“WannaCry” Blocked by Symantec – Best Practices Against Ransomware.

A worldwide cyberattack that caused chaos on May 12, 2017 is still ongoing, involving ransomware named WannaCry (aka WCry). These attacks are targeting and have affected users from various countries across the globe. The WannaCry threat encrypts data files on infected computers and asks users to pay a $300 US ransom in bitcoin to decrypt their files. Analysis indicates the attack spreads through an SMB remote code execution vulnerability in Microsoft Windows. A specific exploit against this vulnerability, code-named “Eternal Blue”, was made available through a dump of various attack tools by the group Shadow Brokers on April 14, 2017. The vulnerability was announced and patched by Microsoft on March 14, 2017. That is two whole months where if a patch […]

CA|B Forum Passes Ballot 193 – Deprecation of 3 Year SSL Certificates

The CA/Browser Forum (CAB Forum) is the governing body that advances the security of the internet through SSL certificates. The CA/Browser Forum began in 2005 as part of an effort among certification authorities and browser software vendors to provide greater assurance to Internet users about the web sites they visit by leveraging the capabilities of SSL/TLS certificates. The ballots they pass together are geared to propelling the internet into a safer environment. What was passed in Ballot 193? The maximum SSL validity period will be restricted to 2 years (825 days / 27 months) effective March 1, 2018. Authentication domain and organization vetting will only be valid for 27 months effective April 22, 2017. What does this mean? Eventually there […]

What is Certificate Transparency?

Google’s Certificate Transparency is an open source project that aims to strengthen the SSL/TLS certificate system, which is the main cryptographic security system underlying all HTTPS secure connections. It is an extra tier of certificate security that forms a Security Triad to ensure that clients navigating the internet are safe and secure with regard to web security. What Is Certificate Transparency (CT)? As the name implies, CT allows people on the internet to look at all certificates that have been issued by a Certificate Authority (CA). This is achieved using centralized logging to a collection of servers. These log servers talk to one another to ensure consistency and reveal any unusual activity. Anyone can query the log servers to find out […]

SSLv2 – The “Drown” Attack

Just recently there has been a lot of news regarding a vulnerability in SSLv2 (SSL 2.0) and what has been named the Drown Attack. You will see articles saying “Drown Attack affects over 1/3 of the world’s websites,” “No one is secure on the internet anymore,” “More than a Million sites affected!” etc.; the list goes on and on. Allow me to calm some fears you may have. Unless you have NOT touched your server system since 2011, don’t worry. SSLv2, which was created back in 1995, was considered an obsolete protocol back in 2011, and more than likely you are not using it, because of the following: Browsers such as Chrome have by default put a stop to the use of this […]

OpenSSL patch released that fixes High-severity Diffie Hellman bug

OpenSSL has fixed a high-severity vulnerability that made it possible for attackers to obtain the key that decrypts communications secured by HTTPS when they are based on an ephemeral, DSA-based Diffie Hellman (DH) key exchange. The OpenSSL Diffie Hellman issue was assigned CVE-2016-0701 with a severity of High. This vulnerability could allow an attacker to force the peer to perform multiple handshakes using the same private Diffie Hellman key component. This means they could use this flaw to conduct man-in-the-middle attacks on the SSL/TLS connection. OpenSSL released its Security Advisory regarding the fixes on its website, OpenSSL.org, on 28-Jan-2016. OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set, then the server reuses […]

SHA 1 Critical Vulnerability Notice

On October 8, 2015, a team of international cryptography researchers warned of a significantly increased risk in using SHA-1 certificates, and recommended that administrators accelerate their migration to SHA-2 certificates. The risk is that, with enough computing power, an attacker can craft a fake certificate that in all key respects appears to be signed by a public Certification Authority (it cryptographically chains up to a Certification Authority’s root certificate). This doesn’t mean that websites are suddenly insecure, but it certainly is a wake-up call. The current policy of most browsers stipulates that they will completely reject SHA-1 TLS certificates on January 1, 2017. However, in light of these new findings, it’s highly possible the deadline will be accelerated. If your […]

How to fix Alternative chains certificate forgery (CVE-2015-1793)

How to fix Alternative chains certificate forgery (CVE-2015-1793): Critical OpenSSL vulnerability could allow attackers to intercept secure communications.

What is it: An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate. Reported by Adam Langley and David Benjamin (Google/BoringSSL). Fixed in OpenSSL 1.0.2d (affected: 1.0.2c, 1.0.2b). Fixed in OpenSSL 1.0.1p (affected: 1.0.1o, 1.0.1n).

How to Fix it: Alternative chains certificate forgery (CVE-2015-1793). Severity: High. During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if […]

OpenSSL: Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793)

Critical OpenSSL vulnerability could allow attackers to intercept secure communications with the new Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793). A critical new vulnerability in OpenSSL could allow attackers to intercept secure communications by tricking a targeted computer into accepting a bogus digital certificate as valid. This could facilitate man-in-the-middle (MITM) attacks, where attackers could listen in on connections with secure services such as banks or email services. OpenSSL is one of the most widely used implementations of the SSL and TLS cryptographic protocols. As open-source software, it is used widely on internet-facing devices, including two thirds of all web servers. The new Alternative Chains Certificate Forgery Vulnerability (CVE-2015-1793) was patched today in a security update issued by the OpenSSL project (https://www.openssl.org/news/secadv_20150709.txt) […]

The FREAK Vulnerability.

The FREAK Vulnerability: What is happening? A new SSL/TLS vulnerability named “FREAK” was identified by several security researchers. This threat allows an attacker to get between a client and server and view what is intended to be a secure and private communication. The vulnerability is primarily due to a bug in OpenSSL client software, but it is only exploitable against poorly-configured web servers. Both clients and servers are at risk. Website owners can protect their sites by properly configuring their web servers, removing the affected ciphers and restarting their servers. Note that this vulnerability is not related to SSL certificates. Your existing certificate will continue to work as intended. No certificate replacement is needed. Why should an Acmetek Customer or Partner care? […]

Replacing SHA-1 with SHA-2 certificates

How to Replace SHA-1 with SHA-2 certificates: Depending on which Certificate Authority you used and how you purchased your certificate, a reissue of the certificate may be available to you. This would require a new CSR to be generated, typically with a reissue or replace option available in the portal used to manage your SSL certificate. The end result will be a new SHA-2 SSL certificate issued that will then have to be reinstalled on the server system. Identify certificates that use the SHA-1 algorithm. Knowing the Order number or Common Name of the issued SSL certificate will typically be required. If your SSL certificate was issued through Acmetek, click HERE. Note: Contact your Certificate Authority for procedures in […]