STE WILLIAMS

Millions of Office 365 Accounts Hit with Password Stealers

Phishing emails disguised as tax-related alerts aim to trick users into handing attackers their usernames and passwords.

A new wave of phishing attacks aims to dupe users and steal their passwords by disguising malicious emails as tax-related notifications from the IRS.

Barracuda Networks last month flagged a “critical alert” after detecting attempts to steal user passwords. The threat lures victims with Microsoft Office files that claim to be tax forms or other official documents; attackers use urgent language to convince people to open the attachment.

Examples of this tactic include files named “taxletter.doc” and phrases like “We are apprising you upon the arisen tax arrears in the number of 2300CAD.” The use of popular file types like Word and Excel, which are globally known and used, further ensures victims will fall for it.

“Today’s documents are far more active … you’re putting in a lot of content, media, links,” says Fleming Shi, senior vice president of technology at Barracuda, comparing this threat with phishing attacks of the past. “Bad guys are leveraging the dynamic, active manner of the documents today to weaponize their files.”

In this case, users are hit with the password stealer when they download and open the malicious document. When the document opens, a macro inside it launches PowerShell, which runs in the background while the victim views the document.

Tens of millions of people have been affected by these phishing emails, Shi says, and attackers evade detection by crafting different emails.

“What they do is they rotate the content of the email; they rotate sender information,” he continues. Signature-based systems won’t catch these messages because changing the characteristics of malicious emails changes their fingerprint.
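Rotating the sender and the body text changes the email’s fingerprint, but it does not change what the endpoint sees when the attachment runs: an Office process spawning PowerShell. The Go program below is an added illustration, not code from Barracuda or the article, of a detection that keys on that process lineage instead of on the lure. The event fields, the Office and interpreter lists, the suspicious-argument fragments and the sample events are my assumptions and constructed data, not a vendor’s signature set.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

// ProcEvent is a minimal process-creation record with the fields Sysmon Event ID 1
// or EDR telemetry carries. Type and sample data are constructed for this example.
type ProcEvent struct {
	ParentImage string
	Image       string
	CommandLine string
	User        string
}

// Alert is one detection hit.
type Alert struct {
	Severity string
	Reason   string
	Event    ProcEvent
}

// officeParents are the hosts a macro runs inside; a macro-launched interpreter
// always appears as a child of one of them.
var officeParents = map[string]bool{
	"winword.exe": true, "excel.exe": true, "powerpnt.exe": true, "outlook.exe": true,
}

// scriptChildren are the interpreters a macro typically hands off to.
var scriptChildren = map[string]bool{
	"powershell.exe": true, "pwsh.exe": true, "cmd.exe": true,
	"wscript.exe": true, "cscript.exe": true, "mshta.exe": true,
}

// suspiciousArgs hide the window, bypass the execution policy, or fetch a second
// stage: the marks of a script meant to run unseen while the victim reads the file.
var suspiciousArgs = []string{
	"-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
	"executionpolicy bypass", "downloadstring", "invoke-webrequest",
}

// imageName lowercases the basename of a Windows path so the tables above match
// regardless of install location or casing.
func imageName(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/")))
}

// Detect applies the parent/child rule to a batch of events. It keys on process
// lineage rather than on the lure email, so rotating sender and body text does
// not evade it; evasion flags on the command line raise the severity.
func Detect(events []ProcEvent) []Alert {
	var alerts []Alert
	for _, ev := range events {
		parent, child := imageName(ev.ParentImage), imageName(ev.Image)
		if !officeParents[parent] || !scriptChildren[child] {
			continue
		}
		sev, reason := "medium", parent+" spawned "+child
		cl := strings.ToLower(ev.CommandLine)
		for _, frag := range suspiciousArgs {
			if strings.Contains(cl, frag) {
				sev, reason = "high", reason+"; command line contains "+strconv.Quote(frag)
				break
			}
		}
		alerts = append(alerts, Alert{Severity: sev, Reason: reason, Event: ev})
	}
	return alerts
}

// SampleEvents is constructed telemetry: a macro dropper, an interactive PowerShell,
// an Office child that is not an interpreter, and an Excel-launched cmd with no flags.
func SampleEvents() []ProcEvent {
	office := `C:\Program Files\Microsoft Office\root\Office16\`
	ps := `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`
	return []ProcEvent{
		{office + "WINWORD.EXE", ps, `powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA`, `CORP\alice`},
		{`C:\Windows\explorer.exe`, ps, `powershell.exe`, `CORP\bob`},
		{office + "WINWORD.EXE", `C:\Windows\splwow64.exe`, `splwow64.exe 8192`, `CORP\alice`},
		{office + "EXCEL.EXE", `C:\Windows\System32\cmd.exe`, `cmd.exe /c copy taxletter.xls C:\Users\Public`, `CORP\carol`},
	}
}

func main() {
	for _, a := range Detect(SampleEvents()) {
		fmt.Printf("[%s] %s (user %s)\n  %s\n", a.Severity, a.Reason, a.Event.User, a.Event.CommandLine)
	}
}
```

Run against the sample, the Word-to-PowerShell event with a hidden window and an encoded command is reported as high, the Excel-to-cmd event as medium, and the user-launched PowerShell and the print helper are ignored. In a real deployment the same rule would be fed from Sysmon or EDR process-creation events; the only tuning it needs is the list of Office hosts and interpreters, which attackers cannot rotate the way they rotate email text.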

Password theft is increasing overall, a sign of attackers shifting their goals and strategies, Shi explains. Ransomware was big last year; this year, password stealers are appearing in phishing emails, browser extensions, and other programs as criminals hunt login data.

It’s all part of a broader trend of sneaky spearphishing and targeted attacks, he says. Usernames and passwords grant access to multiple systems and applications a particular user is attached to, as well as social media sites and contact lists to fuel future attacks.

“Some attackers try to be like a sleeper cell on your system,” Shi notes. Instead of seeing a red flag, victims will notice subtle clues they have been compromised: their system will slow down; they’ll see more pop-ups. All are signs they’ve lost control of applications on their system.

IRS officials are also urging caution amid an increase in tax-related phishing emails. Last month, the IRS Online Fraud Detection and Prevention (OFDP) office announced a rise in compromised-email scams dating back to January 2017. Cybercriminals are aiming for mass data theft, and many impersonate executives to request W-2 information from human resources.

It’s a timely opportunity for attackers to capitalize on users’ wariness of tax season and make their campaigns more effective. “You feel vulnerable because you get an email saying the IRS is eyeing you,” Shi says. “What happens is, you’re likely going to open the document.”

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/threat-intelligence/millions-of-office-365-accounts-hit-with-password-stealers/d/d-id/1331181?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Don’t fall for fake iTunes and App Store messages

Ever received an email that looks for all the world like it’s from Apple? Like, maybe a receipt from an iTunes purchase that you don’t remember making?

Well, that’s easy to fix, right? Just click on the link to update your account information and…

Ooops! Increasingly, chances are if you click, you wind up being phished.

Phishing scams that pose as official Apple emails are getting more and more sophisticated. On Tuesday, 9to5Mac reported on one recent version: phishing attacks posing as App Store subscription renewal messages.

On Friday, Apple posted a quick guide to help customers tell the difference between phishing emails and legitimate email from its App Store, iTunes Store, iBooks Store or Apple Music.

Apple says that scammy emails often resemble official Apple correspondence – same formatting, same language and same graphics. That includes, for example, the official apple-with-a-bite logo and/or that Apple Music pink and blue eighth note icon.

E-swindlers often try to trick us into sharing our personal or financial information by sending us messages or links to sites that look like they’re from Apple, but which in reality are out to steal our account information. From the iCompany’s post:

Some phishing emails will ask you to click on a link to update your account information. Others might look like a receipt for a purchase in the App Store, iTunes Store, iBooks Store or for Apple Music, that you’re certain you didn’t make.

“Never enter your account information on websites linked from” such messages, Apple said, and “never download or open attachments included within them.”

You might well ask: OK, if I don’t click on that link, how can I correct what I know is a charge I didn’t make?

Easy, Apple says: if you get an email asking you to update your account or payment information, do it directly on your iOS device, under Settings, or do it in the Settings for the iTunes or App Store on your Mac, or in iTunes on a PC.

Ditto for requests to update your password: only do it in Settings on your device or at appleid.apple.com.

It’s great advice, and it echoes that handed out by Staysafeonline.org in the lead up to holiday shopping last year: Stop. Think. Connect.

Naked Security’s Paul Ducklin says you can try the logic on for size:

  • If these messages are true, you don’t need to click – you can just head over to Apple’s website manually, or open the App Store app yourself.
  • If the messages are not true, you don’t want to click, for obvious reasons.
  • Therefore, true or false, your best action is not to click.

Here are some other red flags that can indicate that a phisher is spoofing emails from Apple:

  • Requests for personal information, such as your taxpayer ID/Social Security Number, mother’s maiden name, full credit card number, or your credit card CCV code. Apple never asks for that information to be sent over email.
  • No billing address. Genuine purchase receipts – from purchases in the App Store, iTunes Store, iBooks Store, or Apple Music – include your current billing address, which Apple says scammers are unlikely to have. You can also review your App Store, iTunes Store, iBooks Store or Apple Music purchase history.

If you’re thinking, Uh-oh, I think I already fell for something, Apple asks that you report it to reportphishing@apple.com. If you’re on a Mac, forward the email as an attachment from the Message menu.

And if you think you might have entered personal information like a password or credit card info on a scam website, Apple says you should immediately change your Apple ID password.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/asSQKjuRpl4/

Can emojis save you from a terrible password?

Researchers might have discovered a simple way to get more computer users to opt for strong passwords – tell them how easy their weak choices would be to hack.

The idea comes from research conducted by a team led by the University of Plymouth’s Centre for Security, Communications and Network Research (CSCAN), which tested the effectiveness of password advice strategies through two experiments.

In the first, 300 users creating a website account were offered either no password advice at all or were aided by a password meter, emotive feedback message or emoji.

The latter prompts improved matters a lot: password choices rated as “weak” dropped from 75% for the group offered no guidance, to a third for those given the emotive feedback.

In a second experiment, 500 users in the US were told how quickly a hacker might crack their password choice, causing them to choose passwords that were longer and up to ten times as strong as a result.

This points to a curious effect: the way you tell people what they’re doing wrong can be as important as the fact you’re telling them at all.

Or, if you like, the abstract rating of a password meter isn’t likely to be as effective at changing human behaviour as an alarming message telling people their hopeless password is going to make life easy for criminals.

Ideally, sites shouldn’t allow users to create weak passwords in the first place, regardless of whether advice on their weakness is offered or not.

Last year a study by Dashlane found that numerous big web brands are astonishingly lax on this score, with some imposing apparently-sensible eight-character minimums without also disallowing a password that is simply a single character repeated eight times (‘11111111’).

But even sites that already have tight policies in place might be able to boost password security further by giving users strongly-worded feedback.

Study co-author, Professor Steve Furnell:

A common weakness in the provision of security is that while relevant features are present and available to be employed, users are often expected to use them with little upfront guidance, or ongoing support.

It’s as if some sites are reluctant to be too insistent about password strength in case they put users off. If so, adding emotional cues could be a way to overcome this.

It’s also true that even the best-crafted password counts for nothing if it has already been compromised.

On that front, Troy Hunt’s Have I Been Pwned (HIBP) site recently launched version two of Pwned Passwords which allows anyone to check a password to see whether it’s on the compromised naughty step – using one that turns up here would be a major security risk.
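The two ideas above, a crack-time message in the blunt style the Plymouth study found persuasive and a check against Pwned Passwords, fit together naturally at signup. The Go program below is an added example, not code from the study or from Have I Been Pwned. It implements the version-two lookup the way the service is designed to be used, by k-anonymity: only the first five hex characters of the password’s SHA-1 would be sent, and the suffix is matched locally against the returned range. The guess rate, the character-class arithmetic and the SampleRanges response (including its counts) are constructed assumptions; a real client fetches the range from api.pwnedpasswords.com.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math"
	"strconv"
	"strings"
	"unicode"
)

// GuessesPerSecond is an assumed offline attack rate against a fast unsalted hash.
const GuessesPerSecond = 1e10

// SHA1Hex returns the uppercase hex SHA-1 the Pwned Passwords range API is keyed on.
func SHA1Hex(pw string) string {
	sum := sha1.Sum([]byte(pw))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// PwnedCount is the k-anonymity lookup: only the first five hex characters leave
// the client, the service answers with every known suffix under that prefix and
// its breach count, and the match is made locally. ranges maps prefix -> response
// body; a real client would GET https://api.pwnedpasswords.com/range/<prefix>.
func PwnedCount(pw string, ranges map[string]string) int {
	h := SHA1Hex(pw)
	prefix, suffix := h[:5], h[5:]
	for _, line := range strings.Split(ranges[prefix], "\n") {
		parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(parts) == 2 && parts[0] == suffix {
			n, _ := strconv.Atoi(parts[1])
			return n
		}
	}
	return 0 // not seen in any breach the service knows about
}

// CrackSeconds is the brute-force upper bound: charset size to the power of the
// length, divided by the attack rate. A dictionary word falls far sooner.
func CrackSeconds(pw string, rate float64) float64 {
	// character classes: lower, upper, digit, other printable ASCII; size of each
	sizes, seen := [4]int{26, 26, 10, 33}, [4]bool{}
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			seen[0] = true
		case unicode.IsUpper(r):
			seen[1] = true
		case unicode.IsDigit(r):
			seen[2] = true
		default:
			seen[3] = true
		}
	}
	size := 0
	for i, s := range seen {
		if s {
			size += sizes[i]
		}
	}
	return math.Pow(float64(size), float64(len([]rune(pw)))) / rate
}

// humanize turns seconds into the plain wording a user actually reacts to.
func humanize(s float64) string {
	units := []struct {
		secs float64
		name string
	}{{365.25 * 86400, "years"}, {86400, "days"}, {3600, "hours"}, {60, "minutes"}, {1, "seconds"}}
	for _, u := range units {
		if s >= u.secs {
			return fmt.Sprintf("in about %.0f %s", s/u.secs, u.name)
		}
	}
	return "instantly"
}

// Feedback is the signup message: a breached password is reported as cracked
// instantly whatever its length; otherwise the brute-force estimate is shown.
func Feedback(pw string, ranges map[string]string) string {
	if n := PwnedCount(pw, ranges); n > 0 {
		return fmt.Sprintf("This password has already appeared %d times in breaches; an attacker with a leaked list gets in instantly.", n)
	}
	return fmt.Sprintf("A criminal making %.0e guesses per second would crack this %s.", GuessesPerSecond, humanize(CrackSeconds(pw, GuessesPerSecond)))
}

// SampleRanges is a constructed stand-in for the API response for prefix 5BAA6,
// the prefix of "password". The counts and the second suffix are made up.
var SampleRanges = map[string]string{
	"5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n1E9E0F1C7D8C9E0A1B2C3D4E5F60718293A:2\n",
}

func main() {
	fmt.Println(Feedback("password", SampleRanges))
	fmt.Println(Feedback("Tr0ub4dor&3", SampleRanges))
}
```

Note the order of the checks: the breach lookup runs first, because a password that already sits in a leaked list is cracked by lookup, not by brute force, and any length-based estimate for it would be misleading.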

Or perhaps passwords are one of those insoluble conundrums and admins should focus instead on layering security using password throttling (limiting incorrect guesses), making sure password reset systems aren’t a backdoor, and enforcing multi-factor authentication.

For anyone who believes there is always a right way and a wrong way to make a password, feel free to read our password advice.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/U8kReTSyruw/

Facebook’s see yourself bald app: extreme hackers or extreme hoax?

Beware the “extreme hackers!” They’re the WORST! They’re “gaining control of people’s personal information and selling it on the black market!!!!”

Not just any people, mind you: they’re preying on all those Facebook users who want to see what they look like bald or as the opposite sex!!!

…Or NOT!!!!

Yes, this is the let’s-freak-out-Facebook-users viral hoax of the day! Some hoaxster(s) came up with a fiction about “extreme hackers” stealing personal information via popular entertainment apps that transform your photo, showing you how a gender-bending or less-hirsute version of you would look.

Since last month, the hoaxes have been spreading faster than a razor blade on an aloe vera skating rink.

Here’s one of many you could find on Facebook as of Thursday, when it had been shared nearly 13,000 times and had picked up 671 comments:

And here’s the full text:

WARNING FACEBOOK

There is a website link traveling around Facebook at an extraordinary rate which allows you “to see what you would look like as the opposite sex” and also one that lets you see what you look like “as a bald person”.

DO NOT enter these links, they are controlled by extreme hackers who are now gaining control of people’s personal information and selling it on the black market. As soon as you have clicked share to Facebook it gives these hackers instant access to your own personal details and puts your family and friends personal details at risk.

PLEASE SHARE TO MAKE YOUR FRIENDS AWARE

Snopes debunked the viral warnings on Wednesday.

Yes, the apps do access personal information in users’ profiles, but not in an illegal way. The security threat they pose is “exaggerated,” according to Snopes. After clicking on a link in one of these entertainment apps, an external web page opens and instructs the user to log in with Facebook to see the results.

In fine print at the bottom of the page is this disclaimer:

This app uses data and contents only if they are publicly available or with the consent of the users. We kindly ask you to use the app only, if other users will not be affected adversely.

*Only users who have reached the age of 16 may use this free function. You agree that your picture will be transmitted to the provider FaceApp (St. Petersburg, RU) for the sole purpose of its editing and will be deleted afterwards (data protection and objection notice).

And what information will those baldifying, sex-swapping Russian app makers get out of our clicks?

Snopes says that users who click are presented with a dialogue box informing them that certain information (typically their Facebook profile data, photos, and e-mail address) will automatically be shared with the web site if they continue. Some of the apps also request permission to post on the user’s Facebook page.

Users who continue are then presented with a selection of photos from their Facebook page and invited to choose one for alteration. The app then displays before and after versions of the photo: one with hair, one without. Then it invites the user to like the app.

Snopes calls it “relatively harmless.” Of course, we always have to be careful when granting apps access to our personal data. Snopes advises checking out the Terms of Service and Policy notifications to make sure you know exactly what you’re signing away. Like, say, your firstborn. (Don’t have the time? Check out a new machine-learning project that turns privacy policies into pretty flowcharts!)

Here’s Facebook’s overview of what types of information games and apps are allowed to collect when you install them:

Keep in mind when you install an app, you give it permission to access your public profile, which includes your name, profile pictures, username, user ID (account number), networks and any info you choose to make publicly available. You also give the app other info to personalize your experience, including your friends list, gender, age range and locale.

Of course, just because this viral hoax is hyperventilating doesn’t mean we shouldn’t be concerned about all of the data Facebook and other parties with less than honorable intentions – say, political ad buyers – gobble up from us.

But as far as the hoax slayers are concerned, we can take a deep breath and relax when it comes to the bald-you and gender-swapped-you apps: they’re really not extremely hackerish. The only hacksters at work here appear to be the hoax makers who are whipping people up over nothing.

Which brings me to my favorite comment I’ve seen so far on these hoax posts:

And there’s another post going round about hackers stealing people’s information that actually tests how gullible a person is and shows how quick scaremongering posts spread by social media… keep an eye out for it!!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Ho8qAHhiYn8/

20,000 web certificate private keys outed in “business tiff”

Over the years, we’ve written about website security certificates many times.

That’s because HTTPS certificates (more properly, TLS certificates, formerly known as SSL certificates) are one of the cornerstones of online transaction security.

Web certificates put that padlock icon into your browser’s address bar – the padlock we’re always urging you to look out for if you’re a website visitor, and to provide if you’re a website operator.

To recap, TLS is short for Transport Layer Security. (TLS used to be known as SSL, or Secure Sockets Layer – you’ll still see the abbreviation SSL a lot.)

The TLS “chain of trust” provided by digital certificates, simplified very greatly, goes something like this:

  • I use a certificate to vouch for the fact that a website really is mine to own and operate.
  • I get a company called a Certificate Authority (CA) to vouch for my certificate by signing it with their certificate.
  • Your operating system or browser maker vouches for the CA by adding its certificate to a “master trust” list.

This forms a chain of trust – your browser tells you that the CA is likely to tell the truth, the CA tells you that the website operator is likely to tell the truth, and the website operator tells you, “This site really is mine.”

Note. A TLS certificate doesn’t tell you that the web server you’re connecting to is secure, patched, safe, truthful, and so on – it vouches for the owner and operator of the site, thus making it much harder for a crook to set up an imposter server that is indistinguishable from yours.

As you can see, there’s a lot that can go wrong here:

  • A trusted CA could go rogue, or get acquired by a sloppier company, or sign certificates without doing proper checks.
  • Crooks could steal a vendor’s certificate and start stamping that vendor’s official seal on their own malicious websites.
  • Crooks could steal your certificate and set up an imposter site that looks completely genuine.

And so on.

As a result, the TLS certificate ecosystem needs to be able not only to introduce new certificates and CAs into the mix, but also to be able to disavow (to revoke, in technical jargon) individual certificates as well as entire CAs.

In an ideal world, revoking an entire CA would be a once-in-a-lifetime sort of affair: firstly, it’s pretty much game over for the CA’s business; secondly, invalidating a CA automatically also invalidates any certificates already signed by it.

If your CA gets struck off abruptly, you need to get a new certificate, signed by a new CA, as soon as possible, or everyone who visits your website is going to see an ominous browser warning advising them that your website can’t be trusted.

Losing trust

CAs that have lost the trust of the community over the years include the Dutch company DigiNotar, the Turkish CA TURKTRUST, the Chinese CA WoSign

…and most recently, computer security behemoth Symantec.

Google has been up in Symantec’s face for close to a year now, arguing strongly that the community should “reduce, and ultimately remove, trust in Symantec’s infrastructure in order to uphold users’ security and privacy when browsing the web.”

Google’s claim was that Symantec’s infrastructure for issuing certificates – which covered a range of different brands the company had acquired over the years – just wasn’t up to scratch, so Symantec ought to get its house in order and reissue all its certificates, allowing all the old and unreliable ones to be revoked for the greater good of all.

In the end, this stand-off was resolved without too many tears: Symantec sold off its certificate business to rivals Digicert, who agreed a timetable during which it would issue its customers with replacement certificates before existing Symantec certificates were automatically distrusted by the world’s browsers.

Regaining trust

In the UK, however, this transition hasn’t gone entirely smoothly – with new owners Digicert getting into a spat with one of its London resellers, a boutique security business called Trustico.

According to the Register, Trustico decided it wanted to switch its customers with Symantec certificates away from new owners Digicert to rival CA Comodo – after all, you’d need a new certificate anyway (some old Symantec certificates automatically become untrusted on 2018-03-15; the rest will expire on 2018-09-13).

At the same time, Digicert had emailed Trustico customers whose certifcates needed replacing (these users were, after all, now Digicert customers, too) to advise them about the certificate swapout process.

Trustico then demanded that Digicert revoke the affected certifcates outright,

Digicert refused, apparently on the understandable grounds that unilaterally revoking individual certificates – in the absence of any overarching security concern – is a matter for the owners of the certificates, not for the resellers or the CAs that issued them.

Things get weird

Here’s where things get weird.

According to Digicert, Trustico emailed over the private keys for more than 20,000 certificates.

Of course, the private key is what makes the certificate yours and stops other people from abusing it, so you should really be the only person with a copy of your private key.

Anyway, the guidelines of the TLS certificate ecosystem say that if a certificate’s private key is known to have been exposed, then for everyone’s peace of mind, that certificate should be revoked within 24 hours.

According to Digicert, that’s exactly what then happened, given that the keys have beem emailed across the internet, so Trustico abruptly got what it wanted anyway, as a convenient procedural side-effect.

What we can’t quite understand is how Trustico came to have copies of so many customers’ private keys in the first place, and why those keys were sent via email as some sort of a pawn in the “Symantec Sells Its Certificate Business” endgame.

As Trustico itself admitted, on the day the news broke of the mass key disclosure:

Unfortunately things didn’t go very well for us today and we are extremely sorry for all the confusion and inconvenience that has been caused. We believed that we had acted in accordance with the agreements and information that both DigiCert and Symantec had imposed and provided upon us.

What next?

This sort of public brouhaha doesn’t reflect very well on the digital certificate world.

We’re all expected to operate our websites over HTTPS these days – indeed, there are many excellent reasons for getting rid of HTTP entirely, forever, in return for additional community security and privacy.

But a public spat like this, where customers’ private keys seem to have turned into business bargaining chips, doesn’t do anyone any favours.

Now it’ll be harder than ever to convince HTTP holdouts (or “HTTPS refuseniks”, if you prefer) to convert their websites to HTTPS.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cyXd6vrPTpM/

20,000 web certificate private keys outed in “business tiff”

Over the years, we’ve written about website security certificates many times.

That’s because HTTPS certificates (more properly, TLS certificates, formerly known as SSL certificates) are one of the cornerstones of online transaction security.

Web certificates put that padlock icon into your browser’s address bar – the padlock we’re always urging you to look out for if you’re a website visitor, and to provide if you’re a website operator.

To recap, TLS is short for Transport Layer Security. (TLS used to be known as SSL, or Secure Sockets Layer – you’ll still see the abbreviation SSL a lot.)

The TLS “chain of trust” provided by digital certificates, simplified very greatly, goes something like this:

  • I use a certificate to vouch for the fact that a website really is mine to own and operate.
  • I get a company called a Certificate Authority (CA) to vouch for my certificate by signing it with their certificate.
  • Your operating system or browser maker vouches for the CA by adding its certificate to a “master trust” list.

This forms a chain of trust – your browser tells you that the CA is likely to tell the truth, the CA tells you that the website operator is likely to tell the truth, and the website operator tells you, “This site really is mine.”

Note. A TLS certificate doesn’t tell you that the web server you’re connecting to is secure, patched, safe, truthful, and so on – it vouches for the owner and operator of the site, thus making it much harder for a crook to set up an imposter server that is indistinguishable from yours.

As you can see, there’s a lot that can go wrong here:

  • A trusted CA could go rogue, or get acquired by a sloppier company, or sign certificates without doing proper checks.
  • Crooks could steal a vendor’s certificate and start stamping that vendor’s official seal on their own malicious websites.
  • Crooks could steal your certificate and set up an imposter site that looks completely genuine.

And so on.

As a result, the TLS certificate ecosystem needs to be able not only to introduce new certificates and CAs into the mix, but also to be able to disavow (to revoke, in technical jargon) individual certificates as well as entire CAs.

In an ideal world, revoking an entire CA would be a once-in-a-lifetime sort of affair: firstly, it’s pretty much game over for the CA’s business; secondly, invalidating a CA automatically also invalidates any certificates already signed by it.

If your CA gets struck off abruptly, you need to get a new certificate, signed by a new CA, as soon as possible, or everyone who visits your website is going to see an ominous browser warning advising them that your website can’t be trusted.

Losing trust

CAs that have lost the trust of the community over the years include Dutch company Diginotar, the Turkish CA TURKTRUST, the Chinese Wosign

…and most recently, computer security behemoth Symantec.

Google has been up in Symantec’s face for close to a year now, arguing strongly that the community should “reduce, and ultimately remove, trust in Symantec’s infrastructure in order to uphold users’ security and privacy when browsing the web.”

Google’s claim was that Symantec’s infrastructure for issuing certificates – which covered a range of different brands the company had acquired over the years – just wasn’t up to scratch, so Symantec ought to get its house in order and reissue all its certificates, allowing all the old and unreliable ones to be revoked for the greater good of all.

In the end, this stand-off was resolved without too many tears: Symantec sold off its certificate business to rivals Digicert, who agreed a timetable during which it would issue its customers with replacement certificates before existing Symantec certificates were automatically distrusted by the world’s browsers.

Regaining trust

In the UK, however, this transition hasn’t gone entirely smoothly – with new owners Digicert getting into a spat with one of its London resellers, a boutique security business called Trustico.

According to the Register, Trustico decided it wanted to switch its customers with Symantec certificates away from new owners Digicert to rival CA Comodo – after all, you’d need a new certificate anyway (some old Symantec certificates automatically become untrusted on 2018-03-15; the rest will expire on 2018-09-13).

At the same time, Digicert had emailed Trustico customers whose certificates needed replacing (these users were, after all, now Digicert customers, too) to advise them about the certificate swapout process.

Trustico then demanded that Digicert revoke the affected certificates outright.

Digicert refused, apparently on the understandable grounds that unilaterally revoking individual certificates – in the absence of any overarching security concern – is a matter for the owners of the certificates, not for the resellers or the CAs that issued them.

Things get weird

Here’s where things get weird.

According to Digicert, Trustico emailed over the private keys for more than 20,000 certificates.

Of course, the private key is what makes the certificate yours and stops other people from abusing it, so you should really be the only person with a copy of your private key.

Anyway, the guidelines of the TLS certificate ecosystem say that if a certificate’s private key is known to have been exposed, then for everyone’s peace of mind, that certificate should be revoked within 24 hours.

According to Digicert, that’s exactly what then happened, given that the keys had been emailed across the internet, so Trustico abruptly got what it wanted anyway, as a convenient procedural side-effect.
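The chain of trust sketched in the bullets earlier, and the revocation that the 24-hour rule above calls for, as an added example that is not from the article and not any CA’s own code. It builds a constructed three-level PKI with Go’s standard crypto/x509 package: a root of the kind an operating system or browser keeps in its trust list, an issuing CA signed by that root, and a website certificate signed by the CA (all names are hypothetical). VerifyChain plays the browser: the site certificate passes only when it chains to a root in the trust list, covers the requested host name and is inside its validity window, and an empty root pool models a CA that has been struck off. RevokeForKeyCompromise has the issuing CA publish a CRL naming the certificate with reason code keyCompromise, and IsRevoked refuses to act on a CRL whose signature does not check out against the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ToyPKI is a constructed chain (hypothetical names): a root for the trust list,
// an issuing CA signed by the root, and a website certificate signed by the CA.
type ToyPKI struct {
	Root, CA, Site *x509.Certificate
	CAKey          *ecdsa.PrivateKey // kept so the CA can sign its revocation list
}

// mustSign issues a certificate for pub from tmpl under parent's authority.
// With fixed templates this only fails on a programming error, so it panics.
func mustSign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// BuildPKI creates the three certificates, each vouched for by the level above.
func BuildPKI(now time.Time) *ToyPKI {
	// Key generation only fails if the OS entropy source is broken.
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTmpl(1, "Example Root CA")
	root := mustSign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	ca := mustSign(caTmpl(2, "Example Issuing CA"), root, &caKey.PublicKey, rootKey)
	site := mustSign(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour), // short-lived, like real site certs
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &siteKey.PublicKey, caKey)
	return &ToyPKI{Root: root, CA: ca, Site: site, CAKey: caKey}
}

// VerifyChain plays the browser: accept the site certificate only if it chains
// to a root in the trust list, covers host, and is within its validity at now.
func VerifyChain(p *ToyPKI, roots *x509.CertPool, host string, now time.Time) error {
	inter := x509.NewCertPool()
	inter.AddCert(p.CA)
	_, err := p.Site.Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inter, CurrentTime: now,
	})
	return err
}

// RevokeForKeyCompromise has the issuing CA publish a CRL that lists the site
// certificate with reason keyCompromise (RFC 5280 reason code 1).
func RevokeForKeyCompromise(p *ToyPKI, now time.Time) (*x509.RevocationList, error) {
	entry := x509.RevocationListEntry{SerialNumber: p.Site.SerialNumber, RevocationTime: now, ReasonCode: 1}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{entry}}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.CA, p.CAKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// IsRevoked trusts the CRL only after its signature verifies against the issuing
// CA, then looks for the certificate's serial number in it.
func IsRevoked(cert *x509.Certificate, crl *x509.RevocationList, issuer *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("untrusted CRL: %w", err)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

To try it, build the chain with `p := BuildPKI(time.Now())`, put `p.Root` into a fresh `x509.CertPool` and call `VerifyChain` with that pool, with an empty pool (the struck-off-CA case), with a host name the certificate does not cover, and with a `now` past the site certificate’s 90-day lifetime; only the first call returns nil. Then `RevokeForKeyCompromise` followed by `IsRevoked` returns true for the site certificate and an error if the CRL is checked against the wrong issuer. Real browsers add more on top of this (CRL freshness, OCSP, and the vendor-maintained distrust dates the article mentions), but the three checks and the CRL lookup are the core of what the chain of trust buys you.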

What we can’t quite understand is how Trustico came to have copies of so many customers’ private keys in the first place, and why those keys were sent via email as some sort of a pawn in the “Symantec Sells Its Certificate Business” endgame.

As Trustico itself admitted, on the day the news broke of the mass key disclosure:

Unfortunately things didn’t go very well for us today and we are extremely sorry for all the confusion and inconvenience that has been caused. We believed that we had acted in accordance with the agreements and information that both DigiCert and Symantec had imposed and provided upon us.

What next?

This sort of public brouhaha doesn’t reflect very well on the digital certificate world.

We’re all expected to operate our websites over HTTPS these days – indeed, there are many excellent reasons for getting rid of HTTP entirely, forever, in return for additional community security and privacy.

But a public spat like this, where customers’ private keys seem to have turned into business bargaining chips, doesn’t do anyone any favours.

Now it’ll be harder than ever to convince HTTP holdouts (or “HTTPS refuseniks”, if you prefer) to convert their websites to HTTPS.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cyXd6vrPTpM/

Train to become an expert cyber crime fighter

Promo As cyber threats seem to multiply and mutate at ever-increasing speed, it becomes difficult to be sure you are able to defend your organisation against an attack that could come from any direction.

Security training leader SANS is running a series of courses at the Grand Connaught Rooms in London from 16 to 21 April that promise to give IT professionals the immersion training they need to defend their systems against the cyber criminals.

SANS London will deliver a range of six-day courses covering the latest cyber security topics and preparing attendees for valuable GIAC certification.

Teaching by expert security practitioners will be backed by intensive hands-on sessions, and SANS makes a point of re-assuring students they will be able to use their new skills as soon as they return to work.

There’s a bunch of courses available here, including the following:

  • Defeating advanced adversaries: implementing kill chain defenses Recent attacks are analysed through in-depth case studies that illustrate the types of attacks and outline the advanced persistent threat attack cycle. A hands-on exercise will require students to compromise a virtual “SyncTechLabs”.
  • Windows forensic analysis This will teach how to recover, analyze, and authenticate forensic data on Windows systems for use in incident response, internal investigations, and civil/criminal litigation.
  • Intrusion detection in-depth This course emphasises that IDS (intrusion detection system) alerts are a starting point for examination of traffic, not a final assessment. You will learn to investigate activity to decide whether it is noteworthy or a false indication.
  • Hacker tools, techniques, exploits and incident handling This course addresses the latest attack methods and provides a step-by-step process for responding to computer incidents. It also explores legal issues such as employee monitoring, working with law enforcement and handling evidence.
  • Web app penetration testing and ethical hacking This course aims to teach how to better secure organisations through penetration testing and will help you demonstrate the true impact of web application flaws. It culminates in a web application pen test tournament, powered by the SANS NetWars Cyber Range.

You can read more details about these courses and sign yourself up for some top grade training from SANS right here.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/02/train_to_become_an_expert_cyber_crime_fighter/