What is Ransomware “WannaCry” and How To Protect Against Hackers?

On May 12, 2017 there were multiple public reports of an ongoing large-scale cyberattack involving a variant of the ransomware named WannaCry (aka WCry). These attacks have targeted and affected users in various countries across the globe. The WannaCry threat encrypts data files on infected computers and asks users to pay a ransom in bitcoin to decrypt their files.

The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted. Analysis indicates the attack spreads through an SMB remote code execution vulnerability in Microsoft Windows that was announced and patched by Microsoft on March 14, 2017.

Who was not Hit?

Users who have installed this patch are not susceptible. Symantec and Norton users had generic protection against this vulnerability through the Intrusion Prevention System (IPS) network protection technology in Symantec Endpoint Protection (SEP) and Norton products prior to the release of the WannaCry attacks. Symantec even picked up the attack before it went mainstream.

Exploit attempts WannaCry blocked by Symantec

Who is/was impacted?

The first law in security is to stay up to date with patches. Although this may be an annoyance to some, any unpatched Windows computer is potentially susceptible to WannaCry. Organizations are particularly at risk because of the ransomware’s ability to spread across networks, and a number of organizations globally have been affected, the majority of which are in Europe. However, individuals can also be affected.

Wanna Cry Heat Map from Norton Endpoint

How is WannaCry spread?

While WannaCry can spread itself across an organization’s networks by exploiting a vulnerability, the initial means of infection—how the first computer in an organization is infected—usually tends to be an innocent employee. The majority of the time, a ransomware infection is associated with an individual visiting a website or opening or clicking on something in an email. Symantec has seen some cases of WannaCry being hosted on malicious websites, but these appear to be copycat attacks, unrelated to the original attacks.

How Can you avoid it?

Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:

  • Visiting unsafe, suspicious, or fake websites.
  • Opening emails and email attachments from people you don’t know, or that you weren’t expecting.
  • Clicking on malicious or bad links in emails, Facebook, Twitter, and other social media posts, instant messenger chats, like Skype.

It can be very difficult to restore your PC after a ransomware attack – especially if it’s infected by encryption ransomware. The best solution to ransomware is to just be safe on the Internet:

  • Don’t click on a link on a webpage, in an email, or in a chat message unless you absolutely trust the page or sender.
  • If you’re ever unsure – don’t click it!
  • Often fake emails and webpages have bad spelling, or just look unusual. Look out for strange spellings of company names (like “PayePal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunesCustomer Service” instead of “iTunes Customer Service”).
  • Make sure any anti-virus/anti-malware program you are using is up to date. Most ransomware variants have been discovered already and can be removed automatically by anti-virus/anti-malware programs.

When navigating the world wide web, be cautious of where you go. For hundreds of thousands of people around the world Symantec saved the day for its users, but remember: the first line of security is to stay up to date with software patching. Stagnation, or putting off an important patch, could lead to a hacker gaining access to your system and its data.


Lead Tech Engineer:
Dominic Rafael

Six Golden Rules for Selecting an SSL / TLS Certificate

In today’s cyber environment, the SSL certificate is a necessity for any interest that wants to have a serious Internet presence, but the end-user experience has to be considered. The majority of SSL certificate purchasers have limited resources in terms of time and little experience in the proper implementation of SSL certificates. Enabling Web properties for SSL certificates is not a primary goal, but is often on the critical path to getting something done.

Additionally, management of an SSL certification has to be easy throughout the entire life cycle of a certificate as organizations frequently face a dilemma refreshing SSL certificates at the time of expiry. At the end of the day, websites have to be secured with as little friction created for organizations as possible.

The SSL certificate is much more than a server-PKI key exchange. Here are Six Golden Rules to consider when purchasing an SSL certificate:

  1. The quality of the encryption matters.
    Every vertical industry requires SSL certificates that use, at a minimum, 2048-bit encryption keys. The threat landscape is becoming more aggressive; however, CAs can provide enhanced security for their customers by offering SSL certificates with stronger encryption. A 256-bit elliptic curve cryptography (ECC) key is stronger than a 2048-bit RSA key and roughly equivalent to a 3072-bit RSA key. By using ECC, customers can leverage the same supporting structure longer, even if the need for stronger security increases.
  2. CAs need to help customers get started and stay secure.
    Several steps are required to make SSL certificates functional. The website administrator needs to generate a Certificate Signing Request (CSR) for the server where the certificate will be installed. The domain needs to be validated, and finally the certificate is installed. The responsibility of the CA does not end at installation. The customer needs to make sure the encryption is in compliance with industry standards as well as with the company’s policy. The CA should be able to provide tools to help customers do this. For any site manager, handling a few certificates may be relatively easy to do, but handling multiple SSL certificates for different locations becomes difficult.
  3. Robust management of SSL certificates and integration of certificates into a company’s IT systems prevents future business interruptions.
    SSL certificate management and inventory tools should be included with any SSL certificate purchase. An IT administrator will want to have multiple roles and asset settings. Additionally, since the SSL certificate management is offline from a company’s standard IT workflow, SSL certificate management should be integrated into a company’s ticketing system. As difficult as it can be to configure SSL certificates for externally facing websites, often port configurations and certificates attached over multiple servers in an internal network are more problematic.
  4. The total user experience must be easy and effective.
    SSL certificates are not issued in a vacuum. The leading CAs will have ubiquitous browser support, and SSL certificates will be compatible with multiple server operating systems. The Online Certificate Status Protocol (OCSP) is the request/response mechanism used for SSL certificate revocation checks. CAs whose OCSP responders have fast load times can accelerate response times to users’ inquiries; the best CAs have the fastest load times. Additionally, PKI roots are used for internal email and as encryption for mobile.
  5. SSL certificate issuance is an integral part of the network infrastructure.
    The renewal process for SSL certificates should be automated. In some server systems, such as Microsoft Windows servers and Apache Tomcat, a new CSR has to be generated. Automated renewals help customers through the process. Preferably the CA that issues SSL certificates has a global footprint. CAs need to have partnerships with global datacenters; part of the investment CAs make is in datacenters globally. The CA would perform a real service for its customers if it regularly scanned their SSL-protected websites for cross-site scripting (XSS) or SQL injection (SQLi) vulnerabilities. (Source: Six Golden Rules for Selecting an SSL or TLS Certificate, © 2015 Frost & Sullivan.)
  6. The trustworthiness of the CA extends beyond the issuance of SSL certificates.
    With each certificate purchase, the often overlooked value of a CA increases in importance. Customers may need the help of tech support. The reputation of the CA permeates every aspect of the SSL certificate lifecycle, including installation, fast certificate revocation, breach detection, on-going tech support, and account management.

For businesses working with a CA, the best CAs instill trust when protecting cyber properties. For consumers, trust comes in the form of a secure transaction. The https:// browser prefix indicates a secure link transaction. When a customer enters a site protected by an EV certificate, the browser field turns green. In addition to these secure-site consumer protections, other companies have certificate assurance procedures also visible to visitors of a website.

The Six Golden Rules are paramount in purchasing an SSL certificate and choosing a CA provider.


Posted by:
Dominic Rafael
Lead Tech Solutions Engineer
Be sure to Subscribe!!
twitter

How your company can be affected by the European Union General Data Protection Regulation

The General Data Protection Regulation (GDPR) is the intent of the European Parliament, the European Council, and the European Commission to strengthen security and create a unifying standard to protect individuals who belong to the European Union (EU). At its heart is the idea of privacy as a fundamental right. For this to be achieved, the EU is insisting that organizations implement ‘privacy by design’, ‘privacy by default’ and ‘accountability’. The purpose of the GDPR is to evolve the existing privacy framework. The world has reached technological heights in recent years, but that has often left data protection trailing in its wake. The GDPR demands that organizations use the proper technologies to ensure the privacy of data. The GDPR will be enforceable as of May 25th 2018.

Who Does it Impact?

  • Organizations/Controllers of any size in any country that process personal data originating in the EU are subject to the GDPR. This means that if an American-based company is gathering or processing data from a member of the EU, it must abide by the rules designated by the GDPR.
  • Organizations/Controllers responsible for holding personal data from those who come from the EU.

A lack of awareness:

In a survey conducted by marketing research company Vanson Bourne, 900 business decision-makers and IT decision-makers in the UK, Germany, and France were asked about the GDPR and their readiness. Of those surveyed, nearly a quarter (23 percent) said their organization will not be compliant at all, or will be only partly compliant, by 2018. Of this group, only a fifth (20 percent) believe it is even possible to become fully compliant with the GDPR, with nearly half (49 percent) believing that while some company departments will be able to comply, others will not.

Why Companies Need to Address the GDPR

The following sanctions can be imposed on companies subject to the GDPR for non-compliance:

  • A warning in writing in cases of first and non-intentional non-compliance.
  • Regular periodic data protection audits.
  • A fine of up to €20m or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater.

The evolution is coming. Are you ready to adapt?

  1. Mandatory Breach Notifications. The legislation will require reporting any personal data breaches within 72 hours wherever possible, and it could be costly if you don’t have the right security processes in place or tools to perform this.
  2. The “Right To Be Forgotten”. Foreshadowed by a European Court of Justice ruling in 2014 about Google Search, the Right to be Forgotten is the considerably reinforced right of individuals to have their data deleted.
  3. Citizens’ data should not in principle be used without their consent. There will be no implied consent, and even when consent has been given, citizens can object to any further use of their data. Moreover, it will be for controllers to prove they have obtained consent, and no longer the other way around. As a company you need to be sure that you collect and document consent properly, and are using personal data safely.
  4. Be accountable for your data. Companies managing personal data will have to be able to demonstrate at any time their compliance with the GDPR. This might involve appointing a Data Protection Officer (DPO), and it will in any case include implementing privacy by design, understanding how data flows, and carrying out data protection impact assessments.
  5. Finally, encrypting data and systems will be more important than ever. Implementing SSL/TLS Certificates will be a no-brainer. People’s data and the data stored must be protected with the proper encryption technology and protocols. SSL 2048 offers various SSL Certificate Encryption Solutions up to 78% cheaper than buying direct.

“As privacy laws are internationally trending toward the EU model, U.S. businesses need to assess the way they do e-commerce abroad because compliance with foreign data protection rules and regulations may require them to change their business practices.” – Cynthia Larose, Mintz Levin

Ready or not, regulatory change is coming. Keep your compliance plan on track with these 4 key milestones.

  • Inventory data repositories and personal data.
  • Analyze data flow.
  • Inventory current policies and procedures in maintaining that data.
  • Develop breach discovery, response, and notification processes.

Until now, there have been few industry drivers to take data privacy and security seriously. Regulators have only stepped in when the market wasn’t working. This led to interventions like Sarbanes-Oxley and the PCI Standard (Payment Card Industry). The GDPR is about bringing legislation into line with the demands of today’s world, with its sights on tomorrow’s. People’s personal information needs to be controlled and protected with care. This needs to be an ongoing program and not just a project. Organizations will need to look holistically at how personal data should best be secured, and not limit their focus to ‘How do I comply?’

Our personal lives have become a trail of digital clues, leaking from mobile devices and the Internet of Things (IoT) as we snap, post, search, jog and log into various applications at various locations. It is an organization’s responsibility to protect all personal data it processes. No longer will the leaking of personal information be tolerated. If organizations do not adequately provide the protection needed to secure their clients’ information, they risk losing those clients to competing organizations that can provide the security the client desires.

For more information visit the European Commission Data Protection Reform website to learn more.


Posted by:
Dominic Rafael
Lead Tech Solutions Engineer

Yahoo’s Security Issues, And What To Do About It.

Yahoo recently came out to the public with a statement regarding another breach in its security, informing users that one billion Yahoo accounts have been compromised. This latest incident to emerge happened in 2013, and is distinct from the breach of 500 million user accounts in 2014.

Yahoo says that the breached data includes names, email addresses, phone numbers, birthdays, hashed passwords, and a mix of encrypted and unencrypted security questions and answers. They do positively state that the breach does not include unencrypted passwords, credit card numbers, or bank account information. Specifically, the company says that financial data is stored in a separate system that it doesn’t believe was compromised.

The number of affected accounts was double the number implicated in a 2014 breach that the internet company disclosed in September and blamed on hackers working on behalf of a government.

“An unauthorized third party” broke into the accounts, Yahoo’s CISO Bob Lord said in a statement posted on Yahoo’s Tumblr, “Important Security Information for Yahoo Users.” The company believes the hacks are connected and that the breaches are “state-sponsored.”

How could this have happened?

Believe it or not, network security, from what I have seen, tends not to be a priority for a lot of web-based companies. I come across large corporations and even government websites and am surprised by the lack of standard security practices in their infrastructure. They typically use old, outdated server systems, insecure ciphers, dated encryption algorithms, etc. Budget issues typically lump IT and Security into one field without adequate overhead, and it gets overlooked as project management or administration gets a bonus instead.

Unlike a standard email hack where one person may have been a victim, over a billion users have had their accounts hacked! This can only mean that a hacker was able to reach the root of a server system to exploit all the information stored on that system. Proper modern security practices should have prevented such a ridiculously large hack from occurring. Repeated attacks of this scale and shifting focus to blame a “state-sponsored” party is common in many companies that refuse to take responsibility for their own negligence. Hopping on bandwagons blaming the government or the Russians seems to be a popular trend as of late, with little to no evidence.

How will this affect Yahoo?

Yahoo is being acquired by Verizon for $4.8 billion, but the purchase of the company is of course now in question due to the recent breaches Yahoo has disclosed. Verizon lawyer Craig Silliman said that the September breach had clearly damaged Yahoo’s value and hinted that the damage ought to be reflected in the buying price: “I think we have a reasonable basis to believe right now that the impact is material and we’re looking to Yahoo to demonstrate to us the full impact.”

What can users do to protect their account?

Yahoo encourages their users to visit their Safety Center page for recommendations on how to stay secure online. Some important recommendations they are re-emphasizing include the following:

  • Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account;
  • Review all of your accounts for suspicious activity;
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information;
  • Avoid clicking on links or downloading attachments from suspicious emails; and
  • Consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

Another option Yahoo users have is creating a new email account through another provider. I personally ran into an issue with my own Yahoo email account being hacked many years ago from anonymous sources in Iran, unrelated to these recent Yahoo hacking events. After doing all I could with changing passwords and such, only to be hacked time and time again, I finally gave up and moved over to Google’s Gmail.


Posted by:
Dominic Rafael
Lead IT Engineer

How To Stop Phishing?

When you hear about Phishing in the tech security world people are not talking about their vacation plans. Phishing is a form of fraud and a huge security concern in the age of information.

The fraud entity that implements the phishing can do it in multiple ways. The most common phishing technique is in the form of an email, but it can also come as a Facebook message or a phone call. This fraud entity attempts to trick the recipient/target into divulging important personal information like a password, bank account number, credit card information, etc., and in some instances it can lead to malicious software being installed on your own computer system.

Here is how to keep an eye out for phishing, what to do, and how to report it.

How to protect yourself against Phishing:

  1. Be cautious of emails asking for confidential information from an unknown source, especially information of a financial nature. Legitimate organizations will never request sensitive information via email.
  2. Phishers like to use scare tactics, and may threaten to disable an account or delay services until you update certain information.
  3. Watch out for generic-looking requests for information. Fraudulent emails are often not personalized, while authentic emails from your bank often reference an account you have with them. Many phishing emails begin with “Dear Sir/Madam”, and some come from a bank with which you don’t even have an account.
  4. Delete email and text messages that ask you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.).
  5. Do not reply, and do not click on links or call phone numbers provided in what appears to be a fraudulent email or message. These links direct you to spoof sites – sites that look real but whose purpose is to steal your information so a scammer can run up bills or commit crimes in your name.
  6. Check URLs! If you receive an email claiming to be from Bank of America (bankofamerica.com), for example, but the hyperlink shows boa.youaregotingtogethacked.com, keep away from it! A domain is only operated and controlled by the company that owns it.

Here is an example of a phishing email:
phishing email example
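As an added example (not code from the original post), here is a small Python check for rule 6 that does what the eye should do: it pulls every link out of an HTML email body, compares the domain shown in the link text with the domain the href really points to, and flags links that leave the domain the email claims to come from. The sample message is constructed from the Bank of America example above, and the two-label domain comparison is a simplification noted in the code.

```python
"""Compare where an email's links say they go with where they actually go."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a web address (with or without a scheme).
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#].*)?$", re.I)


def registrable_name(host):
    """Keep the last two labels: 'boa.example.com' -> 'example.com'.

    Simplification for this example; production code would consult the Public
    Suffix List so that names such as 'example.co.uk' are grouped correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def href_host(href):
    """Host a link really leads to. urlparse drops any 'user@' prefix, so a href
    like https://bankofamerica.com@evil.example/ correctly yields 'evil.example'."""
    if "://" not in href:
        href = "https://" + href
    return (urlparse(href).hostname or "").lower()


def shown_domain(text):
    """Domain named by the visible link text, or None if the text is just words."""
    match = DOMAIN_RE.match(text.strip())
    return match.group(1).lower() if match else None


def classify_link(shown_text, href, sender_domain):
    """'mismatch' (text names one site, href goes to another), 'off-domain' (link
    leaves the domain the email claims to come from), or 'ok'."""
    actual = registrable_name(href_host(href))
    shown = shown_domain(shown_text)
    if shown is not None and registrable_name(shown) != actual:
        return "mismatch"
    if actual != registrable_name(sender_domain):
        return "off-domain"
    return "ok"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email_html(html, sender_domain):
    """Return [(href, shown text, verdict), ...] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(href, text, classify_link(text, href, sender_domain))
            for href, text in parser.links]


# Constructed sample message modelled on the Bank of America example in the text.
SAMPLE_EMAIL_HTML = """
<p>Dear Sir/Madam, your account has been locked.</p>
<p>Sign in at <a href="https://boa.youaregotingtogethacked.com/login">bankofamerica.com</a>
to restore access within 24 hours.</p>
<p>Questions? Visit <a href="https://www.bankofamerica.com/help">our help center</a>.</p>
"""

if __name__ == "__main__":
    for href, text, verdict in scan_email_html(SAMPLE_EMAIL_HTML, "bankofamerica.com"):
        print(f"{verdict:10} shown={text!r:25} href={href}")
```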

Report phishing scams:

If you receive a fake email:

This will vary with the email client you are using. Gmail, for example, lets you report the email as phishing under “More options”.

Mozilla Thunderbird by default can analyze messages for suspected email scams by looking for common techniques.

If your email client does not have the ability to report phishing, you can forward the suspected email to spam@uce.gov or forward it directly to the support department of the bank or organization it is impersonating.

If you receive a fake Phone Call:

When you get a call from a potential phisher ask yourself the following:

  • Who’s calling… and why?
  • If it’s free, why are they asking me to pay?
  • Why am I “confirming” my account information — or giving it out?
  • What time is it? The law allows telemarketers to call only between 8 am and 9 pm. A seller calling earlier or later is ignoring the law.
  • Resist pressure to make a decision immediately.
  • Keep your credit card, checking account, or Social Security numbers to yourself. Don’t tell them to callers you don’t know — even if they ask you to “confirm” this information. That’s a trick.

If you receive a fake phone call take down the caller’s information and report it to your local authorities.

How to be secure?

  • Use trusted security software and set it to update automatically.
  • Don’t email personal or financial information. Email is not a secure method of transmitting personal information.
  • Be cautious about opening attachments and downloading files from emails. These files can contain viruses or other malware that can weaken your computer’s security.
  • Do not leave yourself signed into any of your accounts on a public computer like at a library or school computer lab.
  • Only provide personal or financial information through an organization’s website when it has https in front of the address, e.g. https://www.acmetek.com (the “s” stands for secure).

For Website Owners:

  • Implement Always On HTTPS (Always On SSL). It encrypts all information exchanged with your website. You do not want someone signing in to your website without encryption: the information a client enters without https can be intercepted, as the page will not encrypt important form data or the user name and password they enter.
    Read my other blog article What is Always on HTTPS for more information on having a secure website.
  • Get your SSL/TLS Certificate for your HTTPS from Symantec. Symantec Certificates feature a wide range of security features by default to protect website owners and their clients.

The first line of security is to stay up to date with technology. As the progress of technology moves so do the tactics of hacking/phishing. Be savvy and stay up to date.


Posted by:
Dominic Rafael
Lead Tech Solutions Engineer

Firefox to Block Chinese Certificate Authority for Failed Security Practices

For quite some time now Mozilla has been investigating a list of security failures by a Chinese Certificate Authority (CA) named WoSign and WoSign’s newly purchased Israeli CA StartCom. In a recent report released to the public, Mozilla states that it has found that the CA has improperly issued multiple certificates and has undermined the standards of website security.

“Taking into account all the issues listed above, Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA.” And: “We propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly issued certificates issued by either of these two CA brands.”

Back-Dating the Issuance of SHA1 Certificates:

WoSign has been intentionally back-dating certificates to get around the browsers’ blocks on SHA-1 issuance and the industry-mandated ban on the use of the SHA-1 algorithm. SHA-1-based signatures were barred by the industry at the beginning of the year because of a consensus that the algorithm is dated and can be attacked with today’s technology. To satisfy customers who experienced difficulty retiring the old hashing function, WoSign continued to use it anyway and concealed the use by dating certificates prior to the first of this year, Mozilla officials said.

SHA1’s use on the Internet has been deprecated since 2011. The CA/Browser Forum, the governing body for web browsers and Certificate Authorities (CAs), published its Baseline Requirements for SSL regarding this deprecation. These Requirements recommended that all CAs transition away from SHA1 as soon as possible. This follows similar events in other industries, such as NIST deprecating SHA1 for government use in 2010. The reason is that, with the progress of technology, this old algorithm is on the verge of being exploited.

Microsoft and Google announced their SHA1 deprecation plans, and browsers have already begun to display warnings on websites where a SHA1 certificate is present. According to Google’s blog post “Gradually Sunsetting SHA-1”, Chrome version 39 and later will display visual security indicators on sites with SHA1 certificates whose validity extends beyond January 1, 2016.

Improper validation of Issued Website Certificates:

On top of this, WoSign’s practices have blatantly disregarded the system of trust that we rely on to keep our internet secure. Recently they were caught issuing certificates to people who were not the registered administrators of the domains concerned. An IT administrator for the University of Central Florida used WoSign’s service to obtain a certificate for med.ucf.edu. He then discovered that the certificate he received was for www.ucf.edu, not med.ucf.edu as he had requested.

Surprised, and doing his own investigation, he then used his control over the GitHub subdomains schrauger.github.com and schrauger.github.io to get certificates for github.com, github.io, and www.github.io. When the admin finally succeeded in alerting WoSign to the improperly issued GitHub certificates, WoSign still didn’t catch the improperly issued www.ucf.edu certificate and allowed it to remain valid for more than a year. More on this incident can be read on Stephen’s blog at schrauger.com.

This is a serious issue. WoSign is undermining the security infrastructure of the internet and has been caught violating the CA/Browser Forum Baseline Requirements. Issuing certificates for arbitrary, unvalidated domain names and making loopholes around industry standards does not live up to their online slogan of “Making the internet more secure and trusted”.

It goes without saying that any IT representative should be very cautious about where, and in whom, they place their security trust.

Back in early 2015 Google’s Chrome and Mozilla’s Firefox browsers announced that they will stop trusting all new digital certificates issued by the China Internet Network Information Center (CNNIC) which is China’s administrative agency responsible for internet affairs. This was following a major trust breach that led to the issuance of unauthorized credentials for Gmail and several other Google domains.


Posted by:
Dominic Rafael
Lead Tech Solutions Engineer

SHA1 Vulnerability Notice

The clock is ticking on the SHA1 to SHA2 migration! By the end of this year, no SHA1-signed end entity web server certificate issued by a Certificate Authority should remain in use. This migration and vulnerability notice has been in the works for many years now.

On October 8, 2015, a team of international cryptography researchers warned of a significantly increased risk in using SHA1 certificates, and recommended that administrators accelerate their migration to SHA2 certificates.

Why the SHA-1 Deprecation?

SHA1’s use on the Internet has been deprecated since 2011. The CA/Browser Forum, the governing body for web browsers and Certificate Authorities (CAs), published its Baseline Requirements for SSL regarding this deprecation. These Requirements recommended that all CAs transition away from SHA1 as soon as possible. This follows similar events in other industries, such as NIST deprecating SHA1 for government use in 2010. The reason is that, with the progress of technology, this old algorithm is on the verge of being exploited.

Microsoft and Google announced their SHA1 deprecation plans, and browsers have already begun to display warnings on websites where a SHA1 certificate is present. According to Google’s blog post “Gradually Sunsetting SHA-1”, Chrome version 39 and later will display visual security indicators on sites with SHA1 certificates whose validity extends beyond January 1, 2016.

In short:
After 12/31/2016, most browsers will not trust certificates that use SHA1. Use SHA2 instead.

Purpose of Migration:

Some organizations may state that their systems or devices can’t understand SHA2 and that they need this industry standard extended. But at some point those organizations need to take into account that these standards have been in place since 2011. The constant rhetoric of “oh, we will upgrade next year” never comes to pass. If the industry were to extend insecure practices while faced with ample evidence of their weaknesses, this would put the entire community at risk. As the progress of technology ever evolves, so do the security risks. Stagnation is what leaves a network vulnerable.

The current policy of most browsers stipulates that they will completely reject SHA-1 TLS certificates on January 1, 2017.

This means that browsers will display warnings, red errors, and even blocks if a SHA1 certificate is being used on a website. However, in light of these new findings, it’s highly possible the deadline will be accelerated. If your web services are still using a SHA1 certificate, you should accelerate plans to replace them with SHA2/SHA256 certificates to avoid security warnings and to ensure visitors to your website are not blocked.

How do you know if you are still using a SHA1 Certificate?

By now, if you are using a SHA1 certificate on your website, you should be receiving some sort of warning message about a SHA1 certificate being in use on the website.

You can double check the certificate details by clicking on the universal symbol of browser encryption, the padlock. Typically you will have an option to view the certificate that is running on the website, and under the certificate details you should see SHA256RSA or SHA256 as the signature hash algorithm. If you see SHA1, it means you have an old SHA1 certificate and it needs to be replaced.
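The browser’s certificate viewer is one way to read the signature algorithm; the same field can be read programmatically. The following is an added example, not code from this post: it walks the DER structure of a certificate (outer SEQUENCE, tbsCertificate, then the signatureAlgorithm OID) and names the algorithm the CA used. The OID-to-name table is a constructed subset, `fetch_der` assumes network access to the host you name, and `sample_cert` builds a constructed skeleton with the right layout rather than a real certificate.

```python
import socket
import ssl
# Signature-algorithm OIDs as found in a certificate's AlgorithmIdentifier.
_SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0       # first two arcs share a byte
    for b in raw[1:]:                                   # remaining arcs are base-128
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))
def signature_algorithm(der):
    """Name of the algorithm the CA used to sign this DER-encoded certificate."""
    _, start, _ = _read_tlv(der, 0)                     # Certificate SEQUENCE
    _, _, tbs_end = _read_tlv(der, start)               # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)           # signatureAlgorithm
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID inside AlgorithmIdentifier")
    oid = _decode_oid(der[oid_start:oid_end])
    return _SIG_ALG_NAMES.get(oid, oid)
def is_sha1_signed(der):
    return "sha1" in signature_algorithm(der).lower()
def fetch_der(host, port=443):
    """Leaf certificate a live server presents (network; not used by the samples)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # inspect, not trust
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
def _tlv(tag, content):                # short-form DER builder, enough for samples
    return bytes([tag, len(content)]) + content
def sample_cert(oid_hex):
    """Constructed certificate skeleton: the DER layout only, not a real cert."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\x00"))
```

Run `is_sha1_signed(fetch_der("www.yourdomain.example"))` against your own server to get the same answer the padlock dialog gives.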

How to replace a SHA1 Certificate with a SHA2?

Depending on your Certificate Authority and how you purchased your certificate, a reissue of the certificate may be available to you. This typically requires a new CSR to be generated, with a reissue or replace option available in the portal used to manage your SSL certificate.

SSL2048 maintains the utmost standards in the industry and will only issue SHA2/SHA256 certificates by default regardless of brand. You can purchase new SHA2 certificates on our site www.ssl2048.com. 

The end result will be a new SHA2 SSL certificate, which will then have to be installed on the server.

For more information regarding the SHA1 to SHA2 migration, see the CA/Browser Forum notice about SHA-1.


Posted by:
Dominic Rafael
Lead Tech Solutions Engineer
Be sure to Subscribe!!
twitter

BEC Scams Billions from Small to Medium businesses!

Business Email Compromise (BEC) continues to be the bane of companies in 2016. BEC scams are low-tech financial fraud in which spoofed emails are sent to financial staff to request large money transfers. As odd as it sounds, some have actually been hooked and have become victims of such scams.

In light of recent warnings from the FBI regarding BEC, Symantec has taken an in-depth look at its Email Security.cloud data to get a better understanding of the state of BEC fraud today.

So who’s being hit by these scams? And who are the people behind them? Here is what has been discovered:

  1. Small and medium sized businesses are most targeted by scammers

    Targets of BEC Scammers

    Nearly 40% of identified victims are small to medium sized businesses, with the financial sector nearing 15%.

  2. Organizations have lost billions to BEC scams:

    Data from the FBI illustrates how lucrative BEC is. At least $3 billion has been lost to BEC scams in the past three years, with over 22,000 victims globally.

  3. Emails are sent Monday to Friday, following a standard working week

    BEC Scams sent Mon to Fri

    It is interesting to see from the data that was collected that the majority of BEC emails are sent on weekdays. The scammers know that this is when most businesses would expect emails. More importantly, most financial transactions can only be cleared during weekdays. BEC scammers are also most active during a typical working day. They will generally begin sending emails from 0700 GMT, take a break from 1100 until 1400 GMT and then resume sending until 1800 GMT.

  4. “Request” is the most common subject line

    BEC Scams have action subject words

    BEC scammers keep things simple with most emails containing a single-word subject line. Subjects always contain one or more of the following words: request, payment, urgent, transfer, inquiry. Simple subject lines are less likely to arouse suspicion and are also harder to filter.
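The four findings above (action-word subjects, single-word subjects, spoofed executive senders, weekday sending windows) can be turned into a simple triage rule for a mail gateway or SOC script. This is an added example, not Symantec’s or this post’s code; the internal domain, the executive name list and the sample headers are constructed for illustration.

```python
import email.utils
from datetime import timezone

INTERNAL_DOMAIN = "example.com"            # assumed: the organisation's own mail domain
EXECUTIVES = {"jane doe"}                  # assumed: names scammers would impersonate
ACTION_WORDS = {"request", "payment", "urgent", "transfer", "inquiry"}
ACTIVE_HOURS_GMT = ((7, 11), (14, 18))     # sending windows reported in the findings

def bec_indicators(headers):
    """List the BEC indicators present in one message's header dict."""
    reasons = []
    words = headers.get("Subject", "").lower().split()
    if set(words) & ACTION_WORDS:
        reasons.append("action word in subject")
    if len(words) == 1:
        reasons.append("single-word subject")
    name, addr = email.utils.parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if name.lower() in EXECUTIVES and domain != INTERNAL_DOMAIN:
        reasons.append(f"executive display name from external domain {domain}")
    _, reply_to = email.utils.parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("Reply-To differs from From")
    sent = email.utils.parsedate_to_datetime(headers["Date"]).astimezone(timezone.utc)
    if sent.weekday() < 5 and any(lo <= sent.hour < hi for lo, hi in ACTIVE_HOURS_GMT):
        reasons.append("sent in a typical BEC weekday window")
    return reasons

def triage(messages, threshold=3):
    """Return (subject, reasons) for messages with at least `threshold` indicators."""
    flagged = []
    for headers in messages:
        reasons = bec_indicators(headers)
        if len(reasons) >= threshold:
            flagged.append((headers.get("Subject", ""), reasons))
    return flagged

SAMPLE_MESSAGES = [  # constructed headers for this example
    {"From": "Jane Doe <jane.doe@example-corp.co>",
     "Reply-To": "ceo.office@freemail.invalid",
     "Subject": "Request", "Date": "Tue, 17 May 2016 08:12:00 +0000"},
    {"From": "Jane Doe <jane.doe@example.com>",
     "Subject": "Q2 planning notes", "Date": "Sat, 21 May 2016 10:00:00 +0000"},
]
```

The timing indicator alone is weak (most legitimate mail also arrives on weekday mornings), which is why `triage` requires several indicators before flagging a message for human review.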

How to protect against BEC email scams?

Security is an ever evolving industry, and user education tends to be the most effective means of protecting companies and personal users from scams.

  • Question any emails requesting actions that seem unusual or don’t follow normal procedures.
  • Users shouldn’t reply to any emails that seem suspicious. Obtain the sender’s address from the email and notify your IT department of the suspicion. Your IT department may be able to block the sender’s address.
  • The majority of these emails are sent in bulk to a large list of guessed addresses in the hope of reaching a real mailbox. Responding to such an email confirms to the scammers that the address is legitimate and in use. They can then flood that address with scams from various different sender addresses, knowing it will reach someone.

There are many forms of scams. Some start with emails and eventually grow into full-fledged calls, or vice versa. Read our blog regarding “Free Vacation Scams and How to Spot them” to understand more, and to learn what to watch out for. If you believe you have been a victim of BEC fraud, notify your financial institution and local law enforcement as soon as possible.


Posted by:
Dominic Rafael
Lead Tech Solutions Engineer

Memorandum Requires Https Connections across Federal Websites and Web Services.

Signed June 8th, 2015, memorandum M-15-13 from the Executive Office of the President, also known as the HTTPS-Only Standard, requires that all publicly accessible Federal websites and web services provide service only through a secure connection.
This is very important as unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services. Any data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.

“All browsing activity should be considered private and sensitive.”

Many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection, and the Federal Government needs to set a precedent that in this day and age web security is as important as the air we breathe.

Although the challenges are few, there are some considerations and implementation details of HTTPS that may affect these Federal Government services.

Challenges and Considerations:

Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency.

Server Name Indication: The Server Name Indication (SNI) extension to SSL/TLS allows for more efficient use of IP addresses when serving multiple domains from one address. However, SNI is not supported by some legacy clients. The name the client sends in SNI is the site’s Fully Qualified Domain Name (FQDN), for example www.energy.gov.

Mixed Content: Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect of the migration process.

APIs and Services: Web services that serve primarily non-browser clients, such as web APIs, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to successfully follow redirects.

Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. With that said, administrators may have to upgrade their system topologies in order to meet this standard. Federal websites and services should also deploy HTTPS in a manner that allows for rapid updates to certificates and proper cipher choices.

One standard that has affected legacy systems, and that will need to be taken into account, is the SHA2 standard, driven by the SHA1 deprecation that has taken effect in the commercial browser industry. For example, old Microsoft IIS6 (Server 2003) systems cannot handle the SHA2 algorithm because their software is 12 years out of date. Federal web service admins should evaluate the feasibility of using technology to improve performance efficiency and may have to upgrade their infrastructure as soon as possible.
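The Mixed Content challenge above notes that finding insecure references is often the most time consuming part of a migration. The following added example (not part of the memorandum or this post) scans a page’s HTML for subresources that would still load over plain HTTP once the page itself is served over HTTPS; the element and attribute table is a constructed subset and the sample HTML is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches as a subresource.
_RESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src", "srcset"), "object": ("data",), "embed": ("src",),
}

class MixedContentScanner(HTMLParser):
    """Collect http:// subresource references in a page served over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []                        # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower()
        if tag == "link" and not ({"stylesheet", "icon"} & set(rel.split())):
            return                                # canonical/alternate links are not fetched
        for attr in _RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset is a comma-separated list of "url descriptor" candidates
            urls = [c.split()[0] for c in value.split(",") if c.strip()] if attr == "srcset" else [value]
            for url in urls:
                absolute = urljoin(self.page_url, url.strip())   # resolves "//host/x" and "/x"
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, attr, absolute))

def find_mixed_content(page_url, html):
    """Insecure subresources that would be blocked or warned about once page_url is HTTPS."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.gov/site.css">
<link rel="canonical" href="http://www.example.gov/">
<script src="//static.example.gov/app.js"></script>
</head><body>
<img src="/images/seal.png">
<img src="http://www.example.gov/images/banner.png" srcset="http://img.example.gov/b-2x.png 2x">
<iframe src="https://video.example.gov/embed/1"></iframe>
</body></html>"""   # constructed page for this example
```

Protocol-relative (`//host/...`) and root-relative (`/...`) references resolve to HTTPS automatically once the page does, so only the hard-coded `http://` references are reported.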

In order to implement HTTPS, a Digital Server Certificate, issued by a trusted Certificate Authority, will have to be issued for the SNI/FQDN of the web service that implements HTTPS.

The Office of Management and Budget (OMB) affirms that tangible benefits to the American public outweigh the cost to the taxpayer. Implementation of Server Certificates with HTTPS will help fight unofficial or malicious websites claiming to be Federal services, and block hacker eavesdropping on communications with official U.S. government sites.


Posted by:

Dominic Rafael
Lead Tech Solutions Engineer

The importance of a Digital Server Certificate.

“It’s All about trust!”

Let’s first start off by talking about what a Digital Server Certificate (DSC) is. A Digital Server Certificate is a piece of data on a web server that provides authentication for online communications, validated by a governing third-party Certificate Authority (CA). These server certificates are also known as SSL/TLS certificates, ECC certificates, End Entity certificates, etc.

Purpose of a server certificate and what it provides:

  • Third-party validation from a Certificate Authority (CA).
  • Assures browser users that the website and the certificate are operated by the same organization.
  • Assures applications or servers that the certificate has been validated and is operated by the same organization.

When your web browser contacts a secured website, the server certificate enables an encrypted connection. If you ever see a padlock in your browser, that is an SSL certificate protecting the site.

  • A digital server certificate acts as a representation of the website’s encryption.
  • A server certificate states that the website www.domain.com has been validated by such-and-such CA and has passed the validation procedures required to get a digital server certificate. This informs you, the web visitor, that the website is who they say they are.

Why does a website need a server certificate?

Server certificates help customers gain the confidence to provide personal information on a website, because the CA has validated that the organization meets industry standards before issuing a certificate for their website.

What happens if a website does not have a valid server certificate?

  • Loss in web traffic.

    Warning message due to either a self-signed certificate or a common name mismatch, where the name of the website is not reflected on the certificate.

  • Application to server failure.
  • Server to server communication failure.
  • Errors in browsers.
  • Browsers will warn users when there’s no encryption.
  • Loss of revenue.
  • No one will work with you.
    • PCI (Payment Card Industry) compliance and other auditors demand a valid CA server certificate.
    • Self-signed certificates not issued by a valid CA will trigger warnings and error messages in applications and browsers, and connection problems with servers.

Who needs a server certificate?

  • Financial institutions,
  • Hospitals,
  • Server to server communications,
  • E-commerce
  • Pretty much EVERYONE that is running a website for business needs.

Who hates server certificates?

  • Criminals

Things to know!

  • To maintain validity and security, certificates are issued with a maximum 3-year validity and then need to be re-authenticated/renewed.
  • Without a valid server certificate running on a website there will be errors in browsers and potential connection issues with server communications.
  • Google has begun using HTTPS as a ranking signal:
    • “Websites without a secure connection could gain a few percentage points in SEO Visibility when migrating to HTTPS-protocol.”
    • Websites without an HTTPS/SSL certificate will rank lower in Google search results.
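Two of the conditions above, a common name mismatch and an expiring certificate, are exactly what a browser checks before showing the padlock. The following added example (not the post’s own code) performs those two checks on a certificate in the dictionary shape Python’s `ssl` module returns from `getpeercert()`; the sample certificate and review time are constructed, and `www.domain.com` is the placeholder name the post uses.

```python
import ssl
from datetime import datetime, timezone

def _name_matches(pattern, hostname):
    """Match one certificate name; '*' is allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]

def certificate_names(cert):
    """Names the certificate covers: SAN dNSName entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def hostname_matches(cert, hostname):
    return any(_name_matches(name, hostname) for name in certificate_names(cert))

def days_until_expiry(cert, now):
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])     # notAfter is given in GMT
    return (datetime.fromtimestamp(seconds, timezone.utc) - now).days

def check_certificate(cert, hostname, now):
    """Problems a browser would raise for this certificate on this hostname."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("name mismatch: certificate covers " + ", ".join(certificate_names(cert)))
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        problems.append("expired")
    elif remaining < 30:
        problems.append(f"expires in {remaining} days")
    return problems

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.domain.com"),),),
    "subjectAltName": (("DNS", "www.domain.com"), ("DNS", "domain.com")),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Dec 31 23:59:59 2016 GMT",
}
REVIEW_TIME = datetime(2016, 12, 15, tzinfo=timezone.utc)   # constructed "now"
```

Against a live server, pass `ssl.SSLSocket.getpeercert()` output as `cert` and `datetime.now(timezone.utc)` as `now`; a renewal alert at 30 days gives time to reissue before visitors start seeing errors.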

Posted by:

Dominic Rafael
Lead Solutions Engineer
