Russia to create its own security certificate authority, alarming experts

Russia responds to economic sanctions hobbling renewals of its Internet security certificates by saying it will create its own.

The post Russia to create its own security certificate authority, alarming experts appeared first on CyberScoop.


Mimecast confirms SolarWinds attackers breached security certificate, ‘potentially exfiltrated’ credentials

Email security firm Mimecast on Tuesday confirmed that the hackers behind the SolarWinds espionage campaign compromised a software certificate the firm uses to secure connections to Microsoft cloud services. The revelation underscores how deeply embedded the suspected Russian hackers have been in major technology companies as part of a campaign that has also breached multiple U.S. federal agencies. The hackers may have exfiltrated “certain encrypted service account credentials created by customers hosted” in the U.S. and the U.K., the new Mimecast statement reveals. The company said it wasn’t aware of the hackers decrypting or abusing any of the stolen credentials. But it still told its U.S. and U.K.-hosted customers to reset their credentials as a precaution. Mimecast, which says it has 39,000 customers around the world, offers an attractive target for spies looking to burrow into high-value organizations. A stolen software certificate of this type could allow an intruder to […]

The post Mimecast confirms SolarWinds attackers breached security certificate, ‘potentially exfiltrated’ credentials appeared first on CyberScoop.


A phishing campaign with nation-state hallmarks is targeting Chinese government agencies

Hackers with possible ties to an advanced persistent threat (APT) group are trying to steal usernames and passwords of Chinese government officials as part of an apparent cyber-espionage effort, according to findings provided exclusively to CyberScoop prior to scheduled publication Thursday. Researchers from the threat intelligence company Anomali have uncovered malicious websites with registrations dating back to November 2018 that impersonate email login pages from the Chinese Ministry of Foreign Affairs; China’s National Development and Reform Commission, an economic management agency under the State Council; and the National Aero-Technology Import and Export Corporation, a Chinese state-owned defense company. While it’s not clear who exactly is behind the effort, CyberScoop independently verified the findings with three external threat intelligence practitioners, two of whom said with confidence the attack resembles a nation-state effort. All three spoke only on the condition of anonymity because they were not authorized to speak to reporters. Upon […]

The post A phishing campaign with nation-state hallmarks is targeting Chinese government agencies appeared first on CyberScoop.


‘Critical’ flaw in apps for Sennheiser headphones allows certificate access

Two applications developed by German electronics company Sennheiser contain vulnerabilities that could make it possible for hackers to forge digital certificates and impersonate legitimate websites. Sennheiser’s two apps, HeadSetup and HeadSetup Pro, installed certificates on users’ computers then failed to secure the key, according to a vulnerability report published Wednesday by the German security consulting firm Secorvo. The mistake means that hackers could decrypt the key and use the certificate, a means of digital authentication, to monitor victims’ traffic and launch man-in-the-middle attacks. “We found — caused by a critical implementation flaw — the secret signing key of one of the clandestine planted root certificates can be easily obtained by an attacker,” the Secorvo report states. “This allows him or her to sign up and issue technically trustworthy certificates. Users affected by this implementation bug can become victim of such a certificate forgery, allowing an attacker to send e.g. trustworthy signed […]

The post ‘Critical’ flaw in apps for Sennheiser headphones allows certificate access appeared first on Cyberscoop.


Pentagon lays out plan to secure websites in response to lawmaker inquiry

The Department of Defense says it has a plan to make sure that all of its public-facing websites are configured in a way that doesn’t put the security of their visitors at risk. In a letter responding to a lawmaker dated July 20, DOD Chief Information Officer Dana Deasy wrote that the department plans by the end of 2018 to fix issues with trust certificates and encryption that are present across many websites affiliated with it. Certain issues will take longer, he said, but will at least have a definitive plan by the end of the year. “The Department is working hard to ensure DoD inspires trust among citizens and partners in its digital interactions across our missions, business, and entitlements roles,” Deasy wrote. Deasy laid out the plan in response to a May letter from Sen. Ron Wyden, D-Ore., that raised questions about the issue of insecure websites. Wyden initially […]

The post Pentagon lays out plan to secure websites in response to lawmaker inquiry appeared first on Cyberscoop.


Explained: security certificates

Do you want to know how security certificates work? Let us show you how malware can abuse the certificate system to block you from downloading and/or running your favorite software.

Categories: Security world, Technology
Tags: Pieter Arntz, security…

Mozilla weighs following Chrome in mistrusting Symantec certs

Mozilla, maker of the open-source browser Firefox, is weighing whether to join Google’s Chrome in its crusade against Symantec. A Mozilla blog post says Chrome engineers are correct in their assessment of the problems with Symantec-issued internet security certificates, but they may have gone too far by proposing to distrust them. Security certificates underlie the little green padlock in the browser address bar that tells consumers it’s safe to shop and bank online. It’s a high-stakes game — if Chrome goes ahead with its plan to progressively stop trusting the certificates, its users will see a warning message or might even be blocked from visiting e-commerce sites that use Symantec certificates. And currently, that’s at least a third of the internet. But the more browsers that join Chrome in distrusting Symantec certificates, the more likely it becomes that Symantec’s customers will simply get their certificates elsewhere. In a blog post from Mozilla Policy Engineer Gervase […]

The post Mozilla weighs following Chrome in mistrusting Symantec certs appeared first on Cyberscoop.


Citing compliance failures, Chrome will distrust Symantec certificates

Two of the biggest names on the internet embarked on a game of chicken this week over the little green padlock in the address bar. Browser behemoth Chrome, citing what it says are repeated failures by security giant Symantec to comply with the rules governing the issuance of internet security certificates, is threatening to stop fully trusting them. At stake is the browser experience for millions of consumers who use the Google-backed browser to shop and bank online. The security certificates are the basis for TLS, the encrypted connection between a website and a visiting computer that’s denoted by the green padlock. TLS — and the outdated SSL system it’s replacing — make it possible for users to send credit card details, social security numbers and other sensitive information safely and privately across the public internet. If Chrome stopped recognizing Symantec certificates — which are behind at least a third of the TLS traffic on the […]

The post Citing compliance failures, Chrome will distrust Symantec certificates appeared first on Cyberscoop.
