#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

SSL Certificate | Breaking Cybersecurity News | The Hacker News

Dell's Laptops are Infected with 'Superfish-Like' pre-installed Malware

Dell's Laptops are Infected with 'Superfish-Like' pre-installed Malware

Nov 24, 2015
Similar to the Superfish malware that surrounded Lenovo laptops in February, another big computer manufacturer Dell spotted selling PCs and laptops pre-installed with a rogue SSL certificate that could allow attackers: To impersonate as any HTTPS-protected website and spy on when banking or shopping online. The rogue certificate, dubbed eDellRoot , was first discovered over the weekend by a software programmer named Joe Nord . The certificate is so creepy that it automatically re-installs itself even when removed from the Windows operating system. Also Read:  Lenovo Caught Using Rootkit to Secretly Install Unremovable Software Superfish 2.0: Unkillable Zombie The self-signed transport layer security (TLS) credential came pre-installed as a root certificate on Dell PCs and laptops that are signed with the same private cryptographic key, which is stored locally. That means an attacker with moderate technical skills can extract the key and abuse it to sign fo
Free Encryption Project to issue First SSL/TLS Certificates Next Month

Free Encryption Project to issue First SSL/TLS Certificates Next Month

Jun 19, 2015
Let's Encrypt , a project aimed to provide free-of-charge and easier-to-implement way to obtain and use a digital cryptographic certificates (SSL/TLS) to secure HTTPS website, is looking forward to issue its first digital certificates next month. With Let's Encrypt , any webmaster interested in implementing HTTPS for their services can get the certificates for free, which is a great move for encouraging people to encrypt their users' connections to their websites. Let's Encrypt is a combined effort of digital-era rights advocate Electronic Frontier Foundation (EFF), Mozilla Foundation , Cisco Systems , Internet content distributor Akamai Technologies , certificate provider IdenTrust and researchers from the University of Michigan . Generally, the process of implementation of an SSL certificate, including the need to obtain and install a certificate, is complicated for most web developers as it sounds. In most cases, the cost related issues force web adm
How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

How to Accelerate Vendor Risk Assessments in the Age of SaaS Sprawl

Mar 21, 2024SaaS Security / Endpoint Security
In today's digital-first business environment dominated by SaaS applications, organizations increasingly depend on third-party vendors for essential cloud services and software solutions. As more vendors and services are added to the mix, the complexity and potential vulnerabilities within the  SaaS supply chain  snowball quickly. That's why effective vendor risk management (VRM) is a critical strategy in identifying, assessing, and mitigating risks to protect organizational assets and data integrity. Meanwhile, common approaches to vendor risk assessments are too slow and static for the modern world of SaaS. Most organizations have simply adapted their legacy evaluation techniques for on-premise software to apply to SaaS providers. This not only creates massive bottlenecks, but also causes organizations to inadvertently accept far too much risk. To effectively adapt to the realities of modern work, two major aspects need to change: the timeline of initial assessment must shorte
Critical SSL Vulnerability Leaves 25,000 iOS Apps Vulnerable to Hackers

Critical SSL Vulnerability Leaves 25,000 iOS Apps Vulnerable to Hackers

Apr 25, 2015
A critical vulnerability resides in AFNetworking could allow an attacker to cripple the HTTPS protection of 25,000 iOS apps available in Apple's App Store via man-in-the-middle (MITM) attacks . AFNetworking is a popular open-source code library that lets developers drop networking capabilities into their iOS and OS X products. But, it fails to check the domain name for which the SSL certificate has been issued. Any Apple iOS application that uses AFNetworking version prior to the latest version 2.5.3 may be vulnerable to the flaw that could allow hackers to steal or tamper data, even if the app protected by the SSL (secure sockets layer) protocol . Use any SSL Certificate to decrypt users' sensitive data: An attacker could use any valid SSL certificate for any domain name in order to exploit the vulnerability, as long as the certificate issued by a trusted certificate authority (CA) that's something you can buy for $50. " This meant that a coffee sh
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
iOS 8 Vulnerability Lets Hackers Crash Any iPhone and iPad Within Wi-Fi Range

iOS 8 Vulnerability Lets Hackers Crash Any iPhone and iPad Within Wi-Fi Range

Apr 22, 2015
Security researchers have uncovered a zero-day vulnerability in iOS 8 that could repeatedly crash users' Apple iPhones, iPads and iPods when the devices connect to a malicious wireless hotspot. It's like Denial of Service (DoS) attack on Apple's iOS devices that results in crashing either individual iOS apps or users' entire iPhones. NO iOS ZONE Adi Sharabani and Yair Amit of Mobile security firm Skycure presented their latest research, titled " No iOS Zone ", at the RSA security conference in San Francisco on Tuesday. The duo showed: It is possible for an attacker to create malicious Wi-Fi networks in order to crash nearby users' mobile devices with incredible accuracy. Also, even the "No iOS Zone" attack is capable to make iOS things within the range completely unusable by triggering constant numbers of reboots. It is nothing but a DoS attack… ...that makes the device inaccessible by its users, just like in the ca
Gogo In-flight Internet issues Fake SSL Certificates to its own Customers

Gogo In-flight Internet issues Fake SSL Certificates to its own Customers

Jan 06, 2015
Gogo — one of the largest providers of in-flight Internet service — has been caught issuing fake SSL certificates, allowing the inflight broadband provider to launch man-in-the-middle (MITM) attacks on its own users, view passwords and other sensitive information. The news came to light when security engineer Adrienne Porter Felt , who works on Google Chrome's security team, was served the phony SSL certificate while trying to connect to Google's video service YouTube. She noticed that the SSL certificate was signed by an untrusted issuer and wasn't issued by Google, but rather by Gogo itself. Felt publicly posted details about the spoofed certificate on Twitter and also provided a screenshot of the HTTPS certificate Gogo issued her when she visited YouTube. Felt tweeted , " Hey, @Gogo, why are you issuing *.google.com certificates on your planes? " Alike other unauthorized certificates, the fake Gogo certificate would generate warnings by virtually all modern bro
Chrome Plans to Mark All 'HTTP' Traffic as Insecure from 2015

Chrome Plans to Mark All 'HTTP' Traffic as Insecure from 2015

Dec 16, 2014
Google is ready to give New Year gift to the Internet users, who are concerned about their privacy and security. The Chromium Project's security team has marked all HTTP web pages as insecure and is planning to explicitly and actively inform users that HTTP connections provide no data security protections. There are also projects like Let's Encrypt , launched by the non-profit foundation EFF (Electronic Frontier Foundation) in collaboration with big and reputed companies including Mozilla, Cisco, and Akamai to offer free HTTPS/SSL certificates for those running servers on the Internet at the beginning of 2015. This is not the first time when Google is taking initiative to encourage website owners to switch to HTTPS by default. Few months ago, the web Internet giant also made changes in its search engine algorithm in an effort to give a slight ranking boost to the websites that use encrypted HTTPS connections. "We, the Chrome Security Team, propose that
Cybersecurity Resources