
Attacks/Breaches

2/26/2009 03:13 PM
Dark Reading
Products and Releases

VeriSign Offers Recommendations On How To Protect From Man-In-The-Middle Attacks

Common techniques for fooling visitors include phishing e-mails, false wireless hotspots, and most recently poisoning of insecure DNS servers

Mountain View, Calif., February 25, 2009. In light of a new man-in-the-middle (MITM) type of attack unveiled this week at Black Hat D.C., VeriSign, Inc. (NASDAQ: VRSN), the trusted provider of Internet infrastructure services for the networked world, is providing simple tips end users and businesses can use to effectively thwart the online threat.

The highlighted attack is the latest twist on the venerable MITM attack, which relies on a user being fooled into going to the wrong Web site. Common techniques for fooling visitors include phishing e-mails, false wireless hotspots, and most recently poisoning of insecure DNS servers. The scheme uses a fraudulent server to intercept communications between a user's browser and a legitimate Web site, and then acts as a proxy, collecting sensitive information over HTTP (not HTTPS) between the browser and the fraudulent server.

What makes this attack different from previous MITM attacks is that the fraudulent site attempts to leverage false visual cues, namely replacing the fraudulent site's favicon with a padlock icon, which has traditionally been recognized as a visual cue signifying an SSL-protected site. But while this scheme is capable of reproducing the padlock, it is not capable of recreating the legitimate HTTPS indicator or the even more noticeable green glow in the address bar of high-security Web browsers, which appears when the site is secured with an Extended Validation SSL Certificate.

To help protect against a MITM attack, VeriSign offers the following tips to end users and businesses.

End users:

Look for the "green glow": Man-in-the-middle and phishing attacks in the wild today can be combated through Extended Validation (EV) SSL Certificates and by noticing when the green indicator is absent. EV SSL Certificates definitively confirm the identity of the organization that owns the Web site. Online criminals do not have access to EV SSL Certificates for the sites they're counterfeiting and therefore cannot spoof the green glow that shows that an authenticated Web site is secure.

Download the latest version of high-security Web browsers such as Internet Explorer 7 or higher, Firefox 3 or higher, Google Chrome, Safari or Opera.

Take advantage of authentication credentials such as tokens and other forms of two-factor authentication for sensitive accounts.

Treat e-mails from unknown senders with a high degree of skepticism, and don't click links to access secure sites (type the Web address into the browser instead).

Businesses:

Adopt EV SSL and educate customers on what the green glow means. Put the EV SSL Certificate on your home page and every other page where a secure transaction takes place.

Don't offer logins on pages that are not already in an SSL session.

Offer two-factor authentication to customers as an optional way to add another layer of security when accessing accounts.

Don't include links in e-mails to customers, and encourage them to download the latest version of their favorite browsers.
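The "no logins outside an SSL session" tip above can be checked mechanically. The following is an added example, not code from the press release or from VeriSign: it parses a page's HTML with only the Python standard library and flags any form containing a password field that is either served from a non-HTTPS page or posts to a non-HTTPS action. The sample page and the `bank.example` host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect each <form>: its action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: {"action": str, "has_password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return findings for login forms (forms with a password input) that are not
    inside an SSL session: the page itself was not served over HTTPS (a proxy in
    the middle could have served it over plain HTTP), or the form posts to a
    non-HTTPS action (credentials would leave the browser unencrypted)."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        if urlparse(page_url).scheme.lower() != "https":
            findings.append(f"login form on non-HTTPS page {page_url}")
        # A relative or empty action resolves against the page URL, like a browser would.
        action_url = urljoin(page_url, form["action"]) if form["action"] else page_url
        if urlparse(action_url).scheme.lower() != "https":
            findings.append(f"login form posts to non-HTTPS action {action_url}")
    return findings


# Constructed sample page: a login form served over plain HTTP that posts to HTTPS.
SAMPLE_HTTP_LOGIN = ('<form action="https://bank.example/login" method="post">'
                     '<input type="password" name="pw"></form>')
```

Run `audit_login_page("http://bank.example/", SAMPLE_HTTP_LOGIN)` to see the page-level finding; the same HTML served from an `https://` URL produces none.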

"Though online criminals have been using low-authentication SSL Certificates in phishing and man-in-the-middle types of attacks for years, the Black Hat presentation last week is a good reminder for end users to remain vigilant when transacting online," said Tim Callan, vice president of product marketing for VeriSign. "Security threats come in many forms and staying a step ahead requires education on the end-user side and a comprehensive, layered security approach from Web sites to help ensure that users have a secure experience."

About VeriSign

VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, VeriSign helps companies and consumers all over the world engage in communications and commerce with confidence. Additional news and information about the company is available at www.verisign.com.

Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These statements involve risks and uncertainties that could cause VeriSign's actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as the inability of VeriSign to successfully develop and market new products and services and customer acceptance of any new products or services, including VeriSign EV SSL solutions; the possibility that VeriSign's announced new services may not result in additional customers, profits or revenues; and increased competition and pricing pressures. More information about potential factors that could affect the company's business and financial results is included in VeriSign's filings with the Securities and Exchange Commission, including in the company's Annual Report on Form 10-K for the year ended December 31, 2007 and quarterly reports on Form 10-Q. VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this press release.

© 2009 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.
