The Hacker News | #1 Trusted Cybersecurity News Site — Index Page

Fixing indirect vulnerabilities is one of those complex, tedious and, quite frankly, boring tasks that no one really wants to touch. No one except for  Debricked , it seems. Sure, there are lots of ways to do it manually, but can it be done automatically with minimal risk of breaking changes? The Debricked team decided to find out.  A forest full of fragile trees So, where do you even start? Firstly, there needs to be a way to fix the vulnerability, which, for indirect dependencies, is no walk in the park. Secondly, it needs to be done in a safe way, or, without anything breaking.  You see, indirect dependencies are introduced deep down the dependency tree and it's very tricky to get to the exact version you want. As Debricked's Head of R&D once put it, " You are turning the knobs by playing around with your direct dependencies and praying to Torvalds that the correct indirect packages are resolved. When Torvalds is in your favour, you have to sacrifice some cloud

Amazon, in December 2021, patched a high severity vulnerability affecting its  Photos app  for Android that could have been exploited to steal a user's access tokens. "The Amazon access token is used to authenticate the user across multiple Amazon APIs, some of which contain personal data such as full name, email, and address," Checkmarx researchers João Morais and Pedro Umbelino  said . "Others, like the Amazon Drive API, allow an attacker full access to the user's files." The Israeli application security testing company reported the issue to Amazon on November 7, 2021, following which the tech giant rolled out a fix on December 18, 2021. The leak is the result of a misconfiguration in one of the app's components named "com.amazon.gallery.thor.app.activity.ThorViewActivity" that's defined in the  AndroidManifest.xml file  and which, when launched, initiates an HTTP request with a header containing the access token. In a nutshell, it

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on a larger role in software development is one of the big uncertainties related to this brave new world. In an era where AI promises to revolutionize how we live and work, the conversation about its security implications cannot be sidelined. As we increasingly rely on AI for tasks ranging from mundane to mission-critical, the question is no longer just, "Can AI  boost cybersecurity ?" (sure!), but also "Can AI  be hacked? " (yes!), "Can one use AI  to hack? " (of course!), and "Will AI  produce secure software ?" (well…). This thought leadership article is about the latter. Cydrill  (a

A cloud threat actor group tracked as 8220 has updated its malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign. "The updates include the deployment of new versions of a crypto miner and an IRC bot," Microsoft Security Intelligence said in a series of tweets on Thursday. "The group has actively updated its techniques and payloads over the last year." 8220, active since early 2017 , is a Chinese-speaking, Monero-mining threat actor so named for its preference to communicate with command-and-control (C2) servers over port 8220. It's also the developer of a tool called whatMiner, which has been co-opted by the Rocke cybercrime group in their attacks. In July 2019, the Alibaba Cloud Security Team uncovered an extra shift in the adversary's tactics, noting its use of rootkits to hide the mining program. Two years later, the gang resurfaced with Tsunami IRC botnet variants and a custom "

Google's Threat Analysis Group (TAG) on Thursday disclosed it had acted to block as many as 36 malicious domains operated by hack-for-hire groups from India, Russia, and the U.A.E. In a manner analogous to the  surveillanceware ecosystem , hack-for-hire firms equip their clients with capabilities to enable targeted attacks aimed at corporates as well as activists, journalists, politicians, and other high-risk users. Where the two stand apart is that while customers purchase the spyware from commercial vendors and then deploy it themselves, the operators behind hack-for-hire attacks are known to conduct the intrusions on their clients' behalf in order to obscure their role. "The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients," Shane Huntley, director of Google TAG,  said  in a report. "Some hack-for-hire attackers openly adver

One of the commissioners of the U.S. Federal Communications Commission (FCC) has renewed calls asking for Apple and Google to boot the popular video-sharing platform TikTok from their app stores citing "its pattern of surreptitious data practices." "It is clear that TikTok poses an unacceptable national security risk due to its extensive data harvesting being combined with Beijing's apparently unchecked access to that sensitive data," Brendan Carr, a Republican member of the FCC,  wrote  in a letter to Apple and Google's chief executives. TikTok, in September 2021,  disclosed  that there are one billion people who use its app every month, making it one of the largest social media platforms after Facebook, YouTube, WhatsApp, Instagram, and WeChat. Carr further emphasized that the short-form video service is far from just an app for sharing funny videos or memes, calling out its features as "sheep's clothing" intended to mask its core funct

Shadow IT refers to the practice of users deploying unauthorized technology resources in order to circumvent their IT department. Users may resort to using shadow IT practices when they feel that existing IT policies are too restrictive or get in the way of them being able to do their jobs effectively. An old school phenomenon  Shadow IT is not new. There have been countless examples of widespread shadow IT use over the years. In the early 2000s, for example, many organizations were reluctant to adopt Wi-Fi for fear that it could undermine their security efforts. However, users wanted the convenience of wireless device usage and often deployed wireless access points without the IT department's knowledge or consent. The same thing happened when the iPad first became popular. IT departments largely prohibited iPads from being used with business data because of the inability to apply group policy settings and other security controls to the devices. Even so, users often ignored IT and

A former Canadian government employee this week agreed to plead guilty in the U.S. to charges related to his involvement with the NetWalker ransomware syndicate. Sebastien Vachon-Desjardins , who was  extradited to the U.S.  on March 10, 2022, is accused of conspiracy to commit computer fraud and wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer. The 34-year-old IT consultant from Gatineau, Quebec, was initially apprehended in January 2021 following a coordinated  law enforcement operation  to dismantle the dark web infrastructure used by the NetWalker ransomware cybercrime group to publish data siphoned from its victims. The takedown also brought its activities to a standstill. A search warrant executed at Vachon-Desjardins's home in Canada resulted in the seizure of 719 bitcoin, valued at approximately $28.1 million at the time, and $790,000 in Canadian currency. In February 2022, the Ontario Court o