Green Padlocks, Gray Padlocks - Does Anyone Really Care?

Posted by: Amir Khashayar Mohammadi
Published on:
Topics: Security

At the BlackHat conference in Las Vegas earlier this month, I had a chance to chat with Troy Hunt (creator of haveibeenpwned.com) and Scott Helme (founder of report-uri.com) about the protracted death of Extended Validation (EV) certificates.

We also talked about the fallacy of expecting users to make sense of how browsers interpret SSL/TLS certificates and about browser security in general.

What good do "security aesthetics" of a certificate accomplish when browsers no longer support it?

Listen to our conversation here.

How to Conduct Social Media Investigations and Remain Anonymous

Posted by: A8 Team
Published on:

How can professional investigators securely conduct research on social media without exposing their organization? Authentic8’s Nick Finnberg, OSINT training specialist and former intelligence analyst, shared insights and tradecraft insights, tips and tools at a webinar on social media investigations.

*

There are more than 3.5 billion active social media users across the world. Facebook, Instagram, Twitter, LinkedIn, Reddit, 8chan and Co. can be a treasure trove for law enforcement, fraud investigators, corporate security specialists, and Open Source Intelligence (OSINT) analysts. Provided, that is, the researchers have tools at their disposal that are up to the task.

That’s a big IF. Online investigators need to be able to quickly and efficiently collect, save, and collaboratively analyze data while maintaining adequate operational security (OpSec). This often poses a challenge, because they also grapple with budget constraints, inadequate online tools with inherent security vulnerabilities, and an acute shortage of properly trained cybersecurity personnel.

How to safely, effectively, and anonymously use social media for

GDPR Outlook: After First Record Fines, What’s Next?

Posted by: A8 Team
Published on:

Following the record penalties for Google, British Airways and Marriott under the European Union's General Data Protection Regulation (GDPR) by French and British data privacy commissioners, which industry or sector will the EU's privacy watchdogs home in on next?

European GDPR enforcement actions are just getting up to speed. All indications point to more rough waters ahead for large transnationals with a presence in the EU.

In their third conversation on the state of GDPR, Scott Petry, co-founder and CEO of Authentic8, explores with Steve Durbin, Managing Director of the UK-based Information Security Forum (ISF)

  • what impact Brexit may have on GDPR enforcement in the UK
  • how the EU is currently taking aim for the next salvo of sanctions against GDPR violators
  • why apps and tools that touch EU employee data face increased scrutiny.

Will the next headline-worthy penalty hit a US-based company for not sufficiently protecting its EU employee data? Listen to their discussion here:

Did you miss the first two

Morale: Recruitment, Retention, and Browsing

Posted by: Sean Heritage
Published on:

During my tenure as the Commanding Officer of the Navy’s defensive cyberspace operations team, I distinctly remember an exit interview with a civilian teammate. He sat across from me and proudly stated that though he loved our team, he was ready to leave and willing to take a pay cut for the opportunity ahead of him (note: he wasn’t taking a pay cut, but he was willing to).

He enjoyed his teammates, he told me, appreciated his leadership, was motivated by our mission, and felt appropriately compensated. Given that dissatisfaction - and not satisfaction - with any one of those job aspects usually serves as reason people decide to look elsewhere for employment, I was perplexed.

My departing teammate went on to explain: “I am a geek. I love technology. I want to be on a team that uses the latest and greatest hardware and software. I want to be able to connect with the outside world from my desktop.

JavaScript Template Attacks: How Browsers Give Away the Store

Posted by: A8 Team
Published on:

Did you know? Attackers use  your locally installed browser base and JavaScript to draw up intricate exploit roadmaps for targeted attacks on your organization. Listen to our interview with security researcher Michael Schwarz to learn how JavaScript template attacks work and how to prevent them.

*

“Free” browsers boast features and extensions that supposedly enhance security and privacy online. The same settings or plugins, it turns out, can be used by adversaries to achieve precisely the opposite effect.

That’s just one of the eye-opening findings reported in the research paper JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits.

The paper was authored by security researchers Michael Schwarz, Florian Lackner and Daniel Gruss of Graz University in Austria. They describe how JavaScript template attacks help attackers prepare pinpointed zero-day or side-channel attacks against large organizations, by exploiting the ubiquitous data leaks in “free” browsers and their extensions.

The researchers found an abundance of environment-dependent properties in Firefox, Chrome, Edge, and mobile