Here is our latest news roundup of articles about network and TLS/SSL security. Click here to see the whole series..

TLS News

• In September the number of web certificates in use surpassed 100 million for the first time. According to Netcraft, there were 100,323,811 valid certificates, an increase of 1.39% since August.
• Apple is depreciating TLS 1.0 and 1.1 in both iOS and macOS. Currently, TLS 1.0 and 1.1 are not supported in iOS 15 and macOS 12, but all support will be removed in the future.
• Let’s Encrypt’s root certificate, IdentTrust DST Root CA X3, expired Sept. 30. Any devices that do not trust the new the ISRG Root X1 root certificate will experience warnings on any sites with Let’s Encrypt certificates after Sept. 30.
• The EFF announced plans to deprecate HTTPS Everywhere since HTTPS has been widely adopted.

Data breaches

• A hacktivist group known as Anonymous claimed to leak a decade’s worth of data from web hosting company Epik, which services many right-wing clients.

Vulnerabilities

• Apple released an emergency software update Sept. 13 for a vulnerability in iPhone, iPad, Apple Watches and Mac Computers that allowed an advanced form of spyware from NSO Group, an Israeli company.
• An attacker released nearly 90,000 credential sets for FortiGate SSL VPN devices. Users should reset their passwords to protect against network attacks.

Government regulation

• The U.S. Office of Management and Budget released a draft of the Federal Zero Trust Strategy, which will help move government agencies to a baseline of zero trust.
• U.S. President Joe Biden issued security guidance for companies to curb cyberattacks, especially following the recent hacks on U.S. companies.

Malware

• Microsoft researchers discovered a new malware that has left open a backdoor into AD SSO servers since April 2020. The attackers are said to be the same group behind the destructive SolarWinds attack.
• For the first time, a new malware has compromised Windows machines through Linux binaries.
• A phishing campaign that targeted the aviation industry with malware has gone unnoticed for two years. Although the malware is not particularly advanced, it shows how small-scale attackers can manage to go under the radar for long periods of time without being detected.

Digital Signatures

• Due to the lack of the Swiss electronic signature being recognized in the EU, a 400 million euro deal for double-decker trains fell through this month. The signer used a digital signature, but not one that is valid across boarders within EU states.
• Employees are suing company Gorillas for unenforceable employment contracts due to a legal dispute over electronic signatures.

Internet of Things

• A new report by DigitalEurope found that the Internet of Things is missing product legislation for cybersecurity and lacks monitoring throughout a product’s lifecycle. The researchers recommend that the EU Commission launches proposals for legislation as soon as possible.