Security News

Since measuring the time taken to execute cryptographic algorithms is crucial to carrying out a timing attack and consequently leak information, the jitter on the network path from the attacker to the server can make it impractical to successfully exploit timing side-channels that rely on a small difference in execution time. The new method, called Timeless Timing Attacks by researchers from DistriNet Research Group and New York University Abu Dhabi, instead leverages multiplexing of network protocols and concurrent execution by applications, thus making the attacks immune to network conditions.

The Vermont Department of Taxes may have been exposing taxpayer data that could be used in credential scams for more than three years due to a vulnerability in its online tax filing system. A notice posted on the department's website warned taxpayers who filed a Property Transfer Tax return through the department's online filing site between Feb. 1, 2017, and July 2, 2020, may have had their personal information leaked.

A high-severity vulnerability in Cisco's network security software could lay bare sensitive data - such as WebVPN configurations and web cookies - to remote, unauthenticated attackers. The flaw exists in the web services interface of Cisco's Firepower Threat Defense software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance software, the operating system for its family of ASA corporate network security devices.

In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties.

Collaboration security startup Polymer announced its official launch on Wednesday with a solution that automatically detects and redacts sensitive data shared by users in popular collaboration tools. When users share this type of information via one of the supported collaboration tools, Polymer automatically redacts sensitive information and ensures that the unredacted information can only be accessed by users that have been authorized in the Polymer administrative dashboard.

A server containing information of users of a genealogy service has exposed the data of 60,000 users, putting them at risk for fraud, phishing and other cybercriminal activity. The leak exposed a MacKiev server with 25 gigabytes of Ancestry user data and MacKiev Software user subscriptions, including information such as email addresses, user location, user support messages and technical data.

Cloud software provider Blackbaud has admitted that it paid cybercriminals to regain control of data following a ransomware attack in May 2020. Last week, the company published a notice on a ransomware attack that it fell victim to in May 2020, claiming that it was able to discover and stop the assault, but not before some data was exfiltrated by the attackers.

Australian beverage company Lion says it has found no evidence that hackers have stolen information from its systems, but the hackers claim they have and are threatening to leak it unless the company pays up. While Lion has not shared any technical information about the attack or the ransomware, the operators of the ransomware known as Sodinokibi and REvil claim to have breached the company's systems.

Twitter has permanently banned the account of Distributed Denial of Secrets after it posted links to stolen information belonging to hundreds of law enforcement organizations in the United States. Distributed Denial of Secrets, a WikiLeaks-style organization whose goal is the "Free transmission of data in the public interest," recently leaked roughly 270 GB of information on more than 200 police departments, fusion centers, the FBI and other law enforcement organizations.

Known as BlueLeaks, the info trove consists mostly of crime intelligence material uploaded to what are known as fusion centers. Created in the aftermath of the September 11 terror attacks, serve as a way for state and county cops to share information with one another and with the FBI and US Homeland security.