Breaking and Evading the Local Browser Sandbox (1)

Illustration: Breaking and Evading the Local Browser Sandbox (1) - Authentic8 Blog

by Amir Khashayar Mohammadi

Is “sandboxing” the local browser really the cure-all for inherent browser vulnerabilities that the developers of supposedly “secure” browsers make it out to be?

Or is it just one more attempt to put lipstick on an aging pig with progressing health problems?

Much like with security patches and browser updates, the answer is not that simple. Putting the fix in can open the door for new and different exploits that allow attackers to pwn the local machine.

Which methods have been applied so far to break local browser and app sandboxes?

Let’s take a closer look. You will be surprised.

Breakouts from the beginning

Local browser sandboxing was first introduced by Google for the Chrome browser, as a layer of isolation designed to keep third-party processes confined to the browser and prevent them from harming the local machine’s environment.

The problem with this form of isolation is that it is far from perfect.

The smallest hole

Risk Management and Employee Cybersecurity


Risk management will be a central topic at the 3rd annual ALM cyberSecure conference in New York City this year.

The cross-industry gathering of thought leaders on December 4-5 aims to facilitate a holistic approach to data security, risk management and data governance.

Influential business leaders from the cybersecurity industry and high-ranking law enforcement officials will be convening with corporate risk management, compliance and law department leaders at the conference, which features speakers from numerous Fortune 100 companies.

Authentic8 Co-Founder and CEO Scott Petry will moderate a discussion panel on “Revamping Employee Cybersecurity Policies and Training to Mitigate Legal Risks” on December 4th.

Scott Petry will be joined on stage by Daniel Pepper, Vice President and Deputy General Counsel at Comcast; Adam Rubin, General Counsel of PrizeLogic; and Allen Brandt, Executive Director, Associate General Counsel and Chief Privacy Officer at the Depository Trust & Clearing Corporation.

Balancing IT security, data protection and privacy

Balancing IT security and data protection with the needs

The Long Con: Antivirus and Your Data


Officials and security researchers have named antivirus (AV) vendors as the new weak link in enterprise and government networks. They claim that sensitive files of the U.S. National Security Agency, the Republic of Korea Armed Forces and U.S. companies were targeted and exfiltrated thanks to the software that should be protecting the endpoint.

Antivirus solutions have been around since the mid-1980s. We gave them file system permissions to scan every file. Then we allowed them access to OS processes to scan active code. Then we allowed vendors to take our data to the cloud for “enhanced” security.

Now, as with many other services, our trust is used against us. The same AV tools that were supposed to help us fight malware are used as a backdoor to steal sensitive information and stage cyber attacks. This feels like a long con perpetrated by the antivirus industry.

Which vendors can you trust?

The irony is that for years we’ve been paying vendors to

Cryptojacking 101


As an end user, cryptojacking (cryptocurrency mining at someone else's expense) poses a problem: someone is hogging your computing power and profiting directly from you, without your knowledge.

To the miner, at first glance, this seems like a victimless crime: it's a passive activity, the costs seem minimal, and the returns are hard-earned cryptocurrency to spend on the open, deep, and dark web.

However, mining this currency comes at a high cost due to computational expenses (GPU, CPU usage), electricity costs (Source), and time for the cryptojacking victim.

Clever companies and individuals are looking for ways to leverage other individuals' resources to mine cryptocurrency by embedding cryptomining scripts into websites serving up anything from webstores to video streams.

Let’s step through the mechanics, economy, and potential mechanisms to counter browser-based cryptojacking.

The Mechanics of Cryptojacking

Cryptojacking is simple:

  • a user navigates to a website or service controlled by the miner,
  • a CoinHive or similar client-side JavaScript is

5 Must-Read Cybersecurity Resources for Law Firms


A recent survey of law firms found that nearly one-third of the respondents didn’t know who was responsible for risk management within their organization. What will their corporate clients make of that?

According to the research reviewed for this post, client cybersecurity audits are becoming the new normal for law firms. Many companies are no longer willing to entrust their legal matters to firms without subjecting them to a client audit first.

The same holds true when Big Law is looking to partner with smaller practices in local markets. Potential partners who cannot demonstrate that and how they protect sensitive client information against data breaches will lose valuable business and connections to a competitor in the region who can.

For this post, we have collected resources that provide up-to-date insights and guidance that help law firms with their cybersecurity planning and client audit preparation:

1. Why Are So Many Law Firms Unaware That They Suffered a Data Breach?

The second edition