Entrust Identity On: Latest Posts

The Identity Context

February 19, 2014 by Jason Soroko
This entry is part 3 of 3 in the series Identity Context: Defense's Next Play

Part Three: The Identity Context. All attacks involve some form of stolen identity. According to Mandiant’s threat landscape study, 100 percent of breaches they investigated involve stolen credentials. In our own studies — where we reverse-engineered malware and studied the source [Read More...]

Bogus SSL Certificates

February 16, 2014 by Bruce Morton

Netcraft has published an article stating they have found many bogus SSL certificates. In this case, a bogus certificate is self-signed (i.e., not issued from a legitimate certification authority) and replicates an SSL certificate of a large, popular website. This type of bogus SSL certificate could be used for a man-in-the-middle (MITM) attack. In this [Read More...]

Why the Dual-EC DRBG Mechanism is Suspect

February 13, 2014 by Entrust, Inc.

As we covered in December, special publication 800-90, released by the National Institute of Standards and Technology (NIST) in 2006, claimed that security vendor RSA and the NSA created a deal to make the dual-EC (elliptic curve) variant the default deterministic random-bit generator algorithm, or DRBG, in its commercial toolkit product. These claims introduce serious [Read More...]

Blacklisting – Finite Utility

February 12, 2014 by Jason Soroko
This entry is part 2 of 3 in the series Identity Context: Defense's Next Play

Part Two: Blacklisting – Finite Utility. Malicious actors are ruled by the laws of economics just like everyone else; they have finite resources. If they want to attack many targets, the chances are good that they will reuse their tools [Read More...]

Filed Under: General, Malware Tagged: malware

Moving to TLS 1.2

February 10, 2014 by Bruce Morton

In 2014, there will be a trend for website owners to implement TLS 1.2 on their servers. TLS 1.2 was defined in RFC 5246 in August 2008 and is the most secure version of SSL/TLS protocol. Although TLS 1.2 has been available for a few years, it is not well deployed. SSL Pulse indicates that [Read More...]

Filed Under: SSL, SSL Deployment Tagged: CBC, How's My SSL, Microsoft

Top 5 Security Practices for Financial Institutions to Defeat Online Identity Attacks

February 10, 2014 by Mark Reeves

The Bank of England (BoE) recently simulated a major cyber-attack against the British financial system that yielded some disturbing results: many of the UK’s largest financial institutions are unprepared for large-scale online identity-based attacks. More surprisingly, many of them are also uneducated on how to detect and report cyber security breaches. The Telegraph UK reported [Read More...]

Always-On SSL

February 6, 2014 by Bruce Morton 2 Comments

Always-On SSL is an approach to securing your website to mitigate attacks against your users. When I think of Always-On SSL, I think of three concepts: SSL across your entire site, SSL deployed to the best practices, and SSL with leading technology. SSL across Your Entire Site The approach to Always-On SSL is to avoid [Read More...]

Filed Under: EV SSL, SSL, SSL Deployment Tagged: EV SSL, HSTS, OCSP stapling

Network and Desktop Operating Systems Have Too Much Trust

February 5, 2014 by Jason Soroko 1 Comment
This entry is part 1 of 3 in the series Identity Context: Defense's Next Play

Part One: Network and Desktop Operating Systems Have Too Much Trust. At Black Hat 2012, John Flynn showed a slide with the text, “The kids these days, they’re hacking the system as a whole.” There is a wide assumption that [Read More...]

You Can’t Defend Against What You Can’t Detect: Malicious Signals in Legitimate Noise

February 4, 2014 by Jason Soroko

As a CIO, CISO, or anyone else who has to defend a corporate environment from malicious activity, there are many point solutions to spend your budget on. A lot of these technologies are really good and there certainly is no shortage of them. Walk around a vendor floor of any large security conference and [Read More...]

Filed Under: Identity Assurance, Malware

Playing in the Digital Sandbox: Mobile versus Desktop Security

January 27, 2014 by Jason Soroko

Mobile operating systems consume resources from unknown sources on the Internet all the time, and yet they are not infected in the same manner as desktop operating systems. Certainly, sideloaded malicious Android apps are able to access parts of a mobile device that the user has authorized (e.g., pictures, contacts, SMS). We have also seen [Read More...]

Filed Under: Malware, Mobility Tagged: mobile security, sandbox