News 05-12-2023

Latest News in Digital Trust: April 2023

DigiCert

Here is our latest roundup of news about digital security in our connected world. Click here to see the whole series.

DigiCert news

  • DigiCert announced a new certificate linter called pkilint, which utilizes prior industry experience in automating compliance checks for digital certificates. The initial version of pkilint implements compliance testing for the recently issued S/MIME Baseline Requirements by the CA/Browser (CA/B) Forum.
  • DigiCert announced our new unified partner program, designed to provide new and existing partners with a comprehensive portfolio that delivers digital trust for the real world. The new program offers partners expanded digital trust offerings as well as enhanced tools and resources.
  • DigiCert celebrated a milestone of 20 years. DigiCert was founded on April 10, 2003. It’s been a great road, and we look forward to many years ahead as a leading global provider of digital trust.
  • Last month, DigiCert established the root of trust for Next Generation 911 (NG911), which will serve as the foundation for secure interoperability for all emergency services providers in the United States. NG911 is a digital, internet protocol (IP)-based system that will replace the analog 911 infrastructure, and it will leverage smart technology to enable emergency responders to respond more accurately and swiftly to emergencies. As NG911 rolls out this year, DigiCert is honored to be trusted with this critical infrastructure.

Quantum

  • Thales has successfully conducted an end-to-end encrypted phone call pilot test using its Cryptosmart secure mobile app and 5G SIM cards in commercial smartphones, employing a hybrid cryptography approach to defend against post-quantum attacks. The pilot is designed to test the scalability and quality of the solutions that Thales has developed to counter the vulnerabilities of the public key cryptography-based digital infrastructure to quantum attacks. The pilot's success represents a step towards the creation of real-world quantum-protected mobile solutions, as recommended by the National Institute of Standards and Technology (NIST).

Vulnerabilities

  • Black Basta, the group that claimed responsibility for the recent breach of Capita, is reportedly selling sensitive data, including bank account information, addresses and passport photos. Capita has not yet confirmed the validity of the data leak and continues to work closely with regulators and forensic experts to investigate the incident. Capita plays a critical role in providing services for public and private organizations, including the UK's National Health Service and the Ministry of Defence.
  • Apple has released emergency security updates to address zero-day vulnerabilities that have already been exploited by hackers to attack iPhones, iPads and Macs. The first flaw allows a maliciously crafted app to corrupt data or run arbitrary code with kernel privileges, while the second flaw requires users to load a malicious web page that could then execute code on their devices. Apple has not provided any details about how the hackers are targeting its devices, but users are encouraged to install the latest updates to protect their devices from cyberattacks.
  • WhatsApp has introduced key transparency that will enable users to automatically verify a secure connection without the need for a long code. This allows users to automatically validate that a user's encryption key is genuine, thus ensuring the security of their conversation. While this system provides easy and convenient verification tools to users, those who wish to verify their end-to-end encrypted sessions without utilizing WhatsApp servers at all are encouraged to utilize the traditional security code verification process in addition to this new automated process.

IoT

  • A researcher has discovered that a garage door controller made by Nexx, used to open and close garage doors and control home security alarms and smart power plugs, has severe security and privacy vulnerabilities. Every device uses the same easy-to-find universal password to communicate with Nexx servers, and the devices also broadcast, unencrypted, the email address, device ID, first name and last initial associated with each device, along with the message required to open or shut a door, turn a smart plug on or off, or schedule such a command for a later time. The researcher is advising anyone using one of these controllers to disconnect it immediately until the flaws are fixed.

Standards

  • The European Parliament has approved the world’s first comprehensive regulatory framework for cryptocurrencies. The Markets in Crypto Act (MiCA) seeks to reduce risks for consumers buying crypto assets, and imposes requirements on crypto platforms, token issuers and traders around transparency, disclosure, authorization and supervision of transactions.
  • Last year, the Office of the National Cyber Director (ONCD) issued directives to federal agencies about taking inventory of their cryptographic systems in readiness for the move to quantum-resistant cryptography, as per the White House’s National Security Memorandum 10. The instructions provided guidelines on how to prioritize the inventory of critical cryptographic systems with a deadline set for May 4, 2023, to submit the list. But even for organizations without a May 4 deadline, it's still important to identify their crypto assets and manage them proactively.
  • The Digital Credentials For Europe (DC4EU) Project has been approved for funding by the European Commission under the Digital Europe Program. The project aims to promote the deployment and development of use cases of the new version of the digital identity framework, testing its interoperability in pre-production systems with a cross-border perspective. Led by the Government of Spain, the project consortium consists of 80 organizations from 22 countries, with an estimated project cost of €19.2 million. The piloting of the portfolio is particularly relevant in view of the future reform of the eIDAS Regulation, and the two use cases to be addressed in this project are in education and social security.

Data breaches

  • ChatGPT, an AI chatbot developed by OpenAI, has suffered a data breach due to a vulnerability in the Redis open-source library that allowed users to see the chat history of other active users. OpenAI confirmed that the data leakage in ChatGPT was addressed swiftly with little damage. However, it could be a harbinger of the risks that could impact chatbots and users in the future. Restrictions on AI use have been tightened because of the privacy concerns surrounding chatbots. Experts also expect threat actors to use ChatGPT to create sophisticated and realistic phishing emails. Samsung has also banned employees from using ChatGPT after the breach.
  • T-Mobile has reported another data breach affecting just over 800 people. The breach occurred between Feb. 24 and March 30 and involved the theft of customers' names, driver's license or identification card numbers, account PIN, Social Security number, date of birth, balance due and phone plan. This is the latest in a series of data breaches for T-Mobile, including one in January that impacted 37 million customers and a 2021 breach that affected 54 million customers.

Malware

  • Meta, the owner of Facebook, has reported that it has discovered malware purveyors who are taking advantage of public interest in ChatGPT to lure users into downloading malicious apps and browser extensions. Meta has identified about 10 malware families and over 1,000 malicious links since March, likening the phenomenon to cryptocurrency scams.