Here is our latest news roundup of articles about PKI and TLS/SSL security. Click here to see the whole series.
TLS news
At the October CA/B Forum meeting, Apple announced new S/MIME profile requirements and a two-year lifetime on S/MIME certificates that will go into effect April 2022.
Additionally, the S/MIME working group is developing a new set of Baseline Requirements and a rough draft was discussed at this month’s CA/B Forum. However, the requirements likely will take time to adopt, and will go into effect in the next year or two.
The NSA warned organizations of a new risk, named ALPACA, that affects the use of wildcard certificates. The NSA recommended that organizations inventory the current scope of wildcard certificates in use and, going forward, limit the use of wildcard certificates to avoid this type of attack.
October was cybersecurity awareness month, a reminder to protect against cyberattacks and prompt discussions about what governments and organizations can do to promote best practices.
Luxury fashion brand Neiman Marcus let 4.6 million customers know that their data, including usernames and passwords, was exposed in a breach in May 2020.
Facebook, WhatsApp and Instagram were down for about six hours on Oct. 4 due to “an internal technical issue.” The issue took longer than usual to resolve because it affected the company’s internal systems, preventing employees from accessing the building and company networks. Facebook issued a statement apologizing and reassuring users that there was no evidence that user data was compromised as a result.
Data breaches
A hacker accessed a government ID database for the entire population of Argentina, including celebrities and sports stars like Lionel Messi. The hacker plans to sell and leak the stolen ID card details to any interested buyers. The breach affects over 45 million people and was likely achieved through a compromised VPN account.
A former Microsoft security analyst claims that OneDrive and Office365 have been hosting malware for years. A Microsoft spokesperson responded to the story, saying: "Abuse of cloud storage is an industry-wide issue and we're constantly working to reduce the use of Microsoft services to cause harm. We are investigating further improvements to prevent and rapidly respond to the types of abuse listed in this report."
Apple criticized EU draft rules that would allow users to install software from outside the Apple App Store, claiming it could lead to increased malware. However, the Coalition for App Fairness claims that security measures like encryption and anti-virus programs provide device security, not the App Store.
Digital signatures
A new spoofing flaw for digital signatures was uncovered in LibreOffice and OpenOffice. Attackers could manipulate the time stamp, document contents or even self-sign documents with untrusted signatures.