sending them emails with a specially crafted message. "The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user." According to Microsoft, the fl

At its developer conference held earlier this week in New York, the MongoDB team announced the latest version of its database management software that includes a variety of advanced features, including Field Level Encryption, Distributed Transactions, and Wildcard Indexes. The newly introduced Field Level Encryption (FLE), which will be available in the upcoming MongoDB 4.2 release, is an end-to-end encryption feature that encrypts and decrypts sensitive users' data on the client-side, preventing hackers from accessing plaintext data even if the database instance left exposed online or the server itself gets compromised. Almost every website, app, and service on the Internet today usually encrypt (particularly "hashing") only users' passwords before storing them into the databases, but unfortunately left other sensitive information unencrypted, including users' online activity data and their personal information. Moreover, even if there is an encryption

In today's digital world, where connectivity is rules all, endpoints serve as the gateway to a business's digital kingdom. And because of this, endpoints are one of hackers' favorite targets.  According to the IDC,  70% of successful breaches start at the endpoint . Unprotected endpoints provide vulnerable entry points to launch devastating cyberattacks. With IT teams needing to protect more endpoints—and more kinds of endpoints—than ever before, that perimeter has become more challenging to defend. You need to improve your endpoint security, but where do you start? That's where this guide comes in.  We've curated the top 10 must-know endpoint security tips that every IT and security professional should have in their arsenal. From identifying entry points to implementing EDR solutions, we'll dive into the insights you need to defend your endpoints with confidence.  1. Know Thy Endpoints: Identifying and Understanding Your Entry Points Understanding your network's

Important Update (21 June 2019) ➤  The Tor Project on Friday released second update ( Tor Browser 8.5.3 ) for its privacy web-browser that patches the another Firefox zero-day vulnerability patched this week. Following the latest critical update for Firefox, the Tor Project today released an updated version of its anonymity and privacy browser to patch the same Firefox vulnerability in its bundle. Earlier this week, Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 versions to patch a critical actively-exploited vulnerability ( CVE-2019-11707 ) that could allow attackers to remotely take full control over systems running the vulnerable browser versions. Besides updating Firefox, the latest Tor Browser 8.5.2 for desktops also includes updated NoScript version 10.6.3 that fixes a few known issues. According to the Tor Project Team, if you are already using Tor browser with "safer" and "safest" security levels, the flaw doesn't affect you. For som

In today's business environment, data is what matters most. It matters to organizations that monetize it into operational insights and optimisations, and it matters the threat actors that relentlessly seek to achieve similar monetisation by compromising it. In the very common scenario in which organisation A provides services to organization B, it's imperative for the latter to be absolutely sure that the former handles its data in the most secure way. While there's no one-size-fits-all in cybersecurity, there are various frameworks that provide robust guidelines for organizations to see if the security controls in place indeed address their needs. NIST cybersecurity framework is a good example of such guidelines. There are industry specific standards, such as HIPPA for healthcare and PCI-DSS for credit card processing. However, in recent years, SOC 2 is gaining momentum in the US as a general standard for all organizations that store or process data for consumers and busi

Oracle has released an out-of-band emergency software update to patch a newly discovered critical vulnerability in the WebLogic Server. According to Oracle, the vulnerability—which can be identified as CVE-2019-2729 and has a CVSS score of 9.8 out of 10—is already being exploited in the wild by an unnamed group of attackers. Oracle WebLogic is a Java-based multi-tier enterprise application server that allows businesses to quickly deploy new products and services on the cloud, which is popular across both, cloud environment and conventional environments. The reported vulnerability is a deserialization issue via XMLDecoder in Oracle WebLogic Server Web Services that could allow unauthorized remote attackers to execute arbitrary code on the targeted servers and take control over them. "This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password," the advisor

Important Update [21 June 2019] — Mozilla on Thursday released another update Firefox version 67.0.4 to patch a second zero-day vulnerability. If you use the Firefox web browser, you need to update it right now. Mozilla earlier today released Firefox 67.0.3 and Firefox ESR 60.7.1 versions to patch a critical zero-day vulnerability in the browsing software that hackers have been found exploiting in the wild. Discovered and reported by Samuel Groß, a cybersecurity researcher at Google Project Zero, the vulnerability could allow attackers to remotely execute arbitrary code on machines running vulnerable Firefox versions and take full control of them. The vulnerability, identified as CVE-2019-11707 , affects anyone who uses Firefox on desktop (Windows, macOS, and Linux) — whereas, Firefox for Android, iOS, and Amazon Fire TV are not affected. According to an advisory , the flaw has been labeled as a type confusion vulnerability in Firefox that can result in an exploitable cras

Cybersecurity isn't easy. If there was a product or service you could buy that would just magically solve all of your cybersecurity problems, everyone would buy that thing, and we could all rest easy. However, that is not the way it works. Technology continues to evolve. Cyber attackers adapt and develop new malicious tools and techniques, and cybersecurity vendors design creative new ways to detect and block those threats. Rinse and repeat. Cybersecurity isn't easy, and there is no magic solution, but there are a handful of things you can do that will greatly reduce your exposure to risk and significantly improve your security posture. The right platform, intelligence, and expertise can help you avoid the vast majority of threats, and help you detect and respond more quickly to the attacks that get through. Challenges of Cybersecurity Effective cybersecurity is challenging for a variety of reasons, but the changing perimeter and the confusing variety of solution