Cryptojacking 101


As an end user, cryptojacking (cryptocurrency mining at someone else's expense) poses a problem: someone is hogging your computing power and profiting from it directly, without your knowledge.

To the miner, at first glance, this seems like a victimless crime: it is a passive activity, the costs seem minimal, and the returns are hard-earned cryptocurrency to spend on the open, deep, and dark web.

However, mining this currency comes at a high cost to the cryptojacking victim in computational expense (GPU and CPU usage), electricity (Source), and time.

Clever companies and individuals are looking for ways to leverage other people's resources to mine cryptocurrency by embedding cryptomining scripts into websites serving up anything from webstores to video streams.

Let’s step through the mechanics, economy, and potential mechanisms to counter browser-based cryptojacking.

The Mechanics of Cryptojacking

Cryptojacking is simple:

  • a user navigates to a website or service controlled by the miner,
  • a CoinHive or similar client-side JavaScript is

5 Must-Read Cybersecurity Resources for Law Firms


A recent survey of law firms found that nearly one-third of the respondents didn’t know who was responsible for risk management within their organization. What will their corporate clients make of that?

According to the research reviewed for this post, client cybersecurity audits are becoming the new normal for law firms. Many companies are no longer willing to entrust their legal matters to firms without subjecting them to a client audit first.

The same holds true when Big Law is looking to partner with smaller practices in local markets. Potential partners who cannot demonstrate that, and how, they protect sensitive client information against data breaches will lose valuable business and connections to a competitor in the region who can.

For this post, we have collected resources that provide up-to-date insights and guidance that help law firms with their cybersecurity planning and client audit preparation:


1. Why Are So Many Law Firms Unaware That They Suffered a Data Breach?

The second edition

Spyware Targeting Users Through ISP


by Larry Loeb

FinFisher is a suite of surveillance tools that has achieved notoriety for its use by repressive regimes and rogue states to spy on their citizens and civil rights organizations.

Security firm ESET has now found, for the first time, evidence that an ISP colluded with third parties to enable this surveillance software.

FinFisher features a wide range of capabilities for spying on users, including, among others, live surveillance through webcams and microphones, keylogging, and the exfiltration of files.

The original way FinFisher infected victims was fairly typical of malware tricks and often exploited local browser vulnerabilities.

The arsenal included zero-day exploits, spear-phishing emails, drive-by downloads when users navigated to hacked sites, and direct installation of the malware when physical access to the target's device could be obtained.

Some of that still happens. Earlier this month, a spear-phishing campaign targeting Russian users was launched that leveraged an Office 365 zero-day to distribute the malware.

Now ESET has found a

5 Free Resources for More Cybersecurity Awareness in Your Business


Every year, too many companies and organizations still pass up an easy opportunity for making their employees or volunteers more #cyberaware: National Cyber Security Awareness Month, the annual public/private campaign in October to raise public awareness and improve the nation’s overall security posture.

While IT security managers acknowledge the need for new and better ways to help users overcome their learned helplessness in the face of cyber threats, a lack of internal resources often prevents them from mounting their own NCSAM efforts and reaching out to employees at all levels.

Does this sound familiar? If so, it’s not too late for your team to get in on this year’s NCSAM action.

Here's a quick fix.

Check out the free tools and resources we have selected for you.

However big or small your organization, they can help you get up and running with your own NCSAM in-house campaign on a budget and in no time:


The Official NCSAM

Research: Deanonymizing Browser Data Made Easy


This year at DEFCON in Las Vegas, investigative journalist Svea Eckert and researcher Andreas Dewes demonstrated how, with relative ease, they deanonymized browsing datasets they had acquired through major browser plugin providers.

Their research resulted in a handful of significant findings:

  • 10 “privacy” plugins provided the most voluminous data sets.
  • The data provided is very granular.
  • Contrary to popular belief, the deanonymization techniques aren’t novel; the majority rely on pattern matching rather than complex maths.
  • Using Publicly Available Information (PAI) for correlation makes deanonymization much simpler.

Let’s dig into their research [PDF] to identify the risks involved with plugin usage and the techniques used to exploit the data. One notable finding even affected an active law enforcement investigation.

Browser Plugins as Data Providers

The security implications of using browser plugins are extensive. Risks abound, ranging from download and installation, through settings and permissions, to the possible monetization of user data.

One data provider identified in the research was Web of Trust (WOT) - a plugin installed