SecurityWeek – DigiCert Addresses Mozilla’s Concerns on Symantec CA Acquisition

DigiCert has addressed the concerns raised by Mozilla and others regarding the company’s acquisition of Symantec’s certificate business after some web browser vendors announced that certificates issued by the security firm would no longer be trusted.

Continue reading at Security Week

Medium – DigiCert’s Commitment to Keeping the Public Trust

During a recent interview, I was asked “could you have picked a worse time to acquire Symantec’s Website Security business?” The interviewer was joking, but I understood the point. Not only are cyberattacks constantly growing in number and sophistication, but the debate within the browser community about trust in the Symantec certificates created uncertainty about the industry. Others questioned if DigiCert could handle the scale of Symantec’s operations.

Continue reading at Medium

Huffington Post UK – A Cry in the Cybersecurity Wilderness

I have spent the last decade talking about problems. I suppose the reason is because it seems to have gotten me a lot of attention. It wasn’t like that at first, but it eventually turned out that way.

Let me explain…

Continue reading at Huffington Post

eWEEK – DigiCert Closes Acquisition of Symantec’s Website SSL Security Unit

DigiCert announced on Oct. 31 that it has completed the $950 million acquisition of Symantec’s website security and PKI (Public Key Infrastructure) business assets, which include the company’s SSL/TLS certificates.

Continue reading at eWEEK

Dark Reading – Will New Ownership Open Opportunities for Digital Cert Vendors

Two leading certificate authorities this week had changes in ownership of their business.

Private equity firm Francisco Partners acquired a majority stake in Comodo’s digital certificate business for an undisclosed sum while rival DigiCert announced the completion of its previously announced $950 million purchase of Symantec’s troubled CA operations.

Continue reading at Dark Reading

CRN – CRN Exclusive: DigiCert Quintuples Sales, Headcount with Close of Deal for Symantec Website Security, PKI Offerings

“[Customers will] get a much better, more modern experience through our tools,” Merrill said.

Parallel groups focused on the integration have been formed in both DigiCert’s and Symantec’s web security business to ensure that the transition for channel partners is seamless, Martins said.

Continue reading at CRN

ChannelBuzz – DigiCert Sees Enterprise Channel Expansion with Closing of Symantec Website Security Business Deal

Identity and encryption solution vendor DigiCert has completed the acquisition of Symantec’s Website Security and related public key infrastructure [PKI] solutions, for $USD 950 million and a 30 per cent stake in itself. The move instantly makes DigiCert the global market leader in the space. It will also have significant channel ramifications. While DigiCert has been selling to very large enterprises, it did so through its direct arm. They expect that Symantec’s large enterprise-focused channel will significantly expand their enterprise business.

Continue reading at ChannelBuzz

The Myth of Mutual Exclusivity: Making the DevOps Process More Agile Without Compromising Security

The marketplace is demanding agility, but many enterprises perceive the need for agility as an ongoing security risk. If applications are constantly evolving, they assume, the process will constantly open up new avenues for attackers to exploit. This worry has given rise to a widespread misconception that security or agility is a binary choice.

Continue reading at Security Intelligence

Security or Agility? An Unnecessary Choice

In an effort to digitally transform their companies, the majority of enterprises are integrating their security teams into DevOps methodologies—or are trying to do so—a new survey finds. Faster app development can open a company to security risks, however. So how can enterprises increase both simultaneously? A new survey, “Making Security Agile” from scalable identity and encryption solutions provider DigiCert, addresses these questions. “Agility and security are not mutually exclusive, and integration requires a combination of technology improvements, and a cultural shift in how technical staff is aligned,” said DigiCert CSO Jason Sabin. “The DevOps methodology is not just a method for increasing speed, but [also] about improving efficiency, quality control and predictability in development outcomes.” The survey polled 300 U.S. enterprise executives (100 of whom are in IT management, 100 in DevOps and 100 in security) to see “whether their organizations are breaking down silos and inviting security to join the DevOps movement.”

Continue reading at CIO Insight

How to integrate security into a DevOps team

While the number of enterprises subscribing to cloud applications is increasing that doesn’t mean internal application development has gone away. Sometimes customization may be needed for a cloud application to meet business needs, and sometimes a custom application may have to be written.

Continue reading

Enterprises Look to Bake Security Into DevOps – Study

While DevOps is still a fairly new concept to most enterprises and their development teams, security has been ingrained into the DNA of IT for some time. Now, some are trying to combine the two.

Continue reading

Study: Half of Enterprises Have Achieved DevSecOps – DevOps.com

The inclusion of IT security into DevOps processes appears to be occurring at an accelerated rate. A new survey of 300 enterprise IT organizations published this week by DigiCert, a provider of identity management and encryption software, finds that almost half (49 percent) of the respondents say they have completed DevSecOps, while another 49 percent say they are already working on it.

Continue reading

98% of Companies Favor Integrating Security with DevOps

An overwhelming majority of companies believe an integrated security and DevOps team makes sense, with 98% of survey respondents saying they are either planning to or have launched such an effort, according to a report released today by DigiCert.

Continue reading

5 ways to be more private online

Recent changes in internet service provider regulations and an increase in online fraud have spurred an increased interest in online privacy. Here are five tips to stay safe online.

Continue reading

Where Business is Getting IoT Security Wrong

Securing IoT is tricky business. IoT exploits include firmware spoofing, compromising hardware, man-in-the-middle attacks, interface exploits, and cloud hosted application hacks, among others. Businesses are not always ready for the unique security challenge posed by the massive deployment of IoT devices.

Continue reading

Identity at Scale: how the Internet of Things will Revolutionize Online Identity

In-brief: Far from ‘breaking’ the public key encryption (PKI) model, the Internet of Things is poised to turbocharge PKI adoption and revolutionize online identity, DigiCert* CTO Dan Timpson writes.

If you wanted to make a movie about the Mirai botnet attacks of October 2016, you might call it “When Things Attack” or, maybe, “Revenge of the Webcams.” It’s amusing, in hindsight, to imagine the spectacle of hundreds of thousands of compromised webcams marching together in a massive, online army.

Continue reading

Best Places to Work in IT 2017 Employer Profile

No. 24: DigiCert, Lehi, Utah
This Lehi, Utah-based certificate authority provides scalable systems for securing web servers and internet of things devices with encryption technologies or user ID and authentication tools. DigiCert IT employees work in a flexible environment that supports work/life balance. A culture of accountability prioritizes results more than time spent in the office, and the company offers generous employee and dependent care benefits to help IT staffers manage major life events. Members of the IT team are eligible to take advantage of travel incentives through which they can go on trips to relax and recharge while exploring new cultures and places around the world.

Continue reading

WannaCry ransomware attack should push hospitals to gauge certain tech

The WannaCry ransomware attack affected hundreds of countries and hundreds of thousands of systems, including health systems. Experts discuss what healthcare orgs need to do.

In the wake of the WannaCry ransomware attack, two cybersecurity experts suggest that if hospitals are not already using techniques such as multifactor authentication and public key infrastructure certificates, they need to head in that direction.

Continue reading

NIST offers guidance for securing wireless infusion pumps

The National Institute of Standards and Technology has issued new guidance on securing wireless infusion pumps in hopes of hardening the devices against cyber attacks.

The federal agency issued the instructions in collaboration with the National Cybersecurity Center of Excellence (NCCoE), which is a unit within NIST.

Continue reading

NIST Issues Draft Guidance for Wireless Infusion Pumps

New draft guidance from the National Institute of Standards and Technology calls for using commercially available, standards-based technologies to improve the security of wireless infusion pumps.

NIST issued a white paper on the same topic in 2014, but it was criticized for being too prescriptive (see Infusion Pump Security: NIST Refining Guidance).

Wireless infusion pumps are commonly used medical devices that can be potentially vulnerable to accidental and malicious tampering, posing both data security and patient safety risks.

Continue reading

Security certificates gone wrong

Security certificates are designed to authenticate hosts. Browsers have become pretty good about understanding chains of authorities, and making users accept the risk when websites can’t prove the chain of authorities needed to verify they are who they say they are…

Continue reading

Owner-controlled PKI: The next step in securing the future of IoT

Mark Weiser, known to many as the father of ubiquitous computing, stated in an article he wrote for Scientific American in 1991 that, “The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it.” The Internet of Things is quickly achieving this status as we barely recognize all the devices that are both connected to the Internet and part of our lives.

But securing these IoT devices is not an easy task, and is one topic of discussion that must remain prominent because the ramifications from a security breach could be severe. Connected devices need to have strong identity attestation, authenticate all connections, and data must be encrypted to protect system integrity…IoT requires owner-controlled PKI security posture to provide independent security control over connected devices.

Continue reading

FAA Seeks Digital ID for Drones

FAA Administrator Michael Huerta announced at the agency’s Unmanned Aircraft Systems Symposium in Reston, Virginia, a rulemaking effort that will lead to remote digital identification of drones and their pilots…

An effort by private industry to create a universal system for remote, digital drone identification was announced in December by AirMap, the company that launched with an online airspace recognition tool for remote pilots, collaborating with DigiCert Inc. Industry analyst Colin Snow wrote about the new technology this month, explaining in detail many implications for regulators, pilots, and other stakeholders.

Continue reading

Automating PKI for the IoT platform

In this podcast recorded at RSA Conference 2017, Jeremy Rowley, Executive VP of Emerging Markets at DigiCert, talks about automating PKI for the IoT platform and building scalable solutions for the IoT platform.

“I’m going to be talking about automating PKI for IoT platform and building scalable solutions for the IoT platform. So we have a lot of IoT devices that are being employed throughout the Internet. You have various connected vehicles, you have connected homes, you have connected cities – heck, you have even connected watches and everything else, right? But a lot of these devices don’t deploy security, meaning they’re subject to attacks. In 2015, for example, we saw attacks on various devices that include cars and medical devices and things like that. And in 2016 we even saw insulin pump taken over through a man in the middle attack where you could actually change the dosage and thus cause harm to the patient who’s wearing that insulin pump.”

“The question becomes: how do we secure these devices at scale when they’ve already been deployed or are being deployed as well as in an effective manner that can support manufacturers?”

Continue reading

Evolving PKI for the Internet of Things

The rapid growth of the Internet of Things is outpacing security implementations, and the industry desperately needs to stem the tide of risks that come with it.

IDC estimates that, by 2020, the number of Internet-connected devices will surge past 200 billion. The sheer scale of this future Internet of Things means that it needs a strong security layer that is scalable, reliable and can be automated to meet the needs of a rapidly growing market.

Cryptography is one solution that can provide a strong security layer, with encryption and identity, at such a scale. And now, more than ever, security teams are looking to evolve public key infrastructure (PKI) to meet the challenges of IoT security.

Continue reading

Using Cryptography to Solve the Gaps in IoT Security

In an RSAC TV interview during the 2017 RSA Conference in San Francisco, DigiCert VP of Emerging Markets, Jeremy Rowley, discussed what companies can do to better secure their Internet of Things devices using cryptography.

Watch interview

Cybersecurity of medical devices: The new threat landscape

Medical devices can enter the organization through many different channels other than IT. Experts discuss medical device cybersecurity and the FDA’s guidance…The CISO at Intermountain Healthcare in Salt Lake City, Utah, explained that the influx of medical devices into health organizations, often without the knowledge of IT, may be adding to existing security problems. Experts agree that precautions concerning the cybersecurity of medical devices need to be taken on the part of the provider and the medical device manufacturer…

“What most healthcare [organizations] are doing right now is trying to wrap their arms around this new risk,” West said. “It’s significant.”

…”I think manufacturers have used the FDA potentially imposing additional regulatory burdens as a reason for not updating and doing patch management with their existing devices,” Nelson said. “But the FDA has now cleared this impediment.”

Continue reading

DigiCert Releases Healthcare IoT Security Solution

DigiCert announced the release of its DigiCert Auto-Provisioning solution to help appease the need for medical Internet of Things (IoT) device security. The tool provisions digital certificates at scale, regardless if an organization’s devices use open standards or support proprietary device enrollment protocols. The number of IoT and connected medical devices is rising rapidly and each device needs to be secured properly.

“Device authentication and encryption are critical to securing connected devices and the information they share, but many software implementations lack standard protocols for provisioning devices,” DigiCert CTO Dan Timpson said in a statement. “DigiCert Auto-Provisioning, powered by Device Authority, helps companies get certificates on a much wider range of IoT devices in a scalable, secure and automated way.”

Continue reading

Expert Analysis: Improving Medical Device Cybersecurity

The Food and Drug Administration’s recently issued final guidance on the post-market cybersecurity of medical devices outlines important steps that hospitals, clinics and others must take to better protect patient data and keep patients safe, say Karl West, CISO at Intermountain Healthcare, and Mike Nelson of DigiCert.

“An overarching theme of the guidance is to make sure a risk assessment is done, and for healthcare organizations … that’s a very important step in understanding the vulnerabilities and risks that are present in those devices,” Nelson points out in an interview with Information Security Media Group.

“Patient safety is, of course, a No. 1 risk and threat for us in cybersecurity with these devices, but at the same time, the security is critical because these devices can be leveraged and used as threat vectors to allow a [broader] breach,” West adds.

Continue reading

Secrets Management: the Must-Dos

The modern IT landscape is filled full of secrets: There are certificates, SQL connection strings, storage account keys, passwords, SSH keys, encryption keys and more. And no matter what role one plays in the group—developer, admin, PKI manager—managing these secrets can become a high-stakes management headache.

Speaking at the DigiCert Security Summit 2017, Rashmi Jha, Microsoft program manager, said that getting a handle on secrets management is one of the No. 1 challenges in modern IT security. Too often, enterprises don’t even know when secrets are compromised, or even how they will be used—and it’s a self-inflicted issue.

Continue reading

PKI: Essential for Medical IoT

There are thousands of medical devices in use today vulnerable to hacking. Hospitals, outpatient centers, healthcare practices and even patients in their homes use high-tech equipment every day to monitor care, improve patient outcomes, and save lives. However, these connected devices (and the data housed within them) are at risk for exploitation without proper authentication and encryption.

Speaking at the DigiCert Security Summit this week, Darin Andrew, senior PKI and solutions architect at DigiCert, and Scott Erven, senior managing director at PwC, ran through three common scenarios that leave these critical pieces of infrastructure wide-open to hackers—and how some of the danger can be mitigated using public key infrastructure (PKI).

Continue reading

Auto-Provisioning for IoT Devices Tackles Security Gaps

As the number of connected devices rises toward an estimated 50 billion by 2020, security continues to lag behind—a lack of encryption, easy default passwords and a dearth of proper, automated user authentication plague the space. But the reason is simple—tools for doing this at scale are few and far between. DigiCert is tackling the issue with an Auto-Provisioning tool, powered by Device Authority.

Continue reading

How FDA Medical Device Cybersecurity Guidance Affects Providers

With the continued push for interoperability and integration of EHRs into daily use, connected medical devices are quickly becoming more common tools for healthcare providers. However, similar to the way computer networks and systems can become vulnerable to data security issues, medical device cybersecurity threats can be especially dangerous for covered entities.

The Food and Drug Administration (FDA) monitors “reports of adverse events and other problems with medical devices” and has previously found potential cybersecurity issues in implantable cardiac devices. Healthcare organizations need to better understand the potential dangers of unsecured medical devices and ensure that they adhere to federal regulations while also staying mindful of recent guidelines designed to assist in creating strong medical device cybersecurity.

Continue reading

Oracle to Java devs: Stop signing JAR files with MD5

Starting in April, Oracle will treat JAR files signed with the MD5 hashing algorithm as if they were unsigned, which means modern releases of the Java Runtime Environment (JRE) will block those JAR files from running. The shift is long overdue, as MD5’s security weaknesses are well-known, and more secure algorithms should be used for code signing instead.

“The CA Security Council applauds Oracle for its decision to treat MD5 as unsigned. MD5 has been deprecated for years, making the move away from MD5 a critical upgrade for Java users,” said Jeremy Rowley, executive vice president of emerging markets at DigiCert and a member of the CA Security Council.

Continue reading

ProtonMail Over Tor Can Now Increase Privacy, Security and Censorship Resilience

ProtonMail, the privacy-focused email business, has launched a Tor hidden service to combat the censorship and surveillance of its users.

The move is designed to counter actions “by totalitarian governments around the world to cut off access to privacy tools” and the Swiss company specifically cited “recent events such as the Egyptian government’s move to block encrypted chat app Signal, and the passage of the Investigatory Powers Act in the UK that mandates tracking all web browsing activity”.

Speaking to The Register, ProtonMail’s CEO and co-founder Andy Yen said: “We do expect to see more censorship this year of ProtonMail and services like us…Given ProtonMail’s recent growth, we realize that the censorship of ProtonMail in certain countries is inevitable and we are proactively working to prevent this. Tor provides a way to circumvent certain Internet blocks so improving our compatibility with Tor is a natural first step.”

Continue reading

ProtonMail launches Tor hidden service to dodge totalitarian censorship

Continue reading

Encrypted email service ProtonMail is now accessible over Tor

The creators of encrypted email service ProtonMail have set up a server that’s only accessible over the Tor anonymity network as a way to fight possible censorship attempts in some countries.

ProtonMail was created by computer engineers who met while working at the European Organization for Nuclear Research (CERN). The service provides end-to-end encrypted email through a web-based interface and mobile apps, but the encryption is performed on the client side, and the ProtonMail servers never have access to plaintext messages or encryption keys.

On Thursday, Proton Technologies, the Geneva-based company that runs ProtonMail, announced that it has set up a Tor hidden service, or onion site, to allow users to access the service directly inside the Tor anonymity network.

Continue reading

Securing the perimeter with IoT begins and ends with the device

The internet of things has drawn the attention of the White House and Congress amid growing concerns about the woeful state of IoT connected device security, most recently demonstrated when Mirai malware spread across botnets. Indeed, the lack of security in IoT devices portends a brave new world.

The concerns are warranted as the future of IoT presents millions of connected devices, each node gathering and storing its own individual data collections and sharing that information with other connected devices through wireless communication technology via the internet and the cloud. By infecting just one device and gaining unauthorized access to the network, a malicious actor can cause large-scale mayhem. Organizations must quickly figure out how to keep track of the IoT devices connected to their network and how to secure the transmission of data to and from those devices.

Continue reading

Public Key Infrastructure: A Trusted Security Solution for Connected Medical Devices

In today’s healthcare environment, practitioners are using state-of-the-art, high-tech equipment that delivers specialty services with better efficiency, accuracy, and overall quality. Using this technology, patients and doctors are also able to generate meaningful data that improves clinical outcomes and, ultimately, the patient’s quality of life.

Despite these improvements in the delivery of care, many healthcare experts are not aware of the vulnerabilities present in connected medical devices. Numerous devices lack proper authentication—the process of validating identities to ensure only trusted users, messages, or other types of services have access to the device. This allows untrusted users to gain access and potentially manipulate the device. Other devices lack basic encryption of the sensitive data being stored in or transferred from the device. These cybersecurity oversights can result in direct harm to the patients and healthcare providers using the devices…

This white paper discusses security risks inherent in IoT devices, and articulates how PKI can be used to mitigate these vulnerabilities and improve the security posture of connected medical devices.

Continue reading
Part 1 Part 2

AirMap, DigiCert to issue digital certificates for drones

Drones will start getting digital identification certificates under a new service being launched on Tuesday that hopes to bring trust and verification to the skies.

The Drone IDs will be SSL/TLS certificates from DigiCert issued through AirMap, a provider of drone flight information data, and will first be available to users of Intel’s Aero drone platform.

“We’re hoping that this can be used outside of just our services and help the industry raise the bar with respect to security,” said Jared Ablon, chief information security officer with AirMap.

Continue reading

CASC Releases Minimum Requirements for Code Signing Certificates

The Certificate Authority Security Council (CASC) this week announced that the Code Signing Working Group released a set of minimal requirements that Certificate Authorities (CAs) should use for code signing…Microsoft, which has already adopted the new guidelines, will require all CAs that issue code signing certificates for Windows platforms to adopt the minimum requirements starting on Feb. 1, 2017.

Given that Microsoft’s Windows platform accounts for around 90% of the desktop operating system market, its decision to adopt the new guidelines and to ask CAs to follow them will likely have a great influence on other application software suppliers, which might follow suit, Jeremy Rowley, Executive Vice President of Emerging Markets, DigiCert, believes.

Continue reading

We need cooperation to secure the Internet of Things

It’s a common sentiment of internet-connected device owners and even some manufacturers that the security of an individual device isn’t so important…Individual unsecured devices, especially consumer-facing ones, aren’t so dangerous by themselves, but they become more dangerous as a swarm. We witnessed just such a swarm on October 21, with the Mirai botnet assault on a portion of the Internet’s phone book (also known as a domain name server, or DNS) that shut down the internet on the East Coast.

When individual devices aren’t secure, hacking into a large number of devices becomes as easy as hacking into one device. But a large portion of the threat can be mitigated if companies and developers follow security best practices, many of which are well established and can be practiced today.

Continue reading

Dyn DDoS May Just be the Beginning!

It has been just over ten days since the massive Dyn Distributed Denial-of-Service (DDoS) attack that brought sites like Amazon and Twitter to their knees. The attack affected about 100,000 Internet of Things (IoT) devices, and security firm Flashpoint has confirmed that some of the infrastructure responsible for the DDoS attacks against Dyn DNS were botnets compromised by Mirai malware. What is truly worrisome is that this could be a sign of things to come.

We talk to Jason Sabin, Chief Security Officer at DigiCert on his thoughts on these attacks and what it means for the IoT devices sector. Jason frequently consults with device manufacturers on how to improve their security environment. He works closely with the DigiCert customers to develop innovative new platforms and features that simplify SaaS-based digital certificate management for the enterprise and IoT. He has filed more than 50 patents involving identity management and cloud security and many of Jason’s innovations are in use by several Fortune 500 companies today.

Continue reading

Securing streaming media provides roadmap for IoT

…While some streaming services have taken precautionary steps toward protecting consumers using streaming devices and systems, unfortunately many have not. Some still view security as an afterthought…To gain consumer trust, responsible organizations should take initiative to protect their media streaming service…

Security solutions need to be simple enough — even transparent — for users to actually use them. Companies like Plex have found solutions by partnering with a trusted certificate authority to implement PKI technology into their systems and platforms. Likewise, PKI can help solve the scalability challenges of IoT implementations that involve millions of connected devices and their associated credentials.

Continue reading

Cisco Proves EST Interoperability with DigiCert

Interoperability for technology solutions is a top priority—standards used in these solutions become irrelevant when products operate in a silo. Thus, shifting to a new protocol in any solution takes careful consideration and collaboration by multiple parties in order to achieve a seamless operation.

One such protocol is Enrollment over Secure Transport (EST). EST provides secure digital certificate provisioning. Some of our products already support EST for digital certificates (e.g., Cisco IOS and IOS-XE), but EST endpoints don’t just operate by themselves. EST involves a certificate consumer and a certificate provider, usually called a Certificate Authority (CA). We needed to ensure that our EST solutions are compatible with third parties such as CAs, authentication servers, and endpoints.

To achieve that, Cisco collaborated with DigiCert to make sure Cisco’s EST implementations are interoperable with their CA. Today we want to share with you some lessons we learned from our testing.

Continue reading

How To Choose The Best SSL/TLS Certificate For Your Online Presence

Buying an Organization-Validated (OV) or Extended Validation (EV) SSL/TLS Certificate will enhance your website’s reputation, give customers the assurance they need to complete secure transactions with confidence, decrease cart abandonment rates, and build long-term customer loyalty…Establishing trust is mission critical…An SSL/TLS certificate provides the most basic level of trust—the padlock icon in the address bar of your customer’s browser…Not all SSL/TLS certificates are the same. Different kinds of certificates display different information. Some only show the domain name while others show more information about the company.

Continue reading

PKI: The Security Solution for the Internet of Things

PKI is uniquely positioned to deliver on the necessary and critical security needs of the IoT. The Institute of Electrical and Electronics Engineers points out, “When you’re looking at authenticating devices, the only real standards at the moment that offer any real interoperability tend to be Public Key Infrastructure (PKI).”

Continue reading

Continue reading (German translation)

Securing Medical Devices – A Policy not a Technical Challenge

Progress is finally happening in healthcare cybersecurity. Traditionally, healthcare has lagged behind other industries in enabling security controls, but amid reports of breaches, medical device vulnerabilities and the attention of federal regulators, innovative companies are advancing positive change.

Yet, legacy mindsets still threaten healthcare’s ability to stay ahead of evolving threats, especially as medical device manufacturers strive to innovate fast enough to address real security challenges. Medical industry boardrooms need to adopt policies that match today’s security landscape before patient harm or regulatory intervention forces their hand.

Continue reading

DigiCert CEO Nick Hales Named EY 2016 Entrepreneur of the Year

There are plenty of companies selling digital certificates to websites. Where DigiCert stands out is its focus on helping customers beyond that sale–from obtaining a certificate and its installation to monitoring and fixing any hiccups. “We help them control the entire certificate lifecycle, not just purchasing the certificate,” says DigiCert CEO Nicholas Hales.

The priority on service is true of DigiCert’s entire philosophy, Hales says, through every department and every employee.

“A lot of people look at customer service as strictly a number you call and someone answers the phone. That is customer service. A lot of companies look at it as a necessary evil,” he says. “We try to take the principles of the brick-and-mortar world in sales and marketing and bring them to the internet, where customer is king, and try to treat the customer as someone you’re providing the service to, not solving a problem for. So it’s not just the guy who answers the phone for support. It’s not just a guy who answers an email or message. It’s more than that: Every department within the company needs to be customer-centric and worry about what that customer experience is.”

“One of the keys to success is surrounding yourself with people who are brighter than you, who have knowledge in areas you don’t have.”

Continue reading

DigiCert honored for leadership in online security

DigiCert has been named to the 2016 Online Trust Alliance (OTA) Honor Roll, marking the fifth consecutive year the company has been recognized for its leadership in online security and privacy.

“OTA commends DigiCert not only for achieving the Honor Roll for the fifth consecutive year, but more importantly, its commitment to collaboration in both the public and private sector,” said Craig Spiezle, Online Trust Alliance CEO and executive director in a press release.

Continue reading

Securing the Internet of Vulnerable Things

Embedded device manufacturers have started focusing on devices that talk to each other — a car that knows your musical choices based on the playlists on your mobile, or a house that senses your mood based on your smartwatch notifications. Things are getting increasingly connected.

We are making our devices and our lives accessible but are we making them secure?…

The US Federal Trade Commission released guidelines for IoT manufacturers urging them to follow standards. The Privacy Commissioner of Canada also seems to be taking note of the matter. Even though governments all over the world are starting to take cognizance of this threat, privacy experts warn users to trust only certified and secure products from known vendors. Vendors need to increase their spending to get their IoT devices security audited and certified by trusted agencies. There are already IoT certifications being provided by companies like DigiCert that vendors can aggressively use.

Continue reading

Guard Your Security When Filing Taxes Online

A recent Online Trust Alliance survey, sponsored in part by DigiCert, found that free e-file services may not be using best practices in security. The KSL-TV consumer team talks to DigiCert’s Flavio Martins about the report’s findings and what consumers can do to stay safe.

Continue reading

3 big IoT security fears and how developers can tackle them


Continue reading

At DigiCert Security is Mission Critical

Interview with Jason Sabin, Chief Security Officer of DigiCert:
Security is a very important yet often overlooked component to online safety, especially with how easy it is to access sensitive data over bits and bytes and through vulnerabilities that have been exposed through code leaks. Jason Sabin came into his role at DigiCert, a certificate provider offering SSL, TLS, and PKI expertise, through unconventional means, but he’s passionate about what he’s done. It’s been great to learn about his business and DigiCert’s core competencies.

“TLS and SSL are a critical backbone of Internet communications today. Without them, you’d be open to a lot of vulnerabilities and problems,” says Jason Sabin.

“As a go-to provider of IoT security solutions, we feel very confident of our growth prospects and our ability to provide the best certificate-based security solutions. The smartest companies are coming to us, and we’re working with them.”

Continue reading

E-filing taxes? Watch out for fraud.

If you’re planning on filing your taxes online, caution is advised. An audit released this week by Internet security nonprofit the Online Trust Alliance found that 46 percent, or 6 out of 13 tax software websites in an IRS program, failed cybersecurity protocols. The websites are part of the IRS Free File program, which lets anyone who made under $62,000 in 2015 file taxes electronically for free…Some of the websites had issues with a lack of email authentication, according to the OTA, which lets cyber criminals send out phishing emails, fake emails purporting to be from a company. Other sites had vulnerabilities that could lead to personal information being stolen.

According to an independent survey by IDT911, a data security firm, some 63 percent of U.S. taxpayers polled believe that tax fraud "could never happen to me" — and aren’t that concerned by the prospect. The study also found that nearly 20 percent of U.S. filers haven’t ensured their wireless networks are secure when filing online.

"The sophistication of cybercriminals is a lot more advanced than a few years ago. It’s hard for the average consumer to tell [if a website or email is legitimate]," said Jason Sabin, chief security officer at DigiCert, a technology security firm…"This is not like school. Everyone can and should be on honor roll," Sabin said in a phone interview.

To protect personal data when e-filing taxes, experts suggest users look for clues that the website they are using is encrypted. Most browsers display either green in the browser bar, or a closed lock symbol, to show users the site is secure.

Continue reading

Six of 13 IRS-Approved Tax Preparers Fail Cybersecurity Test

Nearly half the firms that have agreements with the Internal Revenue Service to provide online tax-preparation and filing services are failing to protect customers’ privacy and security, according to an audit scheduled to be released Wednesday.

The audit by the nonprofit Online Trust Alliance found that six out of 13 firms, including Jackson Hewitt and Free 1040TaxReturn.com, don’t provide adequate security against cybercriminals. Seven firms, including TurboTax, H&R Block, TaxAct and TaxSlayer, were praised for their practices and named to an "Honor Roll".

The group did the audit in early February. It was funded in part by grants from three cybersecurity firms, including DigiCert Inc.

Continue reading

Pressure grows to boost security of infusion pumps

Momentum is building toward finding a way to fix security vulnerabilities in wireless medical infusion pumps, which are widely used in the nation’s hospitals.

The National Institute of Standards and Technology (NIST) is mounting the charge, announcing in late January that it’s looking for technology companies to participate in a collaborative project to improve the security of wireless infusion pumps.

Manufacturers are aware of the concerns and have been working toward reducing the risks, says Mike Nelson, vice president of DigiCert, a company that provides security and identity solutions. "I do think the issue is very real, and there is a real risk of introducing a ‘back door’ into a hospital network. All these vulnerabilities need to be addressed."

Continue reading

Healthcare IoT security issues: Risks and what to do about them

With all the benefits of IoT in healthcare also come the risks. A group of experts discuss exactly what those dangers are and what to do about them: Mike Nelson, Karl West, and Scott Erven.

In healthcare, the Internet of Things offers many benefits, ranging from being able to monitor patients more closely to using generated data for analytics.

But that increased flow of information also brings risks that health IT professionals need to address.

"There are so many benefits that come with these new connected devices," said Mike Nelson, vice president of healthcare solutions at DigiCert…"But they also present some new risks and vulnerabilities that as an industry we haven’t, I would say, firmly dealt with to this point."

Continue reading

Nearly 40 Million People Might Not Be Able To Safely Browse The Web On Jan. 1

On the morning of Jan. 1, 2016, anyone with a cell phone more than five years old will be unable to access the encrypted web – which includes sites like Facebook, Google, and Twitter – according to a new plan to upgrade the way those sites are verified.

It might not be a big deal in New York or San Francisco, where a 5-year-old phone is treated as an antique, but in some parts of the developing world up to 7% of internet users could find themselves suddenly cut off from the world’s most popular sites, according to research recently published by Facebook and CloudFlare.

Jeremy Rowley, a CA/Browser Forum representative for DigiCert, a major certificate-issuing authority, told BuzzFeed News that while the group sees the move to SHA-2 as necessary from a security standpoint, it sees the points raised by Facebook and CloudFlare as valid.

"We support Facebook’s recommendation that there should be something to do rather than cutting out all these people at the same time," said Rowley. He said Facebook was expected to submit a timeline for its proposal by the end of the working day Monday, but by 5 p.m. PST, it was unclear if Facebook’s proposal had been finished.

Continue reading

Expert explains potential security risks of wearable tech

While fitness trackers, smartwatches and even smart clothing can make for fun presents, experts say consumers should keep the devices’ potential security weaknesses in mind while shopping. Most wearable devices connect to the Internet or are Bluetooth enabled, meaning they could be vulnerable without safeguards like data encryption and authentication.

Jason Sabin is the chief security officer at Utah-based DigiCert, which provides SSL certificates – recognizable as the padlock that shows up on secure websites – for organizations that include Facebook, PayPal and NASA. He said that as an avid runner he likes the idea of a lot of wearable devices, but that as a security expert the lack of protection scares him.

Continue reading

Better Internet of Things security needed

The predominant theme at the DigiCert Security Summit Nov. 12–13 in Las Vegas was improving the usability of security solutions for the Internet of Things (IoT), enterprises and end-users.

Many of the discussions at the Security Summit focused on protecting data in the era of the IoT, as the number of connected objects and devices is expected to increase exponentially in the next five years.

"The IoT introduces a new scale for security, one that we’re prepared to help organizations efficiently implement," said Jason Sabin, DigiCert chief security officer. "Express, automated installation and real-time certificate monitoring and inspection provide organizations the scalabilities, efficiencies and real-time insights into their systems that make strong security of devices and data in motion feasible. Leading organizations know that device authentication and data encryption are must-haves for the IoT era."

Continue reading

IoT requires strong authentication paired with encryption to succeed

Think back to the height of the Cold War. As the US and the Soviet Union amassed huge stockpiles of weapons, the real battle was waged with information…Flash forward to today, and we see a battle of information and identity between organizations and attackers trying to steal personal information that they can turn around and sell. Nowhere is the risk greater than with the exploding Internet of Things (IoT) market. The threat vector is expanding…Encrypting all data is vitally important, but we have to make sure that the encrypted data ends up in the right hands. Hence, the importance of high-assurance identity binding to accompany security credentials online.

Continue reading

Why Medical Device Security Needs a Comprehensive Approach

Medical device security is quickly becoming one of the top issues in the healthcare industry, especially as more healthcare providers implement connected devices. Organizations must ensure that everything from an X-ray machine to MRIs and even pacemakers has the necessary security solutions in place to prevent unauthorized access.

General best practices for securing devices, vulnerability testing, and the responsibility for medical device security are three main issues, according to DigiCert VP of Healthcare Solutions Mike Nelson. DigiCert is hosting a Security Summit November 12 and 13, with Nelson moderating a panel discussing medical device security. "An issue right now is not just with devices being manufactured, but also with legacy devices that exist within hospitals right now," Nelson said in an interview with HealthITSecurity.com. "The question is, ‘Whose responsibility is it to secure those devices?’"

Continue reading

Facebook helps Tor project get official recognition for .onion hidden sites

With the efforts from Facebook and the Tor project, it should become easier to browse securely via SSL on the so-called Darknet. It’s not clear, in practice, if obtaining an SSL certificate for a .onion site will now be as standard as doing the same for a .com or .net. But DigiCert, the certificate authority that worked with Facebook on its .onion SSL certificate last year, expects to see more requests. Obtaining an SSL certificate for a .onion site also isn’t as simple as it is for a regular site. “.Onion sites may only obtain EV certificates. EV certificates require a high level of identity validation that ties an existing, registered entity to the certificate’s public key,” Rowley said. “This is a far greater level of scrutiny than what most .com and .net sites go through to obtain a certificate.”

Continue reading

How to prep your ecommerce store for holiday shoppers

Even though it’s only early October, if your online retail business isn’t already gearing up for the holiday season, you may miss out on revenue. So what should you and your staff be doing now to ensure your ecommerce store is able to handle the extra holiday-related traffic? Following are 16 tips from ecommerce, security, and digital marketing pros on how to make sure your online store is prepared for the Hanukkah/Christmas/Kwanzaa shopping season.

Security is top of mind for many online shoppers these days. So "installing a high-assurance SSL/TLS certificate on your website is a must," says Flavio Martins, vice president of Operations, DigiCert.

Continue reading

Direct messaging can reduce Medicare fraud and waste

Article by Scott Rea, vice president of government and education relations and senior PKI architect at DigiCert:

Our healthcare system is often too wasteful and inefficient, placing a strain on patient outcomes and the federal budget. The Center for Medicare & Medicaid Services alone is burdened with $50 billion a year just in wrong payments. We’re in need of a major step forward using modern technology to provide efficiencies, and Direct messaging is the solution.

Direct messaging continues to grow because of its simplicity of use and interoperability via a standardized framework put in place by DirectTrust. The benefit of "Direct" is that it supports whatever data formats are already being used by provider EHRs. The focus is on securing the transport method, irrespective of what the message content is. Direct messaging, as prescribed by DirectTrust, utilizes military grade public key infrastructure to give providers, payers, clinics, and all healthcare parties a secure channel to communicate via simple e-mail protocols.

Continue reading

AdvaMed 2015: Cybersecurity of Medical Devices a Real Concern

During the AdvaMed 2015 panel on cybersecurity, enticingly titled "The Hidden Life of Medical Devices," Vice President of Government/Education Relations and Senior PKI Architect for DigiCert Inc. Scott Rea reminded attendees not to forget these threats. "We shouldn’t lose sight of how the health industry has traditionally been slow on the best ways to serve patients because of perceptions of cybersecurity," Rea, an expert in and an advocate for advancing healthcare IT security, said. "As healthcare begins to embrace these things, we mustn’t lose sight of the fact that there are malicious groups out there ready and waiting to take advantage."

Continue reading

Thoma Bravo Invests in Security Firm DigiCert

Private equity firm Thoma Bravo is once again wading into the security arena, this time picking up a majority interest stake in security vendor DigiCert. As part of the deal, in which financial terms have not been publicly disclosed, Thoma Bravo is acquiring the majority interest in DigiCert, with existing shareholder TA Associates remaining on-board as a minority shareholder. Current management at DigiCert will remain in place to oversee day-to-day operations. "We look forward to adding Thoma Bravo’s strategic insight and influence as we embark on our next phase of growth," Nicholas Hales, CEO at DigiCert, said in a statement.

Continue reading

Cloud security sector leads cybersecurity mergers and acquisition report

The cyber sector is white hot. According to IDC, the hot areas for growth are security analytics/SIEM, threat intelligence, mobile security, and cloud security. Corporations are investing heavily in these areas to combat cybercrime. Here’s some noteworthy mergers and acquisition activity to report over the recent quarter (Q2 2015): DigiCert, a global Certificate Authority and leader of trusted identity solutions, acquires the CyberTrust Enterprise SSL business from Verizon Enterprise Solutions. Financial terms of the deal were not disclosed. The acquisition makes DigiCert the second-largest Certificate Authority (CA) for high-assurance SSL certificates.

Continue reading

Security needs to be a top priority for healthcare leaders

Back in the old days – say, a whole 10 years ago – thieves had to be physically inside a healthcare facility to steal patient information. How times have changed.
Now, with the Internet and the seeming lack of consistent implementation of online security best practices when it comes to patient information, we’re making things much easier for attackers. The proof is in the data. Gartner research conservatively estimates close to 40 million health care records have been breached to date. That’s likely a conservative figure, given that breaches of fewer than 500 records are not required to be reported.
Avivah Litan, cybersecurity analyst at Gartner, told the Associated Press after the Anthem hack, "The healthcare industry is generally about 10 years behind the financial services sector in terms of protecting consumer information."

Continue reading

It’s Time to Change How We Think About SSL/TLS

Logjam reminds us of the new reality we face in needing to continuously monitor and manage our SSL/TLS deployment. While many may wish it weren’t so, it’s critical that we pay more attention to digital certificates and secure server configuration and apply updates immediately. Recent reports show that a large number of Fortune 2000 companies still have not taken every step to remediate Heartbleed threats to their servers.
We’ve seen a rising tide of hacks in recent years, occurring in part because most businesses have no clue how to smartly manage their certificate landscape. With Google’s Certificate Transparency (CT) and new tools to continuously monitor certificate deployment, we can do better. There’s no reason not to know about vulnerable deployments and fix them. It’s time to stem the tide.

Continue reading

Forget Your Smartwatch Because Smart Clothing is Where It’s At

Smart clothes are increasingly where it’s at and where the industry is headed – a growing universe of garments made from fabric that’s wireless, washable and that integrates computing fibers into the fabric itself. As just one indicator of how big this market may soon be, Google recently announced a partnership with the iconic clothing maker Levi’s. With such progress, however, come security issues and concerns. "A lot of this stuff is being done insecurely. Now we’re connecting millions of devices, such as smart clothing and wearables, and a lot of it is insecure," says DigiCert CSO Jason Sabin, whose company is discussing security solutions with many IoT companies.

Continue reading

Tales from the Crypt: Hardware vs Software

With the use of mobile devices booming, and attacks against government networks and business databases escalating, data security has become a hot topic for IT system managers and users alike. Today’s technology advances have spurred a number of solutions to meet the requirements and the pockets of everybody who needs to secure a machine, from a simple home computer, to the most sophisticated networks. Sorting through so many different solutions, however, can be overwhelming. "Recent security breaches in multiple industries – including entertainment, retail, and healthcare — tell us that large enterprises are not paying enough attention to security best practices," says Dan Timpson, CTO at certificate authority DigiCert.

Continue reading

Banks are skimping on website security

Capital One, JPMorgan Chase, Suntrust, Wells Fargo — none of them use what’s commonly referred to as the “best practice” in the industry when it comes to Web security. The worst offenders are HSBC and TD Bank. Their homepages don’t even secure private connections with customers, who might be unwittingly logging into fake websites run by cyberthieves. The only banks that do it right? BNY Mellon (BK) and PNC (PNC). DigiCert CSO Jason Sabin said banks "should be using https throughout their site. It doesn’t cost any more."

Continue reading

DigiCert Grows SSL/TLS Business Via Verizon Enterprise SSL Deal

DigiCert today announced that it is acquiring the CyberTrust Enterprise SSL business from Verizon Enterprise Solutions. The acquisition, the financial terms of which are not being publicly disclosed at this time, will further bolster DigiCert’s customer ranks, while providing new security certificate options to Verizon’s customers.

Continue reading

DigiCert Acquires Verizon Enterprise SSL Business

Global Certificate Authority (CA) DigiCert announced on Tuesday that it has acquired the CyberTrust Enterprise SSL business from Verizon Enterprise Solutions. The acquisition will help DigiCert become the second-largest CA for high-assurance SSL Certificates, behind industry leader Symantec. As part of the deal, Lehi, Utah-based DigiCert will assume management of the CyberTrust trusted roots and intermediate certificates.

Continue reading

IoT is the password killer we’ve been waiting for

IoT, with its tiny screens and headless devices, will drive an authentication revolution. It’s a short leap from the kind of two-factor authentication used on the Apple Watch to proximity-based authentication that does away with any user interaction. Passwords are just the canary in the coal mine. “Maybe authentication becomes the way you walk as a person, or how you interact with the environment around you,” Jason Sabin said. “My shoes, my phone, my watch, my clothing – those could be another form of identification to prove that I am ‘Jason.’”

Continue reading

Plex Mounts Huge DigiCert Encryption Install for Media Streaming

DigiCert’s SSL/TLS Internet of Things (IoT) solution will address tens of millions of Plex media servers and clients—making it one of the largest implementations of publicly trusted certificates to date. From now on, every Plex video and music streaming packet leaving and entering a user’s network is encrypted, and its recipient verified.

Continue reading

How DigiCert’s CSO Looks at SSL/TLS Security

eWeek’s Sean Kerner sits down for a video interview with DigiCert CSO Jason Sabin to discuss SSL/TLS security and DigiCert’s efforts to improve security operations and standards for all. He also discusses DigiCert’s work to simplify certificate management for the enterprise.

Continue reading

What Happens When Health Data Is Transferred and How to Protect It

When it comes to medical records, there is no lack of people with bad intentions trying to get their hands on that information. Unless healthcare organizations use available technology to protect this data flowing over the Internet, we are bound to witness more attacks like those that struck Anthem and Premera.

Continue reading

NFC Tags Get Much Needed Security Upgrade

DigiCert is one of just two providers approved to provide digital certificates to verify signatures in NFC tags. This greatly enhances security. Learn more about the technical specification that DigiCert helped create and how it benefits consumers.

Continue reading

Security Issues at the HP Online Store

Digital certificates are a large part of what makes a secure web page/site secure. A certificate is a file that the website provides the browser. Certificate files serve two main functions, encryption and authentication…Domain Validation certificates are cheap, issued quickly and come with no practical trust. Extended Validation certificates cost more, take time to issue and are far more trustworthy.

Continue reading

DigiCert Rolls Out Certificate Monitoring; Express Install automates SSL deployment

DigiCert, a leader in SSL Certificate trust, today is announcing new ways to automate SSL certificate installation and server configuration while helping enterprises detect certificate fraud. Certificate Monitoring parses data from Google Certificate Transparency (CT) logs and proprietary DigiCert systems to give enterprises unparalleled insight into certificates issued for their domains, along with phishing detection. Express Install, unlike any other utility available, simplifies and automates SSL installation and server configuration for Windows servers and top Linux distributions.

Continue reading

DigiCert Offers Continuous Monitoring of Digital Certificates to Defeat Fraud

CAs hold the security and trust of the Web in their hands, and issues like an intermediate CA associated with Chinese certificate authority CNNIC mis-issuing certificates for Google domains haven’t helped reinforce that trust. To help address the problems, CA DigiCert is introducing a new platform that enables continuous monitoring of all of an organization's certificates to protect against fraudulent certificate issuance, theft and other abuses of the system. The platform is based on DigiCert's participation in Google’s certificate transparency scheme, which creates public logs of issued certificates.

Continue reading

Under the Lens: DigiCert

Learn more about DigiCert and some of the unique things we’re doing to effect change in the SSL industry.

Continue reading


Google’s Certificate Transparency Project Gains New Backers

Making sure that Secure Sockets Layer (SSL) certificates are authentic and have not been improperly issued is a challenge the Google-led Certificate Transparency effort is aiming to help solve. Multiple vendors now supporting the Certificate Transparency effort include certificate management vendor Venafi and certificate authority (CA) DigiCert. The Certificate Transparency initiative requires CAs to publish certificate information to a minimum of three log servers. CAs are the trusted authorities that can sell and manage SSL certificates.

Continue reading

What You Need to Know About Google Certificate Transparency

Over the past few years, there have been several fake SSL wildcard certificates created, due to lapses at certificate authorities (CAs) and sometimes through compromised server infrastructure. These fake SSL certificates can be utilized to masquerade as legitimate, secure websites, appearing to be verified and authentic, fooling web browsers, so users can’t tell that a site they’re visiting is not secure.

Continue reading

Certificate Transparency Moves Forward With First Independent Log

The Certificate Transparency scheme proposed by Google engineers has taken a couple of significant steps forward recently, with the approval of the first independent certificate log and the passing of a deadline for all extended validation certificates to be CT-compliant or lose the green indicator in Google Chrome. On Jan. 1, a CT log operated by DigiCert, a Utah certificate authority, became operational, making it the first non-Google CT log to be approved. The approval is an important step, as part of the CT scheme requires that two-year extended validation certificates have proofs from three separate logs. Google currently operates two logs of its own.

Continue reading

Mozilla to Support Certificate Transparency in Firefox

Mozilla is planning to add support for Certificate Transparency checks in Firefox in the near future, but the company says that the feature won’t be turned on by default at first. Certificate Transparency is a proposal from engineers at Google that would help resolve some of the issues with certificate authorities, fraudulent certificates and stolen certificates. The framework would provide a public log of every certificate that’s issued by compliant CAs and also would provide proof to users’ browsers when each certificate is presented. Google is planning to implement CT in Chrome, and now Mozilla officials say that the company will implement in Firefox, but the process will be a gradual one.

Continue reading

After thefts Bitcoin wallet heads to HTTPS Tor .onion address

UK-based Bitcoin wallet provider Blockchain has a new .onion address and, like Facebook, it’s got itself a signed SSL certificate to validate its hidden website in an effort to combat thefts against its users. Blockchain, the maker of the world’s most popular Bitcoin wallet, has followed Facebook down the path of the so-called ‘dark web’ — where sites or hidden services with a .onion suffix are not accessible by standard web browsers. Onion addresses are referred to as the dark web, in particular when law enforcement links a Tor hidden service to more nefarious activities on the web, such as those the alleged operators of the recently seized Silk Road and Silk Road 2.0 marketplaces have been accused of. Facebook’s arrival as a hidden service illustrated that they could also facilitate access to a site from nations where it is censored, such as China and Iran. Blockchain’s hidden service, on the other hand, was a response to a spate of attacks on users of its wallet who’d accessed its site through The Onion Network (Tor) browser.

Continue reading

Securing Blockchain Users with Tor and SSL

Over the past couple of weeks there has been a marked increase in the number of man-in-the-middle (MITM) attacks against Tor users of web based Bitcoin wallet provider Blockchain.info. One user reported 63 bitcoin stolen, and there were many other examples as the thefts continued despite warnings to users. The attacks were so successful that Blockchain resorted to blocking all traffic to the wallet service from Tor exit nodes.

Continue reading

Get Ready to Upgrade your SHA-1 Certificates!!!

I believe most of you are aware that SHA-1 SSL certificates are going to be discontinued by Microsoft after 2016. As we all know, SHA-1 is the commonly used certificate: most of the websites out there on the Internet are using this cert, and it is also the common certificate used inside most organizations. I am writing this post today to remind you of this critical update, to encourage you to begin your cert upgrades to supported SHA-2 SSL certificates proactively, and to point you to the vital resources, well written and available in the community from technical experts and vendors, for a better understanding of the topic.

Continue reading

Is Your Organization Using SHA-1 SSL Certificates?

Following a recommendation by the National Institute of Standards and Technology (NIST), Microsoft will block Windows from accepting SSL certificates encrypted with the Secure Hash Algorithm-1 (SHA-1) algorithm after 2016. Given the number of mission-critical SSL certificates that are allowed to expire from inattention, administrators have their work cut out for them. By knowing what will happen, why it’s happening, and what you need to do, you won’t be surprised by these important policy changes.

Continue reading
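Both SHA-1 items above, and the SHA-1 Sunset Tool item further down this page, turn on two fields of each certificate in an inventory: the signature algorithm (a certificate is signed with SHA-1, not encrypted with it) and its notAfter date. As an added example, not DigiCert's tool and not code from either article, the Python below reads those two fields out of `openssl x509 -noout -text` output and reports what Microsoft's cutoff (Windows stops accepting SHA-1 SSL certificates from 1 January 2017) and Google's September 2014 Chrome schedule mean for that certificate. The sample certificate text is constructed in OpenSSL's layout; the Chrome 39/40/41 indicator table is Google's published schedule as I know it, keyed on the chain's expiry date.

```python
import re
from datetime import date, datetime

# Windows stops accepting SHA-1 SSL/TLS certificates from this date ("after 2016" in the items above).
MICROSOFT_SHA1_TLS_CUTOFF = date(2017, 1, 1)
SHA1_SIGNATURE_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}


def parse_x509_text(text: str) -> dict:
    """Pull the signature algorithm and notAfter out of `openssl x509 -noout -text` output."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    raw = re.search(r"Not After\s*:\s*(.+)", text).group(1)
    # OpenSSL pads single-digit days with two spaces ("Mar  3"); collapse before parsing.
    not_after = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y %Z").date()
    return {"signature_algorithm": alg, "not_after": not_after}


def chrome_sha1_indicator(not_after: date) -> dict:
    """Chrome 39/40/41 security indicator for a chain with a SHA-1 leaf or intermediate
    (Google's September 2014 schedule, keyed on the chain's expiry date)."""
    if not_after < date(2016, 1, 1):
        return {39: "secure", 40: "secure", 41: "secure"}
    if not_after < date(2016, 6, 1):
        return {39: "secure", 40: "secure", 41: "minor errors"}
    if not_after < date(2017, 1, 1):
        return {39: "secure", 40: "minor errors", 41: "minor errors"}
    return {39: "minor errors", 40: "neutral, lacking security", 41: "affirmatively insecure"}


def audit_certificate(text: str) -> dict:
    """Flag a SHA-1 signed certificate and the last date it can stay in service.
    Self-signed roots are exempt: browsers do not validate a trust anchor's own signature."""
    info = parse_x509_text(text)
    result = dict(info, sha1=info["signature_algorithm"] in SHA1_SIGNATURE_ALGORITHMS)
    if result["sha1"]:
        result["replace_by"] = min(info["not_after"], MICROSOFT_SHA1_TLS_CUTOFF)
        result["chrome"] = chrome_sha1_indicator(info["not_after"])
    return result


# Constructed `openssl x509 -text` excerpt (not a real certificate); the SHA-2 variant differs only in the algorithm.
SAMPLE_SHA1_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Intermediate CA
        Validity
            Not Before: Mar  3 00:00:00 2014 GMT
            Not After : Mar  3 23:59:59 2017 GMT
        Subject: CN=www.example.com
"""
SAMPLE_SHA256_CERT_TEXT = SAMPLE_SHA1_CERT_TEXT.replace("sha1WithRSAEncryption", "sha256WithRSAEncryption")
```

Feeding the SHA-1 sample through `audit_certificate` gives a replace-by date of 2017-01-01, earlier than its own expiry, and an "affirmatively insecure" indicator in Chrome 41; the check has to be run over every leaf and intermediate, since one SHA-1 intermediate taints every chain beneath it.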

Retailers Demanding Federal Action on Data Breach

In an unusual move, retail groups from across the U.S. sent a letter to Congressional leaders that urged them to pass federal data protection legislation that sets clear rules for businesses serving consumers. The letter, dated November 6, was addressed to the majority and minority party leaders of the U.S. Senate and the House of Representatives and signed by 44 state and national organizations representing retailers, including the National Retail Federation, the National Grocers Association, the National Restaurant Association and the National Association of Chain Drug Stores, among others.

Continue reading

Emirates News Agency (WAM): Expanding Use of PKI in Variety of Devices Holds Challenges

One of the longest running jokes in the security industry is that each coming year finally will be The Year of PKI. While that one huge year never materialized, the use of PKI and digital certificates has become an integral part of how the Internet works today. But there are some challenges on the horizon that will need some innovative solutions.

Continue reading

IT-World: DigiCert is considering SSL certificates for more Tor hidden services

Certificate authority DigiCert is considering issuing SSL certificates to more Tor .onion address owners after recently providing Facebook with one. However, SSL certificates for pseudo-top-level domains like .onion that don’t actually exist on the Internet are in the process of being phased out and the Tor Project has not yet decided if Tor websites getting SSL certificates is a good thing.

Continue reading

DigiCert receives requests for .onion SSL certificates after issuing one to Facebook

Tor hidden services use URL addresses that end in .onion, a suffix that does not exist in the Internet’s DNS root zone and is not a TLD recognized by the Internet Corporation for Assigned Names and Numbers. As such, these addresses only resolve within the Tor network through a private DNS-like system. The internal use of made-up TLDs like .onion is not something specific to Tor. Organizations have used pseudo-TLDs like .local, .lan, .corp, .priv and others on their internal networks for a long time, even though it is not a recommended practice.

Continue reading

CIO: DigiCert is considering SSL certificates for more Tor hidden services

Last week, Facebook made its website accessible inside the Tor anonymity network by setting up a so-called Tor hidden service with the facebookcorewwwi.onion address. The company described it as an experiment that will provide Tor users with end-to-end communication, from their browsers directly into a Facebook data center, avoiding third-party exit nodes.

Continue reading

Securing an Internet Made From ‘Duck Tape and Baling Wire’

LAS VEGAS–The Internet that we use today was not designed as a cohesive network. It was put together from found bits and pieces over the course of the last few decades, and, as major bugs such as Heartbleed and others have shown, it’s a frighteningly fragile construction. Attackers know this as well as anyone, and they’ve certainly made a lot of hay in recent years exploiting the fundamental weaknesses of the Internet. Serious flaws in protocols such as SSL, the DNS system and other key pieces of the Internet’s infrastructure have made life easier for the bad guys. But that doesn’t have to continue, experts say.

Continue reading

Jeremy Rowley on the Facebook Tor Cert Decision and the Future of PKI

Dennis Fisher talks with Jeremy Rowley of DigiCert about the company’s decision to issue a certificate for Facebook’s .onion site, the challenge of key protection in today’s environment and what the near future holds for PKI.

Continue reading

Expanding Use of PKI in Variety of Devices Holds Challenges

LAS VEGAS–One of the longest running jokes in the security industry is that each coming year finally will be The Year of PKI. While that one huge year never materialized, the use of PKI and digital certificates has become an integral part of how the Internet works today. But there are some challenges on the horizon that will need some innovative solutions. PKI was developed at a time when having digital certificates in TVs and cars would have seemed absurd. But it’s no longer just Web servers, mail servers and the core network infrastructure that’s in play. Now, the range of devices that use digital certificates includes WiFi routers, mobile devices and many others.

Continue reading

Avoiding the Dark Security Future

LAS VEGAS–Nick Percoco has been thinking a lot about the future of technology, and some of the things he’s dreamed up aren’t very pretty: farms of people renting out their spare brain cycles, autonomous cars that freak out and careen into oncoming traffic and hacking groups hijacking users’ augmented reality gear and demanding ransoms to unlock them. That’s a fairly dark, dystopian view of what’s awaiting us in the coming decades, but it’s not necessarily the way that Percoco believes it has to be. Rather, he believes there’s plenty of time, talent and technology available to solve the fundamental security and reliability problems that could lead to that dim future. Percoco, a security researcher and vice president of strategic services at Rapid7, said that the brighter, technologically slick future he imagined as a young boy first learning about computers is still a possibility.

Continue reading

DigiCert Considering SSL Certificates for More Tor Hidden Services

Certificate authority DigiCert is considering issuing SSL certificates to more Tor .onion address owners after recently providing Facebook with one. However, SSL certificates for pseudo-top-level domains like .onion that don’t actually exist on the Internet are in the process of being phased out and the Tor Project has not yet decided if Tor websites getting SSL certificates is a good thing. Last week, Facebook made its website accessible inside the Tor anonymity network by setting up a so-called Tor hidden service with the facebookcorewwwi.onion address. The company described it as an experiment that will provide Tor users with end-to-end communication, from their browsers directly into a Facebook data center, avoiding third-party exit nodes.

Continue reading

DigiCert Considering Certs for Hidden Services Beyond Facebook

News broke last week that Facebook had built a hidden services version of its social network available to users browsing anonymously via the Tor Project’s proxy service. Unlike any .onion domain before it, Facebook’s would be verified by a legitimate digital signature, signed and issued by DigiCert. What this means is that Tor users could be certain that when they connect to Facebook’s hidden services site in the .onion top level domain, they were in fact communicating with the real Facebook as opposed to a domain controlled by an unknown third party.

Continue reading

Not Your Father’s Workplace

Increasingly, leading companies are providing their employees with work/life balance, including the ability for working dads to enjoy workplace flexibility and be more involved in their children’s lives. A multi-year winner of the Alfred P. Sloan Award, DigiCert values its employees’ attention to their families’ needs and strives to provide a flexible, supportive work environment.

Continue reading

POODLE Flaw Found in Legacy SSL 3.0 Encryption – DigiCert Offers Workaround

POODLE, or Padding Oracle On Downgraded Legacy Encryption, is a newly disclosed vulnerability in the legacy SSL 3.0 protocol that could be exposing users of newer Transport Layer Security (TLS) encryption protocols to risk. Google disclosed the POODLE vulnerability, also identified as CVE-2014-3566, in a research paper. If exploited, the POODLE flaw could potentially enable an attacker to access and read encrypted communications.

Continue reading

DigiCert Releases Tool to Simplify SHA-2 Migration for System Administrators

“Using the DigiCert® SHA-1 Sunset Tool, administrators can determine validity periods for their SHA-1 SSL certificates and receive information about how Google’s new policy will affect user interaction with these certificates. DigiCert issues new certificates with SHA-2 by default and has done so for nearly a year. For those choosing to migrate their existing SHA-1 to a new DigiCert-issued SHA-2 certificate, DigiCert will provide a free replacement matching the length of the existing certificate licensing term, regardless of whether or not they are a DigiCert customer.”

Continue reading

11 Common Ecommerce Mistakes — and How to Fix Them

No ecommerce site is perfect, especially when it first goes live. Even if you choose a seemingly straightforward or turnkey ecommerce solution, problems are bound to occur. And while it’s hard to predict problems, there are certain common ecommerce problems, say the experts, which can be prevented — or fixed relatively easily. Here are 11 of the most common ecommerce mistakes — and how to avoid or fix them.

Continue reading at NetworkWorld
Continue reading at ITWorld
Continue reading at ITNews

Beyond Heartbleed: Closing SSL implementation gaps within our own networks

“As security professionals put in place the final patches to fix the Heartbleed bug, I think network administrators have a unique opportunity to look beyond Heartbleed to close the unintentionally self-inflicted SSL implementation vulnerabilities within their control.”

Continue reading

DigiCert Certificate Inspector – Products of the week 03.03.14

“Discover all certificates on network. Identify potential certificate and endpoint configuration vulnerabilities, such as weak keys, problematic ciphers and expired certificates. For each detected vulnerability, receive list of remediation activities.”

Continue reading

Code Signing Seen as Effective Way to Safeguard App Security

“There are a number of different ways to ensure application security in the modern IT environment. One of them is by starting right at the source, by enabling application developers to digitally sign their code, in an effort to guarantee the integrity and authenticity of a given application.”

Continue reading

DigiCert Announces Certificate Transparency Support

“DigiCert, Inc., a leading global authentication and encryption provider, announced today that it is the first Certificate Authority (CA) to implement Certificate Transparency (CT). DigiCert has been working with Google to pilot CT for more than a year and will begin adding SSL Certificates to a public CT log by the end of October.”

Continue reading

Behind the Padlock: How Secure Web Connections Work

“If you’ve ever shopped online, and chances are you have, you’ve probably noticed, or been told to look for, certain indicators that you have a secure Web connection. For many years, the primary indicator was a padlock at the bottom of your browser screen. Now, the padlock is likely to be found in the address bar up top. Sometimes the address bar itself will turn a different color (usually green) when you enter a secure website.”

Continue reading

5 Tips for Securing Your Small Business’s Online Presence

“The intensity and sophistication of cyber-attacks are making it increasingly difficult for small businesses to protect sensitive information online. By implementing the simple steps below, small business owners can build trust and loyalty by ensuring their website is safe for customers to visit, search, enter personal information or complete a transaction.”

Continue reading

Securing and Managing HISP-to-HISP Communication

“DigiCert and DataMotion announced a partnership this week in which DataMotion will issue certificates to healthcare customers using DigiCert as part of the DirectTrust Transitional Trust Anchor Bundle.”

Continue reading

Possible security disasters loom with rollout of new top-level domains

Plans to populate the Internet with dozens of new top-level domains in the next year could give criminals an easy way to bypass encryption protections safeguarding corporate e-mail servers and company intranets, officials from PayPal and a group of certificate authorities are warning.

The introduction of Internet addresses with suffixes such as “.corp”, “.bank”, and “.ads” are particularly alarming to these officials because many large and medium-sized businesses use those strings to name machines inside their networks. If the names become available as top-level domains to route traffic over the Internet, private digital certificates that previously worked only over internal networks could potentially be used as a sort of skeleton key that would unlock communications for huge numbers of public addresses.

“The primary concern is the speed at which these new gTLDs are going to be adopted by ICANN without giving enough consideration to the potential impact on security and established networks,” Jeremy Rowley, the associate general counsel for certificate authority DigiCert, told Ars. “I don’t think they have an accurate understanding of the number of internal server names [and] internal networks that are out there and the number of certificates that have been issued to those networks.”

Continue reading

Securing SMB Online Transactions

“Giving consumers the assurances they need to know they’re securely sending their private information to your business.”

Continue reading

These Companies Want You to Take Time Off

DigiCert is highlighted on CareerBliss’ list of companies that are changing the way their employees use their time off. PTO at DigiCert helps employees strike a work-life balance.

Continue reading


SSL Certificate Discovery Tool

The free SSL Discovery Tool from DigiCert is an automated certificate finder that will help any user locate and catalog all the active digital certificates in their inventory.

Continue reading

DigiCert Inc. Names Nicholas Hales CEO

DigiCert announces that Nicholas Hales has been appointed as its new CEO while Ken Bretschneider, DigiCert’s founder, has been named the Executive Chairman of the Board.

Continue reading

Ernst & Young Entrepreneur of the Year Finalist

DigiCert founder and Executive Chairman of the Board, Ken Bretschneider, was recently featured in Utah Business Magazine for being a Finalist in the Ernst & Young Entrepreneur of the Year Award.

Continue reading


Travis Tidball – Utah Marketer of the Year

Utah Business Magazine has honored DigiCert’s VP of Marketing, Travis Tidball, with its first annual Sales and Marketer of the Year (SAMY) Award for 2012.

Continue reading