The Secure Sockets Layer (SSL) allows you to communicate over the Internet with a secure and encrypted connection. SSL is probably most associated with web sites and email, but it can be used with almost any Internet service.
There are two components to a secure connection:
1) Encryption: This is the process of encoding messages between the communicating parties so that only they know the content.
2) Assurance: This ensures that the party you think you are communicating with is actually who you think they are.
Good name in man and woman, dear my lord,
Is the immediate jewel of their souls.
Who steals my purse steals trash; ’tis something, nothing;
’Twas mine, ’tis his, and has been slave to thousands;
But he that filches from me my good name
Robs me of that which not enriches him,
And makes me poor indeed.
Iago, Othello Act 3, scene 3, 155–161
I was recently reviewing Verizon’s annual Data Breach Investigations Report for 2013, published earlier this year. It is must reading for anyone who has an interest in data security. Actually, if there is anyone who isn’t, they should be!
There are a lot of fascinating findings in this year’s edition, enough to inspire numerous blog articles. For today, I want to focus on two important findings as a warning for us all.
- 78% of initial intrusions rated as low difficulty
- 69% of breaches discovered by external parties
Comodo announced last week that its Web Inspector service now also uses the advanced malware detection technologies of its award-winning Comodo Internet Security to identify malicious code on a web page. Comodo Web Inspector is a cloud-based malware scanning service that detects thousands of security threats and attack vectors on e-commerce websites. In addition to utilizing Comodo Antivirus technology, Web Inspector also uses dynamic page analysis, buffer overflow detection, and signature-based detection. The newly added heuristic detection techniques can potentially detect previously unknown malicious code, protecting users from zero-day attacks.
CryptoLocker, first spotted in September, continues to claim victims among consumers and businesses alike. The Trojan is a form of ransomware that spreads mainly through fake emails mimicking the look of legitimate businesses. Other users report being tricked into installing the ransomware via phony FedEx and UPS tracking notices.
How does CryptoLocker work?
Once the user opens the malicious message, CryptoLocker installs itself on the user’s system and scans the hard drive, and any reachable network shares, for files to target. If one computer on a network becomes infected with CryptoLocker, mapped network drives could also become infected. Then, the ransomware encrypts the selected files and renders them inaccessible to the user until he or she pays a ransom to receive a decryption key.
When we talk of internet transactions, we have always protected them with passwords. But do you think passwords are a sure way of providing protection? Well, the answer is no! With technological advancement and the increase in the number of hackers, relying on passwords alone has become risky. When everything else is advancing, why wouldn’t the hacker also learn new technologies and be able to crack the strongest of passwords? Regardless of the strength of the password, it is still at risk.
Spoofing occurs when only a password is used for the purpose of authentication. Spoofing is the act of acquiring a user’s password and then using it to log in to the user’s account and tamper with it. So companies no longer trust only passwords for the security of their confidential data. They need something more than just a password. This security threat gave rise to the concept of multi-factor authentication.
We have a running debate here at Comodo as to whether to use Low Cost or Cheap in referring to our SSL Certificates. My friends who like to use “cheap” argue that more customers looking for SSL use the word cheap in their searches than “low cost” and it makes our web pages easier to find.
Personally, I hate using the word cheap because it could be misinterpreted as low quality, which is not the case with any of our SSL Certificate products. Whether you purchase the low cost domain validated certificates or pay the extra money for Enhanced Validated certificates, you will still get the highest quality encryption technology available.
Many e-Commerce sites display “Trust Seals”, aka Trust Mark Logos, provided by third parties who have conducted an independent audit of the site or its ownership. The concept did not start with the web era. It is essentially the same as the “Good Housekeeping Seal of Approval”, which attests that a product has been tested by the Good Housekeeping Research Institute. Members of the “Better Business Bureau” display a membership logo and a BBB rating as a measure of their trustworthiness.
For e-Commerce sites, there are several different types of Trust Seals.
Certificate Authorities that issue SSL certificates, like Comodo, offer Trust Seals that attest that the owner of a domain has been verified to be a legitimate organization. Certificate Authorities themselves have their own Trust Seal from WebTrust that verifies the authority has been audited by an independent accounting firm and is in compliance with certificate industry best practices.
Between Flash and PDF Reader alone, Adobe is ubiquitous on today’s desktop. Have you ever registered for an Adobe product? If you have, you should seriously consider changing your password. If you are like most people, who use similar passwords and usernames across their personal accounts, you might consider changing all of your passwords.
On October 3rd, Adobe announced that they were the victims of one of the most significant data breaches in history. Personal data for nearly 2.9 million of their customers had been stolen, including credit card data. That alone put it in the hall of fame of breaches.
But it gets worse.
Yesterday, Adobe announced that an additional 35 million customer data records were included in the breach. They hastened to add that these records do not include credit card data, but personal information that includes user names and passwords can be a goldmine to hackers.
I saw a recent headline “Dexter Strikes South Africa”.
And I thought he was hiding out in Alaska!
I was a big fan of the TV series Dexter, the show about an amiable vigilante serial killer who works for the Miami Metro Police Homicide department. The series ending, which was a bit of a disappointment, left him hiding out as a lumberjack in Alaska. I’m hoping that Dexter will resurface, perhaps in a movie.
I was not happy, however, to see that Dexter’s computer virus namesake has resurfaced. It was first discovered in 2012 by Israeli computer firm Seculert. Dexter is a notorious cyber fraud malware program that compromises credit card payment systems running on Windows and has led to tens of millions of dollars in losses.
No web site that exchanges personal data with its site visitors can afford to operate without SSL. Without it, internet communication is insecure and hackers can easily listen in and steal data. For organizations that have many web sites and manage many subdomains, this can become expensive and, importantly, difficult to manage.
Fortunately, there is an alternative worth considering: Multiple Domain certificates.
Multi-Domain certificates provide the same SSL security as other certificates but allow you to secure up to 100 domains on a single SSL certificate.
The notorious John Dillinger was supposedly asked why he robbed banks. His reply was “That’s where the money is!” You could get the same reply if you asked a hacker why they attack credit/debit card payment systems. The information obtained could be used to generate millions in fraudulent transactions.
Simply in terms of financial loss, the number one data breach of the 21st century so far was the Heartland Payment Systems breach of 2008. 134 million credit cards were exposed through SQL injection attacks used to install spyware on Heartland’s data systems.
On September 30th, Comodo’s OCSP (Online Certificate Status Protocol) responders handled over 2 billion requests in one day! Web users all over the globe can sleep better at night knowing Comodo has their back.
OCSP is a protocol enabled in modern browsers that makes real-time checks as to whether or not an SSL certificate has been revoked. A certificate may be revoked for a variety of reasons, including inattentiveness by the site operators and procurement by fraudsters. Certificates are sometimes revoked because their private key has been compromised by hackers who can use it to commit “man-in-the-middle” attacks. Such attacks intercept the messages between a browser and the web server and are often used for financial fraud.
Online retailer Hayneedle.com has become an astonishing success with security-conscious shoppers since the brand was introduced in August 2009. According to Hayneedle’s Chief Technical Officer Steven Dee, the site’s Extended Validation SSL certificate from Comodo has helped it build trust.
“People shopping on Hayneedle are looking for something very specific,” said Dee. “They’re used to dealing with some mom and pop shops. At times they’re not sure whether a site can be trusted or not. Part of the Hayneedle brand is that we are a trusted place to shop.”
A recent study by the “Anti-Phishing Working Group” (APWG) is being widely reported as finding that phishing attacks were down 20% in 2012.
When I first read about this I thought,
“They HAVE to be kidding!”
There is a flood of other stories that contradict such a finding, including numerous reports of high profile attacks. Last week, in fact, we learned that a Syrian group had a successful email phishing attack on White House staffers. A member of the “Syrian Electronic Army” (SEA), supporters of dictator Bashar al-Assad, proudly distributed screen prints of White House staffer Erin Lindsey’s Gmail account emails. Ms. Lindsey made the mistake of clicking on a link in a faux email from the SEA.
American Banker Magazine this week is reporting on a “spike” in email phishing that targets bank customers. I can testify that I get emails almost every day about my accounts at banks I don’t use!
The use of BitCoin, a digital currency that is not backed by a government, is on the rise because it is much more secure than conventional currency transactions and has been a good investment so far.
However, a recent report on BitCoin.org revealed that its mobile security is under threat and coins are being stolen by hackers from unidentified locations. A vulnerability in the system can allow a third party to guess the private key provided for the digital wallet, and nearly 55.8 BitCoins have been stolen, each worth about $104.52 at the time of the event.
A mailing was sent to all subscribers explaining that the private keys generated on Android phones as well as tablets are extremely weak and all Android wallet apps are vulnerable to attack.
After thorough research and analysis, it was confirmed that the vulnerability originated from the Java SecureRandom number generator. For better mobile security, the experts have advised users to rotate their keys: generate a new address using a repaired random number generator and then send the same BitCoin funds to that new address.
PCI Compliance: Failure is Not an Option
There is an epidemic of identity theft and financial fraud that is costing businesses and consumers millions of dollars per year. Most of these incidents are the result of data breaches that compromised credit and debit card data. The cost of dealing with a data breach is bad enough, but the damage to your reputation with your customers and suppliers as a trustworthy business is incalculable.
Business in the internet age is more about trust than ever before. The entire system of card payments is dependent on card holders trusting the merchant with their card data. A loss of trust can be fatal to a business.
The Payment Card Industry (PCI) Data Security Standards (DSS) are intended to ensure the integrity and security of credit card data used in transactions. The card payment services require merchants to comply with these standards. Failure to comply can result in large incident fines and even the suspension of the ability to accept cards.
Recently, we reviewed a document of best practices in deploying SSL Certificates published by Qualys, a prominent security company. Their document had some very good advice. In particular, we agree wholeheartedly with their recommendation that an SSL user should “obtain certificates from a reliable Certificate Authority”.
They went on to list criteria that you should use in determining if a CA should be considered reliable. We decided to evaluate ourselves to see how we stack up based on their standards. Not only do we pass the test, you might think that they had Comodo in mind when they defined the criteria!
Take a look for yourself!
It was with great pride last week that we learned that Comodo Internet Security is once again at the top of the charts in the Matousec Proactive Security Challenge 64.
As of January 18, 2013, the independent tester of security software ranked Comodo Internet Security 2013 Premium (v6) number 1 in tests of 38 internet security suites. Moreover, Comodo was the only suite to receive a rating of “Excellent” and one of only three products that Matousec rated as “Recommended”!