Hub Hacken 2018-09-30

Security is an essential part of any business. There are multiple ways a system can become compromised, which is why one needs to ensure high-quality modern technologies are applied, such as SSL certificates, firewalls, physical protection of machinery, and many others.

To keep your company safe from potential security attacks you will need to undertake constant performance and security monitoring. Penetration testing has shown itself to be the best method of discovering potential security breaches, and in this article we will detail its potential advantages and disadvantages and how much penetration testing costs.

We will also include practical recommendations and case studies showing the benefits available to companies for implementing appropriate security protection.

Marie Haines 2017-01-20

Many of the improperly issued certificates—which contained the string "test" in various places in a likely indication they were created for test purposes—were revoked within an hour of being issued.

Still, the move represents a major violation by Symantec, which in 2015 .

Ayer discovered the unauthorized certificates by analyzing the publicly available , a project started by Google for auditing the issuance of Chrome-trusted credentials.

Normally, Google requires CAs to report only the issuance of so-called , which offer a higher level of trust because they verify the identity of the holder, rather than just the control of the domain.

Following Symantec's previously mentioned 2015 mishap, however, .

Had Symantec not been required to report all certificates, there's a strong likelihood the violation never would have come to light.

Jacqueline Cleghorn 2018-09-10

As a leading provider of SSL certificates, DigiCert is here to help you discover the benefits of using HTTPS across your entire site, and to help you successfully implement it.

Howard Marcinkowski 2017-08-04

You don't have to choose the specific content you'd like to cache, and there's no need to edit your site code.

Some of the benefits are similar to other CDNs.

The program can block threats based on reputation, HTTP headers, blacklists and more.

Quality extras include some effective image optimisations.

Cloudflare's ‘Polish’ technology works to reduce image file sizes by an average of 35%, while ‘Mirage’ uses multiple techniques to optimise how images are displayed on mobile devices.

While Cloudflare has a strong focus on ease-of-use and consumer-friendly features, the service also offers plenty for the more demanding and technical user.

William Garza 2018-08-15

A wildcard certificate is a type of public key certificate which can be used to secure multiple subdomains of a domain, validating to the user that the domain and all its subdomains are safe and can be trusted.

Wildcard certificates have some unique qualities: when an organisation uses a wildcard certificate on a public facing web server, it can secure an unlimited number of subdomains very quickly, all with the same certificate.

The main use case for which we created wildcard certificates was to enable businesses to support websites as they scaled in size, as well as other scenarios where a certificate was needed in a more complex environment.

Wildcard certificates offered a solution to this by providing a simple way to add web servers, instead of having to manage additional key pairs and certificates to authenticate the new web servers.

Wildcard certificates mean that servers which had previously used “www1.company.com”, “www2.company.com”, and “www3.company.com” could all use a “www*.company.com” wildcard syntax instead.

One of the common use cases for wildcard certificates is within a DevOps environment where there is a need to quickly secure multiple subdomains, as this allows the pace of development to continue securely.

Jerrell Lawson 2017-04-21

Both Google and Mozilla recently introduced protections against a particularly nasty form of web-based phishing.

It's called a homograph attack, and it can be nearly impossible to detect.

In my previous post I gave an example using forbes.com, something that the researcher Xudong Zheng assured me you don't have to worry about.

That's because "f does not have a convenient equivalent [character] in Cyrillic," so it can't be easily spoofed.

The same would hold true for facebook.com, which is great news since scammers love to get their hands on social media accounts.

Other major websites, though, definitely can be booby trapped.

David Bierman 2017-03-24

Google and Symantec are going through a rough patch.

Google are aiming to boost the confidence of Chrome users with engineers announcing plans to reduce trust in Symantec certificates.

This gradual shift is set to reach a point in early 2018 when Chrome 64 will only trust certificates that are issued from Symantec for 279 days or less.

The scale of the misissuance by Symantec has exploded from an initial 127 certificates under scrutiny, to a figure noted as at least 30,000.

The punishing results of these failures include a reduction in the accepted validity period to nine months or less, an incremental distrust, and a removal of the ‘Extended Validation’ status on Symantec issued certificates.

In a Google post, Ryan Sleevi said: “Given the nature of these issues, and the multiple failures of Symantec to ensure that the level of assurance provided by their certificates meets the requirements of the Baseline Requirements or Extended Validation Guidelines, we no longer have the confidence necessary in order to grant Symantec-issued certificates the “Extended Validation” status.”

James Kiley 2017-11-10

The CIA wrote code to impersonate Kaspersky Labs in order to more easily siphon off sensitive data from hack targets, according to leaked intel released by Wikileaks on Thursday.

Forged digital certificates were reportedly used to "authenticate" malicious implants developed by the CIA.

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities.

The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow, pretending to be signed by Thawte Premium Server CA, Cape Town.

In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

Eugene Kaspersky, chief exec of Kaspersky Lab, sought to reassure customers.

Alfred Borrow 2016-08-29

A Chinese certificate authority handed out a base certificate for Github and the University of Central Florida to a mere user in a significant security blunder.

British Mozilla programmer Gervase Markham reported the incident on the browser baron's mailing list saying it occurred more than a year ago in July 2015 but went unreported.

The gaffe meant an unnamed university student and mere Github user was handed a certificate for the Github domain from issuer WoSign.

It was the second time the researcher was able to score a base certificate from WoSign; the issuer also handed over a certificate for the university when a researcher accidentally applied for it instead of a subdomain.

"... an applicant found a problem with WoSign's free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain," Markham says.

"They [the researcher] accidentally discovered it when trying to get a certificate for med.ucf.edu and mistakenly also applied for www.ucf.edu, which was approved.

Alberto Mcgovern 2017-09-06

Computer-maker Lenovo has agreed to pay US states $3.5m (£2.7m) to settle allegations that it sold laptops with pre-loaded adware that compromised buyers' security without warning.

The company has also agreed to seek consumers' consent before installing any such software in the future.

Lenovo faced uproar when it emerged in 2015 that it had hidden an advert-delivering program made by Superfish on hundreds of thousands of computers.

US Federal Trade Commission investigators have alleged that Lenovo first started selling compromised laptops in August 2014.

The software involved was called VisualDiscovery, and was made by the California-based start-up Superfish.

It was designed to show pop-up ads from retailers when users hovered their cursors over related products on a website.

Daniel Martin 2017-04-27

Symantec is hoping to get its certificates back on Google's trust list.

In March, an ongoing spat between the two companies came to a head.

After a scandal in 2015 over three certs issued by Symantec subsidiary Thawte, the number grew to 23, then 164, then 2,458 within a month.

Google decided in December 2015 to distrust the company's 'Class 3 Public Primary CA' root certificate.

Things went quiet for a while, but in January Google started another investigation, turned up an alleged 30,000 dodgy certs, and decided to sin-bin Symantec.

To stave off disaster, Symantec has put forward another proposal to put things right, published here.

Dorothy Chiaramonte 2018-05-22

During that era, knights carried with them documentation that proved their identity, created by a notary and often embossed with official wax seals.

But how do you pick a good SSL provider?

First of all, we’ve got a list of 10 of our favored SSL certificate providers, although everyone’s needs vary, so following our list, we will engage in an in-depth discussion of all the criteria you should consider when picking the right company for you.

On the plus side, the company has excellent support people should you have installation or browser issues.

The motivation for this buyout was that Symantec managed to convince 90% of Fortune 500 companies to pay for the Norton Secured Seal.

You get what you pay for here, with top-notch support.

Peter Garvey 2017-03-06

Worse than those who ignored Cassandra are those who believed her and were swept away by the tides of fate.

On February 27, it emerged that a maker of an Internet of Things (IoT) teddy bear that could send and receive “voicemail” messages between kids and their parents/guardians had not just improperly secured their databases of user data and audio messages, but that hackers had copied and erased those databases and were holding the data for ransom.

This drumbeat of news may be overwhelming and hard to process, but it includes some foresight, some good news, and some cautionary tales that will ultimately lead to change.

Let’s start with the breaking of SHA-1, which I’ve written about in anticipation of this moment many times over the last few years, as SHA-1 remained until just recently the primary way that browsers validated https communications to make sure the server on the other end wasn’t being spoofed.

With SHA-1 broken, it doesn’t mean the floodgates have opened up for every secure website having its digital certificate spoofed by malicious parties or government actors.

Fortunately, browser makers led a charge starting a few years ago to get certificate authorities (CAs) to stop issuing SHA-1-signed certificates.

Daniel Slye 2016-12-13

Drones will start getting digital identification certificates under a new service being launched on Tuesday that hopes to bring trust and verification to the skies.

The Drone IDs will be SSL/TLS certificates from DigiCert issued through AirMap, a provider of drone flight information data, and will first be available to users of Intel's Aero drone platform.

Under the system, drone owners receive the digital ID in the form of an SSL/TLS certificate when they register for AirMap services.

The ID is different from the identification number issued to drone owners by the U.S. Federal Aviation Administration and isn't part of any government scheme.

Initially, the IDs will be used to authenticate drones into AirMap's system, which provides data about local weather and obstacles that could impede a drone's flight.

The hope is they'll become something akin to a driving license: a recognized, trusted and widely accepted form of ID.

Dennis Colella 2017-05-19

Updated While the rest of the world had its eyes firmly on the WannaCrypt outbreak, digital certificate firm Comodo suffered an unrelated but protracted database problem that affected its billing systems.

The Register learned of the issue from reader Ian Barber, who came across the problem in the process of getting a new SSL certificate from Comodo activated last Friday.

"It appears that Comodo is having some issues.

The scary bit is where they say they have restored to a database nine days old," he told El Reg in reaction to an emailed alert on the issue he received from Comodo – an extract of the missive below:

We regret to say that, due to a database system error, Comodo’s CA license database is having to be restored.

The initial restore has already taken place and all orders placed before 03-May-2017 12:19:52 UTC are being correctly managed.

Sam Gibson 2016-10-14

Test revocation causes browsers and systems to reject GlobalSign-issued certificates

Users around the world have had trouble accessing some HTTPS websites due to an error at GlobalSign, one of the world's largest certificate authorities.

As part of a planned exercise, GlobalSign revoked one of its cross-certificates that allowed end-user certificates to chain to alternate root certificates.

GlobalSign operates multiple roots, which are trusted in browsers and operating systems by default, and links them together through these cross-certificates.

The revocation of such a certificate was interpreted by some browsers and systems also as a revocation of the intermediate certificates that chained back to it.

This was not really the case or the company's intention.
