The Payment Card Industry (PCI) council have spoken. Early versions of Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are now being forced into obscurity by the Payment Card Industry Data Security Standard (PCI DSS) 3.2.1, pushed there by years of security failures and a technological horizon in which those failures will simply not be acceptable.
Continue reading at Infosecurity Magazine
Help Net Security sat down with Jeremy Rowley, Executive Vice President of Product at DigiCert. He leads the company’s product development teams serving its TLS and digital certificate clients for web communications and emerging markets clients that require security solutions for the Internet of Things, U.S. federal healthcare exchange, advanced Wi-Fi and other innovative technology sectors.
Continue reading at Help Net Security
All Symantec-issued digital certificates will be deprecated on Google Chrome by mid-October. Former Symantec customers must ensure their websites are compliant.
Continue reading at SCO Online
An IoT breach can involve multiple vulnerable systems and applications in an owner’s environment, dispersing levels of responsibility; ultimately the courts will decide and consumers bear the consequences.
Continue reading at SC Media
Quantum computing threats are on the horizon, but DigiCert, Gemalto and ISARA have teamed up to develop new quantum-proof digital certificates and remake the PKI industry.
Continue reading at TechTarget
As quantum computing power grows, so too does the risk to currently deployed cryptographic algorithms, which is why DigiCert, Gemalto and ISARA are now working together to prepare for the future.
Continue reading at eWeek
In 1995, kids everywhere fell in love with Woody and Buzz, ultimate frienemies from the Pixar film Toy Story. This first-of-its-kind animation had millennials enthralled by the idea of their toys coming to life. But, as they say, be careful what you wish for. Just a generation later, those same millennials who dreamed of lifelike toys are now trying to protect their kids from, well… lifelike toys.
Continue reading at HealthIT Security
Alleged North Korea spy Park Jin Hyok is the latest person to face cybercrime charges as part of several high-profile cases brought by US Department of Justice against cybercriminals and other assorted bad actors.
Continue reading at HealthIT Security
fa
Wirelessly connecting infusion pumps to point-of-care medication systems and EHRs improves healthcare delivery but also increases cybersecurity vulnerability, warned NIST and NCCoE in a new guide.
Continue reading at Hospitality Technology
fa
With so many issues competing for an IT security professional’s time, it’s difficult to find time for future planning. That being said, now is the time of professionals to have quantum computing on the radar.
Continue reading at CSO Online
fa
Wirelessly connecting infusion pumps to point-of-care medication systems and EHRs improves healthcare delivery but also increases cybersecurity vulnerability, warned NIST and NCCoE in a new guide.
Continue reading at HealthIT Security
fa
In a move to blanket the Internet with encrypted website traffic, Google is moving forward with its insistence that straggling website publishers adopt HTTPS Secure Sockets Layer (SSL).
Continue reading at The Last Watchdog
In this episode of The Security Ledger Podcast (#107): Hacker Summer Camp takes place in Las Vegas this week as the Black Hat, DEFCON and B-Sides conferences take place. We’re joined by DigiCert Chief Technology Officer Dan Timpson to talk about the presentations that are worth seeing. And, in our second segment, The Department of Homeland Security launched a new Risk Analysis Center that sounds a whole lot like some programs it already runs. Is this bureaucratic overkill or is DHS on to something?
Continue reading at The Security Ledger
Any effort to overhaul the cyber security of connected medical devices is likely to take considerable time and energy. Given that many of them are made to last decades, securing them while they’re in use can make turning an ocean liner look positively nimble.
Continue reading at Security Boulevard
As the sheer number of connected devices continues to rise, securing these devices, and becoming “crypto agile” is a key component of an organization’s effort to become more agile. Read on to discover how to improve your organization’s cyrpto-agility.
Continue reading at CSO Online
Is the cloud right for everyone? That, says one leading observer, is the wrong question. “Like any evolutionary development, it’s our current reality.” But woe betide those who fail to take every security measure along the way
Continue reading at Computing Security
Lawyers will no longer be allowed to certify someone’s ownership of an internet domain name, and the public Whois no longer represents proof of ownership, when it comes to assigning security certificates to site owners.
Continue reading at The Register
Healthcare cybersecurity is facing two problems – neither of which can be solved using better technology alone. In fact, these problems have more to do with economics than cybersecurity.
Continue reading at HITECH Answers
A looming deadline – now less than three weeks away – means that Google Chrome users who visit unencrypted websites will be confronted with warnings.
Continue reading at The Register
While some complicate its definition, cloud computing is “any computer-based event that takes place outside your internal network”, points out Mike Ahmadi, CISSP, global director – IoT Security Solutions at DigiCert. “It’s allowed us to connect like never before. But the greater the connection, the higher the stakes. The cloud as we know it wasn’t born from a massive project; it evolved organically as connectivity skyrocketed. Networks gradually became more interconnected, giving us the 99.999% uptime we’ve come to expect.”
Continue reading at Computing Security
Data is the new currency. In fact, most of our financial transactions today are pure data exchanges.
Continue reading at Intelligent CIO
The security industry can play a lead role in providing the tools to make it easier for IoT manufacturers and organizations to make “security by default” a business priority.
Continue reading at IoT Agenda
A few weeks ago, I stayed at a hotel in Las Vegas. I’m always nervous when I open the door to my room. What if it’s not as clean as I’d hoped? What if I discover something mildly disturbing? What I found this time wasn’t alarming, but it was surprising.
Continue reading at IoT Agenda
There’s no slowing down the growing Internet of Things. However, security concerns are becoming an unavoidable problem for consumers. Mike Nelson, VP of IoT Security, DigiCert shares his wisdom about IoT security and fighting back with Public Key Infrastructure.
Continue reading at IoT Agenda
There’s an epidemic of insecure Internet of Things devices. But why? And what is the shortest path to ending that epidemic? In this Spotlight Edition* of The Security Ledger Podcast, we speak with Deepika Chauhan, the Executive Vice President of Emerging Markets at DigiCert. Her job: forging new paths for the use of public key encryption to secure Internet of Things ecosystems.
Continue reading at SecurITy Ledger
DigiCert CEO John Merrill discusses the implications of Google’s plan’s to distrust Symantec certificates and what his company has done to help with the impending deadlines.
Continue reading at CSO
DigiCert Inc. announced a major milestone: less than 1 percent of the top 1 million sites have yet to replace Symantec-issued certificates affected by upcoming browser distrust action. Mozilla released figures from its latest telemetry report earlier this week showing 1 percent with certificates to be untrusted.
Continue reading at App Developer Magazine
One word summarizes the challenge of securing the Internet of Things (IoT): scale.
It’s actually a two-fold challenge. The first issue is the sheer number of IoT devices connected to the internet — a total that continues to grow every year. Gartner estimates that number will reach 26 billion by 2020. Secondly, how can device manufacturers and security providers possibly scale the process of identifying and authenticating each and every one of those devices?
Continue reading at Forbes
Less than 1% of the top 1 million websites have yet to replace Symantec-issued certificates before major browsers distrust them, DigiCert announced this week.
Continue reading at Security Week
Today, at CloudFest 2018 in Rust Germany, certificate authority [CA] provider DigiCert is announcing enhancements to its Certified Partner Program. The key objective here was to integrate the massive swell of channel partners that came as the result of DigiCert’s October 2017 acquisition of Symantec’s Website Security business and related PKI solutions – which more than quadrupled the number of DigiCert partners.
Continue reading at Channel Buzz
DigiCert Tuesday unveiled its enhanced Certified Partner Program, the first phase of an ongoing effort to work with partners and provide added benefits from the company’s acquisition of Symantec’s website security and related PKI services.
Continue reading at Channel Partners Online
All the tools are in place for the migration of SSL digital certificates on a scale that is unprecedented for the certificate authority industry. Are you ready?
Continue reading at Dark Reading
DigiCert has been selected to host the Root CA for Aeronautical Mobile Airport Communication System (AeroMACS), the only wireless technology that has been validated by major international regulatory bodies to support the safety and regularity of flight.
Continue reading at Digitalisation World
Public Key Infrastructure (PKI) certificates have long served as the optimal method for securing the servers on the web and, increasingly, Internet of Things (IoT) devices. Deploying and updating PKIs used to be a largely manual process that required the time and attention of IT personnel. Today, there are tools that can automate those tasks, which makes securing the connections between networks, devices and their users simpler and more cost-effective.
Continue reading at Infosec Island
Securing all these IoT devices and their connections to corporate networks and other systems is an issue manufacturers – and the security industry as a whole – needs to address immediately.
Continue reading at CSO
It was a big year for DevOps adoption: Companies who are well down the path share advice.
Continue reading at The Enterprisers Project
DevSecOps is about introducing security earlier in the life cycle of application development, thus minimizing vulnerabilities and bringing security closer to IT and business objectives.
Continue reading at CSO
Last week DigiCert announced it had closed on the billion-dollar acquisition of Symantec’s security business previously announced in August of this year. The deal adds to DigiCert’s capable team some of the industry’s best talent and resources in the area of SSL/TLS certificates and related PKI solutions. As the world becomes more cloud and IoT-centric, these are security technologies that companies need to pay more attention to.
Continue reading at CSO
By 2020, over 25 billion devices, by conservative estimates, will be connected to the internet, and each one of those connections must be secure to mitigate risks and protect organizations and individuals from malicious attacks.
Continue reading at IoT Agenda
Google is making a big push to compel website publishers to jettison HTTP and adopt HTTPS Transport Layer Security (TLS) as a de facto standard, and it’s expanding use of this important encryption technology.
Continue reading at The Last Watchdog
DigiCert announced on Oct. 31 that is has completed the $950 million acquisition of Symantec’s website security and PKI (Public Key Infrastructure) business assets, which include the company’s SSL/TLS certificates.
Continue reading at eWEEK
DigiCert has addressed the concerns raised by Mozilla and others regarding the company’s acquisition of Symantec’s certificate business after some web browser vendors announced that certificates issued by the security firm would no longer be trusted.
Continue reading at Security Week
During a recent interview, I was asked “could you have picked a worse time to acquire Symantec’s Website Security business?” The interviewer was joking, but I understood the point. Not only are cyberattacks constantly growing in number and sophistication, but the debate within the browser community about trust in the Symantec certificates created uncertainty about the industry. Others questioned if DigiCert could handle the scale of Symantec’s operations.
Continue reading at Medium
I have spent the last decade talking about problems. I suppose the reason is because it seems to have gotten me a lot of attention. It wasn’t like that at first, but it eventually turned out that way.
Let me explain…
Continue reading at Huffington Post
“[Customers will] get a much better, more modern experience through our tools,” Merrill said.
Parallel groups focused on the integration have been formed in both DigiCert’s and Symantec’s web security business to ensure that the transition for channel partners is seamless, Martins said.
Continue reading at CRN
Identity and encryption solution vendor DigiCert has completed the acquisition of Symantec’s Website Security and related public key infrastructure [PKI] solutions, for $USD 950 million and a 30 per cent stake in itself. The move instantly makes DigiCert the global market leader in the space. It will also have significant channel ramifications. While DigiCert has been selling to very large enterprises, it did so through its direct arm. They expect that Symantec’s large enterprise-focused channel will significantly expand their enterprise business.
Continue reading at ChannelBuzz
The marketplace is demanding agility, but many enterprises perceive the need for agility as an ongoing security risk. If applications are constantly evolving, they assume, the process will constantly open up new avenues for attackers to exploit. This worry has given rise to a widespread misconception that security or agility is a binary choice.
Continue reading at Security Intelligence
In an effort to digitally transform their companies, the majority of enterprises are integrating their security teams into DevOps methodologies—or are trying to do so—a new survey finds. Faster app development can open a company to security risks, however. So how can enterprises increase both simultaneously? A new survey, “Making Security Agile” from scalable identity and encryption solutions provider DigiCert, addresses these questions. “Agility and security are not mutually exclusive, and integration requires a combination of technology improvements, and a cultural shift in how technical staff is aligned,” said DigiCert CSO Jason Sabin. “The DevOps methodology is not just a method for increasing speed, but [also] about improving efficiency, quality control and predictability in development outcomes.” The survey polled 300 U.S. enterprise executives (100 of whom are in IT management, 100 in DevOps and 100 in security) to see “whether their organizations are breaking down silos and inviting security to join the DevOps movement.”
Continue reading at CIO Insight
While the number of enterprises subscribing to cloud applications is increasing that doesn’t mean internal application development has gone away. Sometimes customization may be needed for a cloud application to meet business needs, and sometimes a custom application may have to be written.
While DevOps is still a fairly new concept to most enterprises and their development teams, security has been ingrained into the DNA of IT for some time. Now, some are trying to combine the two.
The inclusion of IT security into DevOps processes appears to be occurring at an accelerated rate. A new survey of 300 enterprise IT organizations published this week by DigCert, a provider of identity management and encryption software, finds that almost half (49 percent) of the respondents says they have completed DevSecOps, while another 49 percent say they are already working on it.
A combination of culture change, automation, tools and processes can bring security into the modern world where it can be as agile as other parts of IT.
A new DigiCert survey reveals that 98 percent of enterprises integrating their security teams into their existing DevOps methodologies. Or, at least they’re trying to.
An overwhelming majority of companies believe an integrated security and DevOps team makes sense, with 98% of survey respondents saying they are either planning to or have launched such an effort, according to a report released today by DigiCert.
Recent changes in internet service provider regulations and an increase in online fraud have spurred an increased interest in online privacy. Here are five tips to stay safe online.
Securing IoT is tricky business. IoT exploits include firmware spoofing, compromising hardware, man-in-the-middle attacks, interface exploits, and cloud hosted application hacks, among others. Businesses are not always ready for the unique security challenge posed by the massive deployment of IoT devices.
In-brief: Far from ‘breaking’ the public key encryption (PKI) model, the Internet of Things is poised to turbocharge PKI adoption and revolutionize online identity, DigiCert* CTO Dan Timpson writes.
If you wanted to make a movie about the Mirai botnet attacks of October 2016, you might call it “When Things Attack” or, maybe, “Revenge of the Webcams.” It’s amusing, in hindsight, to imagine the spectacle of hundreds of thousands of compromised webcams marching together in a massive, online army.
No. 24, DigiCert – Lehi, Utah
This Lehi, Utah-based certificate authority provides scalable systems for securing web servers and internet of things devices with encryption technologies or user ID and authentication tools. DigiCert IT employees work in a flexible environment that supports work/life balance. A culture of accountability prioritizes results more than time spent in the office, and the company offers generous employee and dependent care benefits to help IT staffers manage major life events. Members of the IT team are eligible to take advantage of travel incentives through which they can go on trips to relax and recharge while exploring new cultures and places around the world.
Scripts, code and other vulnerabilities in your company’s website could leak sensitive data or take you offline. Avoid it by checking yourself with these tools.
It’s such a weird thing to hear, it seems counter-intuitive: London City Airport is building a new air traffic control tower that will be completely digital and manned by a group of human controllers who will be over 100 miles away.
The WannaCry ransomware attack affected hundreds of countries and hundreds of thousands of systems, including health systems. Experts discuss what healthcare orgs need to do.
In the wake of the WannaCry ransomware attack, two cybersecurity experts suggest that if hospitals are not already using techniques such as multifactor authentication and public key infrastructure certificates, they need to head in that direction.
The National Institute of Standards and Technology has issued new guidance on securing wireless infusion pumps in hopes of hardening the devices against cyber attacks.
The federal agency issued the instructions in collaboration with the National Cybersecurity Center of Excellence (NCCoE), which is a unit within NIST.
New draft guidance from the National Institute of Standards and Technology calls for using commercially available, standards-based technologies to improve the security of wireless infusion pumps.
NIST issued a white paper on the same topic in 2014, but it was criticized for being too prescriptive (see Infusion Pump Security: NIST Refining Guidance).
Wireless infusion pumps are commonly used medical devices that can be potentially vulnerable to accidental and malicious tampering, posing both data security and patient safety risks.
Security certificates are designed to authenticate hosts. Browsers have become pretty good about understanding chains of authorities, and making users accept the risk when websites can’t prove the chain of authorities needed to verify they are who they say they are…
Mark Weiser, known to many as the father of ubiquitous computing, stated in an article he wrote for Scientific American in 1991 that, “The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it.” The Internet of Things is quickly achieving this status as we barely recognize all the devices that are both connected to the Internet and part of our lives.
But securing these IoT devices is not an easy task, and is one topic of discussion that must remain prominent because the ramifications from a security breach could be severe. Connected devices need to have strong identity attestation, authenticate all connections, and data must be encrypted to protect system integrity…IoT requires owner-controlled PKI security posture to provide independent security control over connected devices.
FAA Administrator Michael Huerta announced at the agency’s Unmanned Aircraft Systems Symposium in Reston, Virginia, a rulemaking effort that will lead to remote digital identification of drones and their pilots…
An effort by private industry to create a universal system for remote, digital drone identification was announced in December by AirMap, the company that launched with an online airspace recognition tool for remote pilots, collaborating with DigiCert Inc. Industry analyst Colin Snow wrote about the new technology this month, explaining in detail many implications for regulators, pilots, and other stakeholders.
In this podcast recorded at RSA Conference 2017, Jeremy Rowley, Executive VP of Emerging Markets at DigiCert, talks about automating PKI for the IoT platform and building scalable solutions for the IoT platform.
“I’m going to be talking about automating PKI for IoT platform and building scalable solutions for the IoT platform. So we have a lot of IoT devices that are being employed throughout the Internet. You have various connected vehicles, you have connected homes, you have connected cities – heck, you have even connected watches and everything else, right? But a lot of these devices don’t deploy security, meaning they’re subject to attacks. In 2015, for example, we saw attacks on various devices that include cars and medical devices and things like that. And in 2016 we even saw insulin pump taken over through a man in the middle attack where you could actually change the dosage and thus cause harm to the patient who’s wearing that insulin pump.”
“The question becomes: how do we secure these devices at scale when they’ve already been deployed or are being deployed as well as in an effective manner that can support manufacturers? ”
The rapid growth of the Internet of Things is outpacing security implementations, and the industry desperately needs to stem the tide of risks that come with it.
IDC estimates that, by 2020, the number of Internet-connected devices will surge past 200 billion. The sheer scale of this future Internet of Things means that it needs a strong security layer that is scalable, reliable and can be automated to meet the needs of a rapidly growing market.
Cryptography is one solution that can provide a strong security layer, with encryption and identity, at such a scale. And now, more than ever, security teams are looking to evolve public key infrastructure (PKI) to meet the challenges of IoT security.
In an RSAC TV interview during the 2017 RSA Conference in San Francisco, DigiCert VP of Emerging Markets, Jeremy Rowley, discussed what companies can do to better secure their Internet of Things devices using cryptography.
Medical devices can enter the organization through many different channels other than IT. Experts discuss medical device cybersecurity and the FDA’s guidance…The CISO at Intermountain Healthcare in Salt Lake City, Utah, explained that the influx of medical devices into health organizations, often without the knowledge of IT, may be adding to existing security problems. Experts agree that precautions concerning the cybersecurity of medical devices need to be taken on the part of the provider and the medical device manufacturer…
“What most healthcare [organizations] are doing right now is trying to wrap their arms around this new risk,” West said. “It’s significant.”
…”I think manufacturers have used the FDA potentially imposing additional regulatory burdens as a reason for not updating and doing patch management with their existing devices,” Nelson said. “But the FDA has now cleared this impediment.”
DigiCert announced the release of its DigiCert Auto-Provisioning solution to help appease the need for medical Internet of Things (IoT) device security. The tool provisions digital certificates at scale, regardless if an organization’s devices use open standards or support proprietary device enrollment protocols. The number of IoT and connected medical devices is rising rapidly and each device needs to be secured properly.
“Device authentication and encryption are critical to securing connected devices and the information they share, but many software implementations lack standard protocols for provisioning devices,” DigiCert CTO Dan Timpson said in a statement. “DigiCert Auto-Provisioning, powered by Device Authority, helps companies get certificates on a much wider range of IoT devices in a scalable, secure and automated way.”
The Food and Drug Administration’s recently issued final guidance on the post-market cybersecurity of medical devices outlines important steps that hospitals, clinics and others must take to better protect patient data and keep patients safe, say Karl West, CISO at Intermountain Healthcare, and Mike Nelson of DigiCert.
“An overarching theme of the guidance is to make sure a risk assessment is done, and for healthcare organizations … that’s a very important step in understanding the vulnerabilities and risks that are present in those devices,” Nelson points out in an interview with Information Security Media Group.
“Patient safety is, of course, a No. 1 risk and threat for us in cybersecurity with these devices, but at the same time, the security is critical because these devices can be leveraged and used as threat vectors to allow a [broader] breach,” West adds.
The modern IT landscape is filled full of secrets: There are certificates, SQL connection strings, storage account keys, passwords, SSH keys, encryption keys and more. And no matter what role one plays in the group—developer, admin, PKI manager—managing these secrets can become a high-stakes management headache.
Speaking at the DigiCert Security Summit 2017, Rashmi Jha, Microsoft program manager, said that getting a handle on secrets management is one of the No. 1 challenges in modern IT security. Too often, enterprises don’t even know when secrets are compromised, or even how they will be used—and it’s a self-inflicted issue.
There are thousands of medical devices in use today vulnerable to hacking. Hospitals, outpatient centers, healthcare practices and even patients in their homes use high-tech equipment every day to monitor care, improve patient outcomes, and save lives. However, these connected devices (and the data housed within them) are at risk for exploitation without proper authentication and encryption.
Speaking at the DigiCert Security Summit this week, Darin Andrew, senior PKI and solutions architect at DigiCert, and Scott Erven, senior managing director at PwC, ran through three common scenarios that leave these critical pieces of infrastructure wide-open to hackers—and how some of the danger can be mitigated using public key infrastructure (PKI).
As the number of connected devices rises toward an estimated 50 billion by 2020, security continues to lag behind—a lack of encryption, easy default passwords and a dearth of proper, automated user authentication plague the space. But the reason is simple—tools for doing this at scale are few and far between. DigiCert is tackling the issue with an Auto-Provisioning tool, powered by Device Authority.
With the continued push for interoperability and integration of EHRs into daily use, connected medical devices are quickly becoming more common tools for healthcare providers. However, similar to the way computer networks and systems can become vulnerable to data security issues, medical device cybersecurity threats can be especially dangerous for covered entities.
The Food and Drug Administration (FDA) monitors “reports of adverse events and other problems with medical devices” and has previously found potential cybersecurity issues in implantable cardiac devices. Healthcare organizations need to better understand the potential dangers of unsecured medical devices and ensure that they adhere to federal regulations while also staying mindful of recent guidelines designed to assist in creating strong medical device cybersecurity.
Starting in April, Oracle will treat JAR files signed with the MD5 hashing algorithm as if they were unsigned, which means modern releases of the Java Runtime Environment (JRE) will block those JAR files from running. The shift is long overdue, as MD5’s security weaknesses are well-known, and more secure algorithms should be used for code signing instead.
The CA Security Council applauds Oracle for its decision to treat MD5 as unsigned. MD5 has been deprecated for years, making the move away from MD5 a critical upgrade for Java users,” said Jeremy Rowley, executive vice president of emerging markets at DigiCert and a member of the CA Security Council.
ProtonMail, the privacy-focused email business, has launched a Tor hidden service to combat the censorship and surveillance of its users.
The move is designed to counter actions “by totalitarian governments around the world to cut off access to privacy tools” and the Swiss company specifically cited “recent events such as the Egyptian government’s move to block encrypted chat app Signal, and the passage of the Investigatory Powers Act in the UK that mandates tracking all web browsing activity”.
Speaking to The Register, ProtonMail’s CEO and co-founder Andy Yen said: “We do expect to see more censorship this year of ProtonMail and services like us…Given ProtonMail’s recent growth, we realize that the censorship of ProtonMail in certain countries is inevitable and we are proactively working to prevent this. Tor provides a way to circumvent certain Internet blocks so improving our compatibility with Tor is a natural first step.”
ProtonMail, the privacy-focused email business, has launched a Tor hidden service to combat the censorship and surveillance of its users.
The move is designed to counter actions “by totalitarian governments around the world to cut off access to privacy tools” and the Swiss company specifically cited “recent events such as the Egyptian government’s move to block encrypted chat app Signal, and the passage of the Investigatory Powers Act in the UK that mandates tracking all web browsing activity”.
Speaking to The Register, ProtonMail’s CEO and co-founder Andy Yen said: “We do expect to see more censorship this year of ProtonMail and services like us…Given ProtonMail’s recent growth, we realize that the censorship of ProtonMail in certain countries is inevitable and we are proactively working to prevent this. Tor provides a way to circumvent certain Internet blocks so improving our compatibility with Tor is a natural first step.”
The creators of encrypted email service ProtonMail have set up a server that’s only accessible over the Tor anonymity network as a way to fight possible censorship attempts in some countries.
ProtonMail was created by computer engineers who met while working at the European Organization for Nuclear Research (CERN). The service provides end-to-end encrypted email through a web-based interface and mobile apps, but the encryption is performed on the client side, and the ProtonMail servers never have access to plaintext messages or encryption keys.
On Thursday, Proton Technologies, the Geneva-based company that runs ProtonMail, announced that it has set up a Tor hidden service, or onion site, to allow users to access the service directly inside the Tor anonymity network.
The internet of things has drawn the attention of the White House and Congress amid growing concerns about the woeful state of IoT connected device security, most recently demonstrated when Mirai malware spread across botnets. Indeed, the lack of security in IoT devices portends a brave new world.
The concerns are warranted as the future of IoT presents millions of connected devices, each node gathering and storing its own individual data collections and sharing that information with other connected devices through wireless communication technology via the internet and the cloud. By infecting just one device and gaining unauthorized access to the network, a malicious actor can cause large-scale mayhem. Organizations must quickly figure out how to keep track of the IoT devices connected to their network and how to secure the transmission of data to and from those devices.
In today’s healthcare environment, practitioners are using state-of-the-art, high-tech equipment that delivers specialty services with better efficiency, accuracy, and overall quality. Using this technology, patients and doctors are also able to generate meaningful data that improves clinical outcomes and, ultimately, the patient’s quality of life.
Despite these improvements in the delivery of care, many healthcare experts are not aware of the vulnerabilities present in connected medical devices. Numerous devices lack proper authentication—the process of validating identities to ensure only trusted users, messages, or other types of services have access to the device. This allows untrusted users to gain access and potentially manipulate the device. Other devices lack basic encryption of the sensitive data being stored in or transferred from the device. These cybersecurity oversights can result in direct harm to the patients and healthcare providers using the devices…
This white paper discusses security risks inherent in IoT devices, and articulates how PKI can be used to mitigate these vulnerabilities and improve the security posture of connected medical devices.
Drones will start getting digital identification certificates under a new service being launched on Tuesday that hopes to bring trust and verification to the skies.
The Drone IDs will be SSL/TLS certificates from DigiCert issued through AirMap, a provider of drone flight information data, and will first be available to users of Intel’s Aero drone platform.
“We’re hoping that this can be used outside of just our services and help the industry raise the bar with respect to security,” said Jared Ablon, chief information security officer with AirMap.
The Certificate Authority Security Council (CASC) this week announced that the Code Signing Working Group released a set of minimal requirements that Certificate Authorities (CAs) should use for code signing…Microsoft, which has already adopted the new guidelines, will require all CAs that issue code signing certificates for Windows platforms to adopt the minimum requirements starting on Feb. 1, 2017.
Given that Microsoft’s Windows platform accounts for around 90% of the desktop operating system market, its decision to adopt the new guidelines and to ask CAs follow them is will likely have a great influence on other application software suppliers, which might follow suit, Jeremy Rowley, Executive Vice President of Emerging Markets, DigiCert, believes.
It’s a common sentiment of internet-connected device owners and even some manufacturers that the security of an individual device isn’t so important…Individual unsecured devices, especially consumer-facing ones, aren’t so dangerous by themselves, but they become more dangerous as a swarm. We witnessed just such a swarm on October 21, with the Mirai botnet assault on a portion of the Internet’s phone book (also known as a domain name server, or DNS) that shut down the internet on the East Coast.
When individual devices aren’’ secure, hacking into a large number of devices becomes as easy as hacking into one device. But a large portion of the threat can be mitigated if companies and developers follow security best practices, many of which are well established and can be practiced today.
It has been just over ten days since the massive Dyn Distributed Denial-of-Service (DDoS) attack that brought sites like Amazon and Twitter on their knees. The attack affected about 100,000 Internet of Things (IoT) devices and security firm Flashpoint has confirmed that some of the infrastructure responsible for the DDoS attacks against Dyn DNS were botnets compromised by Mirai malware. What is truly worrisome is that this could be sign of things to come.
We talk to Jason Sabin, Chief Security Officer at DigiCert on his thoughts on these attacks and what it means for the IoT devices sector. Jason frequently consults with device manufacturers on how to improve their security environment. He works closely with the DigiCert customers to develop innovative new platforms and features that simplify SaaS-based digital certificate management for the enterprise and IoT. He has filed more than 50 patents involving identity management and cloud security and many of Jason’s innovations are in use by several Fortune 500 companies today.
…While some streaming services have taken precautionary steps toward protecting consumers using streaming devices and systems, unfortunately many have not. Some still view security as an afterthought…To gain consumer trust, responsible organizations should take initiative to protect their media streaming service…
Security solutions need to be simple enough — even transparent — for users to actually use them. Companies like Plex have found solutions by partnering with a trusted certificate authority to implement PKI technology into their systems and platforms. Likewise, PKI can help solve the scalability challenges of IoT implementations that involve millions of connected devices and their associated credentials.
Interoperability for technology solutions is a top priority—standards used in these solutions become irrelevant when products operate in a silo. Thus, shifting to a new protocol in any solution takes careful consideration and collaboration by multiple parties in order to achieve a seamless operation.
One such protocol is Enrollment over Secure Transport (EST). EST provides secure digital certificate provisioning. Some of our products already support EST for digital certificates (e.g., Cisco IOS and IOS-XE), but EST endpoints don’t just operate by themselves. EST involves a certificate consumer and a certificate provider, usually called a Certificate Authority (CA). We needed to ensure that our EST solutions are compatible with third parties such as CAs, authentication servers, and endpoints.
To achieve that, Cisco collaborated with DigiCert to make sure Cisco’s EST implementations are interoperable with their CA. Today we want to share with you some lessons we learned from our testing.
Buying an Organization-Validated (OV) or Extended Validation (EV) SSL/TLS Certificate will enhance your website’s reputation, give customers the assurance they need to complete secure transactions with confidence, decrease cart abandonment rates, and build long-term customer loyalty…Establishing trust is mission critical…An SSL/TLS certificate provides the most basic level of trust—the padlock icon in the address bar of your customer’s browser…Not all SSL/TLS certificates are the same. Different kinds of certificates display different information. Some only show the domain name while others show more information about the company.
PKI is uniquely positioned to deliver on the necessary and critical security needs of the IoT. The Institute of Electrical and Electronics Engineers points out, “When you’re looking at authenticating devices, the only real standards at the moment that offer any real interoperability tend to be Public Key Infra- structure (PKI).”
Progress is finally happening in healthcare cybersecurity. Traditionally, healthcare has lagged behind other industries in enabling security controls, but amid reports of breaches, medical device vulnerabilities and the attention of federal regulators, innovative companies are advancing positive change.
Yet, legacy mindsets still threaten healthcare’s ability to stay ahead of evolving threats, especially as medical device manufacturers strive to innovate fast enough to address real security challenges. Medical industry boardrooms need to adopt policies that match today’s security landscape before patient harm or regulatory intervention forces their hand.
There are plenty of companies selling digital certificates to websites. Where DigiCert stands out is its focus on helping customers beyond that sale–from obtaining a certificate and its installation to monitoring and fixing any hiccups. “We help them control the entire certificate lifecycle, not just purchasing the certificate,” says DigiCert CEO Nicholas Hales.
The priority on service is true of DigiCert’s entire philosophy, Hales says, through every department and every employee.
“A lot of people look at customer service as strictly a number you call and someone answers the phone. That is customer service. A lot of companies look at it as a necessary evil,” he says. “We try to take the principles of the brick-and-mortar world in sales and marketing and bring them to the internet, where customer is king, and try to treat the customer as someone you’re providing the service to, not solving a problem for. So it’s not just the guy who answers the phone for support. It’s not just a guy who answers an email or message. It’s more than that: Every department within the company needs to be customer-centric and worry about what that customer experience is.”
“One of the keys to success is surrounding yourself with people who are brighter than you, who have knowledge in areas you don’t have.”
DigiCert has been named to the 2016 Online Trust Alliance (OTA) Honor Roll, marking the fifth consecutive year the company has been recognized for its leadership in online security and privacy.
“OTA commends DigiCert not only for achieving the Honor Roll for the fifth consecutive year, but more importantly, its commitment to collaboration in both the public and private sector,” said Craig Spiezle, Online Trust Alliance CEO and executive director in a press release.
Embedded device manufacturers have started focusing on devices that talk to each other — a car that knows when your musical choices based on your playlists on your mobile or a house that senses your mood based on your smartwatch notifications. Things are getting increasingly connected.
We are making our devices and our lives accessible but are we making them secure?…
The US Federal Trace Commission released guidelines for IoT manufacturers urges them to follow standards. Privacy Commissioner of Canada also seems to be taking note of the matter. Even though governments all over the world start to take cognizance of this threat, privacy experts warn users of trusting only certified and secure products from known vendors. The vendors need to increase their spending to get their IoT devices security audited and certified by trusted agencies. There are already IoT certifications being provided by companies like DigiCert that the vendors can aggressively use.
A recent Online Trust Alliance survey, sponsored in part by DigiCert, found that free e-file services may not be using best practices in security. The KSL-TV consumer team talks to DigiCert’s Flavio Martins about the report’s findings and what consumers can do to stay safe.
A recent Online Trust Alliance survey, sponsored in part by DigiCert, found that free e-file services may not be using best practices in security. The KSL-TV consumer team talks to DigiCert’s Flavio Martins about the report’s findings and what consumers can do to stay safe.
Interview with Jason Sabin, Chief Security Officer of DigiCert:
Security is a very important yet often overlooked component to online safety, especially with how easy it is to access sensitive data over bits and bytes and through vulnerabilities that have been exposed through code leaks. Jason Sabin came into his role at DigiCert, a certificate provider offering SSL, TLS, and PKI expertise, through unconventional means, but he’s passionate about what he’s done. It’s been great to learn about his business and DigiCert’s core competencies.
"TLS and SSL are a critical backbone of Internet communications today. Without them, you’d be open to a lot of vulnerabilities and problems,” says Jason Sabin
"As a go-to provider of IoT security solutions, we feel very confident of our growth prospects and our ability to provide the best certificate-based security solutions. The smartest companies are coming to us, and we’re working with them."
If you’re planning on filing your taxes online, caution is advised. An audit released this week by Internet security nonprofit the Online Trust Alliance found that 46 percent, or 6 out of 13 tax software websites in an IRS program, failed cybersecurity protocols. The websites are part of IRS Free File program, which lets anyone who made under $62,000 in 2015 file taxes electronically for free…Some of the websites had issues with lack of email authentication, according to the OTA, which lets cyber criminals send out phishing emails, fake emails purporting to be from a company. Other sites had vulnerabilities that could lead to personal information being stolen.
According to an independent survey by IDT911, a data security firm, some 63 percent of U.S. taxpayers polled believe that tax fraud "could never happen to me" — and aren’t that concerned by the prospect. The study also found that nearly 20 percent of U.S. filers haven’t ensured their wireless networks are secure when filing online.
"The sophistication of cybercriminals is a lot more advanced than a few years ago. It’s hard for the average consumer to tell [if a website or email is legitimate]," said Jason Sabin, chief security officer at DigiCert, a technology security firm…"This is not like school. Everyone can and should be on honor roll," Sabin said in a phone interview.
To protect personal data when e-filing taxes, experts suggest users look for clues that the website you are using is encrypted. Most browsers display either green in the browser bar, or a closed lock symbol, that shows users the site is secure.
Nearly half the firms that have agreements with the Internal Revenue Service to provide online tax-preparation and filing services are failing to protect customers’ privacy and security, according to an audit scheduled to be released Wednesday.
The audit by the nonprofit OnlineTrust Alliance found that six out of 13 firms, including Jackson Hewitt and Free 1040TaxReturn.com, don’t provide adequate security against cybercriminals. Seven firms, including Turbo Tax, H&R Block, TaxAct and TaxSlayer were praised for their practices and named to an "Honor Roll".
The group did the audit in early February. It was funded in part by grants from three cybersecurity firms, including DigiCert Inc.
Momentum is building toward finding a way to fix security vulnerabilities in wireless medical infusion pumps, which are widely used in the nation’s hospitals.
The National Institute of Standards and Technology (NIST) is mounting the charge, announcing in late January that it’s looking for technology companies to participate in a collaborative project to improve the security of wireless infusion pumps.
Manufacturers are aware of the concerns and have been working toward reducing the risks, says Mike Nelson, vice president of DigiCert, a company that provides security and identity solutions. "I do think the issue is very real, and there is a real risk of introducing a ‘back door’ into a hospital network. All these vulnerabilities need to be addressed."
With all the benefits of IoT in healthcare also come the risks. A group of experts discuss exactly what those dangers are and what to do about them: Mike Nelson, Karl West, and Scott Erven.
In healthcare, the Internet of Things offers many benefits, ranging from being able to monitor patients more closely to using generated data for analytics.
But that increased flow of information also brings risks that health IT professionals need to address.
"There are so many benefits that come with these new connected devices," said Mike Nelson, vice president of healthcare solutions at DigiCert…"But they also present some new risks and vulnerabilities that as an industry we haven’t, I would say, firmly dealt with to this point."
On the morning of Jan. 1, 2016, anyone with a cell phone more than five years old will be unable to access the encrypted web – which includes sites like Facebook, Google, and Twitter – according to a new plan to upgrade the way those sites are verified.
It might not be a big deal in New York or San Francisco, where a 5-year-old phone is treated as an antique, but in some parts of the developing world up to 7% of internet users could find themselves suddenly cut off from the world’s most popular sites, according to research recently published by Facebook and CloudFlare.
Jeremy Rowley, a CA/Browser Forum representative for DigiCert, a major certificate-issuing authority, told BuzzFeed News that while the group sees the move to SHA-2 as necessary from a security standpoint, it sees the points raised by Facebook and CloudFlare as valid.
"We support Facebook’s recommendation that there should be something to do rather than cutting out all these people at the same time," said Rowley. He said Facebook was expected to submit a timeline for its proposal by the end of the working day Monday, but by 5 p.m. PST, it was unclear if Facebook’s proposal has been finished.
While fitness trackers, smartwatches and even smart clothing can make for fun presents, experts say consumers should keep the devices’ potential security weaknesses in mind while shopping. Most wearable devices connect to the Internet or are Bluetooth enabled, meaning they could be vulnerable without safeguards like data encryption and authentication.
Jason Sabin is the chief security officer at Utah-based DigiCert, which provides SSL certificates – recognizable as the padlock that shows up on secure websites — for organizations that include Facebook, PayPal and NASA. He said that as an avid runner he likes the idea of a lot of wearable devices, but that as a security expert the lack of protection scares him.
The predominant theme at the DigiCert Security Summit Nov. 12–13 in Las Vegas was improving the usability of security solutions for the Internet of Things, (IoT), enterprises and end-users.
Many of the discussions at the Security Summit focused on protecting data in the era of the IoT, as the number of connected objects and devices is expected to increase exponentially in the next five years.
"The IoT introduces a new scale for security, one that we’re prepared to help organizations efficiently implement," said Jason Sabin, DigiCert chief security officer. "Express, automated installation and real-time certificate monitoring and inspection provide organizations the scalabilities, efficiencies and real-time insights into their systems that make strong security of devices and data in motion feasible. Leading organizations know that device authentication and data encryption are must-haves for the IoT era."
Think back to the height of the Cold War. As the US and the Soviet Union amassed huge stockpiles of weapons, the real battle was waged with information…Flash forward to today, and we see a battle of information and identity between organizations and attackers trying to steal personal information that they can turn around and sell. Nowhere is the risk greater than with the exploding Internet of Things (IoT) market. The threat vector is expanding…Encrypting all data is vitally important, but we have to make sure that the encrypted data ends up in the right hands. Hence, the importance of high-assurance identity binding to accompany security credentials online.
Medical device security is quickly becoming one of the top issues in the healthcare industry, especially as more healthcare providers implement connected devices. Organizations must ensure that everything from an X-ray machine to MRIs and even pace makers have the necessary security solutions in place to prevent unauthorized access.
General best practices for security devices, vulnerability testing, and the responsibility of medical device security are three main issues, according to DigiCert VP of Healthcare Solutions Mike Nelson. DigiCert is hosting a Security Summit November 12 and 13, with Nelson moderating a panel discussing medical device security. "An issue right now not just with devices being manufactured, but also with Legacy devices that exist within hospitals right now," Nelson said in an interview with HealthITSecurity.com. "The question is, ‘Whose responsibility is it to secure those devices?’"
With the efforts from Facebook and the Tor project, it should become easier to browse securely via SSL on the so-called Darknet. It’s not clear, in practice, if obtaining an SSL certificate for a .onion site will now be as standard as doing the same for a .com or .net. But DigiCert, the certificate authority that worked with Facebook on its .onion SSL certificate last year, expects to see more requests. Obtaining an SSL certificate for a .onion site also isn’t as simple as it is for a regular site. “.Onion sites may only obtain EV certificates. EV Certificates require a high-level of identity validation that ties an existing, registered, entity to the certificate’s public key,” Rowley said. “This is a far greater level of scrutiny than what most .com and .net sites go through to obtain a certificate.”
Even though it’s only early October, if your online retail business isn’t already gearing up for the holiday season, you may miss out on revenue. So what should you and your staff be doing now to ensure your ecommerce store is able to handle the extra holiday-related traffic? Following are 16 tips from ecommerce, security, and digital marketing pros on how to make sure your online store is prepared for the Hanukkah/Christmas/Kwanzaa shopping season.
Security is top of mind for many online shoppers these days. So "installing a high-assurance SSL/TLS certificate on your website is a must," says Flavio Martins, vice president of Operations, DigiCert.
Article by Scott Rea vice president of government and education relations and senior PKI architect at DigiCert:
Our healthcare system is often too wasteful and inefficient, placing a strain on patient outcomes and the federal budget. The Center for Medicare & Medicaid Services alone is burdened with $50 billion a year just in wrong payments. We’re in need of a major step forward using modern technology to provide efficiencies, and Direct messaging is the solution.
Direct messaging continues to grow because of its simplicity of use and interoperability via a standardized framework put in place by DirectTrust. The benefit of "Direct" is that it supports whatever data formats are already being used by provider EHRs. The focus is on securing the transport method, irrespective of what the message content is. Direct messaging, as prescribed by DirectTrust, utilizes military grade public key infrastructure to give providers, payers, clinics, and all healthcare parties a secure channel to communicate via simple e-mail protocols.
During the AdvaMed 2015 panel on cybersecurity, enticingly titled "The Hidden Life of Medical Devices," Vice President of Government/Education Relations and Senior PKI Architect for DigiCert Inc. Scott Rea reminded attendees not to forget these threats. "We shouldn’t lose sight of how the health industry has traditionally been slow on the best ways to serve patients because of perceptions of cybersecurity," Rea, an expert in and an advocate for advancing healthcare IT security, said. "As healthcare begins to embrace these things, we mustn’t lose sight of the fact that there are malicious groups out there ready and waiting to take advantage."
Private equity firm Thoma Bravo is once again wading into the security arena, this time picking up a majority interest stake in security vendor DigiCert. As part of the deal, in which financial terms have not been publicly disclosed, Thoma Bravo is acquiring the majority interest in DigiCert, with existing shareholder TA Associates remaining on-board as a minority shareholder. Current management at DigiCert will remain in place to oversee day-to-day operations. "We look forward to adding Thoma Bravo’s strategic insight and influence as we embark on our next phase of growth," Nicholas Hales, CEO at DigiCert, said in a statement.
The cyber sector is white hot. According to IDC, the hot areas for growth are security analytics/SIEM, threat intelligence, mobile security, and cloud security. Corporations are investing heavily in these areas to combat cybercrime. Here’s some noteworthy mergers and acquisition activity to report over the recent quarter (Q2 2015): DigiCert, a global Certificate Authority and leader of trusted identity solutions, acquires the CyberTrust Enterprise SSL business from Verizon Enterprise Solutions. Financial terms of the deal were not disclosed. The acquisition makes DigiCert the second-largest Certificate Authority (CA) for high-assurance SSL certificates.
Back in the old days – say, a whole 10 years ago – thieves had to be physically inside a healthcare facility to steal patient information. How times have changed.
Now, with the Internet and the seeming lack of consistent implementation of online security best practices when it comes to patient information, we’re making things much easier for attackers. The proof is in the data. Gartner research conservatively estimates close to 40 million health care records have been breached to date. That’s likely a conservative figure, given that breaches of fewer than 500 records are not required to be reported.
Avivah Litan, cybersecurity analyst at Gartner, told the Associated Press after the Anthem hack, "The healthcare industry is generally about 10 years behind the financial services sector in terms of protecting consumer information."
Logjam reminds us of the new reality we face in needing to continuously monitor and manage our SSL/TLS deployment. While many may wish it weren’t so, it’s critical that we pay more attention to digital certificates and secure server configuration and apply updates immediately. Recent reports show that a large number of Fortune 2000 companies still have not taken every step to remediate Heartbleed threats to their servers.
We’ve seen a rising tide of hacks in recent years, occurring in part because most businesses have no clue how to smartly manage their certificate landscape. With Google’s Certificate Transparency (CT) and new tools to continuously monitor certificate deployment, we can do better. There’s no reason not to know about vulnerable deployments and fix them. It’s time to stem the tide.
Smart clothes are increasingly where it’s at and where the industry is headed – a growing universe of garments made from fabric that’s wireless, washable and that integrates computing fibers into the integrity of the fabric. As just one indicator of how big this market may soon be, Google announced a partnership recently with the iconic clothing maker Levi’s. With such progress however, comes security issues and concerns. "A lot of this stuff is being done insecurely. Now we’re connecting millions of devices, such as smart clothing and wearables, and a lot of it is insecure," says DigiCert CSO Jason Sabin, whose company is discussing security solutions with many IoT companies.
With the use of mobile devices booming, and attacks against government networks and business databases escalating, data security has become a hot topic for IT system managers and users alike. Today’s technology advances have spurred a number of solutions to meet the requirements and the pockets of everybody who needs to secure a machine, from a simple home computer, to the most sophisticated networks. Sorting through so many different solutions, however, can be overwhelming. "Recent security breaches in multiple industries – including entertainment, retail, and healthcare — tell us that large enterprises are not paying enough attention to security best practices," says Dan Timpson, CTO at certificate authority DigiCert.
Capital One, JPMorgan Chase, Suntrust, Wells Fargo — none of them use what’s commonly referred to as the “best practice” in the industry when it comes to Web security. The worst offenders are HSBC and TD Bank. Their homepages don’t even secure private connections with customers, who might be unwittingly logging into fake websites run by cyberthieves. The only banks that do it right? BNY Mellon (BK) and PNC (PNC). DigiCert CSO Jason Sabin said banks "should be using https throughout their site. It doesn’t cost any more."
DigiCert today announced that it is acquiring the CyberTrust Enterprise SSL business from Verizon Enterprise Solutions. The acquisition, the financial terms of which are not being publicly disclosed at this time, will further bolster DigiCert’s customer ranks, while providing new security certificate options to Verizon’s customers.
Global Certificate Authority (CA) DigiCert announced on Tuesday that it has acquired the CyberTrust Enterprise SSL business from Verizon Enterprise Solutions. The acquisition will help DigiCert become the second-largest CA for high-assurance SSL Certificates, behind industry leader Symantec. As part of the deal, Lehi, Utah-based DigiCert will assume management of the CyberTrust trusted roots and intermediate certificates.
IoT, with its tiny screens & headless devices, will drive an authentication revolution. It’s a short leap from the kind of two-factor authentication used on the Apple Watch to proximity-based authentication that does away with any user interaction. Passwords are just the canary in the coalmine. “Maybe authentication becomes the way you walk as a person, or how you interact with the environment around you,” Jason Sabin said. “My shoes, my phone, my watch, my clothing – those could be another form of identification to prove that I am ‘Jason.'”
DigiCert’s SSL/TLS Internet of Things (IoT) solution will address tens of millions of Plex media servers and clients—making it one of the largest implementations of publicly trusted certificates to date. From now on, every Plex video and music streaming packet leaving and entering a user’s network is encrypted, and its recipient verified.
eWeek’s Sean Kerner sits down for a video interview with DigiCert CSO Jason Sabin to discuss SSL/TLS security and DigiCert’s efforts to improve security operations and standards for all. He also discusses DigiCert’s work to simplify certificate management for the enterprise.
When it comes to medical records, there is no lack of people with bad intentions trying to get their hands on that information. Unless healthcare organizations use available technology to protect this data flowing over the Internet, we are bound to witness more attacks like those that struck Anthem and Premera.
DigiCert is one of just two providers approved to provide digital certificates to verify signatures in NFC tags. This greatly enhances security. Learn more about the technical specification that DigiCert helped create and how it benefits consumers.
Digital certificates are a large part of what makes a secure web page/site secure. A certificate is a file that the website provides the browser. Certificate files serve two main functions, encryption and authentication…Domain Validation certificates are cheap, issued quickly and come with no practical trust. Extended Validation certificates cost more, take time to issue and are far more trustworthy.
DigiCert, a leader in SSL Certificate trust, today is announcing new ways to automate SSL certificate installation and server configuration while helping enterprises detect certificate fraud. Certificate Monitoring parses data from Google Certificate Transparency (CT) logs and proprietary DigiCert systems to give enterprises unparalleled insight into certificates issued for their domains, along with phishing detection. Express Install, unlike any other utility available, simplifies and automates SSL installation and server configuration for Windows servers and top Linux distributions.
CAs hold the security and trust of the Web in their hands, and issues like an intermediate CA associated with Chinese certificate authority CNNIC mis-issuing certificates for Google domains haven’t helped reinforce that trust. To help address the problems, CA DigiCert is introducing a new platform that enables continuous monitoring of all of an organization's certificates to protect against fraudulent certificate issuance, theft and other abuses of the system. The platform is based on DigiCert's participation in Google’s certificate transparency scheme, which creates public logs of issued certificates.
Learn more about DigiCert and some of the unique things we’re doing to affect change in the SSL industry.
Making sure that Secure Sockets Layer (SSL) certificates are authentic and have not been improperly issued is a challenge the Google-led Certificate Transparency effort is aiming to help solve. Multiple vendors now supporting the Certificate Transparency effort include certificate management vendor Venafi and certificate authority (CA) DigiCert. The Certificate Transparency initiative requires CAs to publish certificate information to a minimum of three log servers. CAs are the trusted authorities that can sell and manage SSL certificates.
Over the past few years, there have been several fake SSL wildcard certificates created, due to lapses at certificate authorities (CAs) and sometimes through compromised server infrastructure. These fake SSL certificates can be utilized to masquerade as legitimate, secure websites, appearing to be verified and authentic, fooling web browsers, so users can’t tell that a site they’re visiting is not secure.
The Certificate Transparency scheme proposed by Google engineers has taken a couple of significant steps forward recently, with the approval of the first independent certificate log and the passing of a deadline for all extended validation certificates to be CT-compliant or lose the green indicator in Google Chrome. On Jan. 1, a CT log operated by DigiCert, a Utah certificate authority, became operational, making it the first non-Google CT log to be approved. The approval is an important step, as part of the CT scheme requires that two-year extended validation certificates have proofs from three separate logs. Google currently operates two logs of its own.
Mozilla is planning to add support for Certificate Transparency checks in Firefox in the near future, but the company says that the feature won’t be turned on by default at first. Certificate Transparency is a proposal from engineers at Google that would help resolve some of the issues with certificate authorities, fraudulent certificates and stolen certificates. The framework would provide a public log of every certificate that’s issued by compliant CAs and also would provide proof to users’ browsers when each certificate is presented. Google is planning to implement CT in Chrome, and now Mozilla officials say that the company will implement in Firefox, but the process will be a gradual one.
UK-based Bitcoin wallet provider Blockchain has a new .onion address and, like Facebook, it’s got itself a signed SSL certificate to validate its hidden website in an effort to combat thefts against its users. Blockchain, the maker of the world’s most popular Bitcoin wallet, has followed Facebook down the path of the so-called ‘dark web’ — where sites or hidden services with a .onion suffix are not accessible by standard web browsers. Onion addresses are referred to as the dark web, in particular when law enforcement links a Tor hidden service to more nefarious activities on the web, such as those the alleged operators of the recently seized Silk Road and Silk Road 2.0 marketplaces have been accused of. Facebook’s arrival as a hidden service illustrated they could also facilitate access to a site from nations where it is censored, such as China and Iran. Blockchain’s hidden service on the other hand was a response to a spate of attacks on users of its wallet who’d accessed its site through the The Onion Network (Tor) browser.
Over the past couple of weeks there has been a marked increase in the number of man-in-the-middle (MITM) attacks against Tor users of web based Bitcoin wallet provider Blockchain.info. One user reported 63 bitcoin stolen, and there were many other examples as the thefts continued despite warnings to users. The attacks were so successful that Blockchain resorted to blocking all traffic to the wallet service from Tor exit nodes.
Believe most of you are aware that SHA-1 SSL certificates are going to be discontinued by Microsoft after 2016. As we all know that SHA-1 is the commonly used certificate and most of the websites out there in the Internet are using this Cert and also this is the common Certificate that is used inside most of the Organizations. I am writing this post today to refer and remind you up on this critical update to begin your Cert upgrades to supported SHA-2 SSL certificates proactively and point you to the vital resources well written and available in the community by Technical Experts and vendors for better understanding on the topic.
Following a recommendation by the National Institute of Standards and Technology (NIST), Microsoft will block Windows from accepting SSL certificates encrypted with the Secure Hash Algorithm-1 (SHA-1) algorithm after 2016. Given the number of mission-critical SSL certificates that are allowed to expire from inattention, administrators have their work cut out for them. By knowing what will happen, why it’s happening, and what you need to do, you won’t be surprised by these important policy changes.
In an unusual move, retail groups from across the U.S. sent a letter to Congressional leaders that urged them to pass federal data protection legislation that sets clear rules for businesses serving consumers. The letter, dated November 6, was addressed to the majority and minority party leaders of the U.S. Senate and the House of Representatives and signed by 44 state and national organizations representing retailers, including the National Retail Federation, the National Grocers Association, the National Restaurant Association and the National Association of Chain Drug Stores, among others.
(Emirates News Agency (WAM) (United Arab Emirates) Via Acquire Media NewsEdge) One of the longest running jokes in the security industry is that each coming year finally will be The Year of PKI. While that one huge year never materialized, the use of PKI and digital certificates has become an integral part of how the Internet works today. But there are some challenges on the horizon that will need some innovative solutions.
Certificate authority DigiCert is considering issuing SSL certificates to more Tor .onion address owners after recently providing Facebook with one. However, SSL certificates for pseudo-top-level domains like .onion that don’t actually exist on the Internet are in the process of being phased out and the Tor Project has not yet decided if Tor websites getting SSL certificates is a good thing.
Tor hidden services use URL addresses that end in .onion, a suffix that does not exist in the Internet’s DNS root zone and is not a TLD recognized by the Internet Corporation for Assigned Names and Numbers. As such, these addresses only resolve within the Tor network through a private DNS-like system. The internal use of made-up TLDs like .onion is not something specific to Tor. Organizations have used pseudo-TLDs like .local, .lan, .corp, .priv and others on their internal networks for a long time, even though it is not a recommended practice.
Last week, Facebook made its website accessible inside the Tor anonymity network by setting up a so-called Tor hidden service with the facebookcorewwwi.onion address. The company described it as an experiment that will provide Tor users with end-to-end communication, from their browsers directly into a Facebook data center, avoiding third-party exit nodes.
LAS VEGAS–The Internet that we use today was not designed as a cohesive network. It was put together from found bits and pieces over the course of the last few decades, and, as major bugs such as Heartbleed and others have shown, it’s a frighteningly fragile construction. Attackers know this as well as anyone, and they’ve certainly made a lot of hay in recent years exploiting the fundamental weaknesses of the Internet. Serious flaws in protocols such as SSL, the DNS system and other key pieces of the Internet’s infrastructure have made life easier for the bad guys. But that doesn’t have to continue, experts say.
Dennis Fisher talks with Jeremy Rowley of DigiCert about the company’s decision to issue a certificate for Facebook’s .onion site, the challenge of key protection in today’s environment and what the near future holds for PKI.
LAS VEGAS–One of the longest running jokes in the security industry is that each coming year finally will be The Year of PKI. While that one huge year never materialized, the use of PKI and digital certificates has become an integral part of how the Internet works today. But there are some challenges on the horizon that will need some innovative solutions.PKI was developed at a time when having digital certificates in TVs and cars would have seemed absurd. But it’s no longer just Web servers, mail servers and the core network infrastructure that’s in play. Now, the range of devices that use digital certificates includes WiFi routers, mobile devices and many others.
LAS VEGAS–Nick Percoco has been thinking a lot about the future of technology, and some of the things he’s dreamed up aren’t very pretty: farms of people renting out their spare brain cycles, autonomous cars that freak out and careen into oncoming traffic and hacking groups hijacking users’ augmented reality gear and demanding ransoms to unlock them.That’s a fairly dark, dystopian view of what’s awaiting us in the coming decades, but it’s not necessarily the way that Percoco believes it has to be. Rather, he believes there’s plenty of time, talent and technology available to solve the fundamental security and reliability problems that could lead to that dim future. Percoco, a security researcher and vice president of strategic services at Rapid 7, said that the brighter, technologically slick future he imagined as a young boy first learning about computers is still a possibility.
Certificate authority DigiCert is considering issuing SSL certificates to more Tor .onion address owners after recently providing Facebook with one. However, SSL certificates for pseudo-top-level domains like .onion that don’t actually exist on the Internet are in the process of being phased out and the Tor Project has not yet decided if Tor websites getting SSL certificates is a good thing. Last week, Facebook made its website accessible inside the Tor anonymity network by setting up a so-called Tor hidden service with the facebookcorewwwi.onion address. The company described it as an experiment that will provide Tor users with end-to-end communication, from their browsers directly into a Facebook data center, avoiding third-party exit nodes.
News broke last week that Facebook had built a hidden services version of its social network available to users browsing anonymously via the Tor Project’s proxy service. Unlike any .onion domain before it, Facebook’s would be verified by a legitimate digital signature, signed and issued by DigiCert.What this means is that Tor users could be certain that when they connect to Facebook’s hidden services site in the .Onion top level domain, they were in fact communicating with the real Facebook as opposed to a domain controlled by an unknown third party.
Increasingly, leading companies are providing their employees with work/life balance, including the ability for working dads to enjoy workplace flexibility and be more involved in their children’s lives. A multi-year winner of the Alfred P. Sloan Award, DigiCert values its employees attention to their families’ needs and strives to provide a flexible, supportive work environment.
POODLE, or Padding Oracle On Downgraded Legacy Encryption, is a newly disclosed vulnerability in the legacy SSL 3.0 protocol that could be exposing users of newer Transport Layer Security (TLS) encryption protocols to risk. Google disclosed the POODLE vulnerability, also identified as CVE-2014-3566, in a research paper. If exploited, the POODLE flaw could potentially enable an attacker to access and read encrypted communications.
“Using the DigiCert® SHA-1 Sunset Tool, administrators can determine validity periods for their SHA-1 SSL certificates and receive information about how Google’s new policy will affect user interaction with these certificates. DigiCert issues new certificates with SHA-2 by default and has done so for nearly a year. For those choosing to migrate their existing SHA-1 to a new DigiCert-issued SHA-2 certificate, DigiCert will provide a free replacement matching the length of the existing certificate licensing term, regardless of whether or not they are a DigiCert customer.”
No ecommerce site is perfect, especially when it first goes live. Even if you choose a seemingly straightforward or turnkey ecommerce solution, problems are bound to occur. And while it’s hard to predict problems, there are certain common ecommerce problems, say the experts, which can be prevented — or fixed relatively easily. Here are 11 of the most common ecommerce mistakes — and how to avoid or fix them.
Continue reading at NetworkWorld
Continue reading at ITWorld
Continue reading at ITNews
“As security professionals put in place the final patches to fix the Heartbleed bug, I think network administrators have a unique opportunity to look beyond Heartbleed to close the unintentionally self-inflicted SSL implementation vulnerabilities within their control.”
“Discover all certificates on network. Identify potential certificate and endpoint configuration vulnerabilities, such as weak keys, problematic ciphers and expired certificates. For each detected vulnerability, receive list of remediation activities.”
“DigiCert announced DigiCert Certificate Inspector, a tool designed to quickly find problems in certificate configuration and implementation, and provide real-time analysis of an organization’s entire certificate landscape, including SSL termination endpoints. ”
“There are a number of different ways to ensure application security in the modern IT environment. One of them is by starting right at the source, by enabling application developers to digitally sign their code, in an effort to guarantee the integrity and authenticity of a given application.”
“DigiCert, Inc., a leading global authentication and encryption provider, announced today that it is the first Certificate Authority (CA) to implement Certificate Transparency (CT). DigiCert has been working with Google to pilot CT for more than a year and will begin adding SSL Certificates to a public CT log by the end of October.”
“If you’ve ever shopped online, and chances are you have, you’ve probably noticed, or been told to look for, certain indicators that you have a secure Web connection. For many years, the primary indicator was a padlock at the bottom of your browser screen. Now, the padlock is likely to be found in the address bar up top. Sometimes the address bar itself will turn a different color (usually green) when you enter a secure website.”
“The intensity and sophistication of cyber-attacks are making it increasingly difficult for small businesses to protect sensitive information online. By implementing the simple steps below, small business owners can build trust and loyalty by ensuring their website is safe for customers to visit, search, enter personal information or complete a transaction.”
“By deploying DigiCert’s dual-mode data certification, DataMotion will make secure messaging quicker through the federal government’s Direct Project data-transfer protocol.”
“DigiCert and DataMotion announced a partnership this week in which DataMotion will issue certificates to healthcare customers using DigiCert as part of the DirectTrust Transitional Trust Anchor Bundle.”
Plans to populate the Internet with dozens of new top-level domains in the next year could give criminals an easy way to bypass encryption protections safeguarding corporate e-mail servers and company intranets, officials from PayPal and a group of certificate authorities are warning.
The introduction of Internet addresses with suffixes such as “.corp”, “.bank”, and “.ads” are particularly alarming to these officials because many large and medium-sized businesses use those strings to name machines inside their networks. If the names become available as top-level domains to route traffic over the Internet, private digital certificates that previously worked only over internal networks could potentially be used as a sort of skeleton key that would unlock communications for huge numbers of public addresses.
“The primary concern is the speed at which these new gTLDs are going to be adopted by ICANN without giving enough consideration to the potential impact on security and established networks,” Jeremy Rowley, the associate general counsel for certificate authority DigiCert, told Ars. “I don’t think they have an accurate understanding of the number of internal server names [and] internal networks that are out there and the number of certificates that have been issued to those networks.”
“Giving consumers the assurances they need to know they’re securely sending their private information to your business.”
DigiCert is highlighted on CareerBliss’ list of companies who are changing the way their employees use their time off. PTO at DigiCert helps employees strike a work-life balance.
“Certificate authority DigiCert announced on Tuesday at HostingCon 2012 that its high-assurance certificates are now available for web hosts to resell.”
The free SSL Discovery Tool from DigiCert is an automated certificate finder that will help any user locate and catalog all the active digital certificates in their inventory.
DigiCert announces that Nicholas Hales has been appointed as its new CEO while Ken Bretschneider, DigiCert’s founder, has been named the Executive Chairman of the Board.
DigiCert founder and Executive Chairman of the Board, Ken Bretschneider, was recently featured in the Utah Business Magazine for being a Finalist in the Ernst & Young Entrepreneur of the Year Award.
Global analyst group Frost & Sullivan recognizes DigiCert for its flexible, value-added features and industry leading customer support.
Utah Business Magazine has honored DigiCert’s VP of Marketing, Travis Tidball, with its first annual Sales and Marketer of the Year (SAMY) Award for 2012.
