The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Are you aware of fake clickjacking bug bounty reports? If not, you should be. This article will get you up to speed and help you to stay alert. What are clickjacking bug bounty reports? If we start by breaking up the term into its component parts, a bug bounty is a program offered by an organization, in which individuals are rewarded for finding and reporting software bugs. These programs are often used by companies as a cost-effective way to find and fix software vulnerabilities, thereby improving the security of their products. They also help to build goodwill with the security community.  For the bounty hunters (or white hat hackers), they have an opportunity to earn money and recognition for their skills.  Clickjacking is a malicious technique used to trick users into clicking on something that they think is safe, but is actually harmful. For example, a hacker could create a fake button that looks like the "like" button on a social media site. When users click on it,

An unidentified threat actor has been linked to an actively in-development malware toolkit called the "Eternity Project" that lets professional and amateur cybercriminals buy stealers, clippers, worms, miners, ransomware, and a distributed denial-of-service (DDoS) bot. What makes this malware-as-a-service (MaaS) stand out is that besides using a Telegram channel to communicate updates about the latest features, it also employs a  Telegram Bot  that enables the purchasers to build the binary. "The [threat actors] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies," researchers from Cyble  said  in a report published last week. Each of the modules can be leased separately and provides paid access to a wide variety of functions - Eternity Stealer  ($260 for an annual subscription) - An information stealer to siphon passwords, cookies, credit cards, browser crypto

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

The European Parliament announced a "provisional agreement" aimed at improving cybersecurity and resilience of both public and private sector entities in the European Union. The revised directive, called " NIS2 " (short for network and information systems), is expected to replace the  existing legislation  on cybersecurity that was established in July 2016. The revamp sets ground rules, requiring companies in energy, transport, financial markets, health, and digital infrastructure sectors to adhere to risk management measures and reporting obligations. Among the provisions in the new legislation are flagging cybersecurity incidents to authorities within 24 hours, patching software vulnerabilities, and readying risk management measures to secure networks, failing which can incur monetary penalties. "The directive will formally establish the European Cyber Crises Liaison Organization Network, EU-CyCLONe, which will support the coordinated management of larg

A 28-year-old Ukrainian national has been sentenced to four years in prison for siphoning thousands of server login credentials and selling them on the dark web for monetary gain as part of a credential theft scheme. Glib Oleksandr Ivanov-Tolpintsev , who pleaded guilty to his offenses earlier this February, was arrested in Poland in October 2020, before being  extradited to the U.S.  in September 2021. The illegal sale involved the trafficking of login credentials to servers located across the world and personally identifiable information such as dates of birth and Social Security numbers belonging to U.S. residents on a darknet marketplace. The unnamed site purportedly offered over 700,000 compromised servers for sale, including at least 150,000 in the U.S. alone. Believed to have been operational from around October 2014, the underground marketplace was seized by law enforcement authorities on January 24, 2019, according to court documents. This exactly coincides with the dism

Ever thought about working full-time in  cybersecurity ? With millions of unfilled jobs around, now is a great time to get into the industry. Of course, there are many different roles in this field. But all of them require the same handful of professional certifications. The 2022 Ultimate Advanced CyberSecurity Professional Certification Bundle  helps you collect the full house, with five full-length courses working towards  key exams . The included training has a total value of $1,475. But in a special deal for readers of The Hacker News, the bundle is now available for only $69.  Special Offer  —  You can currently get five top-rated cybersecurity certification courses for only $69, with lifetime access included! Whether you want to be a  penetration tester  or a cybersecurity researcher, technical recruiters want to see proof of your security expertise. NIST is required for government projects. Meanwhile, CISSP, ISACA, and CASP+ can open doors in the private sector. In this bu

SonicWall has published an  advisory  warning of a trio of security flaws in its Secure Mobile Access (SMA) 1000 appliances, including a high-severity authentication bypass vulnerability. The weaknesses in question impact SMA 6200, 6210, 7200, 7210, 8000v running firmware versions 12.4.0 and 12.4.1. The list of vulnerabilities is below - CVE-2022-22282  (CVSS score: 8.2) - Unauthenticated Access Control Bypass CVE-2022-1702  (CVSS score: 6.1) - URL redirection to an untrusted site (open redirection) CVE-2022-1701  (CVSS score: 5.7) - Use of a shared and hard-coded cryptographic key Successful exploitation of the aforementioned bugs could allow an attacker to unauthorized access to internal resources and even redirect potential victims to malicious websites. Tom Wyatt of the Mimecast Offensive Security Team has been credited with discovering and reporting the vulnerabilities. SonicWall noted that the flaws do not affect SMA 1000 series running versions earlier than 12.4.0, SM

Google on Thursday  announced  the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects. Additionally, the tech giant pointed out  Open Source Insights  as a tool for analyzing packages and their dependency graphs, using it to determine "whether a vulnerability in a dependency might affect your code." "With this information, developers can understand how their software is put together and the consequences to changes in their dependencies," the company said. The development comes as security and trust in the open source software ecosystem has been increasingly thrown into question in the aftermath of a  string  of  supply chain   attacks  designed to compromise developer workflows. In December 2021, a critical flaw in the ubiquitous open source  Log4j logging library  left several companies scrambling to patch their systems against potential abuse. The announcement also comes less than