Here is our latest news roundup of articles about network and TLS/SSL security. Click here to see the whole series.

TLS/SSL

• The root certificate currently used by Microsoft 365 and Azure Communication Services will expire in May 2025. Microsoft has published guidance and documentation to prepare users for the migration to one of DigiCert’s newer root certificates.
• Russia created its own certificate authority (CA) to bypass sanctions. Other CAs, such as DigiCert, have not renewed existing .ru TLS certificates. As browsers will block any sites with expired certs, Russia’s own CA is their way to bypass these sanctions.
• Microsoft Azure upgraded to TLS 1.2, causing issues for some DevOps users. So Microsoft temporarily resumed service for TLS 1.0/1.1 to fix those issues.

Digital identity

• The debate continues between internet browsers and other community groups with European Union lawmakers regarding the display of verified identity information for QWAC (Qualified Web Authentication Certificate) TLS.
• The EU released an outline of the Architecture and Reference Framework for the European Digital Identity Wallets proposed as part of the eIDAS-2 revisions to the EU’s eID and electronic transactions laws, and issued a call for proposals for digital identity pilots and infrastructure under the program.

Vulnerabilities

• Google issued an emergency security update for over 3 billion Chrome users after Chrome was under attack earlier this month. Attackers targeted a zero-day vulnerability. The attackers came from North Korea and appeared to target U.S. workers in industries like news media, IT, cryptocurrency and financial services.
• President Joe Biden warned private sectors to protect against potential Russian cyberattacks in a statement from the White House. Biden said, "I urge our private sector partners to harden your cyber defenses immediately . . . to do [your] part to meet one of the defining threats of our time." With the Colonial Pipeline incident fresh on our minds, it’s an important reminder to all businesses, even outside of the United States
• OpenSSL patched a bug caused by rogue certificates. The bug left systems vulnerable to denial-of-service attacks.

Data breaches

• Okta announced a breach from January 2022. The company said that about 2.5% of customers may have been affected.
• Facebook received a fine of over $18 million (€17 million) for GDPR violations in 2018. The Irish Data Protection Commission found several data breaches in which Meta failed to implement security measures to protect EU users’ data.
• The FTC took action against ecommerce platform CafePress in mid-March due to CafePress’s failure to implement security measures to protect information on its network and cover-up of a major breach. CafePress stored plain text Social Security numbers, and inadequately encrypted passwords and answers to password reset questions with what the FTC director called “careless security practices.” CaféPress will pay half a million dollars to small business owners to compensate.
• Over 500,000 patients' personal data was exposed in a data breach affecting firms in Alabama and Colorado. According to the healthcare firm breached, healthcare data was not affected but names, birth dates, Social Security numbers and driver’s license numbers may have been.
• Student data in New York City was compromised in a massive breach affecting 820,000 current and former students. Children K-12 were exposed, and the New York City school district advises parents to change passwords and beware of scam calls or fraudulent credit card openings.
• Shutterfly disclosed a breach that occurred in December 2021. Shutterfly was hit with Conti ransomware, which allowed the attackers to steal network data, including employee information.

Quantum computing

• Microsoft claimed an important breakthrough in quantum computing: the ability to sustain its version of a quantum bit, the topological qubit. This is a key step to scaling quantum computing and solving the large-scale problems that current computers cannot.
• Scientists at the Max Planck Institute of Quantum Optics discovered a "speed limit" for electronics — the fastest that they could theoretically operate.

Malware

• Researchers discovered a new malware in Ukraine, the CaddyWiper. The malware can erase user data and steal information from drives on a compromised device.
• Stolen code signing certificates from Nvidia were used to sign malware. Nvidia was hit by ransomware that led to a data leak, including two code signing certs and up to 1TB of data. Although both certs have expired, Windows will accept expired certs for drivers.
• Admins can configure WDAC (Windows Defender Application Control policies) to control what drivers can be loaded in windows.

Internet of Things

• The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of a new threat to uninterruptible power supply (UPS) devices. These devices include routers, smart-lighting systems and appliances. CISA advised that default usernames and passwords be changed, as this is the most common way attackers gain access.
• Microsoft patched several bugs in Microsoft Azure Defender for IoT, including SQL injection, race condition and two critical remote code execution vulnerabilities. These are now patched; however, it did take six months to address these flaws.