We Live Data Security

Nerd Out On Our Latest Thoughts

Cloudflare announces "Spectrum"


We personally think that Cloudflare's particularly groovy when it comes to the services they offer. Their recent Spectrum announcement makes them even more so.

Read more…

The 7 Steps of a Successful Risk Assessment

There’s been a lot of talk about standards and compliance (ISO 27001 and GDPR, to name a few). We’ve been talking about these standards quite a bit lately (here and here). What we haven’t done a lot of is talk about what people need to do in order to prepare for these standards while ensuring they stay compliant with the obligations they already have.

Read more…

Threat Hunting Tools: Cybereason

Go on the Offense Against Attackers

Get the unfair advantage with Cybereason Total Endpoint Protection: behavior-based, offense-first Endpoint Detection and more.

Read more…

Want to Delete Facebook? Here's How...

Facebook's been all over the news the last couple of days. A UK data firm named Cambridge Analytica harvested data from over 50 million Facebook accounts and used it to help sway our last presidential election.*

I'm not going to get into the nitty-gritty details. That darn 2016 election never seemed to end, and we can't get through a news cycle without a cavalcade of new and more lurid information being shoved down our throats.

Social media's evolved from a place where your great-aunt regularly shares pictures of her cat (thanks, Aunt Thelma!) to being a weaponized tool leveraged by domestic and foreign powers.

As a digital marketing manager, I must seek out and publish new content for all eternity. A modern-day Sisyphus, forever resigned to pushing a boulder composed of 140 characters or less up a steep and winding hill, only to watch it roll back down to the bottom upon reaching the top.

But you, my friends, can escape the harsh, cold fate that comes from being entangled in social media forever. Facebook, despite all of its shortcomings, gives you the ability to delete your profile altogether.

Here's how:

WARNING: Deleting your Facebook account is a serious decision and one you have to prepare for (mentally and physically). The lotus-eaters in your life (aka friends and family) who are still on the social media platform will be confused and possibly concerned regarding your decision to leave.

If you're expecting some convoluted, multi-step process to delete your Facebook account, you're in for a treat. Honestly, all you have to do is click this link: https://www.facebook.com/help/delete_account

Once you step through the process, Facebook gives you up to 30 days to log back in and reverse the decision. Be aware that any login with your Facebook credentials during that window counts, including using Facebook Login on accounts linked to Facebook (e.g., Instagram) that you continue to use: doing so reactivates your Facebook account. You've got to unlink each account manually if you want to keep using them separately.

If you're interested, you can download a copy of the information Facebook has on you before you delete the account. Since it's PII, we recommend storing it somewhere secure (encrypted at rest, not on a shared drive) if you decide to keep a copy.

Read more…

Don't Trust Trustico: Get Your SSL Certificates from Someone Else...

DISCLAIMER: Security7 Networks is a DigiCert partner. The views expressed in this article focus on Trustico's poor security practices rather than on any relationship we have with DigiCert.

In mid-February, Trustico made a power play in a fight against DigiCert that forced the website security powerhouse to revoke 23,000 HTTPS certificates. Not only did it cause a major headache for the 23,000 SSL certificate holders and for DigiCert, but it revealed just how underhanded and insecure Trustico's business practices are.

We don't ultimately know what caused DigiCert and Trustico's relationship to deteriorate. We can speculate it began as a result of browsers like Google Chrome and Mozilla Firefox rejecting Symantec-branded certificates (issued by DigiCert, which acquired Symantec's certificate business in late 2017), leading Trustico to favor certificates issued by Comodo instead.

The rejection of Symantec-branded certificates by Google and Mozilla isn't unexpected or entirely out of the blue. Both browser makers had previously announced that, starting with releases in 2018, they'd stop trusting Symantec-branded certificates issued before June 1st, 2016.

Google has also announced it will distrust Symantec certificates altogether in a future Chrome update (version 70, due out later this year).

Trustico had initially claimed it was this change that caused the issues experienced with Symantec-branded certificates, and that this was the main reason they wanted DigiCert to revoke 50,000 SSL certificates, before changing their tune and saying the certificates were "compromised."

Ars Technica speculates (and I agree with them) (https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/) that Trustico tried to get 50,000 SSL certificates revoked en masse by DigiCert so that they could in turn issue brand-new Comodo certs to their customers instead.

Jeremy Rowley, a VP at DigiCert, agreed with that speculation in a post to the mozilla.dev.security.policy Google Group (https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wxX4Yv0E3Mk). Rowley said he told Trustico's CEO that DigiCert would not revoke the certificates without evidence they were compromised, and that the CEO responded by emailing him the private keys for 23,000 of them.

Rowley said Trustico shared those 23,000 private keys with DigiCert to trigger the CA/Browser Forum Baseline Requirements' 24-hour revocation deadline for a compromised key. Once a CA has been handed a private key, that key is compromised by definition and the CA has to revoke the certificate.

Rowley said that ultimately it didn't matter whether or not the 50,000 certificates had been compromised at the start. Once Trustico's CEO emailed over the private keys, DigiCert had no choice but to revoke the 23,000 certificates those keys belonged to.

Trustico says they hold on to private keys in case the certificate needs to be revoked. All of Trustico's keys are kept in "cold storage" (typically meaning storage that's not connected to the internet). This is where things start to get hairy, and it makes our skin crawl.

What does it matter if Trustico stored private keys or not?

Let's get into how SSL/TLS certificate keys work. Every certificate corresponds to a key pair: a public key and a private one. The public key is embedded in the certificate itself and is sent to every visitor. The private key lives (securely) on the server that terminates TLS. It is never sent to anyone and must be kept secret.

When someone visits your website and fills out a form with personal information (PII), the browser and the server first run the TLS handshake, and the private key is what proves the server is the legitimate owner of the certificate. With the older RSA key exchange, the browser encrypts the secret from which the session keys are derived to the public key, so only the holder of the private key can recover it. With the (EC)DHE key exchange modern browsers use, the server signs the handshake with the private key and the session keys come from an ephemeral exchange. The form data itself is then encrypted in transit with those per-session symmetric keys. This is what keeps that PII safe from prying eyes and professional snoops.

Either way, whoever holds the private key can impersonate the site to every visitor, and where RSA key exchange was used, can decrypt recorded traffic after the fact. Without the private key, anything encrypted to the public key is useless to an eavesdropper. The only party who's supposed to have the private key is the owner of the certificate.

By keeping copies of those private keys, Trustico violated a fundamental security best practice: the private key is generated on the server that will use it and never leaves it, and the reseller or CA only ever needs the certificate signing request (CSR), which carries the public key. Whether or not those keys were in "cold storage," the very fact Trustico held them means a second party could use them, lose them, or have them stolen.

On top of that, the 23,000 private keys were sent by email to Rowley. Email! I don't think we need to get into how insecure and irresponsible that is from a security standpoint.

Add these things together, and you start to get an excellent idea of how important (or rather unimportant) security is to Trustico. Quite frankly, we don't think we'd be caught even looking in their general direction, let alone consider doing business with them. They only have their own best interests at heart, not the security of their customers.

Read more…

7 Questions You Should Ask Before Hiring an MSSP

Looking to hire a Managed Security Services Provider for your business? Here are the questions you should ask yourself before you make such an important decision!
Read more…

Learn How to Install Cylance with Ray Scholl, CISO

Read more…