Tag Archives: Symantec

Security News Bites for the Week Ending Oct. 12, 2018

Data Aggregator Apollo Loses Data on 200 Million

Apollo’s business model is to aggregate both publicly available data and company private data to build profiles used to market to people.

Apollo’s 212 million contacts, 10 million companies and 9 billion data points are now public.  In addition to names and email addresses, the company also scrapes sites like LinkedIn and Twitter and then combines that data with company private data from Salesforce.  Billions of data points.

Because Apollo has tied together all kinds of data that was never tied together before, there have very complete profiles on people and their relationships.  This data is all in the wild now.  Source: Wired.

CA SB 327 Bans Weak Passwords on Internet of Things Devices

California is making history again.  It is the first state to ban the sale of IoT devices in California (note that the article says manufacture of devices in California – this is just wrong) that have weak passwords.  In particular, they are banning the sale of devices that come preloaded with userid/password combinations like Admin/admin or user/password or, even worse, default to no password.

It does allow a weak password if the system forces the user to change the password before it connects online.

It also says that devices should have reasonable security, but doesn’t say what that means other than the password idea.

While this is good, it does not address the issue of forcing devices to be patchable or automatically patched (which would be even better).

Some people, like Prof. Eric Goldman of Santa Clara Univ. Law suggest that this is inherently an interstate commerce issue and may be struck down by the courts.  Since Congress has totally abdicated any responsibility for cybersecurity (like passing a national cybersecurity law, perhaps?), the states are filling the void.

I am pretty pessimistic that Congress will act unless they are somehow forced to and I don’t see any path forward where that is likely.  After all, if Congress could not get off it’s collective tushies after the Equifax breach, what might it take to get them to act?  Source: The Register

Web Sites Using Symantec HTTPS Certificates Beware!

As the process of ramping down Symantec’s SSL certificate business continues, the next phase starts in a few days.  When Google roles out version 70 of Chrome, Symantec’s SSL certificates will be no longer trusted by Google’s browser.  If a user visits a web site that still uses a Symantec certificate, the user will get an error message that says that the site is no longer trusted.   Site owners need to replace the SSL certificate to get rid of the error message.  Source: Google’s Blog .

Firefox, on the other hand, decided to delay its rollout of the distrust of Symantec certificates.  I am not sure that this will make a difference since Chrome is the majority browser.  Firefox estimates that 1 percent of the top million web sites are still using Symantec certificates and will not change until the last possible moment – making the delay seem really stupid.  Source: The Register .

Well, I Was Wrong – U.S. Snares Chinese Spy

In last week’s news bytes I said that indicting Russian spies was pretty much useless since, after all, how dumb could a spy be to travel to, say, the EU where some country friendly to us would throw a butterfly net over the spy and hand him over to the Feds.


A high level Chinese spy created a relationship with an engineer at GE and invited him to visit China to give a talk.  The spy represented himself as an official of a Chinese university.

The GE engineer, who is not named, brought a few documents with him to China and the spy asked him if he could bring more to a meeting in Belgium.  The GE engineer baited the spy by sending him a list of document names that he had put on his computer with the spy’s hope that he could copy those documents to a flash drive in Belgium.  It is not clear if the GE engineer reported the spy’s effort and was cooperating with the feds or if the Feds were shadowing him.

However, all the spy got in Belgium was a gift of a pair of chrome plated handcuffs and an all expense paid trip to a federal penitentiary in the United States.

Of course, he has not been tried, has not been convicted and could be used as exchange bait by the administration.  As long as he is not acquitted, it would be a very rare win for the Feds.

Still, it does point out that occasionally (this may actually be the first time ever), spies can be VERY stupid.  Score one for the good guys.  Source: WaPo .

Fixmetrix Breach – Amazon Elastic Search Servers Leak 100 Million+ Records

One more time, an Amazon database with its permissions intentionally changed to make it visible to the public with no password.  113 million records from Fixmetrix, recently purchased by Mindbody, publicly visible.  The data includes name, birth date, email, emergency contact information, height, weight,  phone numbers and a bunch of exercise stats.  If this includes residents of the European Union, we will have another GDPR related breach.

And, one more time, it took almost a week to get someone’s attention at Mindbody.  Once they did get someone’s attention the databases were quickly secured.

Source: Hacken .

Warning For Symantec Customers

As I have reported before, Symantec has had problems with its server SSL certificate business for years and was on double-super probation.  Symantec bought its certificate business mostly from Verisign in 2010 for about 1.2 billion dollars.  It also bought the certificate businesses of Thawte, Equifax and others

Last month it sold that business to Digicert, a move that was designed to preserve its equity.  It sold that business for $950 million plus a minority stake in Digicert.

But now the other shoe is dropping.

The reason Symantec was in trouble was that the browser vendors didn’t trust the security of the certificates that were issued before June 2016.

OK, so what is there to do.

First, each browser maker does its own thing.  Except, Chrome has the largest share of the browser market, so what Chrome does is more important than what anyone else does and, for the most part, everyone will follow what Chrome does in this case.

As of December 1 of this year, Chrome will no longer trust any NEW certificates issued by Symantec after this date.  That means that if your web server uses a Symantec certificate issued on December 2, when a user visits that site, Chrome will pop up a warning saying that the site is not to be trusted.

Starting with Chrome version 66 which should be released around April 1, 2018, no Symantec certificate issued before June 1, 2016 will be trusted.

Finally, When Chrome 70 is released in October 2018, NO Symantec certificates will be trusted at all.

So, for those of you webmasters that bought Symante certificates – for certificates bought before June 2016, you have until early next year to replace those server certificates and for those of you who bought Symantec certificates after June 2016, you have until late 2018 to replace your certificates.

Since most people buy certificates that last one, two or three years, some of this will be solved by attrition, but we were examining one certificate today that expires TEN years in the future.

If you don’t know what vendor your certificates came from please reach out to us and we will be happy to assist you.

Information for this post came from ZDNet.


Browser Makers Doing What Needs to be Done – Finally

When you log on to a “secure” web site – one that that you access via HTTPS:// instead of HTTP:// , you do that because the web site bought a certificate from a certificate authority.  Those certificates work because the browsers – all of them – “trust” the makers of those certificates.

How do those certificate authorities become trusted?  The certificate authorities apply to each of the browser makers and those browser makers each decide who to trust.

If a browser or more than one browser decides to not trust a certificate authority, then any time a user goes to a web site that uses that vendor’s certificate they will get an error message saying the certificate is not trusted.  Every single time.

What that means is that if any of the major browser vendors don’t trust you, then you cannot sell your certificates.

If you look at any browser or computer, if you know where to look, you can find a list of all of the certificate authorities that the browser or computer trusts.  That used to be a handful of companies, but over time that has mushroomed to a ridiculous number, like 150 or more.  For some reason the browser makes have made it incredibly hard for Joe or Jane user to see what certificates are installed or to delete one of them.

There is a group called the CA/Browser Forum and they set standards for certificate authorities to follow.  The process of disciplining a CA can take years, but recently the CAB Forum started getting tough.

Two Chinese certificate authorities were not following the rules so the CAB Forum scolded them.  Then they didn’t change their actions.  So finally, one by one, the browsers started the process of the death sentence.  This week, the last major browser maker said that come September they are no longer going to trust certificates made by WoSign and StartCom.

Of course smart people would be asking why the <bleep> we were trusting security certificates from China in the first place.

My answer?  Beats me.  I guess they want to be inclusive.

I would appreciate it if they allowed me to make that decision.  But they figure that I am not smart enough to decide whether I want to trust certificates from China.

For a certificate authority, losing the trust of the browser makers is basically a death sentence – which is why they keep giving certificate authorities that screw up another chance.  Personally, I vote for ONE strike and you are out.

On a related front, one of the biggest U.S. certificate authorities, Symantec (formerly Verisign) just sold it’s certificate business to Digicert.

Symantec/Verisign has been in CAB Forum “time out” for a year or two now because of oopsies that they have made, like issuing certificates for Google.Com to someone other than Google and stuff like that.  Symantec has been given several chances to clean up their act but does not appear to be getting it right.  Fearing that they were going to go down the same path that WoSign went down and pour a billion plus dollar investment down the sewer, this week they sold that business for $950 million plus some stock, to Digicert.  This is good for users because Digicert is well respected, unlike Symantec.

So, while certificate authorities have, historically, received the death penalty like never, it appears that the browser makers have had their fill of it and ARE NOT GOING TO TAKE IT ANY MORE!!!

I hope this is the beginning of a trend.  I could do with maybe a dozen trusted certificate authorities.  That would be enough for me.  3 down, one hundred plus to go.

Information for this post came from ZDNet and eWeek.

Symantec Issues More Unvalidated SSL Certificates

Symantec, who is already on probation for issuing inappropriate SSL certificates, issued more than a hundred additional “illegit” certificates.

SSL certificates – more technically TLS certificates – are the bits of technology required to make those “secure” web sites work.

Certificates are issued by certificate authorities (CAs) – organizations who have supposedly set up processes and controls to only issue certificates to, for example, the real owners of web sites, among many other rules.

There is a CA oversight board that actually has the authority to shut down CAs who do not follow the rules, but that almost never happens because it would put those companies out of business.

In this most recent case, Symantec was found to have issues at least 108 bogus certificates. 9 of the certificates were issued without the knowledge of the web site owner;  the rest were issued without proper validation.

Some of these bogus certificates were revoked quickly, but some were not.

Even after the certificates are revoked, there are many situations where the bogus certificates might still work in a browser.

This is the reason that there are many rules for CAs to follow.  Only, they don’t always do that.  It is highly unlikely that anything will happen to Symantec as a result of this second bogus certificate issue.  Last year, Symantec issued bogus certificates to Google, among other sites.  Those certificates would allow a hacker, for example, to create a fake GMail site and attract visitors to it.  Anyone who visited the fake site and logged in would have his or her GMail credentials compromised and give the attacker the ability to read all of his or her mail.

The Symantec owned CAs in question are Symantec Trust Network, GeoTrust and Thawte.

After Symantec’s mistake last year, Google required Symantec to log all certificates it issues in a “transparency log” – just so that researchers can check on them.  Whether all of the bogus certificates were caught or not is probably a subject to debate.  Google and the other major browser vendors that run the CA oversight board can dictate to the CAs what they have to do because the browsers have to accept the CA’s master key.  If Google or another browser vendor were to stop accepting Symantec’s master key – as they have done for the Chinese CA WoSign – then all of the certificates that they issue will generate an error message when a user tries to initiate an HTTPS session using that browser.

Given Symantec issues so many certificates, it could fall into the “too big to fail” category, making it hard for the CA oversight board (technically the CA/Browser Forum) to shut them down.

My suggestion is to use a different CA – there are lots of them.  Sending a message with your checkbook is always a prudent practice.

Information for this post came from Ars Technica.

Symantec Anti Virus Security Problems Exposed

Anti Virus software has long been a concern of the security community.  While it endeavors to protect the user’s workstation, in order to do it’s job, it requires a lot of system level permissions.  This week, at least with Symantec, that came home to roost.

Tavis Ormandy a researcher from Google announced that he’d found numerous critical security vulnerabilities in Symantec’s suite of anti-virus software.  That suite covers 17 enterprise software products and 8 consumer and small business products.

While some of the bugs are simple, others are quite fatal and would allow an attacker to remotely control the user’s computer.

One bug would allow the attacker to take over an entire enterprise by just sending an infected file or malicious link – without the user ever doing anything.  This is because the anti-virus software has to open files and links when they arrive to see if they are malicious and that code has the flaws in it.

Ormandy says these flaws are “as bad as it gets“.  He is the guy who has made a career out of finding security holes in security software. His previous finds include FireEye, Kaspersky, McAfee, Sophos and Trend Micro – pretty much everyone in the anti-virus business and then some.

While we do not know how actively hackers and foreign governments are exploiting these vulnerabilities, they probably will now if they have not been doing so in the past.

What is not clear is how come these vulnerabilities exist.  After all, security companies, more than anyone else, should understand the problem of vulnerable software.  Yet, apparently, they do not.

Chris Wysopal of software testing vendor Veracode had a number of comments to make about the situation.  He thinks that at least some of these vulnerabilities would have been detected by the software testing products his company makes.

Symantec has now patched these vulnerabilities, but that doesn’t mean that customers have applied these patches.  It also doesn’t mean that there aren’t other vulnerabilities not yet detected.

And since most of this code from Symantec and other vendors like them runs with very high privileges, this software is more likely to put your system at risk than, say, a word processor.

At a minimum, everyone needs to make sure that their anti-virus software is patched as soon as the patches are released.  When they are released to you, they will be released to the hackers as well.

Ormandy says that maybe the anti-virus vendors did not understand that they had a problem, but I have a hard time believing that.  More likely, they figured that they could get away with not spending too much effort at testing their software.  Mr. Ormandy is on a  mission to prove that theory wrong and I think he is doing pretty good at that mission.

Information for this post came from Wired.