Posts Tagged ‘Symantec’


New SSL server rules go into effect Nov. 1

Written by admin
July 26th, 2014

Rules designed to thwart man-in-the-middle attacks; could mean extra work for IT shops

Public certificate authorities (CAs) are warning that as of Nov. 1 they will reject requests for internal SSL server certificates that don’t conform to new internal domain naming and IP address conventions designed to safeguard networks.

The concern is that SSL server digital certificates issued by CAs at present for internal corporate e-mail servers, Web servers and databases are not unique and can potentially be used in man-in-the-middle attacks involving the setup of rogue servers inside the targeted network, say representatives for the Certification Authority/Browser Forum (CA/B Forum), the industry group that sets security and operational guidelines for digital certificates. Members include the overwhelming bulk of public CAs around the globe, plus browser makers such as Microsoft and Apple.

“Even in an internal network, it’s possible for an employee to stand up a fake server,” says Rick Andrews, senior technical director for trust services at Symantec, explaining the new rules.

The problem today is that network managers often give their servers names like “Server1” and allocate internal IP addresses so that SSL certificates issued for them through the public CAs are not necessarily globally unique, notes Chris Bailey, general manager for Deep Security for Web Apps at Trend Micro.

“People rely on these internal names today,” Bailey says. But “if someone hacks in, they can set up a man-in-the-middle domain.”

The CA/B Forum three years ago reached the conclusion this was a significant security issue and nailed down new certificate-issuance guidelines they have been sharing with their customers. Now that the Nov. 1 deadline is getting closer, they are speaking out about it.

As of Nov. 1, network managers requesting internal SSL certificates from the public CAs will have to follow these new guidelines. Network managers will need to ensure SSL server certificate requests are expressed in a way that associates them with an external domain name, says Andrews. Some enterprises already use names that chain up to the company name, but “these are probably in the minority,” he adds.

MORE WORK FOR YOU?
This change to requirements pertaining to public issuance of internal SSL server certificates means that in some instances, network managers may need to expand their internal DNS infrastructure so the name maps appropriately, Andrews points out. For some, particularly large organizations with sprawling networks, it could be a painful set of changes, even impacting the applications running on these servers, he acknowledges.

For any organization or network manager not wishing to adhere to the new public CA issuance guidelines, there are a few alternatives, though Andrews says many may not find them appealing. Organizations can decide not to obtain publicly-issued SSL certificates for internal servers and instead start privately issuing digital certificates on their own by relying on their own management hierarchy. But Web browsers might not necessarily recognize these private certificates and more changes might need to occur to ensure they do.

One other CA/B Forum deadline to keep an eye on: Oct. 1, 2016. By then, any SSL certificates issued for internal domains that don’t meet the new standards will be revoked. Organizations that determine they must make changes to meet the CA/B Forum guidelines now have about two years to migrate.
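The article describes the two patterns the new rules reject: single-label host names such as “Server1” and certificates for internal (reserved) IP addresses, neither of which is globally unique. The following script is an added example, not code from the article or from any CA, that an IT shop could run over the Subject Alternative Names it plans to request so the non-conforming entries surface before the Nov. 1 deadline. The sample name list is constructed, and the set of non-public suffixes is an illustrative assumption: an accurate check resolves each name against the IANA root zone or the Public Suffix List rather than a hard-coded set.

```python
"""Audit certificate subject names for entries public CAs will reject as
"internal" under the CA/Browser Forum rules described in the article.

Added example; the suffix set and sample names below are assumptions and
constructed data, not an authoritative rule.
"""
import ipaddress
from typing import List, Tuple

# Illustrative, non-exhaustive set of suffixes that are not delegated in
# public DNS (assumption: any name ending in one of these is internal).
NON_PUBLIC_SUFFIXES = {"local", "localhost", "internal", "corp", "lan",
                       "intranet", "private", "home"}


def classify_name(name: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one dNSName or iPAddress SAN entry.

    verdict is "public" for names a public CA may still issue for, or
    "internal" for names the new rules reject.
    """
    raw = name.strip().lower()
    if raw.startswith("*."):          # wildcard: judge the base domain
        raw = raw[2:]

    # IP addresses: private, loopback, link-local and other reserved
    # ranges are internal; only globally routable addresses remain eligible.
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_global:
            return "public", f"globally routable address {ip}"
        return "internal", f"reserved/non-routable address {ip}"

    labels = raw.rstrip(".").split(".")
    if any(not label for label in labels):
        return "internal", "malformed name (empty label)"
    if len(labels) < 2:
        return "internal", "single-label host name (not globally unique)"
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        return "internal", f"suffix .{labels[-1]} is not in public DNS"
    return "public", "name chains up to a public domain"


def audit(names: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every name; returns (name, verdict, reason) triples."""
    return [(n,) + classify_name(n) for n in names]


def internal_names(names: List[str]) -> List[str]:
    """Just the entries a public CA will reject after the deadline."""
    return [n for n, verdict, _ in audit(names) if verdict == "internal"]


# Constructed sample SAN list mixing the patterns the article describes
# ("Server1", private IPs) with names that chain up to a public domain.
# 8.8.8.8 is used only as a well-known globally routable address.
SAMPLE_SANS = [
    "Server1",
    "mail.corp",
    "db01.example.local",
    "10.1.2.3",
    "192.168.0.10",
    "mail.example.com",
    "*.intranet.example.com",
    "8.8.8.8",
]

if __name__ == "__main__":
    for name, verdict, reason in audit(SAMPLE_SANS):
        print(f"{verdict:8}  {name:28}  {reason}")
```

Names that come back “internal” are the ones that need either a DNS change (so the host name chains up to a domain the organization registers publicly, as Andrews describes) or a move to a privately issued certificate. Note that Python’s `is_global` also treats documentation ranges such as 203.0.113.0/24 as non-global, which matches the IANA special-purpose registry the CA/B Forum rules lean on.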



MCTS Training, MCITP Training

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

Trend’s Deep Security as a Service offers cloud-based server protection

Trend Micro today announced a slate of cloud-based security services that it says protect servers for Amazon Web Services (AWS) customers.

Trend Micro Deep Security as a Service is offered as a variety of security modules that can be activated by AWS customers, according to Kevin Simzer, Trend Micro’s senior vice president of business development, alliances and strategy. These Deep Security services for AWS servers include data encryption, firewall, malicious software detection and blocking, file-integrity monitoring, and compliance controls that can be managed through a cloud-based console hosted by AWS.

The idea is that customers using AWS can add these Trend Micro services to their Amazon Elastic Compute Cloud (EC2) and Amazon Virtual Private Cloud deployments by simply turning them on when a new AWS instance is created, Simzer says. Trend Micro is also charging for activation of the security services to suit the on-demand environment through a simple per server per hour rate, which starts at 10 cents per hour per module.

Trend Micro is able to provide the activation of the Deep Security as a Service through a close partnership with AWS. Other security providers that have similar security-activation arrangements with AWS include BitDefender, McAfee and Symantec.

Whichever Trend Micro service is activated in the AWS setup can also be tracked and recorded via any Trend Micro management platform that exists in the user’s on-premises enterprise as well, Simzer notes. More than 100 Trend Micro customers are said to be early adopters of these new services.



The Elderwood group appears to be living up to its reputation of finding serious software vulnerabilities

Symantec is crediting a hacker group with an impressive track record as responsible for finding the latest as yet unpatched vulnerability in older versions of Microsoft’s Internet Explorer browser.


A gang Symantec calls the Elderwood group appears to have found the latest zero-day vulnerability in IE, which can allow a malicious website to automatically infect a person’s computer.

Analysis shows that the attack code used to exploit the vulnerability has similarities to other code the Elderwood group has used to exploit other zero-day vulnerabilities in Microsoft’s software, the company wrote on its blog.

In one example, Symantec found the phrase “HeapSpary” inside several samples of attack code.

“HeapSpary is a clear mistyping of Heap Spray, a common attack step used in vulnerability exploitation,” the company wrote. “In addition to this commonality, there are many other symbols in common between the files.”

In September, Symantec published a research paper saying that the Elderwood group appeared to have an “unlimited supply of zero-day vulnerabilities.” A zero-day vulnerability is rare and highly valuable to hackers, as it means it has not been patched by the affected software vendor yet.

The Elderwood group may have possessed as many as nine zero-day exploits since 2009, when Symantec first began monitoring the group. Its attack code has been distributed through targeted emails, known as spear phishing, and planted on hacked websites.

When someone with a vulnerable browser visits a hacked website, the malicious software is delivered. The Elderwood group has planted its malware on sites that indicate the group is targeting certain types of users, which Symantec calls a “watering hole” attack.

The Elderwood group appears to favor targets associated with defense contractors, human rights groups, non-governmental organizations and IT service providers, according to Symantec’s September report.

Amnesty International’s Hong Kong website was compromised in May 2012 in an attack linked to Elderwood, Symantec wrote.

An exploit for the latest IE vulnerability was found last month on the website of the Council on Foreign Relations as well as that of Capstone Turbine Corporation, a U.S.-based manufacturer of gas microturbines used for power generation.

Microsoft issued a quick fix earlier this week for the IE software problem but will not distribute a patch for it on Jan. 8, the company’s next scheduled patch release.


