Recent Blog Posts

  • Insane Ideas: Blockchain-Based Automated Investment System
    This is part of the Insane Ideas series. A group of blog posts that detail ideas, possible projects, or concepts that may be of interest. These are ideas that I don't plan to pursue, and are thus available to any and all that would like to do something with them.…

  • YAWAST v0.7 Released
    It has now been over a year since the last major release of YAWAST, but today I am happy to release version 0.7, which is one of the largest changes to date. This is the result of substantial effort to ensure that YAWAST continues to be useful in the future,…

  • TLS: 64bit-ish Serial Numbers & Mass Revocation
    During a recent discussion about the DarkMatter CA on a Mozilla mailing list, it was found that their 64-bit serial numbers weren't actually 64 bits, and it opened a can of worms. It turns out that the serial number was effectively 63 bits, which is a violation of the CA/B…

  • Bitcoin is a Cult
    The Bitcoin community has changed greatly over the years; from technophiles that could explain a Merkle tree in their sleep, to speculators driven by the desire for a quick profit & blockchain startups seeking billion dollar valuations led by people who don't even know what a Merkle tree is. As…

  • Exploiting the Jackson RCE: CVE-2017-7525
    Earlier this year, a vulnerability was discovered in the Jackson data-binding library, a library for Java that allows developers to easily serialize Java objects to JSON and vice versa, that allowed an attacker to exploit deserialization to achieve Remote Code Execution on the server. This vulnerability didn't seem to get…

Recent Security Research

  • Exploiting the Jackson RCE: CVE-2017-7525
    Earlier this year, a vulnerability was discovered in the Jackson data-binding library, a library for Java that allows developers to easily serialize Java objects to JSON and vice versa, that allowed an attacker to exploit deserialization to achieve Remote Code Execution on the server. This vulnerability didn't seem to get…

  • Breaking the NemucodAES Ransomware
    The Nemucod ransomware has been around, in various incarnations, for some time. Recently a new variant started spreading via email claiming to be from UPS. This new version changed how files are encrypted, clearly in an attempt to fix its prior issue of being able to decrypt files without paying…

  • PL/SQL Developer: HTTP to Command Execution
    While looking into PL/SQL Developer - a very popular tool for working with Oracle databases - to see how it encrypts passwords, I noticed something interesting. When testing Windows applications, I make it a habit to have Fiddler running, to see if there is any interesting traffic - and in this…

  • PL/SQL Developer: Nonexistent Encryption
    (See here for another issue discovered during this research; Updates over HTTP & Command Execution.) PL/SQL Developer by Allround Automations has an option to store the user's logon history with passwords - the passwords are encrypted with a proprietary algorithm. At this point, you should know how this is going…

  • Verizon Hum Leaking Credentials
    or, Christmas Infosec Insanity... A friend mentioned Hum by Verizon, a product that I hadn't heard of but quickly caught my attention - both from a "here's a privacy nightmare" perspective, and "I might actually use that" perspective. While looking at the site, I decided to take a look at…

Projects

  • YAWAST – The YAWAST Antecedent Web Application Security Toolkit
  • libsodium-net – The .NET library for libsodium; a modern and easy-to-use crypto library.
  • ccsrch – Cross-platform credit card (PAN) search tool for security assessments.
  • Underhanded Crypto Contest – A competition to write or modify crypto code that appears to be secure, but actually does something evil.

Insane Ideas Series

The Insane Ideas series is a group of blog posts that detail various ideas that I found interesting, but didn’t pursue due to time restrictions or other factors. The goal of publishing these ideas is to make the concepts available to others, in hopes that they will pursue the idea – or at least find amusement in it.

Consulting & Services

I am available for certain consulting projects, especially in the areas of application security, cryptography, secure systems design, and application penetration testing. For more information, please contact me.

About Adam Caudill

Adam Caudill is a security consultant with over 15 years of experience in security and software development, with a focus on application security, secure communications, and cryptography. He is an active blogger, open source contributor, and advocate for user privacy and protection. His work has been cited by many media outlets and publications around the world, from CNN to Wired and countless others.