The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

A group of academics has devised a system that can be used on a phone or a laptop to identify and locate Wi-Fi-connected hidden IoT devices in unfamiliar physical spaces. With hidden cameras being  increasingly   used  to  snoop  on  individuals  in hotel rooms and Airbnbs, the goal is to be able to pinpoint such rogue devices without much of a hassle. The system, dubbed Lumos , is designed with this intent in mind and to "visualize their presence using an augmented reality interface,"  said  Rahul Anand Sharma, Elahe Soltanaghaei, Anthony Rowe, and Vyas Sekar of Carnegie Mellon University in a new paper. At its core, the platform works by snuffing and collecting encrypted wireless packets over the air to detect and identify concealed devices. Subsequently, it estimates the location of each identified device with respect to the user as they walk around the perimeter of the space. The localization module, for its part, combines signal strength measurements that are avail

If one word could sum up the 2021 infosecurity year (well, actually three), it would be these: "supply chain attack".  A software supply chain attack happens when hackers manipulate the code in third-party software components to compromise the 'downstream' applications that use them. In 2021, we have seen a dramatic rise in such attacks: high profile security incidents like the SolarWinds, Kaseya, and  Codecov  data breaches have shaken enterprise's confidence in the security practices of third-party service providers. What does this have to do with secrets, you might ask? In short, a lot. Take the Codecov case (we'll go back to it quickly): it is a textbook example to illustrate how hackers leverage hardcoded credentials to gain initial access into their victims' systems and harvest more secrets down the chain.  Secrets-in-code remains one of the most overlooked vulnerabilities in the application security space, despite being a priority target in hack

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on a larger role in software development is one of the big uncertainties related to this brave new world. In an era where AI promises to revolutionize how we live and work, the conversation about its security implications cannot be sidelined. As we increasingly rely on AI for tasks ranging from mundane to mission-critical, the question is no longer just, "Can AI  boost cybersecurity ?" (sure!), but also "Can AI  be hacked? " (yes!), "Can one use AI  to hack? " (of course!), and "Will AI  produce secure software ?" (well…). This thought leadership article is about the latter. Cydrill  (a

Malicious actors can gain unauthorized access to users' online accounts via a new technique called "account pre-hijacking," latest research has found. The attack takes aim at the account creation process that's ubiquitous in websites and other online platforms, enabling an adversary to perform a set of actions before an unsuspecting victim creates an account in a target service. The study was led by independent security researcher Avinash Sudhodanan in collaboration with Andrew Paverd of the Microsoft Security Response Center (MSRC). Pre-hijacking banks on the prerequisite that an attacker is already in possession of a unique identifier associated with a victim, such as an email address or phone number, information which can be obtained either from scraping the target's social media accounts or credential dumps circulating on the web as a result of countless data breaches. The attacks can then play out in five different ways, including the use of the same em

An unknown advanced persistent threat (APT) group has been linked to a series of spear-phishing attacks targeting Russian government entities since the onset of the Russo-Ukrainian war in late February 2022. "The campaigns [...] are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely," Malwarebytes  said  in a technical report published Tuesday. The cybersecurity company attributed the attacks with low confidence to a Chinese hacking group, citing infrastructure overlaps between the RAT and Sakula Rat malware used by a threat actor known as  Deep Panda . The attack chains, while leveraging different lures over the course of two months, all employed the same malware barring small differences in the source code. The campaign is said to have commenced around February 26, days after Russia's military invasion of Ukraine, with the emails distributing the RAT under the guise of an interac

Security incidents occur. It's not a matter of "if," but of "when." That's why you implemented security products and procedures to optimize the incident response (IR) process. However, many security pros who are doing an excellent job in handling incidents find effectively communicating the ongoing process with their management a much more challenging task. Feels familiar? In many organizations, leadership is not security savvy, and they aren't interested in the details regarding all the bits and bytes in which the security pro masters.  Luckily, there is a template that security leads can use when presenting to management. It's called the  IR Reporting for Management template , providing CISOs and CIOs with a clear and intuitive tool to report both the ongoing IR process and its conclusion. The IR Reporting for Management template enables CISOs and CIOs to communicate with the two key points that management cares about—assurance that the incid

Popular video conferencing service Zoom has  resolved  as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol ( XMPP ) messages and execute malicious code. Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all the four flaws in February 2022. The list of bugs is as follows - CVE-2022-22784  (CVSS score: 8.1) - Improper XML Parsing in Zoom Client for Meetings CVE-2022-22785  (CVSS score: 5.9) - Improperly constrained session cookies in Zoom Client for Meetings CVE-2022-22786  (CVSS score: 7.5) - Update package downgrade in Zoom Client for Meetings for Windows CVE-2022-22787  (CVSS score: 5.9) - Insufficient hostname validation during server switch in Zoom Client for Meetings With Zoom's chat functionality built on top

Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem. One of the packages in question is "ctx," a Python module available in the PyPi repository. The other involves "phpass," a PHP package that's been forked on GitHub to distribute a rogue update. "In both cases the attacker appears to have taken over packages that have not been updated in a while," the SANS Internet Storm Center (ISC)  said , one of whose volunteer incident handlers, Yee Ching, analyzed the ctx package. It's worth noting that ctx, prior to the latest release on May 21, 2022, was last published to PyPi on December 19, 2014. On the other hand, phpass hasn't received an update since it was uploaded to Packagist on August 31, 2012. Both the libraries have been removed from PyPi and GitHub . At its core, the modifications are designed to exfiltrate AWS credentials t