Authentic8 Blog Category: Privacy

2019 - the Year of Fake Security

Record data breaches and a new survey published in December indicate that cybersecurity snake oil peddlers had a ball last year. Their customers, not so much.

*

Remember Francis ("Frankie") Archibald Keyes, Esquire from RSA 2018 and 2019? According to survey results from last year's RSA Conference in San Francisco, the fictitious cybersecurity figure enjoyed significantly higher trust among IT professionals than most real-life vendors or experts.

Of those surveyed in our Cybersecurity Approval Poll at RSA, a total of 88% stated that they trusted Mr. Keyes "much more," "slightly more" or "about the same" as "other cybersecurity vendors and experts."

Frankie was completely made up by Authentic8, and for a short while, his meteoric rise to notoriety had our sales team worried. Would he become more famous than Silo, our pioneering Silo cloud browser and web isolation platform?


Francis ("Frankie") Archibald Keyes, the face of Fake Security in 2019

Those fears were put to rest quickly (sorry, Frankie). At the same time,

Ideas That Become Obvious In Hindsight

Interview: Authentic8 Co-founder and CEO Scott Petry on Leo Laporte's TWiT.tv

Were you excited when Apple presented the Newton mobile device to the world, a glimpse into a future starring the iPhone? Or perhaps relieved when the email Spam Wars were won by Postini, a Silicon Valley startup later bought by Google, where it became the core of Gmail?

The ideas and concepts that drove both breakthrough innovations initially faced ridicule (in the case of Newton) and skepticism. What they have in common is that today, they are obvious in hindsight.

What they also share is a name: Scott Petry. His career took him from Apple's Newton team to founding and later selling Postini - which solved the email spam problem - to Google and from there to his current role as Co-founder and CEO of Authentic8, which pioneered remote browser isolation in the cloud.

Do we have a theme here? Leo Laporte thinks so. The award-winning tech journalist and founder

How to Detect Browser Extensions

Working on new methods and tools to identify browser exploits, I recently came across a common question again in a forum: "Is it possible to detect what browser extensions I have installed?"

That information would be of value to various people for several reasons. Online attackers and snoops stand to gain most from it. Examples:

  • Browser extension details can help fingerprint the client from others, as in: "This client uses a Google Translate browser extension. This other client does not."
  • Plugin information can also aid in targeted client exploitation, as in: "This this client has version 2.0.6 of the [bleep] password manager installed, with working exploits A, B, and C."
  • Addon identification can also be leveraged to hijack the local browser, as in: "This developer's Gmail account has been pwned; let's use it to push a malicious update."


Sounds far-fetched? I wish it were. Check out our blog posts with real-life examples: JavaScript Template Attacks, Password Manager Extension Exploit, and

GDPR Outlook: After First Record Fines, What’s Next?

Following the record penalties for Google, British Airways and Marriott under the European Union's General Data Protection Regulation (GDPR) by French and British data privacy commissioners, which industry or sector will the EU's privacy watchdogs home in on next?

European GDPR enforcement actions are just getting up to speed. All indications point to more rough waters ahead for large transnationals with a presence in the EU.

In their third conversation on the state of GDPR, Scott Petry, co-founder and CEO of Authentic8, explores with Steve Durbin, Managing Director of the UK-based Information Security Forum (ISF)

  • what impact Brexit may have on GDPR enforcement in the UK
  • how the EU is currently taking aim for the next salvo of sanctions against GDPR violators
  • why apps and tools that touch EU employee data face increased scrutiny.

Will the next headline-worthy penalty hit a US-based company for not sufficiently protecting its EU employee data? Listen to their discussion here:

Did you miss the first two

JavaScript: How Browsers Give Away the Store

Did you know? Attackers use  your locally installed browser base and JavaScript to draw up intricate exploit roadmaps for targeted attacks on your organization. Listen to our interview with security researcher Michael Schwarz to learn how JavaScript template attacks work and how to prevent them.

*

“Free” browsers boast features and extensions that supposedly enhance security and privacy online. The same settings or plugins, it turns out, can be used by adversaries to achieve precisely the opposite effect.

That’s just one of the eye-opening findings reported in the research paper JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits.

The paper was authored by security researchers Michael Schwarz, Florian Lackner and Daniel Gruss of Graz University in Austria. They describe how JavaScript template attacks help attackers prepare pinpointed zero-day or side-channel attacks against large organizations, by exploiting the ubiquitous data leaks in “free” browsers and their extensions.

The researchers found an abundance of environment-dependent properties in Firefox, Chrome, Edge, and mobile