Web Security Updates

Chrome 68 is Here, and It’s Penalizing All HTTP Sites

1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 3.67 out of 5)
Loading...

Chrome 68 to mark all HTTP sites as “Not Secure”

Google Chrome, the most popular browser on the planet, has just rolled out an update of version 68 and it’s one of the most crucial Chrome updates in recent times. The reason behind this is the decision of Google to mark all HTTP sites as ‘Not Secure.‘ Yes, you read it right. All websites serving content over HTTP will now be marked with a ‘Not Secure’ warning.

Continue reading Chrome 68 is Here, and It’s Penalizing All HTTP Sites

Here’s how we got ready for GDPR

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

RapidSSLonline.com has made a number of changes to prepare for GDPR

GDPR is important and we took it very seriously. Here’s a quick look at the steps we took to ensure that we’re GDPR compliant both for us and our partners.

We redid our Privacy Policy

We’ve simplified our privacy policy. It was already available in the footer of every page of our website, but we now link to it from our privacy notifications, to

We added a ton of privacy notifications

At any point where we are collecting your data, we will now notify you about what it’s going to be used for. Trust me, for a site like ours that involved writing a lot of notifications, but we now notify you about pretty much every action we take.

We refined our security practices

We didn’t have too much to do in this department, after all we’re a cybsercurity company. We already use the requisite safeguards like firewalls and encryption. We also appointed a Data Protection Officer, Robert Walters-Thorn, to oversee our data policy

We got Privacy Shield Certified

That’s right, you can look us up on the Privacy Shield roll under Rapid Web Services, LLC. Additionally, if you ever have an issue exercising your data rights with us, you can contact the ICDR-AAA, who we use as an independent recourse mechanism for disputes.

We signed DPAs with all our partners

We made sure to contact all of our partners, anyone we share any data with, and get a legally binding Data Protection Addendum with them. This ensures that any data shared will only be used for the intended purposes and also governs what safeguards must be in place.

We recognize your right to be forgotten

We recognize your data rights, as defined by the EU, at RapidSSLonline.com. For the most part, you can access any data we have saved on you in your user control panel after logging in. It can be modified from there. Alternatively, you can email our Data Protection Officer to get a copy of your data. You may also choose to delete all of your data by sending an email to the DPO, we will delete it within 72 hours.

The only data we may not be able to delete is any data published in certificate transparency logs following issuance of an SSL certificate. While we don’t anticipate this being a major issue, it’s worth putting out there that we do not operate a CT log, nor do we publish to any directly. So we can’t really help with that.

Overall though, we want you to feel comfortable doing business with us. We’re just out here trying to help businesses and site owners find affordable SSL certificates—we really don’t have anything to hide.

Stay cautious, my friends.

10 Pro Security Tips to Stop Virus, Malware, and Trojan Threats

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

How can a computer be protected from viruses?

I was recently handed a writing assignment on how to protect a computer from viruses, malware and trojan threats. The project description asked for “10 pro security takes.” I’m not really sure what a security take is, but the article that was cited included 8 security tips.

We need 10.

This is what’s wrong with mixing SEO with security advice. Well, that, and the fact the other article started: “This era is one of instantaneous information, immediate communication and lightning Internet.” If a voice in your head doesn’t start shouting “la migra! la migra!” about midway through that sentence, then you haven’t been living in America.

This article is going to strive to give you sound security advice on defending your computer against cyber threats. What it’s not going to do is strive for ten tips just for the sake of beating eight. In fact, it’s not even going to give eight. Security advice should be a bit more dignified than a Buzzfeed checklist. If you disagree, here are five techniques to help you cope with the fact that I don’t care.

Different Kinds of Cyber Threats

There are myriad different threats facing computers at any given time. Unfortunately, popular culture has taken a lot of these terms and given them their own meaning, or blended them with other threats. In reality, there are distinctions between types of threats that help to differentiate them. Here are some of the most common types of cyber threats.

Viruses

The term virus is perhaps the most overused in the entire threat lexicon. In reality, virus refers to a very specific kind of program that alters, or possibly even deletes data on your system. Typically viruses arrive on a system via malicious downloads and have to be executed to begin operation.

Malware

The way people mistakenly use the term viruses as a catch-all, is actually the way malware should be used. Malware refers to malicious software and encompasses pretty much any threat to your computer. It’s trivially easy to end up with malware on your system.

Trojans

Trojans are a specific kind of program that appears to be genuine, but ends up causing disruption. The term trojan derives from the Trojan Horse story from the sacking of Troy, where soldiers infiltrated by hiding in a large wooden horse statue that was initially presented as a gift. If you aren’t familiar, I highly suggest you check it out. It’s way more interesting than anything else you’re going to read in this article.

Worms

A worm is simply a file or element that continues to replicate itself once it’s in your system. Typically, you’ll see a file continue to pop up even after it’s been deleted or else you might even have an entire drive say it’s full despite the fact that you know it can’t be. These are worms. You definitely don’t want worms in your computer. Or your bowel movements. Or your computer’s bowel movements. What? Everyone need Data Security. [Editor’s Note: Carl…]

Protecting yourself from malware and other cyber threats

Here’s some helpful advice on how to avoid all these worms, trojans, viruses and malware…

Invest in good Antivirus Software

This one should be pretty obvious, but let’s start here anyway. Get a legitimate, professional-grade antivirus program. Update it regularly. It’s just basic security hygiene.

Be Wary of Email Attachments

Again, this isn’t rocket science, but make sure that you scan all email attachments before downloading anything. Email is an incredibly effective attack vector. Always be wary downloading attachments or following links.

Avoid Third-party Downloads

Unless you are 100% certain of what you’re downloading, avoid third-party downloads. Legitimate downloads will be code signed and come from known websites. If it’s hosted on some fly-by-night site, chances are it’s infected with something.

Turn off Auto-run

If you’re going to be loading any kind of external drive or hard disk on your computer make sure auto-run is toggled off so that you can scan before executing anything.

Back up your data regularly

Here’s another obvious one, back up your data regularly. This way if your computer is infected with a virus you can restore any data that is lost.

Avoid bad security advice

Some marketers throw the term ‘security’ as if it were an advertising slogan. Some SSL sellers shoehorn about these things in the form of “security checklists” and sneak in their products somewhere in the content to get their sales up. To be honest, this is a pretty stupid idea, and that’s why we don’t do it.

It is quite necessary to check authenticity with SSL (Secure Socket Layer) while dealing with the website as cyber culprits can sniff the information or it may happen that the website has already any Trojan or virus. It is safe to deal with an online website that has implemented SSL security.

For starters, reread that first sentence. Ignoring its crimes against English for a second, the information it contains is utter BS. Cyber culprits can sniff the information? What this bastard form of speech may be attempting to say is that if you are on a website WITHOUT SSL, someone can eavesdrop on the data you transfer. But frankly, that’s giving this miscarriage of English a little more credit than I’m willing to extend. And if the website already has a virus or trojan, SSL isn’t going to help. At all.

And finally, telling someone it’s safe to deal with an online website that has implemented SSL is actively dangerous advice. Criminals can implement SSL, too.

Wrapping this Up

The internet is a dangerous place if you have no common sense. But, you can stay safe if you just try to be mindful. Don’t follow random links. Don’t download programs from unknown sources. Keep your antivirus updated and listen to your browser filter.

It’s really not hard.

When do you need to reissue/replace your Symantec SSL/TLS Certificate?

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

Steamline Process to Get Reissue or Replace Your Symantec SSL Certificate

As of October 31, 2017, DigiCert, Inc. has officially acquired Symantec’s Certificate Authority business. This move didn’t come as a surprise considering Google’s plans to distrust the SSL/TLS certificates of Symantec and its subsidiary CAs, namely GeoTrust, RapidSSL, and Thawte in Chrome, the most famous browser in the world.

This distrust has been divided into two parts by Google depending upon the issuance date. The first phase will begin with the launch of Chrome 66, expected to be released in March 2018. And the second part in October 2018, with the launch of Chrome 70.

To avoid this distrust and security warnings, existing customers of Symantec, GeoTrust, RapidSSL, and Thawte will need to reissue/replace their certificates from DigiCert’s infrastructure before the deadlines.

Here is the timeline of Google’s plans:

  • December 1, 2017: As of this date, Google has required that TLS certificates no longer be issued by Symantec roots, but must be issued by another CA. As of December 1, DigiCert will be issuing all certificates for Website Security customers. This date does not mandate any immediate certificate changes, but officially transfers validation and issuance of Symantec certificates to DigiCert systems. From this date forward, Symantec customers can begin to request free replacement certificates. These replacement certificates will be valid through the issuance to the end of the certificate validity period.
  • ~March 15, 2018: Chrome beta will distrust certificates issued by Symantec before June 1, 2016. The public release of Chrome is expected on April 17, 2018.
  • ~September 13, 2018: Chrome beta will distrust all certificates issued by Symantec. The public release of Chrome is expected in mid-October of 2018.

Now you must be wondering: “Do I need to reissue my SSL certificate? When do I need to renew my certificate?” Well, let us put in simple terms. Here’s all you need to know:

  • If your certificate was issued before June 1, 2016, you’d need to reissue/replace your certificate before March 15, 2018.
  • If your certificate was issued after June 1, 2016, and before December 1, 2017, you’ll need to reissue/replace your certificate before September 13, 2018.
  • And if your issuance date is after December 1, 2017, you don’t need to reissue your certificate.

Here’s a picture to make the picture clearer:

Symantec SSL replacement deadline

Now that you know when to reissue your certificate, you must have some questions regarding the renewal process. Let us answer them for you.

Do I need to pay any charges for reissuance?

No. The reissuance is entirely free.

I issued a certificate from GeoTrust/RapidSSL/Thawte. Am I eligible for the reissuance?

Yes, totally. In case you are not sure whether your certificate is eligible for reissuance or not? You could check your certificate through Symantec SSL/TLS Certificate reissue checker tool. Simply add your domain name and click “Check Now” button and see the result.

Do I need to undergo the vetting process if I have OV/EV certificate?

Yes, you’ll need to. As your “new” certificate will have to be issued from DigiCert’s infrastructure, they will need to verify your details.

How good is DigiCert?

Pretty good we’d say. DigiCert has established itself as the premium provider of high-assurance digital certificates. When it comes to the validation process, DigiCert comes second to none thanks to its super-efficient PKI infrastructure. Where it takes days for other CAs to issue certificates, DigiCert does this in minutes.

How to Reissue?

If you’re one of our existing customers, follow the steps given in this link to for a seamless reissuance experience.

If you’re not one of our customers, you either need to contact your vendor or do it directly by going to your CA portal. Here are the links:

If you have even the slightest of doubts or concerns, contact our ever-available, friendly team of SSL experts.

 

Do You Want to Replace Your Symantec SSL Certificate?

RapidSSL Logo
We build handy-process for Symantec SSL certificate replacement. Visit our official website and start your process now!

 

Cautious Carl’s Guide to Safe Holiday Online Shopping

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

Four rules to for safe holiday online shopping

Happy Thanksgiving. It’s a beautiful holiday. A day of food. Of football. Of arguments with family about the estate tax and which one of our dead relatives is in hell. [Editor’s Note: Carl?] It’s also a time of much shopping. There’s Black Friday, there’s Cyber Monday. And nothing says the holidays at Carl’s house like some safe holiday online shopping.

Now, I don’t like to toot my own horn, but Carl is a master gift giver. I’ve mastered every aspect of the gift, from shopping for it, to presenting it, to acting surprised by what I’ve received in return, and then re-gifting that. With me its an art.

And this holiday season, you too can be a super shopper just like Carl. As you’re unfastening your pants following a cacophony of turkey and stuffing and gravy, before hopping on to the series of tubes that we call the world wide web, just remember to follow Cautious Carl’s Safe Holiday Online Shopping rules and you’ll be a master gift giver in no time—just like me!

Carl’s Safe Holiday Online Shopping Rule #1: Stay Home

That’s right. Stay right there on your couch. Look, I’m not going to BS you. I hate crowds of people. I have multiple phobias that overlap on crowds and it’s just a nightmare waiting to happen. And really, even though there are some great deals at brick and mortar stores, do you really feel like leaving at 6PM on Thanksgiving day to go pitch a tent outside of Best Buy and risk getting trampled over a $200 flat screen TV? Trampling sounds like a pretty terrible way to go. It’s pretty low on my list. Right in between being catapaulted into the grand canyon and death by ice cream (don’t ask).

Anyway, regardless of what you do on Black Friday – stay in or go out – always do your online shopping from home. It may be tempting to log on to the internet at the coffee shop or in the airport, but WiFi is notoriously unsecure, even more so in light of the recent KRACK exploits. Granted, you could set up a VPN, but I’d be willing to wager that anyone who’s coming to Carl for advice on Safe Holiday Online Shopping probably doesn’t know a VPN from a VCR. Just avoid the risk and shop from the comfort of your couch.

Carl’s Safe Holiday Online Shopping Rule #2: Check the URL

Always check the URL. You can get a lot of information just from looking at the address of the page you’re on. This is doubly important if you’re following links, because the text of the link doesn’t necessarily tell you where you’re being pointed. So first of all, check the domain. Is it the domain you expected? If it’s not, you’re about to get duped. Run.

Second, if the domain checks out, check the protocol. There are two: HTTP and HTTPS. Remember, HTTP is outmoded. It lacks encryption. Anyone that wants to, can eavesdrop on your connection and steal any information being transmitted. And remember, you’re shopping, so what’s being transmitted is personal and financial information about you. That’s not good. So make sure the websites you’re visiting are served over HTTPS.

Carl’s Safe Holiday Online Shopping Rule #3: Click the Padlock

Next to the URL in the address bar should be a padlock icon. Remember, if there’s no padlock you’re on an HTTP website and your connection isn’t secure. So there should be a padlock. Now click on it and view the certificate details. What you’re looking at is this website’s SSL certificate. In addition to encrypting, SSL certificates contain verified information about the entity that operates the website. Depending on the level of validation you’ll either see verified business information, or just a single line about who the site is registered to.

If you see business information, it’s OK to take that at face. It’s been verified by a trusted third party. However, if it’s not there, take pause. That doesn’t mean you should automatically distrust the site, but most legitimate companies take steps to give you as much information as possible. They want your trust. It’d be weird for them not to do everything in their power to earn it.

Oh, and one last thing, if you see the company’s name in the address bar there’s no need to click the padlock. You’re where you should be.

Carl’s Safe Holiday Online Shopping Rule #4: Look for Site Seals

A Site Seal is a small logo that a website can place on its home- or checkout page that says it’s been vetted by a trusted third party. Most of them can be clicked on and display real-time information about the company as well as a timestamp.

These are there for a reason. Almost any company that accepts payment should have one as a result of Payment Card Industry requirements. And legitimate websites don’t hide these, either. They’re right in the footer or next to the submit button on the checkout page.

Look for these, if you don’t see them. That’s a sign.

Safe Holiday Online Shopping is easy, just follow my rules

That’s right, as long as you follow these four rules you should have no problems with safe holiday online shopping. And here’s a final tip for the road: use common sense. If it looks too good to be true, it probably is. There’s no point taking unnecessary risks that could cost you big time on the very small chance that you actually did find a free iPhone or Playstation.

Just use common sense. Famous last words.

Stay cautious, my friends.

Cautious Carl’s Guide to Staying Safe on the Internet

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

Everything you need to know to safe when surfing the web

A while back the guys came to me and said, “Carl, we need someone to write a guide on how to stay safe on the internet.”

I said that sounds like that last thing someone like me should be doing. After all, I have to ask permission to get on the internet. At work. Like a middle schooler during the dial-up era. I mean, it does make sense. I had a ransomware infection within my first hour of working here [Editor’s Note: Literally 51 minutes into his tenure. 9:51 AM on his first day, Carl comes to us and asks what a bitcoin is, then says he needs two].

They said, no Carl. You would be perfect for this. So here we are. This is Cautious Carl’s Guide to Staying Safe on the Internet.

The Only Surefire Way to Avoid Trouble on the Internet is Abstinence

That’s right. The only surefire way to avoid catching something on the internet is abstinence. And just like Forrest Gump, that’s all I’ve got to say about that.

But let’s be honest, the only people that aren’t on the internet nowadays are the ones with a foot in the grave. Even newborn babies have Facebook accounts now, the nurses are wiping them down immediately following birth and they’re already posting selfies, “getting a sponge bath. #baller #newbornlife.” [Editor’s Note: Thanks for putting that image in my head, Carl].

My point is, you’re going to use the internet. So if you want to stay, safe, here’s what to look out for.

Let’s Start with your Browser

Your browser is your portal to the internet. Think about it, without your browser, what could you do online? Nothing. I’ll just go ahead and answer that for you. If you were to draw a Venn diagram and you had the group of people who can do anything meaningful on the internet without a browser in one circle and the group of people who need to read an article about how to spot a bad website in the other and I’m beyond certain that the two wouldn’t overlap. There is zero overlap. So the answer is none.

There are dozens of browsers, and if you want to be the MOST secure I could certainly suggest a specific browser and settings that would practically make you a specter online. [Editor’s Note: Could you really, Carl?] Someone here at this company could suggest a specific browser and settings that would practically make you a specter online. [Editor’s Note: That’s better].

But for our purposes, here’s the advice I’m going to give you. At the crossroads of security and user experience, the best two browsers – in my opinion – are Mozilla Firefox and Google Chrome. Pick one of these and make sure that you have toggled your security settings to your tastes.

Specifically, you need to go to the settings section and find the Privacy and Security settings. Make sure you have your web filter enabled, that you’re sending “Do Not Track” requests along with your traffic and then make sure to tweak your content settings to control what sites and services can access certain areas of your systems.

Keep in mind, this isn’t foolproof. Sites and ISPs can ignore the “Do Not Track” requests, things can slip through browser filters and there’s always some new malware or exploit awaiting you. But by using a reputable browser and making sure you’ve got your security settings arranged properly you’re laying a good foundation.

I’ll have a follow-up article with some suggestions on how to set your Security settings in the future.

How to Tell if a Website is Fake

In addition to your browser settings, I would recommend a strong antivirus program as well.

Now, let’s move on to the actual web. You’re going to be interacting with websites and web pages. Most of these will be legitimate and safe—but some are designed to trick you. If that seems overly simplistic, it’s because it is. But bear with me.

The biggest threat to your safety online is the theft of your personal information. This can be used to impersonate you at financial websites, at medical websites, and to commit identity theft and fraud. A recent study by USA Today showed that identity theft is most Americans’ number one fear in terms of potential crimes they may realistically face. Obviously, people are more scared of murder. But a lot of us don’t wake up each day with a realistic fear of being murdered. It’s kind of a sign of how well off we are in the civilized world. There’s probably someone somewhere who would fill out that survey and answer “Tigers.” We’re just worried about someone pretending to be us.

Anyway, I’m getting off track. Protecting your personal information and private data are the name of the game. When I say “stay safe online” I don’t mean safe in a physical sense. I mean keeping your data and personal information safe.

To that end there are certain things we can look for in websites that kind of tip us off when sharing our data or information may not be safe. Let’s talk about some of them.

The Address Bar says more than just the URL

Take a look at your browser’s address bar. It’s telling you a lot more than just the URL of the page you’re on. It’s telling you whether your connection with that page is secure. It might even be able to tell you authoritatively who made the page. Those are important things to know when you’re deciding whether or not you can trust a website.

Because that’s what the entire web is based on: trust. You’re willing to shop, bank and network online because you trust the spaces you’re doing it in. If you didn’t, you wouldn’t feel comfortable sharing the information required to transact there, whether that’s banking information, personal identification or some other form of data.

I rarely speak categorically, but I will here. Never give any information of any importance to a website who’s URL doesn’t start with HTTPS. You’ve probably noticed that every URL starts in either http:// or https://. That little S is so important because it’s the difference between an encrypted connection where nobody but the intended recipient can see what you’re sending or an unencrypted connection where anyone who wants to can see it. Basically it’s the difference between whispering in someone’s ear and shouting across the room.

You wouldn’t shout sensitive information across the room. Other people could hear it. That’s why you don’t transmit it via HTTP. You need encryption. No encryption is a non-starter. Don’t ever trust a website without it.

Beyond just verifying that your connection with the website is secure, the address bar can also provide other information. For instance, it might be able to tell you who created and administers the site. After all, just because your connection with a website is encrypted doesn’t mean you know who you’ve made the encrypted connection with. Is this website real? Are these people who they say they are?

One way to tell is via your browser’s address bar. Some, very forward-thinking companies have made this process of verification easy on their customers by investing in something called an Extended Validation SSL certificate. An SSL certificate is the software behind the encryption we just talked about, and when a company gets an EV version, it displays its name in green font next to the URL in the address bar. This is sometimes called the green address bar.

The green address bar offers instant, irrefutable proof of a website’s identity. If the website you’re on has its name displayed in the address bar you can be assured of two things:

  • This company has been officially vetted by a trusted third-party security organization
  • It is safe to send personal information and sensitive data on this website

What if I don’t see the company’s name in the address bar?

Just because a company’s name doesn’t appear in the address bar doesn’t mean it’s unsafe. Quite the opposite, in fact. Most SSL certificates are not of the Extended Validation variety. But that doesn’t mean they don’t still supply information about the entity that registered for it.

One of the best-kept secrets on the internet is that you can click the padlock icon in the address bar and view information about the website. When you do this you will see one of two things:

  • The website has an Organization Validated SSL certificate, you will see verified business details listed in the certificate details
  • The website has a Domain Validated SSL certificate, you will only see the name of the entity that owns the domain

Obviously, if you see a company’s business details in the certificate information you can trust the website. These details have been painstakingly verified by a third-party security company and are trustworthy.

If you don’t see company details you have reason to be a little suspect given the lack of information available on the site. This doesn’t mean you have to write the website off entirely, it just means your antennas should be up.

What else should I look for?

One of the biggest things that helps you identify legitimate websites are site seals or trust marks. You’ve probably seen them before and not even realized it. The Norton Secure checkmark. The BBB logo. Maybe a PayPal or Visa logo. These are trust seals. They’re placed on a website to tell you that a company has been vetted successfully by a third party, whether that’s a payment company live Visa or a web security company like Symantec.

You need to click on these too. You should be shown real-time identifying information that verifies that the website is in good standing. You can fake a trust mark or site seal from the standpoint of adding a small image file to a page. You cannot fake the dynamic qualities.

Use Common Sense on the Internet

I think “Use Common Sense on the Internet” might be one of the most obvious, yet least heralded pieces of advice in existence today. But seriously, if something smells fishy, don’t trust it. If it walks like a duck… you get it, right?

Don’t believe outlandish claims. Be skeptical of everything. It’s sad that needs to be your default outlook on the internet, but that’s just how it has to be.

If you follow the advice I gave you – you use a good browser with good security settings, check the address bar and vet the websites you’re visiting and just use good common sense – you should be fine online. Just keep to the well-lit areas. It’s like any big city, really.

Stay Cautious, my friends

A Word About Equifax and Security Best Practices

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

Your credit information may be available on the dark web, but at least we’re learning about cyber security!

Before we get started talking about Equifax, I’d like to apologize for the brief interruption in our regularly scheduled programming, err… blog… posting? As you may know, our company resides in beautiful St. Petersburg, FL, which recently found itself in the path of Hurricane Irma.

We’re glad to say that we made it out safe and relatively unscathed. Most of us have power back by now. I actually had mine back shortly after the storm but continued to eat room temperature beans out of aluminum cans by candlelight while living without electricity for fear of looters.

Anyway, while we’ve been bailing water, a lot has happened in the world of cyber security. Namely, the Equifax Breach. So I figured this would be an excellent opportunity to go over what happened and what we can learn from this whole situation.idUSKCN1BN1WN

What is the Equifax Breach?

Equifax, an equestrian telecommunications company… [Editor’s Note: This was the point that we sent Carl back to do some more research] Scratch that. Equifax is one of the world’s largest credit reporting agencies. It keeps information on over 800 million consumers and over 88 million businesses worldwide.

On July 29th, Equifax discovered that it had been breached. Over the coming days and weeks, it was discovered that over 143-million consumer records – including full names, addresses, social security numbers and other personal identifying information – had been compromised. As more and more scrutiny has been applied to Equifax, additional troubling information has emerged that raises serious questions about the company’s security practices.

As far as data breaches go, this could be the motherload. Per a report by Reuters, verified credit card information – meaning a card that has been tested and is still active – can fetch 10-20 dollars per card on the dark web. Full ID dossiers – which include all the information to carry out identity theft – can fetch up to $10. It may seem like a trivial amount, but when you’re pulling down 143-million records it can turn into a nice haul. Some experts are already calling this the worst breach in history.

What Happened with Equifax?

From the sounds of it, Equifax really needs to overhaul its security policies and practices. A lot of what occured comes down to gross negligence. The vulnerability that was used against Equifax is called Apache Struts CVE-2017-5638. Apache Struts is an open-source framework for developing Java web applications. Researchers identified the vulnerability that was used against Equifax on March 6, 2017. It was patched a week later.

Now, if you do the math, Equifax had roughly four and a half months to patch its own systems and remove this vulnerability. It clearly didn’t. Now, 143-million consumer records have been exposed.

And that just appears to be the tip of the iceberg. Hold Security, a Milwaukee-based security firm was able to crack one of Equifax’s Argentinian database and harvest employee information with little more than guesswork. In this case, Equifax was using “admin” as both a username and the accompanying password for the database. Let’s pause for a second and appreciate a major international credit monitoring agency that has secured its database with the same level of sophistication as the average internet user sets up a router with—using just the default settings.

Let’s just put it this way. I’ve been tricked, duped and ripped off on the internet so much that my coworkers have sarcastically taken to calling me “Cautious Carl.” I got ransomware my first day working here. To this day, I’m considered such a danger I have to ask permission just to use the internet at work. The point I’m making is that when I can look at your company’s security implementation and tell you it’s awful—it must really be bad.

What Can We Learn From Equifax?

There used to be a great baseball player named Gary Sheffield that had an amazing swing, which, ironically enough, was also a pretty textbook example of how not to swing a baseball bat. Commentators used to remark that you could look at him in action and teach a young player exactly what not to do. Equifax’s security is a lot like Gary Sheffield’s swing, except for rather than using it to mash 509 career homers like Gary did, Equifax just took a fastball in its daddy bits.

Actually, that’s probably a terrible analogy for a number of reasons, the least of which is that I’m trying to talk to the cyber security community using an example that includes the word “baseball.” (It’s the game with the bases and the outs and the wooden bats—no, not Cricket. Nevermind. Just nevermind.)

Anyway, the point I’m making is that we could probably write a book on how not to secure a company or organization just using Equifax examples. In fact, someone probably will. The infosec community is petty like that. For our purposes though, there is one big lesson we can take away from Equifax.

Always stay up to date on Security Updates

Apache Struts had been patched for months before Equifax was breached. This wasn’t some zero day exploit where nobody had any warning, this was a well-documented vulnerability that should have been dealt with immediately. Or, at least within four and a half months of its disclosure. Granted, this kind of feels like your newly eclipse-blind friend telling you that this was a great lesson about not staring at the sun – it’s that obvious – but it’s still good advice. Advice that goes unfollowed far too often, even in this day and age. You just can’t ignore patches and updates. I mean, I guess you can, but this is what happens.

Of course, there are other smaller, more specific lessons that you can glean from this fiasco as well. Like, for instance, don’t ever use admin as a password for anything. Ever. Especially if your username is also “admin.” Or how about maybe don’t offload $2-million worth of stock before your company has a chance to disclose a security breach. Again, that’s very specific but it’s sound advice.

A Final Word

Let this serve as a lesson to you. The next time you get a notification about updating new security settings, spend the minute or so it takes to implement them. Granted, chances are the personal data of 143-million consumers doesn’t hang in the balance, but don’t let that stop you from updating.

And hey, at at least if you learn this one lesson you’ll be able to say you gained something from this entire debacle when your identity inevitably gets stolen sometime around Christmas.

Thanks, Equifax.

Attn: Small Business Owner, You ARE Big Enough to Get Hacked

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

74% of SMBs have been targeted by hackers

Your business is not too small to get hacked, trust me. We’ll get to that in a second though, first let me tell you a story. I used to have this friend named Jim. He had the same mindset. ‘Nothing’s going to happen to me.’ He did everything right. Crossed all his T’s, dotted every I. Successful at all levels of life. Beautiful wife. Good job. Then during his last week of work his spacecraft suffered critical power cell failures, started leaking oxygen and almost killed him.

Ok, so that’s actually the plot of Apollo 13, and as I reread it I’m not entirely sure how it relates to your website getting hacked except to say that anything can happen.

You may think nothing’s going to happen to you. That you and your small business fly beneath the radar and scope of hackers and cyber criminals. But the odds of Jim’s Service Module suffering a catastrophic energy failure were astronomically low, too.

…he never did get to walk on the moon…

Anyway, business owners who think their business isn’t at risk are misguided. The odds of a small or medium-sized business getting hacked are not small at all. In fact, according to a 2016 study by Symantec – the top security brand in the world – 74% of small and medium-sized businesses have been target by hackers and cyber criminals.

These Cyber Criminals Would Make John Dillinger Blush

A lot of people try to paint the internet like it’s the Wild West. That’s lazy and uninspired. Like the plot of a Hallmark Channel movie. Besides, it’s not nearly as lawless. No, the better comparison would be during the depression era when bank robbers and the FBI were constantly battling across the nation’s headlines.

To follow this metaphor to its absurd conclusion you should look at the MO of a lot of these bank robbers. Sure, you could knock off a big bank, but that took more planning, more resources. And the banks typically had security, the ability to investigate and possibly find the culprits, see? Sorry. (I didn’t mean to start writing in a James Cagney mobster voice right there.)

You see my point though, yes you can knock off a big bank but that could make things go sideways, fast. A lot of times it was easier to knock off a smaller bank in a rural county. It was a quicker job. Less security. Lower risk of getting caught. You could knock out several in a weekend without drawing much heat.

Sound familiar?

Don’t Let Your Business Become the Modern Equivalent of a Po-Dunk Bank

The fact of the matter is that small and medium-sized businesses make attractive targets to cyber criminals and hackers because they’re far less likely to have the resources to invest in good security.

Whereas large enterprise-level companies can afford to staff entire teams for cyber defense, a small or medium size business can’t.

Another advantage enterprise-level businesses have is that they’re far more likely to survive a cyber-attack. According to the National Cyber Security Alliance, 60% of the SMBs that suffer a cyber-attack go out of business within six months.

So, not only can you get hacked—it could also put you out of business.

It’s Time to Invest in Protection—And Not the Sopranos Type

You don’t wear a seat belt because you think you’re likely to get into an accident, you wear one because what COULD happen when you don’t is too serious to take any chances with. Hell, you even wear a seat belt on an airplane and there is NO WAY that’s going to help you in a crash—hey, at least they’ll know what seat to look for your corpse in.

The point is, even if you want to ignore the statistics and the likelihood you could be a target, the seatbelt logic still exists. What COULD happen if you aren’t staying current with security trends is your entire business could go up in flames. Remember, three out of five small and medium sized businesses that get attacked are out business within half a year.

Now, no one security product is a cure-all. You’re going to need to build a set of defenses to help you mitigate everything from eavesdropping to DDoS attacks.

An SSL certificate is a great place to start. It won’t solve all your problems, but it will protect your website’s sensitive data, encrypt all communication between your business and its customers and prevent anyone from tracking visitors on your site.

Some certificates even provide verified proof of identity, to help put your customers’ minds at ease. Adding SSL to your website is the perfect first step towards securing your business’ online interests.

And it’s never been more important. Granted, nowadays the robbers have names like “Fancy Bear” and “Guccifer” instead of “Machine Gun Kelly” and “Babyface” Nelson—but the stakes are the same: your livelihood.

So, don’t wait for one of these crooks to come waltzing through your bank lobby to think about security, see.

Stay cautious, my friends.

There Are No $20 iPads… and Some Stuff About Site Seals

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

Dynamic Site Seals offer immediate, indisputable assurance of SSL protection

Have you ever been so nervous about being robbed that you hid your whole wallet in your rectum? No? Me neither…

I am however convinced that Google planted a tracking chip in me during an airport cavity search in Atlanta back in 2003. How else does my smart phone know where I am, where I’m going and what the weather is like there? [Editor’s Note: By that logic, wouldn’t it always be 98.6 degr—just grossed myself out].

Continue reading There Are No $20 iPads… and Some Stuff About Site Seals

Artificial Intelligence is the Future of Cyber security (And Probably the End of the World)

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

Seriously, the end is nigh.

Normally we reserve our discussions for SSL, encryption and how you can personally stay safe online. But sometimes I like to update you on emerging technology, too. So today we’re going to talk about how Artificial Intelligence (AI) is going to alter the cyber security landscape very soon.

In fact it’s already beginning to.

When I say Artificial Intelligence, your mind probably goes right to the Terminator movies and SkyNet. When I first saw that movie I ruined a good pair of pants and spent the next few months in adult diapers while I waited for the flashbacks to stop. So you can probably imagine how many Tide pods it took to rectify my reaction when I saw AI and Machine Learning (ML) in the news recently.

Granted, AI isn’t designed to turn murderous – just like cell phones aren’t designed to eradicate our social skills – it starts as a tool that humans design with the noblest of intentions. It’s just that at the end you wind up with an entire generation of fidgety kids that don’t know how to hold a conversation, much less make eye contact—in the case of cell phones. Or just mass human extinction in the case of AI.

But Carl, what does AI have to do with cyber security?

Sorry, started to go off on a tangent there, let’s get back on track. In the years before an AI wipes out humanity, we will be able to apply the technology to cyber security and use it to help make our networks safer. You see, at the heart of cyber security is a constant game of cat and mouse between cybercriminals and the brave men and women who protect our networks.

The problem is, if you’re a hacker all you’re looking for is a vulnerability to exploit. Whereas, for a cyber security professional, you’re attempting to holistically secure an entire network—a much broader task. Have you ever seen Star Wars? The very first one—there’s like ten of them now. The Death Star is a perfect metaphor for cyber defense. You built this whole big death star, and spent copious amounts of time on its defenses, but you totally forgot to cover that one hole in the trench over there and now the other guys have used it to blow you up.

At least they knew they had been breached right away at the Death Star. Notice came in the form of hot, fiery death. It takes the average organization 226 days to even detect a breach, and then 69 more days to contain it. That’s due to the human element being incapable of processing large amounts of data rapidly.

Enter AI and Machine Learning.

Artificial Intelligence
I swear it’s THIS big.

 

Currently, new products like Cognetyx , that use AI and ML to monitor your network 24/7/365, are emerging.

How is that different from other products that do the same thing? Well, over time these products get smarter. The Machine Learning aspect means that they analyze all of your network data and start to identify patterns of use. What employees are using what logins from what access points, what areas they typically access, what times they typically log on—everything.

Then it looks for deviations from those trends and notifies administrators when something is off.

You can probably see how that would help to mitigate threats. Suddenly, if Ivan the Russian hacker – or it could be China or some guy in his home in New Jersey – tries to breach your network, the AI will see an unfamiliar location, or that the compromised login is behaving differently than normal (for instance, trying to access new parts of your network). At that point it will work to mitigate the issue. This happens in real time, as opposed to the way things have typically be done—which takes much longer.

It’s an exciting development and one that promises to make us all much safer, but it’s worth noting that AIs are not going to be exclusively used for defense, either. No, eventually cyber security will shift from man vs. man to AI vs. AI as cybercriminals unleash AI technology that will help advance their own nefarious objectives.

So how does an AI that monitors network activity end humanity, Carl?

If the prospect of an AI vs. AI cyber war doesn’t send a shiver down your spine, what inevitably comes next definitely will. Eventually, one of the AIs tasked with defending a large network will postulate that the only surefire way to keep its network completely safe from being breached by humans is to simply eliminate humans entirely. How it goes about carrying out that task is something I’ll leave almost entirely up to your imagination, though I picture it liquefying us.

Anyway, it’s just a matter of time before we go completely extinct.

But in the interim, we should enjoy vastly improved cyber security. And hey, the eradication of our entire species is a small price to pay so that Target can avoid another data breach. Totally worth it.

Stay cautious, my friends.