Facebook teamed up with the computing association USENIX to launch the Internet Defense Prize, aimed at highlighting research that could significantly improve the security of the Web. The inaugural winners, Johannes Dahse and Thorsten Holz, researchers from Ruhr-Universität Bochum in Germany, were awarded $50,000 for a paper titled “Static Detection of Second-Order Vulnerabilities in Web Applications.”
Protect the Graph
Facebook offered an update on the state of its deployment of the STARTTLS encryption standard, which it first wrote about in May, saying that 95 percent of its notification emails are now successfully encrypted with both Perfect Forward Secrecy and strict certificate validation.
How does Facebook protect its users against BREACH attacks on HTTPS traffic, as well as cross-site request forgery attacks? Chad Parry, a London-based member of the social network’s security infrastructure team, and Christophe Van Gysel, who contributed to the mitigation of BREACH at Facebook as an intern, answered those questions in detail in a note on the Protect the Graph page.
In a study of one day’s worth of Facebook’s notification email logs, the social network found that 76 percent of unique MX host names that receive its emails support the STARTTLS encryption standard, meaning that 58 percent of its emails were successfully encrypted.
Facebook offered some statistics about its bug bounty program in a note on its Protect the Graph page, saying that it received 14,763 submissions in 2013, up 246 percent from the previous year, and 687 of those submissions qualified for awards.
Part of being able to combat malware, phishing, and other online threats is gathering and consolidating as much data on those threats as possible, and Facebook took a major step forward on that front with its development of ThreatData.