10-29-2021

Latest News In TLS/SSL: October 2021

Here is our latest news roundup of articles about PKI and TLS/SSL security. Click here to see the whole series.

TLS news

  • At the October CA/B Forum meeting, Apple announced new S/MIME profile requirements and a two-year lifetime on S/MIME certificates that will go into effect April 2022.
  • Additionally, the S/MIME working group is developing a new set of Baseline Requirements and a rough draft was discussed at this month’s CA/B Forum. However, the requirements likely will take time to adopt, and will go into effect in the next year or two.
  • The NSA warned organizations of a new risk in wildcard certificates named ALPACA. The NSA recommended that organizations inventory the current scope of wildcard certificates in use and, going forward, limit the use of wildcard certificates to avoid this type of attack.
  • After Let’s Encrypt root certificate expired on Sept. 30, many websites experienced issues, including Fortinet, Shopify and Google Cloud Monitoring. Let’s Encrypt released a blog post to help users experiencing issues, but this example highlights the major impacts of a root certificate expiration.

Data security

Outages

  • Facebook, WhatsApp and Instagram were down for about six hours on Oct. 4 due to “an internal technical issue.” The issue took longer than usual to resolve because it affected the company’s internal systems, preventing employees from accessing the building and company networks. Facebook issued a statement apologizing and reassuring users that there was no evidence that user data was compromised as a result.

Data breaches

  • A hacker accessed a government ID database for the entire population of Argentina, including celebrities and sports starts like Lionel Messi. The hacker plans to sell and leak the stolen ID card details to any interested buyers. The breach affects over 45 million people and was likely achieved through a compromised VPN account.
  • Earlier this month hackers exploited a multi-factor authentication flaw to steal cryptocurrency from about 6,000 Coinbase customers.
  • A U.S. TV network, Sinclair Broadcast Group, was hit with a ransomware attack that disrupted some of its servers and stations.

Automation

Malware

  • A former Microsoft security analyst claims that OneDrive and Office365 have been hosting malware for years. A Microsoft spokesperson responded to the story, saying: "Abuse of cloud storage is an industry-wide issue and we're constantly working to reduce the use of Microsoft services to cause harm. We are investigating further improvements to prevent and rapidly respond to the types of abuse listed in this report."
  • Apple criticized EU draft rules that would allow users to install software from outside the Apple App Store, claiming it could lead to increased malware. However, the Coalition for App Fairness claims that security measures like encryption and anti-virus programs provide device security, not the App Store.

Digital signatures

Code signing

UP NEXT

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

Featured Stories

VMC Blog Featured Image

Getting Your Logo in Your User's Inbox: Tips Learned from the VMC Gmail Pilot

06-21-2021

What Makes Digital Signatures Secure

06-11-2021

How Vaccine Passports Could Change Digital Identity