Home

Recent Blog Posts

  • Confide, Screenshots, and Imaginary Threats
    Recently Vice published a story about a lawsuit against the makers of the 'secure' messaging application Confide. This isn't just a lawsuit, it's a class-action lawsuit and brought by Edelson PC - an amazingly successful (and sometimes hated1) law firm - this isn't a simple case. The complaint includes a…
    Continue reading »

  • Shadow Brokers, Equation Group, Oh My…
    Yet again, a group known as The Shadow Brokers is in the news, with yet another leak from what is widely accepted as the NSA (Equation Group1 in APT terms). This release is, to many, the most important release of this leaked stolen material from the most elite and secretive…
    Continue reading »

  • Looking for value in EV Certificates
    When you are looking for TLS (SSL) certificates, there are three different types available, and vary widely by price and level of effort required to acquire them. Which one you choose impacts how your certificate is treated by browsers; the question for today is, are EV certificates worth the money?…
    Continue reading »

  • YAWAST 0.5 Released
    Today, I've released the latest version of YAWAST, a security scanner for web applications that provides basic information about the application, and performs common checks so that you can move on to the fun part of testing more quickly. YAWAST also remains the only tool I've found that can perform…
    Continue reading »

  • On the need for an open Security Journal
    The information security industry, and more significantly, the hacking community are prolific producers of incredibly valuable research; yet much of it is lost to most of those that need to see it. Unlike academic research which is typically published in journals (with varying degrees of openness), most research conducted within…
    Continue reading »

All Blog Posts | Archive

Recent Security Research

  • PL/SQL Developer: HTTP to Command Execution
    While looking into PL/SQL Developer - a very popular tool for working with Oracle databases, to see how it encrypts passwords I noticed something interesting. When testing Windows applications, I make it a habit to have Fiddler running, to see if there is any interesting traffic - and in this…
    Continue reading »

  • PL/SQL Developer: Nonexistent Encryption
    (See here for another issue discovered during this research; Updates over HTTP & Command Execution.) PL/SQL Developer by Allround Automations has an option to store the user's logon history with passwords - the passwords are encrypted with a proprietary algorithm. At this point, you should know how this is going…
    Continue reading »

  • Verizon Hum Leaking Credentials
    or, Christmas Infosec Insanity... A friend mentioned Hum by Verizon, a product that I hadn't heard of but quickly caught my attention - both from a "here's a privacy nightmare" perspective, and "I might actually use that" perspective. While looking at the site, I decided to take a look at…
    Continue reading »

  • Dovestones Software AD Self Password Reset (CVE-2015-8267)
    Software AD Self Password Reset v3.0 by Dovestones Software contains a critical vulnerability in the password change functionality, that allows unauthenticated users to change the password of arbitrary accounts. The vendor has been working with customers to upgrade them to a fixed version. The /Reset/ChangePass function doesn't validate that the…
    Continue reading »

  • Making BadUSB Work For You – DerbyCon
    Last week Brandon Wilson and I were honored to speak at DerbyCon, on the work we’ve been doing on the Phison controller found in many USB thumb drives. This was my first time speaking at DerbyCon - it’s a great event, with a fantastic team making the magic happen. Slides:…
    Continue reading »

Projects

  • YAWAST – The YAWAST Antecedent Web Application Security Toolkit
  • libsodium-net – The .NET library for libsodium; a modern and easy-to-use crypto library.
  • ccsrch – Cross-platform credit card (PAN) search tool for security assessments.
  • Underhanded Crypto Contest – A competition to write or modify crypto code that appears to be secure, but actually does something evil.

Consulting & Services

I am available for certain consulting projects; especially in the areas of application security, cryptography, secure systems design, and application penetration testing. For more information, please contact me.

About Adam Caudill

Adam Caudill is a security consultant with over 15 years of experience in security and software development; with a focus on application security, secure communications, and cryptography. Active blogger, open source contributor, and advocate for user privacy and protection. His work has been cited by many media outlets and publications around the world, from CNN to Wired and countless others.