Google, Apple & GoDaddy Recall Over One Million Certificates

Infosecurity Magazine | March 13, 2019

Over one million digital certificates have been mis-issued by Google, Apple and GoDaddy after an operational snafu left them non-compliant with industry standards.

Researcher Adam Caudill revealed the issue late last week, claiming that the companies had misconfigured the EJBCA software package used by many Certificate Authorities to generate certs. In effect, this meant they were generating certificates with just 63-bit serial numbers, thus failing to meet the minimum 64-bit requirement set out by the CA/Browser Forum in its Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.

“When we are talking about numbers this large, it’s easy to think that one bit wouldn’t make much difference, but the difference between 2^64 and 2^63 is substantial — to be specific, 2^63 is off by over nine quintillion or more specifically 9,223,372,036,854,775,808,” explained Caudill.

The good news is that the mis-issued certificates are said to present no security risk today, and Google at least has revoked most (95%) of its batch within the required five-day period.
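The entropy shortfall described above can be made concrete with a small audit script. The following Python is an added example, not code from the article, from Caudill, or from EJBCA: it simulates the two serial-number generators (8 random bytes with the top bit forced to zero, versus 64 bits of CSPRNG output encoded as a positive DER INTEGER that may grow to 9 bytes), and shows how a batch of serials from one CA exposes the capped generator, since a generator that never sets bit 63 can produce only 2^63 distinct values. The function names, the batch size of 1000 and the treatment of the top-bit clearing as the cause are assumptions made for this illustration.

```python
import os

# CA/Browser Forum Baseline Requirements: at least 64 bits of CSPRNG output in the serial.
REQUIRED_BITS = 64


def serial_top_bit_cleared() -> int:
    """Simulates the 63-bit pattern from the article (an assumption, not EJBCA's code):
    8 random bytes with the most significant bit forced to 0 so the value stays a
    positive integer inside an 8-byte field. Only 2**63 distinct serials are possible."""
    return int.from_bytes(os.urandom(8), "big") & ((1 << 63) - 1)


def serial_compliant() -> int:
    """All 64 bits come from the OS CSPRNG; zero is rejected because serials must be
    positive. When bit 63 is set the DER encoding grows to 9 bytes (leading 0x00),
    which is well inside the 20-byte maximum."""
    while True:
        value = int.from_bytes(os.urandom(8), "big")
        if value != 0:
            return value


def der_integer(value: int) -> bytes:
    """DER-encode a non-negative integer (tag 0x02, short-form length).
    A leading 0x00 byte is added whenever the top bit of the first content byte is
    set, so the encoding is not read back as a negative two's-complement number."""
    if value < 0:
        raise ValueError("X.509 serial numbers must be positive")
    content = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(content)]) + content


def decode_der_integer(encoded: bytes) -> int:
    """Inverse of der_integer for short-form lengths (fewer than 128 content bytes)."""
    if len(encoded) < 2 or encoded[0] != 0x02 or encoded[1] >= 0x80:
        raise ValueError("not a short-form DER INTEGER")
    content = encoded[2:2 + encoded[1]]
    if len(content) != encoded[1]:
        raise ValueError("truncated DER INTEGER")
    return int.from_bytes(content, "big", signed=True)


def max_bits_seen(serials) -> int:
    """Highest bit_length observed across the batch."""
    return max(s.bit_length() for s in serials)


def batch_shows_required_entropy(serials, required_bits: int = REQUIRED_BITS) -> bool:
    """Heuristic audit over a CA's issued serials: with 64 random bits, bit 63 is set in
    roughly half of all serials, so a batch of N serials in which bit 63 is never set
    occurs with probability 2**-N under a compliant generator. A single serial proves
    nothing; a batch of a thousand does."""
    return max_bits_seen(serials) >= required_bits


def entropy_shortfall(actual_bits: int, required_bits: int = REQUIRED_BITS) -> int:
    """Number of serial values lost by dropping bits: 2**64 - 2**63 is the
    9,223,372,036,854,775,808 figure quoted in the article."""
    return 2 ** required_bits - 2 ** actual_bits


if __name__ == "__main__":
    capped = [serial_top_bit_cleared() for _ in range(1000)]
    good = [serial_compliant() for _ in range(1000)]
    print("capped generator: max bits seen", max_bits_seen(capped),
          "| meets 64 bits:", batch_shows_required_entropy(capped))
    print("compliant generator: max bits seen", max_bits_seen(good),
          "| meets 64 bits:", batch_shows_required_entropy(good))
    print("DER encoding of 2**63:", der_integer(1 << 63).hex())
    print("values lost at 63 bits:", f"{entropy_shortfall(63):,}")
```

The batch check is the useful part for a relying party or auditor: it cannot judge one certificate, but over a CA's issued population the absence of any serial with the top bit set is statistically conclusive, which is the same observation that exposed the misconfiguration.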

Spotlight

"Whether the term used is “Advanced Persistent Threat (APT),” “advanced threat” or “state-sponsored threat actor,” cyberattacks are increasing in sophistication and the amount of damage they can inflict. These attacks, frequently affiliated with governments or organized crime, have the resources, expertise and time necessary to meet their objectives"

Related News

SOFTWARE SECURITY

Talon Launches First Corporate Secure Browser for the Hybrid Work Era Backed by Renowned Cyber Security Industry Leaders

Talon | October 08, 2021

Talon Cyber Security, the leader in browser-based security solutions for the distributed workforce, launched TalonWork, a first-of-its-kind browser-based endpoint solution created to address the unique threats imposed by the hybrid workforce and designed with employee experience in mind. Talon also announced investment from top cyber security global leaders: George Kurtz, CEO of CrowdStrike, John Thompson, until recently Microsoft's Chairman of the Board and former CEO of Symantec, and Mark Anderson, CEO of Alteryx and previously the President of Palo Alto Networks. "Today's work from anywhere world demands a flexible and secure working environment, and as a result, modern security must be frictionless by design," said George Kurtz, co-founder and CEO of CrowdStrike. "Talon's browser-based security solution takes a fresh approach, putting the user experience front and center while extending the security of the enterprise." Talon is working with some of the largest employers in the US to protect their evolving global hybrid workforce via its unique patent-pending technology. Talon's corporate browser can be deployed across the organization in less than an hour, empowering security leaders to make the browser their first line of defense with minimum complexity, cost and without additional hardware. With hassle-free operation, Talon allows organizations to better secure and control access to sensitive data and resources, accelerates onboarding in multiple work scenarios and enables rapid and efficient endpoint disaster recovery. "With the shift towards a hybrid workforce, more known and unknown devices are accessing the organization's most sensitive data on premise and in the cloud. Therefore, we must ensure frictionless and secure access to the data, no matter the device or the employee location. Talon provides exactly that," explained John Thompson, recent former Microsoft Chairman. 
"It is equally important that the next generation of cyber solutions are designed for ease of use, and optimized for a remote work environment," explained Mark Anderson, former President of Palo Alto Networks. "In this regard, Talon's solution is spot on." The workforce revolution and increasing reliance on SaaS services, accelerated by the pandemic, made the browser a main gateway to the organization. The browser is also the most vulnerable application according to CVE; and the industry has witnessed info-stealers extracting credentials stored in browsers, malicious extensions stealing corporate data and browser zero-days exploited in the wild. Earlier this month, Google issued a critical fix for 2 billion Chrome users, Chrome's 11th 'zero day' exploit reported this year. On top of it all, malicious downloads and phishing attacks, which are the means for ransomware, are most likely to occur in the browser, where the user is more susceptible to these attacks. Talon's multi-layered approach provides enterprise-grade security regardless of the endpoint: resilience against malware on the device, browser hardening against zero-day exploits and data leakage prevention mechanisms integrated in the browser. With Talon, security leaders gain full context-aware visibility into all work-related activity in the browser, gaining better control and governance across sanctioned and unsanctioned SaaS services as well as internal web applications. To enable this instant shift to a distributed workforce, many organizations were forced to quickly patch security gaps using their current IT stack. Talon offers a new and first-to-market approach and a strategic alternative that is practical and more sustainable. "We are honored to have the leaders who shaped the face of cybersecurity on board with us, sharing our vision and mission," said Ofer Ben Noon, Talon's Co-founder and CEO.

About Talon Cyber Security

Talon Cyber Security is the pioneer in cyber security solutions for the hybrid workforce. Talon's browser-centric security approach is redefining enterprise cyber security by making the browser the organization's first line of defense and leveraging it to enable and secure the distributed workforce. Deployed in less than one hour, Talon provides security leaders with unprecedented visibility into all employee corporate activity across locations, devices and SaaS services. Talon's technology is built with employee experience and privacy in mind, providing a native and frictionless experience, on top of superior enterprise-grade security. Talon's founders include proven entrepreneurs and former leaders of Unit 8200, Israel's elite military technology and intelligence unit.

DATA SECURITY

Mayorkas to Announce the Largest Cybersecurity Hiring Initiative in DHS History

Mayorkas | July 06, 2021

Alejandro N. Mayorkas, Secretary of Homeland Security, has announced the Department's onboarding of 300 cybersecurity professionals and the extension of another 500 tentative job offers in the Department's largest cybersecurity hiring initiative in its history. This initiative is part of a 60-day Cybersecurity Workforce Sprint, aiming to build a more diverse and multi-talented cybersecurity workforce. According to Secretary Mayorkas, cyber threats and crimes are increasing, so the Department must prepare to defend against them by hiring more talent. In early May, Secretary Mayorkas set a goal to hire around 200 new cybersecurity personnel in the Department by July 1. The achievement of the Cybersecurity Workforce Sprint shows a strong desire by the country's top cyber talent to commit themselves to public service and help tackle some of the most complex challenges we face today. DHS is dedicated to ensuring its staff represents the diverse communities it serves. To this end, the Cybersecurity Workforce Sprint is grounded in diversity, equity, and inclusion best practices, and includes targeted outreach to underserved communities. Secretary Mayorkas will also launch an Honors Program this month, starting with an initiative to recruit recent graduates with degrees in cybersecurity-related fields for a one-year specialized development program at DHS. Participants who successfully complete this program will be eligible for permanent, full-time cybersecurity positions at the Department. Additionally, the Department's Cybersecurity and Infrastructure Security Agency (CISA) is expanding its K-12 initiative to nurture the next generation of diverse cybersecurity professionals. In March, Secretary Mayorkas outlined his vision for the Department's cybersecurity priorities during a virtual address hosted by RSA Conference in partnership with Hampton University and Girl Scouts of the USA.

The Secretary highlighted a series of sprints intended to elevate existing work, remove roadblocks to progress, and launch new initiatives and partnerships to achieve DHS's cybersecurity mission and implement the Biden-Harris Administration's priorities. The first sprint focused on raising awareness about the growing risk of ransomware.

DATA SECURITY

Develop Launches New Expert-Level Cybersecurity Academy and Enhances Content

cyber attack, Network security, Mobile security, Computer security, Cyber warfare, Denial of service, Application security | November 11, 2020

Develop, a web-based learning platform that provides on-demand courses to IT and business professionals, has expanded its library of career-focused content with a new Cybersecurity Academy. The Cybersecurity Academy adds to Develop's growing portfolio, which includes a Foundation Subscription, providing learners with foundational knowledge across a wide range of subjects, and a Data Academy, which provides broad data science skills and exercises. Together, these subscriptions give professionals a full range of options to build future-fit skills and find their path to professional growth. The Cybersecurity courses are intended for IT/cybersecurity professionals with 2+ years of experience and include more than 40 hours of expert-led online courses. In addition, subscribers will benefit from full access to a live practice lab environment along with completion certificates to document their progress, at an annual subscription price of $399.99.

At launch the Cybersecurity Academy includes:

- Security Policies with SELinux
- Password Policies
- Directory and File Permissions
- Firewall Implementation
- System Auditing
- Configure SAMBA and NFS

Recently, the 2020 Skills and Salary Report produced by Develop's partner Global Knowledge shared that cybersecurity and cloud computing certifications are associated with the highest IT salaries worldwide.

Why Linux Is Important to Cybersecurity

Linux is the operating system used on most network devices and security appliances, including routers, firewalls, next-generation firewall devices, unified threat management gateways, virtual private network concentrators, intrusion detection systems, intrusion prevention systems, security information and event management tools, wireless access point devices, and more.

"The purpose of our Cybersecurity Academy is to enable professionals to gain practical knowledge in a hybrid training environment, first through the delivery of online course content, then reinforced with skill building, hands on training in a live environment," said Develop Head of Content, John McKeever. "Users will be trained on how to accurately configure a Linux OS and create a hardened secure environment for end users that need varying levels of access." Future additions to the Cybersecurity Academy will focus on the Windows domain and also educate subscribers on penetration testing.

About Develop

Develop is an online learning platform that enables business and technology professionals to get ahead in our tech-driven world. By providing future-focused courses and knowledge checks, Develop's subscription service empowers members to take control of their careers on their terms.