Thursday 21 March 2013
Friday 4 January 2013
Why an SSL Certificate is Important to a User and an Owner of Website
As we now all live in an online world, every day we browse multiple websites according to our needs. Sharing our personal and banking details with websites is just like sharing this vital information with people whom we have never met personally; we just know them virtually through their online eCommerce platform.
So the question becomes: is this a safe way of sharing our personal and credit card or banking details? The answer is: not always. But, because we are all living more and more in an online world, completing transactions over the internet is becoming more than a convenience – it’s becoming a necessity.
Just as the public needs websites for online shopping, trading, or transferring money, eCommerce website owners also need more traffic and ROI for their platforms. As we know, online phishing is increasing rapidly day by day, and hackers have become more active on eCommerce platforms, which has led customers to avoid dealing with websites that do not appear reputable and do not offer visible security features. That is why eCommerce website owners and users alike must think about their web security.
When web security is a concern, an SSL Certificate is one of the best choices for securing your website with strong encryption and with https, where the “S” stands for “Secure”. When your website carries a Secure Sockets Layer certificate, you pass the message to your website's users that they are in safe hands and can deal with your website and share their personal data safely.
As per one recent online survey, 65% of people are more likely to deal with websites that have a Domain Validated SSL Certificate, an Organization Validated SSL Certificate, or an EV SSL Certificate. Only 35% of people are willing to take the risk of sharing their information with, or dealing with, pages that are not secured with “https”. And of that 35%, most are affected by hackers and risk losing their hard-earned money or private information.
After reading this, we hope that you never share your personal information on a website that isn’t visibly secured by an SSL certificate. At the same time, if you are an eCommerce retailer, you must obtain an SSL certificate for your website that matches your needs.
SSL Certificate Requirement Guidelines:
- If you have an eCommerce website with low volume, then the RapidSSL Certificate is one of the best solutions for you.
- If you have a website related to banking & finance which has online bill payments or online banking facilities, then you should go with Symantec Secure Site with EV or Symantec Secure Site Pro with EV according to your specific needs.
- If you are looking for SSL security for your Email & Application Server, then GeoTrust QuickSSL Premium is the finest solution if you have MS Exchange Server (OWA) or MS SharePoint Server. For other email application servers, Thawte SSL123 is best.
- Moreover, if you want to secure multiple hostnames that share the same domain name with a single SSL Certificate, then a Wildcard SSL certificate is the best choice for you.
Thursday 6 December 2012
Leverage Vulnerability Assessments within Symantec Website Security SSL Certificates
Our online world is rife with shadowy creatures: it’s riddled with crime organizations, activist groups, government entities, and lone hackers. Why they breach our data boils down to a few things: greed, ideological dissent, and the desire to publicly embarrass their targets. In 2011, high-profile attacks on various Certificate Authorities threatened the systems that sustain trust in the internet itself. These attacks highlighted the need for Symantec to continue to harden its defenses and develop even stronger security procedures and policies.
The Website Security Internet Threat Report, published in May 2012, reported that in 2011 the Symantec website security malware scanning service scanned over 8.2 billion URLs for malware infection. Approximately 1 in 156 unique websites were found to contain malware. The struggle to preserve IT security for your client accounts is a 24/7 job, and your strategy needs to be comprehensive and focused. Where website malware scanning finds malware infection fast and helps you eliminate it, website vulnerability assessments are a proactive measure to prevent hacks in the first place. They enable you to proactively identify weaknesses in your website that bad actors are most likely to use to attack you. Vulnerability assessment services identify and guide resolutions to the most common and highest-risk exposure points like SQL Injection and Cross-Site Scripting (XSS). Symantec's vulnerability assessment identified critical vulnerabilities on 50% of websites scanned in a Symantec Assessment Preview Program conducted in August 2011.
In the 2012 Verizon Data Breach Investigation Report, 79% of victims were targets of opportunity. Of these, 96% of the attacks used simple, well-known or published vulnerabilities, meaning most of these businesses were attacked because they possessed easily exploitable weaknesses. Don’t leave your clients’ front door open.
Symantec Secure Site Pro with Extended Validation (EV), Secure Site with EV, and Secure Site Pro SSL Certificates carry the Norton™ Secured Seal, the most recognized trust mark on the Internet** and include vulnerability assessment at no cost for your clients. The targeted scan helps quickly identify and take action against the most common exploitable weaknesses that create the biggest risk to your customer’s business operations. Scans done automatically on a weekly basis can check for vulnerabilities on public-facing Web pages, Web-based applications, server software and network ports. Actionable reports identify both critical vulnerabilities that should be investigated immediately as well as informational items that pose a lower risk. You and your clients then have an option to rescan the websites to confirm that the vulnerabilities have been fixed. In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 47,662 recorded vulnerabilities (spanning more than two decades) from over 15,967 vendors representing over 40,006 products.
Neglecting to perform frequent vulnerability checks puts your customers’ websites, their clients, and their business at risk by leaving the door open to hackers. Studies show that the average cost per incident of a data breach in the United States is $7.2 million, with one of the largest breaches costing $35.3 million to resolve.*
The shadowy creatures that infiltrate security vulnerabilities are not going away; they will continue to refine their attacks against your customers. Your clients need tools that allow them to continue to do business safely online. They want answers and look to you, their trusted advisor, for the right solution. Symantec Secure Site Pro with Extended Validation (EV), Secure Site with EV, and Secure Site Pro SSL Certificates are the tools they need to stay protected. Symantec vulnerability assessment helps reduce the cost and complexity of vulnerability management, and it’s a solid starting point for your clients’ organizations that want to quickly assess their security standing. Symantec SSL certificate vulnerability assessments are also ideal for your clients' organizations that already use a compliance vulnerability scanning solution such as those for PCI, and need a complementary solution to cross-check the results of their scan for an added layer of security. When used in combination with Symantec SSL Certificates and daily website malware scans, vulnerability assessments help you to secure your clients' websites and protect their consumers.
Source: Symantec.com
Thursday 1 November 2012
SSL for Apps
SSL/TLS is a technology that is critical for securing communications. The challenge facing the SSL ecosystem today is how it is being implemented and used. Several university research teams have recently published reports describing errors and shortcomings in non-browser applications that act as the client of an SSL/TLS connection. These issues result from flawed implementations of SSL in the applications themselves or in the SDKs or APIs they use. Non-browser SSL client applications should follow these best practices to ensure that the high level of authentication, confidentiality and integrity promised by SSL remains intact.
A developer must perform a number of checks, and the most important is to cryptographically validate that the end-entity certificate presented by the server is the expected certificate, or was signed by an expected certificate. In other words, the developer must build a trusted and validated chain of certificates starting with the end-entity certificate and linking up to a trusted root or intermediate certificate. Certificates in the chain can be returned in any order, and the server may send more or fewer certificates than are needed to build the chain. If a self-signed root certificate is returned by the server, it should be ignored. By building a certificate chain, the developer cryptographically verifies that the chain from the end-entity certificate through the intermediates to the root certificate is valid and can be trusted.
Think carefully about which certificates you will trust. Requiring the server to return one particular end-entity SSL certificate is secure, but your application can break when that certificate is renewed or replaced. Alternatively, require that the end-entity SSL certificate chains up to a particular trusted root and is signed by an intermediate certificate with a specific Common Name.
The SSL/TLS protocol, when properly implemented, provides strong confidentiality and integrity for communications, as well as authentication of one or both endpoint identities. But it must be used according to standards and best practices. SSL certificates have been the key to trust on the Internet for more than a decade, and they will continue to provide excellent protection against evolving cyber security threats.
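The chain-building rules above, as an added example written for this page (not code from the post or from any vendor SDK): a Go client-side check using only the standard library's crypto/x509, run against a constructed in-memory PKI. The names Demo Root CA, Demo Issuing CA and api.example.test are made up for the demo; the server's certificates are accepted in any order, a self-signed root it sends is ignored, the chain must end at our own trusted root, the hostname must match, and the issuing intermediate's Common Name is pinned.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert issues an in-memory demo certificate for cn, signed by parent (self-signed when parent is nil).
func makeCert(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed PKI: distinct per call is enough
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// verifyServerChain performs the checks the post describes: take the server's certificates in any order,
// ignore a self-signed root it sends, chain the end-entity certificate to our own trusted root, match the hostname, and pin the issuer's CN.
func verifyServerChain(presented []*x509.Certificate, trustedRoot *x509.Certificate, host, wantIssuerCN string) error {
	var leaf *x509.Certificate
	intermediates := x509.NewCertPool()
	for _, c := range presented {
		switch {
		case !c.IsCA:
			leaf = c
		case c.CheckSignatureFrom(c) == nil:
			// Self-signed root from the wire: trust comes only from our own store, so skip it.
		default:
			intermediates.AddCert(c)
		}
	}
	if leaf == nil {
		return fmt.Errorf("server presented no end-entity certificate")
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: intermediates})
	if err != nil {
		return err // untrusted root, expired, hostname mismatch, bad signature, ...
	}
	if got := chains[0][1].Subject.CommonName; got != wantIssuerCN { // chains[0] is leaf -> issuer -> ... -> root
		return fmt.Errorf("end-entity certificate issued by %q, want %q", got, wantIssuerCN)
	}
	return nil
}

// runScenarios builds the demo PKI and exercises the checks; only the first scenario should pass.
func runScenarios() map[string]error {
	root, rootKey := makeCert("Demo Root CA", nil, true, nil, nil)
	inter, interKey := makeCert("Demo Issuing CA", nil, true, root, rootKey)
	leaf, _ := makeCert("api.example.test", []string{"api.example.test"}, false, inter, interKey)
	rogueRoot, rogueKey := makeCert("Rogue Root CA", nil, true, nil, nil)
	rogueInter, rogueInterKey := makeCert("Demo Issuing CA", nil, true, rogueRoot, rogueKey) // same CN, wrong root
	rogueLeaf, _ := makeCert("api.example.test", []string{"api.example.test"}, false, rogueInter, rogueInterKey)
	good := []*x509.Certificate{root, leaf, inter} // out of order, and the server included its root
	return map[string]error{
		"valid chain, any order":  verifyServerChain(good, root, "api.example.test", "Demo Issuing CA"),
		"wrong hostname":          verifyServerChain(good, root, "login.example.test", "Demo Issuing CA"),
		"wrong intermediate CN":   verifyServerChain(good, root, "api.example.test", "Other Issuing CA"),
		"chain to untrusted root": verifyServerChain([]*x509.Certificate{rogueLeaf, rogueInter, rogueRoot}, root, "api.example.test", "Demo Issuing CA"),
	}
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-24s -> %v\n", name, err)
	}
}
```

Pinning the issuer CN alone would not have caught the rogue chain, since its intermediate reuses the name; the root-of-trust check is what rejects it.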
Monday 22 October 2012
Some Android apps have serious SSL vulnerabilities, researchers say
A team of researchers from two German universities has released a study asserting that many of the most popular free apps available through the Google Play store may be vulnerable to man-in-the-middle attacks -- seriously threatening user privacy.
The researchers, from the Universities of Hannover and Marburg, studied the 13,500 most popular free apps on the Play store for SSL and TLS vulnerabilities. They found that 1,074 of the applications "contain SSL specific code that either accepts all certificates or all hostnames for a certificate and thus are potentially vulnerable to MITM attacks," according to a summary posted online.
Additionally, the scientists performed a manual audit of 100 apps for a more definitive look at potential security issues, finding that 41 were open to man-in-the-middle attacks because of SSL vulnerabilities. They said that the vulnerable apps could be exploited, allowing an attacker to steal highly sensitive usernames and passwords for Facebook, WordPress, Twitter, Google, Yahoo and even online banking accounts, among others.
Similar vulnerabilities, the team added, could be used to manipulate antivirus software on the phone, changing definitions to include benign apps or ensure that malicious ones are ignored.
"The cumulative install base of the apps with confirmed vulnerabilities against MITM attacks lies between 39.5 million and 185 million users, according to Google's Play Market. Actually Google's Play Market does not give a precise number of installs, instead giving a range. The actual number is likely to be larger, since alternative app markets for Android also contribute to the install base," the researchers wrote.
According to the H-Online, the team plans to make the code analysis tool it developed for the research public "in the near future."
Source: networkworld.com
Monday 1 October 2012
Adobe Revokes Certificates Following Server Compromise
Adobe is in the process of revoking certain digital certificates after discovering two malicious utilities signed by valid Adobe certs.
Adobe's senior director of security, Brad Arkin, wrote in a blog post that attackers had compromised an Adobe build server (and not the certificates themselves) that was able to make code signing requests to Adobe's actual code signing service.
The breach occurred on July 10, so any certs signed with the impacted key from then until October 4 will be revoked, Arkin wrote.
Adobe Downplays Impact
"This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications [Adobe Muse, Adobe Story AIR, and Acrobat.com] that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms," he said.
So far, Adobe has found only two malicious utilities, pwdump7 v7.1 and myGeeksmail.dll, bearing the certificates. Adobe told Securityweek that "the evidence indicates that the certificate was not used to sign widespread malware."
The Story's Not Over, Security Experts Say
But although the current scope is small, some security experts warn that the impact could be huge.
Kaspersky's Roel Schouwenberg questioned why Adobe had backdated the cert revocation to July 10, when the two malicious files were signed two weeks later.
"Is Adobe 100 percent confident no other malicious files were signed?" he asked. "We should view this as along the same lines as the RSA attack."
Furthermore, he said, no one knows who the attackers are really targeting. "So far nothing suggests that Adobe was the real target."
F-Secure's Sean Sullivan agreed that although "there's definitely no need to panic at this point" about getting infected by a stolen Adobe signature, we shouldn't move on too quickly.
"Being the build server, it makes one wonder if any developer computers have been compromised to allow code to be injected into Adobe's apps. Injecting a backdoor into Adobe's apps would be so much more valuable than spoofing its cert," he said.
In a statement, Paul Zimski of Lumension said that with the right certificates an attacker "could theoretically impersonate a legitimate software update, and spread malware payloads through these mechanisms."
"The installed software is going to think it's downloading a valid update, but it’s actually a false update signed with a fraudulent, but real certificate. I’m not saying that’s what was done here, but this is the Holy Grail of what could happen."
The issue now, Zimski said, is where the attackers are going next.
Similarly, Wes Miller, research VP at Directions on Microsoft, said the fact that attackers now have a code signing certificate for code "from one of the most pervasive companies on the planet, and one that is constantly patching" means it will take quite a bit of time for Adobe to revoke the certificates on a global level. And in the meantime, "how large of a threat vector does this pose?"
Adobe posted the malicious utilities on the Microsoft Active Protection Program (MAPP) so security vendors could detect and block them. At the moment, using an up-to-date anti-virus is your best bet, Schouwenberg said.
Source: securitywatch.pcmag.com
Monday 17 September 2012
President Obama Urged to Issue Cybersecurity Order
U.S. President Barack Obama has been called upon to issue an executive order to improve the nation's computer and website security practices. Senate Intelligence Chairwoman Dianne Feinstein of California wrote an open letter to the president that expressed concerns over cybersecurity legislation efforts, predicting that effective legislation is not likely to pass within the next year.
"Therefore, I believe the time has come for you to use your full authority to protect the U.S. economy and the networks we depend on from future cyber attack," Feinstein wrote. "While an Executive Order cannot convey protection from liability that private sector companies may face, your administration can issue cybersecurity standards and provide technical assistance to companies willing to take voluntary steps to improve their security. You can also direct the Intelligence Community and the Department of Homeland Security to provide as much information as possible to the private sector about cyber threats, including classified information."
A recent article from The New American pointed out this isn't the only time the Obama administration has been called to action. Senator Jay Rockefeller of West Virginia wrote a similar letter to the president earlier this month. White House representatives said that the administration considered issuing an executive order after the Cybersecurity Act of 2012 failed to pass in the Senate.
Although the U.S. government has made several attempts to pass legislation enhancing communication between the private and public sector, those efforts have come under heavy criticism from security experts. According to a CIO blog post written earlier this month, experts said previous cybersecurity bills did not address core issues.
The article highlighted comments from Jason Lewis, chief scientist at Lookingglass Cyber Solutions, who said the problem with the bill was accountability. Voluntary guidelines such as those outlined by CISPA are not enough to protect critical infrastructure, according to Lewis. An effective cybersecurity solution would be painful for everyone, legislators and businesses included.
"If the law stated that companies involved in security incidents had to shut down their business until they could prove they had addressed the issues, the number of breaches would be low and the level of security across all sectors would improve dramatically," Lewis said.
Lewis added that organizations responsible for managing critical infrastructure would need help upgrading their technology infrastructures and implementing best-practice solutions. Making improvements to these systems without hindering operations can be costly, but the first step would be to hold organizations accountable for security.
Source: thawte.com