Evernote for Windows, Arbitrary File Download via Update
Update: The Evernote security has reported that this issue is resolved. Evernote for Windows downloads its update information via HTTP, making it subject to man-in-the-middle attacks – further, this allows an attacker to specify an arbitrary file for the updater to download. The good news is that Evernote will not execute the file thanks to signature validation – but the file isn’t removed, so it’s available for later use. As the file isn’t executed, it isn’t a critical issue.
Read more…VICIDIAL: Multiple Vulnerabilities
Update: The VICIDIAL team has publicly released a new version that, according to them, has corrected the issues I’ve pointed out here. Please make sure you are using the latest version available. If you aren’t sure if your instance is safe, contact your friendly local penetration tester to verify it’s secure as you expect it to be. Update: The SQL Injection vulnerability has been assigned CVE-2013-4467, and Command Injection assigned CVE-2013-4468.
Read more…Worried about the NSA? Try AES-512!
…or, The Cost of Wild Speculation. “We need to boost our security – I think the NSA has broken everything we use. AES-256 is too weak, I don’t trust it. Find a way to implement AES-512.” Double-AES-256! It’d be easy, and double encrypting has never bitten us before. So, let’s write some code! def encrypt(msg, iv, key) return e(e(msg, iv, key.slice(0..31)), iv, key.slice(32..63)) end def decrypt(cipher, iv, key) return d(d(cipher, iv, key.
Read more…Crypto, the NSA, and Broken Trust
Even as a child I was fascinated by cryptography – and often left the local librarians with puzzled looks thanks to the books I would check out. It’s so elegantly simple, and yet massively complex. There is one very unusual property of crypto though – it’s not about math or modes, it’s about trust. Cryptography, especially as used today, has the most wonderful dichotomy of trust; on one hand crypto, by its very nature, is used in situations lacking trust.
Read more…Making Android NSA-Proof
As it turns out, it’s quite easy to make your Android phone NSA-proof. It’s a simple method, and anyone can do it – all you need is a few ounces of thermite! Too extreme? Tools & Tips Let’s shoot for something a little more attainable – spy resistant. We can’t stop every attack, but we can reduce the attack surface a bit. Here are a few tools that I’ve been using recently to do just that.
Read more…Is moving offshore really crazy?
Today ZDNet published an article titled “The lunacy of trying to avoid NSA spying by moving e-mail and cloud out of the US” – I’m still trying to figure out if the position is naive, or intentionally ignores important facts. In short, the author (Steven J. Vaughan-Nichols) states that your data is safer in the US because outside of the US, the NSA has much less restrictive rules to operate under.
Read more…Hash Storage: Make Attackers Work
So you hash your passwords? Good. Do you salt? That’s good. Do you use a strong hashing algorithm (PBKDF2/bcrypt/scrypt)? Great! But how do you store the hashes? What happens when you get hit with a SQL injection attack? I’m a big believer in defense in-depth – not that marketing garbage about stacking layers of blinky-light boxes, but using techniques to add extra work for an attacker. You might not be able to stop every attack, but the more work they have to do, the better the odds they won’t get everything they want.
Read more…Cryptocat: What is the measure…
What is the measure of a man; what makes one great, and another lesser? What separates success from failure? We all recognize light from dark, but at which point does it go from one to another? If we ask if a person (or company, or product) is successful – do we measure them against their closest competitor, their nearest neighbor, or perhaps the most successful person we know? Where, and how, do you set that bar to measure against?
Read more…Do one thing right…
Everybody’s favorite whipping boy, Cryptocat is back in the news today – and it’s bad. Really bad. Steve Thomas has found a major flaw in the way Cryptocat generated ECC keys. Due to this flaw, the keyspace was only $2^{54.15}$, well below a secure level. Add a meet in the middle attack, and this is further reduced to $2^{27.08}$ – which based on my rough estimates, is just slightly more secure than a paper bag.
Read more…OPSEC, The NSA, and You
It’s been two weeks since news broke about the NSA collecting massive amounts of data from Verizon; and likely everybody else. There’s also PRISM – whatever the hell that is – it seems there’s no agreement on that, and I doubt there will be anytime soon. What really matters here though, is we have proof that people are watching – and if it’s happening in the US, it’s probably happening everywhere else.
Read more…
About Me
Security Architect at 1Password. Security researcher, engineer and software developer with more than 20 years of experience.
Work: I primarily focus on application security, usable security, secure communications, and cryptography. I build and lead strong and dynamic teams, who cover all facets of security and privacy.
Writing: I write about my research, security in general, development and software design, and leadership through my blog, essays, and various publications. I also engage in some creating writing when I can.
Photography: I am a purist fine art photographer, working primarily in black & white, and focused on sharing new perspectives of the world. Limited edition prints of my work are available on my online gallery. I also have a background in photojournalism, and volunteer in this field when I can.