digital certificates

Patch Tuesday for August 2013 - 3 critical, 5 important

Patch Tuesday for August 2013 includes three critical fixes and five important ones. The focus for this month is certainly the Internet Explorer cumulative patch, which fixes 11 vulnerabilities and applies to all versions, including the 11 beta.

Google's certificate announcement contains a hidden surprise for Windows XP users

Are you an IT administrator still caring for Windows XP computers that are running Internet Explorer?

Google's latest announcement brings another good reason to upgrade your systems or switch to an alternative browser.

Turkish Certificate Authority screwup leads to attempted Google impersonation


Another Certificate Authority has been caught out having issued certificates that were being used to impersonate Google. Does the SSL padlock not mean we are safe anymore?

Microsoft says "No!" to insecure certificate practices

Microsoft will be shipping an update as part of October's Patch Tuesday that will invalidate RSA certificates weaker than 1024 bits. If you are using old or weak certificates, now is the time to upgrade them to a more appropriate strength.

Flame malware used man-in-the-middle attack against Windows Update


Microsoft has released an emergency update for Windows, revoking digital certificates that could be used to impersonate the Windows Update security service. The Flame malware exploited flaws related to this vulnerability, realizing concerns that Windows Update might be compromised to distribute malware.

Second Dutch security firm hacked, unsecured phpMyAdmin implicated


Dutch security firm Gemnet has suffered a data breach including administrative credentials. Parent company KPN has suspended sister company Gemnet CSP's certificate signing operations.

Another certificate authority issues dangerous certificates


Mozilla has revoked the signing privileges of another certificate authority for issuing weak and incomplete SSL/TLS certificates.

End of the road for DigiNotar as bankruptcy declared


DigiNotar, the Dutch certificate authority which hackers compromised and used to generate hundreds of bogus web security certificates, has filed for bankruptcy.

Microsoft reissues update for Win XP/2003 for DigiNotar certificate revocation


Microsoft has reissued a security update to remove DigiNotar's certificates from Windows XP and Windows 2003 after a mistake in last week's Patch Tuesday failed to remove the most important certificates that were being abused.

SSCC 72 - DigiNotar, DNS hijacking and Firesheep v2

Mike Wood, a Senior Threat Researcher with SophosLabs, is Chet's guest. They discuss the upcoming Patch Tuesday, the new Firesheep and go in depth on the recent troubles at certificate authority DigiNotar.

GlobalSign stops issuing SSL certificates in response to Iranian hacker


Digital certificate authority GlobalSign, the fifth largest issuer of SSL certificates, ceased signing new certificates today after accusations by an Iranian hacker that they are compromised.

Microsoft revokes DigiNotar certificates from Windows, Mac users still vulnerable


Microsoft has permanently revoked all five certificates belonging to DigiNotar for Windows users. In addition to Windows 7 and Vista, the new release also provides protection for users of Windows XP. Users of Windows should check for updates and apply this patch as soon as possible.

Operation Black Tulip: Fox-IT's report on the DigiNotar breach


A preliminary report was released today by Fox-IT, the security team investigating the attack against certificate authority DigiNotar. Many interesting details are included about the hack, including more indications that it primarily affected Iranian users.

SSL certificate debacle includes CIA, MI6, Mossad and Tor


Over 500 falsely signed certificates have now been identified and browser makers are permanently removing DigiNotar as a trusted certificate authority. The targeted organizations are far-reaching, including the CIA and MI6.

Falsely issued Google SSL certificate in the wild for more than 5 weeks

A rogue certificate was found in the wild more than a month after it was issued, allowing someone to masquerade as SSL-enabled Google services. Where did this certificate come from, who was using it and what can you do to protect yourself?

Unpatched iPhones/iPads secure connections not so secure


All unpatched iPhones, iPads and iPod Touches can be snooped on, exposing usernames, passwords and even sensitive financial data using freely available tools. Patch now!

Apple users left to defend themselves against certificate attacks


Apple users have largely been left unprotected against the recent issuance of fraudulent SSL certificates by Comodo. Learn how to configure your Mac to defend against bogus SSL certificates.

No certificate for you! Verisign revokes cert from malware fiends

I spent some time last week looking into the digital signature involved with the recent zero day malware targeting Adobe Reader. Similar to the Stuxnet situation, Verisign has revoked the signing certificate used to sign the payload associated with this…