The Death of EV SSL Certificates

It was reported some months ago that Google Chrome, among other browsers, was looking into the fact that Extended Validation SSL certificates were not really worth the money or effort and were not working as intended.

The Identified Issue

The Chrome developers at Google questioned the validity of E.V. certificates some months ago after carrying out research with users. They discovered that the certificates made absolutely no difference to users’ behavior when entering credit card or username and password information on websites. In fact, most users do not even know the difference between a bottom-of-the-range ACME (Automated Certificate Management Environment) certificate provided by the likes of Let’s Encrypt and the top-of-the-range, most expensive E.V. certs. They called for action to be taken on this, but no solution has been found to correct it.

The Result

The result of this research, combined with the fact that the E.V. certificate information takes up much-needed space on the address bar and has already been dropped on most mobile platforms, is that it will now be removed from Chrome. Mozilla has said it will also be removing it from Firefox in the very near future. Going forward, all browsers will move the E.V. information to the Certificate information section, which needs to be clicked to be seen. This move basically renders the E.V. certificate dead. E.V. certificates cost substantially more than any other type of certificate and are much harder to obtain due to the level of scrutiny required.

What Are The Differences Between SSL Certificates

The different types of certificate available to websites were meant to represent how secure a website was, or how much trust you could give it. A basic ACME type of certificate provided by the likes of Let’s Encrypt is the bottom of the range. It gives absolutely no assurance about the company or entity that owns the domain or website, because no checks are made on them. So if they put up a website that looks like your local bank, it matters not to the certificate supplier, as they are not looking at it. The ACME certificates are automatically installed and renewed as long as the basics can be verified: that a record can be added to the domain’s DNS and that the site is hosted on that server. This is the cheapest type, as they are usually free and only come in the basic encryption level.

The cheapest paid-for certificates are much the same, but there is a check on the domain which means that an actual person has to verify they own the domain name by way of an email sent to an address on the domain, such as admin, administrator or webmaster. This only proves that the person asking for the certificate is an actual person who has access to the domain and email account. These are also known as D.V. (Domain Vetted) certificates.

The next level up is O.V. (Organisation Vetted) certificates. These are a bit more expensive but give the user some information about the organisation behind the certificate, so that they can be more sure of who they are dealing with. They require the issuing authority to check that the person or company actually exists before issuing a certificate. They therefore take longer to issue than the ACME certificates, which are instant, and the DV certificates, which are usually issued within an hour.

The next level is the E.V. (Extended Validation) certificates. These are much harder to get, as there are a lot more checks carried out by a human being at the issuing authority, and so the cost is much higher. They used to give you a green bar at the top and a green padlock on other browsers. They should have allowed visitors to know that you have been fully vetted and can be trusted to take credit card details. They were akin to the old-fashioned banks. In the old Wild West, there was a big problem with banks opening up, taking in customer deposits and then disappearing by morning, or in some cases a while later, but you get the idea. They would open up, take money in and then, as quickly as they arrived, they were gone, with all the money. That is why banks have big buildings that cost lots of money: to show that they were there for the long haul and were trustworthy. The average conman did not want to spend any money on something he was going to throw away. EV certificates were the same for the internet: deliberately expensive and hard to get, so that the holder of one could show they were trustworthy and not a conman.
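An added example (not from the original article): the vetting levels above show up in a certificate's subject, which is what the browser's certificate information panel displays. The sketch below classifies the dictionary returned by Python's ssl.getpeercert(); the function names and sample subjects are constructed for illustration, and the field test is a heuristic, since the authoritative marker is the certificate policies extension, which getpeercert() does not expose.

```python
import socket
import ssl

# Subject fields a CA adds only after extended vetting. Names are those
# reported by ssl.getpeercert(); older OpenSSL builds print the jurisdiction
# country as a dotted OID, so both spellings are accepted.
EV_MARKERS = {"businessCategory", "jurisdictionCountryName",
              "1.3.6.1.4.1.311.60.2.1.3"}


def fetch_cert(host, port=443, timeout=5):
    """Return the verified peer certificate of host as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def subject_fields(cert):
    """Flatten the nested subject tuples into {field_name: value}."""
    return {name: value
            for rdn in cert.get("subject", ())
            for name, value in rdn}


def validation_level(cert):
    """Heuristic: classify by the identity fields the CA put in the subject."""
    fields = subject_fields(cert)
    has_org = "organizationName" in fields
    if has_org and "serialNumber" in fields and EV_MARKERS.intersection(fields):
        return "EV"
    if has_org:
        return "OV"
    # Only control of the domain was checked: ACME-issued and
    # email-validated certificates both land here.
    return "DV"


# Constructed sample subjects in getpeercert() layout (not real certificates).
SAMPLE_DV = {"subject": ((("commonName", "shop.example.com"),),)}
SAMPLE_OV = {"subject": ((("countryName", "GB"),),
                         (("organizationName", "Example Ltd"),),
                         (("commonName", "shop.example.com"),))}
SAMPLE_EV = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "GB"),),
                         (("serialNumber", "01234567"),),
                         (("countryName", "GB"),),
                         (("organizationName", "Example Ltd"),),
                         (("commonName", "shop.example.com"),))}

if __name__ == "__main__":
    for cert in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        org = subject_fields(cert).get("organizationName", "(no organisation)")
        print(validation_level(cert), org)
```

Passing the result of fetch_cert("your-site.example") to validation_level() applies the same check to a live site.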

Sadly, people have not recognised this and, as no way has been proposed to correct it, the browsers, which are responsible for showing you the difference, are moving the only identifiers to a location very few people ever look at.

Displaying the extra security that the EV certificates provide is not in line with Chrome’s goal of security by default, which shows those who are not secure in a bad light rather than promoting those who make things extra secure. There is still a use case for the OV and DV certificates, but the EV certificates will probably be phased out as there is little benefit to them above an OV certificate.

Only time will tell. For the moment, though, you can get any of these certificates in our store, and the ACME certificates are available on all new hosting accounts as well.

Stay Safe.

CritchCorp Computers Support


Microsoft admits Outlook.com hacked

Microsoft Outlook.com hacked

Microsoft has admitted that its Outlook.com platform was hacked. Users of its email system are affected. That includes Outlook.com, MSN and Hotmail email accounts.

A support agent had their credentials compromised by hackers. The hackers had full access to Outlook.com, which also hosts the MSN and Hotmail email accounts. Microsoft will not admit how many users are affected, but says that it has contacted affected users and, as a precaution, made them all change their passwords, although it says that no user credentials have been compromised.


Claims that it has been going on for longer

Microsoft dismissed claims that the breach had been going on for around 6 months and stated that it had only been between January 1st and March 28th 2019. They also claim that only around 6% of the total affected users had been fully breached. Certainly the hackers had full access to the email and attachments of those affected.

The Managing Director and a Security Expert at CritchCorp Computers Ltd stated:

It seems unlikely that they had different levels of access to users’ email accounts and more likely that they had full access to all the accounts. However, as Microsoft will not elaborate on the breach, it is difficult to say.

Screenshots of the breach were provided to Microsoft, which prompted them to admit that the hack had happened; further screenshots prompted them to admit to the extent of the hack.

What they may have done

You may well have noticed more phishing emails during this time and indeed in the future. These emails may come from someone you know and use your name in them. They may well urge you to click a link which will inevitably ask you for money in some way, or infect you with a virus that will steal credentials to banking sites or other high value websites.

You should always be vigilant when receiving email, and even more so when it comes from a free email account such as Hotmail or Outlook.com, but now you will need to be extra vigilant.

There is also a suggestion that they may have used the breach to reset stolen iPhones. Apple has started to tie iPhones to the email address. Therefore only the email address holder can reset the phone to factory default.

What to do if you use Outlook.com

If you know of any Outlook.com users then you should urge them to immediately check their email for a message from Microsoft. In any case, they should perhaps change their password and/or email service provider. We recommend SecuredMail.App, BasicMail or our Cloud Mail accounts as an alternative to any free or paid-for email service. All are available from our store and can replace Outlook.com, Gmail, Yahoo Mail and iCloud mail.

Keep Safe

CritchCorp Computers Ltd

How to find out if your website contains malware

How to find out your website is infected

Does Your Website Contain Malware? How can you find out?

When was the last time you checked your website for malware? Maybe you have a valid reason (business is booming or the website is undergoing changes) for not doing so, but this could prove extremely dangerous. It is therefore extremely important to check your website for malware from time to time. In this blog, we list some guidelines about how to check for website malware infections and how to protect your websites.

Reactive Ways of Discovering your Website was Hacked

  • Your Website Visitors Are Being Warned By Google Chrome:

    Your users will eventually start complaining about not being able to reach your website and that Google Chrome is blocking it using a message which reads ‘Phishing attack ahead’. If this is the case, it’s a clear sign that your website has been hacked. It’s time you did something about it.

  • Your Hosting Provider Takes Your Site Offline:

    This happens when visitors approach your website hosting provider and lodge complaints with them instead of choosing to approach you. When this happens, your website hosting provider has little choice but to remove your infected website before the infection spreads to the visitors.

Proactive Ways of Protecting Against Hackers

  • Using Website Malware Scanner:

    If you’re someone who thinks along the lines of ‘let me find out whether my website is vulnerable or not and then safeguard it’ (which is very wrong thinking, by the way), then there are plenty of free online website malware scanners (like our very own Web Inspector) which can prove useful to you. All you have to do is give your website’s URL and you’ll know within minutes whether your website is vulnerable or not.

  • Using Website Security Application:

    This is probably the best way of offering 24/7 protection to your website. As the name suggests, website security applications are website protection tools which protect your websites from various security attacks like DDoS, Brute-Force, SQL Injection etc., through constant monitoring and by employing various website malware detection and prevention techniques.

Conclusion:

Speaking in non-technical terms, malware typically hides within the website’s code, which is where website malware scanners find or detect it. A website security application, by contrast, does not stop at identification or detection: it gets to the root of the issue and removes the malware from the website. That’s the big difference between these website security or protection tools.

Now, proactive monitoring is important when it comes to website protection. Because, well, prevention is always better than cure. Therefore subscribe to the services of a website security application like Comodo cWatch and make sure your website stays safe against various security threats.

Comodo cWatch is available from CritchCorp Computers Ltd with all our hosting plans and you can get even more protection by upgrading to include the CDN and WAF. See the different options on the cWatch Page.

Check Your Website Security Before It’s Too Late!

You’ve probably tried to visit a website before, only to find that your browser has blocked the site because one or more of its webpages contains malware. But how about the website owners? Do they realize that their site is infected? Shouldn’t they have noticed before your browser did? The answer is “yes.” Follow these steps to make sure your site is secured:

Check Out Google

There’s a way to confirm your suspicion that your website has malware or other issues. Google has a website for diagnosing unsecured websites: http://www.google.com/safebrowsing/diagnostic?site=[SITE NAME]. Remember to change [SITE NAME] to your site address. You’ll see a quick report on your website’s condition there, though Google won’t show you what kind of malware attacked you.

Stronger Password Combinations

When Google gives you a report and it has malware on it, you need to change all of your passwords. Use a stronger password combination this time. Avoid reusing passwords for different accounts.

The Hidden Danger

Even new hackers will use a certain attribute to display malicious links. The display=none attribute will prevent visitors and site owners from finding the intruder links. Nobody searches for how to eradicate malware until they have undeniable evidence. The average person might not notice malicious links right away, but search engine bots can. You can be deranked from search engines like Google if such links are found. It is easy to find the unwanted links, but you need to look very carefully for them. Here is what you should do:

  • Open your source code on a web browser. (Most browsers let you go to the Page Source under the View menu.)
  • Check for the and tags for strange links.
  • Look for links next to the “display=none” attribute.

If you know your code, then you will quickly identify the links that should not be there. If this is the first time you are looking at it, the malicious code will usually lead to porn or gambling websites. You can check the links you found or if they are obvious, just block them.
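An added example (not part of the original post): one way to automate the check above is to parse the page source and report every link that sits inside an element hidden with the CSS declaration display:none, which is how the “display=none” hiding described here appears in markup. The class and function names, the extra visibility:hidden and hidden-attribute checks, and the sample page are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide an element from visitors but not from crawlers.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Elements that never have a closing tag, so they must not go on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # (tag, hidden_by_own_attributes) per open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        hidden_here = ("hidden" in attr or
                       bool(HIDDEN_STYLE.search(attr.get("style") or "")))
        # A link is hidden if it, or any element it is nested in, is hidden.
        hidden = hidden_here or any(h for _, h in self.stack)
        href = attr.get("href")
        if tag == "a" and href and hidden:
            host = (urlparse(href).hostname or "").lower()
            external = (bool(host) and host != self.site_host
                        and not host.endswith("." + self.site_host))
            self.findings.append({"line": self.getpos()[0], "href": href,
                                  "external": external})
        if tag not in VOID:
            self.stack.append((tag, hidden_here))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html, site_host):
    """Return hidden links; 'external' marks hosts outside site_host."""
    finder = HiddenLinkFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page for a site hosted at example.com.
SAMPLE_PAGE = """<html><body>
<p>Welcome to <a href="/about">our shop</a></p>
<div style="display: none">
  <a href="http://casino.example.net/win">best odds</a>
  <a href="/sitemap">sitemap</a>
</div>
<a href="https://pills.example.org/" style="DISPLAY:NONE">cheap</a>
<span hidden><a href="https://www.example.com/help">help</a></span>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_links(SAMPLE_PAGE, "example.com"):
        print(hit)
```

Hidden links flagged as external are the ones to review first. Links hidden through a stylesheet class rather than an inline style are not caught by this check.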

These steps will lessen or protect you from new attacks. Yet there might be security holes left on your website. Check that you have the most recent updates, and look again in a couple of days to see if your code is free of unwanted links. Allot another week for check-ups before you can finally say it’s a closed case.

Further Measures to Take

Having additional software to protect your website can give you immense benefits. Not only can it avoid damage, it also lessens the stress of website security. To secure all of your digital assets, you can use Comodo cWatch.

Comodo cWatch is a Managed Security Service for websites and applications that combines a Web Application Firewall (WAF) provisioned over a Secure Content Delivery Network (CDN). It is a fully managed solution from a 24/7 staffed Cyber Security Operation Center (CSOC) of certified security analysts and is powered by a Security Information and Event Management (SIEM) center that leverages data from over 85 million endpoints to detect and mitigate threats before they occur. Its other features are Security Monitoring, Web Application Firewall, Malware Removal, and PCI Scanning.

WordPress Flaw found in Social Media plugin

Simple Social Buttons plugin flaw found that can take over your site.

URGENT – If you use the plugin ‘Simple Social Buttons’ in your WordPress installation, you should immediately update it to the latest version, as a serious flaw has been found in it that could allow an attacker to take over the site. The flaw was discovered last week by security researcher and developer Luka Šikić, and a video showing how to use it to break into WordPress websites has been released.

The flaw has been fixed by the developer and a patch released. So if you haven’t already then you should update now.

The flaw can only be leveraged on sites that allow user sign-up, which most sites have disabled for security reasons. Nevertheless, you should update before they figure out how to exploit the flaw without user sign-up requirements.

Any of our customers who have website maintenance contracts will have already been updated to the latest security patch. If you are not sure then you should contact your web development team and/or your host to see if they can help.

If you are really stuck then we may be able to help. Please submit a support ticket with your website URL and contact information. Do NOT post your username and password in the ticket; we will contact you separately for the information if needed.

If you use the Simple Social Buttons plugin for WordPress then make sure you update your site to correct the security flaw immediately.

Stay Safe

CritchCorp Computers Ltd.

Update to Apple FaceTime Flaw

Apple has fixed its flaw in the FaceTime program. It is safe to turn on again, after updating your device.

Apple has finally fixed the FaceTime flaw we reported on the week before last. They issued a patch (12.1.4) for iPhones (5S+), iPad Air+ and iPod Touch 6th gen+ on Friday, after initially disabling the group chat on the server side. They fixed the server side early last week but still needed to patch the software on the phones, iPads and iPods. This has now been done.

If you disabled FaceTime on your devices, as was advised, then after you install the latest update for your device, it is safe to turn it on again.

The issue was discovered by a 14 year old boy, who was thanked by Apple in their statement, which is here:

We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.

We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.

Don’t forget to install the update first before switching it back on.

Stay Safe.

CritchCorp Computers Ltd.

New browser extension checks leaks

Firefox and Google Chrome extension checks for hacked accounts

Firefox released a browser extension in November 2018 which connects to the HaveIBeenPwned.com site to check if the site you are on has been involved in a breach of usernames and passwords. If you have never seen an alert of this sort, it will notify you of any site that has been breached in the previous twelve months; after that it will only alert you to sites that have been breached in the last two months. This is so as not to overburden you, the user, with too many alerts, and not to be unfair to sites that have made provisions to protect user data since a breach.

Google has now released its own extension for Chrome that actually goes a bit further. Using their own copy of the database of breached usernames (email addresses) and passwords, they will check every time you enter a username and password to see if the combination has been seen in a breach at all, and inform the user if it is found.

Both companies are trying to inform users and not overburden them with warnings. The biggest issue is that people re-use passwords over and over again on different sites. Hackers are now taking these lists of usernames and passwords and trying them on other sites to try to gain access to user accounts. You can of course go to the Have I Been Pwned site yourself and check to see if your username or password exists there but we would recommend that everyone get a secure password manager, such as ConnectID, our own password manager which comes free with all our Cloud accounts. It will keep your usernames and passwords stored away and even log you straight in to the site when you arrive so you don’t have to remember your usernames and passwords, which means that you can use more complex passwords and keep your data and account safer.

Stay Safe

CritchCorp Computers Ltd

Gmail and Yahoo Mail 2FA thwarted by Iranian phishers

SMS 2FA used by Google and Yahoo by-passed

A phishing gang in Iran has managed to bypass the two-factor authentication (2FA) that Gmail and Yahoo Mail users use to secure their accounts.

2FA helps users to protect their accounts by adding an extra layer of security: you use your username and password and then something extra, like a single-use password which is delivered via an SMS message.

In this case the gang were able to get the user to go to a fake website that looked exactly like the user’s Gmail or Yahoo Mail login page. Once the user had entered their details into the fake site, the gang took those details and entered them into the real site, and the fake site then asked for the code which had just been sent to the user’s mobile phone. Once the user entered this into the fake site, the gang were able to take the code, enter it into the real site and gain access to the user’s email account.

The attackers, working on behalf of the Iranian government, sent out emails targeting US Government officials, activists and journalists, specifically those involved in the US sanctions against Iran. First they found as much information about each victim and then crafted specially targeted emails at each of them. The emails had a secret hidden picture in them which notified the gang in real-time when the user was viewing the email so they could carry out the attack while the user was trying to login.

The attack was also notable for other reasons: it used email addresses such as notifications.mailservices@gmail.com and noreply.customermails@gmail.com to make the messages look like official emails from Google.

We would urge all users of any service to ensure that they check very carefully the links in emails and if possible not to use links in emails at all. Keep yourself up-to-date with security issues by opening an account and signing up for our Security Alerts, Newsletters and Promotional emails.

Keep Safe

CritchCorp Computers Ltd