Authentic8 Blog Category: News

How Do I Know If My Local Browser Extension Was Hijacked?

If you’ve installed add-ons or plugins with your browser (like the one that came with your computer), it could be a question you're asking yourself right now.

This week brought news that at least six more extensions for a popular browser were hijacked. Two similar attacks were uncovered only last week. In all these cases the hijackers “updated” the extensions to inject malicious code into web pages. More than a million local browser installations were affected.

*

At the risk of repeating myself - local browser add-ons put your data at risk. Browsers are targeted in more than 80 percent of online attacks because inherent design flaws and the security weaknesses of common internet protocols make them the most vulnerable component of your personal or business IT.

When connecting to a website, browsers indiscriminately fetch and process code from the web on the local computer. Malicious code may be hidden in a web app or passed through from an ad server on

So Much Leaking.

In the wake of the devastating WannaCry and NotPetya ransomware campaigns, it was hard to imagine that things could get more embarrassing for the IT profession.

That double whammy was possible because IT administrators left firewall ports 445 and 139 open, which allowed the EternalBlue exploit to take hold. Thousands of companies around the world paid the price for IT's negligence.

Despite all the attention, many organizations still haven’t taken the simple step of closing the obviously open ports. Once they get hit, regulators and litigators will likely have a field day. Nobody can say IT wasn’t warned.

And now, just a few short weeks later, we learn that security researchers have discovered numerous preventable data leaks that exposed personal, sensitive data of hundreds of millions of users. Where did they find this data?

On Amazon - where else? The go-to web service for storing large amounts of data. Impacted organizations include:

The One IT Security Issue That Too Many Media Are Totally Missing

Did you notice how some journalists ask one particular question at the end of an interview? It’s usually a good sign: "Is there anything I didn't ask you but should have?"

This question indicates curiosity to go past the obvious talking points. It shows the interviewer’s openness to considering new angles. We decided to rephrase and broaden that question and pose it to our InfoSec Luminaries:

"What's the one IT security issue that you wish journalists would cover more or better, and why?"

No media bashing or gripe-airing intended here. Reporting on IT security, computer crime, data protection and privacy - and getting it right - is tough enough. It looks like more fun from the outside (if you’re not doing it yourself) than it actually is. We get it.

But even those in the industry who enjoy stellar media coverage can point to an issue or two that deserves more attention than it is actually

ISPs & Privacy: Why it Matters, and How to Cover Your A$$

Both the US Senate and the House of Representatives have cleared the way to remove privacy rules for internet service providers (ISPs) like AT&T, Charter, Comcast and Verizon. The President signed the executive order to repeal these rules, which were originally put in place by the FCC in 2016 to protect consumers on the web.

While the nation’s largest ISPs have pushed hard for this move, most internet users in the U.S. are only now learning that their entire web browsing history may be collected, sold, and/or used for marketing purposes - no “opt-in” or other permission required.

This is a good time to take a step back and assess what it all means. The privacy rules were fairly recent and had not yet been enacted. And, it's not back to the old state - the lawmakers went a step further, issuing a joint resolution that aims to ensure that the FCC will be barred

Book Review: What They Really Do With Your Medical Data

Happy Data Privacy Day. A new book provides an in-depth look at the commercial trade in patient medical data. Sensitive data, a vibrant market, and not much cause for celebration.

*

A while ago, I wrote about the wave of data breaches at healthcare organizations and medical identity theft that is impacting millions and what we can do to protect ourselves better.

One of the readers of that post was acclaimed journalist Adam Tanner, who has reported on data collection and consumer privacy since 2012.

Adam and I have had an ongoing discussion on data privacy and security matters since we met a few years ago. He was covering the issue for Forbes, and I had a chance to brief him on our secure browser solution.

A few weeks ago, he kindly directed my attention to an unknown - to me, at least - aspect of our personal medical records. I thought our medical data was sacrosanct. Protected by regulatory

Industrial Control Systems Under Attack: Secure Browser, Anybody?

The primary threats against Industrial Control Systems (ICS), the computing infrastructure at the heart of utilities and manufacturing plants, come from secret agent style espionage like you see in the movies, right? Wrong.

***

Remember the “Stuxnet” attack that sent the centrifuges in Iran’s uranium enrichment plant into a self-destructive spin? In that attack, a USB stick was used to cross the security “air gap” of that unconnected computer, and drop malicious software on the (Windows-based) Siemens control units.

Now, attackers targeting critical infrastructure don’t even need to drop a USB stick in the parking lot. They can simply rely on employees opening a phishing email, or visiting a compromised website. That’s all it takes for a motivated outsider to wreak havoc, steal data or lock down critical ICS processes with ransomware.

Fear-mongering? I would have thought so too. But then I read Booz Allen Hamilton’s newest Industrial Cybersecurity Threat Briefing [PDF].

It’s the most thorough

Must-Have Features of a Secure Virtual Browser

How did the local browser become the “security sinkhole” of today’s enterprise? And, more importantly, what’s the alternative? How can enterprise IT leaders protect their infrastructure against web-borne threats, without putting productivity at risk by restricting web access?

Network security expert David Strom answers these questions in a new whitepaper, titled Why a Virtual Browser is Important For Your Enterprise. The whitepaper includes a detailed list of features that enterprise IT security managers should expect from “virtual” or “security-aware” browsers.

Five of Strom’s (eight) criteria for how to pick the most secure browser for the enterprise:

  • the ability to “keep all browsing information protected on a separate and secure network”,
  • the option to “enforce corporate acceptable use policies to allow/block specific content categories and websites”,
  • “single sign-on features to allow users to share credentials for a collection of SaaS-based services”,
  • the “ability to add multi-factor authentication (MFA)”, and
  • “anonymous surfing” capabilities.

Phishing, drive-by attacks, ransomware, SQL injections,

Monthly News Roundup - December 2015 (TL;DR)

This month we learned that Microsoft’s browser is vulnerable and many people’s Java has security flaws. No, you haven’t traveled back in an infosec time machine. These old-fashioned headlines came back in a new way this month. Oh, and a mere 191 million people’s personally identifiable information was exposed online. Check out those stories plus much more in our December 2015 news roundup:

  • US Voter Records Leaked Online: On Dec. 20, security researcher Chris Vickery discovered an exposed database containing personally identifiable information for 191 million registered US voters. The data included voters’ full names, addresses, voter IDs, birthdates, phone numbers, political affiliations, voting histories, and confirmation about whether or not they are on the do-not-call list. Depending on state law, much of that information must remain private and secure. As of now, the owner of the database remains unknown but the database has been taken offline.
  • Apps Share User Info But Don’t Tell Their Customers

Monthly News Roundup - November 2015 (TL;DR)

This month we learned about a host of newfangled malware and hacks that compromise everyday websites, online ads, hotel chains, and British tabloids. Plus, State Department employees recently found out that their love of Facebook made them vulnerable to the Axis of Evil. Check out November’s biggest infosec headlines, below:

US State Department Targeted By Iranian Cyber Attack: Multiple sources reported on an apparent spear phishing attack from Iran’s Revolutionary Guard on the US State Department. The attackers used compromised social media accounts of junior level State Department employees to hack computers of officials who work on Iranian and Middle Eastern affairs. In a strange twist, the US government learned about the attack from Facebook. Often it’s the other way around, with private sector firms and organizations learning they’ve been victims once they’re notified by the feds. The upshot: The government needs to manage employee web access and passwords, and control access to social media apps

Monthly News Roundup - October 2015 (TL;DR)

October was Cybersecurity Awareness Month and look what we got you: A collector’s edition of this month’s news highlights. Network World also did a product overview of Silo. According to the headlines, social engineering is on the rise, Flash remains vulnerable, and organizations that shouldn’t be hacked, are. Here’s a look back at October’s biggest infosec news:

Scottrade Customer Data Leaked: Retail brokerage Scottrade announced that their customers’ personally identifying information had been leaked. The company revealed that Social Security numbers and other contact information for 4.6 million customers were exposed to hackers. The breach took place between 2013 and 2014, but was unknown to Scottrade until they were notified by federal investigators.

Experian Hack Affects T-Mobile Customers: Credit bureau and consumer data broker Experian revealed that 15 million records it was entrusted to keep secure were exposed to criminals. The leaked data came from customer applications for T-Mobile service. The theft included Social Security