Here is our latest roundup of news about digital security in our connected world. Click here to see the whole series.
DigiCert news
- We are changing the names of our DigiCert ONE managers to better reflect the value they bring to their customers. The name changes are part of DigiCert's focus on digital trust, which reduces risk of business disruption, protects attack surfaces, improves agility and drives innovation.
- DigiCert is now offering Verified Mark Certificates (VMCs) for six additional trademark offices and government marks in over 30 countries worldwide. VMCs are part of the Brand Indicators for Message Identification (BIMI) initiative and enable businesses to demonstrate their brand in emails through a visual indicator, even before the email is opened. While trademarks are how private organizations register and protect their logo, government agencies register marks differently, often through government legislation. Therefore, VMC requirements were updated to allow government agencies to present their enabling legislation, instead of presenting a trademark registration, to get VMCs for their official seals. Government marks are eligible for a VMC everywhere VMC trademarks are currently recognized and in all EU countries.
IoT
- The National Institute of Standards and Technology (NIST) has chosen Ascon as the formal encryption standard for lightweight electronic devices and their communications. Given that such devices have limited processing power and storage, this standard is expected to help businesses, manufacturers and critical infrastructure sectors to better secure data and devices from attackers targeting operational technology. However, IoT vendors are still catching up to cybersecurity best practices, with devices often lacking strong authentication capabilities, no easy way to distribute and install patches, and poor visibility into activity.
European standards
- The European Parliament's Industry, Research and Energy Committee has adopted a proposal for a European digital identity wallet, which would enable users to authenticate themselves online. The wallet would enable citizens to access key public services across EU borders, while giving users control of their data and the ability to decide what information to share and with whom. The wallet will also facilitate wider adoption of electronic signatures. MEPs also proposed measures to enhance privacy and cybersecurity and ensure accountability for transactions.
U.S. standards
- A recent decision by a California Court of Appeals suggests that electronic signatures require additional proof for authentication compared to handwritten signatures. The court stated that “while handwritten and electronic signatures have the same legal effect once authenticated, there is a considerable difference between the evidence needed to authenticate the two.” The decision explains that it is easy for a person to recognize a handwritten signature later, but they may not recall an electronic signature. That's why it's important to pay attention to e-signature legal requirements for your jurisdiction, and to use digital signatures that clearly authenticate the signer and provide strong proof of signature.
Quantum
- Scientists at Sussex University have taken a significant step towards the development of quantum computers with a successful experiment in transferring quantum information between two computer chips with a record accuracy and speed. Current quantum computing technology involves solving problems with one chip at a time. Researchers want to be able to develop computers that can carry out calculations using multiple chips simultaneously. Since quantum information is more than just zeros and ones, being able to transfer it from one chip to another with high accuracy is crucial. The breakthrough brings the goal of developing a powerful quantum computer, which would be able to solve complex real-world problems that current computers can't, closer to reality.
- Google has demonstrated quantum error correction on its quantum processor, Sycamore, which has the same number of qubits but improved performance. Error correction involves the creation of an error-corrected logical qubit by distributing a quantum state among a set of connected qubits with additional qubits neighboring each member of the logical qubit. While it is the first time an advantage has been demonstrated, Google estimates that the performance of the hardware qubits would need to improve by another 20% or more to provide a clear advantage to large logical qubits.
- The Kyber key encapsulation method, which has been recommended by NIST for post-quantum cryptography has not been broken. However, researchers from the KTH Royal Institute of Technology in Stockholm showed how side-channel attacks against specific implementations can be found using recursive training AI combined with side-channel attacks. The importance of this research is that rapidly improving artificial intelligence may accelerate our ability to find flaws in both classical and post-quantum encryption algorithms and their implementations. This is a reminder that crypto-agility is essential to protect against evolving threats.
Vulnerabilities
- Researchers from SentinelLabs have discovered that cybercriminals are using malvertising to distribute virtualized .NET loaders that are dropping info-stealing malware, including the Formbook and XLoader malware, which are sold on the dark web. The loaders, which are called MalVirt, use virtualization via the legitimate KoiVM tool for .NET applications to obfuscate their implementation and execution. The move towards malvertising is an adaptation by cybercriminals after Microsoft blocked macros by default in its Word, Excel and PowerPoint applications.
Data breaches
- GoDaddy has reported a multi-year security compromise in a filing with the Securities and Exchange Commission. Three security events from 2020 to 2022 allowed attackers to steal company source code, employee login credentials and install malware. In the latest event in December 2022, the threat actor accessed cPanel hosting servers used by customers to manage websites hosted by GoDaddy, and installed malware that intermittently redirected some customer websites to malicious sites. The company's investigation is ongoing.
- LastPass has disclosed new details about a data breach in December, revealing that attackers stole encrypted password vault data and customer information for over two months using a keylogger on a senior DevOps engineer's computer. The hackers exploited a remote code execution vulnerability to install the keylogger and gained access to the DevOps engineer's LastPass corporate vault, enabling them to export native corporate vault entries, content of shared folders and encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups and other cloud-based storage resources.
- Cryptocurrency exchange platform Coinbase has disclosed that its employees were targeted in a cybersecurity attack that exposed a "limited amount of data" from its directory, including employee names, e-mail addresses and some phone numbers. The incident occurred Feb. 5, after several employees were targeted in an SMS phishing campaign. One employee fell for the scam, but the company's cyber controls prevented the attacker from gaining direct system access and compromising customer information.
- Atlassian suffered a data breach when a third-party app was compromised. The breach resulted in the exposure of employee data, including names, emails, departments and floor plans of some of its offices. The breach was caused by hackers gaining access to an Atlassian employee's credentials to access the company's employee directory and office floor plans held within Envoy's app. However, the breach did not affect Envoy's systems.
Malware
- Google search results for popular software downloads are being targeted by malicious actors who create fake download links in the promoted search results to deliver malware to unsuspecting users. These fraudulent pages redirect users to malware when they click on the ads, while avoiding detection by Google. The malware involved in these campaigns includes Formbook, IcedID, MetaStealer and others, and can be digitally signed from well-known companies to avoid detection by antivirus programs. Until Google Ads responds to this malvertising, users are advised to find other ways to look for software downloads.
- The U.S. Marshals Service (USMS) suffered a ransomware attack Feb.17 that led to the agency disconnecting the affected system and launching a forensic investigation. The system contained sensitive law enforcement information, including personal information of subjects under investigation, third parties and USMS employees. The USMS has not yet identified the perpetrators of the attack or confirmed if they paid a ransom to unlock the system.
TLS/SSL
- Following changes to the Chrome Certificate Transparency log list file format, many Android apps broke after developers failed to implement the changes, although Google announced changes the changes in November 2021 and notified developers whose apps might be affected in August 2022. However, Google reversed the file format shortly after.
- After the CA/B Forum Meeting, Chrome announced upcoming updates to their policy including further reducing certificate validity periods to 90 days. We’ll cover this update and more in our next blog post recapping the Ca/B Forum discussions.