Default title

CERTIFICATES PROVIDE GREAT SECURITY

ONLY IF UNDERSTOOD AND IMPLEMENTED PROPERLY

Secure Certificates protect almost everything on the internet. Whether Symmetric or Asymmetric the foundational technology usually relies on a certificate or key. The key system is usually part of a set of private and public keys used for various purposes and relying on eachother for functionality.

Implementing a certificate is a very well documented process. In many cases it is too well documented and allows for less than qualified person's to effectively demonstrate a skill that they do not fully understand.

In an asymmetric key system the private key is never presented publicly, only public keys are presented to systems who wish to communicate with the target system. This is where a major security problem usually creeps into an otherwise secure system. Many times in my career I have noticed Private Keys left on the System Drives or desktops of mail servers, web servers and Linux Systems. These private keys are the kryptonite to good PKI. Keys should never be left unaccounted for or misplaced. They should be stored offline using secured, audited access methods. Gaining access to the private key of a secured system allows unfettered access to any encrypted communications using that key. This potentially allows access to emails, passwords, queries, bank information etc not because of a technical problem but instead because a lack of process and poor understanding of the technology. It is a purely preventable issue. If your key has been copied because it was left unsecured and is being used to read your encrypted communications there are very few tell-tale signs.

It might be tempting to let more junior people perform your key maintenance it is always advisable to leave anything regarding security safely in the hands of the experts who understand the technology.

RECENT THREAT POSTS

- Elizabeth Montalbano
Phishing Campaign Dangles SharePoint File-Shares
Attackers spoof sender addresses to appear legitimate in a crafty campaign that can slip past numerous detections, Microsoft researchers have discovered.
- Lisa Vaas
We COVID-Clicked on Garbage, Report Finds: Podcast
Were we work-from-home clicking zombies? Steganography attacks snagged three out of eight recipients. Nasty CAPTCHAs suckered 50 times more clicks during 2020.
- Becky Bracken
Iranian APT Lures Defense Contractor in Catfishing-Malware Scam
Fake aerobics-instructor profile delivers malware in a supply-chain attack attempt from TA456.
- Tara Seals
Ransomware Volumes Hit Record Highs as 2021 Wears On
The second quarter of the year saw the highest volumes of ransomware attacks ever, with Ryuk leading the way.
- Tom Spring
Raccoon Stealer Bundles Malware, Propagates Via Google SEO
An update to the stealer-as-a-service platform hides in pirated software, pilfers crypto-coins and installs a software dropper for downloads of more malware.
- Elizabeth Montalbano
‘DeadRinger’ Targeted Exchange Servers Long Before Discovery
Cyberespionage campaigns linked to China attacked telecoms via ProxyLogon bugs, stealing call records and maintaining persistence, as far back as 2017.
- Lisa Vaas
‘PwnedPiper’: Devastating Bugs in >80% of Hospital Pneumatics
Podcast: Blood samples aren’t martinis. You can’t shake them. But bugs in pneumatic control systems could lead to that, RCE or ransomware.
- Becky Bracken
Chipotle Emails Serve Up Phishing Lures
Mass email distribution service compromise mirrors earlier Nobelium attacks.
- Becky Bracken
NSA Warns Public Networks are Hacker Hotbeds
Agency warns attackers targeting teleworkers to steal corporate data.
- Elizabeth Montalbano
Novel Meteor Wiper Used in Attack that Crippled Iranian Train System
A July 9th attack disrupted service and taunted Iran’s leadership with hacked screens directing customers to call the phone of Iranian Supreme Leader Khamenei with complaints.

Archives

Leave a Reply

Your email address will not be published. Required fields are marked *

5 × 5 =