Default title

CERTIFICATES PROVIDE GREAT SECURITY

ONLY IF UNDERSTOOD AND IMPLEMENTED PROPERLY

Secure Certificates protect almost everything on the internet. Whether Symmetric or Asymmetric the foundational technology usually relies on a certificate or key. The key system is usually part of a set of private and public keys used for various purposes and relying on eachother for functionality.

Implementing a certificate is a very well documented process. In many cases it is too well documented and allows for less than qualified person's to effectively demonstrate a skill that they do not fully understand.

In an asymmetric key system the private key is never presented publicly, only public keys are presented to systems who wish to communicate with the target system. This is where a major security problem usually creeps into an otherwise secure system. Many times in my career I have noticed Private Keys left on the System Drives or desktops of mail servers, web servers and Linux Systems. These private keys are the kryptonite to good PKI. Keys should never be left unaccounted for or misplaced. They should be stored offline using secured, audited access methods. Gaining access to the private key of a secured system allows unfettered access to any encrypted communications using that key. This potentially allows access to emails, passwords, queries, bank information etc not because of a technical problem but instead because a lack of process and poor understanding of the technology. It is a purely preventable issue. If your key has been copied because it was left unsecured and is being used to read your encrypted communications there are very few tell-tale signs.

It might be tempting to let more junior people perform your key maintenance it is always advisable to leave anything regarding security safely in the hands of the experts who understand the technology.

RECENT THREAT POSTS

- Nate Nelson
Student Loan Breach Exposes 2.5M Records
2.5 million people were affected, in a breach that could spell more trouble down the line.
- Nate Nelson
Watering Hole Attacks Push ScanBox Keylogger
Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool.
- Nate Nelson
Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms
Over 130 companies tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.
- Nate Nelson
Ransomware Attacks are on the Rise
Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.
- Nate Nelson
Cybercriminals Are Selling Access to Chinese Surveillance Cameras
Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.
- Threatpost
Twitter Whistleblower Complaint: The TL;DR Version
Twitter is blasted for security and privacy lapses by the company’s former head of security who alleges the social media giant’s actions amount to a national security risk.
- Threatpost
Firewall Bug Under Active Attack Triggers CISA Warning
CISA is warning that Palo Alto Networks’ PAN-OS is under active attack and needs to be patched ASAP.
- Nate Nelson
Fake Reservation Links Prey on Weary Travelers
Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.
- Elizabeth Montalbano
iPhone Users Urged to Update to Patch 2 Zero-Days
Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.
- Elizabeth Montalbano
Google Patches Chrome’s Fifth Zero-Day of the Year
An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.

Archives

Leave a Reply

Your email address will not be published. Required fields are marked *