Here is our latest news roundup of articles about PKI and TLS/SSL security. Click here to see the whole series.
TLS news
- At the October CA/B Forum meeting, Apple announced new S/MIME profile requirements and a two-year lifetime on S/MIME certificates that will go into effect .
- Additionally, the S/MIME working group is developing a new set of Baseline Requirements, and a rough draft was discussed at this month’s CA/B Forum. However, the requirements will likely take time to adopt and will go into effect in the next year or two.
- The NSA warned organizations about ALPACA, a new attack that abuses wildcard certificates. The NSA recommended that organizations inventory the current scope of wildcard certificates in use and, going forward, limit the use of wildcard certificates to avoid this type of attack.
- After expired on Sept. 30, including Fortinet, Shopify and Google Cloud Monitoring. Let’s Encrypt released a to help users experiencing issues, but this example highlights the major impacts of a root certificate expiration.
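The NSA's first recommendation above is an inventory. As an added example (not code from the article or from the NSA), the following script takes a constructed, hypothetical list of hosts and the certificates deployed on them, checks which certificates are wildcards, which hosts a certificate is deployed on but does not actually cover, and flags the ALPACA precondition: one certificate accepted by servers speaking different application protocols.

```python
"""Wildcard-certificate inventory check in the spirit of the NSA's ALPACA
guidance: the risk is one cert accepted by servers of several protocols."""

# Constructed sample inventory: hypothetical hosts and certificates.
HOSTS = [
    {"host": "www.example.com",      "protocol": "https", "cert": "wild-com"},
    {"host": "mail.example.com",     "protocol": "smtp",  "cert": "wild-com"},
    {"host": "ftp.example.com",      "protocol": "ftp",   "cert": "wild-com"},
    {"host": "api.example.com",      "protocol": "https", "cert": "api-only"},
    {"host": "shop.example.net",     "protocol": "https", "cert": "wild-net"},
    {"host": "deep.sub.example.net", "protocol": "https", "cert": "wild-net"},
]
CERTS = {  # certificate id -> subjectAltName dNSName entries (constructed)
    "wild-com": ["*.example.com", "example.com"],
    "api-only": ["api.example.com"],
    "wild-net": ["*.example.net"],
}

def is_wildcard(name):
    return name.startswith("*.")

def name_matches(san, host):
    """RFC 6125 style: '*' covers exactly one leftmost DNS label."""
    san, host = san.lower(), host.lower()
    if not is_wildcard(san):
        return san == host
    suffix = san[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]           # the part the '*' stands for
    return bool(label) and "." not in label

def inventory(hosts, certs):
    """Per certificate: wildcard flag, protocols served, cross-protocol
    exposure, and hosts the cert is deployed on but does not cover."""
    report = {}
    for cert_id, sans in certs.items():
        deployed = [h for h in hosts if h["cert"] == cert_id]
        protocols = sorted({h["protocol"] for h in deployed})
        wildcard = any(is_wildcard(s) for s in sans)
        uncovered = sorted(h["host"] for h in deployed
                           if not any(name_matches(s, h["host"]) for s in sans))
        report[cert_id] = {
            "wildcard": wildcard,
            "protocols": protocols,
            # ALPACA precondition: one cert trusted by servers of >1 protocol.
            "cross_protocol": wildcard and len(protocols) > 1,
            "uncovered_hosts": uncovered,
        }
    return report
```

Certificates reported with `cross_protocol` set are the ones to split into per-service certificates first; `uncovered_hosts` points at deployments that would fail name validation anyway.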
Data security
- October was cybersecurity awareness month, a reminder to protect against cyberattacks and prompt discussions about what governments and organizations can do to promote best practices.
- Luxury fashion brand Neiman Marcus let 4.6 million customers know that their data, including usernames and passwords, was exposed in a breach in May 2020.
- The targeting people searching for unemployment benefits.
Outages
- for about six hours on Oct. 4 due to “an internal technical issue.” The issue took longer than usual to resolve because it affected the company’s internal systems, preventing employees from accessing the building and company networks. Facebook issued a apologizing and reassuring users that there was no evidence that user data was compromised as a result.
Data breaches
- A hacker accessed a government ID database for the including celebrities and sports stars like The hacker plans to sell and leak the stolen ID card details to any interested buyers. The breach affects over 45 million people and was likely achieved through a compromised VPN account.
- Earlier this month hackers exploited a multi-factor authentication flaw to
- A U.S. TV network, Sinclair Broadcast Group, was hit with a that disrupted some of its servers and stations.
Automation
- A new survey on PKI Automation from found that enterprises are and two-thirds have experienced outages caused by unexpected expiring certificates. Get the full survey findings here.
Malware
- A former Microsoft security analyst claims that for years. A Microsoft spokesperson responded to the story, saying: "Abuse of cloud storage is an industry-wide issue and we're constantly working to reduce the use of Microsoft services to cause harm. We are investigating further improvements to prevent and rapidly respond to the types of abuse listed in this report."
- that would allow users to install software from outside the Apple App Store, claiming it could lead to increased malware. However, the Coalition for App Fairness claims that security measures like encryption and anti-virus programs provide device security, not the App Store.
Digital signatures
- was uncovered in LibreOffice and OpenOffice. Attackers could manipulate the time stamp, document contents or even self-sign documents with untrusted signatures.
Code signing
- blocking users from downgrading to the older operating system.