DigiCert Offers Continuous Monitoring of Digital Certificates to Defeat Fraud

This is a move in the right direction, considering how often attackers use compromised or fraudulently obtained certificates to obscure their real identity and motives.
Jason Sabin, CSO of DigiCert, said in an interview that the system is designed to give customers more control of and supervision over the certificates they have in use.
 
“In some large organizations, you can get people who need to get something done for a certain project so they go and grab a domain and don’t have time to go through whatever process they have in place for getting a certificate,” Sabin said. “So they do it themselves, but then the organization doesn’t know it’s happened, or perhaps it wasn’t done correctly.”
 
The CertCentral platform that DigiCert is rolling out allows for continuous monitoring of an organization’s certificates, and it also can protect companies against phishing and other attacks that play off of variants of their legitimate domains.
 
“We can look for people using certificates that are close variants of your domains, like using zeroes for the letter O or things like that,” Sabin said.
Certificate Transparency (CT) is possibly the best approach available today for detecting and preventing unauthorised certificate usage. But it also has to be noted that the key player behind this initiative is Google, a company infamous for its views and actions on user privacy.
Dennis Fisher (@dennisf) has elaborated on this in much more detail at ThreatPost: https://threatpost.com/digicert-offers-continuous-monitoring-of-digital-certificates-to-defeat-fraud/112227
CT’s official site is also a great read for understanding the concept further. It describes the three components of the system:
Certificate Logs:
Certificate logs are simple network services that maintain cryptographically assured, publicly auditable, append-only records of certificates.
 
Monitors:
Monitors are publicly run servers that periodically contact all of the log servers and watch for suspicious certificates.
 
Auditors:
Auditors are lightweight software components that typically perform two functions. First, they can verify that logs are behaving correctly and are cryptographically consistent. If a log is not behaving properly, then the log will need to explain itself or risk being shut down. Second, they can verify that a particular certificate appears in a log.
Image courtesy: www.hotforsecurity.com
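To make the three roles above concrete, here is an added Python illustration of my own (it is neither DigiCert’s CertCentral nor the CT project’s software). A small RFC 6962-style Merkle tree plays the log, an inclusion-proof check plays the auditor (and shows why a log cannot quietly rewrite an entry once a tree head has been recorded), and a lookalike-domain scan plays the monitor, catching the “zeroes for the letter O” variants Sabin mentions. The organisation’s domains, its approved CA, the homoglyph table and the certificate records are all constructed assumptions for the demo.

```python
import hashlib
import json

# Added example, not DigiCert's or the CT project's code. ORG_DOMAINS,
# APPROVED_ISSUERS and RECORDS are constructed assumptions for the demo.
ORG_DOMAINS = {"example.com"}
APPROVED_ISSUERS = {"Example Corp CA"}

def leaf_hash(data: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || entry)."""
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_head(leaves: list) -> bytes:
    """Merkle tree hash over leaf hashes: the value a log signs and publishes."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))

def audit_path(index: int, leaves: list) -> list:
    """Inclusion proof for leaves[index] (the PATH() function of RFC 6962)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return audit_path(index, leaves[:k]) + [tree_head(leaves[k:])]
    return audit_path(index - k, leaves[k:]) + [tree_head(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int, path: list, root: bytes) -> bool:
    """Auditor check: rebuild the root from leaf + audit path (RFC 9162 section 2.1.3.2)."""
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(domain: str) -> str:
    """Fold digit-for-letter tricks so 'examp1e.c0m' compares equal to 'example.com'."""
    return domain.lower().replace("rn", "m").translate(HOMOGLYPHS)

def monitor(records: list) -> list:
    """Monitor check: (common name, reason) for entries an analyst should look at."""
    findings = []
    for rec in records:
        cn, issuer = rec["cn"].lower(), rec["issuer"]
        registrable = ".".join(cn.split(".")[-2:])   # naive: no public-suffix handling
        if registrable in ORG_DOMAINS:
            if issuer not in APPROVED_ISSUERS:      # someone got a cert outside the process
                findings.append((cn, f"issued by unapproved CA {issuer!r}"))
        elif normalize(registrable) in ORG_DOMAINS:  # close variant of our domain
            findings.append((cn, f"lookalike of {normalize(registrable)}"))
    return findings

RECORDS = [  # constructed log entries, oldest first
    {"cn": "www.example.com", "issuer": "Example Corp CA"},
    {"cn": "shop.example.com", "issuer": "Example Corp CA"},
    {"cn": "dev.example.com", "issuer": "Some Other CA"},
    {"cn": "login.examp1e.com", "issuer": "Some Other CA"},
    {"cn": "www.exarnple.com", "issuer": "Some Other CA"},
]
LEAVES = [leaf_hash(json.dumps(r, sort_keys=True).encode()) for r in RECORDS]

def demo() -> tuple:
    """Returns (honest proof verifies, proof over rewritten history verifies, monitor findings)."""
    root = tree_head(LEAVES)                      # the tree head the auditor recorded earlier
    honest = verify_inclusion(LEAVES[3], 3, len(LEAVES), audit_path(3, LEAVES), root)
    rewritten = LEAVES[:2] + [leaf_hash(b"forged")] + LEAVES[3:]   # log quietly swaps entry 2
    forged = verify_inclusion(rewritten[3], 3, len(rewritten), audit_path(3, rewritten), root)
    return honest, forged, monitor(RECORDS)

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, False, [...])`: the honest proof checks out against the recorded head, the proof the log produces after swapping entry 2 does not, and the monitor flags `dev.example.com` (issued outside the approved CA), `login.examp1e.com` and `www.exarnple.com`. The registrable-domain split is deliberately naive; a real monitor would use a public-suffix list and a much richer confusable table.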

How SEBI rewrote its regulations for startups in 100 days

It’s very interesting to see SEBI work closely with these startups to understand how “listing” has to evolve to be on par with countries like the US, the UK and Singapore. The key here is to understand that the way, and the time span over which, most startups today (especially technology startups) in India and around the world earn revenues and profits is different from conventional businesses. So the listing requirements and policies also need to change accordingly.
Some of the key updates made to the policy include:
  • A new Listing platform
  • No more small investors
  • Profits do not matter the most, anymore
  • “Promoter” vs “Founder”
Aparna Ghosh from Yourstory.com has summarised the changes here: http://yourstory.com/2015/04/sebi-regulations-for-startups/
Image courtesy: Yourstory.com

IBM to work with Apple Watches Team to integrate health data with Medical devices

It’s ironic to note how the relationship between IBM and Apple has evolved over the last 3 decades. Putting the historic 1984 ad (https://www.youtube.com/watch?v=OwT6mgXsZvU) on one side and this announcement on the other shows that time can change even the bitterest of relationships, doesn’t it?

As Jack Purcher notes for Patently Apple:

“…IBM has struck partnerships with Apple and the world’s biggest makers of medical devices, to put health data from Apple Watches into the hands of doctors and insurers, and to create personalized treatments for hip replacement patients and diabetics.

IBM’s push into digital healthcare will allow users monitoring their heart rate, calories burnt and cholesterol levels using Apple’s HealthKit platform to upload the information from an IBM app to a storage cloud, where it will be accessible to their doctors and insurance companies. Those who opt in to Apple’s ResearchKit will also be able to share their data with medical researchers.”

Do check out the full report here: http://www.patentlyapple.com/patently-apple/2015/04/ibm-to-put-health-data-from-apple-watches-into-the-hands-of-doctors-and-insurers-to-create-personalized-treatments.html

Book Review: The Intel Trinity

A concise review by Brad Feld of the book The Intel Trinity: How Robert Noyce, Gordon Moore, and Andy Grove Built the World’s Most Important Company.

“I work with many first time and young entrepreneurs who know the phrase “Moore’s Law” but know nothing about the origin story of Intel or the history of how Moore’s Law built the base of an industry that we continue to build on. I also know many experienced entrepreneurs who seem to have forgotten that the phenomenon we experience around innovation, disruption, innovators vs. incumbents, and radical shifts in the underlying dynamics of markets is nothing new. If you fall into this category, as hard as it may be to acknowledge, get a copy of The Intel Trinity and read it from cover to cover.”

Do check out the full review here: http://www.feld.com/archives/2015/03/book-intel-trinity.html

It’s a must-read for all technology enthusiasts.

Log Monitoring for e-Commerce: Five Key Areas

e-Commerce has become the most important platform for a retailer to sell goods. And as the number of financial transactions on e-Commerce sites increases dramatically year on year, those sites become ever more interesting to fraudsters and adversaries. The key to detecting security anomalies in this channel is to log every crucial piece of information.

Even from an operational perspective, it is very important for an e-Commerce company to know exactly what it should log, so that its IT operations team isn’t overwhelmed by the volume of information thrown at them for review.

The five key areas to focus on must be:

  1. Checkout: Log every step in the checkout process for errors and set alerts so you know if any part of the process fails.
  2. Shopping cart: Log all add-to-cart failures when they occur, send out an alert, and investigate the problem ASAP. There are a lot of intermittent problems that can create big headaches.
  3. Online catalog/ product page: Look for issues with specific product lines, markets, or other logical groups of products, especially if you have old data or legacy software integrations.
  4. Email signup: Look for both client-side and server-side issues because the business logic resides in both places.
  5. Login & registration: In addition to form submission and validation, focus on authentication and authorization logic as a whole. Log social media login errors, authentication and authorization cookies that may be out of sync, and errors from additional authentication checks.
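As an added illustration of the five areas (my own code, not from the APM Digest post), the script below parses a handful of constructed application log lines, groups them the way each area suggests (checkout, cart and login by step, the catalogue by product line, e-mail signup by client versus server side) and raises an alert only where the failure rate crosses a per-area threshold, paging for the revenue path and filing a ticket elsewhere. The log format, field names and thresholds are assumptions.

```python
import re
from collections import Counter

# Added example (not from the APM Digest post): parse constructed e-commerce
# application log lines and raise one alert per area/group whose failure rate
# crosses a threshold. Log format, field names and thresholds are assumptions.

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<area>\w+)\s+(?P<kv>.*)$")

# How to group each area: checkout/cart/login by step, catalog by product line,
# email signup by client vs server side (business logic lives in both places).
GROUP_FIELD = {"catalog": "line", "email": "side"}

# Failure-rate thresholds per area; 0.0 means a single failure is enough to alert.
THRESHOLDS = {"checkout": 0.2, "cart": 0.0, "catalog": 0.5, "email": 0.3, "login": 0.3}
PAGE_AREAS = {"checkout", "cart"}   # revenue path: page someone rather than file a ticket

SAMPLE_LOG = """
2015-04-20T10:00:01Z checkout step=address status=ok session=s1
2015-04-20T10:00:02Z checkout step=payment status=ok session=s1
2015-04-20T10:00:05Z checkout step=payment status=error code=GATEWAY_TIMEOUT session=s2
2015-04-20T10:00:07Z checkout step=payment status=error code=GATEWAY_TIMEOUT session=s3
2015-04-20T10:00:09Z checkout step=payment status=ok session=s4
2015-04-20T10:00:11Z cart step=add status=ok sku=A100 session=s1
2015-04-20T10:00:12Z cart step=add status=error code=INVENTORY_NULL sku=B200 session=s5
2015-04-20T10:00:15Z catalog step=view status=ok line=shoes sku=A100
2015-04-20T10:00:16Z catalog step=view status=error code=LEGACY_FEED line=legacy sku=L001
2015-04-20T10:00:17Z catalog step=view status=error code=LEGACY_FEED line=legacy sku=L002
2015-04-20T10:00:20Z email step=signup status=ok side=client
2015-04-20T10:00:21Z email step=signup status=error code=VALIDATION side=server
2015-04-20T10:00:25Z login step=auth status=ok session=s1
2015-04-20T10:00:26Z login step=authz status=error code=COOKIE_OUT_OF_SYNC session=s1
2015-04-20T10:00:27Z login step=social status=error code=OAUTH_STATE_MISMATCH session=s6
2015-04-20T10:00:28Z login step=auth status=ok session=s7
""".strip().splitlines()   # constructed sample, not real traffic

def parse(line: str):
    """Turn one 'ts area k=v k=v ...' line into a dict; None for lines that don't fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "area": m["area"]}
    for token in m["kv"].split():
        if "=" in token:
            k, v = token.split("=", 1)
            event[k] = v
    return event

def analyse(lines) -> dict:
    """Return {(area, group): alert} for every group whose failure rate beats its threshold."""
    totals, failures, codes = Counter(), Counter(), {}
    for line in lines:
        e = parse(line)
        if e is None or e["area"] not in THRESHOLDS:
            continue
        key = (e["area"], e.get(GROUP_FIELD.get(e["area"], "step"), "-"))
        totals[key] += 1
        if e.get("status") != "ok":
            failures[key] += 1
            codes.setdefault(key, Counter())[e.get("code", "UNKNOWN")] += 1
    alerts = {}
    for key, total in totals.items():
        rate = failures[key] / total
        if failures[key] and rate > THRESHOLDS[key[0]]:
            alerts[key] = {
                "failures": failures[key],
                "total": total,
                "rate": round(rate, 2),
                "top_code": codes[key].most_common(1)[0][0],   # first thing to investigate
                "severity": "page" if key[0] in PAGE_AREAS else "ticket",
            }
    return alerts

if __name__ == "__main__":
    for (area, group), a in sorted(analyse(SAMPLE_LOG).items()):
        print(f"[{a['severity']:6}] {area}/{group}: {a['failures']}/{a['total']} failed "
              f"({a['rate']:.0%}), most common code {a['top_code']}")
```

On the sample, the address step and the shoes product line stay quiet while the payment step (2 of 4 failing with GATEWAY_TIMEOUT), the single add-to-cart failure, the legacy product line, the server side of signup and the authz and social login steps each produce an alert. Carrying the most common error code in the alert is what turns “something failed” into a starting point for the investigation.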

Do check out the full post here: http://apmdigest.com/5-areas-every-e-commerce-business-should-monitor-using-log-data

Image Courtesy: http://www.softprodigy.com

harinotes.com – My Blog

Just like many other people, I read a lot of stuff every day. Most of it is about technology, as that’s what I do as a profession. And I have always liked sharing interesting stuff from what I read with friends and colleagues.

And I always knew that a blog would give me an opportunity to share such interesting stuff with multiple people using one common platform, instead of multiple social media platforms.

So I have been thinking of blogging for quite some time (quite some time = almost a decade!), and now I have finally decided to do so in 2015. (No, it was not one of my New Year resolutions for 2015 :))

So this is it. This is my blog, where I share my thoughts and curated articles on technology, startups, information security and travel, and sometimes on off-beat topics like politics and others too.

So Hello World!