Information Technology

Apple has patched a security flaw in macOS that Microsoft researchers found could be used to install a malicious kernel driver, otherwise known as a ‘rootkit’.  

ZDNet Recommends

The flaw resided within macOS System Integrity Protection (SIP). The glitch allowed a potential attacker to install a hardware interface that allows them to “overwrite system files, or install persistent, undetectable malware”.   The discovery reflects Microsoft’s increased focus on enterprise customers that use a mix of Windows and macOS under hybrid work arrangements, which is evidenced by products like its cross-platform security product, Microsoft Defender for Endpoint. Microsoft introduced Defender ATP for Macs in 2019, well before the pandemic pushed everyone to the hardware they used at home. See also: Ransomware: It’s a ‘golden era’ for cybercriminals – and it could get worse before it gets better. “This OS-level vulnerability and others that will inevitably be uncovered add to the growing number of possible attack vectors for attackers to exploit,” explains Jonathan Bar-Or, from the Microsoft 365 Defender Research team.  “As networks become increasingly heterogeneous, the number of threats that attempt to compromise non-Windows devices also increases.” SIP, aka ‘rootless’, locks down the system from the root by using Apple’s sandbox to protect macOS. It contains several memory-based variables that shouldn’t be able to be modified in non-recovery mode. But SIP can be turned off after booting into recovery mode, allowing an attacker to bypass SIP protections.

“Over the years, Apple has hardened SIP against attacks by improving restrictions,” writes Or.  “One of the most notable SIP restrictions is the filesystem restriction. This is especially important for red teamers and malicious actors, as the amount of damage one can do to a device’s critical components is directly based on their ability to write unrestricted data to disk.” The flaw Microsoft found in Apple’s SIP restrictions was related to system updates, which require unrestricted access to SIP-protected directories. Apple “introduced a particular set of entitlements that bypass SIP checks by design,” writes Or.  Apple patched the flaw, tracked as CVE-2021-30892, in macOS Monterey 12.0.1, as well as updates for Catalina and Big Sur. SIP vulnerabilities aren’t new, but Microsoft decided the bug was serious enough to warrant the name “shrootless”. “While assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether,” explains Or.  See also: Cloud security in 2021: A business guide to essential tools and best practices. Microsoft, of course, argues this flaw warrants Defender for Endpoint’s behavioral analytics capabilities to protect Macs in the enterprise.  Apple patched dozens more serious bugs in its latest update for macOS Monterey and earlier. Taking a step back, Microsoft’s post touches on a decades-old debate about whether Macs need antivirus and the two companies’ respective approaches to that question.  Macs, in Apple’s view, don’t need antivirus, whereas Windows PCs do. Apple has used the rise of malware targeting macOS in its arguments against Fortnite-maker Epic Games, for example. And Microsoft this year hired Justin Long, the face of the “Get A Mac” campaigns that once focused on malware targeting Windows PCs but not Macs. But in the enterprise in 2021, where Macs are ascending, work is hybrid, and state-sponsored hackers are looking for every entry point, it’s clear that security threats continue to evolve. More

Image: Getty Images
Signal has released the details of a search warrant it received from police in Santa Clara, California, unveiling the efforts US law enforcement authorities will undertake to force online platforms into disclosing the personal information of their users.In the search warrant, Santa Clara Police sought to get the name, street address, telephone number, and email address of a specific Signal user. It also wanted billing records, the dates of when the account was opened and registered, inbound and outbound call detail records, voicemails, video calls, emails, text messages, IP addresses along with dates and times for each login, and even all dates and times the user connected to Signal.In response to the search warrant, Signal provided law enforcement authorities with timestamps regarding the account specified in the search warrant. The timestamps showed the dates that the account last connected to Signal.Signal said in a blog post that, by default, it does not collect the requested information from users.  “As usual, we couldn’t provide any of that. It’s impossible to turn over data that we never had access to in the first place. Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for,” Signal wrote in the blog post.The company’s interaction with Santa Clara County police didn’t end there, however, as the law enforcement authorities then issued a non-disclosure order that required Signal to not publicly disclose that it received the search warrant. The non-disclosure order was then extended four times, which resulted in Signal’s request to unseal the search warrant being repeatedly pushed back. In total, it took Signal almost a full year before the company was able to legally publicly disclose the process it underwent when it received the search warrant.

“Though the judge approved four consecutive non-disclosure orders, the court never acknowledged receipt of our motion to partially unseal, nor scheduled a hearing, and would not return counsel’s phone calls seeking to schedule a hearing,” Signal wrote.Law enforcement authorities around the world are increasingly finding ways to compel online platforms to hand over information about their users. Just last month, hosted email service provider ProtonMail publicly disclosed that French authorities were able to acquire the IP address of one of its users through getting approval from Swiss courts. This was despite ProtonMail not being subject to French or EU requests, and only being required to comply with requests from Swiss authorities.In response to the order, ProtonMail CEO and founder Andy Yen said all companies have to comply with laws, such as court orders, if they operate within 15 miles of land.”No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law,” Yen said at the time.Democracy advocate Freedom House last month also published findings that indicate a growing number of governments are forcing tech businesses to comply with online censorship and surveillance. Freedom House said in the past year alone, 48 out of 70 countries covered in its research — which accounted for 88% of the world’s internet users — have pursued new rules for tech companies on content, data, or competition over the past year.RELATED COVERAGE More

Image: Audit Office of New South Wales
The cybersecurity policy for New South Wales government agencies is not sufficiently robust which is a cause for “significant concern”, according to the state’s auditor-general Margaret Crawford. “Key elements to strengthen cybersecurity governance, controls, and culture are not sufficiently robust and not consistently applied. There has been insufficient progress to improve cyber security safeguards across NSW government agencies,” the auditor-general wrote in a compliance report [PDF] about the state’s cybersecurity capabilities. The audit assessed whether nine of the state’s lead cluster agencies — Premier and Cabinet, Communities and Justice, Customer Service, Education, Planning, Regional NSW, Health, Treasury, and Transport — had provided accurate reporting on their level of maturity in implementing the requirements of the state’s cybersecurity policy. Of these agencies, none of them have implemented all of the Essential Eight controls at level one, with the auditor-general saying that all organisations at a baseline should be at level three. She added that all agencies failed to reach even level one maturity for at least three of the Essential Eight strategies. Seven of the nine participating agencies also reported levels of maturity regarding cybersecurity policy and the Essential Eight that were not supported by evidence. “Each of the nine participating agencies for this audit had overstated their level of maturity against at least one of the 20 mandatory requirements. Seven agencies were not able to provide evidence to support their self-assessed ratings for the Essential Eight controls,” Crawford wrote in the report.

Crawford warned that overstating the effectiveness of an agency’s cybersecurity capabilities could undermine the ability to address cyber risks and ultimately expose them to cyber attacks. Outside of the nine agencies that received close scrutiny, the data of 95 other state agencies were also reviewed by the auditor-general. In total, of the 104 agencies reviewed in the audit, only five self-assessed that they had implemented all of the mandatory requirements at level three or above. 14 agencies self-assessed that they had implemented each of the Essential Eight controls at level one maturity or higher, while the remainder reported at level zero for implementation of one or more of the Essential Eight controls.  These levels are similar to those reported in 2019 and 2020, with the auditor-general saying better leadership and resourcing would be required if there is to be significant improvement in agency cybersecurity capability. Crawford said the agencies were not the only ones to blame for this lack of progress, however, criticising the cybersecurity policy itself for allowing agencies to determine what are “mandatory requirements” when addressing cybersecurity risks. Unlike cybersecurity policies from comparable jurisdictions, the one in NSW lacks a requirement for agency heads to demonstrate reasons for not implementing protocols from the policy. The NSW cybersecurity policy also does not require these considerations to be documented, nor does it require an explicit acknowledgement and acceptance of the residual risk. There is also currently no requirement for NSW agencies to implement the “top four” controls of the Essential Eight strategies to any designated level of maturity, which are application whitelisting, patching applications, patching operating systems, and restricting administrative privileges. The auditor-general also expressed concern for the lack of systematised and formal monitoring, by either Cyber Security NSW or another agency, of the adequacy or accuracy of agencies’ cyber self-assessment processes. Late last year, the NSW audit office found that Service NSW did not effectively handle private information, as a result of the agency experiencing a phishing attack where 47 staff email accounts were compromised. All up, the breach was said to have impacted 186,000 customers and exposed up to 738GB of customer information contained within 3.8 million documents. Related Coverage More

China’s Personal Information Protection Law (PIPL) is now in force, laying out ground rules around how data is collected, used, and stored. It also outlines data processing requirements for companies based outside of China, including passing a security assessment conducted by state authorities. Multinational corporations (MNCs) that move personal information out of the country also will have to obtain certification on data protection from professional institutions, according to the PIPL. The legislation was passed in August, after it went through a couple of revisions since it was first pitched in October last year. Effective from November 1, the new law was necessary to address the “chaos” data had created, with online platforms over-collecting personal data, the Chinese government then said. 

Personal information is defined as all types of data recorded either electronically or other forms, which relates to identified or identifiable persons. It does not include anonymised data.  The PIPL also applies to foreign organisations that process personal data overseas for the purpose of, amongst others, providing products and services to Chinese consumers as well as analysing the behaviours of Chinese consumers. They also will have to establish designated agencies or appoint representatives based in China to assume responsibility for matters related to the protection of personal data. The new legislation encompasses a chapter that applies specifically to cross-border data transfers, stating that companies that need to move personal information out of China must first conduct “personal information protection impact assessments”, according to Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD). They also will need to obtain separate consent from individuals pertaining to the transfer of their personal information and meet one of several requirements. These include agreeing to a “standard contract” issued by authorities overseeing cyberspace matters and fulfilling requirements outlined in other laws and regulations established by the authorities, the PCPD said. 

These MNCs also would have to implement necessary measures to ensure other foreign parties involved in processing the data adhere to data security standards stipulated by the PIPL. Unclear what security assessments entailLeo Xin, senior associate with law firm Pinsent Masons, described the legislation as a “milestone” in China’s data protection legal regime and urged MNCs to pay special attention to the rules on cross-border data transfers.Leo said in a post: “There are still certain areas that remain unclear and require detailed implementation rules, such as how the security assessment should be handled, what the model clauses for data transfer formulated by the China Cyberspace Administration look like, what the approval procedure shall be [if] there is request for personal information by overseas judicial organs or law enforcement agencies.”The legislation further called for the handling of personal data to be clear, reasonable, and limited to the “minimum scope necessary” to achieve their objectives of processing the information. The lawyer recommended that MNCs begin evaluating the potential impact of PIPL on their IT infrastructure and data processing activities.According to the PCPD, the new legislation also encompasses “automated decision-making” data processing, in which IT systems are used to automatically analyse and make decisions about consumer behaviours as well as consumers’ habits, interests, financial, and health. Here, companies will have to ensure such decision-making processes are transparent and fair. Consumers also must be provided with the option to opt out of receiving personalised content. Security impact assessments must be carried out and these reports retained for at least three years. Companies that breach PIPL rules may be issued an order for rectification or warnings. Chinese authorities also may confiscate any “unlawful income”, according to the PCPD. Violators that fail to comply with orders to rectify the breach will face fines of up to 1 million yuan ($150,000), while the person responsible for ensuring compliance can be fined between 10,000 yuan ($1,500) and 100,000 yuan ($15,000). For “serious” cases, Chinese authorities also dish out fines of up to 50 million yuan ($7.5 million) or 5% of the company’s annual turnover for the previous fiscal year. In addition, its business operations may be suspended or business permits and licences revoked. The Beijing administration last month told local media it would take “targeted measures” to address problems it deemed to persist within the digital economy, such as poor data management. According to South China Morning Post, the Ministry of Industry and IT was pushing ahead with its scrutiny of the internet sector as part of a six-month campaign that began in July. The ministry recently instructed 43 apps to make rectifications after they were found to have illegally transferred user data. The Cyberspace Administration of China (CAC) in July ordered Chinese ride-sharing platform Didi to remove its app from local app stores, after it breached regulations governing the collection and use of personal data. Did was instructed to rectify “existing problems” and “effectively protect” users’ personal data. In May, the CAC called out 33 mobile apps for collecting more user data than it deemed necessary to offer their service. These companies, which included Baidu and Tencent Holdings, also were told to plug the gaps. Tencent said last month said it was forming a committee to assess its user data protection and privacy policies. This team would comprise technical, legal, and media professionals as well as members of the public, the Chinese tech giant said. The committee will make recommendations on improvements, if and where necessary, to better safeguard user privacy, the company added.RELATED COVERAGE More

Fortinet’s FortiGuard Labs has discovered a new scam using the lure of an Amazon gift card generator to steal cryptocurrency from people.Researchers with FortiGuard Labs said they found a file titled “Amazon Gift Tool.exe” that was being marketed on a publicly available file repository site as a free Amazon gift card generator.When people download the file and open it, a malicious winlogin.exe is dropped and executed. “The purpose of the malware is simple. If the victim tries to add money to their anon-bitcoin wallet by copying and pasting the wallet address, the malware overwrites the victim’s wallet address on the clipboard with its own, resulting in the money potentially going to the attacker,” the researchers explained. According to FortiGuard Labs, the malware watches a user’s clipboard to search for text that is 54 characters long — the length of a cryptocurrency wallet address — and other criteria that indicate the text is related to cryptocurrency. If the text matches three different criteria, the malware puts the attacker’s Bitcoin Cash wallet address in place of the clipboard information.The malware also searches for addresses related to Ethereum, Binancecoin, Litecoin, Dogecoin and Ripple. 

“We also found that the malicious winlogin.exe was distributed by a number of droppers with enticing names, such as Crunchyroll Breaker.exe, Netflix Tools.exe, Multi Gift Tools.exe, etc,” FortiGuard Labs explained. “Free generators of this sort has been around and scammed people for years. But given the market power of Amazon, this new scam is especially enticing. Consumers are eager to shop as much as they can on Black Friday as a lot of goods go on sale. Free Amazon gift cards are very attractive to those who want to spend less for the holiday season. However, be careful with what you wish for and don’t fall a victim to scams like this one.”Derek Manky, chief of security insights & global threat alliances at Fortinet’s FortiGuard Labs, told ZDNet that they made this research discovery through their threat hunting process while looking for specific rules/targets. FortiGuard Labs found samples collected through open repository and then did further correlation work from there as part of discovery phase, Manky said. Cryptowallet addresses are quite large, and while cryptowallet users may write their wallet in a physical location, chances are they have this stored digitally — either in a cold storage wallet or on their workstation, according to Manky.”That digital cryptowallet addresses is typically accessed when doing transactions to send/receive money during the transaction itself on the client machine. In this instance, the attacker is hoping to replace the victim wallet with theirs to divert the funds. Keep in mind there usually is MFA with these transactions, but that’s done by the client to approve. They may not notice the wallet address they pasted was actually not their own,” Manky said. “This attack attempt has been specifically designed to hijack cryptowallet addresses/transactions similar to payment diversion fraud. And specifically Bitcoin Cash.”FortiGuard Labs also found another scam related to gaming consoles, attempting to lure those interested in purchasing PlayStation 5 and Xbox Series X and S systems.The researchers found a group of malicious PDF files with titles like, “how_much_do_xbox_one_cost_on_black_Friday.pdf” and “Walmart_black_Friday_ps5_pickup.pdf.”After victims click on the link, they are taken to phishing sites where they are asked to give out confidential information.  More

Mozilla has become the latest browser to test the waters in incorporating the Global Privacy Control in Firefox this week, calling itself “the first major web browser” to do so. The GPC — required under the California Consumer Protection Act (CCPA) and Europe’s Global Data Protection Regulation (GDPR) — tells websites not to sell or share your personal data.  Mozilla said the GPC is a prerelease feature available for experimental use in Firefox Nightly.A Mozilla spokesperson said they were excited to see GPC getting traction both in California and Colorado and now that they expect sites to start honoring it, they want to start getting experience with it in the field.”Many websites present cookie consent banners that let users opt out of tracking and of having their data sold on a site by site basis. The difference here is that the user doesn’t need to opt out on every site — which we think is a better solution,” Mozilla told ZDNet. “Mozilla was one of the early supporters of the CCPA and of the CPRA and, in 2020, we became one of the founding members of the Global Privacy Control. We endorsed this concept because it gives more control to people over their data online and sets a path for the enforcement of their privacy rights. Our approach to privacy has long been to fight on different fronts which is why we launched Enhanced Tracking Protection by default back in 2019 and have since expanded our arsenal of anti-tracking tools, and have been advocating for strong privacy legislation and enforcement.”To turn Global Privacy Control on in Firefox Nightly, users can type about:config in the URL bar of their Firefox browser or type type `globalprivacycontrol` in the search box. From there, toggle `privacy.globalprivacycontrol.enabled` to true.

If you visit https://globalprivacycontrol.org/, the site will tell you whether you have it enabled or not. Abine, Brave, Disconnect, DuckDuckGo, OptMeowt and Privacy Badger are listed on the GPC website as browsers that have incorporated the feature into their service. The Washington Post reported this week that the GPC is part of an effort by organizations like the Electronic Frontier Foundation and Consumer Reports to force websites into privacy compliance.But unfortunately, California is one of the few states where the GPC is considered an acceptable method for consumers to opt-out of sales. “Under law, it must be honored by covered businesses as a valid consumer request to stop the sale of personal information,” California attorney general Robert Bonta said on a website explaining the CCPA. It is unclear whether officials in Virginia and Colorado will also enforce it the same way. “CCPA requires businesses to treat a user-enabled global privacy control as a legally valid consumer request to opt out of the sale of their data. CCPA opened the door to developing a technical standard, like the GPC, which satisfies this legal requirement & protects privacy,” said former California Attorney General Xavier Becerra, who is now Secretary of the US Department of Health & Human Services. More

Cybersecurity firm Proofpoint has found evidence of a prolific cybercrime group using the popularity of Netflix hit “Squid Game” to spread the Dridex malware. In a blog post, Proofpoint said TA575 — a “large cybercrime actor” — has sent emails pretending to be someone working on the show, urging people to download malicious attachments or fill out forms with sensitive information. The emails come with subject lines saying things like: “Squid Game is back, watch new season before anyone else,” “Invite for Customer to access the new season,” “Squid game new season commercials casting preview,” and “Squid game scheduled season commercials talent cast schedule.”Proofpoint said it found thousands of emails using the lures that targeted a variety of industries in the US. Some of the emails try to lure victims in by saying they could be in the show if they download a document and fill it out. 
Proofpoint
“The attachments are Excel documents with macros that, if enabled, will download the Dridex banking trojan affiliate id ‘22203’ from Discord URLs,” Proofpoint researchers Axel F and Selena Larson wrote. Sherrod DeGrippo, vice president of threat detection and response at Proofpoint, told ZDNet that Dridex is a banking trojan used to siphon money directly from the victim’s bank account.”But Dridex is also used for information gathering or as a malware loader that can lead to follow-on infections such as ransomware,” DeGrippo added. 

Proofpoint has been tracking TA575 since late 2020, noting that the group typically distributes Dridex through “malicious URLs, Microsoft Office attachments, and password-protected files.” The gang uses a variety of lures to get victims to click on links or download documents, often playing off of pop culture or deploying invoice-related language in emails. “On average, TA575 sends thousands of emails per campaign impacting hundreds of organizations. TA575 also uses the Discord content delivery network (CDN) to host and distribute Dridex,” the Proofpoint researchers said, adding that Discord has become a “popular malware hosting service for cybercriminals.” Cybersecurity experts like ThreatModeler CEO Archie Agarwal said the TA575 criminal group is made up of prolific, financially-motivated opportunists who specialize in Dridex malware and operate swaths of Cobalt Strike servers. Both the Dridex malware and Cobalt Strike servers are examples of repurposing the work of others, Agarwal said, explaining that Dridex dates back as far as 2015 and was known for specializing in banking credential theft. Hank Schless, Lookout senior manager of security solutions, said that throughout the COVID-19 pandemic, cybercriminals have used a variety of hooks related to the vaccine or government aid as a lure for emails with malicious attachments. Lookout data shows threat actors are heavily targeting users through mobile channels such as SMS, social media platforms, third-party messaging apps, gaming, and even dating apps. He added that one of the most interesting parts of the report is that TA575 uses the Discord CDN to host and deliver the malware. “This practice of using legitimate services as an intermediary command and control server is becoming more common. We frequently see it with data storage platforms like Dropbox as well. Attackers do this because it may help them slip by any detections more easily if the traffic looks legitimate,” Schless said.  More

Dozens of websites and services reported issues late last month thanks to the expiration of a root certificate provided by Let’s Encrypt, one of the largest providers of HTTPS certificates.

ZDNet Recommends

Let’s Encrypt and other researchers had long warned that the IdentTrust DST Root CA X3 would expire on September 30, and many platforms did heed the calls and updated their systems. But a few did not, causing a minor kerfuffle as users questioned why some of their favorite sites were not working as well as they should. Scott Helme, the founder of Security Headers, told ZDNet that he confirmed issues with Palo Alto, Bluecoat, Cisco Umbrella, Catchpoint, Guardian Firewall, Monday.com, PFsense, Google Cloud Monitoring, Azure Application Gateway, OVH, Auth0, Shopify, Xero, QuickBooks, Fortinet, Heroku, Rocket League, InstaPage, Ledger, Netlify and Cloudflare pages, but noted that there may have been more that went unreported.Millions of websites rely on the services provided by Let’s Encrypt, which operates as a free non-profit that makes sure the connections between your device and the internet are secure and encrypted.Without them, some older devices will no longer be able to verify certain certificates. Josh Aas, executive director of the Internet Security Research Group at Let’s Encrypt, told ZDNet that he was frustrated with how some outlets covered the September outages, with some implying it was a mistake or an accident. “We didn’t forget that it was going to expire or anything. We’ve been planning for this for years. We knew that this was going to happen, and we’ve been literally planning for this for years. Because we’ve been planning this for years, a lot less stuff broke,” Aas said. 

“The internet is a huge place. How many millions or billions of devices and servers and things like that are out there? Any time you change anything, stuff’s going to break. I don’t want to minimize any disruption that was frustrating to people, but all in all, it could have been worse.”Aas explained that there are three levels of certificates on the internet. There are certificates that websites have called end-entity certificates. Then there are two certificates issued by certificate authorities like Let’s Encrypt: root certificates and intermediate certificates. Root certificates are the main things that browsers trust, and intermediate certificates are what organizations like Let’s Encrypt use to issue to the websites. Aas said, end-entity certificates are valid for about 90 days: the intermediate certificates are valid for about five years, and root certificates last for about 20 years. When one is set to expire, organizations like Let’s Encrypt introduce a new one and ask websites to adopt it before the old one expires. “There’s really nothing you can do about avoiding certificate expiration. Certificates expire; that is an intended thing. That’s just what happens and that happens for a number of different reasons. We can’t prevent it. It’s designed to expire in that way. Every certificate authority works that way,” Aas said.Let’s Encrypt worked with hundreds of websites to get them switched over. Still, the internet has grown significantly, making it difficult to get every website, phone, browser, laptop, and device changed over. Aas added that there were always going to be some number of devices and browsers that were not able to make the switch when the old certificate expired. “We try to keep that number as low as possible through outreach and giving people tools on how to be ready. But it doesn’t get to everybody. The internet is too big for that,” Aas explained. “We did our best to try to give advice and tell people what they can do to move to the new certificate. And it seems like a lot of people did that. A lot of stuff was fixed relatively quickly.”Aas noted that certificates are designed to expire to protect the set of cryptographic keys behind them. “There are two keys that are essentially just really long numbers that are related to each other, and that’s how the cryptography behind certificates works. And one of those keys, called a private key, needs to be protected at all times. You don’t tell other people. So websites have the private key for their own identity certificates, but certificate authorities like Let’s Encrypt hold the private keys for root and intermediate certificates,” Aas explained. “We have to make sure that nobody else ever finds out what those keys are. They are very heavily protected and guarded by us. But it’s possible that somebody could have gotten a copy of the key, and we don’t know. As a general safeguard in the industry, we rotate keys every certain amount of time depending on the risk profile and things like that. So, certificate expiration is essentially a mechanism for rotating cryptographic keys on the internet over a certain time to ensure that these keys are never compromised. The longer a key is in use, the more likely it is that there’s an issue.”One of Let’s Encrypt’s root certificates was issued in 2015, and a second one was issued in 2020. The next expiration for these root certificates will be in 15 years and 20 years, respectively. The root that expired last month — IdentTrust DST Root CA X3 — was issued in 2000. Aas noted that the certificate authority industry started in the late 90s and early 2000s, meaning many of the certificates issued back then are starting to expire. “They are sort of clustered in that time period when all these CAs started, so I think we’re going to see more and more of these. Every time one of these things expires and causes some issues on the internet, we as a community of people who operate these devices and certificate authorities get a little better at managing the problem,” Aas said. While users and websites dealt with issues last month, Aas said the silver lining is that it was practice for the next time a certificate expires. He urged anyone with more questions about the topic to head to Let’s Encrypt’s Community Support Forum. Other experts echoed what Aas said, explaining that root expirations are a rare but normal occurrence and a necessity in the certificate authority ecosystem.Ed Giaquinto, CIO of Sectigo and an expert in digital certificates, said outages caused by root expirations are simply results of poor certificate lifecycle management. “If an enterprise does not have an accurate inventory of its certificates, including their chains to trusted roots, then outages due to expirations are inevitable. This is another example of how good certificate hygiene prevents outages,” Giaquinto said.  “A proper lifecycle management tool inventories and displays all relevant certificate information, including their expiration dates. Then, using automation, it replaces those certificates prior to expiration, enabling IT teams to be ahead of the game. We no longer exist in a world where we simply manage a few certificates for web front ends. PKI integrations have put certificates everywhere (ephemeral compute services, containers, program-to-program, B2B, and B2C communications, etc.), and proper management of the certificate lifecycle is crucial to preventing business outages.”Keyfactor chief security officer Chris Hickman echoed Giaquinto’s comments, telling ZDNet that in most cases, the greatest issue is a lack of automation to distribute the new root CA certificate to those devices that need to trust it. In many organizations, the root CA certificate stores are not managed universally, Hickman explained, adding that this can lead to situations like only updating parts of the network but not the entity of all devices that need to trust the new root. Hickman suggested organizations bring all of their keys and certificates into a single inventory by integrating directly with network endpoints, key stores and CA databases for comprehensive visibility. He noted that the first signs of trouble emerged when the AddTrust CA expired in May 2020, causing widespread outages for streaming and payment services like Roku, Stripe and Spreedly. Now, products are being designed to manage Roots of Trust out of band to software updates — but that process doesn’t extend to legacy products, he added. “If you don’t update your legacy roots, you can’t push updates, resulting in potential device failure. With multiple root CAs set to expire in 2021, it’s essential to ensure that updates can be sent efficiently and effectively to embedded and non-traditional operating systems, recognizing that many legacy devices may be unable to receive these updates,” Hickman said. “Another wrinkle in all of this is UNIX-based systems, as these devices cannot accept certificates with expirations beyond the year 2038. This situation is poised to be a very big problem without a clear solution that has not received much attention to date.”  More