securityengineering – Page 2

Facebook Announces Messenger Security Features that Don’t Compromise Privacy

Posted on May 29, 2020 by Bruce Schneier

Note that this is "announced," so we don’t know when it’s actually going to be implemented. Facebook today announced new features for Messenger that will alert you when messages appear to come from financial scammers or potential child abusers, displaying warnings in the Messenger app that provide tips and suggest you block the offenders. The feature, which Facebook started rolling… Continue reading Facebook Announces Messenger Security Features that Don’t Compromise Privacy→

Bluetooth Vulnerability: BIAS

Posted on May 26, 2020 by Bruce Schneier

Bluetooth Vulnerability: BIAS

Posted on May 26, 2020 by Bruce Schneier

This is new research on a Bluetooth vulnerability (called BIAS) that allows someone to impersonate a trusted device: Abstract: Bluetooth (BR/EDR) is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures… Continue reading Bluetooth Vulnerability: BIAS→

Securing Internet Videoconferencing Apps: Zoom and Others

Posted on April 30, 2020 by Bruce Schneier

The NSA just published a survey of video conferencing apps. So did Mozilla. Zoom is on the good list, with some caveats. The company has done a lot of work addressing previous security concerns. It still has a bit to go on end-to-end encryption. Matthew Green looked at this. Zoom does offer end-to-end encryption if 1) everyone is using a… Continue reading Securing Internet Videoconferencing Apps: Zoom and Others→

Vulnerability Finding Using Machine Learning

Posted on April 20, 2020 by Bruce Schneier

Vulnerability Finding Using Machine Learning

Posted on April 20, 2020 by Bruce Schneier

Microsoft is training a machine-learning system to find software bugs: At Microsoft, 47,000 developers generate nearly 30 thousand bugs a month. These items get stored across over 100 AzureDevOps and GitHub repositories. To better label and prioritize bugs at that scale, we couldn’t just apply more people to the problem. However, large volumes of semi-curated data are perfect for machine… Continue reading Vulnerability Finding Using Machine Learning→

Kubernetes Security

Posted on April 10, 2020 by Bruce Schneier

Attack matrix for Kubernetes, using the MITRE ATT&CK framework. A good first step towards understand the security of this suddenly popular and very complex container orchestration system…. Continue reading Kubernetes Security→

Microsoft Buys Corp.com

Posted on April 9, 2020 by Bruce Schneier

A few months ago, Brian Krebs told the story of the domain corp.com, and how it is basically a security nightmare: At issue is a problem known as "namespace collision," a situation where domain names intended to be used exclusively on an intern… Continue reading Microsoft Buys Corp.com→

Microsoft Buys Corp.com

Posted on April 9, 2020 by Bruce Schneier

The Insecurity of WordPress and Apache Struts

Posted on March 18, 2020 by Bruce Schneier

Interesting data: A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts. The Drupal content management system ranked third, followed by Ruby on Rails and Laravel, according to a… Continue reading The Insecurity of WordPress and Apache Struts→