Website Security Solutions
FranRosch | 02 Feb 2012 | 3 comments

News broke recently that Verisign, Inc. reported in their quarterly SEC filings that they had been victims of a security breach in 2010. At this time, Verisign, Inc. has only confirmed that the incident did not impact their DNS business. 

Just as Verisign, Inc. stated that there was no impact to their production environment, I stand behind the following statement that Symantec made in response to media questions regarding the 2010 Verisign, Inc. security breach:

Symantec takes the security and proper functionality of its solutions very seriously. Trust Services (SSL), User Authentication (VIP, PKI, FDS), and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the Verisign, Inc. quarterly filing.

Unfortunately, many people are associating the breach at...

Michael Lin | 06 Dec 2011 | 1 comment

While presenting at HostingCon earlier this year, some particular figures in my slide deck jumped out at me: 1) Corporations are seeing their information double every two years; and 2) Each day, 600 million emails are sent containing unencrypted confidential data. Those are staggering figures on their own. Put them together, and the need to protect sensitive data online becomes glaringly obvious.

The booming popularity of Secure Sockets Layer (SSL) Certificates and Extended Validation SSL (EV SSL) Certificates reflects the recognition that people and organizations must protect themselves from worsening malware, data breaches and other IT security threats. By validating user and...

Leelin Thye | 30 Nov 2011 | 0 comments

Today, Symantec is launching Symantec Certificate Intelligence Center as a generally available release after a successful public beta. Symantec Certificate Intelligence Center is a cloud-based service for enterprises to discover all SSL certificates, regardless of Certificate Authority (CA), and exercise end-to-end certificate lifecycle management.

The onslaught of news on security breaches related to SSL certificates such as weak 512-bit SSL certificates being issued by CAs, or stolen certificates being used to propagate cyber attacks, or even...

FranRosch | 21 Nov 2011 | 1 comment

Malaysia just can’t catch a break lately. Earlier this month it was discovered that Malaysian certificate authority DigiCert Sdn. Bhd. (no relation to DigiCert, Inc.) had been issuing weak 512-bit SSL certificates, a serious no-no in the CA business. This led to the major browsers yanking DigiCert Sdn. Bhd. from their trusted root stores. Then last week a story broke in which a code signing certificate had been stolen from a Malaysian government agency and used to sign malware that exploits a vulnerability in Adobe Acrobat 8.

An investigation found that the certificate was issued by DigiSign Server ID to a domain managed by the Malaysian Agricultural Research and Development Institute. Although the certificate has since expired, Malaysian authorities say the certificate was stolen “some time ago”.  

I’ve read a number of articles on this subject since the story broke and each article makes mention of this being the...

Teresa Wingfield | 09 Nov 2011 | 0 comments

Did you know that Symantec offers free vulnerability assessments for Extended Validation Secure Sockets Layer (EV SSL), Premium and Secure Site Pro certificate customers?  The new Symantec service enables quick identification and remediation of the most exploitable weaknesses on public-facing Web pages, Web-based applications, server software and network ports.

In less than three weeks since the October launch of Symantec’s vulnerability assessments, the company has scanned nearly 2000 web sites for critical vulnerabilities that could allow malicious hackers to insert malware or to directly access confidential customer data. Of these sites, more than half had critical vulnerabilities which customers were able to quickly remediate. Symantec identified hundreds of exposures, largely due to outdated software, and has already helped over half of the impacted customers to completely eliminate all identified vulnerabilities.

Could you also benefit from the...

Bernard Laroche | 03 Nov 2011 | 0 comments

Is your business ready to be blacklisted by search engines, or do you have the right tools to stay online and trusted?

The only way websites can get off the blacklist and shut down the warnings is to demonstrate that they are malware free. That’s why anti-malware scans and anti-malware seals are so valuable: they offer immediate, demonstrable proof that visitors can trust a website to be free of malware.

Anti-malware scans and seals offer website owners other tangible business benefits, including:

  • uninterrupted search traffic, higher search rankings and more completed transactions
  • improved compliance with commercial and government data security standards
  • significantly decreased chances that search engines will identify the website as malicious
  • much lower likelihood of public exposure, bad press and negative business...

Bernard Laroche | 28 Oct 2011 | 0 comments

With National Cybersecurity Awareness Month winding down, now is a good time to re-emphasize the threat that malicious code (malware) poses. Website owners of all sizes must protect themselves and their customers from these destructive or intrusive programs, which can destroy, compromise or steal sensitive data and inflict terrible financial costs on all victims.

Malware affects individuals and organizations of every size, from one-person operations to the largest global enterprises. But like calculating the distance between stars, the size of the federal budget deficit, or how many calories are in some fast food menu items, it’s hard to imagine how staggeringly large malware numbers are until you really look at them.

For example, Verizon’s 2010 Data Breach Investigations Report...

FranRosch | 26 Oct 2011 | 3 comments

There is a distributed denial of service (DDOS) attack making news this week called THC-SSL-DOS, and it’s stirring up some discussion about the renegotiation feature of SSL. Some are saying this is a flaw in SSL. It is not. SSL renegotiation is a feature, not a flaw to be fixed. The attack is primarily another DDOS attack.

A better user experience

Renegotiation is a feature that makes it possible to adjust the parameters of an SSL handshake without requiring an entirely new SSL session. This allows for an improved user experience, a must-have for most Ecommerce, media, cloud providers, and SaaS sites.

Here is just one example: a web user visits a web site that is SSL encrypted. After spending some time shopping on that site anonymously the user decides to purchase or log in. Renegotiation will allow the SSL connection with that site to adjust to authenticate the user without requiring a break in the user experience. This way, all the...

FranRosch | 18 Oct 2011 | 0 comments

Some of the files associated with the new W32.Duqu threat were signed with a private key. After intense investigation we concluded that the private key used for signing these Duqu files was stolen from a Symantec customer whose systems appear to have been compromised. The private key was associated with a code signing certificate issued to that customer.

A Stolen Key

We take this very seriously and quickly revoked the customer code signing certificate in question. We have found no evidence of any breach to our systems and our records show that the code signing certificate was issued only after completing our rigorous customer authentication process. Our systems, roots and intermediate CAs were never at risk.

Running the world’s largest commercial cyber-intelligence network, Symantec is constantly monitoring the internet and customer environments in search of...

AllenKelly | 06 Oct 2011 | 0 comments

As you may already know, VeriSign Authentication Services became part of Symantec in August of 2010. Since then, we’ve continued to invest in and enhance your SSL Certificates—adding more value and providing even more protection for your business—while still giving online customers the greatest confidence that your website is secure. Since we became part of Symantec we’ve delivered:

  • Express Renewal and AutoRedeem/AutoPay Renewal Services

  • Vulnerability Assessment

  • Symantec Certificate Intelligence Center...