Absolute security is simple– put your PC in a well-guarded vault, and never power it on. But that’s not what PCs are built for, and good luck finding a job that would pay you for such advice. Security Engineering (like all engineering) is a story of tradeoffs. Tradeoffs commonly take place across multiple dimensions: AsContinue reading “Security: Tradeoffs”
Category Archives: security
Web Platform Weirdness: Babies and Bathwater
When moving from other development platforms to the web, developers often have a hard time understanding why the web platform seems so … clunky. In part, that’s because the platform is pretty old at this point (>25 years as an app platform), partly because changes in form factors and paradigms (particular mobile) have introduced newContinue reading “Web Platform Weirdness: Babies and Bathwater”
Web Weirdness: Probing Localhost
If you closely watch the Network tab in the Chromium Developer Tools when you try to log into Fidelity Investments, you might notice something that looks a bit weird. JavaScript on the page attempts to create WebSocket connections to a bunch of local ports on the IPv4 localhost address (127.0.0.1): So, what are those portsContinue reading “Web Weirdness: Probing Localhost”
Attack Techniques: Fullscreen Abuse
It’s extremely difficult to prevent attacks when there are no trustworthy pixels on the screen, especially if a user doesn’t realize that none of what they’re seeing should be trusted. Unfortunately for the browsing public, the HTML5 Fullscreen API can deliver this power to an attacker. Today (and for over a decade now), an attackingContinue reading “Attack Techniques: Fullscreen Abuse”
The Challenge of IP Reputation
When protecting clients and servers against network-based threats, it’s tempting to consider the peer’s network address when deciding whether that peer is trustworthy. Unfortunately, while IP addresses can be a valuable signal, attempts to treat traffic as trustworthy or untrustworthy based on IP address alone can be very prone to mistakes. Background Most clients andContinue reading “The Challenge of IP Reputation”
Defensive Techniques: Application Guard
Earlier this year, I mentioned that I load every phishing URL I’m sent to see what it does and whether it tries to use any interesting new techniques. While Edge’s “Enhanced Security Mode” reduces the risks of 0-day attacks against the browser itself, another great defense available for enterprise users is Microsoft Defender Application Guard.Continue reading “Defensive Techniques: Application Guard”
SmartScreen Application Reputation, with Pictures
Last Update: Sept 3, 2025 I’ve previously explained how Chromium-based browsers assign a “danger level” based on the type of the file, as determined from its extension. Depending on the Danger Level, the browser may warn the user before a file download begins in order to confirm that the user really wanted a potentially-dangerous file.Continue reading “SmartScreen Application Reputation, with Pictures”
Attack Techniques: QR Codes
As outlined in earlier posts in this series, attackers know that security software can detect their phishing lures and block users from even seeing the lure if it contains a known-phishing URL. For example, both Windows Live and Gmail block email that is believed to contain phishing links. If your enterprise uses Microsoft Defender forContinue reading “Attack Techniques: QR Codes”
Enforcing SmartScreen with Policy
Microsoft Defender SmartScreen provides protection against the most common forms of attack: phishing and malware. SmartScreen support is built-in to Microsoft Edge and the Windows 8+ shell. The SmartScreen web service also powers the Microsoft Defender Browser Protection extension for Chromium-derived browsers. While SmartScreen provides powerful controls to block attacks, the user remains in fullContinue reading “Enforcing SmartScreen with Policy”
Attack Techniques: SMS Gift Card Scams
Last week, I had the chance to fly to Redmond to meet my new teammates on the Protection team in Microsoft Defender. I also had the chance to catch up with a few old friends from the Edge team, one of whom I met for coffee on Friday morning. As we sat down with ourContinue reading “Attack Techniques: SMS Gift Card Scams”
text/plain 