Here is our latest news roundup of articles about network and TLS/SSL security. Click here to see the whole series.

TLS news

• DigiCert released security predictions for 2022, including predictions about what’s in store for ransomware, post-quantum computing, automation, VMCs and more.
• Earlier this month, Detectify Labs published a report analyzing TLS certificates that shows companies need to be aware of information in domain names, otherwise they can become “a looking glass into the organization.”
• Microsoft Windows 11 users experienced some failures due to an expired certificate. The certificate expired on Oct. 31, 2021, and affected features like the snipping tool, start menu, touch keyboard and more. Microsoft issued a warning and suggested workarounds and continues to update users on the situation.

Data breaches

• Robinhood, a U.S. trading platform, was breached due to a social engineering attack aimed at customer support. Attackers were able to access the names of 2 million customers and additional data on some clients. However, according to a Robinhood statement, there were no customer financial losses.
• Over 1.2 million WordPress customers were affected by a breach at GoDaddy. The attacker gained accessed through a compromised password and went undetected for two months. Additionally, it appears that usernames and passwords were easily exposed because they were not stored with a hash or public key.
• Personal data of nearly 6 million Southeast Asians was leaked from a hotel booking site, RedDoorz. RedDoorz’s website operator, Commeasure, was fined $74,000 as a result.

Vulnerabilities

• After Microsoft failed to correctly patch a flaw, every version of Windows was at risk of a zero-day vulnerability. Microsoft is aware and has labeled the vulnerability a medium threat but didn’t give a timeline for releasing a fix.
• The private key used for EU Digital COVID certificates was leaked in late October as forged certificates for Mickey Mouse, Sponge Bob and even Adolf Hitler were generated and recognized as valid. The EU is currently investigating the leak to contain it and prevent any future misuse.

Government regulation

• The U.K. government introduced new legislation that would better protect consumer IoT devices from hackers and proposed heavy fines of up to £10m (or 4% of global turnover). The proposed requirements include banning universal default passwords, forcing firms to be transparent about how they are fixing security flaws and creating a reporting system for discovered vulnerabilities.
• The U.S. Department of Defense announced that they will launch an office dedicated to zero trust to hasten the adoption of a zero-trust architecture. This comes in response to the 2020 SolarWinds attack and the recent U.S. Executive Order on Improving the Nation’s Cybersecurity, which calls for government agencies to move towards a zero trust architecture.

Quantum Computing

• IBM announced a breakthrough in quantum computing: creating a quantum processor that can process information that a traditional computer cannot. The Eagle processor, as IBM calls it, can process 127 qubits, whereas a traditional computer can only process 100 qubits.

Malware

• A new mobile malware affecting Android devices, dubbed SharkBot, is targeting European banks and cryptocurrency services. SharkBot performs ATS attacks inside an infected device which enables attackers to auto-fill fields in mobile banking apps.

Internet of Things

• Smart home device manufacturers such as Google, Apple, Samsung and Amazon have come together on an industry standard: Matter. In early November, Amazon announced support of Matter for Echo and Eero devices. The Matter standard would help ensure interoperability between different devices and ecosystems, but also needs to consider the security of those connections.
• Awareness of a new iPhone hack where AirPods can be used as a remote listening device spread quickly via TikTok. iPhone users can set their phone to “listening” mode, leave it in another room, and pick up sound via Bluetooth headphones. Thus, people were warned to be careful of their conversations around unattended iPhones.

PKI

• The PKI Consortium is developing an open-source global list of Trust Lists. Trust Lists are used by applications to know whether or not to trust a certificate and its issuer. This global list will be open to any region, purpose, size or industry.
• A new tool, Driftwood, was released this month that allows organizations to discover leaked paired private and public keys.