Security News

Researchers have discovered a new side-channel that they say can be reliably exploited to leak information from web browsers that could then be leveraged to track users even when JavaScript is completely disabled. In avoiding JavaScript, the side-channel attacks are also architecturally agnostic, resulting in microarchitectural website fingerprinting attacks that work across hardware platforms, including Intel Core, AMD Ryzen, Samsung Exynos 2100, and Apple M1 CPUs - making it the first known side-channel attack on the iPhone maker's new ARM-based chipsets.

Oxfam Australia has confirmed a data breach after suffering a cyberattack and their donor databases put up for sale on a hacker forum in January. Last month, BleepingComputer was the first to report that a threat actor was selling a stolen Oxfam Australia database containing 1.7 million user records.

In its' Mobile Malware Evolution 2020, Kaspersky documents the current mobile threat landscape and identifies 2021 mobile security trends. "We saw a decrease in the number of attacks in the first half of the year, which can be attributed to the confusion of the first months of the pandemic," wrote Victor Chebyshev, a mobile security researcher at Kaspersky and author of the report.

With browser makers steadily clamping down on third-party tracking, advertising technology companies are increasingly embracing a DNS technique to evade such defenses, thereby posing a threat to web security and privacy. In other words, CNAME cloaking makes tracking code look like it's first-party when in fact, it is not, with the resource resolving through a CNAME that differs from that of the first party domain.

On August 13, 2016, a hacking unit calling itself "The Shadow Brokers" announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated to the Tailored Access Operations unit of the U.S. National Security Agency. "The caught-in-the-wild exploit of CVE-2017-0005, a zero-day attributed by Microsoft to the Chinese APT31, is in fact a replica of an Equation Group exploit codenamed 'EpMe,'" Check Point researchers Eyal Itkin and Itay Cohen said.

Millions of COVID-19 test reports were found to be publicly accessible due to flawed online system implementation. The leak, comprising over 8 million COVID-19 test results, has been attributed to the Health and Welfare Department of West Bengal, India.

A CAD drawing of a radar antenna stolen and leaked online by criminals is of a military radar system produced by defense contractor Leonardo and fitted to a number of US and UAE aircraft, The Register has learned. The Register can reveal Clop got its hands on at least one drawing of a Leonardo Seaspray 7500E radar antenna, and divulged on its Tor-hidden website a rendering of the hardware in some detail - without its external covers usually seen in promotional material.

The Clop ransomware gang claims to have stolen documents from aerospace giant Bombardier's defense division - and has leaked what appears to be a CAD drawing of one of its military aircraft products, raising fears over what else they've got. Bombardier confirmed its security had been breached, putting out a public statement only minutes after The Register grilled the Canadian business jet maker on the Clop gang's claims.

An investigation into a ransomware attack on a North Carolina county's computer network showed personal information posted for sale on the "Dark web," the county said. The Chatham County network was hit on Oct. 28 with ransomware that originated in a phishing email with a malicious attachment, The News & Observer of Raleigh reported Tuesday.

Startpage announced results of its survey exploring the attitudes of Americans towards protecting their own privacy online. The results found a gap between the high levels of online privacy awareness and concern respondents report, and the low levels of action they take to combat increasingly egregious assaults on their privacy.