Here is our latest news roundup of articles about PKI and TLS/SSL security.
TLS news
- At the October CA/B Forum meeting, Apple announced new S/MIME profile requirements and a two-year lifetime on S/MIME certificates that will go into effect April 2022.
- Additionally, the S/MIME working group is developing a new set of Baseline Requirements, and a rough draft was discussed at this month’s CA/B Forum meeting. However, the requirements will likely take time to adopt and will go into effect in the next year or two.
- The NSA warned organizations of a new risk involving wildcard certificates, the ALPACA attack. The NSA recommended that organizations inventory the wildcard certificates currently in use and, going forward, limit the use of wildcard certificates to avoid this type of attack.
- After Let’s Encrypt’s root certificate expired on Sept. 30, many websites experienced issues, including Fortinet, Shopify and Google Cloud Monitoring. Let’s Encrypt released a blog post to help users experiencing issues, but this incident highlights the major impact a root certificate expiration can have.
Data security
Outages
- Facebook, WhatsApp and Instagram were down for about six hours on Oct. 4 due to “an internal technical issue.” The issue took longer than usual to resolve because it affected the company’s internal systems, preventing employees from accessing the building and company networks. Facebook issued a statement apologizing and reassuring users that there was no evidence that user data was compromised as a result.
Data breaches
Automation
Malware
- A former Microsoft security analyst claims that OneDrive and Office365 have been hosting malware for years. A Microsoft spokesperson responded to the story, saying: "Abuse of cloud storage is an industry-wide issue and we're constantly working to reduce the use of Microsoft services to cause harm. We are investigating further improvements to prevent and rapidly respond to the types of abuse listed in this report."
- Apple criticized EU draft rules that would allow users to install software from outside the Apple App Store, claiming it could lead to increased malware. However, the Coalition for App Fairness claims that security measures like encryption and anti-virus programs provide device security, not the App Store.
Digital signatures
Code signing