Logo

PKI Consortium blog

Posts by tag Malware

    Securing Software Distribution with Digital Code Signing
    October 16, 2013 by Bruce Morton (Entrust), Jeremy Rowley CASC Code Signing Malware SSL/TLS

    Code signing certificates from publicly trusted Certification Authorities (CAs) fulfill a vital need for authentication of software distributed over the Internet in our interconnected world. As the commonly referred to “Internet of things” continues to grow, consumers have access to millions of applications for their desktops, laptops, and mobile devices. Creative software engineers provide us with applications to cover any of our potential needs or interests. Cybercriminals and others with malicious intent recognize this as an opportunity and seek to trick us into installing malicious software (malware) — programs that hijack our computers, steal our money, or try to inflict harm.

    Encryption Still Works – It’s About How You Implement It
    September 13, 2013 by Ben Wilson ECC Encryption Malware RSA SHA1 SHA2 SSL/TLS TLS 1.1 Vulnerability

    The September 5th joint article by the New York Times and Guardian newspapers on NSA’s and GCHQ’s efforts to circumvent encryption implementation have left many people speculating on the security of the data they are transmitting over the Internet. Hopefully, this blog post will provide some guidance and help understand SSL in light of these recent articles. Importantly, the articles point out that the primary means of attacking SSL/TLS do not exploit a vulnerability in the protocol itself but instead aim to exploit poor implementations of the protocol, insecure servers, and weak cryptography.

    Firefox 23 Blocks Mixed Content
    August 13, 2013 by Wayne Thayer Chrome Encryption EV Firefox Google Malware Mixed Content Mozilla SSL/TLS

    The latest version of the Firefox Web browser from Mozilla was released on August 6th with a great new security feature called a “mixed content blocker”. In a nutshell, this feature ensures that all of the parts of a secure Website are indeed encrypted via SSL certificates. All of the data on the website is prevented from being intercepted, and it becomes more difficult to add malware into the site’s content.

    5 Tips for SMBs to Help Secure Their Online Presence
    June 17, 2013 by CA Security Council CASC Identity Malware SSL/TLS Vulnerability

    With National SMB Week upon us, the CASC has come up with its five tips for SMBs to help secure their online presence. By implementing these simple steps SMBs can build trust and loyalty by ensuring their website is safe to visit, search, enter personal information, or complete a transaction.

    1. Create unbreakable passwords – Strong passwords are essential on any account related to your online presence (domain registrar, hosting account, SSL provider, social media, PayPal, etc.). Brute-force attacks where a computer is used to rapidly guess your password are surprisingly common and effective. To prevent your business accounts from being hijacked, we recommend that you use a password generator to create strong passwords and a password safe to store them. Many services now also offer a two-factor authentication option and we recommend that you take advantage of this whenever possible.
    2. Consider an SSL certificate – In today’s world of e-commerce, consumers need to have trust in your brand and your authenticity. If you’re a small business and don’t have the brand identity that your larger competitors enjoy, verifying your identity and trustworthiness with an SSL certificate can make a major difference in your online success. Extended Validation certificates enhance the assurance provided to your customers by displaying your company name in green in their browser’s address bar. Even if your website doesn’t do e-commerce or collect private information, you should consider an SSL certificate to authenticate your business to visitors.
    3. Regularly scan your website for vulnerabilities and malware – It’s common for sites to become infected the same way that your PC can. When this happens, the website might load slowly, display unwanted advertisements, and infect your customer’s computers with more malware. Just as you should run a virus scanner on your PC, it’s a good practice to monitor your site for problems. There are many vendors that will do this automatically and alert you if they find a problem.
    4. Don’t forget updates and patches – Make sure that someone is regularly patching your website. This is especially important if your site is built using popular software like WordPress or Zen Cart. This software is constantly being updated to address security problems, but those updates must be installed on your website, just like installing the latest Windows Updates on your PC. We recommend that you check with your hosting provider or site designer to find out if they are updating your website’s software on a regular basis.
    5. Maintain control – Make sure that you have control over your domain name, SSL certificate, and website. It’s all too common for business owners to hire someone to build their website, and leave that person as the only one with access to the SSL, domain name, and hosting account. When these services come up for renewal or need to be changed, you can run into big problems if you can’t reach the person who originally built the site. We recommend you make sure that someone at your organization is also listed as a contact on these accounts so that you will still be able to maintain continuity with and otherwise manage your certificate, domain name, and hosting account.

    The Importance of Revocation Checking Part 2: A Real World Example
    March 11, 2013 by Wayne Thayer Attack Code Signing CRL Encryption Identity Malware OCSP Revocation SSL/TLS

    Just last week, a new security incident related to certificate revocation checking made headlines. It was discovered that a legitimate website was hosting a malicious Java application that installed malware on the computers of people who visited the site. This comes after recent updates that introduced Security Level settings in Java, and then raised the default from Medium to High. At the high level, users are shown a warning before any unsigned Java code is executed. Unfortunately, this recent incident exposed a method that allows an attacker to bypass the warning.

    The Importance of Checking for Certificate Revocation
    March 9, 2013 by Rick Andrews Attack CRL Identity Malware MITM OCSP Revocation SSL/TLS

    Certificates are typically valid for one to three years, and during that time it’s possible that the web site owner or the CA realizes that end users should not trust the certificate. There are several cases in which this might happen, including these:

    • The web site owner ceases doing business, no longer owns the domain name used in the certificate, has changed their organization name, or wishes to shut down the web server.
    • The subscriber learns that an unauthorized party has gained access to the private key associated with the public key in the certificate.
    • The CA learns that errors were made in authentication, the subscriber misrepresented some material info used in the authentication process, or the subscriber has violated the terms of its agreement with the CA.

    When the subscriber or CA makes the decision to revoke a certificate, that decision must be conveyed to end users who encounter the certificate in use. There are two different methods for this:

    Participate in our community discussions and/or join the consortium