News 04-06-2023

Latest News in Digital Trust — March 2023

DigiCert

Here is our latest roundup of news about digital security in our connected world. Click here to see the whole series.

DigiCert news

DigiCert shared its 2022 business highlights, marked by strong growth in revenue and customer acquisition throughout the past year. By addressing customer needs for comprehensive digital trust, DigiCert is executing a vision for best-in-class innovation with solutions that protect organizations from the risks they face from increasing connectivity.

DigiCert® ONE is the Gold Globee® Winner for Trust Protection Solution. The Globee Cybersecurity Awards recognize cybersecurity companies and professionals for their innovative approaches and effective solutions in ensuring security in the digital age.

DigiCert announced it will now issue Verified Mark Certificates (VMCs) to companies with trademarks registered in New Zealand, in line with the Brand Indicators for Message Identification (BIMI) standard of the AuthIndicators Working Group.

European standards

The European Parliament has passed a proposal for a digital identity framework that would give citizens access to public services and their own wallet, using zero-knowledge-proof technology to protect users' privacy. However, the International Association for Trusted Blockchain Applications has raised concerns about the removal of a section within the regulation text which addressed electronic ledgers.

U.S. standards

The Biden-Harris administration announced a new National Cybersecurity Strategy that seeks to establish meaningful liability for software products and services and sets mandatory minimum cybersecurity requirements in critical infrastructure. The strategy also focuses on shifting the responsibility for cybersecurity away from individual users and small businesses.

The FDA has issued new cybersecurity guidelines for medical devices to address concerns about internet-connected products being hacked or targeted by ransomware attacks. Applicants for new medical devices must submit a plan to monitor, identify and address cybersecurity issues, provide assurance that the device is protected and make security updates and patches available regularly.

TikTok CEO Shou Chew appeared before the U.S. Congress to defend the popular video app against calls for a ban due to concerns over its Chinese parent company, ByteDance, sharing U.S. user data with the Chinese government. Lawmakers questioned Chew about ByteDance's ties to the Chinese government and expressed doubts about TikTok's ability to protect user data. The RESTRICT Act, which could be used to ban TikTok, has come under scrutiny from digital rights experts who argue that its "insanely broad" language could also lead to a ban of other communications services or apps with foreign connections, including VPNs.

Quantum

Recent developments by Yale researchers have successfully extended the lifetime of a qubit by a factor of 2.3, beyond the break-even point, using quantum error correction, which protects information encoded in qubits from errors due to quantum noise. This breakthrough is the first to extend the qubit’s lifetime with a gain greater than 1 and demonstrates that researchers may eventually be able to build a quantum computer that provides an advantage beyond any modern supercomputer.

AI

Microsoft introduced Microsoft Security Copilot, which it describes as the first security product to let defenders move at the speed and scale of AI. The tool provides guidance and context in natural language, surfaces prioritized threats, anticipates threat actors' next moves and is positioned as a way to address the security talent gap.

Vulnerabilities

Fortinet released security updates to address a high-severity FortiOS vulnerability that allowed attackers to run unauthorized code or commands. Unknown attackers had already exploited the bug as a zero-day, before the patch was available, in attacks on governments and large organizations that resulted in OS and file corruption and data loss.

Users of ChatGPT reported a glitch in which they could see the titles of other users' conversations in their chat history, leading to concerns about privacy. OpenAI acknowledged the error and fixed it, but users remain worried about their private information being exposed.

Data breaches

The Cyberabad Police in Hyderabad arrested seven people for stealing and selling sensitive data of the government and important organizations, including personal and confidential data of 168 million citizens and details of defense personnel. The accused were found selling more than 140 categories of information, including data of government employees, gas and petroleum companies and high net-worth individuals. The data breach has serious national security implications, and investigations are ongoing to identify how the data got leaked and who the insiders are.

Dole Food Company has confirmed that its employees' information was accessed by hackers during a ransomware attack in February 2023. The company, which has 38,000 employees and operates in over 75 countries, was forced to shut down production plants across North America. The disclosure was made in the company's annual report filed with the U.S. Securities and Exchange Commission.

Ferrari has suffered a data breach in which personal client data, including names, addresses, email addresses and phone numbers, were exposed. The company received a ransom demand but has chosen not to pay, instead notifying affected customers and hiring external experts to investigate and reinforce its IT environment. No sensitive payment information was stolen, but customers should remain vigilant for spear-phishing attacks.

Malware

Google suspended the Chinese shopping app Pinduoduo after malware was found in it. Just a few weeks earlier, Chinese security researchers had published an analysis suggesting that the app exploited multiple security vulnerabilities in Android smartphones.

Infosec software vendor Kaspersky reports that a cyber espionage campaign targeting organizations in Russian-occupied regions of Ukraine is using a novel malware named "PowerMagic" and a previously unknown framework called "CommonMagic." The malware can steal data from USB devices, take screenshots every three seconds and send data back to the attacker via a command-and-control server hosted on public cloud storage.

TLS/SSL

The CA/B Forum recently held its face-to-face meeting, where they covered several updates that customers should be aware of, including Chrome’s vision for 90-day certificate validity periods, the implementation of the first S/MIME Baseline Requirements (BRs) starting this September and proposed malware-based revocation and signing service requirements for code signing.

Chrome outlined its vision for future web PKI policies, titled Moving Forward, Together. Notably, Chrome's vision included 90-day certificate validity periods, a change that would make automated certificate renewal a practical necessity, in addition to the proposal for a term limit for root Certificate Authorities (CAs) and a maximum validity period for Intermediate Certificate Authority certificates (ICAs).
