Tag Archive for HTTPS

| January 20, 2018
Comments Off on Browser Security Updates

Browser Security Updates

Browser Security UpdatesIf you bank, shop, or work on the Intertubes your security is changing. Your browser Security is changing because Symantec is selling its Website Security and related PKI business to PKI encryption solutions to DigiCert for nearly $1 Billion.

SSL and TLS logoExperts estimate that Symantec (SYMC) owns 40% of the SSL certificate market. SSL/TLS certificates are used to encrypt the connections between browsers and HTTPS-enabled websites. The certificates are used to verify that users are actually visiting the websites they intended to and not spoofed versions. Certificates are issued by organizations known as certificate authorities that are trusted by default in browsers and operating systems.

As a result of the sale, many firms are going to have to reissue SSL/TLS server certificates. The reissued certs will ensure browser security and make sure there is no impact on your online experiences. These certificates are essential to ensure secure, encrypted communication for user interaction on the Intertubes.

Google Chrome browser security

Google (GOOG) has led the effort to decrease the disruption that could come along with this change. Google posted a plan back in July of 2017 regarding Symantec-issued SSL/TLS server certificates.

• In March 2018 Google Chrome (Chrome 66 Beta) will show a warning for sites secured with SSL/TLS certificates issued before June 1, 2016. Your security is at risk and data encryption will function normally, but your transactions will be disrupted by a warning in Chrome.
• Google has also stated that all SSL/TLS certificates that had been issued by Symantec before December 1, 2017, will not be trusted starting in September 2018 (Chrome 70 Beta). Doing transactions at sites that have not been updated will put your security at risk, and you will get a warning in Chrome.

Mozilla Firefox

Mozilla, publisher of the Firefox web browser says that it intends to follow the same timeline proposed by Google.

rb-
This change is a normal procedure for typical certificate renewal. There should be no service disruption when the new certificates are issued as long as your web browser is up to date. There is no reason to have an out-of-date browser anymore. All three major browsers will auto-update. Other keys to staying safe online include:

  • Always check for HTTPS when you plan on providing personal data to a website. Always check for HTTPS
  • Pay attention to any security warnings you receive when you visit a website. Although you can almost always trust the HTTPS you see in your browser URL, any additional warnings from your browser should show that there may be a problem with the connection, so you should proceed with caution.

Nearly 54% of all U.S. web browsers will be affected by these changes. Statista says that Chrome held almost 50% of the browser market share and Firefox held over 5% of the share in December 2017. 41% of Internet users are not covered by this change (Safari 32.7% and IE/Edge 9%).

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| June 29, 2017
Comments Off on Don’t Know Much Security

Don’t Know Much Security

Don’t Know Much SecurityWith apologies to Otis Redding, Americans don’t know much about security. They don’t know much privacy or the SPAM they took. A new Pew Research Center survey, “What the Public Knows About Cybersecurity” quizzed 1,055 adults about their understanding of concepts important to online safety and privacy. The results of the Pew survey are unsettling.

questions about cybersecurityThe Pew Research survey asked 13 questions about cybersecurity. The median score was five correct answers. Just 20% answered eight questions correctly. A relatively large percentage of respondents answered “not sure” to questions rather than providing the wrong answer.

Most Americans don’t know how to protect themselves. Only 10% were able to identify one example of multi-factor authentication when presented with four images of online log-in screens.

Most Americans still unknowingly allow themselves to be tracked across the web. 61% of those surveyed were not aware that Internet Service Providers can still see the websites their customer visit even when they’re using “private browsing” on their search engines.

A slight majority (52%) of people recognized that just turning off the GPS function on smartphones does not prevent all tracking of the phone’s location. Mobile phones can be tracked via cell towers or Wi-Fi networks.

Only 54% of respondents correctly identified a phishing attack. For cybercriminals, phishing remains a favorite trick for infecting computers with malware. Phishing schemes usually involve an email that directs users to click on a link to an infected website.

phishing attackComputer security software does a good job of blocking most phishing schemes, Stephen Cobb, security researcher for anti-virus software firm ESET told Phys.org, including many advanced spear-phishing attacks targeting people with personalized information.

Retired Rear Adm. Ken Slaght, head of the San Diego Cyber Center of Excellence, a trade group for the region’s cybersecurity industry told KnowB4.

It is probably our No. 1 concern and No. 1 vulnerability … These attackers keep upping their game. It has gone well beyond the jumbled, everything misspelled email.

2/3’s of Americans tested, could not identify what the what the ‘s’ in ‘https‘ meant. The article explains that the ‘s’ stands for secure, with website authentication and encryption of digital traffic. It is used mostly for online payments. Security researchers often suggest computer users check the website addresses – known as the URL – as a first step before they click on a link. ESET’s Cobb said, “You wonder if people know what a URL is … Do they know how to read a URL? So there is plenty of work to be done.”

In the most puzzling finding to me, 75% of participants identified the most secure password from a list of four options. And yet followers of Bach Seat know that year after year passwords suck. Could it be that Americans just don’t care about online security?

Fortunately, some Americans also recognize that public Wi-Fi hotspots aren’t necessarily safe for online banking or e-commerce. The mixed security results highlight that staying secure online is not a priority for Americans at work or at home.

The Wall Street Journal also covered the Pew findings and quoted Forrester: “The percentage of security and risk professionals citing “security awareness” as a top priority rose to 61% last year, from 56% in 2010.”

In the enterprise, Heidi Shey, a senior analyst at Forrester, told CIO Journal that security awareness training isn’t always effective, since it’s often conducted once a year as a compliance issue and involves lists of dos and don’ts.

The human element is important in safeguarding a firm against cyberattack, since it’s both a first line of defense as well as a weak link. Successful awareness efforts are focused on enabling behavioral change, and typically customized and specific to an organization, its workforce, and relevant risks.

rb-

The data from Pew says that enterprise and home users need to be more security-aware. Technology can’t solve stupid so users have to be the last line of defense.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| July 9, 2016
Comments Off on Security Cam Concerns in Ann Arbor

Security Cam Concerns in Ann Arbor

Security Cam Concerns in Ann ArborNext time you are in Ann Arbor to get a bite to eat at Zingerman’s or attend a U of M football game at Michigan stadium someone may be watching you. NetworkWorld, says Ann Arbor is one of the top U.S. cities with the most unsecured security cameras. In fact, Ann Arbor ranks seventh nationally.

The report’s author, security firm Protection 1, analyzed the data from Insecam. Inseacam identifies open security cameras and Protection 1 estimates there are over 11,000 open security cameras on the Internet in the U.S. Protection 1 identified the cities with the most cameras that can be viewed by anyone online. The top 10 cities with unsecured security cameras are:

  1. open security camerasWalnut Creek, CA – 89.69 / 100,000 residents
  2. Richardson, TX – 72.74 / 100,000 residents
  3. Torrance, CA – 72.55 / 100,000 residents
  4. Newark, NJ – 38.07 / 100,000 residents
  5. Rancho Cucamonga, CA – 36.76 / 100,000 residents
  6. Corvallis, OR – 37.98 / 100,000 residents
  7. Ann Arbor, MI – 34.18 / 100,000 residents
  8. Orlando, FL – 34.05 / 100,000 residents
  9. Eau Claire, WI – 22.21 / 100,000 residents
  10. Albany, NY – 20.32 / 100,000 residents

using the manufacturer's default passwordOpen security cameras connect to the Internet via Wi-Fi or a cable. They have no password protection or are using the manufacturer’s default password. Malicious people and governments can record or broadcast our lives from unprotected open security cameras. Open cameras are also vulnerable attacks that can turn them into bots.

From a privacy perspective, the most worrisome finding is that 15% of the open cameras are in Americans’ homes. Anyone can watch these cameras if the default password is not changed to a unique password to lock down the camera.

Besides being spied on from the web, open cameras can be exploited by criminals. Cyber-criminals can force online cameras to attack other things on the Internet as part of a DDoS attack.

distributed denial-of-service (DDoS)A DDoS attack against a jewelry shop website led to the discovery of a CCTV-based botnet. A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing a denial of service for users of the targeted system. TargetTech says the flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.

Help Net Security reports that Sucuri researchers discovered the jewelry site was being attacked by a CCTV botnet made up of 25,000+ cameras from around the globe. The website was first attacked by a layer 7 attack (HTTP Flood) at 35,000 HTTP requests per second and then, when those efforts were thwarted, with 50,000 HTTP requests per second.

Sucuri researchers discovered that all the attacking IP addresses had a similar default page with the ‘DVR Components’ title. After digging some more, they found that all these devices are BusyBox based. Busybox is a GNU-based software that aims to be the smallest and simplest correct implementation of the standard Linux command-line tools.

CCTV botnet made up of 25,000+ cameras from around the globeThe compromised CCTV cameras were located around the globe:

  • 24% originated from Taiwan,
  • 12% United States,
  • 9% Indonesia,
  • 8% Mexico,
  • and elsewhere.

rb-

Unless something is done, security flaws, misconfiguration, and ignorance about the dangers of connecting unsecured devices to the IoT will keep these botnets functioning well into the future.

block or absorb malicious trafficTo protect your website from botnets and DDoS, you need to be able to block or absorb malicious traffic. Firms should talk to their hosting provider about DDoS attack protection. Can they route incoming malicious traffic through distributed caching to help filter out malicious traffic — reducing the strain on existing web servers. If not find a reputable third-party service that can help filter out malicious traffic.

DDoS defense services require a paid subscription, but often cost less than scaling up your own server capacity to deal with a DDoS attack.

Arbor Networks is one firm that provides services and devices to defend against DDoS.

Google has launched Project Shield, to use Google’s infrastructure to support free expression online by helping independent sites mitigate DDoS attack traffic.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
| July 2, 2016
Comments Off on Independence Day 2016

Independence Day 2016

Independence Day is the time when Americans celebrate freedom from a tyrannical government in the 18th century. While gaining that freedom, the founding fathers used encryption. They used encryption while risking their lives to gain the freedom we celebrate on July 4th. The EFF documents how many of the Founding Fathers of the United States used encryption to secure our freedoms.

  • Thomas Jefferson Thomas Jefferson invented an encryption devicewas the principal author of the Declaration of Independence and the country’s third president. He is known to be one of the most prolific users of secret communications methods. He even invented his own cipher system—the “wheel cipher”  or the “Jefferson disk” as it is now commonly referred to. Mr. Jefferson also presented a special cipher to Meriwether Lewis for use in the Lewis and Clark Expedition.
  • George Washington was the first president of the United States. He frequently dealt with encryption and espionage issues as the commander of the Continental Army. He gave his intelligence officers detailed instructions on methods for maintaining the secrecy and for using decryption to uncover British spies.
  • John Adams was the second U.S. president. He used a cipher provided by James Lovell—a member of the Continental Congress Committee on Foreign Affairs. He was an early advocate of cipher systems—for correspondence with his wife, Abigail Adams while traveling.
  • James Madison was the author of the Bill of Rights and the country’s fourth president. He was a big user of enciphered communications. Numerous examples from his correspondence prove that. The text of one letter from Madison to Joseph Jones, a member of the Continental Congress from Virginia, dated May 2, 1782, was almost completely encrypted via cipher. And on May 27, 1789, Madison sent a partially encrypted letter to Thomas Jefferson describing his plan to introduce a Bill of Rights.

TechDirt correctly concludes that If encryption was good enough for the Founding Fathers to use in the 18th Century … it’s pretty ridiculous that we’re still having this debate now in this age of constant government monitoring, warrantless searches, corporate data aggregationdata sharing, and tools like IBM’s Non-Obvious Relationship Awareness software (NORA). The time is now to fight shortsighted “going dark” claims by the FBI and efforts by clueless politicians like Sen. Dianne Feinstein (D-CA) who have plans to ban encryption.

rb-

Seems to me that the biggest threat to America this Independence Day is the political ambitions of technically illiterate know-nothings in the gooberment. Be like the Founding Fathers and encrypt something start with HTTPS Anywhere from the EFF.

 

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Holidays | Tags: , , , , , , , , , , , , , , , , , , , , ,
| December 7, 2015
Comments Off on Let’s Encrypt Lives

Let’s Encrypt Lives

Let's Encrypt LivesLet’s Encrypt, an initiative to set up a free certificate authority (CA) on the Intertubes has entered its public beta phase. All major browser makers including Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer trust Let’s Encrypt certificates. In their announcement Josh Aas, the executive director of California based Internet Security Research Group (ISRG), which runs the Let’s Encrypt service, wrote:

We’re happy to announce that Let’s Encrypt has entered Public Beta. Invitations are no longer needed in order to get free certificates from Let’s Encrypt … We want to see HTTPS become the default. Let’s Encrypt was built to enable that by making it as easy as possible to get and manage certificates.

Encryption to protect communications

Lets Encrypt logoLet’s Encrypt is overseen by folks from Mozilla, Akamai (AKAM), Cisco (CSCO), Stanford Law School, CoreOS, the EFF, and others. Let’s Encrypt was first announced in 2014, (rb- Which I covered here). motivated by a desire to steer organizations towards the use of encryption to protect their communications. A key part of the strategy is offering free digital certificates, which is a radical departure from the very hefty premiums that certificate authorities typically charge.

The Register reports that the free cert is no freebie weakling. Lets Encrypt uses a 2048-bit RSA TLS 1.2 certificate with a SHA-256 signature installed and the server configured to use it. The cert gets an A from Qualys SSL Labs.

Let’s Encrypt to offer free SSL/TLS certs

Secure Socket Layer/Transport Layer Security certificatesLet’s Encrypt plans to distribute free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates, which encrypt data passed between a website and users. The use of SSL/TLS is signified in most browsers by “HTTPS” and a padlock appearing in the URL bar. Unencrypted web traffic poses a security risk. For example, an attacker could collect the web traffic of someone using a public Wi-Fi hotspot, potentially revealing sensitive data.

Besides securing your information going across the Internet from spies and thieves, FierceSecurityIT says another key aspect of Let’s Encrypt is to make it easy to generate and install new digital certificates. The Let’s Encrypt CA uses an open source “automated issuance and renewal protocol” that allows for certificates to be renewed without manual intervention.

automated issuance and renewalThe automated issuance and renewal protocol prevents oversights resulting in certificates for live websites expiring, a situation that does happen from time to time. FierceSecurityIT says that short-term certificates also offer better security by reducing exposure in the event that the private keys are stolen.

rb-

Major technology companies including Google, Yahoo and Facebook have made a strong push for broader use of encryption in light of government surveillance programs and burgeoning cyber-crime.

The point of Let’s Encrypt is that anyone who owns a domain name can use Let’s Encrypt to get a trusted certificate at no cost. This will help HTTPS become the default. This is a big step forward in terms of security and privacy.

Instructions for getting a certificate with the Let’s Encrypt client can be found here.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
« Older Entries