<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DigiCert</title>
	<atom:link href="/feed/" rel="self" type="application/rss+xml" />
	<link>/</link>
	<description>SSL Digital Certificate Authority - Encryption &#38; Authentication</description>
	<lastBuildDate>Thu, 21 Mar 2019 21:43:48 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2017/02/cropped-logo-32x32.png</url>
	<title>DigiCert</title>
	<link>/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Elevating security and trust to even higher levels</title>
		<link>/blog/elevating-security-and-trust-to-even-higher-levels/</link>
		<pubDate>Tue, 26 Feb 2019 18:23:05 +0000</pubDate>
		<dc:creator><![CDATA[DigiCert]]></dc:creator>
				<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Partner Program]]></category>

		<guid isPermaLink="false">/?p=23513</guid>
		<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2019/02/TrustItalia_Featured-150x150.png" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" srcset="/wp-content/uploads/2019/02/TrustItalia_Featured-150x150.png 150w, /wp-content/uploads/2019/02/TrustItalia_Featured.png 200w" sizes="(max-width: 150px) 100vw, 150px" />Trust Italia is on a decades-long mission to help people everywhere understand the importance of identity and security online. They first partnered with Verisign in 1995, then with Symantec until its acquisition by DigiCert in 2017. CEO Riccardo Cazzola said, “We’re happy to see the sector pass into the hands of DigiCert … a company [&#8230;]]]></description>
				<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2019/02/TrustItalia_Featured-150x150.png" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" srcset="/wp-content/uploads/2019/02/TrustItalia_Featured-150x150.png 150w, /wp-content/uploads/2019/02/TrustItalia_Featured.png 200w" sizes="(max-width: 150px) 100vw, 150px" /><span class="entry-content"><p style="text-align: center;"><iframe src="https://player.vimeo.com/video/319060620" width="640" height="360" frameborder="0" allowfullscreen="allowfullscreen"></iframe></p>
<p>Trust Italia is on a decades-long mission to help people everywhere understand the importance of identity and security online. They first partnered with Verisign in 1995, then with Symantec until its acquisition by DigiCert in 2017. CEO Riccardo Cazzola said, “We’re happy to see the sector pass into the hands of DigiCert … a company capable of looking to the future.” Watch the video to see how Trust Italia and DigiCert are working together to deliver solutions that elevate trust and security to even higher levels.</p>
</span>]]></content:encoded>
			</item>
		<item>
		<title>DigiCert Labs to Explore Categorizing IoT Devices Based on Security, Privacy Using AI and Pattern Recognition Technologies</title>
		<link>/blog/digicert-exploring-iot-device-categorization-using-ai-pattern-recognition/</link>
		<pubDate>Thu, 21 Feb 2019 18:41:46 +0000</pubDate>
		<dc:creator><![CDATA[Avesta Hojjati]]></dc:creator>
				<category><![CDATA[DigiCert Labs]]></category>
		<category><![CDATA[Internet of Things]]></category>

		<guid isPermaLink="false">/?p=23426</guid>
		<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2019/02/labs-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />Today, we are surrounded by devices that can record the surrounding sound without our consent, take pictures without our knowledge and transmit data without our permission. In other words, we are surrounded by digital eyes and ears. Commonly, we categorize these devices as the Internet of Things, or IoT for short. Examples such as Amazon [&#8230;]]]></description>
				<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2019/02/labs-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><p>Today, we are surrounded by devices that can record the surrounding sound without our consent, take pictures without our knowledge and transmit data without our permission. In other words, we are surrounded by digital eyes and ears. Commonly, we categorize these devices as the Internet of Things, or IoT for short. Examples such as Amazon Alexas, Nest smart cameras and smart thermostats are taking over our personal space one piece at a time.</p>
<p>Recently, researchers found that devices such as Amazon Alexa possess the capability of recording their surrounding sounds without the knowledge of the owner. While this could increase the device’s capability and functionality, it <a href="https://www.nbcnews.com/tech/innovation/alexa-privacy-fail-highlights-risks-smart-speakers-n877671">poses a number of issues</a>. First and foremost, privacy is threatened. Imagine having an Alexa in the corner of your kitchen, and it has the capability to record, store and process conversations you have there. Secondly, the same capability could create security issues, such as enabling or disabling other IoT devices in the household simply by recording and replaying a set of commands originated by the owner (e.g., Alexa can enable or disable a security system).</p>
<p>In addition, there are privacy issues associated with devices such as robotic vacuum cleaners. These issues stem from the robot’s capability of recording and transmitting household dimensions, virtually allowing an adversary to <a href="https://www.theinquirer.net/inquirer/news/3036246/smart-home-robot-vacuum-cleaners-could-spy-on-you-thanks-to-security-flaw">spy on the owner if the robot gets compromised</a>. The cleaner features a default username and password combination, resulting in poor authentication that attackers could easily exploit. There are seemingly endless examples of invading privacy and causing security issues via consumer IoT devices.</p>
<p>At DigiCert Labs, we’re busy experimenting with different methods on how to appropriately categorize IoT devices based on their level of privacy invasion and known security vulnerabilities. Specifically, we’re focused on utilizing technologies such as AI and Pattern Recognition to analyze the behavior of different IoT devices in different environments.</p>
<p>What appears to hold true thus far is the underestimated capabilities of IoT devices when it comes to recording and transmitting data without the consent of the owner. Additionally, the lack of proper security procedures, such as authentication, causes a broader area of vulnerabilities. The resulting conclusion is that we may be surrounding ourselves at home with devices that threaten harm and may lead us to question whether the usefulness of these devices is worth compromising our personal privacy and security.</p>
<p>As the recent <a href="https://www.digicert.com/state-of-iot-security-survey/">2018 State of IoT survey</a> by DigiCert suggests, IoT security is top of mind for most organizations, but many have yet to fully grasp what they need to do or make the necessary investments. The result is a clear divide between companies faring better with IoT security and those not doing well, leading to significant costs for those struggling with IoT security.</p>
<p>While some are concerned with the cost of good security practices (e.g., 65 percent of the surveyed companies indicated that encryption is too expensive), the reality is that the cost of ignoring IoT security may be much higher. Those struggling the most report impacts of at least $34 million over two years. Frankly, ignoring good security practices for IoT devices is too costly.</p>
<p>Pressure is bound to continue to mount as the number of IoT-based attacks leads to <a href="https://www.telegraph.co.uk/technology/2018/10/11/wannacry-cyber-attack-cost-nhs-92m-19000-appointments-cancelled/">widespread shutdowns of critical infrastructure</a>. As these attacks begin to affect nation-state economies or harm public or personal health, companies will be forced to act. Already, the <a href="https://www.jdsupra.com/legalnews/the-scoop-on-california-s-newly-passed-33937/">State of California</a>, the <a href="https://www.fda.gov/RegulatoryInformation/Guidances/ucm070634.htm">U.S. Food &amp; Drug Administration</a>, the <a href="https://www.i-scoop.eu/internet-of-things-guide/iot-regulation/">European Commission</a> and the <a href="https://www.digicert.com/blog/planning-for-japan-iot-security-regulation-changes-in-2020/">Japanese government</a> are reviewing stronger regulation of IoT devices.</p>
<p>While it is a complex task to protect consumers against the privacy and security issues caused by IoT devices, we have technology available today to protect the same set of IoT devices against unauthorized access or improper authentication. One example is to utilize proper methods of authentication, such as PKI and digital certificates, instead of traditional usernames and passwords. We can also use code signing to assure secure over the air updates of firmware, secure device booting and that devices only run signed code to prevent malicious tampering.</p>
<p>In the ensuing months, DigiCert Labs will publish the results of our experiments around IoT privacy and security. Our goal with such publications is to educate the public about general IoT privacy and security as we innovate new solutions against identified vulnerabilities.</p>
</span>]]></content:encoded>
			</item>
		<item>
		<title>For IBM, identity has become the new perimeter defense.</title>
		<link>/blog/ibm-uses-identity-as-a-shield-identity-has-become-our-new-perimeter-defense/</link>
		<pubDate>Tue, 05 Feb 2019 17:31:26 +0000</pubDate>
		<dc:creator><![CDATA[DigiCert]]></dc:creator>
				<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[PKI]]></category>

		<guid isPermaLink="false">/?p=23290</guid>
		<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2019/02/DigiCert-IBM_2_200x200-150x150.png" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" srcset="/wp-content/uploads/2019/02/DigiCert-IBM_2_200x200-150x150.png 150w, /wp-content/uploads/2019/02/DigiCert-IBM_2_200x200.png 200w" sizes="(max-width: 150px) 100vw, 150px" />“The landscape has shifted under our feet. With the rapid adoption of Software as a Service, all the beautiful protections provided by on-premises network security are totally bypassed.” — Weber Yuan, Ph.D, Lead Architect, CIO, Identity Services &#038; Information Security, IBM In the new digital landscape, Software as a Service models are disrupting the traditional [&#8230;]]]></description>
				<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2019/02/DigiCert-IBM_2_200x200-150x150.png" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" srcset="/wp-content/uploads/2019/02/DigiCert-IBM_2_200x200-150x150.png 150w, /wp-content/uploads/2019/02/DigiCert-IBM_2_200x200.png 200w" sizes="(max-width: 150px) 100vw, 150px" /><span class="entry-content"><p style="text-align: center;"><iframe src="https://player.vimeo.com/video/314094953" width="640" height="360" frameborder="0" allowfullscreen="allowfullscreen"></iframe></p>
<p>“The landscape has shifted under our feet. With the rapid adoption of Software as a Service, all the beautiful protections provided by on-premises network security are totally bypassed.”<br />
— Weber Yuan, Ph.D, Lead Architect, CIO, Identity Services &#038; Information Security, IBM</p>
<p>In the new digital landscape, Software as a Service models are disrupting the traditional approach to user security. Companies need universal, scalable IT services—anywhere and everywhere their users need those services to stay productive and connected within a distributed global environment. IBM’s CIO Office (which is essentially the company’s functioning IT Department), in partnership with DigiCert, has developed an innovative solution. </p>
<p>By using easy-to-deploy digital certificates to validate user identities—on and off the corporate network—IBM has created user-enabling services for wireless, VPN, and secure email that are easy to use, protect company and user data, and avoid costly service interruptions for 500,000 internal users spread across 170 countries.</p>
</span>]]></content:encoded>
			</item>
		<item>
		<title>Planning for Japan IoT Security Regulation Changes in 2020</title>
		<link>/blog/planning-for-japan-iot-security-regulation-changes-in-2020/</link>
		<pubDate>Thu, 31 Jan 2019 20:41:24 +0000</pubDate>
		<dc:creator><![CDATA[Brian Trzupek]]></dc:creator>
				<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[PKI]]></category>

		<guid isPermaLink="false">/?p=23253</guid>
		<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2014/08/shutterstock_437098156-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />A recent article published by Nikkei in Japan today reported that the security risks posed by Internet of Things (IoT) devices are rising, and that the Ministry of Internal Affairs and Communications will be considering regulations beginning in 2020 to enforce standards. The regulations they are considering include mandating that all devices have identity, that [&#8230;]]]></description>
				<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2014/08/shutterstock_437098156-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><p>A recent article published by <a href="https://r.nikkei.com/article/DGXMZO40724420R30C19A1MM8000?n_cid=NMAIL007">Nikkei in Japan</a> today reported that the security risks posed by Internet of Things (IoT) devices are rising, and that the Ministry of Internal Affairs and Communications will be considering regulations beginning in 2020 to enforce standards. The regulations they are considering include mandating that all devices have identity, that devices prevent unauthorized access, and possibly in-the-field updates, or over-the-air (OTA) remediation, of issues.</p>
<p>For manufacturers and device creators the risks have never been higher. The Mirai botnet attacks, in which millions of devices globally were breached and used in multiple Distributed Denial of Service (DDoS) attacks, demonstrated clearly that devices require security measures to prevent unauthorized access, to run only the correct code, and, when necessary, to communicate securely and receive updates for critical issues. In addition, this must be done at scale globally, so that we give device consumers the confidence that their data won’t be hacked or leaked, or their devices commandeered for ill intent.</p>
<p>DigiCert’s team has been working for decades on device security. Through the DigiCert IoT Platform we enable customers to inject device identity for strong authentication, anywhere from silicon to manufacturing, to protect device integrity, and to securely encrypt all device communications. Today, we are already securing billions of IoT devices globally and are working with leading enterprises to future-proof devices with quantum-resistant cryptography.</p>
<p>Additionally, we are increasing in-country investments worldwide and continue to increase our investment in Japan, where local staff and data centers support government workflows today. In Europe we provide the platforms and technology that integrate EU qualified identity protection services for banks and governments, which support country-specific regulations for identity that roll up to support the European Union’s (EU) stringent eIDAS regulations for identity protection.</p>
<p>We are actively tracking the Japanese government’s efforts to secure devices and look forward to working with our partners, customers and industry experts to make sure we protect consumers from unnecessary risk from IoT devices.</p>
</span>]]></content:encoded>
			</item>
		<item>
		<title>Health Canada Guidance for Medical Device Cybersecurity is a Welcome Development</title>
		<link>/blog/health-canada-premarket-requirements-medical-device-cybersecurity/</link>
		<pubDate>Tue, 22 Jan 2019 13:00:00 +0000</pubDate>
		<dc:creator><![CDATA[Mike Nelson]]></dc:creator>
				<category><![CDATA[Healthcare Security]]></category>
		<category><![CDATA[Internet of Things]]></category>

		<guid isPermaLink="false">/?p=23216</guid>
		<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2014/11/shutterstock_152670518-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />Healthcare, by its very nature, deals with sensitive patient data. In addition to medical records, much of the medical equipment today is network connected, and vulnerable to potential cyberattacks. In October, the US Food and Drug Administration (FDA) issued pre-market guidance for medical devices containing cyber risks. Weeks later, Health Canada released a guidance document for [&#8230;]]]></description>
				<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2014/11/shutterstock_152670518-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><p>Healthcare, by its very nature, deals with sensitive patient data. In addition to medical records, much of the medical equipment today is network connected, and vulnerable to potential cyberattacks.</p>
<p>In October, the US Food and Drug Administration (FDA) issued pre-market guidance for medical devices containing cyber risks. Weeks later, Health Canada released a guidance <a href="https://www.canada.ca/en/health-canada/services/drugs-health-products/public-involvement-consultations/medical-devices/consutation-premarket-cybersecurity-profile.html" rel="nofollow">document for pre‐market requirements for medical device cybersecurity</a>. This document is designed to help medical device manufacturers during the product development stage, providing cybersecurity recommendations to ensure products are secure before they are released to the market.</p>
<p>Cybersecurity presents multiple risks to healthcare providers and device manufacturers, including legal liability, lost revenue, and a loss of patient and customer trust. The rapid growth of connected devices requires the healthcare industry to take steps to minimize the threat of security incidents and breaches. To that end, medical device manufacturers need to ensure security is built into their products during product planning and development.</p>
<p>The Health Canada guidance document for pre‐market requirements for medical device cybersecurity encourages manufacturers to secure all connections between other devices and interfaces. This will ensure best practice for secure authentication when connecting to back-end systems, like servers and electronic health record systems. The guidance also includes securing connections between devices and back-end systems with encryption for data at rest, and data on the device, and puts in place recommendations for user access controls to grant access and privileges to the device.</p>
<p>From a security industry perspective, the proper implementation of PKI and the use of digital certificates is the best way to securely authenticate devices to back-end systems and encrypt data in transit.</p>
<p>Virtually every industry is susceptible to cybercrime, but healthcare is an industry where cyber-threats can have a direct impact on individual lives, for both personal information and physical safety. While cybersecurity is a shared responsibility for device manufacturers, regulators, healthcare IT, and patients and clients, having security protection guidance in the pre-market development of medical devices is vital to protecting all parties within the healthcare ecosystem.</p>
<p>Connected medical devices are everywhere. Ensuring cybersecurity protection is becoming more challenging as more devices enter the market. Connected medical devices include diagnostic equipment, picture archiving communication systems (PACS), such as MRIs and CAT scans, laboratory equipment, infusion systems, and even patient beds. Device manufacturers now provide tablet computers that are used throughout hospitals to monitor and collect data from connected devices. The most rapidly growing connected medical devices are consumer products, like cardiac, neurology and diabetic devices that include continuous glucose monitors and insulin pumps. These consumer devices are worn by, or embedded within, patients, and the data they collect is commonly sent via Bluetooth to their smartphones and smartwatches, and then wirelessly sent to the cloud. Whether medical devices are purchased by hospitals, or by patients and consumers, the Health Canada guidance applies to all devices.</p>
<p>The Health Canada guidance document takes into consideration the prevention of unauthorized individuals attempting to alter a device by manipulating configuration settings and makes recommendations on incorporating product security testing into the manufacturer’s verification and validation processes. The recommended strategy includes having a secure device design, device-specific risk management, verification and validation, as well as a plan for monitoring and responding to emerging risks.</p>
<p>Health Canada should be applauded for their efforts in helping to drive manufacturers to be more responsive in the handling of cybersecurity issues by providing substantial, tangible and actionable guidance. This is welcome regulatory guidance that will help manufacturers develop a strategy to ensure security is integral in the development of their medical devices.</p>
</span>]]></content:encoded>
			</item>
		<item>
		<title>DigiCert on Quantum: National Academy of Sciences Report</title>
		<link>/blog/digicert-on-quantum-national-academy-of-sciences-report/</link>
		<pubDate>Wed, 09 Jan 2019 15:00:40 +0000</pubDate>
		<dc:creator><![CDATA[Timothy Hollebeek]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">/?p=23162</guid>
		<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2017/12/shutterstock_105784187-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />This is the first of a series of technical blogs that DigiCert is publishing on quantum computing and the coming post-quantum transition. Upcoming articles will provide additional, easy to understand information about what is happening and steps that can be taken now to prepare for the future. Bookmark our blog and follow us on Twitter [&#8230;]]]></description>
				<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2017/12/shutterstock_105784187-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><p><em>This is the first of a series of technical blogs that DigiCert is publishing on quantum computing and the coming post-quantum transition. Upcoming articles will provide additional, easy to understand information about what is happening and steps that can be taken now to prepare for the future. Bookmark our blog and follow us on Twitter @digicert to stay informed. </em></p>
<p>The Committee on Technical Assessment of the Feasibility and Implications of Quantum Computing, part of the National Academy of Sciences, recently released a report entitled “<a href="https://www.nap.edu/download/25196">Quantum Computing: Progress and Prospects</a>”. The 200-page report gathers the consensus of industry experts and conveys an important message about the current state of quantum computing and its threat to modern cryptography: the time to start preparing for a quantum-safe future is now.</p>
<p><a href="https://www.digicert.com/TimeTravel/math.htm">DigiCert has estimated that it takes several quadrillion years to factor a 2048-bit RSA key using classical computing technology</a>, an estimate that is referenced in the National Academy’s report. However, a sufficiently capable quantum computer can break the same key much faster, perhaps in only a few months. There are still many technical challenges that must be overcome before it is possible to build a quantum computer that threatens RSA and ECC, the two main asymmetric cryptographic algorithms that the internet’s security is based on. The report estimates that such a quantum computer must be five orders of magnitude larger, with two orders of magnitude lower error rates, than the first-generation quantum computers that exist today, and likely requires technological advancements that haven’t been invented yet.</p>
<p>Given the early state of the field, with rapid progress towards being able to build quantum computers only beginning to accelerate within the last few years, the report concludes it is still too early to be able to predict when it will be possible to build a scalable quantum computer. Progress towards that goal must track not only the scaling rate of the number of physical qubits the computers have, but also the error rates.</p>
<p>Error rates are important because they have a big impact on the number of physical qubits required to make a logical qubit. Physical qubits are the individual quantum systems that represent either a ‘0’ or a ‘1’. However, physical qubits are prone to errors, through unavoidable interactions with their environment, even at temperatures approaching absolute zero. Uncorrected, it is impossible to perform large, complex calculations involving qubits without the errors quickly overwhelming the calculation.</p>
<p>Many physical qubits can be combined into a single logical qubit, much in the same way that classical error correcting codes use several classical bits to encode a single classical bit. However, the overhead for quantum error correcting codes is much larger. Researchers have yet to produce even a single logical qubit; however, progress is rapidly being made towards that goal. Once logical qubits are available, tracking the number of logical qubits will be the preferred metric. The committee concluded that there is “no fundamental reason why a large, fault-tolerant quantum computer could not be built in principle.”</p>
<p>While it will take a long time to overcome those obstacles, it will also take a long time to develop, standardize and deploy post-quantum cryptographic techniques. In fact, the timescales are probably roughly the same. Especially for high assurance applications, it is critical to begin the transition effort now, to avoid the possibility that quantum computers will arrive before our cryptographic techniques are capable of protecting critical information.</p>
<p>In the near term, research and development into commercial applications of noisy intermediate-scale quantum computers will probably drive progress in this area. How useful these computers turn out to be, and what problems they are able to solve, will probably be the driver for increased investments in improving quantum computing technologies. Right now, the field is extremely active, with billions of dollars of research funding being committed to the race to produce larger and more capable quantum computers.</p>
<p>Industry standards groups are also preparing for a post-quantum future, and DigiCert is very active in these efforts. Most well-known is the <a href="https://csrc.nist.gov/projects/post-quantum-cryptography">NIST post-quantum cryptography project</a>, which is working with researchers around the world to develop new cryptographic primitives that are not susceptible to attack by quantum computers. However, it will be several years before those algorithms are ready for standardization. A simpler technology (hash-based signatures, RFC 8391) has been standardized by the Internet Engineering Task Force and will soon be standardized by NIST. While it has some drawbacks compared to more advanced algorithms, namely larger signatures and a limit on the total number of signings, it has the advantage of being well-understood, quantum-safe and available now.</p>
<p>Other efforts by standards groups include ANSI X9’s Quantum Risk Study Group, which is preparing an information report specifically examining the threat quantum computing poses to cryptography being used in the financial services industry. The report is expected to be available in early 2019. The European Telecommunications Standards Institute (ETSI) also has a Quantum Safe Cryptography group, which has been producing information reports for the past nine years.</p>
<p>These two parallel efforts are rapidly heating up: one, by those who are exploring how to build large, fault-tolerant quantum computers, and the other, by those who are seeking to make sure quantum-safe cryptography is available and ready to be deployed before that happens. DigiCert will be producing a series of blog posts to help readers understand this important transition, and what they can do to protect their systems from the upcoming threat to existing asymmetric cryptographic algorithms, like RSA and ECC.</p>
</span>]]></content:encoded>
			</item>
		<item>
		<title>Protecting personal information with IoT device security</title>
		<link>/blog/protecting-personal-information-with-iot-device-security/</link>
		<pubDate>Fri, 21 Dec 2018 19:59:21 +0000</pubDate>
		<dc:creator><![CDATA[DigiCert]]></dc:creator>
				<category><![CDATA[Internet of Things]]></category>

		<guid isPermaLink="false">/?p=23125</guid>
		<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2018/12/Panasonic-150x150.png" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />Panasonic Connected Solutions Company builds IoT solutions that connect with people, devices and services. Chief Engineer Saburo Toyonaga and team develop security software for B-to-B IoT devices. They have developed an encryption module that permits incorporation of a certificate at manufacturing, and that runs efficiently even on CPUs with slower speeds or lower specifications. Panasonic [&#8230;]]]></description>
				<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2018/12/Panasonic-150x150.png" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><p style="text-align: center;"><iframe src="https://player.vimeo.com/video/307750809" width="640" height="360" frameborder="0" allowfullscreen="allowfullscreen"></iframe></p>
<p>Panasonic Connected Solutions Company builds IoT solutions that connect with people, devices and services. Chief Engineer Saburo Toyonaga and team develop security software for B-to-B IoT devices. They have developed an encryption module that permits incorporation of a certificate at manufacturing, and that runs efficiently even on CPUs with slower speeds or lower specifications. Panasonic is partnering with DigiCert to secure IoT devices such as security cameras, to protect against information leakage and to protect device integrity.</p>
</span>]]></content:encoded>
			</item>
		<item>
		<title>Digital Certificates Expiring on Major Platforms – We’ve Seen This Before</title>
		<link>/blog/digital-certificates-expiring-on-major-platforms/</link>
		<pubDate>Mon, 17 Dec 2018 13:00:15 +0000</pubDate>
		<dc:creator><![CDATA[Jeremy Rowley]]></dc:creator>
				<category><![CDATA[CertCentral]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[SSL Certificate Management]]></category>

		<guid isPermaLink="false">/?p=23110</guid>
		<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2017/12/shutterstock_572527735-1-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />Once again, expiring digital certificates leading to massive online services shutdowns made headlines. These types of incidents can happen, though here at DigiCert, we’ve built CertCentral to help companies avoid these headaches. And, we are constantly working on improvements to the platform to include additional functionality and automation. Digital certificates are used to encrypt website [&#8230;]]]></description>
				<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2017/12/shutterstock_572527735-1-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><p>Once again, expiring digital certificates leading to massive online services shutdowns made headlines. These types of incidents can happen, though here at DigiCert, we’ve built <a href="https://www.digicert.com/mpki/">CertCentral</a> to help companies avoid these headaches. And, we are constantly working on improvements to the platform to include additional functionality and automation.</p>
<p>Digital certificates are used to encrypt website traffic during browser sessions. These certificates are issued for a limited period after vetting the domain holder’s authorization for the certificate. Certificates have a set expiration date to ensure they are updated periodically to include improved industry standards and protocols and revalidate the true identity of the domain owner or operator. These security checks help protect end-users and encourage adoption of evolving and improving best practices.</p>
<p>Once certificates expire, a device or site using the certificate needs to be updated with a new certificate or risk blocking user access to the device. Each device treats an expiring certificate differently, but generally requires a valid certificate to maintain a connection.</p>
<p>Some organizations have thousands, hundreds of thousands and even millions of certificates. Your phone, for example, may have dozens of certificates on it. Because of this volume, using something like spreadsheets or human memory to replace the certificates before expiration is not a good idea. In fact, a report in 2017 said that 80% of businesses were hit by certificate-related outages (<a href="https://www.scmagazine.com/home/security-news/vulnerabilities/80-of-businesses-hit-by-certificate-related-outages-study/">https://www.scmagazine.com/home/security-news/vulnerabilities/80-of-businesses-hit-by-certificate-related-outages-study/</a>). Recently, millions of smartphones were taken offline because of a certificate outage (<a href="https://www.theverge.com/2018/12/7/18130323/ericsson-software-certificate-o2-softbank-uk-japan-smartphone-4g-network-outage">https://www.theverge.com/2018/12/7/18130323/ericsson-software-certificate-o2-softbank-uk-japan-smartphone-4g-network-outage</a>). Failing to manage certificates properly has real financial and customer implications.</p>
<p>The serious business of managing certificates, especially in volume, is why DigiCert built CertCentral. Regardless of the volume, type or expiration date, DigiCert’s CertCentral software can easily track, manage and replace certificates. The software features discovery and automation services that can help administrators automatically track, manage and deploy certificates as needed.</p>
<p>The system was designed to support both websites and IoT devices en masse to ensure no certificate is forgotten. The configurable alerts permit administrators to send renewals and notices at customizable intervals throughout the lifecycle and escalate issues with both security and lifecycle management. The audit logs show exactly what users are doing, to ensure a rogue actor doesn’t covertly sabotage a company’s certificate operations. Enhanced permission settings go further, limiting the damage a single disgruntled employee can do.</p>
<p>On top of management, CertCentral includes tools to diagnose installation issues, detect expiring certificates, and warn about certificate-related issues. Our certificate inspection tools detect vulnerabilities and help troubleshoot even the most difficult situations. The solution is an all-encompassing certificate experience, designed with the user in mind. Regardless of whether users access the system through the API or GUI, certificate management becomes an automated and seamless task using the award-winning platform.</p>
<p>Like most services, certificate management can be a headache or non-issue, depending on the partner providing the services and management tools used. DigiCert’s best-in-breed and award-winning software is trusted worldwide by the world’s top companies to make certificate management easy.</p>
<p>To learn more or get a demo, visit <a href="https://www.digicert.com/mpki/">https://www.digicert.com/mpki/</a>.</p>
</span>]]></content:encoded>
			</item>
		<item>
		<title>The New Kid on the BlockChain</title>
		<link>/blog/new-kid-on-the-blockchain/</link>
		<pubDate>Tue, 11 Dec 2018 13:27:17 +0000</pubDate>
		<dc:creator><![CDATA[Avesta Hojjati]]></dc:creator>
				<category><![CDATA[Blockchain]]></category>

		<guid isPermaLink="false">/?p=23087</guid>
		<description><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2017/11/shutterstock_465742946-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" />Addressing the need for strong identity validation in blockchain systems Recently, DigiCert announced joining the Linux Foundation and consequently Hyperledger. Additionally, we made an announcement of becoming a steward for Sovrin Foundation. Our efforts in both verticals are to protect identities on blockchain platforms in order to provide a safer environment for our customers and other [&#8230;]]]></description>
				<content:encoded><![CDATA[<img width="150" height="150" src="/wp-content/uploads/2017/11/shutterstock_465742946-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="float:left; margin:0 15px 15px 0;" /><span class="entry-content"><h3>Addressing the need for strong identity validation in blockchain systems</h3>
<p>Recently, DigiCert announced joining the Linux Foundation and consequently Hyperledger. Additionally, we made an announcement of becoming a steward for Sovrin Foundation. Our efforts in both verticals are to protect identities on blockchain platforms in order to provide a safer environment for our customers and other users of the web while using blockchain platforms.</p>
<p>The matter of a valid identity on blockchain is an important topic that requires expertise in a number of areas; first and foremost is familiarity with the identity validation process. At DigiCert we have crafted our validation framework to perform at the highest level of security and efficiency while keeping its integrity with global industry standards. Given that we have 20 years of expertise in identity validation as an organization, we are striving to share our knowledge and framework with the blockchain community.</p>
<p>Historically, eliminating financial intermediaries has been one of the bases for <a href="https://bitcoin.org/bitcoin.pdf">Bitcoin’s development</a> (an example of a cryptocurrency based on a public blockchain). That being said, Bitcoin has also been described as a method to transact anonymously. While this partially holds true and benefits some, it simultaneously causes a number of problems. For example, in February of 2011, an online marketplace by the name of <a href="https://blockonomi.com/history-of-silk-road/">Silk Road</a> was launched as a platform for selling illegal drugs. One of the main technologies utilized by Silk Road was Bitcoin, since it provided the ability to purchase goods online while staying anonymous. Given this use case, interacting with valid identities on the internet even with the presence and protection of blockchain is important. It still holds true that interacting with valid identities does not require revealing the identity.</p>
<p>It has been the focus of academic researchers to facilitate different methods to preserve identities and process datasets without giving away access to the identity or the original dataset. One example is the advancement of Fully Homomorphic Encryption (FHE), which allows computation on encrypted datasets such as Electronic Medical Records (EMR) without the need to decrypt the original dataset (for a detailed yet easy-to-read paper visit <a href="https://crypto.stanford.edu/craig/easy-fhe.pdf">Computing Arbitrary Functions of Encrypted Data</a>). Similar to the approach taken by academic researchers, DigiCert’s R&amp;D team is working towards a solution which allows identities to be validated yet stay anonymous on a permissioned or hybrid blockchain platform. Given DigiCert’s relationship with Hyperledger, we are aiming to provide our first functional module for Hyperledger Fabric in the near future.</p>
<p>Additionally, with DigiCert’s scalable Managed PKI, we are working towards the development of a module specifically crafted for Hyperledger Fabric. In addition to enabling the identity validation process, this module also provides a high-performance certificate issuance engine.</p>
<p>We are excited about our new development of identity for blockchain, and we invite customers and partners to reach out via email to <a href="mailto:labs@DigiCert.com?subject=The%20New%20Kid%20on%20the%20BlockChain">labs@DigiCert.com</a>, if they believe they could contribute to our initiative.</p>
</span>]]></content:encoded>
			</item>
	</channel>
</rss>
