The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Chinese smartphone maker OnePlus has suffered a new data breach exposing personal and order information of an undisclosed number of its customers, likely, as a result of a vulnerability in its online store website. The breach came to light after OnePlus started informing affected customers via email and published a brief FAQ page to disclose information about the security incident. According to OnePlus, the company discovered the breach just last week after an unauthorized party accessed order information of its customers, including their names, contact numbers, emails, and shipping addresses. "Last week while monitoring our systems, our security team discovered that some of our users' order information was accessed by an unauthorized party," the company said . OnePlus also assured that not all customers were affected and that the attackers were not able to access any payment information, passwords, and associated accounts. "Impacted users may receive spa

If you're like most consumers, you're probably looking forward to the upcoming Black Friday and Cyber Monday sale events. Who wouldn't want to get all sorts of products and services at massive discounts? But while most consumers are typically eyeing personal gadgets and entertainment appliances, you may want to consider scoring deals on personal security software and devices. Everyone's exposed to both digital and real-world threats these days, so investing in capable security solutions is a must. These tools are often expensive, and you should take advantage of discounts and sales to boost your privacy and personal security. As such, we have compiled some of the best deals that can help you better protect yourself. Here are four of the best deals on personal security products and services that you shouldn't miss: PC Security: Reason Antivirus Despite today's growing number of hacking incidents, most users don't invest in their digital s

Over the past two years, a shocking  51% of organizations surveyed in a leading industry report have been compromised by a cyberattack.  Yes, over half.  And this, in a world where enterprises deploy  an average of 53 different security solutions  to safeguard their digital domain.  Alarming? Absolutely. A recent survey of CISOs and CIOs, commissioned by Pentera and conducted by Global Surveyz Research, offers a quantifiable glimpse into this evolving battlefield, revealing a stark contrast between the growing risks and the tightening budget constraints under which cybersecurity professionals operate. With this report, Pentera has once again taken a magnifying glass to the state of pentesting to release its annual report about today's pentesting practices. Engaging with 450 security executives from North America, LATAM, APAC, and EMEA—all in VP or C-level positions at organizations with over 1,000 employees—the report paints a current picture of modern security validation prac

With its latest announcement to increase bug bounty rewards for finding and reporting critical vulnerabilities in the Android operating system, Google yesterday set up a new challenging level for hackers that could let them win a bounty of up to $1.5 million. Starting today, Google will pay $1 million for a "full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices," the tech giant said in a blog post published on Thursday. Moreover, if someone manages to achieve the same in the developer preview versions of Android, Google will pay an additional $500,000, making the total to $1.5 million—that's 7.5 times more than the previous top Android reward. Introduced within the Pixel 3 smartphones last year, Google's Titan M secure element is a dedicated security chip that sits alongside the main processor, primarily designed to protect devices against the boot-time attacks. In other words, Titan M chip

A Russian hacker who created and used Neverquest banking malware to steal money from victims' bank accounts has finally been sentenced to 4 years in prison by the United States District Court for the Southern District of New York. Stanislav Vitaliyevich Lisov , 34, was arrested by Spanish authorities at Barcelona–El Prat Airport in January 2017 on the request of the FBI and extradited to the United States in 2018. Earlier this year, Lisov pleaded guilty to one count of conspiracy to commit computer hacking, involving attempts to steal at least $4.4 million from hundreds of victims using the NeverQuest banking trojan. Just like any other sophisticated banking Trojan, NeverQuest , aka Vawtrak or Snifula, has also been designed to let attackers remotely control infected computers and steal a wide range of sensitive information. Besides stealing login information for banking or other financial accounts using a keylogger or web form injection techniques, the malware was also c

Are you a T-Mobile prepaid customer? If yes, you should immediately create or update your associated account PIN/passcode as additional protection. The US-based telecom giant T-Mobile today disclosed a yet another data breach incident that recently exposed potentially personal information of some of the customers using its prepaid services. What happened? In a statement posted on its website, T-Mobile said its cybersecurity team discovered a "malicious, unauthorized access" to information associated with an undisclosed number of its prepaid wireless account customers. However, the company did not disclose precisely how the breach happened, when it happened, and how the attackers unauthorizedly managed to access the private information of the company's prepaid customers. What type of information was accessed? The stolen data associated with customers' prepaid wireless accounts include their: names, phone numbers, billing addresses (if customers provided

Assessing the performance of your security team is critical to both knowing your current posture, as well as planning ahead. ' The Ultimate 2019 Security Team Assessment Template ' is the first attempt to capture all the main KPIs of the security team main pillars, saving CIOs and CISOs the time and effort of creating such an assessment from scratch and providing them with a simple and easy-to-use tool to measure how their teams are operated in 2019, while setting up performance targets for 2020. Building such a template is challenging because security teams vary greatly in size and internal responsibility distribution. Additionally, there is little consistency in the terms used to designate the various positions across the industry – security analyst, for example, could have one meaning in a certain company and different one in another. The same goes for architects, managers, and directors. The Security Team Assessment Template ( download here ) addresses this chall

What an irony — someone hacked the official website of the Monero cryptocurrency project and quietly replaced legitimate Linux and Windows binaries available for download with malicious versions designed to steal funds from users' wallets. The latest supply-chain cyberattack was revealed on Monday after a Monero user spotted that the cryptographic hash for binaries he downloaded from the official site didn't match the hashes listed on it. Following an immediate investigation, the Monero team today also confirmed that its website, GetMonero.com , was indeed compromised, potentially affecting users who downloaded the CLI wallet between Monday 18th 2:30 am UTC and 4:30 pm UTC. At this moment, it's unclear how attackers managed to compromise the Monero website and how many users have been affected and lost their digital funds. According to an analysis of the malicious binaries done by security researcher BartBlaze, attackers modified legitimate binaries to inject

An alarming security vulnerability has been discovered in several models of Android smartphones manufactured by Google, Samsung, and others that could allow malicious apps to secretly take pictures and record videos — even when they don't have specific device permissions to do so. You must already know that the security model of the Android mobile operating system is primarily based on device permissions where each app needs to explicitly define which services, device capabilities, or user information it wants to access. However, researchers at Checkmarx discovered that a vulnerability, tracked as CVE-2019-2234 , in pre-installed camera apps on millions of devices could be leveraged by attackers to bypass such restrictions and access device camera and microphone without any permissions to do so. How Can Attackers Exploit the Camera App Vulnerability? The attack scenario involves a rogue app that only needs access to device storage (i.e., SD card), which is one of the mo