News 04-05-2022

Latest News In PKI: March 2022


Here is our latest news roundup of articles about network and TLS/SSL security.

TLS/SSL

  • The root certificate currently used by and Azure Communication Services will expire in Microsoft has published guidance and documentation to prepare users for the migration to one of ’s newer root certificates.
  • Russia created its own certificate authority (CA) to bypass sanctions. Other CAs, such as , have not renewed existing .ru TLS certificates. Because browsers warn on, or refuse, connections to sites whose certificates have expired, Russia’s own CA is its way around these sanctions. The caveat for anyone outside Russia: the new root is not in the trust stores of Chrome, Firefox, Safari or Edge, so only browsers that ship it (Yandex Browser and Atom at the time of writing) will accept certificates issued from it without a warning.
  • causing issues for some DevOps users. So Microsoft temporarily resumed TLS 1.0/1.1 support while those issues are resolved; affected clients should still move to TLS 1.2 or later before the deprecation is re-applied.

Digital identity

  • The between internet browsers and other community groups with European Union lawmakers regarding the display of verified identity information for QWAC (Qualified Website Authentication Certificate) TLS. The sticking point is the proposed Article 45 of eIDAS 2.0, which would oblige browsers to recognise QWACs issued by EU-designated trust service providers and show the verified identity; browser vendors argue that a legal mandate to trust specific CAs removes their ability to distrust a CA that misissues certificates.
  • The EU released an outline of the for the European Digital Identity Wallets proposed as part of the eIDAS-2 revisions to the EU’s eID and electronic transactions laws, and issued a for digital identity pilots and infrastructure under the program.

Vulnerabilities

  • for over 3 billion Chrome users after Chrome came under attack earlier this month. Attackers exploited a zero-day vulnerability. The attackers came from and appeared to target U.S. workers in industries such as news media, IT, cryptocurrency and financial services.
  • to protect against potential Russian cyberattacks in a statement from the White House. Biden said, "I urge our private sector partners to harden your cyber defenses immediately . . . to do [your] part to meet one of the defining threats of our time." With the incident fresh on our minds, it’s an important reminder to all businesses, even outside of the United States.
  • OpenSSL patched a bug caused by The bug left systems vulnerable to denial-of-service attacks: any code path that parses an attacker-supplied certificate or key can be made to hang, so TLS servers doing client authentication and TLS clients are both affected until patched.

Data breaches

  • announced a breach from January 2022. The company said that about of customers may have been affected.
  • (€17 million) for GDPR violations in 2018. The Irish Data Protection Commission found several data breaches in which Meta to protect EU users’ data.
  • The in mid-March due to CafePress’s failure to implement security measures to protect information on its network and its cover-up of a major breach. CafePress stored Social Security numbers and answers to password-reset questions in plain text and protected passwords with weak hashing, in what the FTC director called “careless security practices.” CafePress will pay half a million dollars to small business owners as compensation.
  • was exposed in a data breach affecting firms in Alabama and Colorado. According to the breached healthcare firm, healthcare data was not affected, but names, birth dates, Social Security numbers and driver’s license numbers may have been.
  • in a massive breach affecting 820,000 current and former students. Data on K-12 children was exposed, and the New York City school district advises parents to change passwords and to watch for scam calls and fraudulent credit accounts opened in their children’s names.
  • that occurred in December 2021. Shutterfly was hit with Conti ransomware, which allowed the attackers to steal network data, including employee information.

Quantum computing

  • an important breakthrough in quantum computing: the ability to sustain its version of a quantum bit, the This is a key step to scaling quantum computing and solving the large-scale problems that current computers cannot.
  • Scientists at the Max Planck Institute of Quantum Optics discovered a fundamental speed limit for electronics, the fastest rate at which they could theoretically operate.

Malware

  • Researchers discovered a the CaddyWiper. The malware erases user data and partition information from drives attached to a compromised device; it is destructive rather than a data-stealing tool.
  • Stolen code signing certificates from Nvidia were used to Nvidia was hit by ransomware that led to a and up to 1TB of data. Although both certificates have expired, Windows does not enforce certificate expiry when validating driver signatures, so a driver signed with either certificate will still load.
  • Admins can configure Windows Defender Application Control (WDAC) policies to control which drivers can be loaded in Windows; a WDAC deny rule overrides any allow rule, so a rule keyed to the leaked certificates blocks drivers signed with them without affecting drivers signed with Nvidia’s other certificates.
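Added example, not code from the DigiCert post or from Microsoft’s own Nvidia guidance: a PowerShell workflow that turns a sample binary signed with a leaked certificate into a WDAC deny rule at the leaf-certificate level, merged into Microsoft’s shipped audit-mode base policy. Any driver or executable carrying that exact signing certificate is then blocked, while files signed with the vendor’s other certificates still load. The quarantine folder path and the policy file names are assumptions; everything else uses the ConfigCI cmdlets as documented.

```powershell
# Run in an elevated PowerShell session on the machine that will author the policy.
# Assumption: C:\Quarantine\LeakedCertSamples holds one or more binaries (e.g. the
# driver seen in the wild) that are signed with the leaked certificate. The rule is
# derived from the certificate on those files, so no thumbprint has to be typed in.
$samplePath = 'C:\Quarantine\LeakedCertSamples'
$policyXml  = '.\BlockLeakedCert.xml'
$policyBin  = '.\SIPolicy.p7b'

# 1. Collect the signer information from the sample files. -UserPEs also scans user-mode
#    executables, so the same rule covers a stolen cert reused on non-driver binaries.
$samples = Get-SystemDriver -ScanPath $samplePath -UserPEs -NoShadowCopy

# 2. Build deny rules keyed to the leaf certificate (its TBS hash), not the publisher:
#    -Level Publisher would deny every driver from the same CA/vendor pair.
$denyRules = New-CIPolicyRule -Level LeafCertificate -DriverFiles $samples -Deny

# 3. Start from Microsoft's example base policy, which ships in audit mode (option 3),
#    so the first deployment only logs what would have been blocked (Event ID 3076/3077).
$base = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml'
Copy-Item -Path $base -Destination $policyXml -Force

# 4. Merge the deny rules into the base policy. Deny rules win over any allow rule.
Merge-CIPolicy -OutputFilePath $policyXml -PolicyPaths $policyXml -Rules $denyRules | Out-Null

# 5. After validating in audit mode, drop option 3 to switch the policy to enforcement.
#    Leave this line commented out until the audit logs look clean.
# Set-RuleOption -FilePath $policyXml -Option 3 -Delete

# 6. Compile to the binary form that Code Integrity loads, then deploy (single-policy
#    format). A reboot is required for the new policy to take effect.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin | Out-Null
Copy-Item -Path $policyBin -Destination (Join-Path $env:windir 'System32\CodeIntegrity\SIPolicy.p7b') -Force

# Quick check of what the merged policy now denies.
Select-Xml -Path $policyXml -XPath '//*[local-name()="DeniedSigner"]' |
    ForEach-Object { $_.Node.SignerId }
```

Keep the policy in audit mode on a pilot group first and review the CodeIntegrity operational log before enforcing; a typo in the scan path or a sample signed with the wrong certificate would produce a deny rule for the wrong signer. On Windows 11 and Server 2022, where the multiple-policy format is used, deploy the compiled file with `citool.exe --update-policy` instead of copying it to SIPolicy.p7b.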

Internet of Things

  • CISA warned of a new threat to internet-connected uninterruptible power supply (UPS) devices, whose management interfaces are increasingly reachable over the network. CISA advised that default usernames and passwords be changed, as unchanged default credentials are the most common way attackers gain access, and that UPS management interfaces be kept off the public internet or placed behind a VPN.
  • in Microsoft Azure Defender for IoT, including SQL injection, race condition and two critical remote code execution vulnerabilities. These are now patched; however, it did take six months to address these flaws.