July 2012 - Entrust, Inc. 1-10 of 13

Command and Control

July 31, 2012 by Luke Koops
I recently attended the Black Hat USA 2012 in Las Vegas. During the conference, I focused my attention on cyberespionage. This involves attackers who are on a mission with well-defined objectives. They are a source of persistent, targeted attacks. I learned a lot about command and control during my training. Command and control — also [Read More...]

Code Signing: Best Practices

July 27, 2012 by Bruce Morton
The biggest issue with code signing is the protection of the private signing key associated with the code signing certificate. If the key gets compromised, then your certificate is worthless. A compromised key may also jeopardizethe software that you have already signed. Here are some best practices for code signing: 1. Minimize access to private [Read More...]

Self-Signed Versus Trusted CA Certificates

July 23, 2012 by Bruce Morton
In most cases you have to sign your code in order to get it installed on the operating system. You can sign your code using a self-signed certificate or using a certificate issued by a publicly-trusted CA. Due to the costs of buying a code signing certificate from a publicly-trusted CA, some users will decide [Read More...]

Living with HTTPS

July 20, 2012 by Bruce Morton
Here is a post by Adam Langley, a transport security person at Google. These were his notes before a talk that he did at HOPE9 last week. HOPE stands for Hackers on planet Earth. Adam’s talk does not focus on CAs and certificates. His notes deal with HTTPS issues and he really pushes for the [Read More...]

Fighting Fraud is a Team Effort

July 19, 2012 by Mike Byrnes
While it’s quite typical for my blogs to take shots at the banks for failing to implement effective security controls, and at the financial regulators for being too slow at releasing guidelines, I think it’s time to emphasize that fighting fraud is a team effort. By coincidence, my last blog entry, in early July, ended with [Read More...]


July 18, 2012 by Bruce Morton
In order to mitigate a BEAST attack, the advice is to prioritize RC4 cipher suites on your Web server to avoid the use of vulnerable cypher block chaining (CBC) suites. But how well do the clients support RC4? Ivan Ristić of Qualys did some tests at SSL Labs and saw that only 45 of 48,481 unique [Read More...]

US Court Decision is Good News for Banking Customers

July 17, 2012 by Jon Callas
Blogmaster Note: This was originally posted on July 17, 2012 to ComputerWorld UK’s Security Spotlight Blog. US ruling has implications for UK over bank’s liability Thefts from a construction company in Sanford, Maine might be the catalyst for much-needed improvements to banking security. The US First Circuit Court of Appeals reversed a decision that said [Read More...]

HSTS Update

July 16, 2012 by Bruce Morton
HTTP Strict Transport Security (HSTS) will soon be finalized and available in an IETF standard. The request for comment (RFC) is at version 11 and the IESG has put out a last call for comments. HSTS is a security policy mechanism where a Web server tells a supporting browser that it can only connect to [Read More...]

Alan Turing Notes on Cryptography Released

July 12, 2012 by Jon Callas
Are there any insights left to be wrung from the code breaker's papers? Chris Vallance of the BBC reports that GCHQ has released some of Alan Turing’s papers on the theory of code breaking. They’re not on display at the National Archives at Kew. I’ve checked the web pages of the Archives and GCHQ, and there is as of my writing nothing up there, yet. The two papers are titled, The Applications of Probability to Crypt” and Paper on the Statistics of Repetitions. They discuss the use of mathematics to cryptanalysis. This might seem a bit obvious now, but at the time cryptanalysis was largely done by smart people and not by machines. A code-breaker was more likely someone who was good at solving complex crossword puzzles than working with numbers. It was unusual to bring in someone like Turing to a cryptology lab.

There Weren’t Really Chinese Backdoors in Military Chips

July 12, 2012 by Jon Callas
Blogmaster Note: This was originally posted on July 12, 2012 to ComputerWorld UK’s Security Spotlight Blog. What happened and unsolicited advice In March, Cambridge researcher Sergei Skorobogatov and Quo Vadis Labs researcher Christopher Woods put up a draft paper on a cool new technique they used to ‘disable all the security’a security-enabled chip. It sat [Read More...]
Page 1 of 212