Category Archives: Website Security

BB-8 Sweepstakes Official Rules


SYMANTEC OFFICIAL RULES FOR THE

BB-8 APP ENABLED DROID SOCIAL MEDIA SWEEPSTAKES DRAWING

THE BB-8 APP ENABLED DROID SOCIAL MEDIA SWEEPSTAKES DRAWING IS OPEN TO LEGAL RESIDENTS OF THE 50 UNITED STATES AND THE DISTRICT OF COLUMBIA (EXCLUDING GUAM, PUERTO RICO, AND ALL OTHER U.S. TERRITORIES AND POSSESSIONS) AND CANADA (EXCLUDING QUEBEC) WHO ARE THE AGE OF MAJORITY IN THEIR STATE OF RESIDENCE AND AT LEAST 18 YEARS OLD. THIS DRAWING SHALL BE CONSTRUED AND EVALUATED ACCORDING TO CALIFORNIA LAW.

NO PURCHASE NECESSARY TO ENTER OR WIN.  PURCHASE WILL NOT INCREASE YOUR CHANCE OF WINNING.

BY PARTICIPATING IN THE DRAWING, YOU ACCEPT AND AGREE TO BE BOUND BY THESE “OFFICIAL RULES” AND THE DECISIONS OF THE JUDGES AND/OR SPONSOR RELATIVE TO THIS DRAWING.

1. SPONSOR

The BB-8 App Enabled Droid Social Media Drawing (the “Drawing”) is sponsored by Symantec Corporation (the “Sponsor”), 350 Ellis Street, Mountain View, California, 94043, U.S.A. The drawing begins after each posting and ends October 23rd, 2015 at 11:59:59pm PT (the “Drawing Period”). 

THIS DRAWING IS NOT SPONSORED, ENDORSED OR ADMINISTERED BY, OR ASSOCIATED WITH, FACEBOOK OR TWITTER.

2. ELIGIBILITY – VOID WHERE PROHIBITED

This drawing is open to legal residents of one of the fifty United States or the District of Columbia and Canada (except Quebec), who have reached the age of majority in their state of residence as of the starting date of the Drawing Period (“Participant”).  Each Participant must have an account on www.facebook.com OR www.twitter.com.  Persons in any of the following categories are NOT eligible to enter, participate in, or win the Drawing: (a) persons who on or after the starting date of the Drawing Period were or are officers, directors or employees of Symantec Corporation, or any of its subsidiary, affiliated companies, service agencies, or independent contractors; and (b) persons who are immediate family members (defined as spouse or biological or step-mother, father, sister, brother, daughter, or son and each of their respective spouses) of any person in any of the preceding categories, regardless of where they live, and/or individuals who reside in the same household, whether related or not, as any person in any of the preceding categories. Any questions and/or issues concerning eligibility shall be determined at the sole discretion of the Sponsor.  This drawing is void in Guam, Puerto Rico, and where prohibited by law.  Employees or representatives of government agencies or organizations are not eligible to participate.

Participants understand that by participating in this Drawing, they are providing their information to Sponsor and not to Facebook. Further, Participants specifically release Facebook from any and all liability associated with this Drawing. The information you provide will be used as provided in Sponsor’s privacy policy (provide link). Any questions, comments or complaints regarding this Drawing shall be directed to Sponsor and not to Facebook. Participation constitutes Participant’s full and unconditional agreement to these Official Rules and Sponsor’s and/or Judges’ decisions, which are final and binding in all matters related to the Drawing.  Winning a prize is contingent upon fulfilling all requirements set forth herein.

3. HOW TO ENTER.  NO PURCHASE NECESSARY.  PURCHASE WILL NOT INCREASE YOUR CHANCE OF WINNING.

On Facebook:

You must have a valid Facebook account in order to participate.  You can enter the Drawing by following these steps during the Drawing Period (“Entry”):

  1. Visit www.facebook.com/SymantecWebsiteSecuritySolutions

  2. Like the Website Security Solutions Facebook Page

  3. Comment on the questions in the Post related to the Drawing

On Twitter:

You must have a valid Twitter account in order to participate.  You can enter the Drawing by following these steps during the Drawing Period (“Entry”):

  1. Visit https://twitter.com/NortonSecured

  2. Follow the @nortonsecured twitter account

  3. Retweet the post referred to where these rules are posted.

General Requirements 

In addition to the above-listed required steps, all Participants must abide by these General Requirements:

  • Your Entry must be in English.

  • Your Entry must not:

    a. violate applicable law;

    b. depict hatred;

    c. be in bad taste;

    d. denigrate (or be derogatory toward) any person or group of persons or any race, ethnic group, or culture;

    e. threaten a specific community in society, including any specific race, ethnic group, or culture;

    f. incite violence or be likely to incite violence;

    g. contain vulgar or obscene language or excessive violence;

    h. contain pornography, obscenity, or sexual activity; or

    i. disparage the Sponsor. 

  • Your Entry must be original, your sole property, and not previously published or submitted in any other Drawing.

  • Your Entry must not violate any right of a third party including, but not limited to: copyright, trademark, any other intellectual property right, right of publicity, confidentiality, and privacy. Please do not include the name or logo of any company or product produced by a manufacturer other than Symantec.

    By submitting an Entry, you agree that Sponsor has the unrestricted right to use your Entry in whole or in part, commercially or non-commercially in any media known or unknown in perpetuity, worldwide, including the right to publish and display the Entry for advertising and publicity, and to edit and make derivative works, all without additional review or compensation. Additionally, you agree that Sponsor may post your Entry, including your name on its sponsored websites and/or third-party sites. 

Limit one (1) entry per person, regardless of the number of Social Media accounts used, for the duration of the Drawing Period.  If you enter or attempt to enter more than once using multiple identities, all of your entries may be declared null and void, and you may be disqualified and ineligible to participate in this Drawing.  Duplicate entries and/or other mechanical reproductions of entries are not permitted.  Illegible or incomplete entries will be disqualified.

Your entry may be disqualified, at the sole discretion of Sponsor if you attempt to enter through any means other than by the online submission requirement herein, if you disrupt the Drawing or circumvent the terms and conditions of these Official Rules, or violate the Facebook Terms of Service or Facebook Rules (https://www.facebook.com/policies/?ref=pf), which govern the use of Facebook.  If any of the above occurs, Sponsor has the right to remedy any such action, disruption, or circumvention in a manner to be solely determined by Sponsor.

4. PRIZES

Symantec will award one (1) of the following prizes in the Drawings:

Qty   Description               Estimated Value (USD)
4     BB-8 App Enabled Droid    $150.00

The total estimated retail value of all of the prizes to be awarded under the Drawings is US$600.00.  The odds of winning depend on the number of eligible entries received during the Drawing Period.  Prizes are not transferable or exchangeable, or redeemable for cash.  No prize substitution is allowed, except Sponsor may substitute a comparable prize at Sponsor’s sole discretion.  Winner is solely responsible for any applicable federal, state, provincial, and local taxes.  Any other costs and expenses associated with prize acceptance and use not specified herein as being provided are winner’s sole responsibility.  All details and other restrictions of prizes not specified in these Official Rules will be determined by Sponsor in its sole discretion.

5. SELECTION OF WINNER; NEED NOT BE PRESENT TO WIN

A total of up to one (1) potential winner will be selected by random drawing one week after the post before 23 October 2015 at Symantec Corporation, 350 Ellis Street, Mountain View, CA.

Potential winner will be notified via his or her Facebook or Twitter email account (e.g., “Congrats [Username!] You are a winner!  To claim your prize, email Symantec at brook_chelmo@symantec.com with your contact information”).  Potential winners must respond via Facebook within 7 business days of notification by sending an email message to brook_chelmo@symantec.com  with your contact information.  There will be no additional media or channels utilized to announce winners. 

If a potential winner is (i) found to be ineligible or not in compliance with these Official Rules, (ii) declines to accept a prize, (iii) if Sponsor does not receive a timely response to a winner notification, or (iv) in the event that a prize notification or prize is returned undeliverable, then the corresponding prize will be forfeited, the potential winner disqualified, and at the Sponsor’s sole discretion, the prize may be awarded to an alternate winner chosen by Sponsor’s judges.  Potential winners may be required to furnish proof of identification.  Before being declared a winner, potential winner must execute and return an Affidavit of Eligibility and Waiver of Liability within seven (7) business days from the postmarked date as having been sent by the Sponsor’s representative or otherwise the corresponding prize may be forfeited.

In the event of a dispute as to the identity of an entrant, the affected entry will be deemed submitted by the authorized account holder of the Facebook or Twitter account used to enter the prize drawing.  A potential winner may be required to provide Sponsor with proof that the potential winner is the authorized holder of the associated Facebook account or email account.  An authorized account holder is defined as the natural person who is assigned to the Facebook account by Facebook, Inc.  If a dispute cannot be resolved to Sponsor’s satisfaction, the affected entry will be deemed disqualified and ineligible to win a prize, but these Official Rules will otherwise continue to govern the affected entry.

6. CONDITIONS

BY PARTICIPATING IN THE DRAWING, YOU AGREE TO RELEASE AND HOLD SPONSOR, FACEBOOK, THEIR RESPECTIVE PARENT COMPANIES, SUBSIDIARIES, AFFILIATES, PRODUCTION AND ADVERTISING AGENCIES, AND EACH OF THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES AND AGENTS (COLLECTIVELY, THE “RELEASED PARTIES”) HARMLESS FROM ANY AND ALL LOSSES, DAMAGES, RIGHTS, AND CLAIMS OF ANY KIND IN CONNECTION WITH THE DRAWING, DRAWING-RELATED ACTIVITY,  OR YOUR ACCEPTANCE, POSSESSION, USE OR MISUSE OF ANY PRIZE, INCLUDING, WITHOUT LIMITATION, PERSONAL INJURIES, PROPERTY DAMAGE, INVASION OF PRIVACY, AND MERCHANDISE DELIVERY.

Sponsor assumes no responsibility for any damage to your computer device which is occasioned by participation in the Drawing, or for any computer device, phone line, hardware, website, software or program malfunctions, or other errors, failures, delayed computer transmissions or network connections that are human or technical in nature. 

All federal, state, provincial, and local laws apply.  Without limiting the generality of the foregoing, Sponsor is not responsible for incomplete, illegible, typographical errors, misdirected, misprinted, late, lost, damaged, stolen, or intercepted Drawing entries or prize notifications; or for lost, interrupted, inaccessible or unavailable networks, servers, satellites, Internet Service Providers, websites, or other connections; or for miscommunications, failed, jumbled, scrambled, delayed, or misdirected tweets, or computer, telephone or cable transmissions; or for any technical malfunctions, failures, difficulties or other errors of any kind or nature; or for the incorrect or inaccurate capture of information, or the failure to capture any information.  If any of the aforementioned events occur, Sponsor shall have the right to modify, suspend, or terminate the Drawing in its sole discretion.  Sponsor reserves the right in its sole discretion to disqualify any individual who is found to be tampering with the entry process or the operation of the Drawing, or to be acting in violation of these Official Rules, or to be acting in an unsportsmanlike or disruptive manner, or with the intent to disrupt or undermine the legitimate operation of the Drawing, or to annoy, abuse, threaten or harass any other person, and Sponsor reserves the right to seek damages and other remedies from any such person to the fullest extent permitted by law.  In the event Sponsor is prevented from awarding prize(s) or continuing with the Drawing as contemplated herein by any event beyond its control, including but not limited to fire, flood, natural or man-made epidemic, earthquake, explosion, labor dispute or strike, act of God or public enemy, satellite, equipment or software failure, riot or civil disturbance, terrorist threat or activity, war (declared or undeclared) or any federal state or local government law, order, or regulation, public health crisis (e.g. SARS), order of any court or jurisdiction, or other cause not reasonably within Sponsor’s control (each a “Force Majeure” event or occurrence), then subject to any governmental approval which may be required, Sponsor shall have the right to modify, suspend, or terminate the Drawing in its sole discretion.

By entering the Drawing, you agree: (i) to be bound by these Official Rules and by all applicable laws and decisions of Sponsor which shall be binding and final; (ii) to waive any rights to claim ambiguity with respect to these Official Rules; (iii) to waive all of rights to bring any claim, action, or proceeding against the Released Parties in connection with the Drawing; and (iv) to forever and irrevocably agree to release, defend, indemnify, and hold harmless the Released Parties from any and all claims, lawsuits, judgments, causes of action, proceedings, demands, fines, penalties, liability costs and expenses (including, without limitation, reasonable outside attorneys’ fees) that may arise in connection with your participation in this Drawing.

By posting to Facebook or Twitter, you must (i) make no false or misleading representations or advertisements with regard to Sponsor; (ii) make no statements regarding Sponsor that you do not have a reasonable basis for or that are inconsistent with your honest opinions, findings, beliefs, or experiences; (iii) comply with all applicable laws and regulations, including but not limited to advertising and marketing laws such as the Federal Trade Commission’s Endorsement Guidelines; (iv) comply with the Facebook and/or Twitter terms of service and other policies; and (v) comply with any other policies of Sponsor as may be communicated to you during the Drawing Period.

All issues and questions concerning the construction, validity, interpretation and enforceability of these Official Rules, or the rights and obligations of a Participant and/or Sponsor in connection with the Drawing, will be governed by, and construed in accordance with, the laws of the State of California without regard to California conflicts of law principles.  All Participants consent to the exclusive jurisdiction and venue in Santa Clara County, California, U.S.A.

The invalidity or unenforceability of any provision of these Official Rules will not affect the validity or enforceability of any other provision. In the event that any provision is determined to be invalid or otherwise unenforceable or illegal, these Official Rules will otherwise remain in effect and will be construed in accordance with their terms as if the invalid or illegal provision were not contained herein. In particular, Sponsor’s employees are not authorized to waive, modify, or amend any provision or provisions of these Official Rules in any manner whatsoever.

By entering the Drawing, Participants agree to the terms of Sponsor’s Privacy Policy (http://www.symantec.com/about/profile/privacypolicy/index.jsp). Unless Participants indicate otherwise at the time of entry, personal information collected from Participants may be used by Sponsor for the purpose of not only administering this Drawing but also contacting you regarding your interest in Sponsor’s products and services.  Winner’s name and identity will be publicly announced via Facebook.

AFFIDAVIT OF ELIGIBILITY AND WAIVER OF LIABILITY

By signing below, the undersigned Participant in the BB-8 App Enabled Droid Social Media Drawing (the “Drawing”) sponsored by Symantec Corporation (“Symantec”) hereby attests that, prior to participating in the Drawing he/she read the Official Rules for the Drawing and has previously agreed that his/her participation in the Drawing is governed exclusively by those Official Rules.  In consideration for the prize awarded to Participant through his/her participation in the Drawing, Participant agrees and acknowledges as follows:

1.   Eligibility: Participant was at least 18 years old and had reached the age of majority in his/her state of residence as of the starting date of the Drawing Period, and is an individual eligible to participate in the Drawing in accordance with the Official Rules, and, accordingly, is eligible to receive any prize awarded to him/her through the Drawing.  Participant acknowledges that his/her right to receive a prize may not be transferred, substituted for another prize, or exchanged for cash, and that Participant is solely responsible for all taxes or governmental fees due for receiving, owning, or using the prize.  Should it thereafter be discovered or determined that Participant was not eligible to receive a prize, Participant agrees to return such prize within ten days of written notice by Symantec, or by a duly authorized agent of Symantec, and to pay all costs associated with the return of such prize.

2.   Waiver of Liability: As set forth in the Official Rules, Participant hereby releases Symantec, Twitter, and Facebook, and their respective subsidiaries, affiliates, agencies, and their respective officers, directors, employees and representatives (collectively, the “Released Parties”) from any and all liability, loss, or damage arising from Participant’s acceptance, possession, or use of a prize, including, but not limited to, claims for product liability, personal injury, breach of contract, and negligence.  Participant acknowledges and agrees that the Released Parties make no warranty, expressed or implied, with respect to the accuracy of any information relating to the prizes awarded, including pricing and product editorials, and Participant hereby waives and releases the Released Parties from any liability, loss, or damage caused directly or indirectly by any inaccuracy associated with such information.  Without in any way limiting the generality of the foregoing, Participant agrees that this waiver embraces, covers and includes each, every, and all matters, transactions, causes of action, claims, demands and obligations arising in favor of Participant as against the Released Parties relating to Participant’s participation in the Drawing.  Participant hereby waives any and all rights under the provisions of California Civil Code Section 1542, which provides as follows:

A general release does not extend to claims which the creditor does not know or suspect to exist in his or her favor at the time of executing the release which if known by him must have materially affected his or her settlement with the debtor.

3.   Governing Law: Participant agrees that any dispute that arises as a consequence of his/her participation in the Drawing will be governed by the laws of the State of California.

Participant: __________________________________

Signature: _______________________________________

Date: ______________________

Address: ____________________________

         ____________________________

Email Address: ____________________________

Ensuring compatibility without compromising security: the case of ECC/RSA hybrid certificates


We have talked a lot about ECC (Elliptic Curve Cryptography) over the past year. Although elliptic curves themselves are not new, their use in our industry is fairly recent: in the SSL/TLS protocols, ECC is used for key exchange (ECDHE) and for authentication (ECDSA signatures on the certificate and on the handshake) (see this previous blog article for more details).

RSA, the current standard, is expected to be replaced by ECC because its scalability is becoming an issue with the arrival of IoT (Internet of Things): an explosion in the number of devices, machine-to-machine (M2M) communications, an ever-growing volume of data transfers, and so on. ECC offers comparable security with much shorter keys (a 256-bit curve is generally rated equivalent to a 3072-bit RSA key), which means smaller certificates and cheaper handshakes for constrained devices.

We expected this change to happen. This is why Symantec’s ECC roots have been added to all major root stores back in 2007. Most CAs followed years later.

ECC, RSA and compatibility

The reliability and performance of ECC no longer need to be demonstrated. The significant obstacle to its adoption is the lack of support for this relatively new algorithm in legacy products. While all modern servers and browsers fully support ECC, some legacy systems will not trust ECC roots, and others cannot handle ECC at all. These are two different problems, and only the first one can be solved on the certificate side.

Browser compatibility (root ubiquity) as of today

Client                              Pure ECC chain           ECC & RSA hybrid chain
PC         Windows XP or older      Not supported            Not supported
           Windows Vista or newer   Supported                Supported
           Mac OS X                 10.9 or newer            10.6 or newer
Mobile     Android                  3.x or newer             4.0 or newer
           iOS                      7.x or newer             3.x or newer
Ecosystem  Server to server         Depends on the customer environment (both chains)

Current server compatibility as of today

Vendor          Product                                   ECC CSR         ECC cert install
Microsoft       Windows Server 2008 (IIS 7.0) or newer    Supported       Supported
Apache, nginx   OpenSSL 1.0.1e                            Supported       Supported
Oracle          Sun Java System Web Server 7.0            Supported       Supported
F5              11.5 or newer                             Supported       Supported
IBM             HTTP Server 8.0 + PM80235                 Supported       Supported
Citrix          NetScaler                                 Not supported   Not supported

There are devices and systems that cannot validate an ECC chain simply because the ECC root certificate is missing from their trust store, and it is not always possible to upgrade them, change servers, or switch to another application. For devices and systems that can handle ECC but do not have ECC roots in their trust stores, Symantec has created hybrid ECC/RSA SSL certificates.

A hybrid certificate carries an ECC key, exactly like a full-ECC certificate, so the TLS handshake still uses ECC for key exchange and authentication; the difference is that its chain terminates in a well-established, widely trusted RSA root. The client only has to support ECC in the handshake and for signature verification; it does not need an ECC root in its trust store. Hybrid ECC/RSA certificates therefore let you benefit from the best protection for your current infrastructure while mitigating potential compatibility issues. They do not help clients that lack ECC support altogether (such as Windows XP); those clients still need an RSA certificate.

How does it work?

It is fairly simple: when you enroll, we give you the choice between a full ECC certification chain (fig. 1) and a hybrid ECC/RSA certification chain (fig. 2). The full ECC chain comprises your ECC SSL certificate, signed by an ECC intermediate, which is in turn signed by an ECC root.

Fig. 1: full ECC chain (ECC SSL certificate, signed by an ECC intermediate, signed by an ECC root)

To offer hybrid ECC/RSA certificates, we have created a new ECC intermediate signed by an RSA root. This intermediate can be installed as the direct intermediate (your certificate, then the RSA-signed ECC intermediate, then the RSA root), or served as a cross-certificate alongside a full ECC chain (the same intermediate key certified by a second issuer), so that a client builds whichever path ends in a root it trusts.

The direct intermediate is the solution we recommend: you benefit from ECC keys for your infrastructure while relying on a globally trusted RSA root, and clients have a single path to build.

Fig. 2: hybrid ECC/RSA chain (ECC SSL certificate, signed by an ECC intermediate, signed by an RSA root)
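As an added example (not Symantec's tooling or certificates), the following shell script builds both certification paths with the openssl command line: an RSA root, an ECC root, one ECC intermediate key certified by each root, and an ECC server certificate signed by that intermediate. It then runs openssl verify three times, each time emulating a client whose trust store holds a single root and that received a particular intermediate from the server. The names (Example RSA Root, Example ECC Intermediate, www.example.com), the extension profiles and the temporary working directory are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not Symantec tooling: build a full ECC chain and a hybrid
# ECC/RSA chain for the same server key, then check which trust store
# validates each. Names, lifetimes and extension profiles are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the script does not depend on the system openssl.cnf.
write_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[int_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root: key file, CN, output file.
make_root() {
  openssl req -new -x509 -config "$WORK/ca.cnf" -key "$WORK/$1" \
    -subj "/CN=$2" -days 3650 -out "$WORK/$3" 2>/dev/null
}

# Issue a certificate: CSR, CA cert, CA key, extension section, output file.
issue() {
  openssl x509 -req -in "$WORK/$1" -CA "$WORK/$2" -CAkey "$WORK/$3" \
    -CAcreateserial -days 825 -extfile "$WORK/ca.cnf" -extensions "$4" \
    -out "$WORK/$5" 2>/dev/null
}

build_chains() {
  write_config
  openssl genrsa -out "$WORK/rsa-root.key" 2048 2>/dev/null
  for k in ecc-root ecc-int leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$k.key"
  done
  make_root rsa-root.key "Example RSA Root" rsa-root.pem
  make_root ecc-root.key "Example ECC Root" ecc-root.pem

  # One intermediate key, certified twice: by the ECC root (full ECC chain)
  # and by the RSA root (hybrid chain). The RSA-signed copy is the cross-cert.
  openssl req -new -config "$WORK/ca.cnf" -key "$WORK/ecc-int.key" \
    -subj "/CN=Example ECC Intermediate" -out "$WORK/ecc-int.csr" 2>/dev/null
  issue ecc-int.csr ecc-root.pem ecc-root.key int_ext ecc-int-pure.pem
  issue ecc-int.csr rsa-root.pem rsa-root.key int_ext ecc-int-hybrid.pem

  # The server certificate is signed with the intermediate key, so it chains
  # through either copy of the intermediate without being reissued.
  openssl req -new -config "$WORK/ca.cnf" -key "$WORK/leaf.key" \
    -subj "/CN=www.example.com" -out "$WORK/leaf.csr" 2>/dev/null
  issue leaf.csr ecc-int-hybrid.pem ecc-int.key leaf_ext leaf.pem
}

# Emulate a client whose trust store holds only root $1 and that received
# intermediate $2 from the server. Exit status 0 means the leaf validated.
verify_chain() {
  openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/leaf.pem" \
    >/dev/null 2>&1
}

build_chains
for pair in "ecc-root.pem ecc-int-pure.pem" \
            "rsa-root.pem ecc-int-pure.pem" \
            "rsa-root.pem ecc-int-hybrid.pem"; do
  set -- $pair
  if verify_chain "$1" "$2"; then status=OK; else status=FAIL; fi
  echo "trust store: $1  sent intermediate: $2  -> $status"
done
```

The second run fails for the same reason the legacy clients in the table above fail: the intermediate the server sent was issued by a root the client does not have. The third run succeeds on exactly the same server certificate, because the server swapped in the RSA-signed copy of the intermediate; the server key, the ECDSA signature on the leaf and the ECC handshake are unchanged.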

If you are unsure which certification path is made for you, or if you have questions or concerns, please contact us! We are happy to help and to advise.

Raising the Bar for Security and Trust on the Web


Symantec to Stop Issuing DV SSL/TLS Certificates to .PW Domains

Recently, Symantec updated its certificate issuance controls to pay special attention to domains flagged for excessive abuse, malwa…

Symantec CryptoExec Makes SSL Administration Easy for Hosting Providers

Symantec would like to introduce the new CryptoExec API, available exclusively to Symantec Website Security business partners.  CryptoExec, a free-to-use API, links cPanel and WHMCS to automate the SSL issuance process, reducing errors and removing the manual steps in ordering and administering SSL certificates for customers.  Its intuitive, easy-to-use GUI helps customers buy and install SSL certificates.  Here is how:

WHMCS Benefits

The solution enables partners in the Symantec Website Security Partner Program to utilize the popular WHMCS for billing/procurement of Symantec, GeoTrust, RapidSSL, and Thawte SSL and code-signing certificates and provide a shopping cart experience.  The partner can offer the certificates and Trust Seals through WHMCS. 

One other advantage of the solution is the flexibility offered through the support for either a voucher-based path or a classic SSL-based path. The voucher-based path is recommended for partners who have both cPanel and WHMCS so a customer can buy vouchers in WHMCS and redeem them in cPanel. The classic SSL path is recommended for partners who use WHMCS but not cPanel. 

cPanel Benefits

CryptoExec can also be used within cPanel, the popular control panel solution for hosting providers. Partners can utilize this solution to redeem vouchers purchased through WHMCS and automatically install all SSL certificate types without any manual intervention.

Through cPanel, the Certificate Signing Request (CSR) generation is completely automated for partners who support both WHMCS and cPanel.  Additionally, the end customer will see live status messages on the progress of the certificate’s validation and installation.  cPanel will also provide a list of existing Symantec SSL certificates and the details related to each certificate. Through CryptoExec the complete lifecycle of an SSL certificate is covered; users can reissue, revoke and renew all SSL certificates through this solution. 

For WHMCS

  1. Download Symantec™ CryptoExec for WHMCS directly from Symantec’s Knowledge Base

  2. Add the module to your WHMCS installation

  3. In WHMCS, set up a few initial product configurations and your customers are ready to start purchasing Symantec Products!

For WHMCS and cPanel

  1. Download Symantec™ CryptoExec for WHMCS and Symantec™ CryptoExec for cPanel directly from Symantec’s Knowledge Base

  2. Add the module to your WHMCS and cPanel installations

  3. Within each system, set up your initial configurations and your customers are ready to start purchasing Symantec Products!

To learn more about CryptoExec or the Symantec Website Security Partner program email us at website_security@symantec.com

Obtaining your .BANK Domain; a New Best Practice


Remember how quick it was to register your bank’s .com and other domains. You went to your registrar’s homepage, typed in preferred domain names, clicked a few times, entered billing information and you were done. Within a few seconds, you had confirmations and a new online home.

It will take a little more effort and a little more time to register new .BANK domains for your bank’s trademarks, trade names and service marks, but it’s worth it. Here’s why:

Every .BANK domain will be verified by Symantec before the registration is confirmed. This is part of the enhanced security requirements imposed by fTLD, the .BANK registry.  Because this process cannot be fully automated, it requires that we talk to one or two people at your bank.

Verification ensures that only eligible institutions – banks, bank associations, regulators and certain core service providers – have .BANK domains. It also ensures that the person registering .BANK domains for your bank is authorized to do so. Verification protects the integrity of the .BANK gTLD and the integrity of the banks and other organizations that register .BANK domains. You can learn more about the verification process and Symantec’s role here.

During the registration process you will be asked for the bank’s contact information, regulatory ID number, and the government regulatory authority that charters your bank.

Your registrar will also request the name and contact information of someone at your company who can verify the employment of the registrant contact, and the name and contact information of someone who can verify that the registrant contact is authorized to register the requested domains.

You can help make the registration process smooth and quick by following a few simple guidelines.

  1. Make sure you have all the necessary information, including contact information for others at your bank, available when you start the registration process.
  2. Tell your colleagues that they will receive an important call from Symantec, and why. It will only take them a few minutes to get us the information we need.
  3. Finally, take a few minutes over the next day or two to see if your colleagues have received a call from a Symantec representative and were able to give us the information we need to verify your bank’s .BANK domain(s).

These few additional steps will help ensure that you get the okay for your .BANK domains as fast as possible. The process typically takes a day or two. It is not as fast as a click, but your bank’s new .BANK domains will set a solid foundation on which to build and maintain your online brand.


New Rules: Feds Mandate HTTPS on U.S. Government Sites

The White House has mandated that all public-facing Web sites of the federal government must implement HTTPS within the next two years.


Have you read the news lately? It seems like hardly a week can go by without another data breach happening.

In the past few years, cybercriminals have upped their game considerably, using increasingly sophisticated attacks in growing numbers. Five out of every six large companies were targeted for attack last year, a 40% increase over 2013.*

The recent breach on federal employees’ private data, allegedly from China, only underscores the continued looming menace cybercriminals present—and this threat hasn’t gone unnoticed by the feds.

In a January 12 post on the White House Blog, President Obama is quoted as saying: “This is a direct threat to the economic security of American families, and we’ve got to stop it.” Further adding, “If we’re going to be connected, then we need to be protected.”  So true! And that line of thinking is what prompted the U.S. government’s latest move.

To help combat these attacks, the White House has mandated that all public-facing Web sites of the federal government must implement HTTPS within the next two years.

This is no minor security update. It carries far-reaching implications that extend beyond the fed. Here’s what we mean.

What HTTPS Offers to Everyone

HTTPS is ordinary HTTP (Hypertext Transfer Protocol, the scheme you see in the address bar of unsecured sites) carried inside an SSL/TLS session, which is what you are likely to see on most sites handling financial transactions. The SSL/TLS layer authenticates the server through its certificate and encrypts everything exchanged, including URLs, cookies and form contents, not only the payment page.

This federal move shouldn’t come as a surprise, as the majority of the U.S. government sites have already made the switch to the secure protocol. This includes whitehouse.gov, which made the switch on March 11, 2015, to other federal sites that made the jump earlier, like ftc.gov, donotcall.gov, and others.

The mandate goes beyond a site’s main domain and applies to its subdomains, like examplesection.whitehouse.gov, too.

Until now, many government sites were already current with NIST-recommended SSL standards, but the administration has now moved to make security and privacy a priority across every aspect of federal government sites.

Make no mistake about it, this is huge!

These extra security measures follow the Always On SSL tenets advocated by the Online Trust Alliance, exhibiting some of the strongest moves yet to protect the identity and personal information of U.S. citizens online.

Others Must Follow, Strengthening the Security of the Web

Cybercrime isn’t going to easily back down.

Now, it’s far too easy to compromise private information on sites with subpar security. Today’s cybercriminals are smart and tenacious. By protecting all aspects of a site with SSL—not just transaction pages—businesses can help quell social engineering techniques. These complex ruses can now fool even the savviest netizens into handing over their private information to the bad guys.   

Nothing is 100% unhackable now and forever. But just like locking your car doors when you’re out, providing as much security as possible is still a great idea! By expanding the coverage of SSL, we strengthen the backbone of the Internet itself.

*2015 Internet Security Threat Report, Volume 20

Easy Ways to Help Boost Your Bottom Line with SSL

Let your site visitors know their transactions are secure!


Attending to all of the day to day routines in running a small business can eat up so much of your time that you don’t have any spare moments (or energy left) to devote to actually growing your business. Everything seems to fall into the bucket of “get it done and out the door.”

We’re here to help.

There are only so many ways to reduce the costs of running your business no matter how silver-tongued your negotiations may be, and one person can only juggle so many hats when trying to be the owner, customer service manager, IT department, and graphic designer all rolled into one. (Whew!)

Take a breather and discover some easy things you can do tomorrow to help your business grow. Let’s get right to them!

Let your site visitors know their transactions are secure

People care about security—a lot. They also care about appearances. There’s a reason why your local bank always has employees dressed to the nines, cameras everywhere, and a security guard.  

Use this frame of mind when designing your website. With all of the stories of data breaches hitting the news, customers are more wary than ever about handing over their credit card information. They want to feel secure.

Assure them right up front by displaying an SSL (Secure Sockets Layer) Trusted Site Certificate in a highly visible location. Use it in multiple places, like your home page, login page, and buy page. It’s recognized worldwide and immediately assures people that they’re dealing with the right business: you.

Show visitors the green bar

Not all SSL certificates are created equal. EV (Extended Validation) certificates turn the address bar, where you type the URL, green. The exact appearance differs slightly depending upon which browser you’re using. No doubt you’ve seen this when visiting your financial institution online.

Now, your average customer isn’t going to think, “Aha! That site is using a certificate with extended validation. Cool!” But customers will recognize the visual cue (green means go), and they will have seen it at other sites known for their security and be assured they’re not on some phishing site.

Moving over to EV SSL certificates is painless and it’s an easy way to lump your small business in with the big boys for a fairly nominal annual cost.

Avoid cutting corners on security

To many small businesses, every dollar counts. But while you can save the freshly stocked break area for later, online security doesn’t fall into the “nice to have” category. It’s now essential. One data breach is all it takes to destroy everything that you’ve worked so hard to build up.

While the number of mega breaches decreased in 2014, according to the 2015 Website Security Threat Report, the overall number of breaches increased. As the report recommends, keep your server configuration up to date, make sure that old, insecure versions of the SSL protocol (SSL2 and SSL3) are disabled, and make sure that newer versions of the TLS protocol (TLS1.1 and TLS1.2) are enabled and prioritized.

Sound like technobabble gobbledygook? It isn’t hard to implement, and this digital stitch in time pays off far more than the small effort it costs now. Talk to your SSL salesperson and make sure you’re up to speed.
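The post does not name a web server, so as an added example (not from the original post) here is a small audit of the protocol recommendation against nginx’s real `ssl_protocols` directive: it flags SSL2/SSL3 if enabled, flags TLS 1.1/1.2 if missing, and rewrites the directive into the hardened form. The two server blocks are constructed samples.

```python
import re

# Versions the post says to disable, and the ones it says to enable.
INSECURE = ("SSLv2", "SSLv3")
REQUIRED = ("TLSv1.1", "TLSv1.2")

# Constructed nginx server blocks: the weak setting and the corrected one.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2;
}
"""

# One ssl_protocols directive per match; the capture is the version list.
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)

def enabled_protocols(conf):
    """Every protocol version named in an ssl_protocols directive.
    A config with no directive yields an empty set, so the audit treats a
    missing directive as 'required versions not explicitly enabled'."""
    enabled = set()
    for match in DIRECTIVE.finditer(conf):
        enabled.update(match.group(1).split())
    return enabled

def audit(conf):
    """Return (insecure versions enabled, required versions missing).
    Two empty lists mean the config follows the report's recommendation."""
    enabled = enabled_protocols(conf)
    insecure = [p for p in INSECURE if p in enabled]
    missing = [p for p in REQUIRED if p not in enabled]
    return insecure, missing

def hardened_directive(conf):
    """Rewrite the directive: drop SSLv2/SSLv3, keep any TLS versions already
    enabled, and make sure TLS 1.1 and 1.2 are present."""
    enabled = (enabled_protocols(conf) - set(INSECURE)) | set(REQUIRED)
    ordered = [p for p in ("TLSv1", "TLSv1.1", "TLSv1.2") if p in enabled]
    return "ssl_protocols " + " ".join(ordered) + ";"
```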

While you may not have the budget of some major corporation (yet!), these methods are some easy ways to tweak your SSL certificates and help you get the most mileage out of them.

Securing Telecommunications with Encryption


I know you have been waiting for this and it’s finally here! May 17th is Voice Telecommunication Day! One of the most common subjects raised, year after year, is how to secure our telecommunication channels.

In the past, when telephone calls were placed over a land line (PSTN), the only security worries were surveillance by the telephone company and anyone who physically intercepted the line between you and the person you were talking to.

While there are hardware devices and purpose-built crypto-phones that can safeguard your conversation, these devices come at a high price, and with the move to mobile and Internet communication, the effort and cost of installing them can be considered unnecessary.

Advances in telecommunication networks and the Internet have made communicating easier and more cost effective, but unfortunately they have also made the interception of calls more rampant than ever. Without extra steps to protect your privacy, every phone call is vulnerable to eavesdroppers.

If you’re using a mobile phone, your conversation is carried over a broadcast channel, which is easier to intercept than a physical line. Numerous protocols are involved in mobile technology, the most common being GSM.

One thing that makes GSM special is its call encryption capability: it is designed to encrypt calls between the handset and the local tower. Your GSM SIM card stores an encryption key, and your service provider (who holds a copy of that key) authenticates the handset at the nearest tower. The main problem with GSM is that the authentication runs only one way: the handset never checks the tower back, which means that anyone can set up a ‘fake’ tower and intercept your call.

The GSM protocol dates back 30 years and the technology behind it, while still useful, is somewhat outdated. Fortunately, smartphones support the improved 3G and LTE standards, which offer stronger encryption and mutual authentication between your device and the tower.
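The difference between GSM’s one-way authentication and the mutual authentication of 3G/LTE, as an added model that is not part of the original post: the operator’s real algorithms (GSM’s A3, the 3G AUTN token) are not reproduced; HMAC-SHA256 stands in for them, and `b"network"` is an assumed label that separates the network’s proof from the handset’s response.

```python
import hashlib
import hmac
import os

def auth_fn(key, *parts):
    """Stand-in for the operator's authentication algorithm. GSM's own A3 is
    not modelled; HMAC-SHA256 is used so the example runs on the stdlib."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class Tower:
    """A base station holding some key: the operator's copy of Ki, or not."""
    def __init__(self, key):
        self.key = key
        self.handset_ok = None

    def challenge(self):
        rand = os.urandom(16)                              # RAND
        return rand, auth_fn(self.key, b"network", rand)   # plus network MAC

    def receive(self, rand, sres):
        # Network-side check of the handset's response (GSM already does this).
        self.handset_ok = hmac.compare_digest(sres, auth_fn(self.key, rand))

class Handset:
    """The SIM side: holds the subscriber key Ki and answers challenges."""
    def __init__(self, ki):
        self.ki = ki

    def attach_one_way(self, tower):
        # GSM model: the tower checks the handset, but the handset never checks
        # the tower, so it answers any tower that issues a challenge.
        rand, _ignored_mac = tower.challenge()
        tower.receive(rand, auth_fn(self.ki, rand))
        return True

    def attach_mutual(self, tower):
        # 3G/LTE model: the tower must first prove it knows Ki via the MAC.
        rand, mac = tower.challenge()
        if not hmac.compare_digest(mac, auth_fn(self.ki, b"network", rand)):
            return False                 # unauthenticated tower: do not attach
        tower.receive(rand, auth_fn(self.ki, rand))
        return True

KI = os.urandom(32)               # constructed subscriber key on the SIM
OPERATOR = Tower(KI)              # tower with the operator's copy of Ki
UNKNOWN = Tower(os.urandom(32))   # tower that does not hold Ki
```

In the one-way model the handset attaches to both towers; in the mutual model it attaches only to the tower that can prove it holds Ki.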

If you’re planning to deploy VoIP (Voice over Internet Protocol), or are already using it within your company, you first need to ensure that the data network you are using is secure. VoIP is exposed to all of the intrinsic security problems of IP, and because it transmits digitized voice as a stream of data, there is a risk of a hacker stealing private information.

Many technologies, both hardware and software, are involved in a VoIP system (depending on your requirements), such as:

  • IP phones – the end points that place and receive calls
  • Communication server/router – responsible for provisioning, monitoring and administering the system
  • Voice/media gateways – implement the protocols that interconnect your VoIP system and facilitate calls between IP and analogue networks

Ensuring that each of them is secure is critical to keeping your network safe.

VoIP uses the Session Initiation Protocol (SIP) for call signaling and the Real-time Transport Protocol (RTP) for voice delivery; neither protocol encrypts the data on its own.

Installing a Symantec SSL certificate on your VoIP server greatly enhances security by encrypting the signaling and securing the voice streams between your devices, preventing MITM (man-in-the-middle) attacks and other compromises.

Secure your communications with a Symantec Premium SSL certificate and implement an additional layer of protection with its free malware and vulnerability scanning services.

Frequent scans of your server will help protect your networks from unwanted intrusions and help you proactively mitigate vulnerabilities.

In addition to the malware and vulnerability services, Symantec Premium SSL certificates include a free ECC (Elliptic Curve Cryptography) certificate alternative at no additional cost. ECC certificates provide stronger security and better server performance thanks to their shorter key lengths (a 256-bit ECC key provides the same level of security as a 3,072-bit RSA key), which also reduces the computational load on the server.

Enjoy the flexibility of a single SSL certificate that secures multiple domain names simply by adding them to the same certificate. These certificates are known as SAN certificates or Unified Communications (UC) certificates and are commonly used with Microsoft server products (MS Exchange Server, MS Lync Server, etc.).


Vulnerabilities in Mobile Apps


Recently we have read about many SSL/TLS-related vulnerabilities found in mobile apps, which should come as no surprise. We were warned about this back in 2012 (see my previous blog). More warnings came in 2014 from CERT and FireEye. The Open Web Application Security Project (OWASP) listed “insufficient transport layer protection” as number three in its top 10 list of mobile security problems of 2014.

One recent study found that thousands of mobile apps still used an old version of the OpenSSL library that was vulnerable to the FREAK attack. A similar problem was revealed by the creators of a popular mobile networking library called AFNetworking, when they disclosed a serious bug in their library that bypassed all SSL/TLS security checks. Although this bug and the one in OpenSSL were quickly corrected, thousands of mobile apps remain vulnerable until their developers recompile with the fixed version of AFNetworking or OpenSSL, and users upgrade to the fixed version of each app. Because these bugs were in application libraries and not in the operating system, phone vendors cannot automatically apply a patch. Given the slow rate at which users upgrade mobile apps, these vulnerable apps are likely to be with us for a long time.

Failure to properly write and test SSL/TLS-related code might be due to ignorance or an assumption that the platform or library will “get it right”.  Sometimes SSL/TLS checks are disabled during development and debugging. App creators intend to re-enable the checks before the app is shipped, but they forget. That’s apparently what happened with Fandango and Credit Karma, who were cited last year by the FTC for SSL/TLS failures in their mobile apps.

Developers don’t have to rely on blind faith; good tools are now available, like CERT’s Tapioca, for testing how an app behaves in the presence of a Man-in-the-Middle (MITM).

In addition to the SSL/TLS certificate validation tests described in the white paper linked by my earlier blog, developers might also consider Public Key Pinning, defined in a relatively new RFC from the Web Security working group at the Internet Engineering Task Force (IETF). Developers need to apply caution, however, since one study pointed out the difficulty of building it correctly and the consequences of mistakes.
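The two points above, validation checks that must not stay disabled after debugging and pinning that needs a backup pin to survive certificate rotation, as an added Python example that is not from the original post. It uses the standard `ssl` module; the certificate byte strings are constructed stand-ins for the DER bytes `getpeercert(binary_form=True)` returns, and pinning the whole certificate hash (rather than the public key) is this example's simplification.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates. In a real app these are
# the bytes returned by tls.getpeercert(binary_form=True) after the handshake.
CERT_CURRENT = b"constructed DER bytes: current server certificate"
CERT_BACKUP = b"constructed DER bytes: pre-generated replacement certificate"
CERT_OTHER = b"constructed DER bytes: certificate the app must reject"

def fingerprint(der_cert):
    """Hex SHA-256 of the DER certificate: the value the app pins."""
    return hashlib.sha256(der_cert).hexdigest()

# Pin set shipped with the app. The second pin is the backup: shipping only the
# live certificate's pin is the mistake that locks users out on renewal.
PINS = frozenset({fingerprint(CERT_CURRENT), fingerprint(CERT_BACKUP)})

def pin_set_is_deployable(pins):
    """Release check: refuse to ship a pin set without a backup pin."""
    return len(pins) >= 2

def verify_pin(der_cert, pins=PINS):
    """Pinning runs after normal chain and hostname validation, never instead."""
    return fingerprint(der_cert) in pins

def secure_context():
    """Client context with the checks that debug builds sometimes switch off
    (check_hostname=False, verify_mode=CERT_NONE) and forget to restore."""
    ctx = ssl.create_default_context()          # system trust store
    ctx.check_hostname = True                   # reject certs for other hosts
    ctx.verify_mode = ssl.CERT_REQUIRED         # reject unverifiable chains
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_is_hardened(ctx):
    """Test hook for CI: assert on the context the app actually uses."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)

def connect_pinned(host, port=443, pins=PINS):
    """Full flow: validated TLS handshake, then the pin check on the leaf cert."""
    with socket.create_connection((host, port)) as raw:
        with secure_context().wrap_socket(raw, server_hostname=host) as tls:
            if not verify_pin(tls.getpeercert(binary_form=True), pins):
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            return tls.version()
```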

Website Attackers Move to the Cloud While Malware Attacks Fall – Website Security Threat Report 2015


This post uses information taken from the Symantec Website Security Threat Report 2014 Part One.

2014 saw a change in tactics for those attempting to attack websites and their users. While the number of websites infected with malware decreased almost 50% (from 1 in 566 to 1 in 1126), the number of web attacks decreased by just 13%. This means that each infected website was responsible for many more attacks compared to 2013.


The reason is a huge change of tactics by cyber criminals, who are now using web attack toolkits designed to be run in the cloud as Software-as-a-Service (SaaS). These SaaS toolkits use an HTML iframe tag or obfuscated JavaScript to pull malicious code from the SaaS-based exploit toolkit, rather than launching the attack directly from exploit code hosted on the compromised website itself.

In terms of the most exploited categories of websites, the attackers are also keeping up with the tech trends. We have seen ‘anonymizer’ websites – which are used to increase web users’ online privacy – break into the top 10 for the first time while automotive sites have dropped out of the top 10.


For much more information on the website security landscape and how you can keep your website visitors safe, download the first part of the WSTR here.
