In-brief: Outrage over Lenovo’s promotion of privacy busting adware continued to grow amid lawsuits and more spying revelations. The big question: is this the final – final straw for the beleaguered Secure Sockets Layer (SSL) technology? (Updated to add comment from Kevin Bocek of Venafi.)
After White House Summit a Consensus – on Pessimism
In-brief: Even with a high-profile summit in the heart of Silicon Valley, partisan gridlock back in Washington D.C. will make progress on cyber security impossible, experts say.
Study Reveals (Sad) Psychology of Facebook Scam Victims
Bad is good enough, according to a study of over 850,000 Facebook scams by the antivirus software provider Bitdefender. (PDF version of the report is here.) The two-year study of Facebook scams in the UK, the US and Europe found that a short list of lame, repackaged tricks are a well that never runs dry: fooling Facebook users by playing on their curiosity, vanity or naiveté. Almost half of social media e-threats prey on users’ curiosity. Far and away the top category of scam on Facebook are ‘profile view’ scams that offer Facebook users the ability to see who has viewed their profile. That ruse accounted for 45% of all scams on the 1 billion strong social network. The scam has been linked to malicious software downloads – often in the form of browser ‘plug-ins’ that promise to reveal Facebook profile views. It works well because it plays on Facebook users curiosity […]
Update: Facebook awards $50K Internet Defense Prize for Work on Securing Web Apps
Saying that research dollars for cyber security are disproportionately devoted to work on “offensive” techniques (like hacking), social media giant Facebook has awarded two researchers a $50,000 prize for their work on cyber defense. The company announced on Wednesday that Johannes Dahse and Thorsten Holz, both of Ruhr-Universität Bochum in Germany for their work on a method for making software less prone to being hacked. The two developed a method for detecting so-called “second-order” vulnerabilities in Web applications using automated static code analysis. Their paper (PDF here) was presented at the 23rd USENIX Security Symposium in San Diego. In a blog post announcing the prize, John Flyn, a security engineering manager at Facebook, said the Internet Defense Prize recognizes “superior quality research that combines a working prototype with significant contributions to the security of the Internet—particularly in the areas of protection and defense.” Dahse and Holz’s work was chosen by a panel […]
Podcast: Is Defense-In-Depth The Only Real Heartbleed Fix?
Like everyone else, we wrote extensively in the last month about the serious security vulnerability in OpenSSL dubbed “Heartbleed,” which affected many of the world’s leading web sites and services, including Facebook and Google. The large-type headlines about Heartbleed have passed. But that doesn’t mean that the danger has. As we have noted, we are entering a phase that might be considered Heartbleed’s ‘long tail.’ Most of the well-trafficked websites that were vulnerable to Heartbleed have gotten around to fixing the vulnerability. But public-facing web servers are only the beginning of the story for OpenSSL. Chasing down the vulnerability’s long tail in third-party applications and on internal web sites and applications is a much larger task. As I’ve noted: open source components make their way into all manner of applications and bespoke products these days, often without any effort to assess the security of the borrowed code. For companies that need to protect critical IT […]
