News 12-30-2021

Latest News In TLS/SSL: 2021 Year in Review

In 2021, we brought you monthly roundups of the latest news about network and TLS/SSL security. Looking back on the year, we’ve now rounded up the biggest network and TLS security headlines of 2021. Furthermore, a team of experts has made some forecasts for 2022 trends, which you can read in this post.

TLS news

  • In September the number of web certificates in use surpassed 100 million for the first time. According to Netcraft, there were 100,323,811 valid certificates, an increase of 1.39% since August.
  • At the October CA/B Forum meeting, Apple announced new S/MIME profile requirements and a two-year lifetime on S/MIME certificates that will go into effect April 2022.
  • After expired on Sept. 30, , including Fortinet, Shopify and Google Cloud Monitoring. Let’s Encrypt released a to help users experiencing issues, but this example highlights the major impacts of a root certificate expiration.
  • The NSA warned organizations of a new risk in wildcard certificates named ALPACA. The NSA recommended that organizations inventory the current scope of wildcard certificates in use and, going forward, limit the use of wildcard certificates to avoid this type of attack.
  • in both iOS and macOS. Currently, TLS 1.0 and 1.1 are not supported in iOS 15 and macOS 12, but all support will be removed in the future.

Data security

  • October was cybersecurity awareness month, a reminder to protect against cyberattacks and prompt discussions about what governments and organizations can do to promote best practices.
  • The targeting people searching for unemployment benefits.

Data breaches

  • A hacker accessed a government ID database for the , including celebrities and sports stars like . The hacker plans to sell and leak the stolen ID card details to any interested buyers. The breach affects over 45 million people and was likely achieved through a compromised VPN account.
  • Over by a breach at GoDaddy in November. The attacker gained access through a compromised password and . Additionally, it appears that usernames and passwords were easily exposed because they were .
  • Robinhood, a U.S. trading platform, was breached due to aimed at customer support. Attackers were able to access the names of 2 million customers and additional data on some clients. However, according to a Robinhood statement, there were no customer financial losses.
  • In October, hackers exploited a multi-factor authentication flaw to .

Vulnerabilities

  • A new vulnerability in Java, the , was discovered in December that could have . Companies like Apple, Google and Microsoft have quickly pushed updates to deal with the flaw, which left unpatched could be used to take over computer servers.
  • The as forged certificates for Mickey Mouse, Sponge Bob and even Adolf Hitler were generated and recognized as valid. The EU is currently investigating the leak to contain it and prevent any future misuse.

Government regulation

  • The that would better protect consumer IoT devices from hackers and proposed heavy fines of up to £10m (or 4% of global turnover). The proposed requirements include banning universal default passwords, forcing firms to be transparent about how they are fixing security flaws and creating a reporting system for discovered vulnerabilities.
  • The U.S. Office of Management and Budget released a draft of the , which will help move government agencies to a baseline of zero trust.
  • The U.S. Department of Defense announced that they will launch an office dedicated to zero trust to hasten the adoption of a zero-trust architecture. This comes in response to the 2020 attack and the May , which calls for government agencies to move towards a zero-trust architecture.
  • In September, issued security guidance for companies to curb cyberattacks, especially following the recent hacks on U.S. companies.

Automation

  • A new survey on PKI Automation from found that enterprises are and two-thirds have experienced outages caused by unexpected expiring certificates. Get the full survey findings here.

Outages

  • for about six hours on Oct. 4 due to “an internal technical issue.” The issue took longer than usual to resolve because it affected the company’s internal systems, preventing employees from accessing the building and company networks. Facebook issued a apologizing and reassuring users that there was no evidence that user data was compromised as a result.

Quantum Computing

  • IBM announced a : creating a quantum processor that can process information that a traditional computer cannot. The Eagle processor, as IBM calls it, can , whereas a traditional computer can only process 100 qubits.

Malware

  • A former Microsoft security analyst claimed that for years. A Microsoft spokesperson responded to the story, saying: "Abuse of cloud storage is an industry-wide issue and we're constantly working to reduce the use of Microsoft services to cause harm. We are investigating further improvements to prevent and rapidly respond to the types of abuse listed in this report."
  • A phishing campaign that targeted the aviation industry with malware had . Although the malware is not particularly advanced, it shows how small-scale attackers can manage to go under the radar for long periods of time without being detected.

Digital signatures

  • Because the Swiss electronic signature is not recognized in the EU, a in September. The signer used a digital signature, but not one that is valid across borders within EU states.
  • Employees are for due to a legal dispute over electronic signatures.

Internet of Things

  • Smart home device manufacturers such as Google, Apple, Samsung and Amazon have come together on an industry standard: . In early November, announced support of Matter for Echo and Eero devices. The Matter standard would help ensure interoperability between different devices and ecosystems, but also needs to consider the security of those connections.
  • A found that the Internet of Things is missing product legislation for cybersecurity and lacks monitoring throughout a product’s lifecycle. The researchers recommend that the EU Commission launch proposals for legislation as soon as possible.

We’ll continue to provide updates in 2022 about industry news and events. Meanwhile, click here to see the past series and click here to read our predictions for 2022. For the latest news about , visit our newsroom.
