Recent Blog Posts
On the need for an open Security Journal
The information security industry, and more significantly the hacking community, are prolific producers of incredibly valuable research; yet much of it is lost to most of those who need to see it. Unlike academic research, which is typically published in journals (with varying degrees of openness), most research conducted within…
TLS Certificates from the Top Million Sites
Thanks to the recent WoSign / StartCom issues with misused or flawed certificates, there was a question of how many of the certificates they had issued were actually in use, so this seemed a good time to run a scan against the Alexa top 1 million sites to see what…
Ruby + GCM Nonce Reuse: When your language sets you up to fail…
A couple of hours ago, Mike Santillana posted to oss-security about a rather interesting find in Ruby's OpenSSL library; in this case the flaw is subtle, so much so that it's unlikely anyone would notice it, and it comes down to a seemingly insignificant choice that determines whether your…
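The post above is about a choice that quietly leads to GCM nonce reuse. As an added example (my own code, not code from the post or from Ruby's openssl gem), the following shows in Ruby why a reused nonce is fatal for AES-GCM and what the correct pattern looks like. The key is assigned before the IV because, in the affected versions of the gem, assigning the key after the IV silently discarded the IV the caller had set, so every message went out under the same nonce; current versions no longer behave that way, so the reuse here is forced deliberately by passing the same nonce twice. The function names, the sample HTTP requests and the key/nonce values are all constructed for the example and not taken from any real system.

```ruby
require 'openssl'
require 'securerandom'

ALG = 'aes-128-gcm'
NONCE_LEN = 12 # 96-bit nonce, the standard GCM size

# Encrypt one message under AES-128-GCM. Key first, then IV (see lead-in).
# Returns [ciphertext, 16-byte authentication tag].
def gcm_encrypt(key, nonce, plaintext)
  c = OpenSSL::Cipher.new(ALG).encrypt
  c.key = key
  c.iv  = nonce
  ciphertext = c.update(plaintext) + c.final
  [ciphertext, c.auth_tag]
end

# Decrypt and verify; raises OpenSSL::Cipher::CipherError if the tag is wrong.
def gcm_decrypt(key, nonce, ciphertext, tag)
  c = OpenSSL::Cipher.new(ALG).decrypt
  c.key = key
  c.iv  = nonce
  c.auth_tag = tag
  c.update(ciphertext) + c.final
end

# Byte-wise XOR of two binary strings, truncated to the shorter one.
def xor_bytes(a, b)
  n = [a.bytesize, b.bytesize].min
  a.byteslice(0, n).bytes.zip(b.byteslice(0, n).bytes).map { |x, y| x ^ y }.pack('C*')
end

# GCM is CTR mode underneath: ciphertext = plaintext XOR keystream(key, nonce).
# Two messages under the same key and nonce share the keystream, so XORing one
# ciphertext with its known plaintext exposes the keystream, and XORing that
# into the other ciphertext exposes the other plaintext (up to the length of
# the known message). No key is needed, and the authentication tag does not
# help, because nothing is being forged.
def recover_with_known_plaintext(ct_known, pt_known, ct_target)
  keystream = xor_bytes(ct_known, pt_known)
  xor_bytes(ct_target, keystream)
end

# Constructed sample traffic (not from any real system): one request an
# attacker can guess byte for byte, and one they want to read. The known
# message is the longer of the two so the secret one is recovered in full.
KNOWN_PT  = "GET /healthz HTTP/1.1\r\nHost: api.example.invalid\r\nConnection: keep-alive\r\n"
SECRET_PT = "GET /v1/keys HTTP/1.1\r\nAuthorization: Bearer s3cr3t\r\n"

# Failure mode: the same nonce for both messages. Returns the recovered
# secret plaintext, which equals SECRET_PT.
def nonce_reuse_demo(key, nonce)
  ct_known, _tag1  = gcm_encrypt(key, nonce, KNOWN_PT)
  ct_secret, _tag2 = gcm_encrypt(key, nonce, SECRET_PT)
  recover_with_known_plaintext(ct_known, KNOWN_PT, ct_secret)
end

# Correct use: a fresh random nonce for every message under the key. The same
# attack now yields garbage, since the two keystreams are unrelated.
def fresh_nonce_demo(key)
  ct_known, _tag1  = gcm_encrypt(key, SecureRandom.random_bytes(NONCE_LEN), KNOWN_PT)
  ct_secret, _tag2 = gcm_encrypt(key, SecureRandom.random_bytes(NONCE_LEN), SECRET_PT)
  recover_with_known_plaintext(ct_known, KNOWN_PT, ct_secret)
end

if __FILE__ == $PROGRAM_NAME
  key   = OpenSSL::Cipher.new(ALG).random_key
  nonce = SecureRandom.random_bytes(NONCE_LEN)
  puts "reused nonce: #{nonce_reuse_demo(key, nonce).inspect}"
  puts "fresh nonces: #{fresh_nonce_demo(key).inspect}"
end
```

The practical rule the example illustrates: with GCM, a nonce must never repeat under a key, whether the repeat is a programming mistake, a counter that was reset, or a library that quietly dropped the value you set. If you cannot guarantee uniqueness (for example across many processes sharing a key), a 96-bit random nonce per message is the simplest safe choice, with a key rotation limit well before the birthday bound.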
Testing for SWEET32 with YAWAST
Testing for SWEET32 isn't simple. When the vulnerability was announced, some argued that the best approach was to treat any TLS server that supports a 3DES cipher suite as vulnerable. The problem is, it's not that simple. On my employer's corporate blog, I wrote about…
Developers: Placing Trust in Strangers
Much has been said, especially recently, about the mess of dependencies that modern applications have, and for those of us working in application security there is good reason to be concerned about how these dependencies are being handled. While working on YAWAST, I was adding a new feature, and…
Recent Security Research
PL/SQL Developer: HTTP to Command Execution
While looking into PL/SQL Developer, a very popular tool for working with Oracle databases, to see how it encrypts passwords, I noticed something interesting. When testing Windows applications, I make it a habit to have Fiddler running to see if there is any interesting traffic, and in this…
PL/SQL Developer: Nonexistent Encryption
(Another issue discovered during this research, updates over HTTP leading to command execution, is covered in a separate post.) PL/SQL Developer by Allround Automations has an option to store the user's logon history with passwords; the passwords are encrypted with a proprietary algorithm. At this point, you should know how this is going…
Verizon Hum Leaking Credentials
or, Christmas Infosec Insanity... A friend mentioned Hum by Verizon, a product that I hadn't heard of but which quickly caught my attention, both from a "here's a privacy nightmare" perspective and from an "I might actually use that" perspective. While looking at the site, I decided to take a look at…
Dovestones Software AD Self Password Reset (CVE-2015-8267)
AD Self Password Reset v3.0 by Dovestones Software contains a critical vulnerability in the password-change functionality that allows unauthenticated users to change the password of arbitrary accounts. The vendor has been working with customers to upgrade them to a fixed version. The /Reset/ChangePass function doesn't validate that the…
Making BadUSB Work For You – DerbyCon
Last week Brandon Wilson and I were honored to speak at DerbyCon on the work we've been doing on the Phison controller found in many USB thumb drives. This was my first time speaking at DerbyCon; it's a great event, with a fantastic team making the magic happen. Slides:…
- YAWAST – The YAWAST Antecedent Web Application Security Toolkit
- libsodium-net – The .NET library for libsodium; a modern and easy-to-use crypto library.
- ccsrch – Cross-platform credit card (PAN) search tool for security assessments.
- Underhanded Crypto Contest – A competition to write or modify crypto code that appears to be secure, but actually does something evil.
Consulting & Services
I am available for certain consulting projects, especially in the areas of application security, cryptography, secure systems design, and application penetration testing. For more information, please contact me.
About Adam Caudill
Adam Caudill is a security consultant with over 15 years of experience in security and software development, with a focus on application security, secure communications, and cryptography. He is an active blogger, open source contributor, and advocate for user privacy and protection. His work has been cited by many media outlets and publications around the world, from CNN to Wired and countless others.