Security News

Accedian announced that its cloud-native performance monitoring and analytics platform, Skylight, will include new decryption technology to ensure end-to-end visibility on encrypted network traffic. The technology supports all Transport Layer Security versions, including TLS 1.3, allowing customers to maintain the privacy and security of encryption while still gaining valuable insight into network traffic for performance monitoring and threat detection.

In an incident report published on Friday, Google said that a Google Voice outage affecting a majority of the telephone service's users earlier this month was caused by expired TLS certificates. During regular operation, voice calls made through Google Voice are controlled using the Session Initiation Protocol, with client devices immediately retrying their connection to the service once it breaks.

Mail Transfer Agent-Strict Transport Security is a relatively new standard that enables mail service providers the ability to enforce Transport Layer Security to secure SMTP connections and to specify whether the sending SMTP servers should refuse to deliver emails to MX hosts that that does not offer TLS with a reliable server certificate. SMTP TLS Reporting is a standard that enables reporting issues in TLS connectivity experienced by applications that send emails and detect misconfigurations.

The National Security Agency this week issued guidance for National Security System, Department of Defense, and Defense Industrial Base cybersecurity decision makers, system admins, and network security analysts to replace obsolete versions of the Transport Layer Security protocol. While older versions of the security protocols, namely SSL, TLS 1.0, and TLS1.1, have been deprecated in many existing online services and applications, there still are systems that rely on these insecure protocols, thus exposing entire networks.

"Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries. As a result, all systems should avoid using obsolete configurations for TLS and SSL protocols." The NSA's alert adds on to an existing collective push for updating TLS protocols, with some of the biggest standards bodies and regulators mandating that web server operators ensure they move to TLS 1.2 before the end of 2020.

Report finds that over half the malware attacks in Q3 could bypass signature-based malware protection. WatchGuard's latest Internet Security Report finds that cybercriminals shifted their focus to network attacks and sending malware over encrypted channels during the third quarter.

A group of researchers has detailed a new timing vulnerability in Transport Layer Security protocol that could potentially allow an attacker to break the encryption and read sensitive communication under specific conditions. Dubbed "Raccoon Attack," the server-side attack exploits a side-channel in the cryptographic protocol to extract the shared secret key used for secure communications between two parties.

Researchers from universities in Germany and Israel have disclosed the details of a new timing attack that could allow malicious actors to decrypt TLS-protected communications. Raccoon can allow a man-in-the-middle attacker to crack encrypted communications that could contain sensitive information.

Beginning September 1st, all publicly trusted TLS certificates must have a lifespan of 398 days or less. Since many organizations lack the automation capabilities necessary to replace certificates with short lifespans at machine scale and speed, they are likely to see sharp increases in outages caused by unexpected certificate expirations.

Cisco has warned of an active zero-day vulnerability in its router software that's being exploited in the wild and could allow a remote, authenticated attacker to carry out memory exhaustion attacks on an affected device. "An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device," Cisco said in an advisory posted over the weekend.