Security News
Announced last year, Google's proposal to reduce the lifespan of TLS certificates from 13 months to 90 days could be implemented in the near future. As a result, the new 90-day TLS certificate lifespan proposed by Google will have far-reaching impacts on three areas of corporate IT: DevOps, security and operations.
It can handle almost anything, and someone once called it the kitchen sink of PKI. With its extensive history as one of the longest-standing CA software projects, EJBCA offers proven robustness, reliability, and adaptability. "EJBCA was created as an open-source project. The first version of the software was released as open source in December 2001. The ability to make a living from working with it and form a good company with many developers working on open source came later when the co-founders of PrimeKey and I realized that it was something we could do," Tomas Gustavsson, the creator of EJBCA, told Help Net Security.
Digital Certificates are not new. In this Help Net Security video, Andreas Brix, Senior Program Manager at GlobalSign, discusses why they are back in the news and what you should do about it. The...
The International Information System Security Certification Consortium and IBM teamed up on February 12 to launch the IBM and ISC2 Cybersecurity Specialist Professional Certificate, which can be earned through a free, four-month, beginner-level training course. IBM chose ISC2 to develop the certification program, which prepares potential cybersecurity professionals for a career in a cybersecurity specialist role.
Many organizations are unprepared for sweeping industry changes that call for mandated certificate automation, according to GMO GlobalSign. The solution to meet this call by Google, and other browsers, is to automate certificate management.
SSL certificates are essential for encrypting traffic between systems such as clients, which access servers via web browsers or applications that communicate with remote systems. Certificates protect client and server data, commonly involving confidential information such as credit card details or social security numbers.
The threat actors behind RedLine and Vidar information stealers have been observed pivoting to ransomware through phishing campaigns that spread initial payloads signed with Extended Validation code signing certificates. In the incident investigated by the cybersecurity company, an unnamed victim is said to have first received a piece of info stealer malware with EV code signing certificates, followed by ransomware using the same delivery technique.
Among organizations that have suffered data breaches 58% were caused by issues related to digital certificates, according to a report by AppViewX and Forrester Consulting. According to the Forrester study, "Enterprise organizations have traditionally been less focused on managing machine identities compared to human ones, partly because they have different requirements and more complicated lifecycle and security challenges. These digital certificates offer authentication and protect sensitive information. Yet, few are confident in successfully layering and managing identity security across machines and navigating responsibility assignment for privacy and security."
The China-aligned APT group known as 'Bronze Starlight' was seen targeting the Southeast Asian gambling industry with malware signed using a valid certificate used by the Ivacy VPN provider. According to SentinelLabs, which analyzed the campaign, the certificate belongs to PMG PTE LTD, a Singaporean vendor of the VPN product 'Ivacy VPN.'.
Microsoft Sharepoint and OneDrive for Business were briefly interrupted today after a German TLS certificate was mistakenly added to the main.com domains for the Microsoft 365 services. At approximately 3:08 PM ET today, a Microsoft 365 advisory 'SP659992' warned that users may be unable to access SharePoint Online and OneDrive for Business.