Tag Archives: Website Security Solutions

Quick update….


I’d like to share two webinars with you that we delivered this week

The first was Attack of the Cyber Spies a webinar delivered as part of BrightTALK’s Hackers Summit which you can access here.

The second is the December update of the regular webinar series I do with my colleague Andrew Shepherd: Website Security Threats: December Update

I’ve also posted both webinar slide decks to Slideshare here

Finally, I’d also like to share this blog posted by Tom Powledge, who is the VP of the Website Security Solutions division here at Symantec: Keeping Your Data Safe with SSL

We’ll be back next week with some new blogs.

Keeping Your Data Safe with SSL


There’s been plenty in the news recently regarding encryption and SSL – which has led some people to wonder how safe the technology really is.  As the leader of Symantec’s Trust Services Products & Services organization, I want to assure you that SSL is safe.  Below is some information that may help you understand why, and also inform you about the current state of SSL security.

First, the fundamental key strength of RSA 2048-bit certificates is solid and without question.  Independent cryptography experts have confirmed this, and highly-respected publications such as the MIT Technology Review have published articles on the subject.  As always, organizations that use SSL should make sure they use the strongest algorithms available.

Customers of SSL certificates should take specific actions to safeguard the security of their server-side private keys.  They should put in place powerful network protections and should never utilize tools where private keys are revealed to third parties.  Symantec never takes possession of any customer’s SSL private keys.

Lastly, and perhaps most importantly, Certificate Authorities that issue SSL certificates must never share the private keys of their roots. The trust in SSL by everyone – from end-users, to the companies that they communicate with, to the browsers that enable secure connections – all depend on Certificate Authorities to provide unequivocal security of their root keys.  

As the world’s largest and most trusted Certificate Authority, we use best-in-class security processes to protect our roots.  We do not share our private keys with any third-party company, government, organization or individual.  To repeat: We never share our root keys, and never will.  Period. 

We are committed to ensuring our customers can use SSL safely and we recommend that customers take important, but simple steps to proactively protect their private keys.  To learn more about Symantec’s SSL offerings, please go to http://go.symantec.com/ssl.

PAYING THE PRICE FOR SUCCESS: CYBERCRIME AND THE MIDDLE EAST

As we wrote in our previous blog, the Middle East and North Africa (MENA) region is basking in the joys of booming economic growth.

These are exciting times. That said, such success also has its downsides. While e-commerce is on a rapid upward trajectory – particularly in the banking and travel sectors – it has made many MENA businesses highly attractive to cybercriminals, who are out to cash in on any vulnerabilities they can exploit.

Just how open to the cybercriminals the region is can best be exemplified by the targeting of its oil and gas sector. Last year, it was the victim of a hacker attack known as Shamoon (aka W32.Disttrack), which is capable of wiping files and rendering several computers on a network unusable. Saudi Arabia’s national oil company Saudi Aramco itself came under fire, with 30,000 of its computers knocked out, resulting in its own network being taken offline. Only a few days later, in Qatar, computer systems at energy firm RasGas, one of the world’s largest producers of liquid petroleum gas, were also taken offline by a similar attack.

What exactly can Shamoon do once it gets inside an organisation? A great deal of damage, is the answer. Using bespoke malware written to run on both 64-bit and 32-bit systems, it is able to:

  • Disseminate malware over the network
  • Pass data to the attackers
  • Erase disks of infected machines.

But the level and scale of attacks go way beyond that. In some cases, they are designed to cause maximum disruption for political reasons. In other cases, it’s all about inflicting brand damage or manipulating the market. But mostly these assaults are driven by financial motives. And they are only increasing. As the MENA region’s economy prospers, the cybercriminals are out to do the same.

One favoured method of trapping the unsuspecting is what is known as a ‘watering hole’ web attack. Just as a lion will lurk unseen, waiting for its prey to come out into the open to drink, believing it is safe, so too do the hackers seek out those with their guard down (indeed, one particularly successful watering hole attack, successful for the perpetrator that is, infected 500 organisations in a single day). The attackers seek out particular individuals or groups (an organisation, industry or region, such as MENA) as their intended victims and then:

  • Identify which websites are used most often
  • Exploit a website vulnerability and infect one or more of these sites with malware
  • Ensure as a result that some member of the targeted group will also get infected.

Once that process is complete, the trap is sprung and the defenceless victim ensnared. Google, Apple, Twitter and Facebook have all been victims of such attacks after employees visited a site popular with iOS app developers.

For those intent on enjoying a share of MENA’s burgeoning prosperity while avoiding the damage inflicted by the cybercriminals, it is vital that anyone who engages with your business remains safe and secure, particularly when conducting online transactions. And the way to make certain of this is by using SSL and a trust mark such as the Norton Secured Seal.

In fact, SSL certificates should be the starting point for any e-commerce site or anyone else that asks customers to submit personal information. Equally, for companies that don’t ask for personal information from visitors, SSL is still an absolute must, as it acts as a powerful protective barrier online, keeping the cybercriminals at arm’s length. So, if you are operating in the region or looking to do so, you need to put a series of ‘Best Practice’ measures in place, such as:

  • Advanced Reputation Security: detect and block new and unknown threats based on global reputation and ranking.
  • Layered Endpoint Protection: use more than just AV; use the full functionality of endpoint protection, including heuristics, reputation-based, behaviour-based and other technologies; restrict removable devices and turn off auto-run to prevent malware infection.
  • Layered Network Protection: monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies; network protection is more than just blacklisting.
  • Security Awareness Training: ensure employees become the first line of defence against socially engineered attacks, such as phishing, spear phishing and other types of attacks.
  • Website Security Solutions from Symantec: SSL certificates with added website malware scans and web vulnerability assessment to ensure your site cannot be compromised by hackers.

Most of all, you need to create and enforce security policies, so that all confidential information is encrypted – and monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies.

On which note, according to a survey carried out recently by the independent web research organisation Baymard Institute, in conjunction with Google, the Norton Secured Seal is by far the most trusted – nearly 13% ahead of its nearest rival (http://baymard.com/blog/site-seal-trust). It was shown to be the seal that gave customers the strongest sense of trust when purchasing online, making it the de facto choice.

For any business intent on capturing and keeping customers in the MENA region by establishing the highest levels of trust and trustworthiness, such reassurance will play a major role in the days ahead, as the internet spreads its reach even farther and e-commerce gathers ever greater momentum.

To learn more please visit go.symantec.com/ssl

The price of fame


In the past year we have seen a number of security-related stories in the Finnish media.

Spring saw one of the Nordic region’s largest banks forget to renew the SSL certificate that secured their new online banking site. This unfortunately is not a rare phenomenon, and companies such as Google, Twitter and LinkedIn have all experienced similar certificate expiry issues. Consumers are advised, however, to be cautious online and pay heed to the warning messages they see in their web browsers; my colleague Andy Horbury wrote about a similar incident recently.

Another blunder highlighted in the press happened a few weeks later, when the Certificate Authority used to issue certificates for some local government sites advised users that the site they were visiting was no longer to be trusted. This was simply because they had used a CA whose root certificate was not trusted in the Mozilla browser, Firefox. Imagine securing your site with an SSL certificate that works for everyone apart from Firefox users, and then compounding that by giving visitors the horrendous advice to ignore any browser warnings they might see when visiting the site. Today this issue has been fixed and the site in question has switched its SSL certificate to a trusted CA. However, I can’t even imagine how this advice from a powerful entity affected consumers, or what it means for trust online if they can simply ignore browser warnings; in my opinion, and that of any IT professional, this is pure nonsense.


Shopping at your own risk

The third incident in the news coverage was the report regarding the part that Finns were playing in an international group of hackers. The young man in question has hacked sites in relative peace and quiet for the last couple of years, beavering away diligently, scouring Finnish discussion forums and gaming sites for user names, passwords and credit card information, as well as anything else he could find. Were the sites he targeted protected by SSL certificates? Unfortunately not.

Sadly, in too many instances SSL encryption is forgotten when securing servers and websites. By not taking security as seriously as they should, companies are playing a dangerous game with their own brand and reputation. As we saw in the Symantec ISTR report, cybercriminals are increasingly targeting not only banks and large organizations but also much smaller businesses, because they are viewed as very attractive and lucrative targets.

Brand building and winning consumer confidence do not happen overnight, but come as a result of many hours of work, sleepless nights and meeting after meeting… yet all this can be put at risk by the simplest mistake you make. By letting a certificate expire, using a mistrusted CA or even giving the wrong advice about security online, you are building your business on foundations of sand.


If they can’t see it, how can they know?

I myself was recently talking about information security to business students. Before I told them about the existence of SSL certificates, I showed them these two sites and asked which of the two was safe:

[Image: blogiin.jpg]

The reply came straight away, as if from the pharmacy shelf: one of the students pointed to the one on the right-hand side without even thinking about it. When I asked the reason for the choice, he replied: “Well… there’s that green address bar there.” Yes! Too bad I didn’t record this session; I would have forwarded the recording to some IT people.

Today’s online consumer, a young student, chose the Extended Validation-certified site without knowing about all its technical features: intuitively they knew what looked safe, and would put their money where their mouth is when it came to purchasing on a site like this.

Protecting customers’ and the company’s information is not a staggeringly large investment. Creating brand awareness and brand status are key when it comes to maintaining a trustworthy reputation, and part of the investment in your brand should be to make purchases from reliable partners; the same applies to security contracts. Security should no longer be acquired with an “as long as we have something there” attitude. If you feel that you don’t have the knowledge or resources, you can always get this from your trusted service providers.


(Finnish) companies should be prouder of their brands – and protect them accordingly.

Knowledge is Power – Website Vulnerabilities


This blog post is based on the ‘Knowledge is Power: Symantec Guide to Protecting your Website’ whitepaper, which is free to download now. In 2012 Symantec performed more than 1,400 website vulnerability scans each day. More than half the webs…

The Power to Destroy: How Malware Works


This blog post is based on the new Symantec Website Security Solutions free white paper, The Power to Destroy: How Malware Works which pulls together statistics from across Symantec’s global security network. The white paper is available in Frenc…

Staying safe online over the Christmas holiday period

While we rush online to buy gifts for our nearest and dearest, scammers are looking to make their wage from your online mistakes. Learn how to stay safe online while doing your Christmas shopping this holiday season.
‘I’m dreaming of a safe…

CYBERCRIME TAKES ITS TOLL


For anyone intent on finding out exactly what the worldwide impact of cybercrime is now – and the price we are all paying as it penetrates every corner of the global markets – there can be no better starting point than the 2013 Norton Cybercrime Report[1].

The findings are both eye-opening and deeply concerning. According to the report, some 1 million-plus adults become cybercrime victims every single day and, if you break that down, it equates to a staggering 12 victims per second.

This annual report, commissioned by Symantec[2], is focused on understanding exactly how cybercrime affects consumers (more than 13,000 adults across 24 countries took part in the 2013 survey) and how the adoption and evolution of new technologies impacts their overall security.

And what an impact that turns out to be, with the global price tag of consumer cybercrime now topping US$113 billion annually – enough to host the 2012 London Olympics nearly 10 times over – while the cost per cybercrime victim has shot up to US$298: a 50% increase over 2012. In terms of the number of victims of such attacks, that’s 378 million per year – averaging 1 million plus per day.[3] Speaking of the Olympics: BT security chief executive officer Mark Hughes, in a presentation at the recent RSA conference, said that no (successful) cyber-attack had occurred during the Games. Quite an achievement, considering BT dealt with over 212 million cyber-attacks on the official website during last year’s Olympic and Paralympic Games.

PAYING THE PRICE

According to the report, 83% of direct financial costs are a result of fraud, repairs, theft and loss. Equally worrying is how deeply cybercrime is etching its mark across each and every continent.

In North America, the percentage hit by these attacks was 63% in the USA (at a cost of US$38 bn), while in Canada it was even higher, at 68% (cost: US$3 bn).

In Central America-Latin America (CALA), the figures were no less alarming: Brazil 60% (cost: US$8 bn); Mexico 71% (US$3 bn); and Colombia 64% (US$0.5 bn).

In the Middle East, the worst affected countries were Saudi Arabia (62%, US$0.5 bn) and the UAE (71%, US$0.3 bn).

THE VICTIMS

What makes this even more concerning is that, as our channels and means of communication expand, cybercrime is seizing on the opportunity, spreading across the world with the speed and ferocity of a pandemic. Well over a third (38%) of those surveyed have experienced mobile cybercrime in the past 12 months, the main victims being:

  • Social network users – 63%
  • Public/unsecured Wi-Fi users – 68%
  • Emerging market users – 68%
  • Parents of children aged 8-17 – 65%.

Half (50%) of all online adults have been victims of cybercrime and/or negative online situations in the past year, the report confirms, while 41% have fallen victim to attacks such as malware, viruses, hacking, scams, fraud and theft.

PUBLIC/UNSECURED WI-FI

As far as public/unsecured Wi-Fi is concerned, the statistics relating to potentially risky behaviour are particularly disturbing:

  • 56% access their social network account
  • 54% access personal email
  • 29% access their bank accounts
  • 29% shop online
  • 30% do not always log off after having used a public Wi-Fi connection
  • 39% do not take any special steps to protect themselves when using public Wi-Fi.

The cybercriminals must be equally encouraged at the response to their full-on assaults when it comes to mobile devices – because the 2013 Norton Cybercrime Report also reveals that nearly a half of respondents don’t use basic precautions, such as passwords, security software or back-up files.

On the plus side, when it comes to their PCs:

  • 90% do delete suspicious emails from people they don’t know
  • 72% have at least a basic free antivirus solution
  • 78% avoid storing sensitive files online.

However, that still means more than a quarter DON’T appear to have any antivirus protection at all, while almost a quarter DO store sensitive files online.

CONVENIENCE OVER SAFETY

Why is safety on line treated so indifferently by so many people? According to the 2013 Norton Cybercrime Report: “Many consumers are making a conscious decision to trade their safety for convenience; many more are unaware that they’re making the same trade.”

What the report highlights most of all is that the need to stay safe at all times has never been greater. Moreover, ‘constantly connected’ doesn’t have to equal ‘constantly at risk’, it points out. The tools and solutions are readily to hand to ensure that you are always protected. Here are some ‘Top Tips’ from the report on how to defend your data:

  • A comprehensive security suite provides a strong defence against online threats. Norton 360 multi-device offers protection for PCs, smartphones and tablets, in a single solution
  • Be cautious in the cloud. While cloud storage solutions make it easy to save and share files, they also open other avenues for attack
  • Be careful about who has access to your files and use a solution with built-in security, if possible
  • Save sensitive transactions for secure connections
  • Free or unsecured Wi-Fi networks can make it easy for thieves to eavesdrop on your activity
  • Avoid conducting sensitive transactions, such as banking or shopping, while connected to these networks, or use a personal VPN client
  • After you connect, double check!
  • Check credit card and bank statements regularly for fraudulent transactions, and report any suspicious activity to your provider and/or law enforcement.
  • And, of course, when shopping online or signing into webmail or social networks, look for https, the Norton Secured Seal and the Extended Validation ‘green bar’.

Failing to ensure this means the cybercriminals will only go from strength to strength, leaving an ever greater trail of destruction in their wake. And even more victims.

For more information on how to stay safe and secure online, visit https://www.staysecureonline.com/

[1] 2013 Norton Cybercrime Report: go.symantec.com/norton-report-2013 (Direct link to PPT of the report)

[2] Research conducted by Edelman Berland.

[3] Online adults per country x % cybercrime victims past 12 months per country = 377,943,431 (sum of 24 countries).


Symantec SSL Authentication Procedures: Short-Term Pain for Long-Term Gain

Stefano Rebulla, Senior Account Manager – Continental Europe
On a regular basis questions arise such as: “Why are your authentication procedures so complicated? Why is it so difficult to get my certificate or account vetted?”
These ar…

Website vulnerabilities: which countries’ websites are most vulnerable to malware?

This post is based on the new vulnerability gap white paper compiled by Symantec Website Security Solutions
Malware infection is one of the fastest emerging security threats for websites. More than 24% of websites are vulnerable to malware, while a lar…