SSL.com

Cybersecurity Roundup August 2023

internet-browser-safety-checks

Google Chrome Introduces Safety Checks for Browser Extensions 

Google Chrome is implementing a new feature to enhance user security by warning them about potentially malicious browser extensions. The feature will alert users if an installed extension has been removed from the Chrome Web Store, which is often a sign that the extension is malware. These malicious extensions, usually produced by scam companies and threat actors, can inject ads, track user data, or even steal personal information. Despite Google’s efforts to remove such extensions from the Web Store, they remain active in the user’s browser unless manually uninstalled. The new safety check feature will be available in Chrome 117 but can be tested now in Chrome 116 by enabling the ‘Extensions Module in Safety Check’ feature. Once enabled, users will see a new option under ‘Privacy and security’ settings that prompts them to review and uninstall any extensions removed from the Chrome Web Store for violating extension policies. 
SSL.com’s Takeaway: The new feature is a significant step towards enhancing browser security, but it also highlights the ongoing struggle against malicious extensions. These extensions are produced rapidly, often reappearing under new names after removal. While Google’s new feature will help users identify malicious extensions, it’s a reactive measure that kicks in after the extension has already been installed and potentially done damage.

Users should proactively vet extensions before installing them by checking reviews, developer reputation, and permissions required. Employing additional security software that scans for browser vulnerabilities can also add an extra layer of protection.

UK Government’s Voter Registration Website Causes Confusion, Raises Security Concerns 

The UK government’s domain choice for its voter registration website, HouseholdResponse.com, has been confusing residents, leading many to suspect it’s a scam. Failure to update voter details on this site can result in a fine of up to £1,000. The website is part of the annual canvassing process to update the electoral register and is maintained by a private company, Civica Election Services (CES). The non-government domain has sparked concerns about its authenticity and the potential for scammers to exploit this confusion by creating phishing sites. London-based software developer Pranay Manocha expressed dissatisfaction with the use of HouseholdResponse.com for electoral registration and confirmation, highlighting the need for a trustworthy .gov website. 
SSL.com’s Takeaway: Using a non-government domain for such a critical civic duty can be very problematic where phishing and online scams are rampant. The confusion undermines trust in the electoral process and presents a ripe opportunity for cybercriminals to exploit the situation. The issue is exacerbated by a time-sensitive requirement to respond that imposes penalties. Scammers and cybercriminals can leverage this sense of urgency in their malicious messaging.

The UK government should consider migrating the service to a .gov.uk domain to eliminate confusion and enhance trust. 

Aside from migrating to a .gov.uk domain, implementing an Extended Validation (EV) SSL certificate on the UK government’s voter registration website can significantly alleviate the concerns raised. The main issue at hand is the confusion and suspicion surrounding the site’s authenticity, which makes it susceptible to phishing attacks. When a user clicks the lock icon on an internet browser’s address bar, an Extended Validation (EV) SSL certificate, with its rigorous verification process, would display the validated name of the organization which owns the website, assuring users of the site’s legitimacy. This would serve as a powerful deterrent against scammers attempting to exploit the confusion by creating fraudulent versions of the website. 

Secure Your Website with Confidence! Get Your SSL.com Enterprise EV SSL Certificate Now for Unrivaled Trust and Protection!

Try out SSL.com Enterprise EV SSL Certificate!

Data Breach at Dutch Land Registry Exposes Millions of Home Addresses 

A security breach at the Dutch land registry, Kadaster, has exposed the addresses of every homeowner in the Netherlands. The breach was discovered by RTL Nieuws, prompting the privacy watchdog AP to call for immediate action. Kadaster’s website offers a search facility intended for real estate professionals, allowing them to find property owners and their addresses. However, the investigation revealed that the service was easily exploitable, as it did not vet applications rigorously. Screenshots from Telegram chats showed individuals offering to search the registry for a fee. The breach poses significant risks, making it easy for criminals, stalkers, and blackmailers to obtain personal addresses. 
SSL.com’s Takeaway: The breach at Kadaster is a glaring example of how poor cybersecurity measures can have far-reaching implications. Not only does it expose citizens to potential criminal activities, but it also puts vulnerable groups like journalists, activists, and politicians at risk. The fact that the service was intended for professionals but was easily exploitable shows a lack of foresight in security design. This is not an isolated incident; similar vulnerabilities have been exploited in other governmental databases, leading to real-world consequences like the murder of a lawyer who was defending a key witness. 

Immediate steps should be taken to rigorously vet the credentials of those applying for professional accounts. Multi-factor authentication and periodic security audits can further strengthen the system. Public awareness campaigns should also be launched to educate citizens on protecting themselves after such breaches. 

A client authentication certificate could also significantly mitigate the security issue at the Dutch land registry. This certificate would enhance security by requiring individuals, including real estate professionals, to not only provide their regular login credentials but also present a valid client certificate issued by a trusted certificate authority.  

This certificate would be granted only after a rigorous identity verification process, ensuring that the person requesting access is genuinely who they claim to be. By adding this layer of authentication, Kadaster could implement stricter access controls, limiting access to only those with valid certificates.

Arm your agency against data breaches with SSL.com Client Authentication certificates!

Try SSL.com Client Authentication Certificates!

 

Airbnb Accounts Targeted for Fraud on the Dark Web 

Airbnb has become a hot target for cybercriminals, with thousands of accounts sold on underground cybercrime stores for as low as one dollar, according to an investigation by researchers at SlashNext. Cybercriminals gain unauthorized access to these accounts through phishing, stealer malware, and stolen cookies. Once they have access, they can book properties or perform other unauthorized actions without raising alerts. The Dark Web offers “account checkers,” automated programs that rapidly test Airbnb accounts, and discounted vacation services. The researchers noted that these services are profitable, as indicated by the many views and replies on forum threads advertising them. 
SSL.com’s Takeaway: The targeting of Airbnb accounts is a concerning development in cybercrime. With over 7 million global listings in 100,000 active cities, Airbnb presents a lucrative opportunity for hackers. The breach jeopardizes hosts’ and guests’ financial and personal information and poses property risks. The use of “account checkers” and the sale of discounted services indicate a mature, organized cybercrime ecosystem that is capitalizing on vulnerabilities in Airbnb’s security measures. 

Airbnb must ramp up its security protocols, possibly incorporating multi-factor authentication and rigorous monitoring of suspicious activities. Users should be educated about the risks, advised to change their passwords regularly, and remain cautious of phishing attempts.

Public Key Infrastructure (PKI) can also play a role in addressing the security issues faced by Airbnb and its users. PKI is a framework that uses digital certificates, public and private keys, and certificate authorities to ensure secure communication and identity verification. Here’s how PKI can help in this context: 

  • SSL/TLS Certificates: Airbnb should use SSL/TLS certificates to encrypt communication between users’ devices and their servers. This would protect users’ login credentials and data during transmission, making it more difficult for attackers to intercept sensitive information. 
  • Email Signing and Encryption: Airbnb can use PKI-based email signing and encryption to ensure that communication sent to users is authentic and secure. This helps in mitigating phishing attacks where attackers impersonate Airbnb via email. 
  • Digital Identity Verification: Airbnb could implement a digital identity verification system using PKI. Users would need to undergo a robust identity verification process to create and access their accounts. This could deter cybercriminals from creating fake accounts. 
  • Certificate-Based Access Control: Airbnb can employ client authentication certificates for access control, allowing only administrators to access critical systems . This would make it extremely difficult for attackers to gain unauthorized access even if they have stolen login credentials.

Elevate your security, build trust, and empower your business with SSL.com’s cutting-edge digital certificates!

Explore SSL.com’s PKI-based digital certificates

SSL.com Announcements

Automate Validation and Issuance of Email Signing and Encryption Certificates for Employees 

Bulk enrollment is now available for Personal ID+Organization S/MIME Certificates (also known as IV+OV S/MIME), and NAESB Certificates through the SSL.com Bulk Order Tool. Bulk enrollment of Personal ID+Organization S/MIME and NAESB Certificates has the additional requirement of an Enterprise PKI (EPKI)  Agreement. An EPKI Agreement allows a single authorized representative of an organization to order, validate, issue, and revoke a high volume of these two types of certificates for other members, thereby enabling a faster turnaround in securing an organization’s data and communication systems.    

New Key Storage Requirements for Code Signing Certificates 

As of June 1, 2023, SSL.com’s Organization Validation (OV) and Individual Validation (IV) Code Signing Certificates must be issued either on Federal Information Processing Standard 140-2 (FIPS 140-2) USB tokens or used with our eSigner cloud code signing service. This change is in compliance with the Certificate Authority/Browser (CA/B) Forum’s new key storage requirements to increase security for code signing keys. The previous rule allowed OV and IV code signing certificates to be issued as downloadable files. Since the new requirements only allow the use of encrypted USB tokens or other FIPS-compliant hardware appliances to store the certificate and private key, it is expected that instances of code signing keys being stolen and misused by malicious actors will be greatly reduced. Click this link to learn more about the SSL.com eSigner cloud code signing solution.
Exit mobile version