Google

Google’s plan for Data security

June 13th, 2013

Gmail and Google Apps account hijacking has been the linchpin of a number of high-profile targeted attacks, starting with the Aurora attacks of 2009, right up until last week’s attack against the Twitter account belonging to the satirical Onion news site.

Granted we’re talking about two very different levels of severity between stealing data from the defense industrial base and sending out a few politically motivated hoax Tweets, but the thirst for legitimate credentials among state-sponsored hackers, cybercriminals and hacktivists won’t abate any time soon.

The chase, along with the general inadequacy of passwords, has forced Google for one to aggressively pursue a new direction for authentication into its online services. The company this week announced a new long-term plan for strong authentication, one that builds off a similar initiative in 2008 that led to the current implementations of two-factor authentication for Gmail and risk-based login challenges in order to determine if requests for access are indeed from the intended user.

Going forward, Google hopes to put strong authentication in place when endpoints such as laptops, tablets or smartphones are first configured, and to have the device act as an authenticator. It also explained a number of other measures it would like to see implemented in the relatively near future. Clearly, smartphones have changed the dynamic of authentication for Google.

“With mobile devices like Android the usability is even further improved because you only login to the device once at the OS level and it works across all the apps on the device instead of having to go through a multi-step login flow for each application,” said Eric Sachs, a product manager with the Google security team. “However to improve the usability of this approach, one of our goals will be to have a consistent concept of identity between the OS, applications, and websites accessed from the browser on the device.”

Google has also thrown its support behind the ChannelID open standard, which aims to secure the cookie on the device that certifies the user has signed in to a service. The concept puts up a barrier against man-in-the-browser attacks that attempt to sniff and steal cookies as they’re passed to the browser. This tighter connection between cookies and encryption keys, as proposed in the standard and currently in place in the Chrome browser, is another priority initiative for Google going forward.

“In essence, the browser self-provisions an anonymous public-private key pair for each web domain it needs to talk to via SSL. The web domain can use the consistent SSL public key Channel ID presented by the client device to tie into cookies that it issues to the client device,” Sachs said. “But once the cookies are ‘tied’ in this manner, they are no longer reusable bearer tokens.  The web server will only accept them as part of a connection that has been digitally signed with the same ChannelID.  ChannelID significantly reduces the risk associated with leaked reusable bearer tokens.”
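The binding Sachs describes can be sketched as follows. This is an added example, not Google's or Chrome's code: it assumes the TLS layer has already verified that the client holds the private key behind the channel ID it presents, and the `Server` class, cookie layout and key bytes are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def channel_id(public_key: bytes) -> str:
    """Stable identifier for the key pair a client presents on its TLS channel."""
    return hashlib.sha256(public_key).hexdigest()


class Server:
    def __init__(self):
        self.key = secrets.token_bytes(32)   # server-side secret, never sent out
        self.sessions = set()

    def _tag(self, session_id: str, chan_id: str) -> str:
        # The MAC covers the session AND the channel the cookie was issued on.
        msg = f"{session_id}|{chan_id}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def login(self, chan_id: str):
        """Return a plain bearer cookie and a channel-bound cookie for comparison."""
        session_id = secrets.token_hex(16)
        self.sessions.add(session_id)
        bearer = session_id
        bound = f"{session_id}.{self._tag(session_id, chan_id)}"
        return bearer, bound

    def accept_bearer(self, cookie: str) -> bool:
        # A bearer token is valid for whoever presents it.
        return cookie in self.sessions

    def accept_bound(self, cookie: str, chan_id: str) -> bool:
        # Valid only on a connection authenticated with the issuing channel ID.
        session_id, _, tag = cookie.partition(".")
        if session_id not in self.sessions:
            return False
        expected = self._tag(session_id, chan_id)
        return hmac.compare_digest(tag.encode(), expected.encode())


def demo():
    server = Server()
    # Constructed key material standing in for self-provisioned public keys.
    browser = channel_id(b"constructed public key of the user's browser")
    other = channel_id(b"constructed public key of a different client")
    bearer, bound = server.login(browser)
    return {
        "bearer_from_other_client": server.accept_bearer(bearer),
        "bound_from_browser": server.accept_bound(bound, browser),
        "bound_from_other_client": server.accept_bound(bound, other),
    }


if __name__ == "__main__":
    print(demo())
```

The leaked bearer cookie is accepted from any client, while the bound cookie is rejected as soon as it arrives over a channel with a different key.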

Google said it is also re-thinking how to unlock devices so that pass codes are no longer necessary, which would involve the use of fingerprint scanners, Near Field Communication between devices, or proximity readers. These same concepts could be applied, Google said, where the OS would intervene when a risky behavior appears in the browser and ask the user to approve it via a fingerprint check, for example. Google acknowledges this could require changes to APIs and to how the OS and browser communicate.

Google is doing its best to guard against data breaches and to enhance data security.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.


Traffic control: The man in the middle

May 13th, 2013

Data sent by GPS applications such as Google Maps and Waze can be altered, and thereby used to control the navigation routes of other drivers and even cause traffic jams. That is, if hackers were interested, they would be able to affect the real-time traffic data in order to trick users into travelling to the busiest traffic centers rather than the open road, or to any track or spot they desire.

Both applications allow users to navigate using information obtained from their devices, along with other devices currently on the road, and analyze the real-time traffic in order to offer the ideal route. But precisely at this point hackers can cause damage and change the route, anonymously and without being discovered by the applications, and persuade users to take completely different tracks than they should.

Those apps use the GPS sensors and Wi-Fi in smartphones in order to track the location of the user. If only Wi-Fi is enabled, you can get information only on the wireless access points and radio cells around the user, which helps calculate the approximate location. Google for its part uses real-time traffic information that is sent using the TLS (Transport Layer Security) protocol, designed to send the user’s location in a protected and secure mode.

While the protocol itself ensures the reliability of the data, which makes it impossible to attack or monitor the phone without Google’s notice, there is a workaround that allows controlling the data itself. This is called ‘man-in-the-middle’: we used Android 4.0.4, and placing the hack just before the security protocol allows control of the information sent from the smartphone, without being detected by Google.

Google receives information from the device without approval or a check of the user’s current location, and that is how it is possible to change the driving route to and from any point in the world.

Obviously, in order to have a significant impact on the traffic, you have to create a large number of different users.

A similar attack can be applied to Waze, but with this application it is much more difficult to affect drivers and the navigation process, since the app connects the user’s location with an account. Thus, an attacker who wants to alter the traffic picture by simulating more vehicles would need to create multiple accounts with different email addresses.

Companies that offer navigation applications can avoid these attacks by linking the information about the user’s current location to a one-time approval that is cataloged by the hour and limited in time. In this way, applications can limit the maximum amount of information sent or received by any device, and thereby effectively add another layer of security to their internal system.
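One way a traffic service could implement that mitigation, as an added example that is not code from Google or Waze: every location report must carry a single-use approval that expires, and each device is capped per hour. The one-hour lifetime, the cap, the token layout and all names are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # known only to the traffic service
APPROVAL_TTL = 3600                    # assumed lifetime of an approval, seconds


def _mac(device_id, nonce, expires):
    # device_id is assumed not to contain "|" (the field separator).
    msg = f"{device_id}|{nonce}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class LocationGate:
    def __init__(self, max_reports_per_hour=120):
        self.max_reports = max_reports_per_hour
        self.spent = set()      # nonces already used once
        self.accepted = {}      # (device_id, hour bucket) -> accepted reports

    def issue_approval(self, device_id, now):
        """Hand the device a one-time approval tied to its ID and an expiry."""
        nonce = secrets.token_hex(8)
        expires = int(now) + APPROVAL_TTL
        return f"{nonce}.{expires}.{_mac(device_id, nonce, expires)}"

    def submit_report(self, device_id, approval, lat, lon, now):
        """Return 'accepted' or the reason the location report was dropped."""
        try:
            nonce, expires, tag = approval.split(".")
            expires = int(expires)
        except ValueError:
            return "malformed"
        expected = _mac(device_id, nonce, expires)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "bad-approval"      # forged, or issued to another device
        if now > expires:
            return "expired"
        if nonce in self.spent:
            return "replayed"
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            return "bad-coordinates"
        bucket = (device_id, int(now) // 3600)
        if self.accepted.get(bucket, 0) >= self.max_reports:
            return "rate-limited"      # cap on what one device can contribute
        self.spent.add(nonce)
        self.accepted[bucket] = self.accepted.get(bucket, 0) + 1
        return "accepted"


def demo(now=1_000_000):
    gate = LocationGate(max_reports_per_hour=2)   # small cap for the demo
    a1 = gate.issue_approval("dev-A", now)
    a2 = gate.issue_approval("dev-A", now)
    a3 = gate.issue_approval("dev-A", now)
    return [
        gate.submit_report("dev-A", a1, 48.1, 11.5, now + 5),     # accepted
        gate.submit_report("dev-A", a1, 48.1, 11.5, now + 6),     # same approval
        gate.submit_report("dev-B", a2, 48.1, 11.5, now + 6),     # wrong device
        gate.submit_report("dev-A", a2, 48.1, 11.5, now + 3601),  # too late
        gate.submit_report("dev-A", a2, 48.1, 11.5, now + 7),     # accepted
        gate.submit_report("dev-A", a3, 48.1, 11.5, now + 8),     # over the cap
    ]


if __name__ == "__main__":
    print(demo())
```

The gate bounds how much one device can feed into the traffic picture; it does not check that the reported coordinates are true.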


Malicious spyware in Google Play

May 11th, 2013

New malicious spyware is spreading in Google Play, threatening millions of Android users. The good news is that you’re only infected if you downloaded a funny Russian app, intended to transcribe other common applications. The bad news is that these are probably popular applications, since millions of users have already been infected.

The spyware received the unsurprising name ‘BadNews’, and has so far been detected in 32 different applications, created by four different developers. We can’t tell exactly how many devices were infected, because Google Play does not show the exact number of downloads, only a relatively wide range, so all we can say now is that it is between two million and nine million: not bad for relatively new spyware.

The cleverness of this particular spyware is that it is installed in the form of an advertising server that alerts users later on. It therefore does not look dangerous at the initial stage, or when it is placed in the app store, because it shows no spyware behavior at first and “wakes up” only after some time.

Please note that it is unknown whether all the developers of the infected apps intended harm. It may be that they were just planning to develop a user-friendly application, but unfortunately bought a tainted platform. One recommendation to Android app developers: carefully examine the third-party libraries included in your application. Even if you meant well, you may be putting users at risk.

So what does this spyware do? Two things you would not be happy to have happen on your device. First, it sends false alerts that encourage you to download other infected apps, including ‘AlphaSMS’, which in turn signs you up, without your approval, for premium SMS services that cost money.

Second, it sends your phone number and your device identification number to the spyware developers: two pieces of data with which, in the wrong hands, the sky’s the limit.

You obviously assume Google is doing something about this. You are right. The company operates the ‘Bouncer’ service, which scans applications for traces of spyware, but this is an ongoing contest that nobody can always win. Not even Google. As of today, Google has removed all known infected apps from its store. On the other hand, those are only the known ones; it is unclear how many unknown ones are still out there in the market.


Mobile devices malware detection

May 9th, 2013

A new method identifies mobile device malware that is usually not detected by the common detection methods, using advanced machine-learning methods.

The security of cellular phones has been intensively studied by security companies and research institutions around the world since the release of G1 devices with the Android-based operating system in 2009.

Recently, a new and sophisticated type of malware named Dropdialer was discovered, which was distributed through the Google app store. This malware is installed by the user as legitimate software. The hostile code is actually installed later, using the “Automatic Update” ability, which the software uses to “pull” independent software updates from a remote server. In this way malware can spread to a large number of devices without being detected. Retrieving the hostile code can occur at a random or fixed time in the future, or on a command received from a remote server. This capability can be implemented in any malicious application.

Standard antivirus software usually cannot detect this type of malware (self-updating malware) because the original app is completely innocent and can therefore escape any static analysis method (code analysis without execution) or dynamic analysis (monitoring software at runtime). The difficulty in identifying such malware is also due to the fact that the ability to self-update serves application developers’ legitimate needs, such as application version upgrades, adding stages in different games, bug fixes, and more.

The new method for identifying self-updating malware uses advanced machine-learning algorithms that learn the normal behavior of applications, which allows detecting, in real time, abnormal behavior that may indicate that the app is malicious. An analysis of malicious smartphone apps shows that about 70% focus on stealing sensitive information. Therefore, in this study we use network characteristics to study the behavior of applications, because they can point to information leakage.

Using a limited number of characteristics (network characteristics) together with the machine-learning algorithm allows the learning of application behavior, the monitoring and the identification all to be performed on the device itself, which is of course limited in resources (i.e. battery).

Examples of properties used for studying the behavior of applications are: the number of bytes sent or received in different time windows, such as 5 minutes, or the time since the app was active and connected to the net, etc.

The degree of abnormality of an application’s behavior is computed using an algorithm based on a technique called Cross-Feature Analysis, which “learns” the relationship of each property to the other properties under normal behavior. In the monitoring phase, each sample is checked, feature by feature, for whether the same relationship with the other properties is maintained. In other words, for each characteristic we calculate the probability that it is normal given the values of the other observed properties, and combine these probabilities into a value that represents the distance from normal behavior.
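A minimal Cross-Feature Analysis detector over binned network features, as an added example rather than the researchers' implementation. It assumes a naive Bayes sub-model per feature, averaging as the way the probabilities are combined, and the lowest training score as the alert threshold; the feature bins and sample data are constructed.

```python
from collections import Counter, defaultdict


class CrossFeatureModel:
    """For each feature, estimate P(feature | all other features) from normal data only."""

    def __init__(self, normal_samples, alpha=1.0):
        self.alpha = alpha                  # Laplace smoothing constant
        self.n = len(normal_samples)
        self.k = len(normal_samples[0])     # number of features per sample
        self.values = [sorted({s[i] for s in normal_samples}) for i in range(self.k)]
        # prior[i][v]: how often feature i took value v in normal behavior
        self.prior = [Counter(s[i] for s in normal_samples) for i in range(self.k)]
        # joint[(i, v, j)][w]: how often feature j was w while feature i was v
        self.joint = defaultdict(Counter)
        for s in normal_samples:
            for i in range(self.k):
                for j in range(self.k):
                    if i != j:
                        self.joint[(i, s[i], j)][s[j]] += 1
        # Assumed alerting rule: anything scoring below every normal sample.
        self.threshold = min(self.score(s) for s in normal_samples)

    def feature_probability(self, sample, i):
        """P(feature i has its observed value | the other observed values)."""
        a = self.alpha
        weights = {}
        for v in self.values[i]:
            w = (self.prior[i][v] + a) / (self.n + a * len(self.values[i]))
            for j in range(self.k):
                if j != i:
                    seen = self.joint[(i, v, j)][sample[j]]
                    w *= (seen + a) / (self.prior[i][v] + a * len(self.values[j]))
            weights[v] = w
        # A value never seen in training gets probability 0.
        return weights.get(sample[i], 0.0) / sum(weights.values())

    def score(self, sample):
        """Average per-feature probability: 1.0 is fully normal, low is far from normal."""
        return sum(self.feature_probability(sample, i) for i in range(self.k)) / self.k

    def is_anomalous(self, sample):
        return self.score(sample) < self.threshold


# Constructed samples: (bytes sent in 5 min, bytes received in 5 min, time active),
# already binned into coarse labels.
NORMAL = (
    [("low", "low", "short")] * 10      # idle app, occasional sync
    + [("low", "high", "long")] * 10    # downloading or streaming
    + [("med", "med", "long")] * 8      # interactive use
    + [("low", "med", "short")] * 6     # quick content refresh
    + [("high", "high", "long")] * 6    # two-way media session
)
# Every value below occurs in normal traffic; only the combination is new:
# a large upload with almost nothing received, shortly after the app started.
SUSPECT = ("high", "low", "short")

MODEL = CrossFeatureModel(NORMAL)

if __name__ == "__main__":
    print("threshold:", round(MODEL.threshold, 3))
    print("suspect score:", round(MODEL.score(SUSPECT), 3),
          "anomalous:", MODEL.is_anomalous(SUSPECT))
```

Because only counts are stored and scoring is a handful of multiplications, both learning and monitoring stay cheap enough to run on the device itself.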


Google five times safer than Bing

April 18th, 2013

As the World Wide Web becomes the destination of choice for an ever-growing community, cyber criminals find newer ways of attacking its users. They have now started targeting them through search engines: they create websites, blogs and pages based on current issues and plant malware there.

Recent research by AV-TEST, which analyzed the search results of a number of search engines, found that Google was a safer search engine than Bing.

Microsoft’s search engine Bing is nearly five times as likely as Google to link to malware, a study by independent research firm AV-TEST found. Out of every 10.9 million links generated by Google, 272 directed towards malware, according to thirty-six different anti-virus services.

Bing returned a tiny bit more results than Google for the same terms, less than half a percentage point more. But 1,285 of the Bing links contained malware, a nearly fivefold increase over Google.

AV-TEST, which is based in Germany, took eighteen months to analyze a host of search engines, including Google, Bing, Baidu, Yandex etc.

Google beat all the other websites to emerge as the safest search engine.

“Although search engine operators such as Google and Bing make a lot of effort to avoid doing so, they sometimes deliver websites infected with Trojans and similar malware among their top search results,” AV-TEST’s Markus Selinger observed in the report. “Other search engines do an even worse job.”

AV-TEST analyzed nearly forty million websites shown in the search results of the search engines. It tested a nearly equal number of results from Google and Bing, and found that Bing has nearly five times as many malicious results as Google. However, Bing still fared as the second safest engine in the study, since the other search engines were worse.

Readers might think that the number of infected websites is small considering how many results a search engine churns out every second. But the scary part is that you are not the only one. There are billions of people who use these engines. Imagine the humongous numbers the malware results would reach if all the results were put together!

The study also shows that around 110 million infected sites are currently active online, so web users, especially those who are not careful about what they open, aren’t all that safe from malware.

Microsoft tried to salvage its search engine’s reputation with this response:

“We show results with warnings for about 0.04% of all searches, meaning about 1 in 2,500 search result pages will have a result with a malware warning on it.  Of those, only a small proportion of malicious links ever get clicked and the warning therefore triggered, so a user will see the warning only 1 in every 10,000 searches. In any case, the overall scale of the problem is very small.”

Alertsec safeguards you against those never ceasing malware attacks

Traditional antivirus approaches don’t work any more and a new approach to endpoint security is required to better protect your company from malicious threats.

The above threat could have simply been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Alertsec further offers computer protection software from Check Point as a fully customizable and pre-packaged data encryption software solution. It can help you dramatically reduce your cost of ownership for encrypting your laptops.


Organisations are now made aware about their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.


Apple App Store Unsecure

March 21st, 2013

According to Google security researcher Elie Bursztein, Apple’s App Store servers didn’t encrypt all communications with iOS clients, which left users exposed to several potential cyber attacks until late January.

In a blog post on Friday, Bursztein said that, “The Apple App Store and associated applications, such as the Newsstand, are native applications provided by default with iOS to access and/or purchase content from the Apple App Store”. He concluded, “While the Apple App Store is a native iOS app, most of its active content, including app pages and the update page, is dynamically rendered from server data.” Network attackers might have exploited the lack of HTTPS (HTTP Secure) encryption for certain parts of the communication between the App Store iOS clients and Apple’s servers in order to inject rogue content into the application, he said. With this technique, attackers could trick users into exposing their passwords by injecting a fake password prompt into the App Store app, force users to install and buy rogue applications by altering purchase parameters on the fly, trick users into installing rogue apps by passing them off as updates for already installed apps, prevent users from upgrading or installing specific apps, or check what apps they have already installed on their devices.

Such attacks were possible until Jan 23, when the tech giant enabled HTTPS for App Store active content by default. Later, Apple acknowledged the change in a support listing of fixes on its website and credited Bursztein, along with two other researchers, with reporting issues. This happens because users’ devices are not protected with data encryption software, which is vital for any device that relies on technology. That calls for data security.

The Google researcher says he reported the attacks to Apple early in July last year. “I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users,” he said. He also emphasized using data encryption software.

Like most attack scenarios that exploit data security and the lack of full-session HTTPS on websites, the attacks on the App Store found by Bursztein could easily have been executed against iOS users who connect to public Wi-Fi networks, such as those found in airports, coffee shops, libraries, filling stations and other public spaces, when the connection is not encrypted.

The researcher described all those attacks in detail in his blog post. He also published a few video demonstrations on YouTube showing how the attacks would have appeared to targeted iOS users.

“I decided to render all those attacks public, in hope that it will lead more developers (in particular mobile ones) to enable HTTPS,” he said. “Enabling HTTPS and ensuring certificates validity is the most important thing you can do to secure your app communication.” Before doing so, always keep data security in mind.

During the past few years, major Internet giants like Facebook, Google, and Twitter have enabled always-on HTTPS in order to ensure users’ data security for their online services.

“Apple, it seems, didn’t bother with HTTPS everywhere, even for its own App Store, until 2013,” Paul Ducklin, the head of technology at Sophos (Asia-Pacific), wrote in a blog post on Saturday. “Since there’s no other place to shop when you’re buying or selling iDevice software, and since Apple likes it that way, you might think that Cupertino would have set the bar a bit higher.”


Twitter gives user data to U.S. 7 times out of 10

January 17th, 2013

Twitter gives government agencies in the United States at least some of the information they ask for on users 69 percent of the time.

That data, and much more about how the social network responds to government requests for user information, as well as demands to remove tweets and reports of copyright violations, was part of Twitter’s second so-called transparency report, which it issued today “in celebration of” Data Privacy Day. Google issued such a report today as well.

“We’ve been thinking about ways in which we can more effectively share this information, with an aim to make it more meaningful and accessible to the community at large,” Twitter wrote in a blog post. “We believe the open exchange of information can have a positive global impact. To that end, it is vital for us (and other Internet services) to be transparent about government requests for user information and government requests to withhold content from the Internet; these growing inquiries can have a serious chilling effect on free expression — and real privacy implications.”

In the report, Twitter said that, worldwide, it received 1,858 requests from governments for information about users in 2012, as well as 6,646 reports of copyright violations, and 48 demands from governments that content they deem illegal be removed.

Although Twitter has a responsibility to provide information on users as a result of official actions like subpoenas and court orders, the company has long taken the public position that it protects users’ privacy and anonymity whenever possible. For example, last August, the company fought police attempts in New York to get information on an Occupy Wall Street protester’s account, claiming that law enforcement did not adequately follow the Constitution’s safeguards against invasion of privacy.

“It’s our continued hope that providing greater insight into this information helps in at least two ways,” Twitter continued in its blog post: “first, to raise public awareness about these invasive requests; second, to enable policy makers to make more informed decisions. All of our actions are in the interest of an open and safe Internet.”

Privacy advocates seem to agree. In an email sent to CNET, the Electronic Frontier Foundation’s Trevor Timm lauded Twitter’s report and its attempts to maintain users’ freedoms and privacy. “I think this is the most detailed transparency report that we’ve seen from any Internet company and it should become a model for other companies, especially Facebook,” Timm told CNET. “Facebook is by far the largest social media site, yet has so far refused to release transparency reports to show us how much information the government is requesting and how much they comply.

“The first step in combating unreasonable government surveillance is information. And these transparency reports are vital in that fight. Cell phone carriers should start releasing them on a yearly basis as well.”

It will likely be interesting to many people to see how many times governments around the world ask Twitter to provide information about users in their countries, as well as how often the company decides it has no choice but to comply with those requests. The transparency report includes a section detailing “actionable” demands — meaning situations in which Twitter is legally responsible to provide what is asked for — from every country, as well as a second section focusing solely on the United States.

China is missing from the report, as Twitter is officially blocked there. And while there appears to be evidence that some Chinese are able to access Twitter, the company doesn’t have a responsibility to reply to that government, explained a Twitter spokesperson.

U.S. requests

From July 1 to December 31, 2012, Twitter said, it received a total of 1,009 requests for user information from 30 countries. Across the board, the company complied by providing some or all information demanded 57 percent of the time, covering a total of 1,433 user accounts.

Outside the U.S., Japan issued the most requests, asking Twitter for information on 75 users a total of 62 times. Yet Twitter complied just 5 percent of the time, it said. Brazil submitted 34 requests, covering 43 user accounts, and got some or all of what it was looking for 12 percent of the time.

By comparison, American government agencies were given at least some of what they were demanding in 69 percent of the 815 cases in which they asked, the report said. “As Twitter is based in San Francisco…the great majority of government information requests for user information we receive come from the United States,” the company wrote. “To increase transparency and insight, we’re introducing more in-depth details about these requests.”

According to the U.S.-only report, 60 percent of demands in the U.S. came in the form of subpoenas, while 11 percent were court orders, 19 percent were search warrants, and 10 percent were other official requests. Twitter said that in the cases of subpoenas, the requests “do not generally require a judge’s sign-off and usually seek basic subscriber information, such as the email address associated with an account and IP logs.”

Because of the Fourth Amendment to the U.S. Constitution, Twitter wrote, search warrants “typically require the most judicial scrutiny before they are issued, including a showing of probable cause and a judge’s signature. A properly executed warrant is required for the disclosure of the contents of communications (e.g., tweets, [and direct messages]).”

Twitter said that its general policy is to notify users when a government agency is demanding their information, “unless we are prohibited from doing so by law or in an emergency situation.” All told, it explained, less than 20 percent of cases involved such prohibitions issued “under seal.”

The EFF’s Timm said, “I don’t necessarily blame Twitter for complying with valid subpoenas and warrants, since they are required to by law. It seems they have been vigilant in challenging unnecessarily broad legal requests. They only comply with 69 percent, while Google complied with 88 percent. And they’ve also written a detailed explanation of why they may not comply, and notify users whenever legally possible. The blame lies with the government for making so many warrantless requests and with Congress for not giving much of our electronic data more protection than just a subpoena.”

Added Timm, “It’s also great to see Twitter requires warrants for all content, despite [the Electronic Communications Privacy Act] not requiring it by law. It’s encouraging to see Google, Facebook, Microsoft, and Yahoo all come out and say this in the past week. The Fourth Amendment should protect the content of our email, just like it protects our physical letters and phone calls.”

Removal requests

Twitter has long held that its users have the right to post almost anything they want, as long as it isn’t illegal. But in some cases, it does respond when governments ask it to remove offending content.

According to the transparency report though, such cases are exceedingly rare. Between July and December, there were just 26 such court-ordered requests worldwide, Twitter said, and in just 5 percent of cases did it actually remove some or all of the content in question.

A recent situation involving a series of anti-Semitic tweets in France is one such case. And as a result, France’s removal requests were granted 100 percent of the time, the report detailed. But even so, that removal covered just 40 accounts, and only 44 individual tweets.

In the United States, by comparison, there were just two such requests between July and December.

Copyright takedowns

Although the parts of Twitter’s transparency report that are likely to get the most attention are the company’s responses to government requests for information on users and the amount of offending content removed, the report also contained interesting data on how often the company acted on claims that content posted to the social network violated copyright.

According to the report, Twitter received 3,268 take-down notices worldwide between July and December, and it agreed to comply with part or all of those requests 53 percent of the time.

Twitter said that when such requests are submitted, it notifies affected users. Among the types of media it has to remove as a result of these notices are “profile photos, header photos, background images, and Twitter-hosted media (e.g., pic.twitter.com).”

But Twitter also noted that it doesn’t comply with take-down notices for a number of reasons. In many cases, it said, such demands don’t supply adequate information for locating the allegedly offending content. And at the same time, it receives many “misfiled, non-copyright complaints” through its Web forms.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.


Fake Turkish site certs create threat of bogus Google sites

January 5th, 2013

Google and Microsoft revealed today that a certificate authority based in Turkey “mistakenly” issued security certificates last month, and that a recipient of one of the e-documents in turn created a bogus certificate that could let it impersonate various Google sites.

According to a blog post by Google engineer Adam Langley, Chrome detected and blocked an unauthorized security certificate for the domain “*.google.com” on December 24. After blocking the certificate, Langley said, Google investigated and determined the certificate came from an intermediate certificate authority that linked back to the Turkish certificate authority TurkTrust.

Certificates are e-documents used to verify Web site authenticity, so fraudulent ones are no joke: they can be used to perform phishing attacks, man-in-the-middle attacks, or to spoof content.

After Google warned TurkTrust and other browser vendors, TurkTrust reported that it had mistakenly issued two intermediate certificates in August 2011 to organizations that should have received standard SSL certificates.

Microsoft wrote in its concurrent security advisory blog post that it has also blocked certificates from TurkTrust. “TurkTrust incorrectly created two subsidiary Certificate Authorities: (*.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com,” the company wrote.
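The mis-issuance described above, as an added example that is not code from the article, Google, Microsoft or TurkTrust: it audits a certificate chain and shows that a host certificate carrying the CA flag passes ordinary path validation, while the same certificate issued as a standard SSL certificate would have been rejected as a signer. Certificates are modeled as simplified records rather than parsed X.509, and the root name, the expected-issuer list and the finding codes are assumptions of this example.

```python
import re
from dataclasses import dataclass

# A subject that is a DNS name or wildcard, i.e. what a standard SSL cert carries.
HOSTNAME = re.compile(r"^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

@dataclass(frozen=True)
class Cert:
    subject: str   # subject common name
    issuer: str    # issuer common name
    is_ca: bool    # basicConstraints CA flag

def audit_chain(chain, expected_issuers):
    """Audit a chain ordered leaf first, root last; return (code, subject) findings."""
    findings = []
    # Ordinary path validation: names must link and every signer must be a CA.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            findings.append(("BROKEN_LINK", child.subject))
        if not parent.is_ca:
            findings.append(("SIGNER_NOT_CA", parent.subject))
    # Defender heuristic: a CA whose subject is a host name was probably
    # meant to be an end-entity certificate.
    for cert in chain[1:]:
        if cert.is_ca and HOSTNAME.match(cert.subject):
            findings.append(("CA_WITH_HOSTNAME_SUBJECT", cert.subject))
    # Per-domain issuer allow-list (an assumption of this example).
    leaf = chain[0]
    allowed = expected_issuers.get(leaf.subject.lower())
    if allowed is not None and leaf.issuer not in allowed:
        findings.append(("UNEXPECTED_ISSUER", leaf.subject))
    return findings

# Constructed sample data; only the two host names come from the article.
ROOT = Cert("Constructed Root CA", "Constructed Root CA", True)
EXPECTED = {"*.google.com": {"Constructed Expected Issuer CA"}}
LEAF = Cert("*.google.com", "*.EGO.GOV.TR", False)
# As issued by mistake: the host certificate carries the CA flag.
MISISSUED = [LEAF, Cert("*.EGO.GOV.TR", "Constructed Root CA", True), ROOT]
# As intended: a standard SSL certificate, which cannot sign other certificates.
AS_INTENDED = [LEAF, Cert("*.EGO.GOV.TR", "Constructed Root CA", False), ROOT]
LEGITIMATE = [Cert("*.google.com", "Constructed Expected Issuer CA", False),
              Cert("Constructed Expected Issuer CA", "Constructed Root CA", True),
              ROOT]

if __name__ == "__main__":
    for name, chain in (("misissued", MISISSUED), ("as intended", AS_INTENDED),
                        ("legitimate", LEGITIMATE)):
        print(name, audit_chain(chain, EXPECTED))
```

The mis-issued chain produces no path-validation finding at all, which is why the additional checks (host-name CA subject, unexpected issuer) are the ones that catch it.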

People using Windows Vista or newer won’t have to take any action, Microsoft said, as long as they have installed the Certificate Trust List from last June. Windows 8, Windows RT, Windows Server 2012, and devices running Windows Phone 8 will be automatically protected.

Langley added that Google’s actions last month fixed the immediate security problem for Chrome users, but that the company will update the browser again in January to remove Extended Validation status for TurkTrust-issued certificates.

He finished by warning that it’s possible Google “may also decide to take additional action after further discussion and careful consideration.”
