Browsers enforce shorter lifespan for certificates, survey shows US citizens are increasingly worried about their data, more from Zoom and Twitter.

Browsers to enforce short certificate life spans

  • Apple, Google, and Mozilla will shorten the life span for TLS certificates in a move poised to aid security but cause operational troubles.
  • On Sept. 1, browsers and devices from Apple, Google, and Mozilla will show errors for new TLS certificates with a life span longer than 398 days.
  • Just over a decade ago, domain registrars sold TLS certificates valid for eight to 10 years.
  • Shortening the life span of TLS certificates will require businesses to frequently rotate them so by the time an attacker figures out how to copy one, it's no longer valid.
  • These renewals can be done with automated tools; however, many businesses continue to do this manually, and larger firms may be responsible for renewing thousands of certificates.

"Some website owners find the process of securing their site to be difficult," says Robin Wilton, director of Internet Trust for the Internet Society. "Certificate installation is still not easy, and it's hard to carry out a complex process that only needs to be done every two to three years."

Source https://www.darkreading.com/

Citizens are increasingly worried about how companies use their data


  • A survey of 1,000 respondents in the United States found that nearly every American (97%) considers data privacy to be an important issue, with 87% labeling digital privacy as a human right.
  • More than two-thirds of those surveyed say they don't trust companies to ethically sell their data.
  • 86% of citizens say they must take some responsibility in protecting data, 90% argue that the government should play a role as well. The greatest majority (91%) hold that companies should take responsibility.
  • US citizens are nearly united in their support for more government legislation to protect their rights to data privacy.


Source https://advisory.kpmg.us/

Zoom bug meant attackers could brute force their way into password-protected meetings


  • Zoom has patched a security hole that could have allowed attackers to break their way into password-protected private calls.
  • The problem revolved around the six-digit numeric passcode, used by default to secure Zoom chats. Six digits mean that the passcode for a specific chat had to be a number between “000000” and “999999”.
  • One million possible combinations may sound like an awful lot for a hacker to manually try, but it’s little effort for a computer to brute force their way through until they find the one that unlocks the private Zoom conversation.
  • using 4-5 cloud servers it would be possible to check all the possible six digit numeric passwords in just “a few minutes.”
Upon learning of this issue we immediately took down the Zoom web client to ensure our users’ security while we implemented mitigations. We have since improved rate limiting… and relaunched the web client on 9 April. With these fixes, the issue was fully resolved, and no user action was required. We are not aware of any instances of this exploit being used in the wild.”

Twitter confirms spear-phishing attack caused account takeover

  • In an update to its previous statement, Twitter said the attack occurred on July 15 and “targeted a small number of employees through a phone spear-phishing attack.”

“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes,” it said. This then enabled them to target additional employees who had access to account support tools.