News 12-30-2021

Latest News In TLS/SSL: 2021 Year in Review

DigiCert

In 2021, we brought you monthly roundups of the latest news about network and TLS/SSL security. Looking back on the year, we have now rounded up the biggest network and TLS security headlines of 2021. In addition, a team of DigiCert experts has made some forecasts for 2022 trends, which you can read in this post.

TLS news

  • In September the number of web certificates in use surpassed 100 million for the first time. According to Netcraft, there were 100,323,811 valid certificates, an increase of 1.39% since August.
  • At the October CA/B Forum meeting, Apple announced new S/MIME profile requirements, including an 825-day (roughly two-year) maximum lifetime for S/MIME certificates, effective April 2022.
  • After the IdenTrust DST Root CA X3 root that Let's Encrypt's default chain relied on expired on Sept. 30, many websites and services experienced issues, including Fortinet, Shopify and Google Cloud Monitoring. Let's Encrypt published a blog post to help users experiencing issues, but the episode shows how far-reaching a root certificate expiration can be, especially for older clients and devices whose trust stores are never updated.
  • The NSA warned organizations about ALPACA (Application Layer Protocols Allowing Cross-Protocol Attacks), a technique that exploits wildcard and other multi-name certificates shared between services (for example an HTTPS site and an FTP or mail server presenting the same certificate) to confuse a TLS client about which application-layer protocol it is speaking to. The NSA recommended that organizations inventory the wildcard certificates currently in use, limit their scope going forward, and use ALPN and strict SNI handling so that servers reject connections intended for a different protocol.
  • Apple is deprecating TLS 1.0 and 1.1 in both iOS and macOS. As of iOS 15 and macOS 12 the two versions are deprecated, and Apple has said support will be removed entirely in a future release; servers that still negotiate only these versions should move to TLS 1.2 or 1.3.
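The root-expiry outages and the ALPACA advisory both come down to the same operational question: what certificates are in use, which of them are wildcards, and when does each one (roots included) expire? The following Go program is an added example, not code from the DigiCert post or from any of the projects mentioned; it generates two self-signed test certificates inline (the example.com names, the 30-day warning threshold and the expiry dates are constructed for illustration) and runs the two checks a practitioner would want: list wildcard SANs and report days to expiry. In practice you would load PEM chains from disk or fetch them from your own endpoints instead of calling makeTestCert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is the result of inspecting one certificate.
type Finding struct {
	Subject      string
	Wildcards    []string // SAN dNSName entries of the form "*.example.com"
	DaysToExpiry int      // negative once NotAfter has passed
}

// WildcardSANs returns the dNSName entries that are wildcards. Under ALPACA a
// wildcard (or any multi-host) certificate lets one TLS service be confused
// with another that presents the same name set, so each one is worth listing.
func WildcardSANs(cert *x509.Certificate) []string {
	var out []string
	for _, name := range cert.DNSNames {
		if strings.HasPrefix(name, "*.") {
			out = append(out, name)
		}
	}
	return out
}

// DaysToExpiry returns the number of whole days from now until NotAfter.
// Run it over every certificate in the chain, roots included: the Sept. 30
// breakage came from an expiring root, not from a leaf.
func DaysToExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// Inspect combines both checks for one certificate.
func Inspect(cert *x509.Certificate, now time.Time) Finding {
	return Finding{
		Subject:      cert.Subject.CommonName,
		Wildcards:    WildcardSANs(cert),
		DaysToExpiry: DaysToExpiry(cert, now),
	}
}

// NeedsAttention flags a certificate that is a wildcard or expires within warnDays.
func NeedsAttention(f Finding, warnDays int) bool {
	return len(f.Wildcards) > 0 || f.DaysToExpiry < warnDays
}

// makeTestCert builds a self-signed certificate with the given SANs and expiry.
// It is constructed test data so the example runs offline; it is not how real
// inventory would be gathered. NotAfter is encoded with second precision, so
// callers pass a "now" truncated to seconds to get exact day counts.
func makeTestCert(dnsNames []string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now().Truncate(time.Second)
	// Constructed inventory: a wildcard cert with a year left, a single-name
	// cert expiring in twenty days, and a "root" that expired ten days ago.
	names := [][]string{{"*.example.com", "example.com"}, {"mail.example.com"}, {"Test Root CA"}}
	expiries := []time.Time{now.Add(365 * 24 * time.Hour), now.Add(20 * 24 * time.Hour), now.Add(-10 * 24 * time.Hour)}
	for i := range names {
		cert, err := makeTestCert(names[i], expiries[i])
		if err != nil {
			panic(err)
		}
		f := Inspect(cert, now)
		fmt.Printf("%-18s wildcards=%v days_to_expiry=%d attention=%v\n",
			f.Subject, f.Wildcards, f.DaysToExpiry, NeedsAttention(f, 30))
	}
}
```

The wildcard check is deliberately conservative: it flags every wildcard rather than trying to prove an ALPACA cross-protocol path exists, because the NSA's advice is to know the scope first and then decide case by case whether the name set can be narrowed.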

Data security

Vulnerabilities

  • A critical vulnerability in Log4j, a widely used Java logging library (CVE-2021-44228, nicknamed Log4Shell), was disclosed in December and described as capable of "incalculable damage". An attacker-controlled string that ends up in a log message triggers a JNDI lookup and can load and execute remote code, so an unpatched server can be taken over with a single crafted request. Companies including Apple, Google and Microsoft quickly pushed updates to deal with the flaw.
  • A signing key for EU Digital COVID certificates was reportedly leaked in late October, after forged certificates for Mickey Mouse, SpongeBob and even Adolf Hitler were generated and recognized as valid. The EU is investigating the leak to contain it and prevent further misuse.

Government regulation

  • The U.K. government introduced new legislation that would better protect consumer IoT devices from hackers and proposed heavy fines of up to £10m (or 4% of global turnover). The proposed requirements include banning universal default passwords, forcing firms to be transparent about how they are fixing security flaws and creating a reporting system for discovered vulnerabilities.
  • The U.S. Office of Management and Budget released a draft of the Federal Zero Trust Strategy, which will help move government agencies to a baseline of zero trust.
  • The U.S. Department of Defense announced that they will launch an office dedicated to zero trust to hasten the adoption of a zero-trust architecture. This comes in response to the 2020 SolarWinds attack and the May U.S. Executive Order on Improving the Nation’s Cybersecurity, which calls for government agencies to move towards a zero-trust architecture.
  • In September, U.S. President Joe Biden issued security guidance for companies to curb cyberattacks, especially following the recent hacks on U.S. companies.

Outages

  • Facebook, WhatsApp and Instagram were down for about six hours on Oct. 4 due to “an internal technical issue.” The issue took longer than usual to resolve because it affected the company’s internal systems, preventing employees from accessing the building and company networks. Facebook issued a statement apologizing and reassuring users that there was no evidence that user data was compromised as a result.

Quantum Computing

  • IBM announced a milestone in quantum computing: its 127-qubit Eagle processor, which IBM says is the first quantum processor whose scale puts a full classical simulation of its quantum state out of reach (the company puts that threshold at roughly 100 qubits).

Malware

  • A former Microsoft security analyst claimed that OneDrive and Office 365 have been hosting malware for years. A Microsoft spokesperson responded to the story, saying: "Abuse of cloud storage is an industry-wide issue and we're constantly working to reduce the use of Microsoft services to cause harm. We are investigating further improvements to prevent and rapidly respond to the types of abuse listed in this report."
  • A phishing campaign that targeted the aviation industry with malware had gone unnoticed for two years. Although the malware is not particularly advanced, it shows how small-scale attackers can manage to go under the radar for long periods of time without being detected.

Internet of Things

  • Smart home device manufacturers such as Google, Apple, Samsung and Amazon have come together on an industry standard: Matter. In early November, Amazon announced support of Matter for Echo and Eero devices. The Matter standard would help ensure interoperability between different devices and ecosystems, but also needs to consider the security of those connections.
  • A report by DigitalEurope found that the Internet of Things is missing product legislation for cybersecurity and lacks monitoring throughout a product’s lifecycle. The researchers recommend that the EU Commission launch proposals for legislation as soon as possible.

We’ll continue to provide updates in 2022 about industry news and events. Meanwhile, click here to see the past series and click here to read our predictions for 2022. For the latest news about DigiCert, visit our newsroom.
