Security News > 2022 > January

Let's Encrypt will begin revoking certain SSL/TLS certificates issued within the last 90 days starting January 28, 2022. As a non-profit certificate authority run by Internet Security Research Group, Let's Encrypt provides X.509 certificates for Transport Layer Security encryption at no cost.

The Nobel Foundation and the Norwegian Nobel Institute have disclosed a cyber-attack that unfolded during the award ceremony on December 10, 2021. The Nobel prize ceremony is being live-streamed from Oslo and Stockholm, and as such, DDoS attacks can interrupt the video feed and possibly even blemish the prestige of the institution.

A memory corruption vulnerability in PolKit, a component used in major Linux distributions and some Unix-like operating systems, can be easily exploited by local unprivileged users to gain full root privileges. While the vulnerability is not exploitable remotely and doesn't, in itself, allow arbitrary code execution, it can be used by attackers that have already gained a foothold on a vulnerable host to escalate their privileges and achieve that capability.

QNAP is warning customers again to secure their Internet-exposed Network Attached Storage devices to defend against ongoing and widespread attacks targeting their data with the new DeadBolt ransomware strain. All QNAP users are urged to "Immediately update QTS to the latest available version" to block incoming DeadBolt ransomware attacks.

A security bod scored a $100,500 bug bounty from Apple after discovering a vulnerability in Safari on macOS that could have been exploited by a malicious website to potentially access victims' logged-in online accounts - and even their webcams. Ryan Pickren, last seen on The Register after scooping $75k from Cupertino's coffers for finding an earlier webcam-snooping flaw, said the universal cross-site scripting bug in Safari could have been abused by a webpage to hijack a web account the user is logged into, which would be bad. It was also possible to activate the webcam.

Organizations pulling their code from open source will often find themselves in scenarios where they have created a Frankensteined final artifact, with extremely fragmented origins. Organizations must take time to carefully consider their approach to supply chain security to prepare for potential future security incidents, and to gain the full benefits of open source.

Runecast moves organizations ahead of these challenges with automated discovery and single-platform visibility of issues for IT Security and Operations teams. Runecast began as an answer to a problem that many IT teams were having, including its founders: after hours or even days of searching for root causes to problems, 90% of the issues discovered within their environments had been already documented - and could have been avoided with the assistance of automation.

The report compiles responses from 428 leaders and executives in IT, security and development roles to identify the latest trends on how organizations are adapting to new security challenges of the software supply chain. Managing software supply chain security a significant or top focus in 2022.

An upcoming webinar tries to help lean security teams understand how to tackle this intractable problem. While adding security solutions to cover blind spots seems logical, the webinar will argue that this just leads to more alarms and more noise.

Experian released its annual forecast, which reveals five fraud threats for the new year. With consumers continuing to take a digital-first approach to everything from shopping, dating and investing, fraudsters are finding new and innovative ways to commit fraud.