Here is our latest roundup of news about digital security in our connected world. Click here to see the whole series.
Malware
- Several including the FBI and National Security Agency, discovered malware that could gain full access to industrial control systems (ICS). The agencies issued a joint statement, claiming that the malware was discovered before an attack could occur. Nation-state actors developed the malware to target ICS and supervisory control and data acquisition (SCADA) devices.
Vulnerabilities
- that allowed bad actors to digitally sign files, allowing them to pass on digitally signed malware and malicious files as if they were legitimate.
- Microsoft released in their April 2022 patch to fix several vulnerabilities, including two zero-day vulnerabilities.
- Security researchers discovered a vulnerability in the platform a scanning service that looks for malware in suspicious files and URLs. Hackers could have gained remote code execution on any unpatched third-party sandboxing machines. However, the flaw is now patched.
- The European Union Agency for Cybersecurity (ENISA) published a roadmap for a coordinated vulnerability disclosure policy in the EU. The policy would provide frameworks for researchers to report vulnerabilities and for vendors to deploy patches quickly. EU Member States will need to establish their own national policies and guidelines for coordinated vulnerability disclosure.
TLS/SSL
- Starting April 25, 2022, Cloudflare automatically started issuing for all of their domains to prevent outages.
Data breaches
- A found that about half of businesses from over a dozen countries have experienced a data breach in the last two years. The study found that data breaches are increasing, and with an increasing threat landscape comes increased costs and resources spent in remediation.
- was hit with a breach that included stolen code for operation of Galaxy smartphones. Samsung says no customer data was breached, but 190GB of code were stolen. This example is a reminder for businesses to build sufficient defenses and have plans in place in the event of data loss.
- was hacked in April, and the hackers were phishing for cryptocurrency. The hackers targeted users of Trezor hardware cryptocurrency wallet and stole data of over 100 customers to send targeted phishing emails. Mailchimp disabled the breached employee accounts as soon as suspicious activity was detected, but not before the hackers were able to obtain customer data.
Government standards
- The U.S. White House, along with 60 global partners, issued a The declaration included a warning about rising digital risks and misinformation. About 60 other countries endorsed the declaration, as well as the European Commission.
- The U.S. Food and Drug Administration released last month on to replace previous guidance, last issued in 2018. The FDA explained that increasing connectivity requires adequate security to protect both patients and healthcare networks. The FDA recommends that manufacturers consider the larger network security and environment where the device will be used. The FDA is accepting comments until July 7, 2022, on the updated language.
Quantum computing
- a photon-based quantum computer that is a million times faster at solving a particular problem than what Google reported achieving with a superconducting quantum computer in 2019. China has reportedly invested nearly $10 billion in R&D for quantum, which make put it ahead of the U.S. in the race to quantum. However, the U.S. Senate passed a bill in 2021 to invest $29 billion in quantum by 2026.
- IBM announced that allows for real-time AI insights at scale and is the first quantum-safe system in the industry.
- A team of researchers from Griffith University’s Center for Quantum Dynamics demonstrated that at a quantum level. This would not only reduce data loss but also enable the transmission of data securely, without access by a third party.
Internet of Things
- None of the subway cameras were functioning during the in early April, although officials had years before. This delayed the police’s search for the gunman.
- The act was put forward recently, which would make it It would also require manufacturers to follow security best practices for the design, development and maintenance of these devices.
CA/B Forum
- The S/MIME Certificate Working Group of the CA/Browser Forum has released a final discussion draft of a new used for secure email, with a view to going to formal ballot later in 2022. This would be the first standard aimed to create consistency across all issuers of publicly-trusted S/MIME certificates and includes provisions for the Enterprise Registration Authorities which are commonly used to register users for corporate email environments.