Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

  • DEFCAD & Freedom of Information

    Freedom of speech is, in my opinion, the single most important and inalienable right that humanity has. This isn’t a privilege granted by a government; it’s an innate right of humanity. It’s a right that is essential to the preservation of many other freedoms – without it, there is no freedom, there is no liberty. Earlier today a friend posted something on Twitter; I started to retweet it, but after some thought decided I needed to say more than I could fit in 140 characters.

    Read more…

  • Password Hashing: No Silver Bullets

    In the dark days of the web, if a service hashed your password instead of storing it in plain text, they were doing good. As sites were hacked, and credentials stolen, a silver bullet emerged: always hash and salt passwords when storing them. Many, many services were built with this design – LivingSocial is a great example. SHA1 hashing with a 40-byte salt – once upon a time, that was considered reasonable protection.

    Read more…

  • The WikiLeaks We Deserve

    I’ve been a (fairly quiet) critic of WikiLeaks for a long time: the core of the mission I agree with – information should be free, and should be preserved – but the implementation is deeply flawed. But then, that’s not really news, is it? Two and a half years ago when I last wrote about WikiLeaks, I pointed out that Julian Assange was the organization’s biggest problem. So what do we have today?

    Read more…

  • 1Password, PBKDF2, & Implementation Flaws

    …or “Crypto Is Hard, Vol. 479”

    Earlier today a tweet about a new feature for oclHashcat-plus started a truly interesting debate on Twitter over the implications. The new feature is the ability to crack 1Password keychain files – at an impressive 3 million passwords per second.

    “Support added to crack 1Password to oclHashcat-plus, 100% computed on GPU! Plus I found an exploitable design flaw http://t.co/53ZtWggsDz” — hashcat (@hashcat) April 16, 2013

    To achieve this speed, two optimizations were used – the first is in precomputing ipad and opad for SHA1-HMAC, which effectively cuts the number of SHA1 calls in half.

    Read more…

  • Linode: Another Breach Notification Gone Wrong

    Last night I received an email from Linode about a possible breach and mandatory password reset that reminded me of another recent email, in some disturbing ways.

    “Dear Linode customer, Linode administrators have discovered and blocked suspicious activity on the Linode network.”

    Not too long ago, I received a similar email from Evernote – not just in its text, but in the errors made.

    “Dear Evernote user, Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.”

    Read more…

  • Security Done Wrong: Leaky FTP Server

    Update: I’ve just spoken to AMI, and received some very important information; so here are the key points and clarifications: To clarify, the ‘vendor’ I refer to is a customer of AMI; it is this customer’s public FTP server that exposed this information. Per AMI, the signing key included in the ‘Ivy Bridge’ archive is a default test key; AMI instructs customers to change the key before building for a production environment.

    Read more…

  • First, Do No Harm: Developers & Bad APIs

    Primum non nocere (first, do no harm) – an iconic phrase in modern medicine, yet also applicable to many other fields. This is something I wish more people would think about, developers especially – and primarily when writing new APIs. In general, developers don’t have an impressive history with security – quite frankly, developers suck. Seeing as I consider myself a developer, that’s painful to admit. Chris Andrè Dale posted an interesting article some time ago that got me thinking: Why it’s easy being a hacker: A SQL injection case study – Chris pointed out the problems with educational material that developers are using, and just how bad the examples are.

    Read more…

  • Evernote: XOR & Passwords

    Update: Evernote has reported that this issue has been addressed.

    Evernote for Android stores various settings in an XML file. This file isn’t really protected – it’s easily readable, especially if an attacker is able to get physical access to a device, and what’s worse is that it contains the user’s credentials:

    /data/data/com.evernote/shared_prefs/com.evernote_preferences.xml

    The username is located in the <string name="username"> element, and the password is stored in <string name="encrypted_password"> – from the name you’d assume that the password is actually encrypted.

    Read more…

  • Evernote: Doing it (mostly) right

    (Update: See here for more information about what they did wrong, including a vulnerability I found in the password handling of the Android app.) So the big news today is Evernote being popped; with 50m users and a user base that often stores sensitive material – it certainly is a tempting target for many reasons.

    “Important: Evernote just implemented a service-wide password reset. Please read our post for details and instructions http://t.

    Read more…

  • Revisiting Snapchat API & Security

    As Snapchat has increased in popularity, I’ve been asked several times to revisit my Snapchat API & Security post, to address the changes that they made in response to my complaints. So, here it is – sorta. I started making detailed notes and looking at the changes they made – but yesterday @tlack made that mostly irrelevant with his release of Snaphax, a PHP library to interact with the undocumented Snapchat API.

    Read more…