Security News

It wasn't the best of New Year's Day mornings for some Check Point customers; in addition to possible hangovers, those who lagged with their patching had been left with inoperable systems and a tough fix ahead for some. On January 1, 2021, a certificate used for outdated Check Point Remote Access VPN clients and Endpoint services expired.

Let's Encrypt, a Certificate Authority that puts the "S" in "HTTPS" for about 220m domains, has issued a warning to users of older Android devices that their web surfing may get choppy next year. Next year, on September 1, 2021, the DST Root X3 certificate that Let's Encrypt initially relied for cross-signing will expire and devices that haven't been updated in the past four years to trust the X1 root certificate may find they're unable to connect to websites securely, not without throwing up error messages, at least.

"Our goal," writes Metcalf, "Is to create neutral names that provides a means for people to remember vulnerabilities without implying how scary the particular vulnerability in question is." There is no doubt that there is no apparent emotive bias to the new naming convention, but much still needs to be done on the project - and it is not entirely clear that two disconnected words are any better than one emotive word.

Named security incidents recently have editorialized their own importance with fear-mongering monikers like Heartbleed, Meltdown, Spectre, and Foreshadow, and Fallout and ZombieLoad. Not all do so. "Sensational names are often the tool of the discoverers to create more visibility for their work," explained Leigh Metcalf, senior network security research analyst at the CMU's CERT/CC, on Friday.

Taiwan's CERT detected cyber-crooks impersonating medical authorities to attack the country's tech industry during the early stages of the COVID pandemic. "Attackers used COVID-19 social engineering to increase the success rate of their attacks," said TWCERT/CC director Chih-Hung Lin.

Thousands of ISO certifications at risk of lapsing due to halted re-certification auditsThousands of valuable ISO management system certifications earned by UK companies may now be at risk because auditors from Certification Bodies may not have been able to attend organizations' premises to conduct essential re-certification audits during the current coronavirus pandemic. Kali Linux 2020.3 released: A new shell and a Bluetooth Arsenal for NetHunterOffensive Security has released Kali Linux 2020.3, the latest iteration of the popular open source penetration testing platform.

The CERT Coordination Center at Carnegie Mellon University has published alerts on several vulnerabilities that impact Diebold Nixdorf ProCash and NCR SelfServ automated teller machines. A vulnerability in the Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30, CERT/CC reveals, could be abused by an attacker with physical access to internal machine components to commit deposit forgery.

From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats. "Connections to TLS servers violating these new requirements will fail," Apple warned in its official note.

On Saturday, at 10:48 UTC, Sectigo's AddTrust legacy root certificate expired, causing a bit of weekend havoc for thousands of websites and services that rely on it for making a secure TLS/SSL connection. "Generally speaking, this is affecting older, non-browser clients which talk to TLS servers which serve a Sectigo certificate chain ending in the expired certificate," wrote Andrew Ayer, founder of SSLMate, in a blog post.

British companies have been offered access to a £400k pot of cash to design a UK-specific "Kitemark" assurance scheme for Internet of Things products. The government grant scheme is intended to complement previous announcements, making it a legal requirement that IoT devices ship with unique, non-default passwords and for vendors to "Explicitly state" for how long security updates will be published.