In 2017, the Belgian Cost of Cybercrime project (KUL) published the results of an enlightening study that aimed to measure the impact of cybercrime, and more broadly of cyber attacks, on Belgian businesses.
Two results of this paper stand out. First, most businesses have been hit by one form or another of cyberattack, some even more than once a year. So the likelihood of being hit is quite high.
Second, the average cost per incident is relatively low, most of them below 500€, although in some cases it was above 10.000€. It surely depends on the kind of business you are in and on the size of your company. This means SMEs shouldn’t have to spend a fortune on protection measures.
Recently, DHS (US Department of Homeland Security) announced that it is developing, with private partners, a solution to mitigate Telephony Denial of Service (TDOS) attacks against emergency numbers and other critical phone numbers.
Over the past few years, TDOS attacks seem to have flourished in the US. They are often used to extort a ransom from the owner of the targeted number.
If you have already made a Business Impact Analysis of your telephony system, you probably know how much one day of downtime might cost you. You probably have some solutions in place, but do they protect you against a TDOS?
Don’t forget to add TDOS to your list of threats if it is relevant for your business.
The SSL certificates issued by the Israel-based Certificate Authority StartSSL (https://www.startssl.com/) have been blocked by Google Chrome and Mozilla Firefox since March 2017. Behind what could be just a technical issue, there are some disturbing facts:
First, the reason why Google and Mozilla decided to progressively block StartSSL (and more importantly WoSign) is the issuance by WoSign, a Chinese Certificate Authority, of multiple SSL certificates for domains for which it had received no mandate and had not validated that the requester owned the domain. The first case reported to Google was GitHub, the famous source code repository. As WoSign had “secretly” bought StartSSL and integrated its infrastructure into its own, StartSSL was “sentenced” to the same distrust by most browsers as its parent company.
Since browsers do not use DNS CAA records to check whether the Certificate Authority that issued an SSL certificate for a domain is the authorised one, this could have allowed someone to impersonate GitHub, or at least to lure some users to a fake GitHub site (in any case, GitHub had not set its CAA record). Such behaviour is unacceptable for any certificate issuer, as trust is the cornerstone of the entire SSL certificate paradigm. Google and Mozilla’s reaction therefore seems proportionate. However, you can imagine the impact of such a sentence: for any CA, being withdrawn from the list of trusted certificates of the two main browsers is akin to a death penalty.
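CAA is an issuance-time control: the CA, not the browser, is expected to look the record up before signing, and a CA that skipped that check is exactly the failure described above. As an added example that is not part of the original post, here is a simplified RFC 8659 authorization check over a constructed zone; the CA names (Trusted-CA.example) and the locked.example / strict.example zones are placeholders, and wildcard (issuewild) handling is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) marks the property as issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. 'ca.example; account=42'; ';' or '' means no issuer

# Constructed zone data for illustration. Only github.com publishes CAA here;
# api.github.com inherits it through the parent walk below.
ZONE = {
    "github.com": [
        CAARecord(0, "issue", "Trusted-CA.example; account=42"),
        CAARecord(0, "iodef", "mailto:security@github.com"),
    ],
    "locked.example": [CAARecord(0, "issue", ";")],        # forbids every CA
    "strict.example": [CAARecord(128, "futuretag", "x")],  # critical, unknown
}

def parent(name: str) -> "str | None":
    """Drop the leftmost label; None once the top-level label is reached."""
    _, sep, rest = name.partition(".")
    return rest if sep else None

def relevant_rrset(name: str) -> "list[CAARecord]":
    """RFC 8659 s.3: first non-empty CAA RRset walking from name to its parents."""
    node: "str | None" = name.lower().rstrip(".")
    while node is not None:
        if ZONE.get(node):
            return ZONE[node]
        node = parent(node)
    return []

def issuer_domain(value: str) -> str:
    """'ca.example; account=42' -> 'ca.example'; ';' or '' -> '' (no issuer)."""
    return value.split(";", 1)[0].strip().lower()

def issuance_permitted(name: str, issuer: str) -> bool:
    """Would a CA identified by `issuer` be authorised to issue for `name`?
    Wildcard names (issuewild) are not modelled in this example."""
    rrset = relevant_rrset(name)
    known = {"issue", "issuewild", "iodef"}
    # A critical property this CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    if not issue:  # no CAA anywhere, or only iodef: any CA may issue
        return True
    return issuer.lower() in {issuer_domain(r.value) for r in issue}
```

With no CAA record published, as was GitHub's situation at the time, the last branch lets any CA issue; that is why the record matters even though browsers never consult it.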
The second disturbing fact is that StartSSL failed (or decided not) to properly inform its customers. Worse, it continues to sell its Class 1 certificates even though they are basically useless. That’s not the kind of commercial decision that will help restore trust in the Israeli company, even if WoSign has defined a remediation plan aiming at giving more autonomy to StartSSL (see below).
Customers who had paid for Enterprise Validation have lost their money and are now left with certificates that browsers block. The only cheap and rapid solution to restore access to their website (while keeping SSL/TLS active) is likely to use Let’s Encrypt free certificates.
I don’t know what the future holds, but I wouldn’t recommend StartSSL to anyone anymore, and I doubt any security-aware person would. That’s not a good indicator for a bright future.