Infosec veteran Marc Rogers on why we need a better system to rate vulnerabilities
Disclosure: The way we rate the severity of computer security vulnerabilities and bugs needs to change if people and businesses want to be better protected from malware and cyber-crime. So says Marc Rogers, executive director of cybersecurity at Okta and head of security at the world's biggest hacking conference, DEF CON. Speaking to The Register at Okta's Disclosure conference in San Francisco this week, Rogers reckoned today's methods of scoring and classifying security vulnerabilities reflect a dated system that doesn't take into account the way modern attackers operate. In particular, Rogers said, approaches such as the CVSS scoring system lead to an overemphasis on specific qualities of single vulnerabilities in isolation, and ignore the wider context, the threat model, and the potential for miscreants to chain security weaknesses together to cause unexpected damage. The old system of scoring security blunders from 0 (benign) to 10 (really bad) with various flags (eg, remotely or locally exploitable) just isn't going to cut it, in other words.
WordPress is the most popular content management system (CMS); it is built on PHP and MySQL and powers more than 34% of websites. So here is what you need to know about the security measures it requires. Keep WordPress updated to the latest version; this is one of the simplest ways to keep your website secure. Running a website with outdated core software, themes, and plugins leaves it exposed to known security vulnerabilities. Limit login attempts and use a strong password. Out of the box, WordPress does not limit the number of login attempts a user can make.
Security researchers have reportedly uncovered another attack from a North Korea-linked hacking group, but on closer inspection it seems to be nothing more than a rehash of the group's previous exploits. According to research published yesterday and reported by Forbes, the hacking group Lazarus is now using fake cryptocurrency trading software created by an equally fake front company. It appears that the hackers set up a front company called JMT Trading and wrote an accompanying open-source cryptocurrency trading app, the code for which was hosted on GitHub. However, here's where the originality ends.
Most cyber-attacks target people who haven't taken basic precautions to secure their accounts, making them "low-hanging fruit" for potential hackers. Changing passwords frequently, limiting the information you share online, and being clever with your personalized security questions can help secure your accounts. It's impossible to predict whether you'll be the victim of a cyberattack, but you can drastically reduce the odds in a few simple steps. The vast majority of people whose accounts are hacked don't take basic precautions to protect them, making them "low-hanging fruit," according to Alex Heid, chief research and development officer at cybersecurity firm SecurityScorecard. "If you're not thinking about these things, you have a nice car and you're leaving it unlocked in a bad neighborhood."
Hackers use secret networks to aggregate and trade millions of stolen login credentials and passwords, according to a cybersecurity expert. While high-profile data breaches make headlines, the real damage to individual users can be done in small increments in the months and years that follow, using stolen login credentials. The practice of trading stolen passwords is only growing as aggregation software becomes more sophisticated and hacking becomes more profitable. If you're reading this, it's time to change all of your passwords. That's because there's a good chance that your login information, or at least a past version of it, is circulating among secret networks where hackers trade stolen passwords or sell them for profit.
Google's security researchers said Thursday that they have found a new Android exploit that lets hackers take over a person's phone. The Project Zero team discovered the vulnerability in late September. They've already seen evidence of the exploit being used in the real world before it could be patched, making it what's known as a zero-day vulnerability. The flaw is in the Android operating system's kernel code and, if abused, could give hackers root access to a victim's phone. The vulnerability, however, requires action from the user, such as downloading malicious software, before a hacker can take over the phone. It can also be combined with a second exploit that targets the Chrome browser for a web-based attack.
The Twitter account of Jack Dorsey, co-founder and chief executive of Twitter, was briefly taken over by hackers over the weekend. The attackers apparently used a SIM-swapping attack to access the account, security experts said. Credit for the hack was taken by a group calling itself Chuckling Squad. Dorsey's account tweeted racist and offensive remarks for about 15 minutes late on Friday. Twitter said a security lapse at an unnamed mobile operator allowed the attack to take place, and said its own systems remained secure. "The phone number associated with the account was compromised due to a security oversight by the mobile provider," Twitter stated.
iPhone users have been urged to monitor their online security after an investigation found Apple devices could be at risk of hijacking. A report from Google's Project Zero security team discovered that a number of malicious websites were able to hack into a victim's iPhone without them knowing, infecting the device with malicious software that was able to steal data such as contact info, media files, and even GPS location. Hackers were able to exploit a number of previously unknown software flaws to quietly take over a victim's device, with versions of iPhone software up to and including iOS 12 affected. Outlining the "indiscriminate" attack in a blog post, Google's researchers warned that victims could be affected by the flaws thanks to the "sustained effort" of the hackers. "Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," Project Zero researcher Ian Beer wrote. Five distinct iPhone exploit chains comprising fourteen separate flaws were discovered by the researchers, including seven for the iPhone's Safari web browser.
Researchers at Google's cybersecurity division Project Zero discovered a handful of websites that were being used to hack iPhones. Once visited, the websites would plant a "monitoring implant" on the device, which could then steal messages, photos, and real-time GPS location data. The hacks spanned iOS 10 through 12, which Project Zero said indicated they took place over the course of two years. Google researchers have found a handful of hacked websites that were being quietly used to infiltrate iPhones for at least the past two years. Analysts at Google's cybersecurity division Project Zero published a deep-dive technical blog post Thursday night detailing their findings.
Windows PCs could be at risk from a major security flaw triggered by one of the platform's most popular software offerings. A leading security researcher has highlighted a vulnerability that would allow hackers to take control of an entire PC simply by loading some malicious code using Notepad. Once exploited, this could allow hackers to gain access to all processes within the system. The flaw dates all the way back to the time of Windows XP, meaning a wide range of devices could still be at risk. Google Project Zero expert Tavis Ormandy discovered the flaw, which exploits a shortcoming in the Windows Text Services Framework, the component that oversees keyboard layouts and text input. A component within that system, CTextFramework, can be attacked through apps that interact with it to display text on screen.
Look around your home: how many smart speakers do you have dotted around? For many of us, smart speakers have become an integral part of our daily lives, as music players, as the hub that controls our smart home devices, and as a vessel for voice assistants like Google Assistant, Siri, and Alexa. But could our smart speakers one day be used to harm us? Matt Wixey, cybersecurity research lead at technology consulting firm PwC UK, says that it's "surprisingly easy to write custom malware that can induce all sorts of embedded speakers to emit inaudible frequencies at high intensity, or blast out audible sounds at high volume", according to WIRED. These aural attacks could easily damage your hearing, cause tinnitus, or even lead to psychological changes.
Hackers could be able to doctor WhatsApp messages due to a flaw in the messaging app's security protection, experts have warned. Researchers from Check Point have revealed that vulnerabilities in WhatsApp could allow hackers to gain access to a user's conversations and alter their content. The flaws, presented at the Black Hat security conference in Las Vegas, could affect both private and group chats, potentially leading to the spread of false information or "fake news" from what were thought to be trusted sources. Check Point says that it found three different ways to alter WhatsApp conversations, all of which can be exploited using a particular tool that affects the app's quoting feature. The first flaw changes how a message's sender is identified, allowing hackers to misattribute a message, while the second allows third parties to change the text of a user's reply. Also uncovered was a flaw that allows a user to send a private message to another group participant disguised as a public message to all, meaning that when the targeted individual responded, their reply was visible to everyone in the conversation.
A security firm has found a series of flaws in WhatsApp that could allow hackers to intercept and manipulate messages by changing the identity of a sender or altering their text. Attackers could literally "put words in [someone's] mouth," security firm Check Point Research wrote in a press release on Wednesday. This gives the attackers the power to "create and spread misinformation from what appear to be trusted sources," Check Point said. Facebook, which owns WhatsApp, did not immediately respond to a request for comment. A cybersecurity firm has discovered a flaw in WhatsApp that allows hackers to intercept and manipulate messages, potentially changing the identity of a message sender or altering their text.
When Jeff Moss started Defcon in 1993, it was unheard of to bring kids to the hacker conference in Las Vegas. Now, as the conference and its attendees grow up, and more security researchers and hackers are becoming parents, services like day cares and childcare rooms at Black Hat and Defcon are in high demand. As the largest hacking conferences, Black Hat and Defcon present an opportunity for security researchers to take training workshops and network with professionals in cybersecurity. But for many years, some parents who couldn't make arrangements for their children were unable to attend. Black Hat, which is considered a more formal and corporate equivalent of Defcon, started the services after attendees noted a lack of women in cybersecurity. Many conferences outside cybersecurity started offering day care services for the same reason, but help is still lacking.
iMessage is shaping up to be the primary way in for iOS attackers, as the iPhone messaging service has shown quite a lot of security flaws lately. After the last of these was resolved, a Google security engineer uncovered yet another critical bug on the platform. It allows an attacker to gain access to private data stored on an iPhone. At the beginning of the year, FaceTime allowed a user to be heard and even seen before a call was answered on the iPhone, without the "victim" knowing. Now the problem is even greater, because the iOS 12 bug that affects the app allows access to the data we store on the phone.
Crooks fail to hijack infosec bloke's site to dress it up as a legit Euro bank login page
Larry Cashdollar, a senior security response engineer at the US-based global web giant, told us late last week that he had recently noticed something peculiar in the logs on his personal website. Further investigation turned up signs of someone scanning for remote file inclusion (RFI) vulnerabilities. In this particular case, Cashdollar has today helpfully documented his findings as a heads-up, or warning, to website admins and webapp developers. "Based on my log entries they appear to be parsing web sites looking for form variables and automatically testing if those variables allow remote file inclusion," Cashdollar told El Reg. "It's a generic test against any website where they can parse out the form input variable and then supply a URL to that variable to see if the content is included and executed."
Earlier this year, YouTube added hacking and phishing tutorials to its examples of banned video content, and that ban has been publicized thanks to an apparent crackdown on an ethical "white hat" hacking and computer security channel. Kody Kinzie is a co-founder of Hacker Interchange, which describes itself as an organization dedicated to teaching beginners about computer science and security. Hacker Interchange produces the Cyber Weapons Lab series on YouTube, but yesterday, Kinzie reported that they were unable to upload new videos because of a content strike. "Our existing content is being flagged and pulled, just got a strike too," noted Kinzie. "We made a video about launching fireworks over Wi-Fi for the 4th of July only to find out @YouTube gave us a strike because we teach about hacking, so we can't upload it." YouTube now bans: "Instructional hacking and phishing: Showing users how to bypass secure computer systems"
"Modern attackers are risk-averse and profit-oriented." PCM, a California-based hardware and cloud services provider, has confirmed that it was hacked. During the attack, threat actors accessed files belonging to the company's clients that were held in the firm's Office 365 file share. Access to the company's Office 365 environment appears to be the source of the breach. The breach was first reported by cybersecurity researcher and reporter Brian Krebs, who was informed by a security expert working for one of PCM's clients that the attackers seemed to be looking for data that could be used to initiate gift card fraud against PCM customers such as retailers and financial institutions. It is believed that the breach occurred during May of 2019.
Top global chief executives have willingly forked out more than $50m (£38m) to hackers amid growing concerns about cybersecurity threats. Bosses have paid so-called ethical hackers to help tighten up their cyber defences in a bid to avoid expensive and embarrassing data breaches. According to data from cybersecurity firm HackerOne, the amount paid to these researchers has grown exponentially in recent years. "The state of software security is so bad," HackerOne chief executive Marten Mickos told City A.M. "Whatever you can imagine; it's worse." As cyber threats increase around the world, companies are turning to so-called white hat hackers to identify vulnerabilities in their systems.
"Why not make sure you have a [email protected]… email address?" This article is intended to be a guide for business leaders who never want to get caught with their pants down when it comes to dealing with hackers, writes Guise Bule, co-founder of WEBGAP, a remote browser isolation cybersecurity startup. If a security researcher (a white hat hacker) tells you about a hole in your security that they found, this is a good thing, and infinitely preferable to one of the bad guys finding it and not telling you. The flaw could also have been sold on through established vulnerability markets like Zerodium or 0dayToday to the highest bidder. Lawyers (being lawyers) will immediately advise their clients to try to silence the researcher with the threat of legal action, and this almost always results in negative publicity. You are also announcing to black hat hackers that you do not follow best practices when it comes to dealing with security vulnerabilities and probably have other holes in your security.