Entrust Identity On: Latest Posts

Entrust at RSA: Back to the Bay Area

February 24, 2014 by Entrust, Inc.
This entry is part 2 of 12 in the series Entrust at RSA 2014

Hello, San Francisco. Entrust security experts from around the world will soon be live at the Moscone Center for the opening night of RSA Conference 2014. If you weren’t able to make it out to the West Coast, we’ll have you …

Filed Under: General

OCSP Stapling

February 24, 2014 by Bruce Morton

Digital certificate status is provided by the certificate revocation list (CRL) and online certificate status protocol (OCSP). The CRL is a list of all certificates that have been revoked. If the serial number is not on the list it is assumed to be good. OCSP provides a response for all certificates. In layman’s terms, the …

Filed Under: SSL, SSL Deployment Tagged: OCSP, OCSP stapling, RFC 5019

Entrust at RSA: The Week Ahead

February 24, 2014 by Entrust, Inc.
This entry is part 1 of 12 in the series Entrust at RSA 2014

Entrust’s gearing up for a big, big week. Our go-to guys will focus on several key security areas, including: cloud, mobility, finance, enterprise, malware and more. Each day, our resident experts will host live presentations and demos that explore these strategic …

Filed Under: General

The Identity Context

February 19, 2014 by Jason Soroko
This entry is part 3 of 3 in the series Identity Context: Defense’s Next Play

Part Three: The Identity Context

All attacks involve some form of stolen identity. According to Mandiant’s threat landscape study, 100 percent of breaches they investigated involve stolen credentials. In our own studies — where we reverse-engineered malware and studied the source …

Bogus SSL Certificates

February 16, 2014 by Bruce Morton

Netcraft has published an article stating they have found many bogus SSL certificates. In this case, a bogus certificate is self-signed (i.e., not issued from a legitimate certification authority) and replicates an SSL certificate of a large, popular website. This type of bogus SSL certificate could be used for a man-in-the-middle (MITM) attack. In this …

Why the Dual-EC DRBG Mechanism is Suspect

February 13, 2014 by Entrust, Inc.

As we covered in December, special publication 800-90, released by the National Institute of Standards and Technology (NIST) in 2006, claimed that security vendor RSA and the NSA created a deal to make the dual-EC (elliptic curve) variant the default deterministic random-bit generator algorithm, or DRBG, in its commercial toolkit product. These claims introduce serious …

Blacklisting – Finite Utility

February 12, 2014 by Jason Soroko
This entry is part 2 of 3 in the series Identity Context: Defense’s Next Play

Part Two: Blacklisting – Finite Utility

Malicious actors are ruled by the laws of economics just like everyone else; they have finite resources. If they want to attack many targets, the chances are good that they will reuse their tools …

Filed Under: General, Malware Tagged: malware

Moving to TLS 1.2

February 10, 2014 by Bruce Morton

In 2014, there will be a trend for website owners to implement TLS 1.2 on their servers. TLS 1.2 was defined in RFC 5246 in August 2008 and is the most secure version of the SSL/TLS protocol. Although TLS 1.2 has been available for a few years, it is not well deployed. SSL Pulse indicates that …

Filed Under: SSL, SSL Deployment Tagged: CBC, How's My SSL, Microsoft

Top 5 Security Practices for Financial Institutions to Defeat Online Identity Attacks

February 10, 2014 by Mark Reeves

The Bank of England (BoE) recently simulated a major cyber-attack against the British financial system that yielded some disturbing results: many of the UK’s largest financial institutions are unprepared for large-scale online identity-based attacks. More surprisingly, many of them are also uneducated on how to detect and report cyber security breaches. The Telegraph UK reported …

Always-On SSL

February 6, 2014 by Bruce Morton

Always-On SSL is an approach to securing your website to mitigate attacks against your users. When I think of Always-On SSL, I think of three concepts: SSL across your entire site, SSL deployed to the best practices, and SSL with leading technology.

SSL across Your Entire Site

The approach to Always-On SSL is to avoid …

Filed Under: EV SSL, SSL, SSL Deployment Tagged: EV SSL, HSTS, OCSP stapling