Netgear Admin Password Disclosure
Some (though not all) Netgear products expose the administrator password to unauthorized users in a file named /cgi-bin/<model>.log. If the device is vulnerable, you’ll get something like this:

    > curl http://<ip>/cgi-bin/WNR2000XT.log
    Admin login name               admin
    Admin password                 <snip>
    Country                        Europe
    Wireless network name (SSID)   wireless_ext
    Wireless channel               6
    Security type                  WPA2-PSK(AES)
    Wireless passphrase            <snip>

The full list of devices that are vulnerable isn’t known; the issue was presented to Netgear, but no response was received.
Read more…

UPEK Windows Password Decryption
On August 28th ElcomSoft announced that they had determined a method to extract Windows passwords from the registry for users of UPEK’s fingerprint readers and Protector Suite software (UPEK is now owned by AuthenTec, which is now owned by Apple). What they didn’t announce was the technical details of how they did it. Brandon Wilson and I have been working to recreate their research, and we have. We have not been in contact with ElcomSoft, so this is an independent re-discovery of this vulnerability.
Read more…

WordPress: Don’t trust that update
Want to know the easiest way to hack most of the WordPress installs on a host? It’s as easy as attacking the host’s internal DNS server, then sitting back and waiting for users to install your backdoor. If you can manage to change the IP address that “api.wordpress.org” resolves to, you’ve won the battle. I can’t take credit for finding this; it was pointed out on Twitter (the tweet has since been deleted).
Read more…

NeoInvoice Blind SQL Injection (CVE-2012-3477)
NeoInvoice is a multi-tenant open source invoicing system that currently contains an unauthenticated blind SQL injection in signup_check.php. The input for the value field isn’t properly sanitized, and is used in string concatenation to build the SQL query:

    require_once("config.php");

    if (isset($_GET['field']) && ($_GET['field'] == 'username' || $_GET['field'] == 'email')) {
        $field = $_GET['field'];
        $table = 'user';
        $taken = '0';
        $not_taken = '1';
    } else if (isset($_GET['field']) && $_GET['field'] == 'coupon') {
        $field = 'name';
        $table = 'coupon';
        $taken = '1';
        $not_taken = '0';
    } else {
        die("<div class=\"error\">Invalid Field</div>");
    }
    if (!
Read more…

Decrypting Spark Saved Passwords
A friend of mine has been evaluating an open source instant messaging client called Spark, which can be linked to Active Directory for authentication. Like most IM clients, Spark allows users to save their password, and me being me, I was curious how it does this, since storing Windows domain logins is kind of a big deal. So, within a few minutes I found all of the details, and none of them make me feel any better.
Read more…

Yahoo’s Associated Content Hacked?
Update: TrustedSec has a write-up:

    Yahoo! Voice compromised. Over 400K clear-text accounts. Analysis and story here: http://t.co/B8ko49pB – Still unconfirmed.
    — TrustedSec (@TrustedSec) July 12, 2012

Earlier today a group called “D33Ds Company” released a large (17MB) dump from a Yahoo server. The dump includes information from a MySQL database, and the email addresses and passwords of over 450k users. Based on some of the emails and the naming of the tables, I suspect that the data is from Associated Content, a company that Yahoo bought in 2010 and closed in 2011, replacing it with Yahoo Voices.
Read more…

Assange, Ecuador, and the Cyberarmy
    ALERT: Julian Assange has requested political asylum and is under the protection of the Ecuadorian embassy in London http://t.co/bz4O9bjF
    — WikiLeaks (@wikileaks) June 19, 2012

The news that Julian Assange has asked Ecuador for political asylum is flooding Twitter as his supporters do their best to attract attention to his cause, and rally everyone they can to contact Ecuador’s embassy in London to urge them to grant Assange’s request. While I’ve watched the Assange case since before the first allegations came out of Sweden, that’s not my interest here; my interest is in what Ecuador could do if they wanted to.
Read more…

Snapchat: API & Security
Update 3: In 2014 the FTC filed a complaint against Snapchat for their failure to provide the level of security they promised. The findings listed below were sent to the founders of Snapchat; that email was quoted in the FTC complaint as proof that Snapchat was aware of these issues.

Update 2: The Snapchat API has changed to address the issues I pointed out to them, and the new API has issues as well.
Read more…

Monitor iPhone HTTP(S) Traffic with Fiddler
For a research project I decided that I needed to monitor the traffic to and from my iPhone, both HTTP and HTTPS. Having had so much luck with Fiddler in the past, it was the first place I looked. There are a number of posts on this topic, but few that provide a clear and complete picture of what’s needed. So I wrote one. First, install the latest version of Fiddler, then install the iOS-compatible certificate generator.
Read more…

LinkedIn: A little common sense
The fact that LinkedIn was breached has been well covered and confirmed, but in their confirmation they said something that I personally found insulting, more than anything else:

    It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.

So, they just recently started salting their hashes?
Read more…