Tag: security mobile

Unauthorized Google certificates issued by Symantec staffers lead to firings

The unauthorized certificates allowed HTTPS-protected Google domains to be impersonated by the wrong parties.

It has now been revealed that Symantec has fired several of its staff members after it was discovered that they had issued unauthorized Google certificates, which would allow an attacker to impersonate legitimate pages protected by HTTPS.

Symantec, the digital security company, announced the unauthorized certificate issuance in a recent blog post.

According to the company, “We learned on Wednesday that a small number of test certificates were inappropriately issued internally this week for three domains during product testing.” It also explained that all of the test Google certificates and their keys had always remained within the company’s control, and that they were revoked immediately once the issue was identified. “There was no direct impact to any of the domains and never any danger to the Internet.”

That said, they did terminate the employment of the people who misused the Google certificates in question.

The issue itself was identified by employees at Google, who had been monitoring Certificate Transparency, an open framework the company operates in order to repair structural flaws in the SSL certificate system. The system proved its worth in a new way in this case: because every issued certificate is expected to appear in a public log, Google was able to spot the unauthorized certificates almost immediately.

Google then reported the issue to Symantec, and the two companies worked together to ensure that the pre-certificate was active and valid for only a single day at the start of 2015. The certificate has since been blocked by way of an update to Chrome’s revocation metadata. Moreover, there is no reason to believe that the security or privacy of Symantec’s website or product users was at risk at any point as a result of this error.

Those responsible for the issue with the Google certificates are no longer employed by Symantec. Separately, the company has hired Dan Rogers as its new chief marketing officer. Rogers is the former CMO of Salesforce EMEA.

Headline hacks aren’t enough for a mobile security boost

Despite many high-profile cyber attacks, apps remain vulnerable.

A recent study conducted by Bluebox has shown that virtually no travel apps encrypt the data they store to protect it from mobile security breaches, and several are built with vulnerable code.

Even though there have been countless cyber attacks in recent headlines, added security hasn’t become a priority.

The attacks on companies as large as Target and Ashley Madison could have acted as a mobile security wake-up call, but it is clear that this has not been the case. Even though the evidence is strong that mobile app security matters to consumers, and companies and individuals alike are greatly concerned about hacks, app developers do not seem to be building it in. Bluebox, a mobile app security and analytics company, has conducted an analysis showing that the average person is surprisingly vulnerable to hacking through mobile devices.

The mobile security study focused primarily on travel apps, which showed considerable holes.

Among 10 top Android travel apps, Bluebox found that only one had encrypted the data it stored on the user’s device. Among 10 of the top iOS travel apps, not a single one had encrypted the data stored on the device. Furthermore, only 2 of the 10 Android apps analyzed and only 1 of the 10 iOS apps analyzed used certificate pinning, which Bluebox described as “a key capability for securing app data in transit.” Without pinning, an app accepts any certificate the device’s trust store validates, so a certificate issued by the wrong CA for the app’s server is accepted just like the real one.
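The Certificate Transparency monitoring that let Google catch the mis-issued certificates (first article) and the certificate pinning Bluebox calls “a key capability” both answer the same question: is the certificate a client sees one the domain owner actually authorized? The Go program below is an added example, not code from Symantec, Google or Bluebox. It generates a throwaway authorized CA and an unauthorized CA in memory (the names, the domain www.example.com and the one-day lifetime are constructed for the demonstration), issues a certificate for the domain from each, then runs the issuer allow-list check a CT log monitor applies and the SPKI pin check a mobile app would apply to a server’s chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// keyCert pairs a private key with its certificate. All material is generated
// in memory for this demonstration; no real CA is involved.
type keyCert struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// sign creates a certificate from tmpl with a fresh P-256 key, signed by parent
// (self-signed when parent is nil).
func sign(tmpl *x509.Certificate, parent *keyCert) (*keyCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyCert{key: key, cert: cert}, nil
}

// newCA builds a self-signed CA with a hypothetical name.
func newCA(name string) (*keyCert, error) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// issueLeaf has ca sign a server certificate for domain valid for lifetime
// (the Symantec test certificates were valid for a single day).
func issueLeaf(ca *keyCert, domain string, lifetime time.Duration) (*x509.Certificate, error) {
	leaf, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: domain},
		DNSNames:  []string{domain},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
	if err != nil {
		return nil, err
	}
	return leaf.cert, nil
}

// UnexpectedIssuances is the check a domain owner runs over certificates seen in
// Certificate Transparency logs: any certificate covering the domain whose issuer
// is not on the owner's list of authorized CAs is flagged for follow-up
// (revocation, contacting the CA). Issuers are matched on Common Name here.
func UnexpectedIssuances(domain string, authorizedCAs []string, logged []*x509.Certificate) []*x509.Certificate {
	allowed := make(map[string]bool, len(authorizedCAs))
	for _, ca := range authorizedCAs {
		allowed[ca] = true
	}
	var flagged []*x509.Certificate
	for _, c := range logged {
		if c.VerifyHostname(domain) != nil {
			continue // certificate is not for this domain
		}
		if !allowed[c.Issuer.CommonName] {
			flagged = append(flagged, c)
		}
	}
	return flagged
}

// SPKIPin computes the pin used by HPKP- and OkHttp-style pinning:
// base64(SHA-256(SubjectPublicKeyInfo)). Pinning the key rather than the whole
// certificate lets the site renew certificates without breaking the app.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinMatches reports whether any certificate in the server's chain carries a
// pinned key. A chain the system trust store accepts but that contains no pinned
// key is rejected, which is what defeats a mis-issued certificate from an
// otherwise trusted CA.
func PinMatches(chain []*x509.Certificate, pins []string) bool {
	for _, c := range chain {
		got := SPKIPin(c)
		for _, want := range pins {
			if got == want {
				return true
			}
		}
	}
	return false
}

func main() {
	good, _ := newCA("Authorized Test CA")    // the CA the domain owner actually uses
	rogue, _ := newCA("Unauthorized Test CA") // a trusted CA issuing without authorization
	legit, _ := issueLeaf(good, "www.example.com", 90*24*time.Hour)
	bad, _ := issueLeaf(rogue, "www.example.com", 24*time.Hour)

	flagged := UnexpectedIssuances("www.example.com", []string{"Authorized Test CA"},
		[]*x509.Certificate{legit, bad})
	fmt.Printf("CT monitor flagged %d certificate(s); issuer %q\n", len(flagged), flagged[0].Issuer.CommonName)

	pins := []string{SPKIPin(legit)} // what the app ships with
	fmt.Println("legitimate chain accepted by pin check:", PinMatches([]*x509.Certificate{legit, good.cert}, pins))
	fmt.Println("rogue chain accepted by pin check:     ", PinMatches([]*x509.Certificate{bad, rogue.cert}, pins))
}
```

The monitor flags the rogue certificate even though a device would trust it, and the pin check rejects the rogue chain even though it validates; the two controls cover the same failure from the domain owner's side and from the client's side. A real monitor reads the certificates from CT log entries and should match issuers on the full Distinguished Name or the issuer key hash rather than the Common Name alone.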

The lead security analyst at Bluebox Security, Andrew Blaich, explained that one of the most important things a mobile app can do is to ensure that it encrypts the data it writes to the device. He also pointed out that “We also want to make sure that the data is not easily accessible at all.” Of all the apps analyzed in this study, only one had actually employed data encryption.

That said, it was pointed out that in that instance this mobile security step was “hard-coded into the source code,” which means that anyone who recovers the key from the app’s code could still decrypt the data.