
Tag: Authenticity

You won’t believe why Facebook will block this headline

Updates to news feed algorithms tweaked to catch spammy and deceptive headlines.

Clash of Greed

Yet the more popular a game is, the higher the probability that fraudsters will be looking to make a fortune on that popularity by, for example, organizing phishing attacks on the player base.

Those phishing attacks, though always quite similar in their nature, are very competently planned.

VU#507496: GIGABYTE BRIX UEFI firmware fails to implement write protection and...

GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 and GB-BXi7-5775 platforms, versions vF6 and vF2 respectively, fails to properly set the BIOSWE, BLE, SMM_BWP, and PRx bits to enforce write protection. It also is not cryptographically signed. These issues may permit an attacker to write arbitrary code to the platform firmware, potentially allowing for persistent firmware level rootkits or the creation of a permanent denial of service condition in the platform.

Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs...

Chrome to immediately stop recognizing EV status and gradually nullify all certs.

At death’s door for years, widely used SHA1 function is now...

Algorithm underpinning Internet security falls to first-known collision attack.

Download Security Update 2016-003 Supplemental (10.11.6)

The OS X El Capitan Security Update 2016-003 Supplemental Update fixes a kernel issue that may cause your Mac to occasionally become unresponsive. For more information on the security content of this update, see http://support.apple.com/kb/HT1222 and, for details on how to verify the authenticity of this download, see http://support.apple.com/kb/HT5044

FTC Claims D-Link Routers and IP Cameras are Leaving Consumers at...

In a legal complaint, the FTC makes multiple allegations about improper security measures in D-Link devices that could potentially enable attacks.

D-Link calls the claims "vague and unsubstantiated." The U.S. Federal Trade Commission (FTC) filed a legal complaint against networking equipment vendor D-Link Corporation on Jan. 5, alleging that the company has inadequate security measures in its products, leaving consumers at risk.

D-Link denies the allegations. In a 31-page legal complaint, the FTC outlined multiple alleged failings in D-Link's security.

According to the complaint, D-Link "…failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access..." Among the issues alleged in the FTC complaint are hard-coded user credentials, which are passwords embedded in devices that users cannot easily change, and which could give an attacker unauthorized access.

The FTC also warns about command injection flaws that might potentially enable a remote attacker to gain control of a vulnerable D-Link device. The FTC also takes issue with how D-Link secures mobile application login credentials, which allegedly are now being stored in a non-encrypted, readable text format.

As well, the FTC is concerned with how D-Link has managed its own private encryption key, which is used to validate the authenticity of D-Link's software. "Hackers are increasingly targeting consumer routers and IP cameras -- and the consequences for consumers can include device compromise and exposure of their sensitive personal information," Jessica Rich, director of the FTC's Bureau of Consumer Protection, said in a statement. "When manufacturers tell consumers that their equipment is secure, it's critical that they take the necessary steps to make sure that's true." In an email sent to eWEEK, D-Link stated that it denies the allegations outlined in the complaint and is taking steps to defend the action. "The security of our products and protection of our customers' private data is always our top priority," the company stated. In a publicly posted response to the FTC claims, D-Link states that the allegations are vague and unsubstantiated.

Additionally, D-Link notes that the FTC complaint does not claim any specific breach of any D-Link product. "The FTC speculates that consumers were placed 'at risk' to be hacked, but fails to allege, as it must, that actual consumers suffered or are likely to suffer actual substantial injuries," D-Link states. "D-Link Systems maintains a robust range of procedures to address potential security issues, which exist in all Internet of Things (IOT) devices."

The FTC has been actively working in recent years to help protect consumers against potential dangers arising from improperly secured Internet of Things (IoT) devices. In January 2015, the FTC released a report providing recommendations to vendors on how to improve IoT security. In February 2016, networking vendor Asus settled with the FTC over wireless router security issues. In the Asus case, the company agreed to maintain a comprehensive security program that includes its wireless routers and associated firmware being independently audited every two years for the next 20 years. Earlier this week, on Jan. 4, the FTC announced the $25,000 IoT Home Inspector Challenge to help improve security in connected home devices.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.


Drone ID Takes Off to Deliver IoT Security

As increasing numbers of Drones take to the skies, the new Drone ID effort backed by AirMap and DigiCert aims to help provide identification and security. When a drone flies overhead, how can its owner be identified? That's a question that is not easil...

Facebook Releases Free SSL/TLS Certificate Transparency Monitoring Tool

New Certificate Transparency Monitoring Tool aims to help make it easier for organizations and users to identify when a new SSL/TLS certificate has been issued for a specific domain, in an effort to help prevent wrongly issued security certificates. Kn...

Download Security Update 2016-007 (10.10.5)

Security Update 2016-007 is recommended for all users and improves the security of OS X. For more information on the security content of this update, see http://support.apple.com/kb/HT1222 and, for details on how to verify the authenticity of this download, see http://support.apple.com/kb/HT5044

Download Security Update 2016-003 (10.11.6)

Security Update 2016-003 is recommended for all users and improves the security of OS X. For more information on the security content of this update, see http://support.apple.com/kb/HT1222 and, for details on how to verify the authenticity of this download, see http://support.apple.com/kb/HT5044

Finally! A minimum standard for certificate authorities

The Certificate Authority Security Council has released new Minimum Requirements for Code Signing for use by all CAs (Certificate Authorities).

This represents the first-ever standard for code-signing, and the advocacy group hopes the guidelines will improve web security by making it easier to verify software authenticity. The new Minimum Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates outlines specific steps CAs and individual software companies must perform to ensure code-signing certificates are not abused.
It addresses "user concerns about the trustworthiness of signed objects and accurately identifying the software publisher," the working group wrote in the requirements document. While the requirements are intended primarily for CAs that can issue code-signing certificates (including root CAs publicly trusted for code signing and all other CAs part of the root CA's validation path), software companies and developers have to comply with some of the requirements if they are going to work with a standards-compliant CA. Not meeting those requirements can mean a code-signing certificate will not be issued, or an existing one will be revoked. Code signing refers to using certificates to digitally sign executables and scripts in order to verify the author's identity and, more importantly, that the code has not been altered or corrupted since it was signed.
Several attack campaigns have stolen legitimate code-signing certificates to sign malware, making it possible for the malicious code to bypass security defenses.

There are 25 million pieces of malware enabled by code-signing certificates, and stolen code-signing digital certificates are sold every day on underground markets for more than $1,000 each, said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. "Code signing is critical to every mobile device and computer we touch," Bocek said. Microsoft has already adopted the minimum requirements and will require all CAs issuing code-signing certificates for the Windows platform to adopt the minimum requirements starting Feb. 1, 2017. Because CAs have different rules for how they issue and revoke code-signing certificates, both developers and cybercriminals could game the system, Bocek said. Without any standards in place, it was possible to get accepted by one CA even after already being rejected by a different CA.

The variance made it difficult to know which code-signing certificate could be trusted. With the guidance, each CA has some leeway in developing its own process for how to issue and revoke certificates, but the underlying requirements are the same from CA to CA. Along with providing all the information necessary for the CA to verify the identity of the software company (or developer) in order to issue the certificate or sign the code object, organizations are responsible for making sure the private key is generated, stored, and used in a secure environment with controls to prevent the keys from being stolen or misused.

The CA has to provide guidance on how to protect the keys, but it's up to the organization to do it in a way that matches the guidelines:

Protecting the private keys: Organizations have to use either a trusted platform module to generate and secure key pairs, a FIPS 140 Level 2 Hardware Security Module or equivalent (such as Common Criteria EAL 4+), or another type of hardware storage token, such as a USB key or an SD card. The tokens have to be kept physically separate from the device hosting the code-signing function until the moment it is actually needed for a signing session.

Securing the code signing computer: The computer used for signing cannot be used for web browsing, and it must be periodically scanned by regularly updated security software for possible infections.

Picking a trusted third party: Organizations that use a third-party signing service to sign objects with their private keys should make sure the signing service has enabled multi-factor authentication to access and authorize code signing. If the service doesn't, it's not compliant with the new requirements and should be a serious warning flag.

Transporting the key securely: If the CA or the signing service is generating the private key on behalf of the organization, the private keys may be transported outside of the secure infrastructure. In those cases, the key must either be transported "in hardware with an activation that is equivalent to 128 bits of encryption, or encrypt the Private Key with at least 128 bits of encryption strength," according to the standard. That could mean using a 128-bit AES key to wrap the private key, or storing the key in a PKCS 12 file encrypted with a randomly generated password "of more than 16 characters containing uppercase letters, lowercase letters, numbers, and symbols."

Using strong keys: The CA will not issue the code-signing certificate if the requested Public Key does not meet modern security requirements or if it has a known weak Private Key (such as a Debian weak key).

The CA will have to spell out all of the new requirements in the subscriber agreement, and it has to keep complete records to show that both the organization and the CA are following the rules. Under the agreement, the organization cannot request a code-signing certificate if the public key in the certificate is -- or will be -- used with a non-code signing certificate.

The organization also has to commit to protecting against the theft or misuse of the private key, and to immediately request the CA to revoke the certificate if the private key is compromised or used to sign malicious code. If the private key is compromised due to an attack, the CA doesn't have to issue a new or replacement certificate until it is satisfied the organization has improved its security protections. "Documentation of a Takeover Attack may include a police report (validated by the CA) or public news report that admits that the attack took place.

The Subscriber must provide a report from an auditor with IT and security training or a CISA that provides information on how the Subscriber was storing and using Private keys and how the intended solution for better security meets the guidelines for improved security," the standard says. Currently, if the CA rejects the request for a new or replacement certificate, the organization can apply with another CA. However, if the second CA is following the new requirements, then it will be checking "at least one database containing information about known or suspected producers, publishers, or distributors of Suspect Code, as identified or indicated by an Anti-Malware Organization and any database of deceptive names" before issuing a certificate.
If the second CA sees that the organization has been implicated in signing bad code, then the idea is that it will also push back and reject the application, just like the first CA. "The CA must not issue new certificates to organizations that have been the victim of two Takeover Attacks or where the CA is aware the organization is not storing the private keys correctly," the standard says. The standard also has other requirements about the CA setting up a Timestamp Authority and how the timestamp certificates should be used, such as letting code signatures stay valid for the validity period of the timestamp certificate. The standard was released by the Code Signing Working Group, part of the CA/Browser Forum, which is a voluntary group of CAs, browser makers, and software vendors that use X.509 v3 digital certificates in their applications.

The Code Signing Working Group consists of Comodo, DigiCert, Entrust, GlobalSign, Izenpe, Microsoft, Symantec, SSC, and WoSign.

The China-based WoSign is the same CA that was recently marked as untrusted by Mozilla, Apple, and Google for multiple problems in how SSL certificates were issued. "The CA Security Council guidance on code signing is long overdue," Bocek said. "New methods of certificates to detect fraud and misuse such as Certificate Reputation will also see increased adoption as misuse of code signing certificates gets more and more attention." The requirements have not been adopted by the CA/Browser Forum, but will instead be improved and maintained by the CA Security Council.