Here is our latest roundup of news about digital security in our connected world. Click here to see the whole series.
DigiCert News
DigiCert welcomes Dr. Amit Sinha as CEO and member of the DigiCert Board of Directors. Sinha brings over 20 years of technology, strategy and operational experience from Zscaler, Motorola, AirDefense and Engim. Sinha’s leadership will ensure the right focus and strategy to help DigiCert define digital trust for the real world and continue to accelerate its leadership in digital trust.
TLS/SSL
The OpenSSL project released OpenSSL 3.0.7 to fix a buffer overflow in X.509 certificate parsing (CVE-2022-3602, alongside the related CVE-2022-3786). The flaw was pre-announced as critical and downgraded to high severity once the project judged that common stack-protection mitigations make exploitation beyond a crash unlikely. Only the 3.0 series (3.0.0 through 3.0.6) is affected; 1.1.1 is not. Because the defect is in certificate parsing rather than in key generation or key handling, updating to 3.0.7 is the remedy and no certificate replacement is required.
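A quick way to tell whether a given OpenSSL build falls in the affected range is to parse its version banner. The classifier below is an added example for this roundup, not OpenSSL project or DigiCert code; it encodes the rule from the 3.0.7 advisory (3.0.0 through 3.0.6 affected, 3.0.7 and later fixed, anything outside the 3.0 series not affected). The sample banners are constructed, and `runtime_status()` checks the OpenSSL that the running Python interpreter itself links against.

```python
"""Classify an OpenSSL build against the range fixed by OpenSSL 3.0.7.

Added example for this roundup, not OpenSSL project or DigiCert code.
Rule encoded (from the OpenSSL 3.0.7 advisory): 3.0.0 .. 3.0.6 are affected,
3.0.7 and later are fixed, and every release outside the 3.0 series
(1.1.1, 1.0.2, ...) is not affected.
"""
import re
import ssl

# Matches the start of the `openssl version` banner, e.g.
#   "OpenSSL 3.0.6 4 Oct 2022"  or  "OpenSSL 1.1.1q  5 Jul 2022"
BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)")

FIXED_PATCH = 7  # first fixed release in the 3.0 series is 3.0.7


def parse_banner(banner: str):
    """Return (major, minor, patch) from a version banner, or None if it
    does not look like OpenSSL's output.  Letter suffixes such as the 'q'
    in '1.1.1q' are ignored; they do not matter for this check."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def classify(version) -> str:
    """'affected', 'fixed' or 'not_affected' for a (major, minor, patch) tuple."""
    major, minor, patch = version[:3]
    if (major, minor) != (3, 0):
        return "not_affected"
    return "fixed" if patch >= FIXED_PATCH else "affected"


def classify_banner(banner: str) -> str:
    """Classify raw `openssl version` output; 'unknown' if it cannot be parsed
    (for example a LibreSSL banner)."""
    version = parse_banner(banner)
    return "unknown" if version is None else classify(version)


def runtime_status() -> str:
    """Classify the OpenSSL this interpreter's ssl module was linked against."""
    return classify_banner(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", runtime_status())
```

One caveat when using this against a server: Linux distributions usually backport security fixes without changing the upstream banner, so a build that reports "OpenSSL 3.0.2" may already carry the fix. Treat the banner as a first filter and confirm against the distribution's package changelog.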
Public certificates issued through Amazon’s AWS Certificate Manager will now come from one of multiple intermediate certificate authorities that Amazon operates. Most customers will not notice the change, and it makes the certificate infrastructure more resilient and lets Amazon rotate issuers more quickly. The practical caveat: clients that pin an intermediate certificate, rather than one of Amazon’s roots, will break as the issuing intermediate varies, so pinning should be avoided or done only against the root.
Microsoft has released a fix for TLS/SSL handshake failures on Windows client and server platforms that were caused by its security updates earlier in the month.
IoT
The Connectivity Standards Alliance (CSA) released Matter 1.0 on October 4, and DigiCert’s root Certificate Authority (CA) became the first root CA approved by the CSA for Matter device attestation. Attestation lets a Matter controller verify during commissioning that a device carries a certificate chaining to an approved root, which gives smart home manufacturers a faster path to market and gives customers security that needs no configuration on their part.
Quantum
DigiCert will work with the Canadian company ISARA to ensure ongoing digital trust. ISARA, a leading provider of quantum-safe security solutions, announced that it is dedicating four hybrid certificate patents to the public. Hybrid certificates combine a conventional digital certificate with additional quantum-safe components (a second public key and signature carried alongside the classical ones), so relying parties that do not yet understand the quantum-safe algorithm can still validate the certificate while upgraded ones check both.
Mastercard has launched a new contactless credit card designed to resist quantum attacks. The cards follow new EMVCo industry specifications and use longer key lengths while remaining compatible with existing payment terminals.
Government standards
The White House hosted a meeting with tech industry leaders this month to create a new standard for security labels on IoT devices, planned to launch in spring 2023. This security “nutrition label” is meant to give consumers easy access to information about their smart devices, such as known vulnerabilities and interoperability with other products.
The U.S. Department of Commerce has appointed 16 experts to a new Internet of Things Advisory Board (IoTAB). The board will advise the federal IoT working group on federal IoT regulation, the benefits of IoT to the United States, IoT opportunities for small businesses and international IoT opportunities.
Malware
Guardio Labs reported that malicious Chrome extensions were installed on over a million PCs. The extensions injected advertising into ordinary pages and appended affiliate tags to links on popular shopping websites so that the operators earned a commission on purchases. The extensions have been removed from the store, but users should still review the extensions installed in their browsers and keep anti-virus software running.
The MajikPOS and Treasure Hunter point-of-sale malware families remain active, scanning networks for exposed and poorly secured VNC and RDP remote-desktop services (weak or default credentials) to get onto payment terminals. Once on a terminal, the malware scrapes shoppers' payment card data from memory. The card records stolen so far are estimated to be worth $3.3 million.
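Sweeping many hosts for RDP (3389) and VNC (5900 and up) in a short window is the reconnaissance step that precedes this kind of point-of-sale compromise, and it is visible in perimeter firewall logs long before any card data leaves. The detector below is an added example for this roundup, not vendor or DigiCert code; the log line format, the sample lines, the port set, the five-minute window and the three-host threshold are all constructed assumptions to adapt to your own firewall.

```python
"""Flag sources sweeping a network for RDP and VNC services.

Added example for this roundup, not vendor or DigiCert code.  The log line
format (`ts src= dst= dport= action=`), the sample lines, the port set and
the thresholds are constructed assumptions; adapt them to your firewall.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RDP plus the usual VNC display ports 5900-5906 (assumption: tune per environment).
REMOTE_DESKTOP_PORTS = {3389} | set(range(5900, 5907))

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def parse(line: str):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["dport"] = int(event["dport"])
    return event


def detect_sweeps(lines, min_hosts=3, window=timedelta(minutes=5)):
    """Return {src: sorted distinct dsts} for every source that touched at
    least `min_hosts` distinct hosts on remote-desktop ports within `window`.
    Denied and allowed attempts both count: the sweep itself is the signal."""
    by_src = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e and e["dport"] in REMOTE_DESKTOP_PORTS:
            by_src[e["src"]].append((e["ts"], e["dst"]))

    sweeps = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so each candidate window starts at events[i]
        for i, (t0, _) in enumerate(events):
            hosts = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                sweeps[src] = sorted(hosts)
                break
    return sweeps


def exposed_services(lines):
    """Remote-desktop connections the firewall let through: the exposed
    services a scanner would go on to brute-force."""
    return sorted({
        (e["src"], e["dst"], e["dport"])
        for e in map(parse, lines)
        if e and e["action"] == "ALLOW" and e["dport"] in REMOTE_DESKTOP_PORTS
    })


# Constructed sample: one sweeping source, one single-host connection,
# one slow source outside the window, and one malformed line.
SAMPLE_LOG = """\
2022-10-12T03:14:07Z src=203.0.113.5 dst=10.0.0.21 dport=3389 action=DENY
2022-10-12T03:14:09Z src=203.0.113.5 dst=10.0.0.22 dport=3389 action=DENY
2022-10-12T03:14:12Z src=203.0.113.5 dst=10.0.0.23 dport=5900 action=DENY
2022-10-12T03:15:40Z src=203.0.113.5 dst=10.0.0.24 dport=3389 action=ALLOW
2022-10-12T03:16:02Z src=198.51.100.9 dst=10.0.0.30 dport=443 action=ALLOW
2022-10-12T03:16:05Z src=198.51.100.9 dst=10.0.0.30 dport=3389 action=ALLOW
2022-10-12T03:00:00Z src=192.0.2.77 dst=10.0.0.40 dport=3389 action=DENY
2022-10-12T03:30:00Z src=192.0.2.77 dst=10.0.0.41 dport=3389 action=DENY
garbage line that does not match the format
""".splitlines()


if __name__ == "__main__":
    for src, hosts in detect_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {src}: {len(hosts)} hosts -> {', '.join(hosts)}")
    for src, dst, port in exposed_services(SAMPLE_LOG):
        print(f"allowed remote-desktop connection {src} -> {dst}:{port}")
```

Two things worth noting in the design: denied connections count toward the sweep, because the scan is the indicator regardless of whether the firewall blocked it, and the allowed connections are reported separately because each one is a remote-desktop service reachable from the Internet that should probably not be.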
Data breaches
Several of Australia’s largest companies have suffered data breaches that put millions of Australians at risk. Personal data held by Optus, Telstra, Medibank and Woolworths has been compromised, which raises the question of how the Australian government should intervene going forward.
International ticket seller See Tickets disclosed that payment card data entered on its site had been skimmed since June 2019, when attackers planted a skimmer on its checkout pages. The skimming was first noticed in April 2021 but was not fully removed until January 2022. The number of people affected is unknown.
Ransomware
Tata Power, India's largest integrated power company, suffered a cyberattack in which personally identifiable information (PII) was stolen. The Hive ransomware-as-a-service group claimed responsibility and has published the stolen data, which typically indicates that the victim declined to pay the ransom.
Vulnerabilities
Meta Platforms announced that it is notifying about a million Facebook users whose account credentials may have been compromised, after it identified more than 400 malicious Android and iOS apps that tricked users into entering their Facebook login details. Apple and Google have both removed the apps, and Meta says it will share tips to help potential victims avoid handing their credentials to untrustworthy apps.
This year’s U.S. Cybersecurity Awareness Month centered on the people behind the devices and screens. As we seek to maintain digital trust, it is crucial that individuals improve their personal digital security by seeing themselves in cyber and acting to better their cybersecurity habits. CISA recommends four habits: think before you click, update your software, use strong passwords, and enable multi-factor authentication.