securityengineering – SSL and internet security news

IoT Security Principles

July 7, 2020 infossl

cybersecurity, internetofthings, Security technology, securityengineering

The BSA — also known as the Software Alliance, formerly the Business Software Alliance (which explains the acronym) — is an industry lobbying group. They just published “Policy Principles for Building a Secure and Trustworthy Internet of Things.” They call for: Distinguishing between consumer and industrial IoT. Offering incentives for integrating security. Harmonizing national and … Read More “IoT Security Principles” »

Hacked by Police

July 3, 2020 infossl

crime, cybersecurity, france, hacking, lawenforcement, phones, Security technology, securityengineering

French police hacked EncroChat secure phones, which are widely used by criminals: Encrochat’s phones are essentially modified Android devices, with some models using the “BQ Aquaris X2,” an Android handset released in 2018 by a Spanish electronics company, according to the leaked documents. Encrochat took the base unit, installed its own encrypted messaging programs which … Read More “Hacked by Police” »

Analyzing IoT Security Best Practices

June 25, 2020 infossl

academicpapers, internetofthings, nationalsecuritypolicy, Security technology, securityengineering

New research: “Best Practices for IoT Security: What Does That Even Mean?” by Christopher Bellman and Paul C. van Oorschot: Abstract: Best practices for Internet of Things (IoT) security have recently attracted considerable attention worldwide from industry and governments, while academic research has highlighted the failure of many IoT product manufacturers to follow accepted practices. … Read More “Analyzing IoT Security Best Practices” »

Zoom Will Be End-to-End Encrypted for All Users

June 17, 2020 infossl

cybersecurity, encryption, Security technology, securityengineering, twofactorauthentication, videoconferencing

Zoom is doing the right thing: it’s making end-to-end encryption available to all users, paid and unpaid. (This is a change; I wrote about the initial decision here.) …we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform. This will enable … Read More “Zoom Will Be End-to-End Encrypted for All Users” »

Availability Attacks against Neural Networks

June 10, 2020 infossl

academicpapers, machinelearning, Security technology, securityengineering

New research on using specially crafted inputs to slow down machine-learning neural network systems: Sponge Examples: Energy-Latency Attacks on Neural Networks shows how to find adversarial examples that cause a DNN to burn more energy, take more time, or both. They affect a wide range of DNN applications, from image recognition to natural language processing … Read More “Availability Attacks against Neural Networks” »

“Sign in with Apple” Vulnerability

June 2, 2020 infossl

apple, hacking, Security technology, securityengineering, vulnerabilities, zeroday

Researcher Bhavuk Jain discovered a vulnerability in the “Sign in with Apple” feature, and received a $100,000 bug bounty from Apple. Basically, forged tokens could gain access to pretty much any account. It is fixed. EDITED TO ADD (6/2): Another story. Powered by WPeMatico

Facebook Announces Messenger Security Features that Don’t Compromise Privacy

May 29, 2020 infossl

encryption, facebook, machinelearning, metadata, Security technology, securityengineering

Note that this is “announced,” so we don’t know when it’s actually going to be implemented. Facebook today announced new features for Messenger that will alert you when messages appear to come from financial scammers or potential child abusers, displaying warnings in the Messenger app that provide tips and suggest you block the offenders. The … Read More “Facebook Announces Messenger Security Features that Don’t Compromise Privacy” »

Bluetooth Vulnerability: BIAS

May 26, 2020 infossl

authentication, bluetooth, impersonation, Security technology, securityengineering, vulnerabilities, wireless

This is new research on a Bluetooth vulnerability (called BIAS) that allows someone to impersonate a trusted device: Abstract: Bluetooth (BR/EDR) is a pervasive technology for wireless communication used by billions of devices. The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a … Read More “Bluetooth Vulnerability: BIAS” »

Securing Internet Videoconferencing Apps: Zoom and Others

April 30, 2020 infossl

aes, encryption, internetandsociety, keys, nsa, Security technology, securityengineering, videoconferencing

The NSA just published a survey of video conferencing apps. So did Mozilla. Zoom is on the good list, with some caveats. The company has done a lot of work addressing previous security concerns. It still has a bit to go on end-to-end encryption. Matthew Green looked at this. Zoom does offer end-to-end encryption if … Read More “Securing Internet Videoconferencing Apps: Zoom and Others” »

Vulnerability Finding Using Machine Learning

April 20, 2020 infossl

artificialintelligence, cloudcomputing, cybersecurity, machinelearning, microsoft, Security technology, securityengineering, vulnerabilities

Microsoft is training a machine-learning system to find software bugs: At Microsoft, 47,000 developers generate nearly 30 thousand bugs a month. These items get stored across over 100 AzureDevOps and GitHub repositories. To better label and prioritize bugs at that scale, we couldn’t just apply more people to the problem. However, large volumes of semi-curated … Read More “Vulnerability Finding Using Machine Learning” »