Authentic8 Blog Author: Guest Contributor

Authentic8 welcomes suggestions and submissions from guest contributors. Blog posts should be relevant, non-promotional and add valuable and actionable insights for improving IT security on the web.

SSL Certificates Boost Security? Many Don’t.

Massive disruption is coming to websites that use digital certificates issued by Symantec or the brands that it has owned - Verisign, Thawte, GeoTrust, and RapidSSL. One third or more of the net’s SSL certificates could be affected.

Effective this week, both the Chrome and Firefox browsers will not accept any SSL certificates issued by Symantec that were issued before June 2016. Symantec certificates that were issued after that date will not be accepted by either browser starting in September 2018.

These drastic measures have been in the making for about a year. In March 2017 Google announced that it had lost all confidence in certificates issued by Symantec.

What had gone wrong? In short, the way Symantec was issuing the certificates. Its issuance methods could allow untrusted third parties to issue certificates on Symantec’s behalf - without oversight. The rules that Symantec ignored had been decided by the industry standards group, the CA/B Forum, for certificates used

HTTPS: Beware the False Sense of Security

HTTPS is the protocol that is getting a lot of attention these days. As more browsers migrate toward supporting it in meaningful ways — like by not connecting to sites that do not offer it — it would be easy for a user to think that once HTTPS has been implemented, everything security-related is taken care of.

That is not the case.

In fact, one of the major problems affecting HTTPS right now is that users think that it does more than it actually does, or than it was designed to do.

A simple example of this is a page that is served to the browser over HTTPS but has a link to an image on another server embedded in it. The page is sent to the user HTTPS-encrypted and all. Yet the page served to the browser also carries the link to the image - an image file that may or may not contain malicious code.

The user would have no

The Six Biggest Inside Threats to Law Firm IT

by Jordan McQuown, CIO, LogicForce

Watching the news, you could easily come away with the impression that our greatest security threat emanates from state actors far away, seeking to hack into your law firm.

You might even feel that you are protected. After all, your firm put firewalls and strong external perimeter defense systems in place. Are you sure you didn’t overlook something?

Because in my experience, an external attack is far less likely to cause a data breach than incidental actions of internal employees. I have come to believe that the most prevalent cybersecurity threats are not direct attacks on your perimeter defenses from the outside. Unintentional actions by insiders expose your firm to much bigger risks.

How can you identify and manage these risks to prevent a data breach? I recommend starting by focusing on...

The Six Biggest Internal Cybersecurity Threats

To prevent threats, you must be aware of them. Recently, LogicForce profiled more than 300 law firms for

GDPR: A Deadline You Can’t Afford to Ignore

by Steve Durbin, Managing Director, Information Security Forum

If your U.S.-based business deals with customers, employees or contractors in the European Union, the clock is ticking for you. On May 25th, the EU’s General Data Protection Regulation (GDPR) goes into effect.

It will affect you whether or not you have an actual presence in Europe.

At the Information Security Forum (ISF), we consider GDPR to be the most extensive overhaul of global privacy law in decades. It fundamentally redefines the scope and application of EU data protection legislation.

GDPR compels organizations worldwide to comply with its requirements — or face stiff fines and penalties. The regulation affects any organization that handles the personal data of European Union (EU) residents, regardless of where the data is processed.

Many US-based organizations are obliged to comply with the new standards. Given the global nature of e-commerce, cloud services, and communications platforms, few organizations will be able to completely avoid the requirements.

Local Browser Wins Olympic Gold for Worst Security

by Amir Khashayar Mohammadi

Nearly every web browser comes equipped with a built-in password manager. Combined with all its other inherent vulnerabilities, this makes the local browser an even more attractive target for automated attacks. The bad guys would love to gain access to the container that keeps track of the keys to your online bank. Given the browser’s weak security underpinnings, how hard could it be?

Not too hard. This was confirmed, once again, by news that broke earlier this week. A new piece of malware, dubbed "Olympic Destroyer" by security firm Talos, does just that. Its purpose was to target a network of non-critical systems at this year's Winter Olympics in PyeongChang, South Korea.

Cybersecurity researchers pointed out that Olympic Destroyer was designed to take computers offline by erasing critical system files. But that was not the whole story. Olympic Destroyer also features two critical methods of stealing credentials.

One technique targets those credentials stored in the