The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Microsoft today released its monthly batch of software security updates for the July month to patch a total of 77 vulnerabilities, 14 are rated Critical, 62 are Important, and 1 is rated Moderate in severity. The July 2019 security updates include patches for various supported versions of Windows operating systems and other Microsoft products, including Internet Explorer, Edge, Office, Azure DevOps, Open Source Software, .NET Framework, Azure, SQL Server, ASP.NET, Visual Studio, and Exchange Server. Details of 6 security vulnerabilities, all rated important, were made public before a patch was released, none of which were found being exploited in the wild. However, two new privilege escalation vulnerabilities, one affects all supported versions of the Windows operating system, and the other affects Windows 7 and Server 2008, have been reported as being actively exploited in the wild. Both actively exploited vulnerabilities lead to elevation of privilege, one (CVE-2019-1132)

Lodash, a popular npm library used by more than 4 million projects on GitHub alone, is affected by a high severity security vulnerability that could allow attackers to compromise the security of affected services using the library and their respective user base. Lodash is a JavaScript library that contains tools to simplify programming with strings, numbers, arrays, functions, and objects, helping programmers write and maintain their JavaScript code more efficiently. Liran Tal, a developer advocate at open-source security platform Snyk, recently published details and proof-of-concept exploit of a high-severity prototype pollution security vulnerability that affects all versions of lodash, including the latest version 4.17.11. The vulnerability, assigned as CVE-2019-10744 , potentially affects a large number of frontend projects due to the popularity of lodash that is being downloaded at a rate of more than 80 million times per month. Prototype pollution is a vulnerability t

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

Enterprises should expect to see more cyberattacks launched against them. The data that they now gather and store have made their infrastructures key targets for hackers. Customer data and intellectual property can be sold in the black market for profit, and sensitive information can also be used by hackers to extort them. Enterprises are now aggressively shifting their workloads to the cloud which, while it has many benefits, expands their defensive perimeter and exposes them to further risks as well. As such, organizations are now widely investing in various security solutions in order to comprehensively protect their networks. Gartner expects security spending to exceed $124 billion this year. Solutions such as firewalls and threat prevention tools have increasingly become essential for enterprises. Leading firewall provider Palo Alto Networks , for example, provides companies with various measures to protect their infrastructures. It's currently being used by tens

Smartphones are a goldmine of sensitive data, and modern apps work as diggers that continuously collect every possible information from your devices. The security model of modern mobile operating systems, like Android and iOS, is primarily based on permissions that explicitly define which sensitive services, device capabilities, or user information an app can access, allowing users decide what apps can access. However, new findings by a team of researchers at the International Computer Science Institute in California revealed that mobile app developers are using shady techniques to harvest users' data even after they deny permissions. In their talk " 50 Ways to Pour Your Data " [ PDF ] at PrivacyCon hosted by the Federal Trade Commission last Thursday, researchers presented their findings that outline how more than 1,300 Android apps are collecting users' precise geolocation data and phone identifiers even when they've explicitly denied the required permi

More and more, organizations take the route of outsourcing incident response to Managed Security Service Providers. This trend is distinct regardless of the organization's cyber maturity level and can be found across a wide range of cyber maturity, from small companies with no dedicated security team to enterprises with a fully equipped SOC. The hands of the incident response service providers are extremely busy, and the need from their side to scale while maintaining top quality has never been greater. To address this need, Cynet offers IR service providers to collect data, analyze, investigate and remediate threats on their customers' environments with Cynet 360 platform for free, introducing unmatched speed and reliability into their operations. Any incident responder can now simply sign up to Cynet and immediately get free access to the platform. "Cynet tackles the incident response play at its most fundamental core – speed," said Eyal Gruner, co-fo

Security researchers at Microsoft have released details of a new widespread campaign distributing an infamous piece of fileless malware that was primarily being found targeting European and Brazilian users earlier this year. Dubbed Astaroth , the malware trojan has been making the rounds since at least 2017 and designed to steal users' sensitive information like their credentials, keystrokes, and other data, without dropping any executable file on the disk or installing any software on the victim's machine. Initially discovered by researchers at Cybereason in February this year, Astaroath lived off the land by running the payload directly into the memory of a targeted computer or by leveraging legitimate system tools, such as WMIC, Certutil, Bitsadmin, and Regsvr32, to run the malicious code. While reviewing the Windows telemetry data, Andrea Lelli, a researcher at Microsoft Defender ATP Research Team, recently spotted a sudden unusual spike in the usage of Managemen

If you use Zoom video conferencing software on your Mac computer—then beware—any website you're visiting in your web browser can turn on your device camera without your permission. Ironically, even if you had ever installed the Zoom client on your device and simply uninstalled it, a remote attacker can still activate your webcam. Zoom is one of the most popular cloud-based meeting platforms that provide video, audio, and screen sharing options to users, allowing them to host webinars, teach online courses, conduct online training, or join virtual meetings online. In a Medium post published today, cybersecurity researcher Jonathan Leitschuh disclosed details of an unpatched critical security vulnerability (CVE-2019-13450) in the Zoom client app for Apple Mac computers, which if combined with a separate flaw, could allow attackers to execute arbitrary code on the targeted systems remotely. Jonathan responsibly reported the security vulnerability to the affected company ov

Britain's Information Commissioner's Office (ICO) today hit British Airways with a record fine of £183 million for failing to protect the personal information of around half a million of its customers during last year's security breach . British Airways, who describes itself as "The World's Favorite Airline," disclosed a breach last year that exposed personal details and credit-card numbers of up to 380,000 customers and lasted for more than two weeks. At the time, the company confirmed that customers who booked flights on its official website (ba.com) and British Airways mobile app between August 21 and September 5 had had their details stolen by attackers. The cyberattack was later attributed to the infamous Magecart threat actor, one of the most notorious hacking groups specialized in stealing credit card details from poorly-secured websites, especially online eCommerce platforms. Magecart hackers have been known for using digital credit card ski

An unknown hacker yesterday successfully managed to hack into the official GitHub account of Canonical, the company behind the Ubuntu Linux project and created 11 new empty repositories . It appears that the cyberattack was, fortunately, just a "loud" defacement attempt rather than a "silent" sophisticated supply-chain attack that could have been abused to distribute modified malicious versions of the open-source Canonical software. In a statement, David from Canonical confirmed that attacker(s) used a Canonical owned GitHub account whose credentials were compromised to unauthorizedly access Canonical's Github account. "We can confirm that on 2019-07-06 there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities," David said. "Canonical has removed the compromised account from the Canonical organization in GitHub and is still investigating the extent o

A 23-year-old hacker from Utah who launched a series of DDoS attacks against multiple online services, websites, and online gaming companies between December 2013 and January 2014 has been sentenced to 27 months in prison. Austin Thompson, a.k.a. "DerpTroll," pledged guilty back in November 2018 after he admitted to being a part of DerpTrolling , a hacker group that was behind DDoS attacks against several major online gaming platforms including Electronic Arts' Origin service, Sony PlayStation network, and Valve Software's Steam during Christmas. "Thompson typically used the Twitter account @DerpTrolling to announce that an attack was imminent and then posted "scalps" (screenshots or other photos showing that victims' servers had been taken down) after the attack," the DoJ says. According to a U.S. Department of Justice press release published Wednesday, Thompson's actions caused the victim companies at least $95,000 in damages. T

Except for phishing and scams, downloading an HTML attachment and opening it locally on your browser was never considered as a severe threat until a security researcher today demonstrated a technique that could allow attackers to steal files stored on a victim's computer. Barak Tawily, an application security researcher, shared his findings with The Hacker News, wherein he successfully developed a new proof-of-concept attack against the latest version of Firefox by leveraging a 17-year-old known issue in the browser. The attack takes advantage of the way Firefox implements Same Origin Policy (SOP) for the "file://" scheme URI (Uniform Resource Identifiers), which allows any file in a folder on a system to get access to files in the same folder and subfolders. Since the Same Origin Policy for the file scheme has not been defined clearly in the RFC by IETF, every browser and software have implemented it differently—some treating all files in a folder as the same

Taiwanese networking equipment manufacturer D-Link has agreed to implement a "comprehensive software security program" in order to settle a Federal Trade Commission (FTC) lawsuit alleging that the company didn't take adequate steps to protect its consumers from hackers. Your wireless router is the first line of defense against potential threats on the Internet. However, sadly, most widely-used routers fail to offer necessary security features and have often found vulnerable to serious security flaws, eventually enabling remote attackers to unauthorizedly access networks and compromise the security of other devices connected to it. In recent years, the security of wireless networks has been more of a hot topic due to cyber attacks, as well as has gained headlines after the discovery of critical vulnerabilities—such as authentication bypass , remote code execution , hard-coded login credentials , and information disclosure—in routers manufactured by various brands.

Chinese authorities are secretly installing surveillance apps on smartphones of foreigners at border crossings in the Xinjiang region who are entering from neighboring Kyrgyzstan, an international investigation revealed. Xinjiang (XUAR) is an autonomous territory and home to many Muslim ethnic minority groups where China is known to be conducting massive surveillance operations, especially on the activities of Uighurs, a Muslim Turkic minority group of about 8 million people. The Chinese government has blamed the Muslim Turkic minority group for Islamic extremism and deadly attacks on Chinese targets. According to a joint investigation by New York Times , the Guardian, Süddeutsche Zeitung and more, the surveillance app has been designed to instantly extract emails, texts, calendar entries, call records, contacts and insecurely uploads them to a local server set-up at the check-point only. This suggests that the spyware app has not been designed to continuously and remotely t

Data loss and theft continues to rise, and hardly a day goes by without significant data breaches hit the headlines. In January 2019 alone, 1.76 billion records were leaked, and according to IBM's Data Breach study, the average cost of each lost or stolen record has reached about $148. Most of these data leaks are because of malicious attacks, where exploitation of web application vulnerabilities is one of the most common cyber attack vectors. An application security breach is a problem facing one and all, and no matter what's the size of your company, your web applications are prone to cyber attacks. Hackers breach sites for a variety of reasons—some do it for fame, some to get competitive information, whereas some do it just for financial gains. No matter what the reason is, the cost of a security breach is always higher than the cost of protection, leading to loss of data, substantial financial losses, and most importantly, loss of customers' trust. If you a