Chrome bumps ineffective EV certificates off the omnibar

Ever notice a missing company name next to the URL address bar? Ever change behavior because of it? Likely not, so bye-bye, useless badge.

Criminals sell counterfeit certificates to make malware look legitimate

Enterprising cybercriminals are selling counterfeit digital certificates that allow hackers to disguise their malware as legitimate software, according to a new report from the cybersecurity firm Recorded Future. The fraudulent files, which act like valid code signing certificates, render malware invisible to a large number of anti-virus engines. “It’s not a cheap commodity,” said Andrei Barysevich, Recorded Future’s director of advanced collection. “But once you sign a payload with the certificate, then the file becomes pretty much undetectable by any antivirus out there.” Barysevich’s team found a small group of independent vendors in the Eastern European cybercrime markets selling counterfeit code signing certificates to Russian-speaking customers. The fake certificates are not stolen from legitimate owners but are instead created using real information that can deliver a unique, working and effectively real certificate to hackers willing to pay. A 2017 paper from the University of Maryland highlighted the issue and showed that digitally […]

The post Criminals sell counterfeit certificates to make malware look legitimate appeared first on Cyberscoop.


Netsparker’s Weekly Security Roundup 2017 – Week 51

Finally – OWASP Top 10 2017!
Although the OWASP Top 10 vulnerability list is not a mandatory web security standards document, it plays a significant role in the cyber-security sector, not least because it is compiled based on data collected by t…

It’s easy to fake Extended Validation certificates, research shows

What does the happy green lock at the top of your browser mean? Maybe not what you think. Extended Validation certificates — the files that tell your browser to show the lock — are supposed to make crystal clear who owns a website, in order to stymie cyberattacks and phishing. Instead, EV certificates are dangerously easy to fake, according to experts like U.S.-based researcher Ian Carroll. The certificates are meant to prove legal ownership of HTTPS websites so that you are certain, for instance, that Google owns the website you’re visiting. Browsers like Chrome and Firefox show a green bar with the company name to signify security. The iOS version of Safari even replaces URLs entirely with the EV certificate. The problem, Carroll explained in a recent blog post, is that it’s easy to incorporate under the same name as big-time companies and therefore imitate their EV certificate. Carroll did exactly that by incorporating […]

The post It’s easy to fake Extended Validation certificates, research shows appeared first on Cyberscoop.


Google reminds website owners to move to HTTPS before October deadline

To encourage website owners and service providers to move to HTTPS, Google began sending out emails to remind them that their sites will be marked as insecure if they don’t comply. This is the latest step in the search giant’s long-term effort of crea…