Security News

Let's Encrypt completes huge upgrade, can now rip and replace 200 million security certs in 'worst case scenario'
2021-02-15 11:41

Internet Security Research Group nonprofit Let's Encrypt has massively upgraded its certification hardware and software so that it can delete and reissue all its certs in less than 24 hours. Last April the certificate authority was forced to kill three million HTTPS certs after a bug was found in its automated certificate management environment, about 2.6 per cent of its 150 million live certificate base.

Spanish banished: Google Chrome to snub Camerfirma for lax cert management
2021-02-02 08:02

When Google Chrome 90 arrives in April, visitors to websites that depend on TLS server authentication certificates from AC Camerfirma SA, a digital certificate authority based in Madrid, Spain, will find that those sites no longer present the secure lock icon. Mozilla, maker of Chrome rival Firefox, has been trying to decide whether Camerfirma's history of questionable certificate management practices - documented in a lengthy list - warrants banishing the Spanish company's certificates from its Root Store - the set of certificates Firefox recognizes as trustworthy by default.

Italy CERT Warns of a New Credential Stealing Android Malware
2021-01-28 12:41

Researchers have disclosed a new family of Android malware that abuses accessibility services on the device to hijack user credentials and record audio and video. The malware repeatedly reopens the Settings screen every eight seconds until the user turns on permissions for accessibility and device usage statistics, thus pressuring the user into granting the extra privileges.

S3 Ep15: Titan keys, Mimecast certs and Solarwinds [Podcast]
2021-01-14 16:21

We explain how two French researchers hacked the Google Titan security key product, and dig into the Mimecast certificate compromise story to see what we can all learn from it. WHERE TO FIND THE PODCAST ONLINE. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Happy New Year: Jan 1, 2021 security cert expiration causes havoc for some Check Point VPN users
2021-01-05 00:54

It wasn't the best of New Year's Day mornings for some Check Point customers; in addition to possible hangovers, those who had lagged on their patching were left with inoperable systems and, for some, a tough fix ahead. On January 1, 2021, a certificate used for outdated Check Point Remote Access VPN clients and Endpoint services expired.

Let's Encrypt warns about a third of Android devices will from next year stumble over sites that use its certs
2020-11-06 23:58

Let's Encrypt, a Certificate Authority that puts the "S" in "HTTPS" for about 220m domains, has issued a warning to users of older Android devices that their web surfing may get choppy next year. On September 1, 2021, the DST Root X3 certificate that Let's Encrypt initially relied on for cross-signing will expire, and devices that haven't been updated in the past four years to trust the ISRG Root X1 certificate may find they're unable to connect to websites securely, not without throwing up error messages, at least.

CERT/CC Seeks to Remove Fear Element From Named Vulnerabilities
2020-11-03 18:49

"Our goal," writes Metcalf, "is to create neutral names that provide a means for people to remember vulnerabilities without implying how scary the particular vulnerability in question is." There is certainly no apparent emotive bias in the new naming convention, but much still needs to be done on the project, and it is not entirely clear that two disconnected words are any better than one emotive word.

CERT/CC: 'Sensational' bug names spark fear, hype – so we'll give flaws our own labels... like Suggestive Bunny
2020-11-03 06:02

Named security incidents have recently editorialized their own importance with fear-mongering monikers like Heartbleed, Meltdown, Spectre, Foreshadow, Fallout and ZombieLoad. Not all do so. "Sensational names are often the tool of the discoverers to create more visibility for their work," explained Leigh Metcalf, senior network security research analyst at CMU's CERT/CC, on Friday.

Fake Zoom alerts and dodgy medical freebies among COVID-cracks detected by Taiwan's CERT
2020-09-17 03:32

Taiwan's CERT detected cyber-crooks impersonating medical authorities to attack the country's tech industry during the early stages of the COVID pandemic. "Attackers used COVID-19 social engineering to increase the success rate of their attacks," said TWCERT/CC director Chih-Hung Lin.

Week in review: Kali Linux 2020.3, mobile security threats, ISO certs at risk of lapsing
2020-08-23 13:40

Thousands of ISO certifications at risk of lapsing due to halted re-certification audits: Thousands of valuable ISO management system certifications earned by UK companies may now be at risk because auditors from Certification Bodies may not have been able to attend organizations' premises to conduct essential re-certification audits during the current coronavirus pandemic.

Kali Linux 2020.3 released: A new shell and a Bluetooth Arsenal for NetHunter: Offensive Security has released Kali Linux 2020.3, the latest iteration of the popular open source penetration testing platform.