Here is our latest roundup of news about digital security in our connected world.
IoT
- Matter 1.0 has officially arrived, with the Connectivity Standards Alliance (CSA) announcing its release on Oct. 4. Matter has been a multi-year project bringing together all of the biggest names in smart home manufacturing, including Apple, Google, Samsung and more, to create a reliable, secure way for devices from different manufacturers to interoperate. DigiCert has been highly involved in Matter and can help manufacturers achieve compliance with device attestation.
- As the first Matter-approved root CA, also known as a Product Attestation Authority (PAA), DigiCert can now provide rapid time to market for smart home manufacturers looking to earn the Matter seal on their products.
Government standards
- The final language for the eIDAS 2 revision has been agreed and will now be voted on. If approved, the EU Commission will have a universal, cross-border digital ID, and by September 2023 every EU member state must have a digital ID wallet available. That means that as soon as next year, EU digital wallets will be in use.
- The FBI and CISA warned that malicious actors may attempt to spread false information, conduct phishing and more to disrupt the 2022 midterm elections. Read more about how to secure voter data and avoid phishing during elections at https://www.digicert.com/blog/election-security-secure-voter-data-and-avoid-phishing.
- The White House released a blueprint for an AI bill of rights, including five principles to “guide the design, use, and deployment of automated systems to protect the American public in the age of artificial intelligence.” The principles are safe and effective systems, algorithmic discrimination protections, data privacy, notice and explanation, and human alternatives and fallbacks.
- The White House also released a memo on software supply chain security, requiring software firms to meet NIST security standards and favoring software bills of materials (SBOMs). Additionally, the NSA, CISA and ODNI released a framework on securing the software supply chain for developers and promised to release future frameworks for suppliers and customers.
- Switzerland’s Federal Council announced that the new data protection law will enter into effect on Sept. 1, 2023. The Data Protection Act (DSG) is designed to ensure that Switzerland maintains a high level of data privacy compatible with EU regulation, so that cross-border data transmission can continue without additional requirements.
Malware
- Minecraft malware is infecting thousands of PCs with fake updates. Additionally, malware has been found in Minecraft cheat programs that claim to help gamers take shortcuts to success, which has affected thousands of users. Other games have also experienced malware threats, including FIFA, Roblox, Far Cry and Call of Duty.
- GIFs in Microsoft Teams have been found to spread malware. Attackers have encoded malicious code that can be used to steal data in GIFs, which they then share on Microsoft Teams. The flaw has not yet been fixed, so for now users should think twice before opening GIFs shared in Teams.
- Hackers backed by the North Korean government have recently been using open-source apps to spread malware. Several organizations were compromised after installing these apps. Microsoft said that the threat group ZINC added malware to legitimate open-source apps like PuTTY and has had several victims since June 2022.
Outages
- Zoom experienced a significant, but brief, outage on Sept. 15. The global outage prevented users from starting and joining meetings for about an hour. Zoom did not state the cause, publishing on its service status page only that “We have identified the issue starting and joining meetings. We will continue to investigate and provide updates as we have them.”
Quantum
- IBM created a refrigeration system that can cool to temperatures colder than outer space to hold future quantum computers. In a blog post, IBM says its “super-fridge” could cool future quantum experiments and could hold up to 1.7 cubic meters’ worth of volume.
- Intel recently announced the Intel Quantum SDK, which is designed to help developers learn how to program quantum algorithms. The SDK is available now in beta through Intel Developer Cloud.
Ransomware
- The LA School District was hit with ransomware in early September, leading to a response from local officials, the FBI and the Department of Homeland Security. Up to 400,000 students were impacted, with data potentially exposed, including personal information, disciplinary records and assessments. The LA School District, the second largest district in the country, required all students to reset their passwords. Additionally, following the breach, CISA warned that the education sector is at high risk of ransomware attacks by the attack group Vice Society.
Vulnerabilities
- Apple pushed out security fixes in mid-September to address vulnerabilities in iPhone, iPad and Mac systems that were actively exploited. The patches were released for all iPhone 6 and later, all iPad Pro models, iPad Air 2 and later, and iPod touch 7 and later.
- Australia’s commemorative 50-cent coin code was cracked by a 14-year-old in an hour. The limited-edition coin marks the 75th anniversary of the Australian Signals Directorate (ASD) and had four levels of encryption. Now the ASD is hoping to recruit the boy who cracked their encryption.