Authentic8 Blog Author: Guest Contributor

Authentic8 welcomes suggestions and submissions from guest contributors. Blog posts should be relevant, non-promotional and add valuable and actionable insights for improving IT security on the web.

Rogue WiFi Access Points: Would You Know the Difference?

When traveling, at trade shows or when visiting a client or customer, a wireless access point (AP) can offer the most direct way to connect to the web. And the most dangerous, too.

Beware “rogue” access points (RAPs). They’re out there ready to get you when you expect it least.

Rogue access points pop up on your device’s network menu with labels that look like what you’d expect to see when trying to gain access to a system in a public or semi-public space.

They pop up in coffee shops, hotel lobbies and hallways, on trade show floors, commuter trains or at airports. The network label at Reagan National Airport in Washington DC, for example, reads FlyReagan. But someone may have set up a RAP labeled FlyReagan or FlyDCA for their own (read: dark) purposes.

RAPs vs. APs: Would you know the difference?

Have you ever been pwned by a rogue AP? Most victims wouldn’t be able to

Hoodwinked: Why Our Eyes Won't Protect Us Against Phishing and Fake Websites

By Benjamin Dynkin & Barry Dynkin

Our eyes were the gatekeepers between fact and fiction, reality and myth - then the internet came along. The visual information we encounter and interact with on the web is digitally created and manipulated - and we’re not ready for it.

Web pages and individual visual elements can be easily replicated, and their impact on users tracked and measured. The problem with that is that scammers take advantage of it, while we still trust our eyes. This trust can now easily be turned against us.

In the domain of email-based fraud, perpetrators have evolved beyond broad, “Nigerian Prince”-esque campaigns. No longer are they limited to crude schemes that are easily detected.

Instead, they are using sophisticated, targeted campaigns that combine social engineering with visual deception and manipulation. The goal is to generate sensory overload and trick individuals into divulging critical information, such as usernames and passwords, or to overcome their resistance with psychological pressure

Browser Security: Pwned and Exposed

Supposedly secure browsers are making headlines, but not in a good way. Their makers cannot gloss over the security weaknesses any longer.

Browser makers should be concerned, very concerned. Last week, a security researcher with software firm AdGuard called out five malicious ad blocking extensions in the Google Chrome Store.

At that point, they had already been installed by at least 20 million users of the Chrome browser. This shouldn’t have come as a big surprise. Many well-documented cases prove that plugins, in general, exacerbate the risks associated with using a locally installed browser.

And annual exploit competitions like last month’s Pwn2Own keep exposing ever more vulnerabilities of supposedly “secure” browsers for the world (malware authors, in particular) to see and study.

At Pwn2Own (sponsored by security vendor Trend Micro), Apple’s Safari browser was hacked by a three-bug chain containing a macOS elevation of privilege vulnerability that modified text on a MacBook Pro's touch bar. And that wasn’

SSL Certificates Boost Security? Many Don’t.

Massive disruption is coming to websites that use digital certificates issued by Symantec or the brands that it has owned - Verisign, Thawte, GeoTrust, and RapidSSL. One third or more of the net’s SSL certificates could be affected.

Effective this week, neither Chrome nor Firefox will accept any SSL certificates that Symantec issued before June 2016. Symantec certificates issued after that date will be rejected by both browsers starting in September 2018.

These drastic measures have been in the making for about a year. In March 2017 Google announced that it had lost all confidence in certificates issued by Symantec.

What had gone wrong? In short, the way Symantec was issuing the certificates. Its issuance methods could allow untrusted third parties to issue certificates on Symantec’s behalf - without oversight. The rules that Symantec ignored had been decided by the industry standards group, the CA/B Forum, for certificates used

HTTPS: Beware the False Sense of Security

HTTPS is the protocol that is getting a lot of attention these days. As more browsers migrate toward supporting it in meaningful ways — like by not connecting to sites that do not offer it — it would be easy for a user to think that once HTTPS has been implemented, everything security-related is taken care of.

That is not the case.

In fact, one of the major problems affecting HTTPS right now is that users think it does more than it actually does, or than it was designed to do.

A simple example: a page is served to the browser over HTTPS but has a link to an image on another server embedded in it. The page is sent to the user HTTPS-encrypted and all. Yet the page served to the browser also carries the link to the image, an image file that may or may not contain malicious code.

The user would have no