Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Website Security Solutions
Showing posts in English
AllenKelly | 08 Sep 2011 | 0 comments

This is the second part of a two-part series on the proper management of SSL Certificates.

In Part I of this series, we discussed some of the risks and implications of poorly managed SSL Certificates.  When SSL Certificates expire or become compromised, the need to rectify the situation quickly is paramount. Take the example of a recent incident where a Certificate Authority (CA) was compromised. Customers of that CA may want to take appropriate actions quickly to minimize any cascading impact from that security breach. Unfortunately, if the customers do not have a robust SSL Certificate Management System, they may not know their level of threat exposure.

Many organizations recognize the risks and implications of out-of-status SSL certificates....

FranRosch | 07 Sep 2011 | 1 comment

Since my last post, the effects of the recent DigiNotar breach have spread across the security industry. Many media outlets recently shared some of the names of the 531 fraudulent certificates created, including Google, Facebook, Skype, Microsoft, as well as each of the major certificate authorities. A hacker has claimed responsibility for the breach and claims to have breached some other Certificate Authorities as well. GlobalSign has ceased issuing certificates as it investigates whether or not it has been breached. Pundits are questioning the strength of SSL. Then, yesterday a Dutch government agency erroneously made a statement that Thawte had been breached. Although the statement was proven false and quickly...

AllenKelly | 01 Sep 2011 | 0 comments

On August 17th eWeek ran an article that described how improper SSL implementations can leave websites vulnerable to various cyber attacks.  While this story is spot-on, what is equally important to consider is the proper management of SSL Certificates. The mismanagement of SSL Certificates can lead to financial loss and lack of credibility for your organization.

One particular challenge that enterprises face can be having hundreds of SSL Certificates and no proper SSL Certificate management tool. The status of each certificate is usually tracked manually on a spreadsheet or through some other manual mechanism.  Manual mechanisms are prone to human error, and what’s more, data is difficult to track when IT personnel changes.  In addition, it isn’t unheard of for an SSL Certificate to expire in the middle of the...

FranRosch | 31 Aug 2011 | 0 comments

The Internet is buzzing with news of a recently compromised Certificate Authority (CA), DigiNotar, owned by VASCO Data Security International, Inc., possibly compromising a large number of consumers.

In July of this year an internal audit discovered an intrusion within DigiNotar’s CA infrastructure indicating compromise of their cryptographic keys. The breach of these keys resulted in the fraudulent issuance of public key certificates to a several dozen domains including the domain Google.com. Shortly after the incident DigiNotar revoked all of the certificates in question, conducted an additional external security audit and then attempted to revoke outstanding certificates that were affected. As of July 19th, DigiNotar believed all fraudulent certificates were taken out of circulation by revocation.

Unfortunately this week it was found that there were still instances of fraudulent certificates still in circulation. On August 28, 2011 a false DigiNotar wildcard...

RyanWhite | 14 Jul 2011 | 0 comments

Surveys are a great window into people’s minds, especially when they can illuminate contrasting, and even contradictory, behaviors in the same group. Results from the Symantec Online Internet Safety Survey have done just that. The most compelling finding – that respondents frequently proceed with online transactions they know might be insecure – inspired me to ask not just, “What are they thinking?” but “What are they thinking?!?”

The survey’s focus must be on many people’s minds, as we’ve had an extraordinary response – 301 people in just a few days! My initial impressions of the results are below. Feel free to share your comments and questions here.

Findings

Risky behavior remains common despite respondents knowing better: What struck me the most was that in many cases, respondents continued...

Christina Rohall | 28 Jun 2011 | 0 comments

...on behalf of Michael Lin, senior director of Trust Services

A recent flurry of media stories and blog posts has debated which technology is more crucial for online security: Domain Name System Security (DNSSEC) or Secure Sockets Layer (SSL) encryption?  The very question itself indicates that confusion may still exist over what each technology does – and how they actually work best together.

DNSSEC ensures that people reach the real IP address of the websites they seek. More specifically, DNSSEC authenticates the origin and integrity of DNS data as that data traverses the Internet. The technology helps thwart man-in-the-middle attacks and DNS cache poisoning, where cybercriminals corrupt stored DNS data to direct website visitors to fraudulent sites. The Online Trust Alliance recommended organizations support of DNSSEC in their latest scorecard,...

Christina Rohall | 02 Jun 2011 | 0 comments

Headlines about a massive spear phishing attack on top U.S. officials’ Gmail accounts hit early today, leaving many to wonder, “Could this happen to me?” Nobody is immune to receiving a phishing email, but they can arm themselves with information and technologies that will minimize the chance they will fall victim.

Fraudsters have been using the classic phishing attack to steal user names and passwords for more than a decade, yet phishing remains a powerful method for account takeover attempts because it relies on the human brain, versus a computer, to execute the requested activity. However, many savvy Internet users today know the basics of spotting the telltale signs of a phishing attempt, for example: receiving unsolicited email from an unknown source, being asked to click a suspicious link or download a file, spotting various typos in an...

AllenKelly | 24 May 2011 | 0 comments

Yesterday, an independent researcher claimed in his blog to have successfully exploited vulnerabilities in the way LinkedIn handles and transmits cookies over SSL (see blog at http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability). According to the blog, one of the problems is the availability of cookies sent in plain text over unencrypted channels of communication, which is due to SSL cookies not having a secure flag set, as well as appearing to contain session tokens.

"An attacker may be able to perform a man in the middle (MITM) attack, and thus capture these cookies from an established Linkedin session." said the researcher.

This type of attack is similar to how Firesheep, a Firefox plug-in that was released in October 2010, enabled hackers to hijack information from other users on the same...

AllenKelly | 18 May 2011 | 0 comments

The Online Trust Alliance (OTA) today announced their annual scorecard on security-related matters for a number of companies including members of the Fortune 500, Internet Retailer Top 500 Retailers, The FDIC 100, the top 50 government sites, leading social networking sites and OTA member sites.

You can find the entire scorecard here. It’s interesting to note the year over year growth in adoption of EV SSL Certificates.  In some groups, adoption was up 289% Y/Y and the overall average for all of the groups was a commendable 68%.

This helps to support the notion that the industry is really starting to adopt EV SSL as the latest standard in SSL security.  We’ve seen instances where agencies like the IRS have made strong recommendations for e-filing sites using EV SSL during tax season, as well as it...

Christina Rohall | 17 May 2011 | 0 comments

...on behalf of Carlos Chang, product marketing manager, Symantec.

 It is Small Business Week here in the U.S., and time for outstanding small businesses to be recognized. Small businesses are the engines that power our economy and deserve recognition for everything they do that makes our country strong. 

Traditionally, consumers tend to trust small business owners – whether it is the helpful pharmacist around the corner, or the owner of the sandwich shop down the street that will always greet you with a friendly hello. Unfortunately, consumers don’t always have that same trust when doing business online.

Consumers do not always know who is behind a website they are visiting and need confirmation that it is run by a legitimate business. One way to receive that confirmation is through a symbol or mark on the website itself, indicating that it is indeed safe. It is important for small businesses that have an online presence to have a trust...