SSL Certificates Boost Security? Many Don’t.

Massive disruption is coming to websites that use digital certificates issued by Symantec or the brands that it has owned - Verisign, Thawte, GeoTrust, and RapidSSL. One third or more of the net’s SSL certificates could be affected.

*

Effective this week, neither Chrome nor Firefox will accept any SSL certificates that Symantec issued before June 2016. Symantec certificates issued after that date will not be accepted by either browser starting in September 2018.

These drastic measures have been in the making for about a year. In March 2017 Google announced that it had lost all confidence in certificates issued by Symantec.

What had gone wrong? In short, the way Symantec was issuing the certificates. Its issuance methods could allow untrusted third parties to issue certificates on Symantec’s behalf - without oversight. The rules that Symantec ignored had been decided by the industry standards group, the CA/B Forum, for certificates used

HTTPS: Beware the False Sense of Security

HTTPS is the protocol that is getting a lot of attention these days. As more browsers migrate toward supporting it in meaningful ways — like by not connecting to sites that do not offer it — it would be easy for a user to think that once HTTPS has been implemented, everything security-related is taken care of.

That is not the case.

In fact, one of the major problems affecting HTTPS right now is that users think it does more than it actually does, or than it was designed to do.

A simple example: a page is delivered to the browser over HTTPS but has a link to an image on another server embedded in it. The page itself is sent to the user HTTPS encrypted and all. Yet the page served to the browser also carries the link to that image, and the image file may or may not contain malicious code.

The user would have no

Fed Up? Fire Up This Cloud Browser.

The Facebook/Cambridge Analytica fiasco did not happen overnight or by “mistake”, as Facebook wants users to believe. The price of “free” services and apps online means the loss of data protection, privacy and transparency.

This isn’t a new phenomenon, it’s not limited to Facebook, and it should not be a surprise to anyone. Venture investment in companies building businesses around “eyeballs” and “clicks” had to convert to hard cash at some point, and that point is the monetization of user data.

In contrast, Authentic8’s cloud browser Silo was built on the trust of its users. How do we honor that trust? We think you have a right to know what we do with your data. But first, some background.

*

So Mark has admitted “mistakes” on behalf of Facebook. As did Marissa before him, for Yahoo. And don’t forget Richard (who?), who apologized - kinda, sorta - for Equifax. And so on…

Did it change anything that these

The Six Biggest Inside Threats to Law Firm IT

by Jordan McQuown, CIO, LogicForce

Watching the news, you could easily come away with the impression that our greatest security threat emanates from state actors far away, seeking to hack into your law firm.

You might even feel that you are protected. After all, your firm put firewalls and strong external perimeter defense systems in place. Are you sure you didn’t overlook something?

Because in my experience, an external attack is far less likely to cause a data breach than incidental actions of internal employees. I have come to believe that the most prevalent cybersecurity threats are not direct attacks on your perimeter defenses from the outside. Unintentional actions by insiders expose your firm to much bigger risks.

How can you identify and manage these risks to prevent a data breach? I recommend starting by focusing on...

The Six Biggest Internal Cybersecurity Threats

To prevent threats, you must be aware of them. Recently, LogicForce profiled more than 300 law firms for

Update on Meltdown and Spectre Exploits

Three months ago, the industry was on high alert due to the publication of two new security exploits: Meltdown and Spectre (see my prior post on this topic).

Since then, Authentic8 has aggressively updated its software at both the system and application level, from kernel to browser (and every patch in between). We have been actively monitoring our systems for security issues, as we always have and will continue to do.

These attacks did not represent a qualitative change in the security landscape but were a reminder that threats are always present. Some are known; most are probably not.

The Meltdown and Spectre threat reminds us that monitoring and rapid response are vital to our security and, by extension, the security of our customers.

While we haven’t seen any in-the-wild exploits that take advantage of Meltdown and Spectre, security breaches attributed to the lack of basic IT hygiene continue unabated.

We encourage you to re-assess - continuously - your basic security