QR tags have become the next big thing in interactive marketing. But as smart phone users flock to the trendy, postage-stamp sized bar codes, researchers are warning that they could be used to hijack mobile phones by directing them to malicious Web pages.
Apple has finally released a fix for the certificate trust issue caused by the attack on DigiNotar, more than a week after the fraudulent certificates were identified and other browser vendors moved to revoke trust in them. However, the company did not update the mobile version of Safari to remove the certificates in iOS.
Already having revoked trust in the root certificates issued by DigiNotar, Mozilla is taking steps to avoid having to repeat that process with any other certificate authority trusted by Firefox, asking all of the CAs involved in the root program to conduct audits of their PKIs and verify that two-factor authentication and other safeguards are in place to protect against the issuance of rogue certificates.
Apple is keeping mum about when – or if – it will blacklist SSL certificates more than a week after other browser makers moved to break trust with the disgraced Dutch certificate authority DigiNotar.
As GlobalSign continues the investigation into the claimed compromise of its CA infrastructure, the attacker who says he breached DigiNotar and Comodo said in another message on Pastebin Wednesday that not only did he hack GlobalSign, but he has the private key used to sign the certificate for the company’s own domain as well as backups of its databases.
In the wake of this weekend’s revelations of the seriousness of the attack on certificate authority DigiNotar, security experts have renewed criticism of the Internet’s digital certificate infrastructure, with some wondering if larger certificate authorities (CAs) might be too big to fail.
by Roel SchouwenbergEditor’s note: This story was reposted from Securelist.com.In an almost unprecedented event the Dutch minister of internal affairs gave a press conference at 1:15 AM Friday to Saturday night. He announced the Dutch government was revoking trust in Diginotar.
A new report on the security of DigiNotar paints an ugly picture of the certificate authority’s safeguards and network infrastructure, showing that the company had all of its CA servers on one Windows domain and likely failed to separate the critical components on its network, making it easy for the attacker to make his way around the network and into the critical CA servers.
The same attacker who claimed to have compromised Comodo in March is now claiming responsibility for the attack on DigiNotar, the Dutch certificate authority that issued fraudulent certificates for several hundred domains in he last few weeks, including Google, Yahoo, Mozilla Add-Ons and several intelligence agencies. In the wake of the widening scandal, the Dutch government has performed an audit of the company’s CA business and browser vendors have revoked trust for the certificates DigiNotar issued for the Dutch government’s PKI.
The disturbingly complete compromise of DigiNotar, the Dutch certificate authority, has broad ramifications for other CAs, enterprises and consumers who rely on the shaky web of trust that comprises the CA system. Here’s what you should know about the attack and what you can do to protect yourself against intrusions resulting from it.
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.
