How and when to use self-signed SSL Certificates
SSL – Secure Socket Layer – is a vital weapon in the armory of any organisation intent on ensuring its systems are safe. It is the standard behind ensuring secure communication on the Interne…
Ponga rumbo a tierras más seguras con el protocolo TLS
Las redes privadas virtuales (VPN) son de gran ayuda para las empresas que desean abaratar la comunicación empresarial y, al mismo tiempo, facilitar el acceso seguro a los datos a qui…
Schützen Sie den Datenverkehr in Ihrer Umgebung mit TLS
Virtuelle private Netzwerke (VPN) sind eine hervorragende Lösung, wenn Sie die Kommunikationskosten Ihres Unternehmens senken und Telearbeitern, Mitarbeitern auf Geschäftsreise und …
Sécurisez Vos Communications En Ligne
Les réseaux privés virtuels (VPN) représentent la solution idéale pour garantir un accès sécurisé et économique aux télétravailleurs et autres collaborateurs mobiles de l’entreprise. Mais voilà, le déploiement et la gestion d’un VPN sécurisé peuvent s’avérer pour le moins complexes. Heureusement, des solutions existent. État des lieux.
Le protocole TLS (Transport Layer Security) – qui succède aux certificats SSL (Secure Sockets Layer) – constitue sans aucun doute l’une des meilleures solutions. Pour ceux qui connaissent mal cette technologie, il s’agit d’un mécanisme de cryptage des communications point à point sous de nombreux protocoles (HTTPS, SMTPS, POP3S, etc.). Un VPN TLS permet à des échanges autrement non cryptés d’emprunter un canal sécurisé. Résultat : vos données sensibles sont protégées sur vos sites Web, intranets et extranets.
Un VPN peut être configuré de manière à transmettre des communications sécurisées vers le site distant, en aval du VPN. Le site distant peut aussi servir de passerelle. L’intégralité du trafic entre le poste de travail local et le routeur VPN est alors cryptée. Un VPN TLS encapsule les données sous-jacentes dans des paquets cryptés selon le protocole TLS. En d’autres termes, des paquets VPN pourront être des paquets HTTP cryptés en TLS – le VPN agissant comme une couche inférieure du modèle OSI.
Au terme de ce bref aperçu des rouages du dispositif, peut-être vous demandez-vous ce qu’il en est vu de l’extérieur, là où la confiance de vos clients décide de la réputation et de la réussite de votre entreprise. Tout naturellement, vous souhaitez garantir une protection de tous les instants aux visiteurs de vos sites Web. Dans cette optique, et face à des cybermenaces en constante évolution, la technologie SSL/TLS s’est imposée comme la pierre angulaire de la protection et de la confiance des internautes depuis plus de 10 ans, et ce pour encore longtemps. Le TLS 1.2 ne peut pas encore être utilisé avec tous les platforms web et tous les programmes, mais il se traite, sans doute, du protocole TLS du future.
C’est à ce niveau que Symantec Website Security Solutions (WSS), combinés avec les TLS d’excellente qualité,intervient. Aujourd’hui, 100 % des entreprises du Fortune 500 font appel à Symantec. Nos produits de sécurisation des sites Web ont donc largement fait leurs preuves dans des environnements aussi exigeants que fréquentés.
La gamme Symantec SSL repose sur une infrastructure évolutive et fiable.En moyenne, nos services de validation SSL traitent 4,7 milliards de hits par jour, le tout sans interruption de service depuis plus de 8 ans. Ça n’est pas rien !
Même si la technologie sous-jacente s’avère élaborée, l’objectif reste simple : sécuriser les transactions en ligne, pour vous comme pour vos clients. À cet égard, le protocole TLS ne constitue bien entendu qu’une pierre de l’édifice. Pour renforcer encore davantage la protection de votre VPN, vous pourriez notamment adopter Symantec Validation and ID Protection (VIP), une solution d’authentification à deux facteurs qui permet aux entreprises de sécuriser l’accès à leurs réseaux et à leurs applications contre d’éventuelles intrusions.
Toute modestie à part, il n’existe aucune marque de confiance plus reconnue que le sceau Norton Secured. Or, lorsqu’il s’agit de protéger nos biens les plus précieux, personne n’est enclin aux compromis. Il en va sans aucun doute de même pour la réputation et la sécurité de votre entreprise. Là encore, les solutions Symantec vous aident à rester exempt de tout reproche.
Transported to a more secure environment
Virtual private networks (VPNs) are a real boon when it comes to reducing the cost of business communication, while at the same time extending secure remote access to teleworkers, travellers and mobile professio…
An ongoing threat exists for computer users who, while browsing the Internet, began receiving pop-up security warnings that state their computers are infected with numerous viruses. These pop-ups known as scareware, fake, or rogue anti-virus software look authentic and may even display what appears to be real-time anti-virus scanning of… Read more »
今では、データ侵害の事例をほぼ毎週のように見かけるようになりました。そのたびに膨大なユーザーアカウントと、おそらくはそれ以外にも重要なデータが危険にさらされていますが、ほとんどの人はそうした報道に驚きさえしなくなっています。データ侵害はそれほど日常茶飯事になりつつあるからです。
データ侵害に使われる攻撃のなかでも特に多いのが、SQL インジェクションです。SQL インジェクションは、Web アプリケーションの欠陥ランキング OWASP Top 10 でも、長年にわたってトップの座を占め続けています。SQL インジェクションを防ぐ手段はいくつも知られているはずですが、残念ながらアクセス数の多いサイトでも SQL インジェクションの発生は後を絶ちません。さらに、Web サーバーの設定不備やリモート管理ツールの脆弱性を狙えば、攻撃者はシステムにアクセスし、潜在的に重要なファイルを読み取ることができます。
最も確実なパスワードの保存方法については長い間さかんに議論されてきましたが、今でもその結論は出ていません。データベースに平文でパスワードを保存するのは好ましくない、というのは大多数の一致するところですが、実際には今でも至るところで行われています。言い訳として返ってくるのは、「データベースには誰も読み取りアクセス権を持っていないのだから、何も問題ないでしょう?」といった言葉です。歴史が繰り返し証明しているように、この言葉がいつまでも当てはまることはありえません。
一般のユーザーは、自分のパスワードがサービス上でどのように保存されているのか知らないのが普通です。パスワードリセットの機能を利用するという鮮やかな手口も考えられます。なかには、ユーザーのパスワードを平文で記載したメールを送信してくるサービスもありますが、それだけでもパスワードが平文で保存されていることは明らかです。疑問に思ったら、サービス会社に問い合わせてみることもできますが、たいてい「パスワードは最新の暗号化技術で保護されています」と請け合うだけで、それ以上のことは知らされないでしょう。
それでも、キーワードは間違っていません。ほとんどのシステムでは、一方向の暗号化関数が導入されているからです。パスワードの保存には、MD5 や SHA1 など、いわゆるハッシュ関数が使われています。注意したいのは、これがパスワード保護の関数ではなく、通常はメッセージダイジェストを作成するための関数だということです。これをパスワードに利用し、ハッシュ値だけを保存することで、平文パスワードの問題は消え去るように見えます。ところが攻撃者には、パスワードとそれに対応するハッシュ値のペアをあらかじめ計算した「レインボーテーブル」を作成するという手があります。最近のクラウドサービスを使えば、レインボーテーブルの生成にそれほど時間はかからず、組み合わせの値も簡単に保存できます。こうした仕組みを利用すれば、簡単なルックアップだけで一般的なパスワードはすべて瞬時のうちに破ることができるのです。
レインボーテーブルでもパスワードを簡単に破ることができないように、ソルト(salt)を使う方法があります。ソルトとは、ランダムな長い文字列で、これをハッシュ化する前にパスワードと組み合わせます。ユーザー単位でこれを使うと、文字列は一気に複雑になります。仮に 2 人のユーザーが同じパスワード(たとえば、123456)を使ったとしても、結果的にテーブルでは異なるハッシュとして生成されます。しかも、攻撃者は想定されるソルトごとにレインボーテーブルが必要になるので、多数のユーザーのパスワードを同時に解析することは大幅に難しくなります。それでも、特定の 1 ユーザー(たとえば管理者)のパスワードを総当たりで突き止めることは、依然として可能です。
ここで登場するのが、イテレーション(反復)またはキーストレッチです。ハッシュ関数を何度も何度も繰り返すと、全体のプロセスは遅くなります。通常の使い方でログオンする場合には、多少の遅延もそれほど問題になりませんが、総当たり攻撃となれば、パスワードの解析に要する時間は数千年に達するかもしれません。簡単に組み込める例が、bcrypt と PBKDF2 です。もちろん、2 要素認証を使うだけでも障壁を高くすることはできます。シマンテックの VIP サービスもその一例です。
パスワードの保存にどのような機能が使われるとしても、サービスごとに異なるパスワードを使うようにするのが理想的であることは変わりません。すべてのサービスで同じパスワードを使っている場合、そのひとつでも破られてしまうと(おそらくはパスワード保存のしかたが悪いために)、他のパスワードもすべて攻撃者に知られてしまうことになるからです。データ侵害に成功するたびに、攻撃者は他のサービスに対しても電子メールパスワードの組み合わせを試そうとするものです。あわよくば、という期待程度にすぎませんが。
そもそも強力なパスワードを使うことが必須であることは、言うまでもありません。「123456」は、もちろん強力なパスワードとはほど遠く、けっして使うべきではありません。パスワードを変えたらすべて覚えていられない、というのであれば、パスワードマネージャを使うという手があります。そうすれば、パスワードをスマートフォンに保存して、いつでも確認できます。もちろん、そのスマートフォンを紛失した場合には誰もパスワードマネージャにアクセスできないようにしておく必要がありますが、それはまた別に考えるべき問題です。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
In today’s connected world, many of us are members of at least one, if not more, social networking services. The influence and reach of social media enterprises, such as Facebook (more than 600M active users per month) and Twitter (more than 140M active users), is staggering and as communications tools they offer a global reach delivering almost instantaneous communications to huge multinational audiences. Social media is attractive for hacktivists because it is a forum for people on the Internet and where big discussions take place. Hijack a forum like this and you have an effective soapbox to get your message across. Hardly a day passes without news of another high profile breach by hacktivists and social media influencers are in the crosshairs. Are social media and hacktivism two ideas that are made for each other? Let’s explore some thoughts and ideas and you can make up your own mind.
The ability of social media to spread news quickly is powerful, and obviously, has great potential for positive use but, like many things in life, it also has potential to be abused. In the case of the recent tragic events in Boston, the tweets started almost immediately and helped keep people informed and also warned people away from the area. Many of the tweets came from “citizen journalists” who were actually on the ground as the events unfolded and were able to describe first-hand what they witnessed. Even in the aftermath of that event, social media played a major part in helping to track down the suspects behind the tragic event. Law enforcement issued a general plea for information and the public gladly did what they could by publishing information, pictures, and videos of the event on the public forums provided by social media sites. Law enforcement was able to utilize this information available to put the pieces together.
The downside of this highly visible means of public participation when looking for suspects in a highly charged situation, such as this, is that individuals may be wrongly accused. This is exactly what happened on certain social media sites where, notably, the Reddit service drew the most criticism. On their site users took the role not only of citizen journalist, but as citizen investigator too. Users began to look at the details and photos posted on the site and pieced together their own—and, as it turned out, incorrect—conclusions on the matter. False information and allegations began to circulate and took on a life of their own.
The business of news is all about influencing people and social media provides a large audience to be influenced. Influence is such a fundamental concept in social media that there are even services which attempt to measure how much influence a user has in the social media space. Services, such as Klout, are designed to address how much influence a user has by using algorithms to measure a person’s “clout,” reflected by a number between 1 and 100, with a higher score indicates a higher level of influence.
The news industry has long recognized the power of social media, not only for influencing people but also for gathering information. Today, just about all news outlets have a social media presence to receive and broadcast news to interested audiences. Twitter is the default choice to quickly get information out there. The 140 character limit on tweets forces users to be succinct and focus on main points when communicating. Since many Twitter users use the service on their mobile device and people generally have their mobile device near them all day, information can quickly reach people and be shared again (retweeted) propagating throughout the service’s user population (“going viral”).
Indeed, services like Twitter reach mass audiences and in turn hold a strong level of influence. Then when trusted media brands enter the social media space, their power of influence and reach is further magnified. We have seen how big news stories often drive follow-up events. Major disasters or terrorist acts have an immediate impact on stock markets. For example, the stock market crashed immediately following the September 11 attacks in 2001—and that happened before the advent of modern day social media services. Recently it was reckoned that the next market crash will be tweeted and given the role social media now plays in society there is no reason to doubt that. What is to stop criminals from perpetrating “pump and dump” stock market fraud by spreading market-moving rumors in social media which cause wild movements in stock prices? This is particularly true as professional trading systems are now even designed to “read” news headlines and react to news autonomously.
Hacktivism is a modern-day evolution of traditional activism brought about by a confluence of technology, politics, and people power. While traditional activism still has its place, activist activity is increasingly being conducted online. There are likely a myriad of reasons why this is the case but one thing is for sure, activists have caught on to the powers of social media and the Internet as tools to further their cause. Many of them actively use Twitter to communicate and coordinate worldwide activities.
Ultimately, hacktivists aim to draw attention to their causes which, naturally, makes big influencers their biggest targets. With so much power and influence under the control of trusted brand’s social media accounts it is not too difficult to see that hacktivists would try compromise these accounts and leverage some of the influence for themselves. We have all heard of various celebrity, politician, and corporate social media accounts being hacked, bogus messages being sent, and much of it relatively harmless. But what if a highly influential account is hacked and a plausible but fake message about some disaster or terrorist attack is broadcast to a nation? The possibility for causing panic and disruption is clear. Unfortunately, this type of activity is set to be become an increasingly common phenomenon.
While much of the hacktivists’ attention is focused on the perceived injustices of governments and big business, along with global issues, they also zone in on local issues too.
In recent months, there has been an increase of hacktivism activity. This activity is largely focused on hacking into legitimate social media service accounts and defacing them or posting false messages. In general, these social media accounts are protected only by password based authentication. The only thing that stands between an attacker and your loyal base of social media followers is a short series of characters. While in some cases, passwords may be guessed due to a bad choice of passwords, there are other ways in which an attacker could get at the password and gain access. It has been proven that people are often the weakest link in many security systems, so it makes sense to exploit this weakness through social engineering. In recent attacks of this type, attackers gained access by sending phishing emails that, at their core, just asked the user for the login details, but disguised the request to make it look legitimate. For example, phishing emails may present users with a link and ask them to log in using the link to verify their account, but in reality their password is being stolen. Attacks of this type have been tried and tested, and found to be effective.
Another way in is to exploit weaknesses in the lost password feature. The feature is not only convenient for users, but also for mischief makers too. There are a plethora of implementations for handling lost user passwords. Some will just ask the user to specify an email address and it will send a new password. Other types will ask a security question, but often times the security questions themselves are insecure, and ask where the user was born or where they went to school. This type of information can be obtained relatively easily on the Internet. Couple this with password reuse and users who do not change their passwords frequently and it is easy to see that there is an opportunity for attack here.
The Internet and the social media services enabled by it are truly revolutionary, but many of them are built in such a way that enables anonymous and irresponsible messaging. For example, when a person signs up for a social media account, they are asked for personal details during the sign process, but how many people actually provide real names and contact details when signing up for these accounts? There may be legitimate reasons for providing false information, particularly in the light of all the data breaches into large and well known websites in recent times, but the ability to access these services without being traceable makes them ripe for abuse. It’s interesting to consider whether people would be as inclined to carry out malicious activities on the Web if they knew they could be easily traced and held accountable for their actions.
Given the potential influence behind the brands who own social media accounts, the question for legitimate account owners and social media service providers is: shouldn’t the protection of these accounts be of the highest priority? We are all waking up to the risks posed but unfortunately, there is no single silver bullet that can stop all misuse. Responsibility for account protection is a shared one. The social media industry could do more to help protect against misuse and unauthorized access, but at the same time, account owners could do more too.
Social media sites could ensure that if account login attempts fail repeatedly, further attempts are either delayed by temporary suspensions to slow down brute force attempts or have the account locked and notification sent to the owner. Some services even track the list of IP addresses used to access the service and will notify the owner if a new IP is used to access the service, which could indicate a possible breach of the account.
Social media service providers can help by implementing improved security around authentication and authorization, and more secure storage and handling of personal information. Many websites are increasingly turning to two factor authentication (2FA) to increase account login security. This is a welcome and necessary measure, but they could potentially do more. How about requiring two factor authorization before messages can be sent? This could help prevent unauthorized messages from being sent, even if the main account password was compromised.
Service providers could also introduce tiered accounts with different access levels; this would be particularly useful for business users on social media. Not everybody in a business needs to be able to send messages, so the ability to manage user access controls would be beneficial. HootSuite is an example of a service that offers granular user access controls for managing social media accounts and may be a helpful add-on service for business users. Subscriber and follower management is another feature area that could be explored. Google had an interesting idea with the concept of circles, which allows for selective sharing of information, and goes some way towards addressing this. When you boil it down, the problem is this: accounts in most social networking sites are designed around a person, who is unlikely to need or want different access control levels for their own account, and not a brand or a company. This situation makes the current mapping of requirements between a commercial or brand entity and a personal social media user account a somewhat uncomfortable fit.
Users can help matters by being better educated against social engineering attacks, equipping themselves with good quality protection software, and practicing better security hygiene such as better choice and handling of passwords. For example, according to a recent report by Ofcom (UK communications industry regulator), over half of the adults in the UK use the same password across multiple websites. This statistic is very likely mirrored in other parts of the world and is not encouraging at all from a security standpoint. Users of social media would be well advised to beef up on their security awareness training because technology only represents a small part of the solution to this problem.
As some commentators say, it’s a bit of a wild west in the social media space right now, freedom of speech and civil liberties is hugely important, but so is the responsibility that comes with it. Back to my original question: Are social media and hacktivism made for each other? Of course that is not true, both can exist quite happily without the other. Social media was not created to be a platform for hacktivism and it would be beneficial if hacktivism was not carried out through it. However, social media does amplify the power of hacktivism and because of that, it represents a highly effective and attractive avenue for hacktivists to carry out their activities.
A YouTube video called Movies vs. Life compares scenes embellished with movie magic to their real-life equivalents. We like to think that an avast! Antivirus cameo during a computer hacking scene (pay attention around 0:22 seconds) is one of the reasons that this hilarious video has gone viral. A round of applause from avast! to […]
It can be fun ‘checking in’ at your favourite restaurant on Facebook, sharing pics of your hotel room on Instagram or buying and selling items on eBay. In fact – it can give you quite a buzz. But did you know that ‘geotagging’ (sharing your location via your pics or videos) can put you and Read more…