Security News

Sectigo's chief compliance officer has hit out at Google for minimizing the visibility of Extended Validation HTTPS certificates in Chrome. In a chat with The Register, Sectigo CCO Tim Callan said his biz, which among other things is one of the biggest sellers of EV HTTPS certificates, was "Going to remove street and postal information from all of our public sites," seeing as Google thinks no one cares where a business is based.

"EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, said:"The agreement ENISA signed with CERT-EU is a stepping-stone in utilising our synergies to the benefit of EU Member States and the EU Institutions, Agencies and Bodies. "Our structured cooperation comes at a time where the EU and its Member States need to strengthen their cybersecurity capabilities more than ever."

Internet Security Research Group nonprofit Let's Encrypt has massively upgraded its certification hardware and software so that it can delete and reissue all its certs in less than 24 hours. Last April the certificate authority was forced to kill three million HTTPS certs after a bug was found in its automated certificate management environment, about 2.6 per cent of its 150 million live certificate base.

When Google Chrome 90 arrives in April, visitors to websites that depend on TLS server authentication certificates from AC Camerfirma SA, a digital certificate authority based in Madrid, Spain, will find that those sites no longer present the secure lock icon. Mozilla, maker of Chrome rival Firefox, has been trying to decide whether Camerfirma's history of questionable certificate management practices - documented in a lengthy list - warrants banishing the Spanish company's certificates from its Root Store - the set of certificates Firefox recognizes as trustworthy by default.

Researchers have disclosed a new family of Android malware that abuses accessibility services in the device to hijack user credentials and record audio and video. The malware repeatedly reopens the Settings screen every eight seconds until the user turns on permissions for accessibility and device usage statistics, thus pressurizing the user into granting the extra privileges.

We explain how two French researchers hacked the Google Titan security key product, and dig into the Mimecast certificate compromise story to see what we can all learn from it. WHERE TO FIND THE PODCAST ONLINE. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

It wasn't the best of New Year's Day mornings for some Check Point customers; in addition to possible hangovers, those who lagged with their patching had been left with inoperable systems and a tough fix ahead for some. On January 1, 2021, a certificate used for outdated Check Point Remote Access VPN clients and Endpoint services expired.

Let's Encrypt, a Certificate Authority that puts the "S" in "HTTPS" for about 220m domains, has issued a warning to users of older Android devices that their web surfing may get choppy next year. Next year, on September 1, 2021, the DST Root X3 certificate that Let's Encrypt initially relied for cross-signing will expire and devices that haven't been updated in the past four years to trust the X1 root certificate may find they're unable to connect to websites securely, not without throwing up error messages, at least.

"Our goal," writes Metcalf, "Is to create neutral names that provides a means for people to remember vulnerabilities without implying how scary the particular vulnerability in question is." There is no doubt that there is no apparent emotive bias to the new naming convention, but much still needs to be done on the project - and it is not entirely clear that two disconnected words are any better than one emotive word.

Named security incidents recently have editorialized their own importance with fear-mongering monikers like Heartbleed, Meltdown, Spectre, and Foreshadow, and Fallout and ZombieLoad. Not all do so. "Sensational names are often the tool of the discoverers to create more visibility for their work," explained Leigh Metcalf, senior network security research analyst at the CMU's CERT/CC, on Friday.