Google makes HTTPS encryption mandatory for its 45 new TLDs : .dev / .app / .how…

Google makes HTTPS encryption mandatory for its 45 new TLDs - HSTS
Source : Sean MacEntee via flickr

In a recent article in this blog, we mentioned the arrival of Chrome 68 in July 2018 and the fact that HTTP will be considered “not secure” from then on. Well, this is not the only weapon that Google is planning to use to encourage large-scale adoption of encrypted websites.

You may not be aware, but Google has submitted a number of applications to ICANN as part of the new TLD program, and as a registry, they have secured the management of 45 top-level domains*. Just as the .bank and .insurance extensions have very strict security rules, Google has announced that they will apply HSTS implementation and pre-loading to their new TLDs therefore making HTTPS implementation mandatory.

What is HSTS?

HTTPS Strict Transport Security (HSTS) is a way in which browsers automatically enforce HTTPS-secured connections instead of unsafe HTTP. For example, if the website http://www.nameshield.net is on the list, a browser will never make insecure connections to the website, it will always be redirected to a URL that uses HTTPS and the site will be added to its list of sites that must always be accessed through HTTPS. From thereon, the browser will always use HTTPS for this site, whatever happens, whether the user has accessed the site via a Favorite, a link or simply by typing HTTP in the address bar, he has nothing more to do.

HSTS was first adopted by Chrome 4 in 2009, and has since been integrated in to all major browsers. The only flaw in the process is that browsers can still reach an unsafe HTTP URL the first time they connect to a site, opening a small window for attackers to intercept and carry out such attacks as Man-in-The-Middle attacks, misappropriation of cookies or the Poodle SSLv3 attack which was very much in the news in 2014.

A fully secured Top-Level Domain

HSTS pre-loading solves all this by pre-loading a list of HSTS domains into the browser itself, eliminating the threat of attacks. Even better, this pre-loading can be applied to entire TLDs, not just domains and subdomains, which means that it becomes automatic for anyone who registers a domain name ending in that TLD.

Adding an entire TLD to the HSTS pre-upload list is also more efficient because it secures all domains under this TLD without having to include all of the domains individually. Since HSTS pre-load lists can take months to update in browsers, TLD setup has the added benefit of making HSTS instant for newer websites that use them.

HTTPS deployment will be obligatory for .app and .dev extensions

Google is therefore planning to make HSTS mandatory for its 45 TLDs in the coming months. What does that mean? Millions of new sites registered under each TLD will now be HTTPS (and domain owners will need to configure their websites to switch to HTTPS or they will not work). In order to use a .dev, .app, .ads, .here, .meme, .ing, .rsvp, .fly … domain name, you will need to acquire an SSL certificate and deploy HTTPS.

Our team is at your disposal for any questions related to TLDs, domain names or SSL certificates.

* Google’s 45 TLDs: .gle .prod .docs .cal .soy .how .chrome .ads .mov .youtube .channel .nexus .goog .boo .dad .drive .hangout .new .eat .app .moto .ing .meme .here .zip .guge .car .foo .day .dev .play .gmail .fly .gbiz .rsvp .android .map .page .google .dclk .search .prof .phd .esq .みんな .谷歌 .グーグル

“Win an airline ticket with a value of 500€” or other online scams attempt

Recently, many frauds campaigns offering free Nike shoes here and IKEA vouchers of 500€ there have been going on. Last case in date, a fraudulent e-mails campaign announcing the winning of airline tickets with a nice value of 500€, graciously offered to the winners of a supposed contest proposed by Air France airline company. This scam has circulated around France and was shared on social networks, by e-mails and even relayed on WhatsApp.

A misleading typography: typosquatting

If we look at the e-mail in question, the link www.airfrạnce.com, inserted in the message, seemed to correspond to the official website address of Air France. Except for one little detail… The “a” of France is not a “a” of Latin alphabet but the “ạ” of Vietnamese alphabet. A single dot close then! Amazing case of typosquatting, a practice misleading web users by replacing, adding or deleting a letter in a domain name with the famous brand. Without enough vigilance, web users while thinking they are on a trusted website, could click on the link and find themselves redirected towards a page totally independent of the official website of the brand. On this page, a form to fill with their precious personal data in order to have a chance to win free tickets in this case. A confirmed scam.

The aim of these phishing and frauds campaigns is to collect as many personal information as possible. In other words, the identity thieves, the source of this kind of online attacks seek to obtain the e-mail, phone number and all interesting data of the tricked Internet user.

It was after the alert by Zataz website was sent, that Air France confirmed that it was indeed a fraud. It also encouraged web users to not consider this kind of message. It is also important to specify that the official website of the airline company is secured and authenticated by an SSL certificate, the browsers displaying the https://www.airfrance.fr

What to do in front of these attacks and how to prevent them

The first reaction to adopt is wariness on the user’s side. The more the offer and the benefit are attractive, the more cautious you should be. Don’t communicate your personal data via a form or by return of mail without checking beforehand the request’s authenticity.

Always check the final URL of the page on which you are redirected, be attentive to the typography. Generally, only the information on site are official. An SSL certificate presence and the proprietary data displaying are also good indicators.

On the brands owners’ side, a naming and defensive registration strategy allows to best protect its users. The efficient monitoring implementation will also allow to detect phishing attempts as soon as possible and to take action early in order to stop them.

Slamming: a scam still too common

Slamming: a scam still too common

The slamming is a fraud aiming to deceive companies in order to sell by emails unsolicited services for domain names.

These slamming attempts are easily recognizable and play on their contacts lack of knowledge in some cases. The slammers propose services that you didn’t solicit with your official registrar (registration, whois’update, owner or registrar transfer…) at high prices. These emails are sources of anxiety and lead you to take a quick decision.

For example, a standard slamming email would encourage you to register domain names in emergency because a third party would have done a domain names’ registration request using exactly your company name or your lead product, identically (as if by chance). They recommend you to register them without delay to prevent any cybersquatting. Obviously, the “fake registrar”, in its great magnanimity has put on standby the domain name registration order for the good of the company…

Warning, the slammer uses visual references and the right technical vocabulary, misleading that way the company. They can also make reference or put the logo of some registries or actors of the Internet environment in order to give credibility to their speech.

What to do if you have any doubts?

Forward your emails to Nameshield, which will confirm you if these mails are fraudulent.

We recommend a management of your domain names centralized and managed by a person informed of the operations associated to domain names. Don’t take any decision in a hurry. You can also make a whois to verify the sender’s identity and the existence of the “registrar” company. You will then notice that most of the domain names used for slamming campaigns have been recently registered and that the companies holding the names are unrelated to the registration office activity.

Be careful, your domain names are intangible assets to protect, secure and value.

Nameshield assists you on a daily basis, in the management of your domain names portfolio, your digital brands protection and the risks management on the web.

PyeongChang Olympic Games: Cyberattack

PyeongChang 2018 Olympic Games: Cyberattack

It’s during the opening ceremony of the PyeongChang Winter Olympic Games that a cyberattack has aimed at the host infrastructure IT department.

Around 45 minutes before the start of the event, the servers and WI-FI network have been hit by an attack, which fortunately has not impacted the ceremony. However, in the Olympic Village, the press zone has been deprived of Internet connection and television. Furthermore, the official website of the PyeongChang 2018 Olympic Games has been unreachable for hours, hindering web users to print their tickets to access to the event. 12 hours were needed to completely restore the services.

The CIO didn’t wish to communicate on this attack origin, but PyeongChang 2018’s spokesperson points that “there was a cyberattack, the server has been updated yesterday (Sunday February 11), and we know the cause of the problem. We know what happened, this is a usual thing during Olympic Games. We will not reveal the source.” The CIO’s communication director, has assured “We refuse for now to reveal the details of our investigation, but we will do it.”

A cyberattack with destructive aim

Talos Security company’s two researchers have analyzed the attack though and observed that the purpose was not to retrieve sensitive or personal data contained on the organization server, but clearly to interfere with the games ‘running.

The virus samples’ analysis allowed to highlight its main purpose: the destructive aspect. Concretely, the effects caused by this cyberattack, were to delete the events of the calendar and the documents, and above all, to make the affected machine inoperable.

PyeongChang Games, victims once again

At a global scale and ensuring a visibility of choice for cybercriminals, this is not the first cyberattack suffered by the PyeongChang Olympic Games. At the end of December 2017, the infrastructure was hit by an attack mainly consisting of the sending of emails to the event organizers. According to the McAfee company, those mails contained Word files infected by a virus.

Russia, North Korea: the different leads considered

The potential attack’s perpetrators could be Russia, of which the delegation has been denied of the Games for doping reasons: before the Games, McAfee declared to have information indicating that hackers located in Russia had planned attacks in retaliation.

A possible North Korean involvement was also mentioned, despite the rapprochement that could be observed by the viewers during the opening ceremony.

An attack that shows, once again, the IT infrastructures ‘vulnerability despite the means implemented.

FIC 2018: Nameshield’s DNS Premium solution labelled France Cybersecurity

FIC 2018: Nameshield’s DNS Premium solution labelled France CybersecurityThese 23 and 24 January, has taken place in Lille, the 10th edition of the International Cybersecurity Forum (FIC). With 7000 participants, 240 partners and 60 represented nationalities, it is a major event in terms of cybersecurity and digital confidence, gathering all the actors in France and in Europe.

On this occasion, and for its first participation as a partner, Nameshield was given the France Cybersecurity label for its DNS Premium solution.

FIC 2018: Nameshield’s DNS Premium solution labelled France Cybersecurity
France Cybersecurity Label given by Mounir Mahjoubi, Secretary of State for Digital

The Nameshield’s labelled DNS Premium solution

The DNS is a well-known attack vector: DDoS, spoofing, Man in the Middle. The attacks are various and sophisticated. In front of the magnitude of these threats, maintaining its DNS infrastructure is complex.

Reliable and strong, the Nameshield’s highly secured DNS Premium is a DNS solution high availability, anycast and offers expert functionalities (anti-DDoS filter – Failover – GeoIP – DNSSEC – detailed statistics – etc.).

This solution labelled France Cybersecurity, thus allows to its users to protect their digital assets from any attack and ensures a high availability of their Internet services.

What is the France Cybersecurity label?

FIC 2018: Nameshield’s DNS Premium solution labelled France CybersecurityThe France Cybersecurity label is the guarantee for users that the Nameshield’s products and services are French and possess clear and well defined functionalities, with a certain level of quality in terms of cybersecurity, verified by an independent jury.

The France Cybersecurity Label answers to several needs and objectives:

  • Raise awareness among users and international ordering parties regarding the importance of the French origin of a Cybersecurity offer and its intrinsic qualities
  • Certify to users and ordering parties the quality and functionalities of labelled products and services
  • Promote French cybersecurity solutions and increase their international visibility
  • Certify to users and ordering parties the quality and functionalities of labelled products and services
  • Increase their overall use and the users’ security level

This label is governed by a committee composed of representatives gathered in 3 colleges:

  • College of officials: representatives from the Direction générale de l’armement (DGA, the French Government Defense procurement and technology agency), the Direction générale des entreprises (DGE, the French Directorate General for Enterprise within the Ministry of Economy, Industry and Digital), and the Agence nationale de la sécurité des systèmes d’information (ANSSI, the French National Cybersecurity Agency).
  • College of users: representatives from groups of users, such as: CIGREF, GITSIS, CESIN, CLUSIF ISSM space.
  • College of industrials: representatives from the “Alliance pour la Confiance Numérique” (ACN – Alliance for digital confidence) and HEXATRUST.

Nameshield certified ISO 27001 on all its registrar activity, was able to bring all the necessary guarantees to obtain the France Cybersecurity Label for its domain names securing offer, the DNS Premium and as highlighted by Gérard Gourjon, Nameshield’s Deputy Director-General: “Obtaining the France Cybersecurity Label illustrates our engagement to provide the best services and standards regarding cybersecurity to our customers. At Nameshield, we are proud to see our highly efficient and highly secured DNS infrastructure being labelled.”

For more information on our labelled solution DNS Premium: https://www.nameshield.com/en/cybersecurity/dns-premium/

For more information on the France Cybersecurity Label: https://www.francecybersecurity.fr/en/

SSL certificates reduction to 2 years maximum

SSL certificates reduction to 2 years maximum

The CAB forum, organization which defines the SSL certificates issuing and management rules approved the SSL certificates reduction to a duration of 2 years against 3 previously. Initiated by the browsers Chrome and Mozilla heading, this decision moves in the direction of an always more secured Internet by forcing the actors to renew more often their security keys and to stay on the last standards of the market.

This decision will be applicable to all Certification Authorities from March 1st 2018. In order to ensure a smooth transition, from February 1st 2018, Nameshield will not propose certificates with a 3 years duration anymore.

What impact for your certificates?

The new certificates will thus have a maximum duration of 825 days (2 years and 3 months to cover the possibility of 90 days early renewal). EV certificates were already under this scenario, so are concerned the DV and OV certificates in all their forms (standard, multi-sites or wildcard). Nothing in particular for these certificates.

For existing certificates, this new duration will have a consequence, since it will apply to all the certificates from March 1st. A 3 years certificate issued recently and which would need to be replaced beyond the 825 days deadline, will then have to be authenticated again. It is then important to know it to prevent urgent reissue, including for the simple SAN adding. You have to check beforehand if the certificate to replace may be impacted, this is the case of DV and OV certificates, the EV are also not concerned here.

Nameshield’s SSL team will inform you regarding the concerned certificates.

A bad phishing story

A bad phishing story

A victim of phishing from 2015, asked her bank for a refund of 3300€, which was the amount diverted by a fraud author. However, during the legal procedure, the Justice has cancelled the judgement of the local court of October 2017, which has requested to the bank of the victim to refund the corresponding amounts of the phishing operation.

The reason of this cancellation? The victim has deliberately communicated some confidential data regarding her credit card, by falling into the trap of a phishing email (the scammer has posed as the telephone operator of the victim).

This cancellation argument argues that indeed, the mail didn’t have any recipient nor sender name and that the reject or unpaid mention was inexact. Also the victim could have prevented the trap set and not communicate her banking information. Therefore, it was her responsibility, which indeed cancels the request for the stolen money refund by the bank.

The majority of phishing websites use domain names associated to an existing activity or referring to an activity, with the aim to deceive users, by inviting them to click on the links of legitimate websites. It allows to increase the likelihood of the attackers’ success.

The phishing concept is to retrieve personal data on Internet via identity theft, adapted to digital support.

If it is true that fraudulent payment online is directly caused by the victim’s negligence, yet, she didn’t communicate neither her credit card confidential code, nor the 6 digit 3D SECURE code, which was sent to her by SMS to validate the payment. The victim has blocked her credit card the same day, after the reception of two 3D secure messages.

However, in this case, the bank affirms that regularly, it has raised its customers ‘awareness and communicated with them, in order to alert them of phishing risks and warn them to never communicate their confidential banking data.

Thus, the Court of Cassation has judged that the victim acted carelessly and could have prevented to fall into the trap of the fraudster.

Cyber threats heavily rely on web users’ bad practices, as the SANS Institute confirms. The threats the most frequently encountered in companies are phishing (72% of the respondents), spywares (50%) and ransomwares (49%).

According to the American company Webroot, about 1.385.000 unique phishing websites are created each month, with an impressive peak of 2.3 million during May 2017.

Be aware that these phishing websites stay active during a very short period: between 4 and 8 hours maximum, to prevent to be followed or blacklisted.

Of course, this case reminds that vigilance remains crucial more than ever!

A phishing attack more and more sophisticated

A phishing attack more and more sophisticated

Recently, some Amazon users have been the victims of a quite sophisticated phishing attack.

They received a fake e-mail from Amazon, alerting them that someone attempted to connect to their account by trying to change their password. A six digit code was transmitted with the instruction to call a number to verify the user’s identity. If the web users were not the source of these actions, they were invited to follow a specific procedure to secure their account. When they called the supposed Amazon number, they were directed to a Customers service department, located abroad. During the call, they had to go on a website and communicate the code to ensure the security of the account.

The copy of the phishing message:

A phishing attack more and more sophisticated

Fortunately, many web users have detected this phishing attack and didn’t fall into the trap. But for the others, were they victims of a malware or a data theft?

All web users are hit by these phishing attempts. They are part of our daily lives, but many brands raise awareness among their customers against these actions (mostly the banking industry which is the privileged target of hackers).

To be continued.

The continuation of the Equifax case or how the controls implemented in the context of an ISMS (ISO 27001) can help to prevent security incidents?

Cybersecurity - The continuation of the Equifax case

October 3rd, 2017, Equifax’s ex CEO, Rick Smith, had to explain to the American Congress how the private data of almost one out of two Americans could be hacked.

Let us briefly recall the chronology of events (for more information, we invite you to read Adriana Lecerf’s complete article):

  • March 9th, 2017: An Apache Struts flaw is detected. Less than a week after, the security patch is validated and planned, but the latter is not applied on all the servers.
  • March 15th, 2017: a scan is carried out but no vulnerability is detected.
  • April 2017: Hackers take advantage of this breach (the security patch which was not applied on all the servers) and steal the precious data.
  • July 31th, 2017: The ex CEO is informed of the information theft.
  • September 8th, 2017: Official communication on the hacking.

How can the ISO 27001 certification and the establishment of an associated ISMS (Information Security Management System) help to prevent this kind of incident?

The ISO 27001 standard is the reference regarding validation and constant improvement of an ISMS. It relies on 114 control points which scan all the domains for the establishment of an ISMS, including the implementation of procedures and the platforms update processes.

That includes the implementation and regular control of the risks management process aiming to ensure the data security. The main purpose of this management system is to carry out the appropriate measures in order to reduce, even eliminate threats impact on users or customers.

The ISMS is a wheel of constant improvement and in the case of Equifax, the processes of control established and tracked with an ISMS could have eventually helped to prevent this kind of incident.

This case demonstrates again the obligation to rethink the security strategy within companies and to implement necessary protocols to ensure the discovery of possible security flaws and the corrective action to apply.

Nameshield certified ISO 27001

The CAA becomes mandatory in the small SSL’s world

Or how to benefit from it to implement a certification strategy specific to your company?

The CAA becomes mandatory in the small SSL’s world

In January 2013, a new type of DNS Resource Record has appeared to improve the control chain in the SSL certificates issuing. This record, called CAA for Certificate Authority Authorization, allows to specify for a given domain name which Certification Authorities are authorized to issue certificates.

It’s an extremely interesting creation, in particular for big companies and groups, which technical teams are scattered in the World and for which it’s often difficult to require a global certification strategy. It’s not unusual for companies to accidentally discover the existence of certificates requested by teams not knowing the processes, by external consultants, issued by Certification Authorities with a bad image, or for certificates of low level of authentication (DV). The implementation of CAA record on your domain names is a good solution to control what the teams are doing and the news on SSL’s world will help you do that.

Indeed, if the CAA has been detailed in the RFC-6844 from 2013, it was not mandatory until today, for a Certification Authority to check if it was authorized or not to issue a certificate on a given domain name, hence a certain uselessness of this and a very low adoption.

September 8th, 2017 – The CAA checking becomes mandatory

We had to wait until March 2017, and a positive vote of the CAB/forum (ballot 187) to make this verification mandatory. Since the 8 September, the Certification Authorities have the duty to do this verification at the risk of sanctions from CAB/forum and browsers, the recent news regarding Google and Symantec has shown us how it’s not in their interests.

Three scenarios occur during this verification on a given domain name:

  • A CAA record is set and indicates the Certification Authority name, this one can issue the certificate.
  • A CAA record is set and indicates a Certification Authority’s name different, this one CANNOT issue the certificate.
  • No CAA record is set, any Certification Authority can issue a SSL certificate.

The CAA becomes mandatory in the small SSL’s world

It’s important to note that for a given domain name, many CAA records can be declared. A simple tool (among many others) to test your domain name, is available online: https://caatest.co.uk/

How to benefit from CAA for my company?

If it’s not already done, the establishment of the CAA checking is the opportunity for your company to define a certification strategy and to be able to ensure that it is complied with.

Define one (or multiple) Certification Authority corresponding to your values and to your expectations in term of service quality is a first step.

It will require to put around the table the marketing stakeholders to validate the impact on websites display and the technical services to ensure of the chosen provider’s quality. It will then be necessary to declare these CAA records in the different zones of your domain names.

It’s then important to communicate with all the operational staff so they become aware of the rules imposed within the company, in order not to block them in obtaining a certificate.

Indeed, Nameshield’s experience shows that SSL certificates are often requested in a hurry; moreover the browser’s last versions are not kind towards certificates’ errors by ostensibly displaying “not secure”. In consequence, blocking the issuing of a certificate because the communication didn’t get through can be damaging.

Such strategy presents real advantages in the control of certificates, in marketing, technical, risks control and costs associated to certificates. It’s necessary to conduct it with full knowledge and in order to do it, our SSL experts’ team can assist you.