Authentic8 Blog Author: Guest Contributor

Authentic8 welcomes suggestions and submissions from guest contributors. Blog posts should be relevant, non-promotional and add valuable and actionable insights for improving IT security on the web.

How the PageUp Hack is Highlighting HR's Data Protection Problems

Illustration: How the PageUp Hack is Highlighting HR's Data Protection Problems - Authentic8 Blog

The recent data breach at global Human Resources services provider PageUp may have impacted millions of job seekers, the firm announced last week. Following such incidents that affect HR records, it’s often IT that gets the blame. Are HR firms and departments generally too lax at handling confidential data?

*

HR professionals have been found to be especially vulnerable to cyberattacks or user error. HR data breaches have severe consequences for individual employees and the whole organization. In 2015, confidental information of more than 22 million current and former federal employees and contractors was stolen when state-sponsored hackers hit the Office of Personnel Management (OPM), the U.S. government’s HR department.

Since then, employees have started suing their employers over other incidents, as in the case of an HR data breach at Seagate, and more law firms are lining up to take their cases. Lamps Plus was slapped with a class action in California federal court, accusing it of failing to

Rogue WiFi Access Points: Would You Know the Difference?

Illustration: Rogue WiFi Access Points: Would You Know the Difference? - Authentic8 Blog

When traveling, at trade shows or when visiting a client or customer, a wireless access point (AP) can offer the most direct way to connect to the web. And the most dangerous, too.

*

Beware “rogue” access points (RAPs). They’re out there ready to get you when you expect it least.

Rogue access points pop up on your device’s network menu with labels that look like what you’d expect to see when trying to gain access to a system in a public or semi-public space.

They pop up in coffee shops, hotel lobbies and hallways, on trade show floors, commuter trains or at airports. The network label at Reagan National Airport in Washington DC, for example, reads FlyReagan. But someone may have set up a RAP labeled FlyReagan or FlyDCA for their own (read: dark) purposes.

RAPs vs. APs: Would you know the difference?

Have you ever been pwned by a rogue AP? Most victims wouldn’t be able to

Hoodwinked: Why Our Eyes Won't Protect Us Against Phishing and Fake Websites

Illustration: Hoodwinked: Why Our Eyes Won't Protect Us Against Phishing and Fake Websites - Authentic8 Blog

By Benjamin Dynkin & Barry Dynkin

Our eyes were the gatekeepers between fact and fiction, reality and myth - then the internet came along. The visual information we encounter and interact with on the web is digitally created and manipulated - and we’re not ready for it.

*
Web pages and individual visual elements can be easily replicated, and their impact on users tracked and measured. The problem with that is that scammers take advantage of it, while we still trust our eyes. This trust can now easily be turned against us.

In the domain of email-based fraud, perpetrators have evolved beyond broad, “Nigerian Prince”-esque campaigns. No longer are they limited to crude schemes that are easily detected.

Instead, they are using sophisticated, targeted campaigns that combine social engineering with visual deception and manipulation. The goal is to generate sensory overload and trick individuals into divulging critical information, such as usernames and passwords, or to overcome their resistance with psychological pressure

Browser Security: Pwned and Exposed

Illustration: Browser Security: Pwned and Exposed - Authentic8 Blog

Supposedly secure browsers are making headlines, but not in a good way. Their makers cannot gloss over the security weaknesses any longer.

*

Browser makers should be concerned, very concerned. Last week, a security researcher with software firm AdGuard called out five malicious ad blocking extensions in the Google Chrome Store.

At that point, they had already been installed by at least 20 million users of the Chrome browser. This shouldn’t have come as a big surprise. Many well-documented cases prove that plugins, in general, exacerbate the risks associated with using a locally installed browser.

And annual exploit competitions like last month’s Pwn2Own keep exposing ever more vulnerabilities of supposedly “secure” browsers for the world (malware authors, in particular) to see and study.

At Pwn2Own (sponsored by security vendor Trend Micro), Apple’s Safari browser was hacked by a three bug chain containing a macOS elevation of privilege vulnerability that modified text on a MacBook Pro's touch bar. And that wasn’

SSL Certificates Boost Security? Many Don’t.

Illustration: SSL Certificates Boost Security? Many Don’t. - Authentic8 Blog

Massive disruption is coming to websites that use digital certificates issued by Symantec or the brands that it has owned - Verisign, Thawte GeoTrust, and RapidSSL. One third or more of the net’s SSL certificates could be affected.

*

Effective this week, both the Chrome and Firefox browsers will not accept any SSL certificates issued by Symantec that were issued before June 2016. Symantec certificates that were issued after that date will not be accepted by both browsers starting in September 2018.

These drastic measures have been in the making for about a year. In March 2017 Google announced that it had lost all confidence in certificates issued by Symantec.

What had gone wrong? In short, the way how Symantec was issuing the certificates. Its issuance methods could allow untrusted third parties to issue certificates on Symantec’s behalf - without oversight. The rules that Symantec ignored had been decided by the industry standards group, the CA/B Forum, for certificates used