web analytics

Network Solutions malcode widget first discovered by VeriSign Trust Seal web site malware scanning

Nov 28

Network Solutions malcode widget first discovered by VeriSign Trust Seal web site malware scanning

There’s a lot in the news right now about the malware distributed from what may be as many as 5,000,000 parked Network Solutions pages. In addition to the earlier article, here’s a nice summary from Brian Krebs, and here’s one from Elinor Mills of CNET.

The story originally broke from VeriSign Trust Services partner Armorize in a detailed two-part blog (part two here) with a subsequent, also detailed, follow up. In the second Armorize blog post, the team writes,

A few days ago, in response to questions by one of our largest customers, we analyzed a widget by Network Solutions

I happen to know that the large customer in question was the VeriSign Trust Services division of Symantec, and the original source of the discovery was the daily scan for web site malware distribution that we include with our VeriSign Trust Seal.

Since February we have offered web site malware scanning with the standalone version of the VeriSign Trust Seal, and we’re in the process of rolling this same functionality out to 100% of the VeriSign-branded SSL customer base. SSL customers who have activated the service receive a daily scan of their web sites, seeking malware distribution, at no additional charge. One of these daily scans identified a malware hit on a VeriSign SSL customer’s site. Since we notify the site operator when these incidents occur – complete with identification of the specific page, line of code, and text string in which the malware distribution occurs – the problem almost always is fixed the same day. This particular page hit again for malware the next day and then the day after that, unusual enough that our team started to investigate. As part of that investigation we pulled in Armorize, and the rest is history.

This indicent illustrates a few salient points.

Web site malware distribution is a scourge on online safety today. As Armorize writes about this attack in its follow up, “We strongly believe that the number of potentially impacted users is high.”
Daily scans are an indispensible part of fighting this problem. Armorize reports that this attack has been live since May. It was not until VeriSign started for roll out widespread malware scanning that anybody discovered it.
You can’t count on the fact that other parties will discover these attacks. Network Solutions now agrees that the widget in question was a distributor of malware and has pulled it down. But what happened during the three months prior to that?
Businesses need to choose to monitor and manage their own security and not to assume that a hoster or other service provider is getting it right for them. This indicent is not the first of its kind. Just a few months ago we saw a similar malware problem with a number of hosting providers, including Go Daddy. It’s clear that businesses can’t rely on hosters to manage this problem by themselves. Fortunately, there are solutions like the VeriSign Trust Seal that can make monitoring for malware distribution automatic, simple and affordable and can ease remediation to an attack considerably.

View the original article here

Read More

Code signing and Windows Phone 7

Nov 28

Tim Callan’s SSL Blog – Online Security Tim Callan’s SSL Blog: Code signing and Windows Phone 7 Tim Callan’s SSL Blog Demystifying the Web’s Secure Backbone « Certificate revoked in Acrobat malware attack | Main | New video: Tim Callan shows heat maps of VeriSign seals in search results »

Code signing and Windows Phone 7

On September 16 Microsoft will grant software developers access to the Windows Phone 7 application platform developer tools, freeing them to develop for the Windows Phone 7 Marketplace. Windows Phone 7 is scheduled for launch in the upcoming holiday season.

That’s good news for developers, who will have a direct channel to sell their applications to Windows Phone users, in a time when mobile application downloads are rising meteorically and the mobile computing ecosystem is on a massive growth spurt. To wit,

Smartphone users downloaded roughly 2.4 billion applications from app stores in 2009 and are estimated to download more than 6 billion in 2010.
The mobile application market is pacing for $10 billion in revenue this year and possibly $25 billion by 2014.
The top thousand iPad applications earn roughly $372,000 per day, about $136 million a year in US sales.

An indispensible part of this success is the security component known as code signing. Code signing enables secure application transfer over mobile networks and make this whole ecosystem viable. Microsoft requires all applications to be signed before they appear in the Windows Phone Marketplace. VeriSign- and Thawte-branded code signing certificates meet this requirement.

View the original article here

Read More

e-Hallow's Eve: The day more shoppers haunt the Internet for Halloween bargains

Nov 28

Tim Callan’s SSL Blog – Online Security Tim Callan’s SSL Blog: e-Hallow’s Eve: The day more shoppers haunt the Internet for Halloween bargains Tim Callan’s SSL Blog Demystifying the Web’s Secure Backbone « GeoTrust leads the pack again | Main | VeriSign Trust Seal Dollar Day is tomorrow »

e-Hallow’s Eve: The day more shoppers haunt the Internet for Halloween bargains

We all know Cyber Monday as the busiest online shopping day of the holiday season. As the first business day that follows Black Friday, Cyber Monday is the starting pistol for e-retailers’ most crucial time of the year.

But what about the day in October when the most online transactions take place in time for Halloween? After all, 25 percent of consumers spend more on Halloween than on any other non-gift giving holiday. Shouldn’t that day be called out for its contributions to a holiday in which consumers spend an estimated $5.8 billion?

Well, we think so, and we’ve got just the name for it: e-Hallow’s Eve. And this year, e-Hallow’s Eve, the busiest shopping day of the Halloween season, fell on Oct. 25. On that day, Symantec’s VeriSign seal was viewed on web sites 250 million times by consumers. That’s equal to the highwater mark we recorded on last year’s Cyber Monday.

Will 11th hour shipping deadlines decide when e-Hallow’s Eve will fall next year? We’ll just have to keep an eye on VeriSign seal views to figure it out.

But since consumer behaviors tend to reappear year after year, I’d say there’s more than a ghost of a chance.

View the original article here

Read More

VeriSign Customers Honored by Computerworld

Nov 28

Online Identity and Trust: VeriSign Customers Honored by Computerworld Online Identity and Trust « Cloud-based Authentication Matters Here | Main | Qualys provides VIP Protection to its customers »

VeriSign Customers Honored by Computerworld

be412fec1398f6848b66ff82fb034031_2011_website.jpg
Congratulations to Addison Avenue Federal Credit Union and the U.S. District Court in the District of Columbia, both of which were designated as Laureates by the Computerworld Honors Program. In addition to this honor, Addison Avenue Federal Credit Union was also named as a finalist for the Computerworld 21st Century Achievement Award, an award that honors and documents the extraordinary innovations of individuals and organizations that are leading the global IT revolution.

Addison Avenue Federal Credit Union
Addison Avenue offers its customers the VeriSign Identity Protection (VIP) Authentication Service, a cloud-based, strong authentication service that delivers an additional layer of protection beyond simple username and password. Addison Avenue was the first federal credit union in the U.S. to offer VIP Authentication to help its customers protect their account access and information against fraud or theft. The Addison Avenue case study can be found at this link.

Magistrate Judge for the U.S. District Court
On Sept. 26, 2009, the Honorable John M. Facciola, Magistrate Judge for the U.S. District Court in the District of Columbia, issued the first digitally signed judicial order in U.S. history, which was built on VeriSign’s Managed Public Key Infrastructure (PKI) Services

View the original article here

Read More

Qualys provides VIP Protection to its customers

Nov 28

Online Identity and Trust: Qualys provides VIP Protection to its customers Online Identity and Trust « VeriSign Customers Honored by Computerworld | Main | Some additional “Social Security” »

Qualys provides VIP Protection to its customers

Qualys logo 3.jpg

At this week’s RSA Conference in Europe, Qualys announced that it will now offer its customers strong authentication protection with our VIP Authentication Service. VIP will provide users of QualysGuard® a safer and more secure way to access and manage their accounts.

Qualys is the latest VIP customer to implement our leading cloud-based authentication service that allows enterprises to secure online access and transactions to obtain compliance and reduce fraud risk. As with VIP, QualysGuard is a SaaS service that requires no on-premises hardware to purchase and deploy. Both companies are continually striving to make the adoption of cloud computing safer and easier for organizations of all sizes.

To download a FREE VIP mobile credential for your Android®, iPhone®, Windows Mobile®, BlackBerry® handsets or most of the devices using the Java 2 Micro Edition (J2ME) and BREW platforms, click here for more details.

Posted by VIP Team on October 15, 2010 9:40 AM | Permalink

Post a comment (If you haven’t left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won’t appear on the entry. Thanks for waiting.)

View the original article here

Read More