Security News

Critical Jenkins Server Vulnerability Could Leak Sensitive Information
2020-08-18 09:55

Jenkins, a popular open-source automation server software, published an advisory on Monday concerning a critical vulnerability in the Jetty web server that could result in memory corruption and cause confidential information to be disclosed. "Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat," read the advisory.

UAE Hack and Leak Operations
2020-08-13 14:28

Abstract: Four hack-and-leak operations in U.S. politics between 2016 and 2019, publicly attributed to the United Arab Emirates, Qatar, and Saudi Arabia, should be seen as the "simulation of scandal": deliberate attempts to direct moral judgement against their target. Although "hacking" tools enable easy access to secret information, they are a double-edged sword, as their discovery means the scandal becomes about the hack itself, not about the hacked information.

Intel Investigating Data Leak of Technical Documents, Tools
2020-08-06 21:36

Intel is investigating reports that a claimed hacker has leaked 20GB of data coming from the chip giant, which appear to be related to source code and developer documents and tools. "The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access," an Intel spokesperson told SecurityWeek.

NSA Warns Smartphones Leak Location Data
2020-08-05 15:43

The NSA released the advisory this week informing people of the various ways mobile phones, by design, give up location information, which go beyond the well-known Location Services feature that people use on a regular basis. Most people are aware that location services on devices can pinpoint where they are so people can have access to services in the area, as well as share their location with friends via mobile apps such as WhatsApp, among other useful activities.

Robocall Legal Advocate Leaks Customer Data
2020-08-03 22:18

Enter The Blacklist Alliance, which promises to help marketers avoid TCPA legal snares set by "professional plaintiffs and class action attorneys seeking to cash in on the TCPA." According to the Blacklist, one of the "dirty tricks" used by TCPA "frequent filers" includes "phone flipping," or registering multiple prepaid cell phone numbers to receive calls intended for the person to whom a number was previously registered. The leaked Blacklist customer database points to various companies you might expect to see using automated calling systems to generate business, including real estate and life insurance providers, credit repair companies and a long list of online advertising firms and individual digital marketing specialists.

The Digital Ship is Full of Leaks. But There Are Ways to Keep it Afloat.
2020-08-03 15:17

Its underlying truth is undeniable: today's technology, particularly at a time of wholesale digital transformation, has expanded the threat surface exponentially, and it keeps expanding all the time, frequently exceeding the bandwidth of human operators to triage which threats are more critical. Research from the North Carolina State University found that leaks of digital secrets - passwords, cryptographic keys, API, and access credentials to more than 100,000 private code repositories - take place on development platforms such as GitHub thousands of times a day.

New Attack Leverages HTTP/2 for Effective Remote Timing Side-Channel Leaks
2020-07-31 03:10

Since measuring the time taken to execute cryptographic algorithms is crucial to carrying out a timing attack and consequently leak information, the jitter on the network path from the attacker to the server can make it impractical to successfully exploit timing side-channels that rely on a small difference in execution time. The new method, called Timeless Timing Attacks by researchers from DistriNet Research Group and New York University Abu Dhabi, instead leverages multiplexing of network protocols and concurrent execution by applications, thus making the attacks immune to network conditions.

Vermont Taxpayers Warned of Data Leak Over the Past Three Years
2020-07-30 13:32

The Vermont Department of Taxes may have been exposing taxpayer data that could be used in credential scams for more than three years due to a vulnerability in its online tax filing system. A notice posted on the department's website warned that taxpayers who filed a Property Transfer Tax return through the department's online filing site between Feb. 1, 2017, and July 2, 2020, may have had their personal information leaked.

Cisco Network Security Flaw Leaks Sensitive Data
2020-07-23 19:49

A high-severity vulnerability in Cisco's network security software could lay bare sensitive data - such as WebVPN configurations and web cookies - to remote, unauthenticated attackers. The flaw exists in the web services interface of Cisco's Firepower Threat Defense software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance software, the operating system for its family of ASA corporate network security devices.

NY Charges First American Financial for Massive Data Leak
2020-07-23 16:12

In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties.